mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-26 23:49:08 +01:00
Minor Cleanup
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3382 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
89f7d3220d
commit
72e5f6e53a
@ -17,7 +17,8 @@ Note to users upgrading from Shorewall 2.x or 3.0
|
|||||||
|
|
||||||
While you are at it, if you have a file named /etc/shorewall/rfc1918 then
|
While you are at it, if you have a file named /etc/shorewall/rfc1918 then
|
||||||
please check that file. If it has addresses listed that are NOT in one of
|
please check that file. If it has addresses listed that are NOT in one of
|
||||||
these three ranges, then please rename the file to /etc/shorewall/rfc1918.old.
|
these three ranges, then please rename the file to
|
||||||
|
/etc/shorewall/rfc1918.old.
|
||||||
|
|
||||||
10.0.0.0 - 10.255.255.255
|
10.0.0.0 - 10.255.255.255
|
||||||
172.16.0.0 - 172.31.255.255
|
172.16.0.0 - 172.31.255.255
|
||||||
@ -33,18 +34,16 @@ Problems Corrected in 3.1.4
|
|||||||
|
|
||||||
New Features added in 3.1.4
|
New Features added in 3.1.4
|
||||||
|
|
||||||
1) The /etc/shorewall/maclist file has a new column layout. The first column is
|
1) The /etc/shorewall/maclist file has a new column layout. The first column
|
||||||
now DISPOSITION. This column determines what to do with matching packets and
|
is now DISPOSITION. This column determines what to do with matching
|
||||||
can have the value ACCEPT or DROP (if MACLIST_TABLE=filter, it can also
|
packets and can have the value ACCEPT or DROP (if MACLIST_TABLE=filter, it
|
||||||
contain REJECT). This change is upward compatible so your existing maclist
|
can also contain REJECT). This change is upward compatible so your existing
|
||||||
file can still be used.
|
maclist file can still be used.
|
||||||
|
|
||||||
ACCEPT, DROP and REJECT may be optionally followed by a log level to cause the
|
ACCEPT, DROP and REJECT may be optionally followed by a log level to
|
||||||
packet to be logged.
|
cause the packet to be logged.
|
||||||
|
|
||||||
2) Shorewall has always been very noisy (lots of messages). No more. The default
|
2) Shorewall has always been very noisy (lots of messages). No more.
|
||||||
for new users is now to be very quiet and you get more detail using the -v option
|
|
||||||
(or -vv if you want the old noisy behavior).
|
|
||||||
|
|
||||||
You set the default level of verbosity using the VERBOSITY option in
|
You set the default level of verbosity using the VERBOSITY option in
|
||||||
shorewall.conf. If you don't set it (as would be the case of you use your
|
shorewall.conf. If you don't set it (as would be the case of you use your
|
||||||
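Review bot: the reflowed verbosity paragraph keeps the typo "as would be the case of you use your" (it should read "if you use your"), and the rewrap of item 2 drops the old sentence explaining that -v gives more detail and -vv restores the old noisy behaviour, so "No more." is now followed by nothing that says how to get the output back until the VERBOSITY paragraph; suggest keeping a short sentence such as "Use -v for more detail." after "No more."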
@ -52,22 +51,28 @@ New Features added in 3.1.4
|
|||||||
the old default. A value of 1 suppresses some of the output (like the old
|
the old default. A value of 1 suppresses some of the output (like the old
|
||||||
-q option did) while a value of 0 makes Shorewall almost silent.
|
-q option did) while a value of 0 makes Shorewall almost silent.
|
||||||
|
|
||||||
The value specified in the 3.2 shorewall.conf is 1. So you can make Shorewall
|
The value specified in the 3.2 shorewall.conf is 1. So you can make
|
||||||
as verbose as previously using a single -v and you can make it silent by using
|
Shorewall as verbose as previously using a single -v and you can make it
|
||||||
a single -1.
|
silent by using a single -q.
|
||||||
|
|
||||||
If the default is set at 2, you can still make a command silent by using two
|
If the default is set at 2, you can still make a command silent by using
|
||||||
"q"s (e.g., shorewall -qq restart).
|
two "q"s (e.g., shorewall -qq restart).
|
||||||
|
|
||||||
In summary, each "q" subtracts one from VERBOSITY while each "v" adds one to
|
In summary, each "q" subtracts one from VERBOSITY while each "v" adds one
|
||||||
VERBOSITY.
|
to VERBOSITY.
|
||||||
|
|
||||||
The "shorewall show log", "shorewall logwatch" and "shorewall dump" commands
|
The "shorewall show log", "shorewall logwatch" and "shorewall dump"
|
||||||
require VERBOSE to be greater than or equal to 3 to display MAC addresses.
|
commands require VERBOSE to be greater than or equal to 3 to display MAC
|
||||||
This is consistent with the previous implementation which required a single
|
addresses.This is consistent with the previous implementation which
|
||||||
-v to enable MAC display but means that if you set VERBOSITY=0 in shorewall.conf,
|
required a single -v to enable MAC display but means that if you set
|
||||||
then you will need to include -vvv in commands that display log records in
|
VERBOSITY=0 in shorewall.conf, then you will need to include -vvv in
|
||||||
order to have MACs displayed.
|
commands that display log records in order to have MACs displayed.
|
||||||
|
|
||||||
|
3) Shorewall now implements the 'start' and 'restart' using a "compile and
|
||||||
|
go" approach. See the details under the first new feature below.
|
||||||
|
|
||||||
|
4) The "-p" option to the 'compile' command is gone. Generation of a
|
||||||
|
complete program is now the default.
|
||||||
|
|
||||||
Migration Considerations:
|
Migration Considerations:
|
||||||
|
|
||||||
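Review bot: the rewrapped line "addresses.This is consistent with the previous implementation" is missing the space after the period. The same paragraph switches between VERBOSE (the shell variable) and VERBOSITY (the shorewall.conf option) although the preceding paragraphs only ever tell the user to set VERBOSITY; suggest "require VERBOSITY, after any -v/-q adjustment, to be greater than or equal to 3". Replacing "a single -1" with "a single -q" is the right fix, since no "-1" option is described anywhere in these notes.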
@ -77,7 +82,8 @@ New Features:
|
|||||||
|
|
||||||
1) A new 'shorewall generate' command has been added.
|
1) A new 'shorewall generate' command has been added.
|
||||||
|
|
||||||
shorewall generate [ -v ] [ -q ] [ -e ] [ <config directory> ] <script file>
|
shorewall generate [ -v ] [ -q ] [ -e ] [ <config directory> ] <script
|
||||||
|
file>
|
||||||
|
|
||||||
where:
|
where:
|
||||||
|
|
||||||
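Review bot: the rewrap splits the synopsis token "<script file>" across two lines ("<script" / "file>"), so the last parameter no longer reads as one item; a command synopsis is best kept on one line or wrapped at an option boundary such as before "[ <config directory> ]", with the continuation indented under the first option.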
@ -91,12 +97,13 @@ New Features:
|
|||||||
on a system without Shorewall installed.
|
on a system without Shorewall installed.
|
||||||
<config directory> Is an optional directory to be searched for
|
<config directory> Is an optional directory to be searched for
|
||||||
configuration files prior to those listed
|
configuration files prior to those listed
|
||||||
in CONFIG_DIR in /etc/shorewall/shorewall.conf.
|
in CONFIG_DIR in
|
||||||
|
/etc/shorewall/shorewall.conf.
|
||||||
<script file> Is the name of the output file.
|
<script file> Is the name of the output file.
|
||||||
|
|
||||||
The 'generate' command processes the configuration and writes a script file
|
The 'generate' command processes the configuration and writes a script
|
||||||
which may then be executed (either directly or using the 'shorewall restore'
|
file which may then be executed (either directly or using the
|
||||||
command) to configure the firewall.
|
'shorewall restore' command) to configure the firewall.
|
||||||
|
|
||||||
'compile' is a synonym for 'generate':
|
'compile' is a synonym for 'generate':
|
||||||
|
|
||||||
@ -105,12 +112,12 @@ New Features:
|
|||||||
The generated script contains error checking and will terminate if an
|
The generated script contains error checking and will terminate if an
|
||||||
important command fails. Before terminating:
|
important command fails. Before terminating:
|
||||||
|
|
||||||
a) The script will check for the existence of the restore script specified
|
a) The script will check for the existence of the restore script
|
||||||
by the RESTOREFILE variable in shorewall.conf. If that restore script
|
specified by the RESTOREFILE variable in shorewall.conf. If that
|
||||||
exists, it is executed.
|
restore script exists, it is executed.
|
||||||
|
|
||||||
b) If the restore script doesn't exist but Shorewall appears to be installed
|
b) If the restore script doesn't exist but Shorewall appears to be
|
||||||
on the system, an "/sbin/shorewall stop" command is executed.
|
installed on the system, an "/sbin/shorewall stop" command is executed.
|
||||||
|
|
||||||
Some additional considerations:
|
Some additional considerations:
|
||||||
|
|
||||||
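Review bot: fallbacks a) and b) should state what configuration the firewall is left with after a failed run: executing the RESTOREFILE script brings back the previously saved configuration rather than the one that just failed, while "/sbin/shorewall stop" leaves the firewall in its stopped state. One sentence after b) saying so would tell readers which outcome to expect on their system and why keeping the saved restore script current matters.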
@ -123,14 +130,15 @@ New Features:
|
|||||||
2) The 'detectnets' interface option is not allowed.
|
2) The 'detectnets' interface option is not allowed.
|
||||||
|
|
||||||
b) If you have extension scripts, they may need modification. Some of
|
b) If you have extension scripts, they may need modification. Some of
|
||||||
the scripts will be run at compile time, rather than when the generated
|
the scripts will be run at compile time, rather than when the
|
||||||
script is executed. The standard functions like 'run_iptables' and
|
generated script is executed. The standard functions like
|
||||||
'log_rule_limit' will write the iptables command to the script file
|
'run_iptables' and 'log_rule_limit' will write the iptables command
|
||||||
rather than executing the command. As always, you can check $COMMAND
|
to the script file rather than executing the command. As always, you
|
||||||
to determine which shorewall command is being executed.
|
can check $COMMAND to determine which shorewall command is being
|
||||||
|
executed.
|
||||||
|
|
||||||
Extension Scripts that are run at compile time rather than at run-time
|
Extension Scripts that are run at compile time rather than at
|
||||||
are:
|
run-time are:
|
||||||
|
|
||||||
- params
|
- params
|
||||||
- init
|
- init
|
||||||
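Review bot: item b) should spell out the consequence for commands that an extension script runs directly instead of through 'run_iptables' or 'log_rule_limit': those execute on the host at compile time, not when the generated script runs, which matters for scripts generated with -e for "a system without Shorewall installed" as described under 'generate' above. Suggest adding, after the $COMMAND sentence, that only iptables commands issued through the standard functions end up in the generated script.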
@ -138,7 +146,8 @@ New Features:
|
|||||||
- initdone
|
- initdone
|
||||||
- start
|
- start
|
||||||
- started
|
- started
|
||||||
- All scripts associated with a given chain such as Action chains
|
- All scripts associated with a given chain such as Action
|
||||||
|
chains
|
||||||
|
|
||||||
In addition to 'generate', a 'shorewall reload' command has been added.
|
In addition to 'generate', a 'shorewall reload' command has been added.
|
||||||
|
|
||||||
@ -149,11 +158,13 @@ New Features:
|
|||||||
The 'reload' command creates a script using 'generate' and if there are
|
The 'reload' command creates a script using 'generate' and if there are
|
||||||
no errors, it then restores that script. It is equivalent to:
|
no errors, it then restores that script. It is equivalent to:
|
||||||
|
|
||||||
if shorewall generate /var/lib/shorewall/.reload; then restore .reload; fi
|
if shorewall generate /var/lib/shorewall/.reload; then
|
||||||
|
restore .reload;
|
||||||
|
fi
|
||||||
|
|
||||||
The advantage of using reload over restart is that reload results in new
|
The advantage of using reload over restart is that reload results in new
|
||||||
connections being dropped for a much shorter time. Here are the results of
|
connections being dropped for a much shorter time. Here are the results
|
||||||
tests that I conducted on my own firewall:
|
of tests that I conducted on my own firewall:
|
||||||
|
|
||||||
A) shorewall restart (Shorewall 3.0.4)
|
A) shorewall restart (Shorewall 3.0.4)
|
||||||
|
|
||||||
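Review bot: the "equivalent to" line mixes a full "shorewall generate ..." with a bare "restore .reload"; since the restore step is described elsewhere as the 'shorewall restore' command, it should read "shorewall restore .reload" (or "/sbin/shorewall restore .reload", matching the /sbin/shorewall form used earlier in these notes). It would also help to say that the leading dot in ".reload" marks it as one of the reserved names that validate_restorefile now rejects for user-chosen RESTOREFILE values, so reload cannot overwrite a user's own saved script.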
@ -176,10 +187,10 @@ New Features:
|
|||||||
sys 0m0.608s
|
sys 0m0.608s
|
||||||
|
|
||||||
The time difference between B and C reflects the difference between
|
The time difference between B and C reflects the difference between
|
||||||
"iptables-restore" and multiple executions of "iptables". The system is a
|
"iptables-restore" and multiple executions of "iptables". The system is
|
||||||
1.4Ghz Celeron with 512MB RAM.
|
a 1.4Ghz Celeron with 512MB RAM.
|
||||||
|
|
||||||
Compilation generates a complete program This program is suitable for
|
Compilation generates a complete program. This program is suitable for
|
||||||
installation into /etc/init.d and, when generated with the "-e" option,
|
installation into /etc/init.d and, when generated with the "-e" option,
|
||||||
can serve as your firewall on a system that doesn't even have Shorewall
|
can serve as your firewall on a system that doesn't even have Shorewall
|
||||||
installed.
|
installed.
|
||||||
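Review bot: style point on the context line "1.4Ghz Celeron": the unit is written GHz. The added period in "Compilation generates a complete program." is a correct fix to the run-on sentence.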
@ -193,14 +204,20 @@ New Features:
|
|||||||
<program> [ -q ] [ -v ] [ -n ] status
|
<program> [ -q ] [ -v ] [ -n ] status
|
||||||
<program> [ -q ] [ -v ] [ -n ] version
|
<program> [ -q ] [ -v ] [ -n ] version
|
||||||
|
|
||||||
The "shorewall start" and "shorewall restart" commands have been rewritten
|
The "shorewall start" and "shorewall restart" commands have been
|
||||||
to use compilation. They both compile a temporary program then run it. This
|
rewritten to use compilation. They both compile a temporary program
|
||||||
results in a slightly longer elapsed time than the similar commands required
|
then run it. This results in a slightly longer elapsed time than the
|
||||||
under earlier versions of Shorewall but new connections are blocked for a
|
similar commands required under earlier versions of Shorewall but new
|
||||||
much smaller percentage of that time as shown by the numbers above. Under
|
connections are blocked for a much smaller percentage of that time as
|
||||||
Shorewall 3.1.4, "shorewall restart" takes roughly 20.5 seconds on my
|
shown by the numbers above. Under Shorewall 3.1.4, "shorewall restart"
|
||||||
firewall:
|
takes roughly 20.5 seconds on my firewall:
|
||||||
|
|
||||||
real 0m20.206s
|
real 0m20.206s
|
||||||
user 0m7.412s
|
user 0m7.412s
|
||||||
sys 0m12.773s
|
sys 0m12.773s
|
||||||
|
|
||||||
|
As a final part of this change, the "check" command now compiles the
|
||||||
|
current configuration then discards the generated script. So "check"
|
||||||
|
performs all of the same checks that compile does. Note that there is
|
||||||
|
still no guarantee that the generated script won't encounter run-time
|
||||||
|
errors.
|
||||||
|
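Review bot: the text says "shorewall restart" takes "roughly 20.5 seconds" but the measurement shown directly below it is real 0m20.206s; either round to "roughly 20 seconds" or quote the measured value. In the new paragraph about "check", the caveat that "there is still no guarantee that the generated script won't encounter run-time errors" would be clearer with the reason these notes already give elsewhere: the iptables commands written by the standard functions, and any extension script not in the compile-time list, only execute when the generated script runs, so "check" cannot exercise them.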
@ -179,7 +179,11 @@ validate_restorefile() # $* = label
|
|||||||
{
|
{
|
||||||
case $RESTOREFILE in
|
case $RESTOREFILE in
|
||||||
*/*)
|
*/*)
|
||||||
echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2
|
error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
|
||||||
|
exit 2
|
||||||
|
;;
|
||||||
|
.*)
|
||||||
|
error_message "ERROR: Reserved File Name: $RESTOREFILE"
|
||||||
exit 2
|
exit 2
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
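Review bot: the new ".*)" branch drops the "$@" label that the "*/*)" branch keeps, so a rejected dot-prefixed name reports "Reserved File Name: ..." without saying which setting (the label passed in $*) supplied it; suggest error_message "ERROR: $@ may not begin with '.' (reserved file name): $RESTOREFILE". The ordering is fine as written: "*/*" is tested first, so a value such as "./foo" is rejected for containing a slash before the dot rule is reached, and the dot rule then catches "." and ".." as well as the internal ".reload" name used by reload.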
@ -488,6 +492,7 @@ save_config() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Start Command Executor
|
# Start Command Executor
|
||||||
#
|
#
|
||||||
@ -1802,6 +1807,10 @@ case "$COMMAND" in
|
|||||||
VERBOSE=$(($VERBOSE + 1 ))
|
VERBOSE=$(($VERBOSE + 1 ))
|
||||||
option=${option#v}
|
option=${option#v}
|
||||||
;;
|
;;
|
||||||
|
q*)
|
||||||
|
VERBOSE=$(($VERBOSE - 1 ))
|
||||||
|
option=${option#q}
|
||||||
|
;;
|
||||||
-)
|
-)
|
||||||
finished=1
|
finished=1
|
||||||
option=
|
option=
|
||||||
|
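Review bot: the new "q*)" branch decrements VERBOSE with no lower bound, so repeated -q drives it negative (VERBOSITY=1 with -qq gives -1), whereas the release notes present 0 as the silent floor; the existing v* branch has no upper bound either, so the two are consistent, but a one-line clamp after option parsing, or a sentence in the release notes that values below 0 behave as 0, would make the "each q subtracts one" description exact. As with the v* branch, the arithmetic assumes VERBOSE already holds a number, which holds only if it is initialised from VERBOSITY before the option loop runs.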