mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-24 00:23:28 +01:00
/etc/shorewall/params only at compile-time
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5352 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
a378a22865
commit
fa024a63aa
@ -121,16 +121,6 @@ indent1() {
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Echo the contents of the passed file indented by $INDENT and perform INCLUDE processing.
|
||||
#
|
||||
indent2() {
|
||||
if [ -n "$INDENT" ]; then
|
||||
read_file $1 0 | eval sed \'s\/^/"$INDENT"\/\'
|
||||
else
|
||||
read_file $1 0
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Append a file to the compiler's output with indentation.
|
||||
@ -155,20 +145,6 @@ append_file() # $1 = File Name
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
# Append a file to the compiler's output with indentation and INCLUDE expansion.
|
||||
#
|
||||
append_file1() # $1 = File Name
|
||||
{
|
||||
local user_exit=$(find_file $1)
|
||||
|
||||
if [ -f $user_exit ]; then
|
||||
save_progress_message "Processing $user_exit ..."
|
||||
indent2 $user_exit >&3
|
||||
save_command
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Generate a command to run iptables
|
||||
#
|
||||
@ -5115,8 +5091,6 @@ __EOF__
|
||||
__EOF__
|
||||
fi
|
||||
|
||||
append_file1 params
|
||||
|
||||
cat >&3 << __EOF__
|
||||
|
||||
STOPPING=
|
||||
|
@ -1874,8 +1874,6 @@ do_initialize() {
|
||||
|
||||
run_user_exit params
|
||||
|
||||
[ $PROGRAM = compiler ] && run_user_exit compile
|
||||
|
||||
config=$(find_file shorewall.conf)
|
||||
|
||||
if [ -f $config ]; then
|
||||
|
@ -34,28 +34,22 @@ None.
|
||||
|
||||
Other Changes in 3.4.0 RC 1
|
||||
|
||||
1) A new 'compile' extension script has been added. This script is
|
||||
invoked in the compiler to set shell variables needed at compile
|
||||
time. The script can use 'ssh' to obtain information from a remote
|
||||
firewall system.
|
||||
1) In spite of my claim that I would not introduce any changes other
|
||||
than bug fixes in a release candidate, I'm going to do so anyway.
|
||||
|
||||
One common thing that such a script might want to do is to obtain
|
||||
the IP address of an interface on a remote firewall for later use
|
||||
in Shorewall configuration files. This can be done using the
|
||||
following trick:
|
||||
Beginning with Shorewall 3.4.0, Shorewall will only process
|
||||
/etc/shorewall/params during the compile phase. Any shell variables
|
||||
needed at run-time must be set in /etc/shorewall/init.
|
||||
|
||||
ADDR=$(ssh root@<firewall> "shorewall-lite call
|
||||
get_first_interface_address <interface>")
|
||||
|
||||
where:
|
||||
|
||||
<firewall> is the name of the remote firewall system; and
|
||||
<interface> is the name of an interface on that system.
|
||||
|
||||
The shorewall-lite "call" command allows you to interactively call
|
||||
any function in /usr/share/shorewall-lite/lib.base and
|
||||
/usr/share/shorewall-lite/lib.config.
|
||||
In a Shorewall/Shorewall Lite environment, his allows
|
||||
/etc/shorewall/params to be written to run exclusively
|
||||
on the administrative system while /etc/shorewall/init runs
|
||||
exclusively on the firewall system.
|
||||
|
||||
So shell variables required at compile time may be set in
|
||||
/etc/shorewall/params and those required at run-time may be set in
|
||||
/etc/shorewall/init.
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
If you are migrating from a Shorewall version earlier than 3.2.0 then
|
||||
@ -64,7 +58,20 @@ information.
|
||||
|
||||
http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/releasenotes.txt
|
||||
|
||||
1) Shorewall supports the notion of "default actions". A default
|
||||
1) Beginning with Shorewall 3.4.0, Shorewall will only process
|
||||
/etc/shorewall/params during the compile phase. Any shell variables
|
||||
needed at run-time must be set in /etc/shorewall/init.
|
||||
|
||||
In a Shorewall/Shorewall Lite environment, his allows
|
||||
/etc/shorewall/params to be written to run exclusively
|
||||
on the administrative system while /etc/shorewall/init runs
|
||||
exclusively on the firewall system.
|
||||
|
||||
So shell variables required at compile time may be set in
|
||||
/etc/shorewall/params and those required at run-time may be set in
|
||||
/etc/shorewall/init.
|
||||
|
||||
2) Shorewall supports the notion of "default actions". A default
|
||||
action defines a set of rules that are applied before a policy is
|
||||
enforced. Default actions accomplish two goals:
|
||||
|
||||
@ -97,12 +104,12 @@ http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/releasenotes.txt
|
||||
Shorewall version 3.4. Otherwise, please see item 3) in the New
|
||||
Features below.
|
||||
|
||||
2) The 'Limit' action is now a builtin. If you have 'Limit' listed in
|
||||
3) The 'Limit' action is now a builtin. If you have 'Limit' listed in
|
||||
/etc/shorewall/actions, remove the entry. Also remove the files
|
||||
/etc/shorewall/action.Limit and/or /etc/shorewall/Limit if you have
|
||||
them.
|
||||
|
||||
3) This issue only applies if you have entries in
|
||||
4) This issue only applies if you have entries in
|
||||
/etc/shorewall/providers.
|
||||
|
||||
Previously, Shorewall has not attempted to undo the changes it has
|
||||
@ -128,13 +135,13 @@ http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/releasenotes.txt
|
||||
do exist, remove them.
|
||||
b) Either restart networking or reboot.
|
||||
|
||||
4) This issue only applies if you run Shorewall Lite.
|
||||
5) This issue only applies if you run Shorewall Lite.
|
||||
|
||||
The /etc/shorewall-lite/shorewall.conf file has been renamed
|
||||
/etc/shorewall-lite/shorewall-lite.conf. When you upgrade,
|
||||
your shorewall.conf file will be renamed shorewall-lite.conf.
|
||||
|
||||
5) Previously, 'ipsecnat' tunnels allowed AH traffic by default
|
||||
6) Previously, 'ipsecnat' tunnels allowed AH traffic by default
|
||||
(unless 'isecnat:noah' was given). Given that AH is incompatible
|
||||
with nat-traversal, 'ipsecnat' now implies 'ipsecnat:noah' and the
|
||||
latter is now redundant.
|
||||
|
Loading…
Reference in New Issue
Block a user