diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml index dd91cb818..bda4a6bc7 100644 --- a/docs/CompiledPrograms.xml +++ b/docs/CompiledPrograms.xml @@ -5,7 +5,7 @@ - Compiled Firewall Programs + Compiled Firewall Programs and Shorewall Lite @@ -103,6 +103,14 @@ + + + You must install Shorewall Lite on the system where you want + to run the script. You then install the compiled program in + /usr/share/shorewall/firewall and use the /sbin/shorewall program + included with Shorewall Lite to control the firewall just as if the + full Shorewall distribution was installed. + @@ -114,8 +122,8 @@ command:
- shorewall compile [ -e ] [ -d <distro> ] [ - <directory name> ] <path name> + shorewall compile [ -e ] [ <directory name> ] + <path name>
where @@ -128,8 +136,8 @@ Indicates that the program is to be "exported" to another system. When this flag is set, the "detectnets" interface is not - allowed but the created program may be run on a system that - doesn't even have Shorewall installed. + allowed but the created program may be run on a system that has + only Shorewall Lite installed When this flag is given, Shorewall does not probe the current system to determine the kernel/iptables features that it @@ -139,33 +147,6 @@ - - -d <distro> - - - is normally used with "-e" and specifies the Linux - distribution that is running on the remote system. The program - will be tailored so that it integrates with the initialization - script system (init) on that system. Distributions currently - supported are: - - - suse - - redhat - - debian (Note that Debian compiled programs may not be - installed directly into /etc/init.d — they require the - soon-to-be-released Shorewall-minimal Debian package. - - - If -d is not specified, the - compiled program is generally not suitable for being installed in - /etc/init.d. - - - <directory name> @@ -188,57 +169,64 @@
- /usr/share/shorewall/configfiles (Added in version 3.2.0 RC - 1) + Shorewall Lite (Added in version 3.2.0 RC 1) - The /usr/share/shorewall/configfiles directory - contains a copy of the Shorewall configuration files that are normally - installed in /etc/shorewall. + Shorewall Lite is a companion product to Shorewall and is designed + to allow you to maintain all Shorewall configuration information on a + single system within your network. - Suppose that you want to create a configuration directory for remote - system 'gateway'. - - + - mkdir gateway + You install the full Shorewall release on one system within your + network. You need not configure Shorewall there and you may totally + disable startup of Shorewall in your init scripts. For ease of + reference, we call this system the 'administrative system'. - cp /usr/share/shorewall/configfiles/* - gateway + On each system where you wish to run a Shorewall-generated + firewall, you install Shorewall Lite. For ease of reference, we will + call these systems the 'firewall systems'. - Generate a capabilities file on the - 'gateway' system as described in the next section and copy that file - to the gateway + On the administrative system you create a separete + 'configuration directory' for each firewall system. You copy the + contents of /usr/share/shorewall/configfiles into each configuration directory. - Modify the files in the gateway directory to match the - configuration on 'gateway'. + On each firewall system, you run: + + /usr/share/shorewall/shorecap > capabilities +scp capabilities <admin system>:<this system's config dir> - cd gateway + On the administrative system, for each firewall system you do + the following (this may be done by a non-root user): + + + + modify the files in the corresponding configuration + directory appropriately. + + + + + + cd <configuration directory> +/sbin/shorewall compile -e . 
firewall +scp firewall root@<firewall system>:/usr/share/shorewall/ + + - /sbin/shorewall compile -e . firewall - + On each firewall system: - - Copy the firewall file to /etc/init.d on system 'gateway' and - arrange for it to be started at boot time. - - - - On the 'gateway' system, /etc/init.d/firewall - start + shorewall start
@@ -254,10 +242,10 @@
NAT_ENABLED=Yes # NAT MANGLE_ENABLED=Yes # Packet Mangling -CONNTRACK_MATCH=Yes # Connection Tracking Match -USEPKTTYPE= # Packet Type Match MULTIPORT=Yes # Multi-port Match XMULTIPORT=Yes # Extended Multi-port Match +CONNTRACK_MATCH=Yes # Connection Tracking Match +USEPKTTYPE= # Packet Type Match POLICY_MATCH=Yes # Policy Match PHYSDEV_MATCH=Yes # Physdev Match LENGTH_MATCH=Yes # Packet Length Match @@ -266,12 +254,17 @@ RECENT_MATCH=Yes # Recent Match OWNER_MATCH=Yes # Owner match IPSET_MATCH= # Ipset Match CONNMARK=Yes # CONNMARK Target +XCONNMARK=Yes # Extended CONNMARK Target CONNMARK_MATCH=Yes # Connmark Match +XCONNMARK_MATCH=Yes # Extended Connmark Match RAW_TABLE=Yes # Raw Table IPP2P_MATCH= # IPP2P Match CLASSIFY_TARGET=Yes # CLASSIFY Target ENHANCED_REJECT=Yes # Extended REJECT -KLUDGEFREE= # iptables accepts multiple "-m iprange" or "-m physdev" in a single command +KLUDGEFREE= # iptables accepts multiple "-m iprange" or "-m physdev" in a single command +MARK=Yes # MARK Target Support +XMARK=YES # Extended MARK Target Support +MANGLE_FORWARD # Mangle table has FORWARD chain
As you can see, the file contains a simple list of shell variable @@ -279,15 +272,15 @@ KLUDGEFREE= # iptables accepts multiple "-m iprange" or "-m shorewall show capabilities command appear in the same order as the output of that command. - To aid in creating this file, Shorewall 3.1 and later include a - shorecap program. The program is installed in the - /usr/share/shorewall/ directory and may be copied to - /usr/bin on a remote system then run as follows: + To aid in creating this file, Shorewall Lite includes a + shorecap program. The program is installed in the + /usr/share/shorewall/ directory and may be run as + follows:
[ IPTABLES=<iptables binary> ] [ - MODULESDIR=<kernel modules directory> ] shorecap > - capabilities + MODULESDIR=<kernel modules directory> ] + /usr/share/shorewall/shorecap > capabilities
The IPTABLES and MODULESDIR options have their
- Running compiled programs + Running compiled programs directly Compiled firewall programs are complete programs that support the following run-line commands: diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml index 57001d3a9..4a7cfb80f 100644 --- a/docs/starting_and_stopping_shorewall.xml +++ b/docs/starting_and_stopping_shorewall.xml @@ -15,7 +15,7 @@ - 2006-05-31 + 2006-06-03 2004 @@ -647,8 +647,8 @@ compile (Shorewall 3.1 and later) - shorewall compile [ -e ] [ -d <distro> ] [ - <directory name> ] <path name> + shorewall compile [ -e ] [ <directory name> ] + <path name> Compiles the current configuration into the executable file <path name>. If <path name> names a file in @@ -656,36 +656,13 @@ command. When -e is specified, the compilation is being performed on a - system other than where the compiled script will run. This option - disables certain configuration options that require the script to be - compiled where it is to be run and allows the script to be run on a - system that does not have Shorewall installed at all. The file - /etc/shorewall/capabilities must be present when -e is used; that - file specifies the iptables/kernel capabilities on the target - system. - - When -d <distribution> is given, the script is built for - installation in /etc/init.d - on the distribution specified by <distro>. Currently supported - values for <distro>are: - - - redhat (also good for Fedora Core and CentOS) - - debian (Requires the soon to be released Shorewall-minimal - package to be run on Debian) - - suse - - - Usually specified together with -e. If not specified, the - output file is not suitable for installation into /etc/init.d/ - - Example:
- shorewall compile -ed redhat foo -
Additional distributions are expected to be supported - shortly.
+ system other than where the compiled script will run under Shorewall + Lite. This option disables certain configuration options that + require the script to be compiled where it is to be run and allows + the script to be run on a system where Shorewall Lite is installed. + The file /etc/shorewall/capabilities must be present when -e is + used; that file specifies the iptables/kernel capabilities on the + target system. The compiled script is a complete program that supports the following commands: @@ -715,10 +692,6 @@ The options have their same meaning is when they are passed to /sbin/shorewall itself. - When the '-e' option is specified during compilation, the - program may be installed in /etc/init.d/ and serve as the firewall - on a system without Shorewall installed. - For additional information about the compile command, see this article. diff --git a/tools/build/makeshorewall b/tools/build/makeshorewall index 2bbffb094..98056a332 100755 --- a/tools/build/makeshorewall +++ b/tools/build/makeshorewall @@ -56,17 +56,22 @@ RPMDIR=~/rpm/ # Directory where you want the release to be built # DIR=$PWD + ################################################################################ # V A R I A B L E S ################################################################################ VERSION= OLDVERSION= SHOREWALLDIR= +SHOREWALLLITEDIR= SOURCEDIR= SVNBRANCH= +LITESVNBRANCH= XMLPROJ= RPMNAME= +LITERPMNAME= TARBALL= +LITETARBALL= LOGFILE= HTMLDIR= BUILDTARBALL= @@ -74,6 +79,7 @@ BUILDRPM= BUILDXML= BUILDHTML= SAMPLESTAG= +HASLITE= ################################################################################ # F U N C T I O N S ################################################################################ 
@@ -214,15 +220,19 @@ case $VERSION in ;; 3.2.*) SVNBRANCH="trunk/Shorewall" + LITESVNBRANCH="trunk/Shorewall-lite" DOCTAG="trunk/docs" XMLPROJ="docs-3.2" SAMPLESTAG="trunk/Samples" + HASLITE=Yes ;; 3.3.*) SVNBRANCH="trunk/Shorewall" + LITESVNBRANCH="trunk/Shorewall-lite" DOCTAG="trunk/docs" XMLPROJ="docs-3.3" SAMPLESTAG="trunk/Samples" + HASLITE=Yes ;; *) echo "Unsupported Version: $VERSION" @@ -242,16 +252,22 @@ case $VERSION in # Beta or Release Candidate # SHOREWALLDIR=shorewall-${VERSION%-*} + SHOREWALLLITEDIR=shorewall-lite-${VERSION%-*} TARBALL=shorewall-${VERSION%-*}.tgz + LITETARBALL=shorewall-lite-${VERSION%-*}.tgz RPMNAME=shorewall-${VERSION%-*}-0${VERSION#*-}.noarch.rpm + LITERPMNAME=shorewall-lite-${VERSION%-*}-0${VERSION#*-}.noarch.rpm ;; *) # # Normal Release # SHOREWALLDIR=shorewall-$VERSION + SHOREWALLLITEDIR=shorewall-lite-$VERSION TARBALL=shorewall-$VERSION.tgz + LITETARBALL=shorewall-lite-$VERSION.tgz RPMNAME=shorewall-${VERSION}-1.noarch.rpm + LITERPMNAME=shorewall-lite-${VERSION}-1.noarch.rpm ;; esac @@ -259,9 +275,11 @@ HTMLDIR=shorewall-docs-html-$VERSION if [ -n "${BUILDTARBALL}${BUILDRPM}" ]; then report "Shorewall directory is $DIR/$SHOREWALLDIR" + report "Shorewall Lite directory is $DIR/$SHOREWALLLITEDIR" report "SVN tag is $SVNBRANCH" - [ -n "$BUILDTARBALL" ] && report "TARBALL is $TARBALL" - [ -n "$BUILDRPM" ] && report "RPM is $RPMNAME" + report "Lite SVN tag is $LITESVNBRANCH" + [ -n "$BUILDTARBALL" ] && report "TARBALL is $TARBALL" && report "LITETARBALL is $LITETARBALL" + [ -n "$BUILDRPM" ] && report "RPM is $RPMNAME" && report "LITERPM is $LITERPMNAME" fi [ -n "$BUILDHTML" ] && report "HTML Directory is $HTMLDIR" 
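Review bot: The two new `report` lines for the Lite directory and Lite SVN tag inside `if [ -n "${BUILDTARBALL}${BUILDRPM}" ]` run for every version, but `HASLITE` is set only in the 3.2.* and 3.3.* arms of the version `case` shown in this line (the arm that precedes them is outside the hunk and `HASLITE=` starts out empty), so a build of any other version prints `Shorewall Lite directory is $DIR/shorewall-lite-<ver>` and `Lite SVN tag is ` for a tree that is never exported. Guard them the way the export and build steps later in the diff are guarded, e.g. `[ -n "$HASLITE" ] && report "Shorewall Lite directory is $DIR/$SHOREWALLLITEDIR"` and the same for `LITESVNBRANCH`, `LITETARBALL` and `LITERPMNAME`. The chained form `[ -n "$BUILDTARBALL" ] && report "TARBALL is $TARBALL" && report "LITETARBALL is $LITETARBALL"` also drops the second message whenever `report` returns non-zero; `report` is defined outside this hunk, so that may be harmless, but a separate guarded line per message is clearer.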
@@ -270,14 +288,25 @@ if [ -n "${BUILDTARBALL}${BUILDRPM}" ]; then progress_message "Exporting $SVNBRANCH from SVN..." rm -rf $SHOREWALLDIR + rm -rf $SHOREWALLLITEDIR - do_or_die "svn export --non-interactive --force https://svn.sourceforge.net/svnroot/shorewall/$SVNBRANCH $SHOREWALLDIR >> $LOGFILE 2>&1" + do_or_die "svn export --non-interactive --force https://svn.sourceforge.net/svnroot/shorewall/$SVNBRANCH $SHOREWALLDIR >> $LOGFILE 2>&1" + if [ -n "$HASLITE" ]; then + progress_message "Exporting $LITESVNBRANCH from SVN..." + do_or_die "svn export --non-interactive --force https://svn.sourceforge.net/svnroot/shorewall/$LITESVNBRANCH $SHOREWALLLITEDIR >> $LOGFILE 2>&1" + fi fgrep VERSION=$VERSION $SHOREWALLDIR/install.sh > /dev/null 2>&1 || fatal_error "install.sh has wrong version" fgrep VERSION=$VERSION $SHOREWALLDIR/uninstall.sh > /dev/null 2>&1 || fatal_error "uninstall.sh has wrong version" fgrep VERSION=$VERSION $SHOREWALLDIR/fallback.sh > /dev/null 2>&1 || fatal_error "fallback.sh has wrong version" [ -f $SHOREWALLDIR/shorecap ] && \ { fgrep VERSION=$VERSION $SHOREWALLDIR/shorecap > /dev/null 2>&1 || fatal_error "shorecap has wrong version"; } + if [ -n "$HASLITE" ]; then + fgrep VERSION=$VERSION $SHOREWALLLITEDIR/install.sh > /dev/null 2>&1 || fatal_error "Lite install.sh has wrong version" + fgrep VERSION=$VERSION $SHOREWALLLITEDIR/uninstall.sh > /dev/null 2>&1 || fatal_error "Lite uninstall.sh has wrong version" + fgrep VERSION=$VERSION $SHOREWALLLITEDIR/fallback.sh > /dev/null 2>&1 || fatal_error "Lite fallback.sh has wrong version" + fgrep VERSION=$VERSION $SHOREWALLLITEDIR/shorecap > /dev/null 2>&1 || fatal_error "Lite shorecap has wrong version" + fi if [ -n "$SAMPLESTAG" ]; then cd $SHOREWALLDIR 
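Review bot: The added `rm -rf $SHOREWALLLITEDIR` sits outside the new `if [ -n "$HASLITE" ]` block and, like the existing `rm -rf $SHOREWALLDIR` beside it, is unquoted with no protection against an empty or space-containing value; `SHOREWALLLITEDIR` is built from `$VERSION`, whose origin is outside this chunk, so a version string with whitespace would pass the `3.2.*` pattern and expand into extra `rm -rf` operands relative to `$DIR`. Move it inside the guard and write it as `rm -rf -- "${SHOREWALLLITEDIR:?}"` so the shell aborts instead of expanding to nothing. The four new `fgrep VERSION=$VERSION $SHOREWALLLITEDIR/...` checks also report "has wrong version" when the file does not exist at all (fgrep fails on a missing file), and, being substring matches, `VERSION=3.2.1` would also accept a file containing `VERSION=3.2.10`; if the install scripts carry the assignment on a line of its own, `fgrep -x "VERSION=$VERSION"` pins it, and a preceding `[ -f ... ] || fatal_error "Lite shorecap is missing"` gives the right diagnosis.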
@@ -297,6 +326,17 @@ if [ -n "${BUILDTARBALL}${BUILDRPM}" ]; then rm -f ${shoreball}.asc do_or_die "$GPG $shoreball" done + if [ -n "$HASLITE" ]; then + progress_message "Creating $DIR/$LITETARBALL..." + do_or_die "tar -zcvf $LITETARBALL $SHOREWALLLITEDIR >> $LOGFILE 2>&1" + do_or_die "tar -jcvf shorewall-lite-${VERSION%-*}.tar.bz2 $SHOREWALLLITEDIR >> $LOGFILE 2>&1" + for shoresuffix in tgz tar.bz2; do + shoreball=shorewall-lite-${VERSION%-*}.${shoresuffix} + report "GPG signing $DIR/$shoreball" + rm -f ${shoreball}.asc + do_or_die "$GPG $shoreball" + done + fi fi if [ -n "$BUILDRPM" ]; then @@ -304,6 +344,13 @@ if [ -n "${BUILDTARBALL}${BUILDRPM}" ]; then do_or_die "rpmbuild -tb --sign $TARBALL >> $LOGFILE 2>&1" do_or_die cp -a $RPMDIR/RPMS/noarch/$RPMNAME . + + if [ -n "$HASLITE" ]; then + progress_message "Building $LITERPMNAME..." + + do_or_die "rpmbuild -tb --sign $LITETARBALL >> $LOGFILE 2>&1" + do_or_die cp -a $RPMDIR/RPMS/noarch/$LITERPMNAME . + fi fi fi @@ -442,6 +489,28 @@ fi rm -f ${betaball}.asc do_or_die "$GPG $betaball" done + + + if [ -n "$HASLITE" ]; then + progress_message "Creating $DIR/shorewall-lite-$VERSION..." + + rm -rf shorewall-lite-$VERSION + + do_or_die mv $SHOREWALLLITEDIR shorewall-lite-$VERSION + + + progress_message "Creating $DIR/shorewall-lite-${VERSION}.tgz ..." + + do_or_die "tar -zcvf shorewall-lite-${VERSION}.tgz shorewall-lite-$VERSION >> $LOGFILE 2>&1" + do_or_die "tar -jcvf shorewall-lite-$VERSION.tar.bz2 shorewall-lite-$VERSION >> $LOGFILE 2>&1" + + for shoresuffix in tgz tar.bz2; do + betaball=shorewall-lite-$VERSION.${shoresuffix} + report "GPG signing $DIR/$betaball tarball" + rm -f ${betaball}.asc + do_or_die "$GPG $betaball" + done + fi ;; esac 
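Review bot: The Lite tarball name is spelled three different ways in the first hunk on this line — `$LITETARBALL` for the tgz, a literal `shorewall-lite-${VERSION%-*}.tar.bz2` for the bz2, and `shorewall-lite-${VERSION%-*}.${shoresuffix}` again in the signing loop — so a change to `LITETARBALL` in the version `case` earlier in the diff would leave the bz2 and the GPG loop pointing at a differently named file while `rpmbuild -tb --sign $LITETARBALL` in the next hunk still uses the variable. Deriving everything from one stem, `liteball=${LITETARBALL%.tgz}` then `tar -jcvf $liteball.tar.bz2 ...` and `shoreball=$liteball.$shoresuffix`, keeps them in step. This mirrors the existing pattern for the main tarball, so it is a consistency point rather than a defect, but the export-tar-sign sequence now appears twice here and again in the Beta hunk below, and a small helper taking the stem would remove the repetition.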
@@ -457,6 +526,10 @@ case $VERSION in *Beta*|*RC*) do_or_die "md5sum shorewall-${VERSION%-*}-0${VERSION#*-}.noarch.rpm >> $VERSION.md5sums" do_or_die "sha1sum shorewall-${VERSION%-*}-0${VERSION#*-}.noarch.rpm >> $VERSION.sha1sums" + if [ -n "$HASLITE" ]; then + do_or_die "md5sum shorewall-lite-${VERSION%-*}-0${VERSION#*-}.noarch.rpm >> $VERSION.md5sums" + do_or_die "sha1sum shorewall-lite-${VERSION%-*}-0${VERSION#*-}.noarch.rpm >> $VERSION.sha1sums" + fi ;; esac diff --git a/tools/build/upload b/tools/build/upload index d955d778d..bc0ba2543 100755 --- a/tools/build/upload +++ b/tools/build/upload @@ -1,6 +1,7 @@ #/bin/sh rpm= +literpm= case $1 in *.*[13569].*) @@ -9,6 +10,7 @@ case $1 in *Beta*|*RC*) DEST="root@mail.shorewall.net:/srv/ftp/pub/shorewall/development/${1%.*}/shorewall-$1" rpm=shorewall-${1%-*}-0${1#*-}.noarch.rpm + literpm=shorewall-lite-${1%-*}-0${1#*-}.noarch.rpm ;; *) DEST="root@mail.shorewall.net:/srv/ftp/pub/shorewall/${1%.*}/shorewall-$1"
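Review bot: The new `md5sum`/`sha1sum` lines rebuild the Lite rpm file name by hand as `shorewall-lite-${VERSION%-*}-0${VERSION#*-}.noarch.rpm` although the `*Beta*|*RC*)` arm of the version `case` earlier in this diff already stores exactly that string in `LITERPMNAME`; use the variable, `do_or_die "md5sum $LITERPMNAME >> $VERSION.md5sums"` and `do_or_die "sha1sum $LITERPMNAME >> $VERSION.sha1sums"`, so the two cannot drift apart. The Lite tgz/tar.bz2 that were built and GPG-signed in the earlier hunks get no checksum entry here while the rpm does; the start of this checksum block is outside the hunk, so they may be covered there, but if the omission is deliberate because the detached `.asc` signatures cover them, a one-line comment saying so would help. Independently, MD5 and SHA-1 digests no longer give tamper evidence, so the GPG signatures are what consumers should be told to verify, and a `sha256sum` line alongside would be cheap to add.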
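Review bot: The first context line of the `upload` hunk is `#/bin/sh` — the `!` is missing, so it is an ordinary comment rather than a shebang, and since the file is mode 100755 executing `./upload` directly depends on the calling shell's fallback behaviour instead of running under `/bin/sh`. Change it to `#!/bin/sh`. The new `literpm=` initialiser itself is fine; its only assignment visible in this diff is in the `*Beta*|*RC*)` arm, and the place it is consumed is outside this chunk.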