Set IPTABLES_RESTORE from IPTABLES

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6669 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -12,6 +12,8 @@ Changes in 4.0.0 Beta 6
 
 6)  First step to adding compiler debugging facility.
 
+7)  Assume that iptables-restore is in the same directory as $IPTABLES
+
 Changes in 4.0.0 Beta 5
 
 1)  Fix undefined function call when both an input interface and an

Shorewall-common/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.0.0 Beta 6
+Shorewall 4.0.0 Beta 7
 ----------------------------------------------------------------------------
                    R E L E A S E  H I G H L I G H T S
 ----------------------------------------------------------------------------
@@ -15,85 +15,31 @@ Shorewall 4.0.0 Beta 6
 You must install Shorewall and at least one of the compiler packages
 (you may install them both).
 
-Problems corrected in 4.0.0 Beta 6.
+3) The facilities for supporting bridge/firewalls under earlier
+   releases are deprecated and their documentation is omitted from the
+   4.0 distribution. New bridge support is implemented in the
+   Shorewall-perl compiler. This support utilizes the reduced-function
+   physdev match support available in Linux kernel 2.6.20 and later.
 
-1)  With Shorewall-perl, an invalid DISPOSITION in an
+Problems corrected in 4.0.0 Beta 7.
-    /etc/shorewall/maclist entry would cause Perl error messages to be
-    issued.
 
-2)  Shorewall-perl now catches invalid interface names in the
+None.
-    /etc/shorewall/routestopped file.
 
-3)  DYNAMIC_ZONES=Yes can now coexist with Shorewall-perl's 'bport'
+Other changes in Shorewall 4.0.0 Beta 7
-    zones. Those zones themselves may not be dynamically modified but
-    the presence of bport zones no longer causes the 'shorewall add'
-    command to fail.
 
-Other changes in Shorewall 4.0.0 Beta 6
+1)  When an /sbin/shorewall command that begins with 'debug' or 'trace'
+    invokes the Shorewall-perl compiler, the compiler will include
+    additional debugging information in its warning and error
+    messages. This additional information is intended to help the
+    people supporting Shorewall to diagnose the cause of the message.
 
-1)  When a Shorewall release includes detection of an additional
+2)  The script generated by Shorewall-perl now assumes that
-    capability, existing capabilities files become out of
+    iptables-restore is in the same directory as the program specified
-    date. Previously, this condition was not detected.
+    in the IPTABLES setting in Shorewall-conf.
 
-    Beginning with this release, each generated capabilities file
+    If IPTABLES is not specified, then the iptables utility is located
-    contains a CAPVERSION specification which defines the capabilities
+    using the PATH setting and the iptables-restore program from the
-    version of the file. If the CAPVERSION in a capabilities file is
+    same directory is used.
-    less than the current CAPVERSION, then Shorewall will issue the
-    following message:
-
-    WARNING: <file> is out of date -- it does not contain all of
-    the capabilities defined by Shorewall version <version>
-
-    where
-
-	<file>    is the name of the capabilities file.
-	<version> is the current Shorewall version.
-
-    Existing capabilities files contain no CAPVERSION. When such a file
-    is read, Shorewall will issue this message:
-
-    WARNING: <file> may be not contain all of the capabilities defined
-    by Shorewall version <version>
-
-2)  When a directory is specified in a command such as 'start' or
-    'compile', Shorewall now reads the shorewall.conf file (if any) in
-    that directory before deciding which compiler to use. So if
-    SHOREWALL_COMPILER is not specified in
-    /etc/shorewall/shorewall.conf and the -C option was not specified
-    on the run-line, then if both Shorewall-shell and Shorewall-perl
-    are installed, the additional shorewall.conf file is read to see if
-    it specifies a SHOREWALL_COMPILER.
-
-3)  Previously, Shorewall-perl read /etc/protocols and /etc/services
-    during compiler startup to build internal protocol and service
-    tables. This had a fixed cost of up to one half second or more,
-    depending on the speed of the system and the distribution
-    (The /etc/services released with OpenSuSE 10.2 is over 14,000
-    lines!!) These tables are now initialized by the Perl compiler
-    which speeds up compilation considerably. 
-
-    During installation, Shorewall generates the Perl module
-    /usr/share/shorewall-perl/Shorewall/Ports.pm, using your
-    /etc/protocols and /etc/services as input.
-
-    To re-generate the module from those two files:
-
-	1. Backup your current /usr/share/shorewall-perl/Shorewall/Ports.pm
-	   file.
-        2. /usr/share/shorewall-perl/buildports.pl > \
-	   /usr/share/shorewall-perl/Shorewall/Ports.pm
-
-    Note: If the buildports.pl program fails to run to a successful
-    completion during installation, a fallback version of
-    module will be installed. That fallback module was generated from
-    the /etc/protocols and /etc/services shipped with Ubuntu Feisty
-    Fawn.
-
-    Even if the buildports.pl program runs successfully, the fallback
-    module is also installed as
-    /usr/share/shorewall-perl/Shorewall/FallbackPorts.pm. So if you
-    encounter problems with the generated module, simply copy the
-    fallback module to /usr/share/shorewall-perl/Shorewall/Ports.pm.
 
 Migration Considerations:
 
@@ -716,6 +662,29 @@ Migration Considerations:
     the MARK/CLASSIFY column of /etc/shorewall/tcrules against the
     classes generated by /etc/shorewall/tcclasses.
 
+16) During installation, Shorewall generates the Perl module
+    /usr/share/shorewall-perl/Shorewall/Ports.pm, using your
+    /etc/protocols and /etc/services as input.
+
+    To re-generate the module from those two files:
+
+	1. Backup your current /usr/share/shorewall-perl/Shorewall/Ports.pm
+	   file.
+        2. /usr/share/shorewall-perl/buildports.pl > \
+	   /usr/share/shorewall-perl/Shorewall/Ports.pm
+
+    Note: If the buildports.pl program fails to run to a successful
+    completion during installation, a fallback version of
+    module will be installed. That fallback module was generated from
+    the /etc/protocols and /etc/services shipped with Ubuntu Feisty
+    Fawn.
+
+    Even if the buildports.pl program runs successfully, the fallback
+    module is also installed as
+    /usr/share/shorewall-perl/Shorewall/FallbackPorts.pm. So if you
+    encounter problems with the generated module, simply copy the
+    fallback module to /usr/share/shorewall-perl/Shorewall/Ports.pm.
+
 ----------------------------------------------------------------------------
                       P R E R E Q U I S I T E S
 ----------------------------------------------------------------------------

Shorewall-perl/Shorewall/Chains.pm

@@ -1956,7 +1956,7 @@ sub create_netfilter_load() {
 	   '',
 	   'progress_message2 "Running iptables-restore..."',
 	   '',
-	   'iptables-restore < ${VARDIR}/.iptables-restore-input'
+	   '$IPTABLES_RESTORE < ${VARDIR}/.iptables-restore-input'
 	 );
 
     emitj( 'if [ $? != 0 ]; then',

Shorewall-perl/Shorewall/Compiler.pm

@@ -172,6 +172,9 @@ sub generate_script_1() {
 	       );
     }
 
+    emitj( 'IPTABLES_RESTORE=${IPTABLES}-restore',
+	   '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
+
     append_file 'params' if $config{EXPORTPARAMS};
 
     emitj ( '',