Enhancement #3427
Update to shorewall 5
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | <multiple packages> | | |
| Target version: | v6.8 | | |
| Resolution: | | NEEDINFO: | No |
Description
Shorewall 5 implements the persistent provider option that we introduced in NethServer 6.8.
I'd like to drop our implementation and switch to the official shorewall 5.
Associated revisions
Require: shorewall 5. Refs #3427
lsm.conf: provider status is unknown on restart. Refs #3427
History
#1 Updated by Filippo Carletti almost 5 years ago
- Status changed from NEW to TRIAGED
- Assignee set to Filippo Carletti
- % Done changed from 0 to 20
#2 Updated by Filippo Carletti almost 5 years ago
- Status changed from TRIAGED to ON_DEV
- Target version set to v6.8
- % Done changed from 20 to 30
We need to modify both nethserver-firewall-base and nethserver-lsm.
1. backport from 7 shorewall 5 syntax
2. start lsm in unknown state to cope with a corner case: provider status switch during reboot
#3 Updated by Filippo Carletti almost 5 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Filippo Carletti)
- % Done changed from 30 to 60
#4 Updated by Filippo Carletti almost 5 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
Packages in nethserver-testing:
shorewall-core-5.0.12.1-1.el6.noarch.rpm
shorewall-5.0.12.1-1.el6.noarch.rpm
nethserver-firewall-base-2.10.7-1.4.gc48c7f4.ns6.noarch.rpm
nethserver-firewall-base-ui-2.10.7-1.4.gc48c7f4.ns6.noarch.rpm
nethserver-lsm-1.1.1-1.1.gcde4b15.ns6.noarch.rpm
Test cases:
1. clean system, install above packages, check shorewall status, create some firewall rules
2. update system, check shorewall status, check pre-existing rules are active
3. test multiwan: disconnect cables, reconnect, create/change rules while one cable is disconnected, reboot
- break eth2:
iptables -I OUTPUT -o eth2 -p icmp -d 8.8.8.8 -j DROP
iptables -I OUTPUT -o eth2 -p icmp -d 208.67.222.222 -j DROP
- fix eth2:
iptables -D OUTPUT -o eth2 -p icmp -d 208.67.222.222 -j DROP
#5 Updated by Giacomo Sanchietti almost 5 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
Actually Shorewall 5 has problems with ipset on CentOS 6.
Reference: https://sourceforge.net/p/shorewall/mailman/message/35438429/
#6 Updated by Filippo Carletti almost 5 years ago
- Status changed from TRIAGED to MODIFIED
- % Done changed from 20 to 60
#7 Updated by Filippo Carletti almost 5 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
I've uploaded a new shorewall version that should fix the problem. In nethserver-testing:
shorewall-5.0.13.3-1.el6.noarch.rpm
shorewall-core-5.0.13.3-1.el6.noarch.rpm
#8 Updated by Giacomo Sanchietti almost 5 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Everything works fine with the last update.
#9 Updated by Giacomo Sanchietti almost 5 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-lsm-1.1.2-1.ns6.noarch.rpm
- nethserver-firewall-base-2.11.0-1.ns7.noarch.rpm
- nethserver-firewall-base-ui-2.11.0-1.ns7.noarch.rpm
- shorewall-5.0.13.3-1.el6.noarch.rpm
- shorewall-core-5.0.13.3-1.el6.noarch.rpm