diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 1e595e3cd..3fd72af4d 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -198,7 +198,7 @@ our %EXPORT_TAGS = (
Exporter::export_ok_tags('internal');
-our $VERSION = '4.4_16';
+our $VERSION = '4.4_17';
#
# Chain Table
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index be4c16b8f..5d0274948 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -43,7 +43,7 @@ use Shorewall::Misc;
our @ISA = qw(Exporter);
our @EXPORT = qw( compiler );
our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_16';
+our $VERSION = '4.4_17';
our $export;
@@ -229,7 +229,11 @@ sub generate_script_2() {
set_chain_variables;
- append_file 'params' if $config{EXPORTPARAMS};
+ if ( $config{EXPORTPARAMS} ) {
+ append_file 'params';
+ } else {
+ export_params;
+ }
emit ( '',
"g_stopping=",
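Review bot: The new `else` branch in generate_script_2 writes every value set in the params file into the compiled script even with EXPORTPARAMS=No, a setting that until this change kept params content out of the script. If params holds anything sensitive, the generated script and any copy shipped to a Shorewall Lite system now carry it, so the script's file mode matters; that mode is set outside this hunk and cannot be checked here. A comment on the branch would record the intent, e.g. `# EXPORTPARAMS=No: params is not run at run time, so emit the values captured at compile time`. The body of generate_script_2 starts and ends outside the hunk.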
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 389fc4276..7335e5684 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -98,6 +98,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
pop_open
push_params
pop_params
+ export_params
read_a_line
validate_level
which
@@ -135,7 +136,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
Exporter::export_ok_tags('internal');
-our $VERSION = '4.4_16';
+our $VERSION = '4.4_17';
#
# describe the current command, it's present progressive, and it's completion.
@@ -3024,6 +3025,34 @@ sub get_params() {
}
}
+#
+# emit param=value for each param set in the params file
+#
+sub export_params() {
+ #
+ # These are variables that the compiler adds to the hash
+ #
+ my %exclude = ( root => 1,
+ system => 1,
+ files => 1,
+ destination => 1,
+ command => 1,
+ FW => 1,
+ CONFDIR => 1 );
+
+ while ( my ( $param, $value ) = each %params ) {
+ next if $exclude{$param};
+ #
+ # Don't export pairs from %ENV
+ #
+ if ( exists $ENV{$param} && defined $ENV{$param} ) {
+ next if $value eq $ENV{$param};
+ }
+
+ emit "$param='$value'";
+ }
+}
+
#
# - Read the shorewall.conf file
# - Read the capabilities file, if any
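Review bot: `emit "$param='$value'"` in export_params writes the value between single quotes without escaping, so a value that itself contains a `'` ends the quoting early and the remainder is parsed as shell when the generated firewall script runs. Escape embedded quotes before emitting, e.g. `( my $quoted = $value ) =~ s/'/'\\''/g;` followed by `emit "$param='$quoted'";`. `$param` is emitted unchecked as well; get_params lies outside this hunk, so whether names are already limited to shell identifiers cannot be seen here, and if they are not, names failing `/^[A-Za-z_][A-Za-z0-9_]*$/` should be skipped. Iterating `sort keys %params` instead of `each %params` would also keep the generated script identical between compiles of the same configuration.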
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index abd2400a7..c9bb281ea 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,6 +1,10 @@
Changes in Shorewall 4.4.17 Beta 1
-1) None.
+1) Improve readability of logging logic in expand_rule().
+
+2) Improve efficency of oddball targets in process_rule1().
+
+3) Export (param,value) pairs with EXPORTPARAMS=No.
Changes in Shorewall 4.4.16 RC 1
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index aad11f48c..96e7b2ab6 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -152,7 +152,7 @@ HIGH_ROUTE_MARKS=No
OPTIMIZE=0
-EXPORTPARAMS=Yes
+EXPORTPARAMS=No
EXPAND_POLICIES=Yes
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index cefb4c003..caf861e1d 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -27,7 +27,9 @@ None.
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-None.
+1) The (param,value) pairs set in /etc/shorewall/params
+ (/etc/shorewall6/params) are now available at run-time with
+ EXPORTPARAMS=No. The EXPORTPARAMS parameter is now deprecated.
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
diff --git a/Shorewall6/shorewall6.conf b/Shorewall6/shorewall6.conf
index 6d0f63f57..7a5bbbbbb 100644
--- a/Shorewall6/shorewall6.conf
+++ b/Shorewall6/shorewall6.conf
@@ -121,7 +121,7 @@ HIGH_ROUTE_MARKS=No
OPTIMIZE=1
-EXPORTPARAMS=Yes
+EXPORTPARAMS=No
EXPAND_POLICIES=Yes
diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml
index 83d61e813..252f64ac1 100644
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@@ -510,8 +510,10 @@ clean:
The params file is not processed at run
time if you set EXPORTPARAMS=No in
shorewall.conf. For run-time setting of shell
- variables, use the init extension
- script.
+ variables, use the init extension script.
+ Beginning with Shorewall 4.4.17, the variables set in the
+ params file are available in the firewall
+ script when EXPORTPARAMS=No.
If the params file needs to set shell
variables based on the configuration of the firewall system, you
@@ -612,8 +614,10 @@ clean:
shorewall.conf. For run-time setting of
shell variables, use the init extension
script. Although the default setting is EXPORTPARAMS=Yes for
- compatibility, the recommended setting is
- EXPORTPARAMS=No.
+ compatibility, the recommended setting is EXPORTPARAMS=No.
+ Beginning with Shorewall 4.4.17, the variables set in the
+ params file are available in the firewall
+ script when EXPORTPARAMS=No.
If the params file needs to set shell
variables based on the configuration of the firewall system, you
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 9518dad46..04c23b5ac 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -649,7 +649,9 @@ ACCEPT net:\
shorewall.conf. That prevents the
params file from being copied into the compiled
script. With EXPORTPARAMS=No, it is perfectly okay to use INCLUDE in the
- params file.
+ params file. Note that with Shorewall 4.4.17 and
+ later, the variables set at compile time are available at run-time even
+ with EXPORTPARAMS=No.
@@ -860,8 +862,9 @@ SHELL cat /etc/shorewall/rules.d/*.rules
run-time. If you have set EXPORTPARAMS=No in
shorewall.conf, then the
params file is only
- processed by the compiler; it is not run by the compiled
- script.
+ processed by the compiler; it is not run by the compiled script.
+ Beginning with Shorewall 4.4.17, the values of the variables set at
+ compile time are available at run time with EXPORTPRARMS=No.
diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml
index 4c08bbe3e..189d6b4cd 100644
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@@ -548,9 +548,15 @@ net all DROP infothen the chain name is 'net2all'
EXPORTPARAMS={Yes|No}
+ role="bold">Yes|No}
+ (Deprecated beginning with Shorewall 4.4.17)
+ Beginning with Shorewall 4.4.17, the variables set in the
+ 'params' file at compile time are available at run time with
+ EXPORTPARAMS=No. As a consequence, beginning with that version the
+ recommended setting is EXPORTPARAMS=No.
+
It is quite difficult to code a 'params' file that assigns
other than constant values such that it works correctly with
Shorewall Lite. The EXPORTPARAMS option works around this problem.
@@ -583,8 +589,6 @@ net all DROP infothen the chain name is 'net2all'
or RELATED sections of shorewall-rules(5).
-
-
FASTACCEPT=Yes is incompatible with
BLACKLISTNEWONLY=No.
diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml
index e4055df16..39cee1c93 100644
--- a/manpages6/shorewall6.conf.xml
+++ b/manpages6/shorewall6.conf.xml
@@ -465,9 +465,15 @@ net all DROP infothen the chain name is 'net2all'
EXPORTPARAMS={Yes|No}
+ role="bold">Yes|No}
+ (Deprecated beginning with Shorewall 4.4.17)
+ Beginning with Shorewall 4.4.17, the variables set in the
+ 'params' file at compile time are available at run time with
+ EXPORTPARAMS=No. As a consequence, beginning with that version the
+ recommended setting is EXPORTPARAMS=No.
+
It is quite difficult to code a 'params' file that assigns
other than constant values such that it works correctly with
Shorewall6 Lite. The EXPORTPARAMS option works around this problem.