
Bug#973990: shorewall: Fails to start with "Couldn't load match `iface':No such file or directory"


Vincas Dargis

Nov 8, 2020, 12:00:04 PM
Package: shorewall
Version: 5.2.3.4-1
Severity: normal

Dear Maintainer,

I've accidentally noticed that /var/log/ulog/syslogemu.log is suspiciously
"quiet"...

`shorewall status` says `Shorewall is stopped`. Trying to
launch manually with `shorewall start` I get this erroneous output:

```
Starting Shorewall....
Initializing...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
WARNING: Optional Interface wlp4s0 is not usable -- wlp not Started
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
iptables-restore v1.8.5 (nf_tables): Couldn't load match `iface':No such file or directory

Error occurred at line: 121
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Restoring Shorewall...
Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
WARNING: Optional Interface wlp4s0 is not usable -- wlp not Started
iptables-restore v1.8.5 (nf_tables): Couldn't load match `iface':No such file or directory

Error occurred at line: 105
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
done.
Shorewall restored from /var/lib/shorewall/restore
Terminated
```

I did not make configuration changes for quite some time, so I assume some update on Sid broke Shorewall.

-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-1-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=lt_LT.UTF-8, LC_CTYPE=lt_LT.UTF-8 (charmap=UTF-8), LANGUAGE=lt
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shorewall depends on:
ii bc 1.07.1-2+b2
ii debconf [debconf-2.0] 1.5.74
ii iproute2 5.9.0-1
ii iptables 1.8.5-3
ii lsb-base 11.1.0
ii perl 5.30.3-4
ii shorewall-core 5.2.3.4-1

Versions of packages shorewall recommends:
ii libnetfilter-cthelper0 1.0.0-1+b1

Versions of packages shorewall suggests:
ii make 4.3-4
pn shorewall-doc <none>

-- Configuration Files:
/etc/default/shorewall changed:
startup=0
OPTIONS=""
STARTOPTIONS="-f"
RESTARTOPTIONS=""
RELOADOPTIONS=""
STOPOPTIONS=""
INITLOG=/dev/null
SAFESTOP=1

/etc/shorewall/conntrack [Errno 13] Permission denied: '/etc/shorewall/conntrack'
/etc/shorewall/params [Errno 13] Permission denied: '/etc/shorewall/params'
/etc/shorewall/shorewall.conf changed:
STARTUP_ENABLED=Yes
VERBOSITY=1
PAGER=
FIREWALL=
LOG_LEVEL="NFLOG"
BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOG_ZONE=Both
LOGALLNEW=
LOGFILE=/var/log/ulog/syslogemu.log
LOGFORMAT="%s %s "
LOGTAGONLY=No
LOGLIMIT="s:1/sec:10"
MACLIST_LOG_LEVEL="$LOG_LEVEL"
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL="NFLOG:rpfilter"
SFILTER_LOG_LEVEL="NFLOG:sfilter"
SMURF_LOG_LEVEL="NFLOG:smurf"
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL="NFLOG:fcpflags"
UNTRACKED_LOG_LEVEL=
ARPTABLES=
CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
NFACCT=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
TC=
ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=No
AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DEFER_DNS_RESOLUTION=Yes
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=Yes
DOCKER=No
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=ftp
IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=Keep
KEEP_RT_TABLES=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No
MINIUPNPD=No
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
PERL_HASH_SEED=0
REJECT_ACTION=
RENAME_COMBINED=Yes
REQUIRE_INTERFACE=Yes
RESTART=restart
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=Yes
SAVE_ARPTABLES=No
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
TRACK_RULES=No
USE_DEFAULT_RT=Yes
USE_NFLOG_SIZE=No
USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0


-- debconf information:
shorewall/major_release:
shorewall/dont_restart:
shorewall/invalid_config:
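
Added example, not part of the original report: a small triage helper for the failure shown in the output above. It pulls the match name and line number out of the `iptables-restore` error and prints the offending rule from the saved input file; the function names `find_failed_rule` and `demo`, and the sample log and ruleset, are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate the rule that iptables-restore rejected.
# find_failed_rule LOG INPUT -> "match=<name> line=<n> uses=<count> rule=<text>"
find_failed_rule() {
    log=$1
    input=$2
    # First "Couldn't load match `NAME'" and first "Error occurred at line: N".
    match=$(sed -n "s/.*Couldn't load match \`\([^']*\)'.*/\1/p" "$log" | head -n 1)
    line=$(sed -n 's/^Error occurred at line: \([0-9][0-9]*\).*/\1/p' "$log" | head -n 1)
    if [ -z "$match" ] || [ -z "$line" ]; then
        echo "no iptables-restore match error found in $log" >&2
        return 1
    fi
    # The rule at the reported line of the restore input.
    rule=$(sed -n "${line}p" "$input")
    # How many rules in the whole ruleset depend on the same match.
    uses=$(grep -c -e "-m $match " "$input" || true)
    printf 'match=%s line=%s uses=%s rule=%s\n' "$match" "$line" "$uses" "$rule"
}

# Constructed sample data (not the reporter's real ruleset).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/start.log" <<'EOF'
Running /sbin/iptables-restore --wait 60...
iptables-restore v1.8.5 (nf_tables): Couldn't load match `iface':No such file or directory

Error occurred at line: 5
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
EOF
    cat > "$tmp/input" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m iface --iface eth0 --up -j ACCEPT
-A FORWARD -m iface --iface eth0 --up -j ACCEPT
COMMIT
EOF
    find_failed_rule "$tmp/start.log" "$tmp/input"
    rm -rf "$tmp"
}
demo
```

On an affected system the two arguments would be a capture of the `shorewall start` output and the file named in its `ERROR:` line.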

Vincas Dargis

Nov 8, 2020, 12:10:03 PM
Rebooted back to 5.8.0-3-amd64, it works! Something happened with Linux 5.9...

Vincas Dargis

Nov 9, 2020, 12:40:04 PM
This is due to xtables-addons failing to build on 5.9:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972454

Vincas Dargis

Jan 22, 2023, 8:20:04 AM
On Tue, 10 Jan 2023 23:22:37 +0000 Jeremy Sowden <jer...@azazel.net> wrote:
> xtables-addons 3.9 did not support linux 5.9. The upgrade to 3.11 fixed

But it's 3.23 on my machine:

```
$ LC_ALL=C apt policy xtables-addons-common
xtables-addons-common:
Installed: 3.23-1
Candidate: 3.23-1
Version table:
*** 3.23-1 500
500 http://debian.mirror.vu.lt/debian unstable/main amd64 Packages
100 /var/lib/dpkg/status

```

Vincas Dargis

Jan 22, 2023, 8:30:03 AM
I don't see errors in:

`sudo apt install --reinstall xtables-addons-dkms`

Vincas Dargis

Jan 22, 2023, 8:40:05 AM
reopen 973990

Vincas Dargis

Jan 22, 2023, 8:50:04 AM
reassing 973990 xtables-addons

Vincas Dargis

Jan 23, 2023, 1:10:03 PM
Control: reopen -1
Control: reassign -1 xtables-addons
Control: severity -1 critical


On Tue, 10 Jan 2023 23:22:37 +0000 Jeremy Sowden <jer...@azazel.net> wrote:
> xtables-addons 3.9 did not support linux 5.9. The upgrade to 3.11 fixed

Reopening, as Sid has 3.23 and it does not work.

Setting to critical because:

"makes unrelated software on the system (or the whole system) break" [0]

[0] https://www.debian.org/Bugs/Developer#severities

Jeremy Sowden

Jan 31, 2023, 6:50:05 PM
I think there may be some confusion about where the problem lies with
this bug. Let me summarize my understanding.

The original bug-report was created against shorewall because shorewall
had stopped working:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973990#5

However, Vincas Dargis, the reporter, observed that shorewall worked
with Linux 5.8 and did not with 5.9 and proposed #972454 as the culprit:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973990#15

On that basis, I reassigned the report to xtables-addons and closed it,
since Linux 5.9 support was added in a later version of xtables-addons:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973990#26

However, the bug was reopened by Vincas because even with the latest
version of xtables-addons (3.23-1), shorewall is still not working
correctly.

I believe, therefore, that the failure of xtables-addons to build with
Linux 5.9 was merely coincidental, and so we can rule it out as the
cause of the bug and should assign the bug back to shorewall.

J.

Jeremy Sowden

Feb 1, 2023, 1:30:05 PM
On 2023-02-01, at 20:04:22 +0200, Vincas Dargis wrote:
> On Tue, 31 Jan 2023 23:41:54 +0000 Jeremy Sowden <jer...@azazel.net> wrote:
> > However, Vincas Dargis, the reporter, observed that shorewall worked
> > with Linux 5.8 and did not with 5.9 and proposed #972454 as the culprit:
>
> I completely forgot that I wrote that bug in 2020...
>
> Anyway, shorewall works now:
>
> ```
> $ LC_ALL=C sudo shorewall status
> Shorewall 5.2.8 Status at vinco - Wed Feb 1 20:01:08 EET 2023
>
> Shorewall is running
> State:Started Wed Feb 1 19:57:54 EET 2023 from /etc/shorewall/
> (/var/lib/shorewall/firewall compiled 2023 m. vasario 01 d. 19:56:59 EET by
> Shorewall version 5.2.8
> ```

Cool. I shall close the bug then.

J.