From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall: Ensure the xt_geoip module is always loaded
Date: Mon, 07 Feb 2022 10:43:56 +0000 [thread overview]
Message-ID: <1E56D9BA-54C6-4560-BB56-CEABD69B5F91@ipfire.org> (raw)
In-Reply-To: <6845b9e9-54ef-5584-f10e-4778f51bde97@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 2252 bytes --]
Hello,
So what would be different upon first boot?
We will probably run a location update after the first time we connect to the internet and refresh the database, because the one that was shipped is likely too old.
However, I checked the code of the xt_geoip module and it does not look like it would complain in any way that it would look like the module does not exist - so the kernel simply cannot find it.
That only leaves us with a missing module on the dependency tree (but we would never update that in production I believe) or that the file can simply not be opened.
strace might help with this.
-Michael
> On 1 Feb 2022, at 17:19, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello Michael,
>
> thanks for your reply.
>
> I have no idea, but am interested in the root cause of this as well. It only happens
> while loading the firewall engine on first boot. On every subsequent boot, iptables
> does not complain.
>
> Thanks, and best regards,
> Peter Müller
>
>> Hello,
>>
>> I would be great to know *why* this is happening.
>>
>> iptables should automatically trigger loading the kernel module.
>>
>> Did we just forget to run something like depmod -a?
>>
>> -Michael
>>
>>> On 30 Jan 2022, at 17:08, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>
>>> For some reason, this module is not present after the very first boot of
>>> an IPFire installation.
>>>
>>> Fixes: #12767
>>>
>>> Reported-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>> ---
>>> src/initscripts/system/firewall | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>> index ebc8168ae..bfab6d538 100644
>>> --- a/src/initscripts/system/firewall
>>> +++ b/src/initscripts/system/firewall
>>> @@ -39,6 +39,9 @@ iptables_init() {
>>> iptables -P FORWARD DROP
>>> iptables -P OUTPUT ACCEPT
>>>
>>> + # Ensure the xt_geoip module is always loaded (#12767)
>>> + modprobe xt_geoip
>>> +
>>> # Enable TRACE logging to syslog
>>> modprobe nf_log_ipv4
>>> sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
>>> --
>>> 2.31.1
>>
next prev parent reply other threads:[~2022-02-07 10:43 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <723823EE-B712-4C51-BF85-5DC3059C76C8@ipfire.org>
2022-02-01 17:19 ` Peter Müller
2022-02-07 10:43 ` Michael Tremer [this message]
2022-01-30 17:08 Peter Müller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1E56D9BA-54C6-4560-BB56-CEABD69B5F91@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox