diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml
index 85c248e63..d0135a4f8 100644
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@@ -34,6 +34,13 @@
+
+ This article applies to Shorewall 4.0 and
+ later. If you are running a version of Shorewall earlier than Shorewall
+ 4.0.0-Beta4 or you are not running Shorewall-perl then please see this article.
+
+
Overview
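Review bot: The added caution states two different boundaries in consecutive sentences: the article "applies to Shorewall 4.0 and later", yet readers are redirected only if they run something "earlier than Shorewall 4.0.0-Beta4". Pick one cut-off and state it once. The Shorewall-perl requirement should also move into the first sentence, since a 4.0 user on the shell compiler currently has to reach the end of the note to learn the page is not for them.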
@@ -73,36 +80,6 @@
will not use the updated script.
-
- With Shorewall 3.2.0 through 3.2.8, the
- params extension script is executed at
- compile time as well as at run time.
-
- Running the script at compile time allows variable
- expansion (expanding $variable to its defined value) of
- variables used in Shorewall configuration files to occur at
- compile time. Running it at run-time allows your extension
- scripts to use the variables that it creates. BUT -- for any
- given variable, the value at compile time may be different from
- the value at run-time unless you only assign constant
- values.
-
- For example, if you have:
-
- EXT_IP=$(find_first_interface_address eth0)
-
- in /etc/shorewall/params then all
- occurrences of $EXT_IP in Shorewall configuration files will be
- replaced with eth0's IP address when the program is being
- compiled. On the other hand, if you use $EXT_IP in your start
- script, the value will be the IP address of eth0 when the
- program is run.
-
- Bottom line: You probably want to use only constant values
- for variables set in
- /etc/shorewall/params.
-
-
Beginning with Shorewall 3.2.9 and 3.4.0 RC2, the
params file is only processed at compile
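Review bot: The context paragraph kept directly after the deletion still opens with "Beginning with Shorewall 3.2.9 and 3.4.0 RC2", which no longer fits once the 3.2.0 through 3.2.8 text is gone and the page is scoped to 4.0 and later. Reword it as an unconditional statement of current behaviour. The removed block also carried the worked EXT_IP=$(find_first_interface_address eth0) example showing that a command substitution in params is evaluated when the program is compiled. A one-sentence version of that warning is worth keeping next to the retained paragraph.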
@@ -211,13 +188,6 @@
Shorewall Lite (Added in version 3.2.0 RC 1)
-
- The following information applies to Shorewall 3.2.2 and later. Users running versions
- of Shorewall and Shorewall Lite earlier than 3.2.2 are urged to
- upgrade.
-
-
Shorewall Lite is a companion product to Shorewall and is designed
to allow you to maintain all Shorewall configuration information on a
single system within your network.
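Review bot: The section title in the leading context line still reads "Shorewall Lite (Added in version 3.2.0 RC 1)" while this hunk removes the 3.2.2 version note beneath it. For consistency with the rest of the version cleanup, drop the parenthetical from the title in this hunk as well.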
@@ -237,7 +207,7 @@
by all users on the administrative system. Not all packages secure
the files that way and you may have to change the file permissions
yourself. /sbin/shorewall uses the SHOREWALL_COMPILER setting to
- determine which compiler to lanuch. If the compiler is
+ determine which compiler to launch. If the compiler is
shorewall-shell, then the SHOREWALL_SHELL setting from
/etc/shorewall/shorewall.conf determines the
shell to use. /sbin/shorewall also uses the VERBOSITY setting for
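Review bot: The sentence being corrected still documents the shorewall-shell path ("If the compiler is shorewall-shell, then the SHOREWALL_SHELL setting ... determines the shell to use"), while the caution added at the top of this patch sends anyone not running Shorewall-perl to another article. The spelling fix itself is fine. Either remove the shorewall-shell clause here or relax the wording of the caution so the two agree.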
@@ -326,45 +296,22 @@
- If you are running Shorewall 3.2.5 or earlier then:
-
-
- cd <export directory>
-/sbin/shorewall load firewall
-
- The load
- command compiles a firewall script from the configuration files
- in the current working directory (using shorewall
- compile -e), copies that file to the remote system via
- scp and starts Shorewall Lite on the remote system via
- ssh.
-
- Example (firewall's DNS name is 'gateway'):
-
- /sbin/shorewall load gateway
-
-
- If you are running Shorewall 3.2.6 or later then:
-
-
- cd <export directory>
+ cd <export directory>/sbin/shorewall load -c firewall
- The load
- command compiles a firewall script from the configuration files
- in the current working directory (using shorewall
- compile -e), copies that file to the remote system via
- scp and starts Shorewall Lite on the remote system via ssh. The
- -c option causes the capabilities of the remote system to be
- generated and copied to a file named capabilities in the export
- directory. See below.
+ The load
+ command compiles a firewall script from the configuration files in
+ the current working directory (using shorewall compile
+ -e), copies that file to the remote system via scp and
+ starts Shorewall Lite on the remote system via ssh. The -c option
+ causes the capabilities of the remote system to be generated and
+ copied to a file named capabilities in the export directory. See
+ below.
- Example (firewall's DNS name is 'gateway'):
+ Example (firewall's DNS name is 'gateway'):
- /sbin/shorewall load -c gateway
-
+ /sbin/shorewall load -c gateway
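Review bot: On the added command line the two commands appear joined as "cd <export directory>/sbin/shorewall load -c firewall", where the removed version had them on separate lines. Please check that the listing still renders as two commands, because read literally this is a cd into a path ending in /sbin/shorewall. Since -c is now the only documented form, the "See below." at the end of the added paragraph should also name the section it refers to.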
@@ -496,13 +443,6 @@ clean:
use that file on the firewall system to override some of the settings from
the shorewall.conf file in the export directory.
-
- In Shorewall 3.2.*, the name of the file was
- /etc/shorewall-lite/shorewall.conf -- it was
- changed to shorewall-lite.conf in version
- 3.4.0.
-
-
Settings that you can override are:
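Review bot: With the note about the 3.4.0 rename from /etc/shorewall-lite/shorewall.conf to shorewall-lite.conf removed, the retained context refers only to "that file". A reader upgrading from 3.2.* no longer learns here which file name is read for overrides. If the name is not given just above this hunk, state it explicitly in the retained sentence.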
@@ -605,14 +545,6 @@ clean:
startup=1.
-
- If you are running Shorewall 3.2.5 or earlier, then on the
- firewall system:
-
- /usr/share/shorewall-lite/shorecap > capabilities
-scp capabilities <admin system>:<this system's config dir>
-
-
On the administrative system:
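Review bot: Removing the manual shorecap and scp step leaves this procedure with no statement of how the capabilities file reaches the export directory. The earlier hunk's "-c option ... See below." may have been pointing at exactly this removed text. Add a short sentence here saying that load -c generates and copies the capabilities file, or adjust the "See below." reference so it does not dangle.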
@@ -646,75 +578,25 @@ clean:
If you set variables in the params file, there are a couple of
issues:
-
-
- With Shorewall 3.2.0 through 3.2.8, the
- params extension script is executed at
- compile time as well as at run time.
+ Beginning with Shorewall 3.2.9 and 3.4.0 RC2, the
+ params file is only processed at compile time
+ if you set EXPORTPARAMS=No in shorewall.conf.
+ For run-time setting of shell variables, use the
+ init extension script.
- Running the script at compile time allows variable
- expansion (expanding $variable to its defined value) of
- variables used in Shorewall configuration files to occur at
- compile time. Running it at run-time allows your extension
- scripts to use the variables that it creates. BUT -- for any
- given variable, the value at compile time may be different from
- the value at run-time unless you only assign constant
- values.
+ If the params file needs to set shell
+ variables based on the configuration of the firewall system, you can
+ use this trick:
- For example, if you have:
+ EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")
- EXT_IP=$(find_first_interface_address eth0)
-
- in /etc/shorewall/params then all
- occurrences of $EXT_IP in Shorewall configuration files will be
- replaced with eth0's IP address when the program is being
- compiled. On the other hand, if you use $EXT_IP in your start
- script, the value will be the IP address of eth0 when the
- program is run.
-
- Bottom line: You probably want to use only constant values
- for variables set in /etc/shorewall/params
- or upgrade to Shorewall 3.2.9 or later (3.4.0 RC2 or
- later).
-
-
-
- Beginning with Shorewall 3.2.9 and 3.4.0 RC2, the
- params file is only processed at compile
- time if you set EXPORTPARAMS=No in
- shorewall.conf. For run-time setting of
- shell variables, use the init extension
- script.
-
- If the params file needs to set shell
- variables based on the configuration of the firewall system, you
- can use this trick:
-
- EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")
-
- The shorewall-lite call command allows
- you to to call interactively any Shorewall function that you can
- call in an extension script.
-
-
+ The shorewall-lite call command allows you
+ to to call interactively any Shorewall function that you can call in
+ an extension script.After having made the above changes to the firewall's export
directory, execute the following commands.
- For Shorewall version 3.2.5 and earlier:
-
-
- cd <export directory>
-/sbin/shorewall load <firewall system>
-
-
- Example (firewall's DNS name is 'gateway'):
-
- /sbin/shorewall load gateway
-
- The refresh command was added in Shorewall
- 3.2.3.
-
The options have their same meaning is when they are passed to
/sbin/shorewall itself. The default VERBOSITY level
is the level specified in the shorewall.conf file used when then program
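Review bot: The added example EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0") makes every compile depend on a root SSH login from the administrative system to the firewall, and the surrounding text does not say so. If the ssh call fails, the substitution yields an empty EXT_IP that is then compiled into the script. Please document that root SSH access from the administrative system is a prerequisite, and suggest checking that the variable is non-empty before it is used. Two smaller points: the retained lead-in still says "there are a couple of issues" although only one remains after the list is flattened, and the added text carries over the doubled word in "allows you to to call".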