"shorewall check" should only check configuration, but, actually, it misconfigures routing policies

Bug #497692 reported by Anderson

Bug Description

Binary package hint: shorewall-shell

"shorewall check" should only check configuration, but, actually, it misconfigures routing policies.

When using multiple providers (http://www.shorewall.net/MultiISP.html), Shorewall allows an administrator to force routing of packets to one provider by using packet marking rules in "/etc/shorewall/tcrules".

Such feature is implemented with "iptables" and its "mark" module and RPDB (routing policy database).

The bug is: when I issue a "shorewall check" in order to validate my configuration files, Shorewall actually edits the RPDB and leaves the packet routing settings misconfigured.

I am using Ubuntu 9.04 Jaunty Jackalope (i386), but my production gateway runs AMD64 and is also affected by the bug.
The "shorewall-shell" version is 4.0.15-1.

-----------------------------

* Steps to reproduce the bug *

Set up a machine with two network interfaces and Ubuntu Server 9.04 Jaunty Jackalope installed. Then, issue the following commands:

# apt-get update
# apt-get -y install shorewall-shell
# cd /usr/share/doc/shorewall-common/examples/two-interfaces
# cp interfaces masq policy routestopped rules zones /etc/shorewall
# cd /etc/shorewall
# echo 'prov1 1 1 main eth0 192.168.1.1' > providers
# echo 'prov2 2 2 main eth0 192.168.2.1' >> providers
# ifconfig eth0 192.168.1.11 netmask 255.255.255.0 up
# ifconfig eth0:0 192.168.2.22 netmask 255.255.255.0 up
# ifconfig eth1 10.0.0.1 netmask 255.0.0.0 up
# shorewall start

After the "shorewall start" command, the output of "ip rule show" is:

# ip rule show
0: from all lookup local
10001: from all fwmark 0x1 lookup prov1
10002: from all fwmark 0x2 lookup prov2
20256: from 192.168.2.22 lookup prov2
20257: from 192.168.1.11 lookup prov2
32766: from all lookup main
32767: from all lookup default

Then, issue a "shorewall check" and another "ip rule show". The output is:

# shorewall check
# ip rule show
0: from all lookup local
20256: from 192.168.2.22 lookup prov2
20257: from 192.168.1.11 lookup prov2
32766: from all lookup main
32767: from all lookup default

Note the disappearance of "10001:" and "10002:".
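The following script is an added example, not part of the bug report or of Shorewall itself. It shows how an administrator can verify whether "shorewall check" has touched the RPDB: take an "ip rule show" snapshot before and after the check and report any fwmark rules that were lost. The two snapshots below are constructed from the outputs quoted in the report so the script runs offline; on a real gateway they would be taken with "ip rule show" around the "shorewall check" call. Rule priorities are stripped before comparing, so a rule that was merely renumbered is not reported as missing.

```shell
#!/bin/sh
# Added example: detect fwmark policy rules removed from the RPDB between two
# "ip rule show" snapshots. Both snapshots are constructed from the report;
# on a live system use: BEFORE=$(ip rule show); shorewall check; AFTER=$(ip rule show)

BEFORE='0: from all lookup local
10001: from all fwmark 0x1 lookup prov1
10002: from all fwmark 0x2 lookup prov2
20256: from 192.168.2.22 lookup prov2
20257: from 192.168.1.11 lookup prov2
32766: from all lookup main
32767: from all lookup default'

AFTER='0: from all lookup local
20256: from 192.168.2.22 lookup prov2
20257: from 192.168.1.11 lookup prov2
32766: from all lookup main
32767: from all lookup default'

# fwmark_rules TEXT -> the fwmark rules in TEXT, priority prefix removed, sorted
fwmark_rules() {
    printf '%s\n' "$1" | grep 'fwmark' | sed 's/^[0-9]*:[[:space:]]*//' | sort
}

# lost_fwmark_rules BEFORE AFTER -> fwmark rules present in BEFORE but absent in AFTER
lost_fwmark_rules() {
    b=$(fwmark_rules "$1")
    a=$(fwmark_rules "$2")
    printf '%s\n' "$b" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s\n' "$a" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# check_rpdb_intact BEFORE AFTER -> returns 0 if no fwmark rule was lost, 1 otherwise
check_rpdb_intact() {
    lost=$(lost_fwmark_rules "$1" "$2")
    if [ -n "$lost" ]; then
        echo "fwmark routing rules removed from the RPDB:" >&2
        printf '%s\n' "$lost" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed snapshots: this reproduces the reported symptom.
check_rpdb_intact "$BEFORE" "$AFTER" || echo "RPDB was modified by the check"
```

Run the script as-is to see the two lost rules from the report; wrap a real "shorewall check" with the two snapshot commands shown in the header comment to test a live gateway before trusting that command on a multi-ISP setup.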

-----------------------------

In my production system, the bug prevents the mail exchange between a mail server behind my gateway and the Internet, because it erases my settings which tell "mails must go to provider 'poprs'".
