/etc/shorewall/params only at compile-time

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5352 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-02-04 01:00:15 +00:00
parent a378a22865
commit fa024a63aa
3 changed files with 31 additions and 52 deletions

@ -121,16 +121,6 @@ indent1() {
fi fi
} }
#
# Echo the contents of the passed file indented by $INDENT and perform INCLUDE processing.
#
indent2() {
if [ -n "$INDENT" ]; then
read_file $1 0 | eval sed \'s\/^/"$INDENT"\/\'
else
read_file $1 0
fi
}
# #
# Append a file to the compiler's output with indentation. # Append a file to the compiler's output with indentation.
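Review bot: indent2() is deleted here while its only visible caller, append_file1(), is only removed further down in this file; before merging, grep the compiler and the lib.* files for any other use of indent2 or of the INCLUDE-processing path it wrapped (`read_file $1 0`), since a surviving call would fail with "indent2: command not found" the next time the compiler runs.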
@ -155,20 +145,6 @@ append_file() # $1 = File Name
esac esac
} }
#
# Append a file to the compiler's output with indentation and INCLUDE expansion.
#
append_file1() # $1 = File Name
{
local user_exit=$(find_file $1)
if [ -f $user_exit ]; then
save_progress_message "Processing $user_exit ..."
indent2 $user_exit >&3
save_command
fi
}
# #
# Generate a command to run iptables # Generate a command to run iptables
# #
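Review bot: deleting append_file1() removes the only path that copied a user-supplied file verbatim into the generated firewall script (`indent2 $user_exit >&3`), so the text of /etc/shorewall/params will no longer be embedded in the script that is later executed on the firewall. That is the intended behaviour change, but it is recorded only in the release notes; update the documentation for /etc/shorewall/params in the same commit so a reader of that documentation is told the file is processed at compile time only.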
@ -5115,8 +5091,6 @@ __EOF__
__EOF__ __EOF__
fi fi
append_file1 params
cat >&3 << __EOF__ cat >&3 << __EOF__
STOPPING= STOPPING=
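Review bot: with the `append_file1 params` call gone, the generated script's prologue (the `STOPPING=` heredoc that follows) no longer defines any of the variables params used to set. Values that params supplies to the configuration files still work, because do_initialize() still runs the params user exit and the release notes state that params is processed during the compile phase, but a run-time extension script on the firewall that referenced a params variable will now see it empty rather than fail loudly. A one-line comment at this point in the compiler saying that params is compile-time only would stop the next person from re-adding the call.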

@ -1874,8 +1874,6 @@ do_initialize() {
run_user_exit params run_user_exit params
[ $PROGRAM = compiler ] && run_user_exit compile
config=$(find_file shorewall.conf) config=$(find_file shorewall.conf)
if [ -f $config ]; then if [ -f $config ]; then
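Review bot: dropping `[ $PROGRAM = compiler ] && run_user_exit compile` withdraws the 'compile' extension script that the earlier 3.4.0 RC release notes (the text deleted in the releasenotes hunk of this commit) told users to create; an existing /etc/shorewall/compile will now be silently ignored. Either have the compiler emit a warning when `find_file compile` locates such a script, or state explicitly in the release notes that the compile script is no longer invoked and that its contents belong in /etc/shorewall/params.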

@ -34,27 +34,21 @@ None.
Other Changes in 3.4.0 RC 1 Other Changes in 3.4.0 RC 1
1) A new 'compile' extension script has been added. This script is 1) In spite of my claim that I would not introduce any changes other
invoked in the compiler to set shell variables needed at compile than bug fixes in a release candidate, I'm going to do so anyway.
time. The script can use 'ssh' to obtain information from a remote
firewall system.
One common thing that such a script might want to do is to obtain Beginning with Shorewall 3.4.0, Shorewall will only process
the IP address of an interface on a remote firewall for later use /etc/shorewall/params during the compile phase. Any shell variables
in Shorewall configuration files. This can be done using the needed at run-time must be set in /etc/shorewall/init.
following trick:
ADDR=$(ssh root@<firewall> "shorewall-lite call In a Shorewall/Shorewall Lite environment, his allows
get_first_interface_address <interface>") /etc/shorewall/params to be written to run exclusively
on the administrative system while /etc/shorewall/init runs
exclusively on the firewall system.
where: So shell variables required at compile time may be set in
/etc/shorewall/params and those required at run-time may be set in
<firewall> is the name of the remote firewall system; and /etc/shorewall/init.
<interface> is the name of an interface on that system.
The shorewall-lite "call" command allows you to interactively call
any function in /usr/share/shorewall-lite/lib.base and
/usr/share/shorewall-lite/lib.config.
Migration Considerations: Migration Considerations:
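Review bot: typo in the new text: "his allows" should be "this allows". The replaced item also documented the 'compile' extension script and the ssh/shorewall-lite "call" trick for fetching a remote interface address; the new text says nothing about the compile script being withdrawn, so add a sentence stating that the 'compile' extension script introduced earlier in the RC is no longer invoked and that compile-time logic of that kind now belongs in /etc/shorewall/params.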
@ -64,7 +58,20 @@ information.
http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/releasenotes.txt http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/releasenotes.txt
1) Shorewall supports the notion of "default actions". A default 1) Beginning with Shorewall 3.4.0, Shorewall will only process
/etc/shorewall/params during the compile phase. Any shell variables
needed at run-time must be set in /etc/shorewall/init.
In a Shorewall/Shorewall Lite environment, his allows
/etc/shorewall/params to be written to run exclusively
on the administrative system while /etc/shorewall/init runs
exclusively on the firewall system.
So shell variables required at compile time may be set in
/etc/shorewall/params and those required at run-time may be set in
/etc/shorewall/init.
2) Shorewall supports the notion of "default actions". A default
action defines a set of rules that are applied before a policy is action defines a set of rules that are applied before a policy is
enforced. Default actions accomplish two goals: enforced. Default actions accomplish two goals:
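Review bot: the "his allows" typo from the Other Changes item is copied verbatim into this Migration Considerations item; fix both. Since this is the migration list, lead with the action the upgrader must take: any variable assigned in /etc/shorewall/params and referenced at run time (by /etc/shorewall/init or by other run-time extension scripts) must be moved to /etc/shorewall/init, otherwise it will be unset when the firewall script runs. The explanatory paragraph about the administrative system versus the firewall system can follow that sentence unchanged.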
@ -97,12 +104,12 @@ http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/releasenotes.txt
Shorewall version 3.4. Otherwise, please see item 3) in the New Shorewall version 3.4. Otherwise, please see item 3) in the New
Features below. Features below.
2) The 'Limit' action is now a builtin. If you have 'Limit' listed in 3) The 'Limit' action is now a builtin. If you have 'Limit' listed in
/etc/shorewall/actions, remove the entry. Also remove the files /etc/shorewall/actions, remove the entry. Also remove the files
/etc/shorewall/action.Limit and/or /etc/shorewall/Limit if you have /etc/shorewall/action.Limit and/or /etc/shorewall/Limit if you have
them. them.
3) This issue only applies if you have entries in 4) This issue only applies if you have entries in
/etc/shorewall/providers. /etc/shorewall/providers.
Previously, Shorewall has not attempted to undo the changes it has Previously, Shorewall has not attempted to undo the changes it has
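Review bot: renumbering items 2) to 5) as 3) to 6) shifts any cross-reference by one; the "item 3) in the New Features below" in this hunk points at the New Features list and is unaffected, but a search for references to Migration Considerations item numbers elsewhere in the release notes and on the website is worth doing before release, since a cited "item 4)" now lands on the Shorewall Lite rename instead of the providers item.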
@ -128,13 +135,13 @@ http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/releasenotes.txt
do exist, remove them. do exist, remove them.
b) Either restart networking or reboot. b) Either restart networking or reboot.
4) This issue only applies if you run Shorewall Lite. 5) This issue only applies if you run Shorewall Lite.
The /etc/shorewall-lite/shorewall.conf file has been renamed The /etc/shorewall-lite/shorewall.conf file has been renamed
/etc/shorewall-lite/shorewall-lite.conf. When you upgrade, /etc/shorewall-lite/shorewall-lite.conf. When you upgrade,
your shorewall.conf file will be renamed shorewall-lite.conf. your shorewall.conf file will be renamed shorewall-lite.conf.
5) Previously, 'ipsecnat' tunnels allowed AH traffic by default 6) Previously, 'ipsecnat' tunnels allowed AH traffic by default
(unless 'isecnat:noah' was given). Given that AH is incompatible (unless 'isecnat:noah' was given). Given that AH is incompatible
with nat-traversal, 'ipsecnat' now implies 'ipsecnat:noah' and the with nat-traversal, 'ipsecnat' now implies 'ipsecnat:noah' and the
latter is now redundant. latter is now redundant.
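Review bot: not introduced by this commit, but the context line `(unless 'isecnat:noah' was given)` has a typo: 'isecnat' should read 'ipsecnat', matching the option name used in the rest of the item.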