From cd4e9654d8debedffd003a29850518e0a232e272 Mon Sep 17 00:00:00 2001 From: Matt Darfeuille Date: Sun, 29 May 2016 11:00:52 +0200 Subject: [PATCH] (Fwd) [Shorewall-users] Shorewall-lite on OpenWRT ------- Forwarded message follows ------- From: istvan@istvan.org To: shorewall-users@lists.sourceforge.net Date sent: Thu, 19 May 2016 09:10:21 +0200 Subject: [Shorewall-users] Shorewall-lite on OpenWRT Send reply to: Shorewall Users Hi there, I use Shorewall on an OpenWRT distribution and I experience 2 problems. I have solved them myself and report them here to help others with it. Shorewall version: shorewall[6]-lite 5.0.4 OpenWRT version: Chaos Calmer 15.05, r46767 Problem 1: Shorewall uses the lock utility from openwrt. I believe it is used in the wrong way. File lib.common line 775 First it passes arguments which the utility doesn't use/know. The util accepts them dumbly and continues to create a lockfile. It has no time-out functionality. I do not know the meaning of the r1 argument. Second the mutex_off simply deletes the lockfile by using the utility rm. This way a stale lock process keeps running. After a while the router is running a high number of stale processes which has impact on the load of the router. The correct way is to use "lock -u /lib/shorewall-lite/lock". This way the lockfile will be removed and the process will be terminated accordingly. To make it work for me, I no more let shorewall use the lock utility by using an ugly hack. Problem 2: An fgrep on the output of the type utility is wrongly coded. The output of the type command probably has been changed. File lib.cli line 4343 It is coded: "if type $1 2> /dev/null | fgrep -q 'is a function'; then" To make it work for me, it should be coded: "if type $1 2> /dev/null | fgrep -q 'is a shell function'; then" With regards, Stefan ------- End of forwarded message ------- Tom, attached as code.patch, are the patches that I believe will correct those issues In addition to those patches I've also added 3 patches: - Patch 1 will emulate the -p flag of the ps utility which is not available on openwrt. - The last two patches will add "file" to the progress message of SYSCONFFILE to make it more consistent among the installers. In shorewall-init/install.sh the else clause between the line 586 and 597 will only work for a sysvinit script. Should I make it also work for a systemd service script or can't we simply remove that else clause? In the compiled firewall script the comments before and after the functions imported from lib.common have two slashes in the path: $ grep -H lib.common firewall firewall:# Functions imported from /usr/share/shorewall//lib.common firewall:# End of imports from /usr/share/shorewall//lib.common -Matt -------------- Enclosure number 1 ---------------- >From 6ff651108df33ab8be4562caef03a8582e9eac5e Mon Sep 17 00:00:00 2001 From: Matt Darfeuille Date: Tue, 24 May 2016 13:10:28 +0200 Subject: [PATCH 1/8] Emulate 'ps -p' using grep to work on openwrt Signed-off-by: Matt Darfeuille Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 5 +++++ Shorewall-core/lib.common | 8 ++++---- Shorewall-lite/install.sh | 2 +- Shorewall/install.sh | 2 +- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index bc9318b77..4778ada32 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -4560,6 +4560,11 @@ shorewall_cli() { # It's a shell function -- call it # $@ + elif type $1 2> /dev/null | fgrep -q 'is a shell function'; then + # + # It's a shell function -- call it + # + $@ else # # It isn't a function visible to this script -- try diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common index 03ecb2a4a..3d0bacb1d 100644 --- a/Shorewall-core/lib.common +++ b/Shorewall-core/lib.common @@ -776,7 +776,7 @@ mutex_on() error_message "WARNING: Stale lockfile ${lockf} removed" elif [ $lockpid -eq $$ ]; then return 0 - elif ! qt ps p ${lockpid}; then + elif ! qt ps | grep -v grep | grep ${lockpid}; then rm -f ${lockf} error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed" fi @@ -788,10 +788,9 @@ mutex_on() echo $$ > ${lockf} chmod u-w ${lockf} elif qt mywhich lock; then - lock -${MUTEX_TIMEOUT} -r1 ${lockf} - chmod u+w ${lockf} echo $$ > ${lockf} - chmod u-w ${lockf} + chmod u=r ${lockf} + lock ${lockf} else while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do sleep 1 @@ -813,6 +812,7 @@ mutex_on() # mutex_off() { + [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock} rm -f ${LOCKFILE:=${VARDIR}/lock} } diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index 439d4a9f0..c8bffe108 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -550,7 +550,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR fi install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640 - echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" + echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" fi if [ ${SHAREDIR} != /usr/share ]; then diff --git a/Shorewall/install.sh b/Shorewall/install.sh index bdd82715c..581ae5079 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -1215,7 +1215,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR fi run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT - echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" + echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}" fi if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then