forked from extern/shorewall_code
More incompatibilities flagged and documented
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5784 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
f8eb05923e
commit
280d8b4b27
@ -87,12 +87,16 @@ our %config =
|
|||||||
# Location of Files
|
# Location of Files
|
||||||
#
|
#
|
||||||
IPTABLES => undef,
|
IPTABLES => undef,
|
||||||
|
#
|
||||||
#PATH is inherited
|
#PATH is inherited
|
||||||
|
#
|
||||||
PATH => undef,
|
PATH => undef,
|
||||||
SHOREWALL_SHELL => undef,
|
SHOREWALL_SHELL => undef,
|
||||||
SUBSYSLOCK => undef,
|
SUBSYSLOCK => undef,
|
||||||
MODULESDIR => undef,
|
MODULESDIR => undef,
|
||||||
|
#
|
||||||
#CONFIG_PATH is inherited
|
#CONFIG_PATH is inherited
|
||||||
|
#
|
||||||
CONFIG_PATH => undef,
|
CONFIG_PATH => undef,
|
||||||
RESTOREFILE => undef,
|
RESTOREFILE => undef,
|
||||||
IPSECFILE => undef,
|
IPSECFILE => undef,
|
||||||
@ -230,6 +234,9 @@ INIT {
|
|||||||
$tmp_dir = $ENV{TMP_DIR};
|
$tmp_dir = $ENV{TMP_DIR};
|
||||||
@config_path = split /:/, $ENV{CONFIG_PATH};
|
@config_path = split /:/, $ENV{CONFIG_PATH};
|
||||||
|
|
||||||
|
for ( @config_path ) {
|
||||||
|
$_ .= '/' unless m|//$|;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -492,10 +499,6 @@ sub get_configuration( $ ) {
|
|||||||
|
|
||||||
my $export = $_[0];
|
my $export = $_[0];
|
||||||
|
|
||||||
for ( @config_path ) {
|
|
||||||
$_ .= '/' unless m|//$|;
|
|
||||||
}
|
|
||||||
|
|
||||||
my $file = find_file 'shorewall.conf';
|
my $file = find_file 'shorewall.conf';
|
||||||
|
|
||||||
if ( -f $file ) {
|
if ( -f $file ) {
|
||||||
@ -602,6 +605,9 @@ sub get_configuration( $ ) {
|
|||||||
|
|
||||||
default_yes_no 'STARTUP_ENABLED' , 'Yes';
|
default_yes_no 'STARTUP_ENABLED' , 'Yes';
|
||||||
default_yes_no 'DELAYBLACKLISTLOAD' , '';
|
default_yes_no 'DELAYBLACKLISTLOAD' , '';
|
||||||
|
|
||||||
|
warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall-perl ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD};
|
||||||
|
|
||||||
default_yes_no 'LOGTAGONLY' , '';
|
default_yes_no 'LOGTAGONLY' , '';
|
||||||
default_yes_no 'RFC1918_STRICT' , '';
|
default_yes_no 'RFC1918_STRICT' , '';
|
||||||
default_yes_no 'SAVE_IPSETS' , '';
|
default_yes_no 'SAVE_IPSETS' , '';
|
||||||
@ -681,6 +687,8 @@ sub get_configuration( $ ) {
|
|||||||
default 'OPTIMIZE' , 0;
|
default 'OPTIMIZE' , 0;
|
||||||
default 'IPSECFILE' , 'ipsec';
|
default 'IPSECFILE' , 'ipsec';
|
||||||
|
|
||||||
|
fatal_error "IPSECFILE=ipsec is not supported by Shorewall-perl ' . $globals{VERSION} unless $config{IPSECFILE} eq 'zones';
|
||||||
|
|
||||||
for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT ACCEPT_DEFAULT/ {
|
for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT ACCEPT_DEFAULT/ {
|
||||||
$config{$default} = 'none' if "\L$config{$default}" eq 'none';
|
$config{$default} = 'none' if "\L$config{$default}" eq 'none';
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,5 +1,6 @@
|
|||||||
Shorewall-perl 3.9.0
|
----------------------------------------------------------------------------
|
||||||
|
Shorewall-perl 3.9.0
|
||||||
|
----------------------------------------------------------------------------
|
||||||
This companion product to Shorewall 3.4.2 and later includes a complete
|
This companion product to Shorewall 3.4.2 and later includes a complete
|
||||||
rewrite of the compiler in Perl.
|
rewrite of the compiler in Perl.
