extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-22 14:20:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

Deimplement several .conf options

Browse Source 
- LOGRATE/LOGBURST
- EXPORTPARAMS
- LEGACY_FASTSTART
This commit is contained in:
Tom Eastep 2015-08-01 11:11:35 -07:00
parent 67589cab69
commit 85648bded1
4 changed files with 24 additions and 214 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
Shorewall/Perl/Shorewall/Config.pm
View File

@ -605,10 +605,7 @@ our %validlevels; # Valid log levels.
# #
# Deprecated options with their default values # Deprecated options with their default values
# #
our %deprecated = ( LOGRATE => '' , our %deprecated = ( WIDE_TC_MARKS => 'no',
LOGBURST => '' ,
EXPORTPARAMS => 'no',
WIDE_TC_MARKS => 'no',
HIGH_ROUTE_MARKS => 'no', HIGH_ROUTE_MARKS => 'no',
BLACKLISTNEWONLY => 'yes', BLACKLISTNEWONLY => 'yes',
); );
@ -620,6 +617,14 @@ our %converted = ( WIDE_TC_MARKS => 1,
BLACKLISTNEWONLY => 1, BLACKLISTNEWONLY => 1,
); );
# #
# Eliminated options
#
our %eliminated = ( LOGRATE => 1,
LOGBURST => 1,
EXPORTPARAMS => 1,
LEGACY_FASTSTART => 1,
);
#
# Variables involved in ?IF, ?ELSE ?ENDIF processing # Variables involved in ?IF, ?ELSE ?ENDIF processing
# #
our $omitting; our $omitting;
@ -730,8 +735,6 @@ sub initialize( $;$$) {
LOGFORMAT => undef, LOGFORMAT => undef,
LOGTAGONLY => undef, LOGTAGONLY => undef,
LOGLIMIT => undef, LOGLIMIT => undef,
LOGRATE => undef,
LOGBURST => undef,
LOGALLNEW => undef, LOGALLNEW => undef,
BLACKLIST_LOG_LEVEL => undef, BLACKLIST_LOG_LEVEL => undef,
RELATED_LOG_LEVEL => undef, RELATED_LOG_LEVEL => undef,
@ -840,7 +843,6 @@ sub initialize( $;$$) {
FORWARD_CLEAR_MARK => undef, FORWARD_CLEAR_MARK => undef,
COMPLETE => undef, COMPLETE => undef,
EXPORTMODULES => undef, EXPORTMODULES => undef,
LEGACY_FASTSTART => undef,
USE_PHYSICAL_NAMES => undef, USE_PHYSICAL_NAMES => undef,
HELPERS => undef, HELPERS => undef,
AUTOHELPERS => undef, AUTOHELPERS => undef,
@ -4838,6 +4840,7 @@ sub update_config_file( $$ ) {
# #
$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf"; $fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
} }
if ( -f $fn ) { if ( -f $fn ) {
my ( $template, $output ); my ( $template, $output );
@ -4959,6 +4962,8 @@ sub process_shorewall_conf( $$$ ) {
unless ( exists $config{$var} ) { unless ( exists $config{$var} ) {
if ( exists $renamed{$var} ) { if ( exists $renamed{$var} ) {
$var = $renamed{$var}; $var = $renamed{$var};
} elsif ( $eliminated{$var} ) {
warning_message "The $var configuration option is no longer supported";
} else { } else {
warning_message "Unknown configuration option ($var) ignored"; warning_message "Unknown configuration option ($var) ignored";
next ; next ;
@ -5543,22 +5548,6 @@ sub get_configuration( $$$$$ ) {
} }
$globals{LOGLIMIT} = $limit; $globals{LOGLIMIT} = $limit;
warning_message "LOGRATE Ignored when LOGLIMIT is specified" if $config{LOGRATE};
warning_message "LOGBURST Ignored when LOGLIMIT is specified" if $config{LOGBURST};
} elsif ( $config{LOGRATE} || $config{LOGBURST} ) {
if ( supplied $config{LOGRATE} ) {
fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;
}
if ( supplied $config{LOGBURST} ) {
fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
}
$globals{LOGLIMIT} = '-m limit ';
$globals{LOGLIMIT} .= "--limit $config{LOGRATE} " if supplied $config{LOGRATE};
$globals{LOGLIMIT} .= "--limit-burst $config{LOGBURST} " if supplied $config{LOGBURST};
} else { } else {
$globals{LOGLIMIT} = ''; $globals{LOGLIMIT} = '';
} }
@ -5768,7 +5757,6 @@ sub get_configuration( $$$$$ ) {
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : ''; default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : '';
default_yes_no 'COMPLETE' , ''; default_yes_no 'COMPLETE' , '';
default_yes_no 'EXPORTMODULES' , ''; default_yes_no 'EXPORTMODULES' , '';
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
default_yes_no 'USE_PHYSICAL_NAMES' , ''; default_yes_no 'USE_PHYSICAL_NAMES' , '';
default_yes_no 'IPSET_WARNINGS' , 'Yes'; default_yes_no 'IPSET_WARNINGS' , 'Yes';
default_yes_no 'AUTOHELPERS' , 'Yes'; default_yes_no 'AUTOHELPERS' , 'Yes';

