Enhancement #3427

Update to shorewall 5

Added by Filippo Carletti about 3 years ago. Updated almost 3 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
Category: <multiple packages>
Target version: v6.8
Resolution:
NEEDINFO: No
Start date:
Due date:
% Done: 100%

Description

Shorewall 5 implements the persistent provider option that we introduced in NethServer 6.8.
I'd like to drop our implementation and switch to the official shorewall 5.

Associated revisions

Revision c48c7f43
Added by Filippo Carletti about 3 years ago

Require: shorewall 5. Refs #3427

Revision cde4b155
Added by Filippo Carletti about 3 years ago

lsm.conf: provider status is unknown on restart. Refs #3427

History

#1 Updated by Filippo Carletti about 3 years ago

  • Status changed from NEW to TRIAGED
  • Assignee set to Filippo Carletti
  • % Done changed from 0 to 20

#2 Updated by Filippo Carletti about 3 years ago

  • Status changed from TRIAGED to ON_DEV
  • Target version set to v6.8
  • % Done changed from 20 to 30

We need to modify both nethserver-firewall-base and nethserver-lsm.
1. backport from 7 shorewall 5 syntax
2. start lsm in unknown state to cope with a corner case: provider status switch during reboot

#3 Updated by Filippo Carletti about 3 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Filippo Carletti)
  • % Done changed from 30 to 60

#4 Updated by Filippo Carletti about 3 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

Packages in nethserver-testing:
shorewall-core-5.0.12.1-1.el6.noarch.rpm
shorewall-5.0.12.1-1.el6.noarch.rpm
nethserver-firewall-base-2.10.7-1.4.gc48c7f4.ns6.noarch.rpm
nethserver-firewall-base-ui-2.10.7-1.4.gc48c7f4.ns6.noarch.rpm
nethserver-lsm-1.1.1-1.1.gcde4b15.ns6.noarch.rpm

Test cases:
1. clean system, install above packages, check shorewall status, create some firewall rules
2. update system, check shorewall status, check pre-existing rules are active
3. test multiwan: disconnect cables, reconnect, create/change rules while one cable is disconnected, reboot

Some useful commands to test multi wan:
  • break eth2:
    iptables -I OUTPUT -o eth2 -p icmp -d 8.8.8.8 -j DROP
    iptables -I OUTPUT -o eth2 -p icmp -d 208.67.222.222 -j DROP
  • fix eth2:
    iptables -D OUTPUT -o eth2 -p icmp -d 208.67.222.222 -j DROP
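The break/fix commands above, as an added example that is not part of the ticket or of the nethserver-firewall-base / nethserver-lsm packages: a small POSIX shell helper that blocks the ICMP probes on one WAN interface to simulate a link failure, and restores the link by deleting exactly the rules it inserted, one per probe target. It assumes lsm probes the two addresses in PROBE_TARGETS (the ones used in the comment), that iptables runs as root, and that setting IPTABLES=echo gives a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not the ticket's or the project's code): simulate and undo a
# WAN failure for multi-WAN/lsm testing by dropping the ICMP probes that
# leave through one interface.
#
# Assumed: lsm probes the addresses in PROBE_TARGETS; iptables is run as root.
# Set IPTABLES=echo to print the commands instead of running them.

IPTABLES="${IPTABLES:-iptables}"
PROBE_TARGETS="${PROBE_TARGETS:-8.8.8.8 208.67.222.222}"

# wan_op ACTION: map "break" to an insert and "fix" to a delete
wan_op() {
    case "$1" in
        break) printf '%s\n' -I ;;
        fix)   printf '%s\n' -D ;;
        *)     printf 'usage: break|fix IFACE\n' >&2; return 2 ;;
    esac
}

# wan_rules ACTION IFACE: print one iptables command per probe target.
# "break" inserts a DROP at the top of OUTPUT, "fix" deletes that same rule,
# so every rule that was added is also removed.
wan_rules() {
    op=$(wan_op "$1") || return 2
    for t in $PROBE_TARGETS; do
        printf '%s %s OUTPUT -o %s -p icmp -d %s -j DROP\n' "$IPTABLES" "$op" "$2" "$t"
    done
}

# wan_apply ACTION IFACE: run the rules for real (or via IPTABLES=echo).
# A failed insert aborts; a failed delete means the rule was already gone,
# which is fine when cleaning up.
wan_apply() {
    op=$(wan_op "$1") || return 2
    for t in $PROBE_TARGETS; do
        if ! "$IPTABLES" "$op" OUTPUT -o "$2" -p icmp -d "$t" -j DROP; then
            [ "$1" = fix ] || return 1
        fi
    done
}

# wan_blocked IFACE: exit 0 if every probe target is currently blocked on
# IFACE (uses iptables -C, which checks for an existing rule), 1 otherwise.
wan_blocked() {
    for t in $PROBE_TARGETS; do
        "$IPTABLES" -C OUTPUT -o "$1" -p icmp -d "$t" -j DROP 2>/dev/null || return 1
    done
}

# Usage (as root): wan_apply break eth2; watch lsm fail over; wan_apply fix eth2
```

After `wan_apply fix eth2`, `wan_blocked eth2` should return 1, which is a quick check that no DROP rule was left behind before rebooting for test case 3.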

#5 Updated by Giacomo Sanchietti almost 3 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20

Actually Shorewall 5 has problems with ipset on CentOS 6.

Reference: https://sourceforge.net/p/shorewall/mailman/message/35438429/

#6 Updated by Filippo Carletti almost 3 years ago

  • Status changed from TRIAGED to MODIFIED
  • % Done changed from 20 to 60

#7 Updated by Filippo Carletti almost 3 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

I've uploaded a new shorewall version that should fix the problem. In nethserver-testing:
shorewall-5.0.13.3-1.el6.noarch.rpm
shorewall-core-5.0.13.3-1.el6.noarch.rpm

#8 Updated by Giacomo Sanchietti almost 3 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Everything works fine with the last update.

#9 Updated by Giacomo Sanchietti almost 3 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released:
  • nethserver-lsm-1.1.2-1.ns6.noarch.rpm
  • nethserver-firewall-base-2.11.0-1.ns7.noarch.rpm
  • nethserver-firewall-base-ui-2.11.0-1.ns7.noarch.rpm
  • shorewall-5.0.13.3-1.el6.noarch.rpm
  • shorewall-core-5.0.13.3-1.el6.noarch.rpm
