I have decided to play around with KVM. Following the Wiki at

https://wiki.mageia.org/en/Virt-Manager

everything was fine until recompiling shorewall with

/bin/su -c "shorewall restart"

This threw up an error message:

Compiling /etc/shorewall/policy...
ERROR: Policy "fw virt ACCEPT" duplicates earlier policy "fw virt
REJECT" /etc/shorewall/policy (line 14)

The "earlier policy" must be elsewhere.
The current contents of "policy" are:

fw net ACCEPT
net all DROP info
all all REJECT info
virt all ACCEPT info
fw virt ACCEPT

This is in Mga 8. Everything seemed fine in Cauldron (Mga 9)

This is where my limitations become apparent.

On Mon, 17 May 2021 18:06:14 +1000, Doug Laidlaw wrote:
> I have decided to play around with KVM. Following the Wiki at
>
> https://wiki.mageia.org/en/Virt-Manager
>
> everything was fine until recompiling shorewall with
>
> /bin/su -c "shorewall restart"
>
> This threw up an error message:
>
> Compiling /etc/shorewall/policy...
> ERROR: Policy "fw virt ACCEPT" duplicates earlier policy "fw virt
> REJECT" /etc/shorewall/policy (line 14)
>
> The "earlier policy" must be elsewhere.
> The current contents of "policy" are:
>
> fw net ACCEPT
> net all DROP info
> all all REJECT info
> virt all ACCEPT info
> fw virt ACCEPT
>
> This is in Mga 8. Everything seemed fine in Cauldron (Mga 9)
>
> This is where my limitations become apparent.

shorewall reads the rules and passes the packet based on the
first rule that allows using it.

Whenever you dink around with settings you might consider running
shorewall check
before starting shorewall.

You lucked out that shorewall does extra checking when processing
the policy file.

It is telling you that the two rules are in conflict with each other,

The error message tells you which rules are in conflict.

On 17/5/21 7:51 pm, Bit Twister wrote:
> On Mon, 17 May 2021 18:06:14 +1000, Doug Laidlaw wrote:
>> I have decided to play around with KVM. Following the Wiki at
>>
>> https://wiki.mageia.org/en/Virt-Manager
>>
>> everything was fine until recompiling shorewall with
>>
>> /bin/su -c "shorewall restart"
>>
>> This threw up an error message:
>>
>> Compiling /etc/shorewall/policy...
>> ERROR: Policy "fw virt ACCEPT" duplicates earlier policy "fw virt
>> REJECT" /etc/shorewall/policy (line 14)
>>
>> The "earlier policy" must be elsewhere.
>> The current contents of "policy" are:
>>
>> fw net ACCEPT
>> net all DROP info
>> all all REJECT info
>> virt all ACCEPT info
>> fw virt ACCEPT
>>
>> This is in Mga 8. Everything seemed fine in Cauldron (Mga 9)
>>
>> This is where my limitations become apparent.
>
> shorewall reads the rules and passes the packet based on the
> first rule that allows using it.
>
> Whenever you dink around with settings you might consider running
> shorewall check
> before starting shorewall.
>
> You lucked out that shorewall does extra checking when processing
> the policy file.
>
> It is telling you that the two rules are in conflict with each other,
>
> The error message tells you which rules are in conflict.
>
>
Thanks for the explanation. I was able to continue, ignoring the
conflict. Similarly, there was a dependency conflict which required me
to uninstall task-printing. That was no problem either, probably
because task-printing is an "umbrella" file, and the RPMs I needed to
make my printer work, were not affected.

On Tue, 18 May 2021 08:25:12 +1000, Doug Laidlaw wrote:
> On 17/5/21 7:51 pm, Bit Twister wrote:
>> On Mon, 17 May 2021 18:06:14 +1000, Doug Laidlaw wrote:
>>> I have decided to play around with KVM. Following the Wiki at
>>>
>>> https://wiki.mageia.org/en/Virt-Manager
>>>
>>> everything was fine until recompiling shorewall with
>>>
>>> /bin/su -c "shorewall restart"
>>>
>>> This threw up an error message:
>>>
>>> Compiling /etc/shorewall/policy...
>>> ERROR: Policy "fw virt ACCEPT" duplicates earlier policy "fw virt
>>> REJECT" /etc/shorewall/policy (line 14)
>>>
>>> The "earlier policy" must be elsewhere.
>>> The current contents of "policy" are:
>>>
>>> fw net ACCEPT
>>> net all DROP info
>>> all all REJECT info
>>> virt all ACCEPT info
>>> fw virt ACCEPT
>>>
>>> This is in Mga 8. Everything seemed fine in Cauldron (Mga 9)
>>>
>>> This is where my limitations become apparent.
>>
>> shorewall reads the rules and passes the packet based on the
>> first rule that allows using it.
>>
>> Whenever you dink around with settings you might consider running
>> shorewall check
>> before starting shorewall.
>>
>> You lucked out that shorewall does extra checking when processing
>> the policy file.
>>
>> It is telling you that the two rules are in conflict with each other,
>>
>> The error message tells you which rules are in conflict.
>>
>>
> Thanks for the explanation. I was able to continue, ignoring the
> conflict.

In that case I expect that shorewall is not running. :(

The pooicy header should have "man shorewall-policy"
which will tell what causes your problem .

On 18/5/21 9:42 am, Bit Twister wrote:
> In that case I expect that shorewall is not running.:(
>
> The pooicy header should have "man shorewall-policy"
> which will tell what causes your problem .
>
No, shorewall wsas NOT running. To locate the conflicting rule, I ran

grep "fw virt REJECT" *

in the etc/shorewall directory. That produced a NIL result. At this
point, to get Shorewall running again, I commented out the new
conflicting line. I think that it would have been simpler to keep using
VirtualBox.

On Fri, 21 May 2021 19:39:09 +1000, Doug Laidlaw wrote:
> On 18/5/21 9:42 am, Bit Twister wrote:
>> In that case I expect that shorewall is not running.:(
>>
>> The policy header should have "man shorewall-policy"
>> which will tell what causes your problem .
>>
> No, shorewall wsas NOT running. To locate the conflicting rule, I ran
>
> grep "fw virt REJECT" *
>
> in the etc/shorewall directory. That produced a NIL result.

Yep. Does not surprise me. Policy file could be tab separated fields.

> At this
> point, to get Shorewall running again, I commented out the new
> conflicting line.

How sad, the "man shorewall-policy" tells you the all all REJECT info
line is to be last in the file.