|
||||||
|
|
||||||
@ -27,21 +28,21 @@ version of Shorewall itself.
|
|||||||
d) Along the same vein, I think that users will be more likely to experiment
|
d) Along the same vein, I think that users will be more likely to experiment
|
||||||
with the new compiler if they can easily fall back to the old one if things
|
with the new compiler if they can easily fall back to the old one if things
|
||||||
get sticky.
|
get sticky.
|
||||||
|
----------------------------------------------------------------------------
|
||||||
The good news:
|
T H E G O O D N E W S:
|
||||||
|
----------------------------------------------------------------------------
|
||||||
a) The compiler has a small disk footprint.
|
a) The compiler has a small disk footprint.
|
||||||
b) The compiler is very fast.
|
b) The compiler is very fast.
|
||||||
c) The compiler generates a firewall script that uses iptables-restore;
|
c) The compiler generates a firewall script that uses iptables-restore;
|
||||||
so the script is very fast.
|
so the script is very fast.
|
||||||
d) Use of the perl compiler is optional! The old slow clunky
|
d) Use of the perl compiler is optional! The old slow clunky
|
||||||
Bourne-shell compiler is still available.
|
Bourne-shell compiler is still available.
|
||||||
|
----------------------------------------------------------------------------
|
||||||
The bad news:
|
T H E B A D N E W S:
|
||||||
|
----------------------------------------------------------------------------
|
||||||
There are a number of incompatibilities between the Perl-based compiler
|
There are a number of incompatibilities between the Perl-based compiler
|
||||||
and the Bourne-shell one. Some of these will probably go away by first
|
and the Bourne-shell one. Some of these will probably go away by first
|
||||||
official release but some will not.
|
official release but most will not.
|
||||||
|
|
||||||
a) The Perl-based compiler requires the following capabilities in your
|
a) The Perl-based compiler requires the following capabilities in your
|
||||||
kernel and iptables.
|
kernel and iptables.
|
||||||
@ -152,15 +153,23 @@ j) Because the configuration files (with the exception of
|
|||||||
($variable and ${variable}) are supported. The more exotic forms
|
($variable and ${variable}) are supported. The more exotic forms
|
||||||
such as ${variable:=default} are not supported. Both variables
|
such as ${variable:=default} are not supported. Both variables
|
||||||
defined in /etc/shorewall/params and environmental variables
|
defined in /etc/shorewall/params and environmental variables
|
||||||
(exported by the shell) can be used.
|
(exported by the shell) can be used in configuration files.
|
||||||
|
|
||||||
h) USE_ACTIONS=No is not supported. That option is intended to minimize
|
h) USE_ACTIONS=No is not supported. That option is intended to minimize
|
||||||
Shorewall's footprint in embedded applications. As a consequence,
|
Shorewall's footprint in embedded applications. As a consequence,
|
||||||
Default Macros are not supported.
|
Default Macros are not supported.
|
||||||
|
|
||||||
Installation
|
i) DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is
|
||||||
------------
|
atomically loaded with one execution of iptables-restore.
|
||||||
|
|
||||||
|
j) MAPOLDACTIONS=Yes is not supported. People should have converted to
|
||||||
|
using macros by now.
|
||||||
|
|
||||||
|
k) The pre Shorewall-3.0 format of the zones file is not supported;
|
||||||
|
neither is the /etc/shorewall/ipsec file.
|
||||||
|
----------------------------------------------------------------------------
|
||||||
|
I N S T A L L A T I O N
|
||||||
|
----------------------------------------------------------------------------
|
||||||
Either
|
Either
|
||||||
|
|
||||||
$ tar -jxf shorewall-perl-3.9.0.tar.bz2
|
$ tar -jxf shorewall-perl-3.9.0.tar.bz2
|
||||||
@ -170,10 +179,9 @@ Either
|
|||||||
or
|
or
|
||||||
|
|
||||||
$ rpm -ivh shoreawll-pl-3.9.0-1.noarch.rpm
|
$ rpm -ivh shoreawll-pl-3.9.0-1.noarch.rpm
|
||||||
|
----------------------------------------------------------------------------
|
||||||
Using the New compiler
|
U S I N G T H E N E W C O M P I L E R
|
||||||
----------------------
|
----------------------------------------------------------------------------
|
||||||
|
|
||||||
By default, the old Bourne-shell based compiler will be used.
|
By default, the old Bourne-shell based compiler will be used.
|
||||||
|
|
||||||
To use the new compiler, add this to shorewall.conf:
|
To use the new compiler, add this to shorewall.conf:
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user