Received: from out.smtp-auth.no-ip.com (smtp-auth.no-ip.com [8.23.224.60])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 95131780790
	for <~alpine/devel@lists.alpinelinux.org>; Sun, 28 Aug 2022 19:37:11 +0000 (UTC)
X-No-IP: flyn.org@noip-smtp
X-Report-Spam-To: abuse@no-ip.com
Received: from www.flyn.org (unknown [137.26.240.243])
	(Authenticated sender: flyn.org@noip-smtp)
	by smtp-auth.no-ip.com (Postfix) with ESMTPA id 4MG3jy1Nx5z7sTR
	for <~alpine/devel@lists.alpinelinux.org>; Sun, 28 Aug 2022 19:37:10 +0000 (UTC)
Received: by www.flyn.org (Postfix, from userid 1001)
	id 577D11EE00A7; Sun, 28 Aug 2022 14:37:09 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=flyn.org; s=mail;
	t=1661715429; bh=VMWfSM5pyzSQppnqEWnJ53MfbUnuZiYQ/pmQ0r00yGw=;
	h=Date:From:To:Subject;
	b=hlpr2sp3YLQ/++pHss9RLuRNYO1ctUyiYXYEtCcU5Ul8UsTDmglc4C+HsaEphoSil
	 pdI5krzpo2/Vkv41zMEq2U/7uDkIqPkoyHuLsNQv78Iw/ERa0F+Ut+aGLRXESZlgFM
	 tIuR7wo7N3BPaHBRvtr7kYj7+KNV4/hoeANGuKSE/9Us3SK2+FM/gMJfyM2UKgelYl
	 Z/7r6PaYIAkZpsnicE6epgERpIK8TSfKdXdsUWCYczY4rgRgVCOVdh7aBofx6IpC3H
	 fnU9HftMxEx018aGFloK0Kr4EjrWE411bfzfMYFtp/oJxTwxx91E65daCu/bR1ZB+0
	 9yheeCle7O3Vt/t8MG9yWlzJzobrFx95gX8vooMfKDtDIeFQxb95AK3dk1YFKKSPAr
	 8jKNWpyt5F6wmbKuKWQ03//VOvZoMpbdDNOHuElS81wacWWW8a0jbBB3GqjYyO+i8S
	 ymyt4+5TurnnfuiC+o3fdrPvTcJvpbQPcYYcJsbbHVCM6KCyWQd
Received: from imp.flyn.org (guardian.flyn.org [137.26.240.242])
	by www.flyn.org (Postfix) with ESMTPSA id 3C1A21EE0040
	for <~alpine/devel@lists.alpinelinux.org>; Sun, 28 Aug 2022 14:37:09 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=flyn.org; s=mail;
	t=1661715429; bh=VMWfSM5pyzSQppnqEWnJ53MfbUnuZiYQ/pmQ0r00yGw=;
	h=Date:From:To:Subject;
	b=hlpr2sp3YLQ/++pHss9RLuRNYO1ctUyiYXYEtCcU5Ul8UsTDmglc4C+HsaEphoSil
	 pdI5krzpo2/Vkv41zMEq2U/7uDkIqPkoyHuLsNQv78Iw/ERa0F+Ut+aGLRXESZlgFM
	 tIuR7wo7N3BPaHBRvtr7kYj7+KNV4/hoeANGuKSE/9Us3SK2+FM/gMJfyM2UKgelYl
	 Z/7r6PaYIAkZpsnicE6epgERpIK8TSfKdXdsUWCYczY4rgRgVCOVdh7aBofx6IpC3H
	 fnU9HftMxEx018aGFloK0Kr4EjrWE411bfzfMYFtp/oJxTwxx91E65daCu/bR1ZB+0
	 9yheeCle7O3Vt/t8MG9yWlzJzobrFx95gX8vooMfKDtDIeFQxb95AK3dk1YFKKSPAr
	 8jKNWpyt5F6wmbKuKWQ03//VOvZoMpbdDNOHuElS81wacWWW8a0jbBB3GqjYyO+i8S
	 ymyt4+5TurnnfuiC+o3fdrPvTcJvpbQPcYYcJsbbHVCM6KCyWQd
Received: by imp.flyn.org (Postfix, from userid 1101)
	id E574A639491; Sun, 28 Aug 2022 14:37:03 -0500 (CDT)
Date: Sun, 28 Aug 2022 14:37:03 -0500
From: "W. Michael Petullo" <mike@flyn.org>
To: ~alpine/devel@lists.alpinelinux.org
Subject: Strange behavior in "awall activate -f"
Message-ID: <YwvD38auXDts3zJn@imp.flyn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.5
X-Virus-Scanned: clamav-milter 0.104.2 at herald.flyn.org
X-Virus-Status: Clean

I find that "awall activate -f" fails on a fresh install unless I run
"awall activate" at least once in interactive mode first. The failure
message is:

  host:~# (Deploy firewall rules ...)
  host:~# awall activate -f
  Warning: firewall not enabled for inet6
  Warning: firewall not enabled for inet
  awall: Firewall not enabled in kernel

It turns out this is because the ip_tables and ip6_tables kernel
modules are not loaded. It seems "awall activate" will load the required
modules. Indeed, the first "awall activate" is quite chatty about doing
this and a number of other things:

  Warning: firewall not enabled for inet6
  Warning: firewall not enabled for inet
  Firewall is not active
  Press RETURN to perform initial configuration and activation: 
   * rc-update: ip6tables already installed in runlevel `default'; skipping
   * Caching service dependencies ...
   [ ok ]
   * Loading ip6tables state and starting firewall ...
   [ ok ]
   * Enabling forwarding ...
   [ ok ]
   * rc-update: iptables already installed in runlevel `default'; skipping
   * Caching service dependencies ...
   [ ok ]
   * Loading iptables state and starting firewall ...
   [ ok ]
   * Enabling forwarding ...
   [ ok ]

If I do start a new system, load ip_tables and ip6_tables, and run
"awall activate -f", then awall runs without error. However, I do not
see evidence of the other configuration going on, as with the output from
"awall activate" above.

My questions:

Should "awall activate -f" be changed to load the kernel modules, as
interactive mode does? Is there a reason for the inconsistency?

Does running "awall activate -f" after manually loading the modules
perform all the steps to activate the firewall for the first time?
Put another way, does "awall activate -f" do everything "awall activate"
does, albeit in a much less verbose mode?

Having a fully-automated install motivates my questions.

-- 
Mike

:wq