42
Shorewall/lib.cli-std
View File

@ -308,21 +308,6 @@ get_config() {
;; ;;
esac esac
case $LEGACY_FASTSTART in
Yes|yes)
;;
No|no)
LEGACY_FASTSTART=
;;
*)
if [ -n "$LEGACY_FASTSTART" ]; then
fatal_error "Invalid LEGACY_FASTSTART setting ($LEGACY_FASTSTART)"
fi
LEGACY_FASTSTART=Yes
;;
esac
if [ -n "$WORKAROUNDS" ]; then if [ -n "$WORKAROUNDS" ]; then
case $WORKAROUNDS in case $WORKAROUNDS in
[Yy]es) [Yy]es)
@ -608,38 +593,13 @@ start_command() {
esac esac
if [ -n "${g_fast}${AUTOMAKE}" ]; then if [ -n "${g_fast}${AUTOMAKE}" ]; then
if [ -z "$g_fast" -o -z "${LEGACY_FASTSTART}${g_counters}" ]; then
#
# Automake or ( LEGACY_FASTSTART=No and not -C ) -- use the last compiled script
#
object=firewall
else
#
# 'start -f' with ( LEGACY_FASTSTART=Yes or -C ) -- use last saved configuration
#
object=$RESTOREFILE
fi
if ! uptodate ${VARDIR}/$object; then if ! uptodate ${VARDIR}/$object; then
g_fast= g_fast=
AUTOMAKE= AUTOMAKE=
fi fi
fi
if [ -n "$g_fast" -a $object = $RESTOREFILE ]; then
g_restorepath=${VARDIR}/$object
[ -n "$nolock" ] || mutex_on
echo Restoring Shorewall...
run_it $g_restorepath restore
rc=$?
[ -n "$nolock" ] || mutex_off
[ $rc -eq 0 ] && progress_message3 "$g_product restored from $g_restorepath"
exit $rc
else
do_it do_it
fi
else
do_it
fi
} }
# #

77
Shorewall/manpages/shorewall.conf.xml
View File

@ -822,33 +822,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">EXPORTPARAMS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Deprecated in Shorewall 4.4.17.</para>
<para>Beginning with Shorewall 4.4.17, the variables set in the
'params' file at compile time are available at run time with
EXPORTPARAMS=No. As a consequence, beginning with that version the
recommended setting is EXPORTPARAMS=No.</para>
<para>It is quite difficult to code a 'params' file that assigns
other than constant values such that it works correctly with
Shorewall Lite. The EXPORTPARAMS option works around this problem.
When EXPORTPARAMS=No, the 'params' file is not copied to the
compiler output.</para>
<para>With EXPORTPARAMS=No, if you need to set environmental
variables on the firewall system for use by your extension scripts,
then do so in the init extension script.</para>
<para>The default is EXPORTPARAMS=Yes which is the recommended
setting unless you are using Shorewall Lite.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">FASTACCEPT=</emphasis>{<emphasis <term><emphasis role="bold">FASTACCEPT=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -1458,10 +1431,10 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<important> <important>
<para>To help insure that all packets in the NEW state are <para>To help insure that all packets in the NEW state are
logged, rate limiting (LOGBURST and LOGRATE) should be disabled logged, rate limiting (LOGLIMIT) should be disabled when using
when using LOGALLNEW. Use LOGALLNEW at your own risk; it may LOGALLNEW. Use LOGALLNEW at your own risk; it may cause high CPU
cause high CPU and disk utilization and you may not be able to and disk utilization and you may not be able to control your
control your firewall after you enable this option.</para> firewall after you enable this option.</para>
</important> </important>
<para/> <para/>
@ -1543,48 +1516,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOGBURST=</emphasis>[<emphasis>burst</emphasis>]</term>
<listitem>
<para>Deprecated in Shorewall 4.4.12.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOGRATE=</emphasis>[<emphasis>rate</emphasis>/{<emphasis
role="bold">minute</emphasis>|<emphasis
role="bold">second</emphasis>}]</term>
<listitem>
<para>Deprecated in Shorewall 4.4.12. These options are ignored when
LOGLIMIT is specified.</para>
<para>These parameters set the match rate and initial burst size for
logged packets. Please see iptables(8) for a description of the
behavior of these parameters (the iptables option --limit is set by
LOGRATE and --limit-burst is set by LOGBURST). If both parameters
are set empty, no rate-limiting will occur. If you supply one of
these, then you should also supply the other.</para>
<para>Example:</para>
<programlisting> LOGRATE=10/minute
LOGBURST=5</programlisting>
<para>For each logging rule, the first time the rule is reached, the
packet will be logged; in fact, since the burst is 5, the first five
packets will be logged. After this, it will be 6 seconds (1 minute
divided by the rate of 10) before a message will be logged from the
rule, regardless of how many packets reach it. Also, every 6
seconds, one of the bursts will be regained; if no packets hit the
rule for 30 seconds, the burst will be fully recharged; back where
we started.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">LOGTAGONLY=</emphasis>[<emphasis <term><emphasis role="bold">LOGTAGONLY=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

