diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml index 85c248e63..d0135a4f8 100644 --- a/docs/CompiledPrograms.xml +++ b/docs/CompiledPrograms.xml @@ -34,6 +34,13 @@ + + This article applies to Shorewall 4.0 and + later. If you are running a version of Shorewall earlier than Shorewall + 4.0.0-Beta4 or you are not running Shorewall-perl then please see this article. + +
Overview @@ -73,36 +80,6 @@ will not use the updated script. - - With Shorewall 3.2.0 through 3.2.8, the - params extension script is executed at - compile time as well as at run time. - - Running the script at compile time allows variable - expansion (expanding $variable to its defined value) of - variables used in Shorewall configuration files to occur at - compile time. Running it at run-time allows your extension - scripts to use the variables that it creates. BUT -- for any - given variable, the value at compile time may be different from - the value at run-time unless you only assign constant - values. - - For example, if you have: - - EXT_IP=$(find_first_interface_address eth0) - - in /etc/shorewall/params then all - occurrences of $EXT_IP in Shorewall configuration files will be - replaced with eth0's IP address when the program is being - compiled. On the other hand, if you use $EXT_IP in your start - script, the value will be the IP address of eth0 when the - program is run. - - Bottom line: You probably want to use only constant values - for variables set in - /etc/shorewall/params. - - Beginning with Shorewall 3.2.9 and 3.4.0 RC2, the params file is only processed at compile @@ -211,13 +188,6 @@
Shorewall Lite (Added in version 3.2.0 RC 1) - - The following information applies to Shorewall 3.2.2 and later. Users running versions - of Shorewall and Shorewall Lite earlier than 3.2.2 are urged to - upgrade. - - Shorewall Lite is a companion product to Shorewall and is designed to allow you to maintain all Shorewall configuration information on a single system within your network. @@ -237,7 +207,7 @@ by all users on the administrative system. Not all packages secure the files that way and you may have to change the file permissions yourself. /sbin/shorewall uses the SHOREWALL_COMPILER setting to - determine which compiler to lanuch. If the compiler is + determine which compiler to launch. If the compiler is shorewall-shell, then the SHOREWALL_SHELL setting from /etc/shorewall/shorewall.conf determines the shell to use. /sbin/shorewall also uses the VERBOSITY setting for @@ -326,45 +296,22 @@ - If you are running Shorewall 3.2.5 or earlier then: - -
- cd <export directory> -/sbin/shorewall load firewall - - The load - command compiles a firewall script from the configuration files - in the current working directory (using shorewall - compile -e), copies that file to the remote system via - scp and starts Shorewall Lite on the remote system via - ssh. - - Example (firewall's DNS name is 'gateway'): - - /sbin/shorewall load gateway -
- - If you are running Shorewall 3.2.6 or later then: - -
- cd <export directory> + cd <export directory> /sbin/shorewall load -c firewall - The load - command compiles a firewall script from the configuration files - in the current working directory (using shorewall - compile -e), copies that file to the remote system via - scp and starts Shorewall Lite on the remote system via ssh. The - -c option causes the capabilities of the remote system to be - generated and copied to a file named capabilities in the export - directory. See below. + The load + command compiles a firewall script from the configuration files in + the current working directory (using shorewall compile + -e), copies that file to the remote system via scp and + starts Shorewall Lite on the remote system via ssh. The -c option + causes the capabilities of the remote system to be generated and + copied to a file named capabilities in the export directory. See + below. - Example (firewall's DNS name is 'gateway'): + Example (firewall's DNS name is 'gateway'): - /sbin/shorewall load -c gateway -
+ /sbin/shorewall load -c gateway
@@ -496,13 +443,6 @@ clean: use that file on the firewall system to override some of the settings from the shorewall.conf file in the export directory. - - In Shorewall 3.2.*, the name of the file was - /etc/shorewall-lite/shorewall.conf -- it was - changed to shorewall-lite.conf in version - 3.4.0. - - Settings that you can override are:
@@ -605,14 +545,6 @@ clean: startup=1. - - If you are running Shorewall 3.2.5 or earlier, then on the - firewall system: - - /usr/share/shorewall-lite/shorecap > capabilities -scp capabilities <admin system>:<this system's config dir> - - On the administrative system: 
@@ -646,75 +578,25 @@ clean: If you set variables in the params file, there are a couple of issues: - - - With Shorewall 3.2.0 through 3.2.8, the - params extension script is executed at - compile time as well as at run time. + Beginning with Shorewall 3.2.9 and 3.4.0 RC2, the + params file is only processed at compile time + if you set EXPORTPARAMS=No in shorewall.conf. + For run-time setting of shell variables, use the + init extension script. - Running the script at compile time allows variable - expansion (expanding $variable to its defined value) of - variables used in Shorewall configuration files to occur at - compile time. Running it at run-time allows your extension - scripts to use the variables that it creates. BUT -- for any - given variable, the value at compile time may be different from - the value at run-time unless you only assign constant - values. + If the params file needs to set shell + variables based on the configuration of the firewall system, you can + use this trick: - For example, if you have: + EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0") - EXT_IP=$(find_first_interface_address eth0) - - in /etc/shorewall/params then all - occurrences of $EXT_IP in Shorewall configuration files will be - replaced with eth0's IP address when the program is being - compiled. On the other hand, if you use $EXT_IP in your start - script, the value will be the IP address of eth0 when the - program is run. - - Bottom line: You probably want to use only constant values - for variables set in /etc/shorewall/params - or upgrade to Shorewall 3.2.9 or later (3.4.0 RC2 or - later). - - - - Beginning with Shorewall 3.2.9 and 3.4.0 RC2, the - params file is only processed at compile - time if you set EXPORTPARAMS=No in - shorewall.conf. For run-time setting of - shell variables, use the init extension - script. 
- - If the params file needs to set shell - variables based on the configuration of the firewall system, you - can use this trick: - - EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0") - - The shorewall-lite call command allows - you to to call interactively any Shorewall function that you can - call in an extension script. - - + The shorewall-lite call command allows you + to to call interactively any Shorewall function that you can call in + an extension script. After having made the above changes to the firewall's export directory, execute the following commands. - For Shorewall version 3.2.5 and earlier: - -
- cd <export directory> -/sbin/shorewall load <firewall system> - - - Example (firewall's DNS name is 'gateway'): - - /sbin/shorewall load gateway -
- - For Shorewall versions 3.2.6 and later: -
cd <export directory> /sbin/shorewall load -c <firewall system> @@ -877,9 +759,6 @@ CAPVERSION=30405
- The refresh command was added in Shorewall - 3.2.3. - The options have their same meaning is when they are passed to /sbin/shorewall itself. The default VERBOSITY level is the level specified in the shorewall.conf file used when then program
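Review bot: for the hunk at @@ -34,6 +34,13 @@, the new admonition's cross-reference "please see this article" names no document, so a reader who sees only the text (or a dead link) cannot tell which article is meant; give the link a descriptive target such as the shorewall-shell / pre-4.0 version of this page so the note still makes sense on its own.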
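Review bot: for the hunk at @@ -73,36 +80,6 @@, the paragraph that survives the deletion still opens with "Beginning with Shorewall 3.2.9 and 3.4.0 RC2", which sits oddly beside the new scope statement that the article applies to Shorewall 4.0 and later; reword it as a plain statement of current behaviour ("The params file is only processed at compile time if you set EXPORTPARAMS=No ...") rather than a version history.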
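Review bot: for the hunk at @@ -326,45 +296,22 @@, removing the 3.2.5-and-earlier procedure leaves "load -c" as the only documented path, and the retained text defers the capabilities file with "See below"; the companion hunk at @@ -605,14 +545,6 @@ deletes the manual "shorecap > capabilities" and scp steps for those same versions, so check that the section "See below" points at still exists and still describes where the capabilities file ends up.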
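Review bot: for the hunk at @@ -646,75 +578,25 @@, deleting the compile-time versus run-time paragraph drops a caveat the retained text still implies: it says params is only processed at compile time when EXPORTPARAMS=No, so with any other setting a variable assigned from a command substitution is evaluated once on the administrative system at compile time and again on the firewall at run time, and the two values can differ. Keep one sentence to that effect beside the EXPORTPARAMS=No advice, and say that the trick "EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")" runs on every compile and therefore needs non-interactive root ssh from the administrative system to the firewall. The added lines also duplicate a word: "allows you to to call interactively" should read "allows you to call interactively".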
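Review bot: for the hunk at @@ -877,9 +759,6 @@, the surrounding context lines carry two grammar slips worth fixing while this paragraph is being edited: "have their same meaning is when they are passed" should read "have the same meaning as when they are passed", and "used when then program" should read "used when the program".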