From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall: Ensure the xt_geoip module is always loaded
Date: Mon, 07 Feb 2022 10:43:56 +0000
Message-ID: <1E56D9BA-54C6-4560-BB56-CEABD69B5F91@ipfire.org>
In-Reply-To: <6845b9e9-54ef-5584-f10e-4778f51bde97@ipfire.org>

Hello,

So what would be different upon first boot?

We will probably run a location update after the first time we connect to the internet and refresh the database, because the one that was shipped is likely too old.

However, I checked the code of the xt_geoip module and it does not look like it would complain in any way that it would look like the module does not exist - so the kernel simply cannot find it.

That only leaves us with a missing module on the dependency tree (but we would never update that in production I believe) or that the file can simply not be opened.

strace might help with this.

-Michael

> On 1 Feb 2022, at 17:19, Peter Müller wrote:
>
> Hello Michael,
>
> thanks for your reply.
>
> I have no idea, but am interested in the root cause of this as well. It only happens
> while loading the firewall engine on first boot. On every subsequent boot, iptables
> does not complain.
>
> Thanks, and best regards,
> Peter Müller
>
>> Hello,
>>
>> It would be great to know *why* this is happening.
>>
>> iptables should automatically trigger loading the kernel module.
>>
>> Did we just forget to run something like depmod -a?
>>
>> -Michael
>>
>>> On 30 Jan 2022, at 17:08, Peter Müller wrote:
>>>
>>> For some reason, this module is not present after the very first boot of
>>> an IPFire installation.
>>>
>>> Fixes: #12767
>>>
>>> Reported-by: Arne Fitzenreiter
>>> Signed-off-by: Peter Müller
>>> --- >>> src/initscripts/system/firewall | 3 +++ >>> 1 file changed, 3 insertions(+) >>>=20 >>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/fir= ewall >>> index ebc8168ae..bfab6d538 100644 >>> --- a/src/initscripts/system/firewall >>> +++ b/src/initscripts/system/firewall >>> @@ -39,6 +39,9 @@ iptables_init() { >>> iptables -P FORWARD DROP >>> iptables -P OUTPUT ACCEPT >>>=20 >>> + # Ensure the xt_geoip module is always loaded (#12767) >>> + modprobe xt_geoip >>> + >>> # Enable TRACE logging to syslog >>> modprobe nf_log_ipv4 >>> sysctl -q -w net.netfilter.nf_log.2=3Dnf_log_ipv4 >>> --=20 >>> 2.31.1
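
Review bot: the exit status of the added `modprobe xt_geoip` in iptables_init() is not checked, so if the module cannot be loaded the function carries on silently and the failure only shows up later, when a rule that needs the geoip match is inserted. Since the commit message itself says the module is missing "for some reason", I would at least log a warning when the load fails here, so that the first-boot case leaves a trace that can be used to find the root cause. The comment could also say that this is a workaround for iptables not autoloading the module on first boot, rather than only citing #12767, so the line can be removed once the underlying cause is fixed.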