Firewall / Shorewall does not start at boot

Hi,

I’m running NS 7.4 bare metal on an HP Proliant DL380p Gen8. The firewall service no longer starts at boot. When I start it manually, it works fine. In the logs I can find the following information:

Running /sbin/iptables-restore …
Mar 3 16:23:22 ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Mar 3 16:23:24 Processing /etc/shorewall/stop …
Mar 3 16:23:24 Processing /etc/shorewall/tcclear …
Mar 3 16:23:24 Preparing iptables-restore input…
Mar 3 16:23:24 Running /sbin/iptables-restore…
Mar 3 16:23:24 IPv4 Forwarding Enabled
Mar 3 16:23:24 Processing /etc/shorewall/stopped …

The error has been occurring since I started more things at boot, such as the boinc client and a kvm guest. For a while I could help myself with a low priority in the /etc/init.d scripts.

My impression is that it has something to do with the boot order and services not being available when shorewall starts. I’m not a Linux expert, but I can certainly help reproduce the error with more info, given the right instructions.

Thanks
Thomas

Hi Thomas,

you may try to boot with an older kernel.

Here are some hints about not starting shorewall:

http://shorewall.org/troubleshoot.htm

Does shorewall start normally when you deactivate boinc and kvm guest? Just to see if one of these services makes problems…

Do you use custom templates?

Hi Markus,

the first time I noticed this was after enabling the Virt Manager with only one autostart ubuntu guest on a fresh NS installation.

I’m not using custom templates yet. In the meantime I registered three services in NethServer according to the manual, with their firewall rules. Boinc starts with an init.d script with chkconfig: 235 95 95.

Unfortunately the issue does not occur at every boot.

The shorewall log shows a couple of warnings which I have not yet further investigated.

WARNING: Unknown capability (RAWPOST_TABLE) ignored /etc/shorewall/capabilities (line 77)
Mar 3 22:00:18 Processing /etc/shorewall/params …
Mar 3 22:00:18 Processing /etc/shorewall/shorewall.conf…
Mar 3 22:00:18 WARNING: The CHAIN_SCRIPTS configuration option is no longer supported /etc/shorewall/shorewall.conf (line 154)
Mar 3 22:00:18 WARNING: The MODULE_SUFFIX configuration option is no longer supported /etc/shorewall/shorewall.conf (line 211)
Mar 3 22:00:18 WARNING: Your capabilities file is out of date – it does not contain all of the capabilities defined by Shorewall version 5.1.10.2 /etc/shorewall/shorewall.conf (EOF)

Thomas

Some of those Shorewall warnings should be fixed in the next upcoming update:


All of them should disappear. :)

@tmb I had one case of shorewall not starting at boot in the past, only once and with a different message. But it happened after I enabled libvirt and added a virtual machine.
We should find a way to reproduce the problem.

One additional piece of information: I run NS in bridge mode, with a RED interface with a static IP from the router and a green interface with DHCP enabled.

I also lean towards an issue in connection with libvirt manager and not with the other services.

Therefore I increased START_DELAY= in the /etc/sysconfig/libvirt-guests file to a value greater than 0.
But given my novice experience with Linux, you should see this more as a trial-and-error approach than a knowledgeable solution. I’m also not yet confident that this is really the issue.

The last two reboots were without error, the firewall started as it should. I will come back to this thread when I see it again and will take notes what has changed in between.


Here are the logs from my system:

Jan 31 10:55:43 n3 shorewall: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Jan 31 10:55:43 n3 shorewall: ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Jan 31 10:55:43 n3 logger: ERROR:Shorewall start failed
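
An added example, not part of any post in this thread: a small triage script that separates the two failure patterns seen in the logs above, an iptables-restore failure preceded by the xtables lock message versus one where the log records no cause. The function names and output labels are assumptions made for this example, and the sample lines are modelled on the logs posted here.

```shell
#!/bin/sh
# Classify Shorewall start failures found in a log stream.
# Output: one line per failed iptables-restore, "<Mon> <day> <time> <label>".
# Labels (names chosen for this example):
#   xtables-lock-contention  another process held the xtables lock
#   cause-not-logged         the log gives no reason for the failure

classify_shorewall_failures() {
    awk '
        # A new restore attempt begins: forget earlier lock messages.
        /Running \/sbin\/iptables-restore/ { lock_seen = 0 }

        # Printed when something else is modifying the ruleset
        # at the same moment as Shorewall.
        /holding the xtables lock/ { lock_seen = 1; next }

        # The failure itself; the timestamp is the first three fields
        # in both the Shorewall log and the syslog format.
        /ERROR: iptables-restore Failed/ {
            label = lock_seen ? "xtables-lock-contention" : "cause-not-logged"
            printf "%s %s %s %s\n", $1, $2, $3, label
            lock_seen = 0
        }
    '
}

# Sample input modelled on the log excerpts in this thread.
sample_log() {
    cat <<'EOF'
Jan 31 10:55:43 n3 shorewall: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Jan 31 10:55:43 n3 shorewall: ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Jan 31 10:55:43 n3 logger: ERROR:Shorewall start failed
Mar 3 16:23:20 Running /sbin/iptables-restore ...
Mar 3 16:23:22 ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Mar 3 16:23:24 Processing /etc/shorewall/stop ...
Mar 3 16:23:24 Running /sbin/iptables-restore...
Mar 3 16:23:24 IPv4 Forwarding Enabled
EOF
}

# Demo run on the sample; for a real system, feed your own log file
# on stdin instead (its path depends on your logging setup).
sample_log | classify_shorewall_failures
```

A failure labelled xtables-lock-contention points at another service changing iptables rules while Shorewall starts, which fits the boot-order suspicion raised earlier in the thread.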