diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 89aa10118..a93251c0f 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -605,21 +605,26 @@ our %validlevels; # Valid log levels.
#
# Deprecated options with their default values
#
-our %deprecated = ( LOGRATE => '' ,
- LOGBURST => '' ,
- EXPORTPARAMS => 'no',
- WIDE_TC_MARKS => 'no',
+our %deprecated = ( WIDE_TC_MARKS => 'no',
HIGH_ROUTE_MARKS => 'no',
BLACKLISTNEWONLY => 'yes',
);
#
# Deprecated options that are eliminated via update
#
-our %converted = ( WIDE_TC_MARKS => 1,
+our %converted = ( WIDE_TC_MARKS => 1,
HIGH_ROUTE_MARKS => 1,
BLACKLISTNEWONLY => 1,
);
#
+# Eliminated options
+#
+our %eliminated = ( LOGRATE => 1,
+ LOGBURST => 1,
+ EXPORTPARAMS => 1,
+ LEGACY_FASTSTART => 1,
+ );
+#
# Variables involved in ?IF, ?ELSE ?ENDIF processing
#
our $omitting;
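Review bot: The new `%eliminated` table carries only the comment `# Eliminated options`, which does not say how it differs from `%deprecated` and `%converted` just above it. Going by the branch this patch adds to process_shorewall_conf, a fuller comment would be `# Eliminated options: no longer supported; a setting found in the .conf file only draws a warning`. Every value is 1 and that branch tests truthiness (`$eliminated{$var}`), while the neighbouring lookup uses `exists $renamed{$var}`; writing `exists $eliminated{$var}` there would keep the two lookups consistent.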
@@ -730,8 +735,6 @@ sub initialize( $;$$) {
LOGFORMAT => undef,
LOGTAGONLY => undef,
LOGLIMIT => undef,
- LOGRATE => undef,
- LOGBURST => undef,
LOGALLNEW => undef,
BLACKLIST_LOG_LEVEL => undef,
RELATED_LOG_LEVEL => undef,
@@ -840,7 +843,6 @@ sub initialize( $;$$) {
FORWARD_CLEAR_MARK => undef,
COMPLETE => undef,
EXPORTMODULES => undef,
- LEGACY_FASTSTART => undef,
USE_PHYSICAL_NAMES => undef,
HELPERS => undef,
AUTOHELPERS => undef,
@@ -4838,7 +4840,8 @@ sub update_config_file( $$ ) {
#
$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
}
- if ( -f $fn ) {
+
+ if ( -f $fn ) {
my ( $template, $output );
open $template, '<' , $fn or fatal_error "Unable to open $fn: $!";
@@ -4959,6 +4962,8 @@ sub process_shorewall_conf( $$$ ) {
unless ( exists $config{$var} ) {
if ( exists $renamed{$var} ) {
$var = $renamed{$var};
+ } elsif ( $eliminated{$var} ) {
+ warning_message "The $var configuration option is no longer supported";
} else {
warning_message "Unknown configuration option ($var) ignored";
next ;
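Review bot: The added `elsif ( $eliminated{$var} )` branch warns but has no `next`, unlike the unknown-option branch below it, so control leaves the `unless` block and continues with the code after it (outside this hunk), which presumably stores the value under a key that `initialize` no longer defines. Adding `next;` after the `warning_message` line would skip the setting as the message implies. The message also names no replacement: with the LOGRATE/LOGBURST branch removed from get_configuration in this patch, a configuration that relied on those two options and sets no LOGLIMIT appears to end up with `$globals{LOGLIMIT} = ''`, that is, log rules with no rate limit and the disk and CPU exposure that brings under heavy traffic. For those two options the warning should point at LOGLIMIT, for example `warning_message "The $var configuration option is no longer supported; use LOGLIMIT";`.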
@@ -5543,22 +5548,6 @@ sub get_configuration( $$$$$ ) {
}
$globals{LOGLIMIT} = $limit;
-
- warning_message "LOGRATE Ignored when LOGLIMIT is specified" if $config{LOGRATE};
- warning_message "LOGBURST Ignored when LOGLIMIT is specified" if $config{LOGBURST};
-
- } elsif ( $config{LOGRATE} || $config{LOGBURST} ) {
- if ( supplied $config{LOGRATE} ) {
- fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;
- }
-
- if ( supplied $config{LOGBURST} ) {
- fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
- }
-
- $globals{LOGLIMIT} = '-m limit ';
- $globals{LOGLIMIT} .= "--limit $config{LOGRATE} " if supplied $config{LOGRATE};
- $globals{LOGLIMIT} .= "--limit-burst $config{LOGBURST} " if supplied $config{LOGBURST};
} else {
$globals{LOGLIMIT} = '';
}
@@ -5768,7 +5757,6 @@ sub get_configuration( $$$$$ ) {
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : '';
default_yes_no 'COMPLETE' , '';
default_yes_no 'EXPORTMODULES' , '';
- default_yes_no 'LEGACY_FASTSTART' , 'Yes';
default_yes_no 'USE_PHYSICAL_NAMES' , '';
default_yes_no 'IPSET_WARNINGS' , 'Yes';
default_yes_no 'AUTOHELPERS' , 'Yes';
diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std
index 14a88361a..c5874372e 100644
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -308,21 +308,6 @@ get_config() {
;;
esac
- case $LEGACY_FASTSTART in
- Yes|yes)
- ;;
- No|no)
- LEGACY_FASTSTART=
- ;;
- *)
- if [ -n "$LEGACY_FASTSTART" ]; then
- fatal_error "Invalid LEGACY_FASTSTART setting ($LEGACY_FASTSTART)"
- fi
-
- LEGACY_FASTSTART=Yes
- ;;
- esac
-
if [ -n "$WORKAROUNDS" ]; then
case $WORKAROUNDS in
[Yy]es)
@@ -608,38 +593,13 @@ start_command() {
esac
if [ -n "${g_fast}${AUTOMAKE}" ]; then
- if [ -z "$g_fast" -o -z "${LEGACY_FASTSTART}${g_counters}" ]; then
- #
- # Automake or ( LEGACY_FASTSTART=No and not -C ) -- use the last compiled script
- #
- object=firewall
- else
- #
- # 'start -f' with ( LEGACY_FASTSTART=Yes or -C ) -- use last saved configuration
- #
- object=$RESTOREFILE
- fi
-
if ! uptodate ${VARDIR}/$object; then
g_fast=
AUTOMAKE=
fi
-
- if [ -n "$g_fast" -a $object = $RESTOREFILE ]; then
- g_restorepath=${VARDIR}/$object
- [ -n "$nolock" ] || mutex_on
- echo Restoring Shorewall...
- run_it $g_restorepath restore
- rc=$?
- [ -n "$nolock" ] || mutex_off
- [ $rc -eq 0 ] && progress_message3 "$g_product restored from $g_restorepath"
- exit $rc
- else
- do_it
- fi
- else
- do_it
fi
+
+ do_it
}
#
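Review bot: `$object` is still expanded in `uptodate ${VARDIR}/$object`, but the block that assigned it (`object=firewall` / `object=$RESTOREFILE`) is removed here and no other assignment is visible in the hunk. Unless start_command sets it earlier, outside this hunk, the test now runs against `${VARDIR}/` itself, so the decision to clear `g_fast` and `AUTOMAKE` no longer reflects whether the compiled script is current. Since the compiled script is the only candidate left, the line can name it directly: `if ! uptodate ${VARDIR}/firewall; then`.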
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 5216239de..25c6da338 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -822,33 +822,6 @@ net all DROP infothen the chain name is 'net-all'
-
- EXPORTPARAMS={Yes|No}
-
-
- Deprecated in Shorewall 4.4.17.
-
- Beginning with Shorewall 4.4.17, the variables set in the
- 'params' file at compile time are available at run time with
- EXPORTPARAMS=No. As a consequence, beginning with that version the
- recommended setting is EXPORTPARAMS=No.
-
- It is quite difficult to code a 'params' file that assigns
- other than constant values such that it works correctly with
- Shorewall Lite. The EXPORTPARAMS option works around this problem.
- When EXPORTPARAMS=No, the 'params' file is not copied to the
- compiler output.
-
- With EXPORTPARAMS=No, if you need to set environmental
- variables on the firewall system for use by your extension scripts,
- then do so in the init extension script.
-
- The default is EXPORTPARAMS=Yes which is the recommended
- setting unless you are using Shorewall Lite.
-
-
-
FASTACCEPT={Yes|No}
@@ -1458,10 +1431,10 @@ net all DROP infothen the chain name is 'net-all'
To help insure that all packets in the NEW state are
- logged, rate limiting (LOGBURST and LOGRATE) should be disabled
- when using LOGALLNEW. Use LOGALLNEW at your own risk; it may
- cause high CPU and disk utilization and you may not be able to
- control your firewall after you enable this option.
+ logged, rate limiting (LOGLIMIT) should be disabled when using
+ LOGALLNEW. Use LOGALLNEW at your own risk; it may cause high CPU
+ and disk utilization and you may not be able to control your
+ firewall after you enable this option.
@@ -1543,48 +1516,6 @@ net all DROP infothen the chain name is 'net-all'
-
- LOGBURST=[burst]
-
-
- Deprecated in Shorewall 4.4.12.
-
-
-
-
- LOGRATE=[rate/{minute|second}]
-
-
- Deprecated in Shorewall 4.4.12. These options are ignored when
- LOGLIMIT is specified.
-
- These parameters set the match rate and initial burst size for
- logged packets. Please see iptables(8) for a description of the
- behavior of these parameters (the iptables option --limit is set by
- LOGRATE and --limit-burst is set by LOGBURST). If both parameters
- are set empty, no rate-limiting will occur. If you supply one of
- these, then you should also supply the other.
-
- Example:
-
- LOGRATE=10/minute
- LOGBURST=5
-
- For each logging rule, the first time the rule is reached, the
- packet will be logged; in fact, since the burst is 5, the first five
- packets will be logged. After this, it will be 6 seconds (1 minute
- divided by the rate of 10) before a message will be logged from the
- rule, regardless of how many packets reach it. Also, every 6
- seconds, one of the bursts will be regained; if no packets hit the
- rule for 30 seconds, the burst will be fully recharged; back where
- we started.
-
-
-
LOGTAGONLY=[Yes|No]
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 50fc62179..a37d0265b 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -707,33 +707,6 @@ net all DROP infothen the chain name is 'net-all'
-
- EXPORTPARAMS={Yes|No}
-
-
- Deprecated beginning with Shorewall 4.4.17.
-
- Beginning with Shorewall 4.4.17, the variables set in the
- 'params' file at compile time are available at run time with
- EXPORTPARAMS=No. As a consequence, beginning with that version the
- recommended setting is EXPORTPARAMS=No.
-
- It is quite difficult to code a 'params' file that assigns
- other than constant values such that it works correctly with
- Shorewall6 Lite. The EXPORTPARAMS option works around this problem.
- When EXPORTPARAMS=No, the 'params' file is not copied to the
- compiler output.
-
- With EXPORTPARAMS=No, if you need to set environmental
- variables on the firewall system for use by your extension scripts,
- then do so in the init extension script.
-
- The default is EXPORTPARAMS=Yes which is the recommended
- setting unless you are running Shorewall6 Lite.
-
-
-
FASTACCEPT={Yes|No}
@@ -1274,10 +1247,10 @@ net all DROP infothen the chain name is 'net-all'
To help insure that all packets in the NEW state are
- logged, rate limiting (LOGBURST and LOGRATE) should be disabled
- when using LOGALLNEW. Use LOGALLNEW at your own risk; it may
- cause high CPU and disk utilization and you may not be able to
- control your firewall after you enable this option.
+ logged, rate limiting (LOGLIMIT) should be disabled when using
+ LOGALLNEW. Use LOGALLNEW at your own risk; it may cause high CPU
+ and disk utilization and you may not be able to control your
+ firewall after you enable this option.
@@ -1358,48 +1331,6 @@ net all DROP infothen the chain name is 'net-all'
-
- LOGBURST=[burst]
-
-
- Deprecated in Shorewall 4.4.12.
-
-
-
-
- LOGRATE=[rate/{minute|second}]
-
-
- As of Shorewall 4.4.12, these parameters are
- Deprecated.
-
- These parameters set the match rate and initial burst size for
- logged packets. Please see ip6tables(8) for a description of the
- behavior of these parameters (the ip6tables option --limit is set by
- LOGRATE and --limit-burst is set by LOGBURST). If both parameters
- are set empty, no rate-limiting will occur. If you supply one of
- these, then you should also supply the other.
-
- Example:
-
- LOGRATE=10/minute
- LOGBURST=5
-
- For each logging rule, the first time the rule is reached, the
- packet will be logged; in fact, since the burst is 5, the first five
- packets will be logged. After this, it will be 6 seconds (1 minute
- divided by the rate of 10) before a message will be logged from the
- rule, regardless of how many packets reach it. Also, every 6
- seconds, one of the bursts will be regained; if no packets hit the
- rule for 30 seconds, the burst will be fully recharged; back where
- we started.
-
-
-
LOGTAGONLY=[Yes|No]