77
Shorewall6/manpages/shorewall6.conf.xml
View File

@ -707,33 +707,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">EXPORTPARAMS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Deprecated beginning with Shorewall 4.4.17.</para>
<para>Beginning with Shorewall 4.4.17, the variables set in the
'params' file at compile time are available at run time with
EXPORTPARAMS=No. As a consequence, beginning with that version the
recommended setting is EXPORTPARAMS=No.</para>
<para>It is quite difficult to code a 'params' file that assigns
other than constant values such that it works correctly with
Shorewall6 Lite. The EXPORTPARAMS option works around this problem.
When EXPORTPARAMS=No, the 'params' file is not copied to the
compiler output.</para>
<para>With EXPORTPARAMS=No, if you need to set environmental
variables on the firewall system for use by your extension scripts,
then do so in the init extension script.</para>
<para>The default is EXPORTPARAMS=Yes which is the recommended
setting unless you are running Shorewall6 Lite.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">FASTACCEPT=</emphasis>{<emphasis <term><emphasis role="bold">FASTACCEPT=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -1274,10 +1247,10 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<important> <important>
<para>To help insure that all packets in the NEW state are <para>To help insure that all packets in the NEW state are
logged, rate limiting (LOGBURST and LOGRATE) should be disabled logged, rate limiting (LOGLIMIT) should be disabled when using
when using LOGALLNEW. Use LOGALLNEW at your own risk; it may LOGALLNEW. Use LOGALLNEW at your own risk; it may cause high CPU
cause high CPU and disk utilization and you may not be able to and disk utilization and you may not be able to control your
control your firewall after you enable this option.</para> firewall after you enable this option.</para>
</important> </important>
<para/> <para/>
@ -1358,48 +1331,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOGBURST=</emphasis>[<emphasis>burst</emphasis>]</term>
<listitem>
<para>Deprecated in Shorewall 4.4.12.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOGRATE=</emphasis>[<emphasis>rate</emphasis>/{<emphasis
role="bold">minute</emphasis>|<emphasis
role="bold">second</emphasis>}]</term>
<listitem>
<para>As of Shorewall 4.4.12, these parameters are
Deprecated.</para>
<para>These parameters set the match rate and initial burst size for
logged packets. Please see ip6tables(8) for a description of the
behavior of these parameters (the ip6tables option --limit is set by
LOGRATE and --limit-burst is set by LOGBURST). If both parameters
are set empty, no rate-limiting will occur. If you supply one of
these, then you should also supply the other.</para>
<para>Example:</para>
<programlisting> LOGRATE=10/minute
LOGBURST=5</programlisting>
<para>For each logging rule, the first time the rule is reached, the
packet will be logged; in fact, since the burst is 5, the first five
packets will be logged. After this, it will be 6 seconds (1 minute
divided by the rate of 10) before a message will be logged from the
rule, regardless of how many packets reach it. Also, every 6
seconds, one of the bursts will be regained; if no packets hit the
rule for 30 seconds, the burst will be fully recharged; back where
we started.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">LOGTAGONLY=</emphasis>[<emphasis <term><emphasis role="bold">LOGTAGONLY=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>