Deimplement several .conf options

- LOGRATE/LOGBURST
- EXPORTPARAMS
- LEGACY_FASTSTART
Tom Eastep 2015-08-01 11:11:35 -07:00
parent 67589cab69
commit 85648bded1
4 changed files with 24 additions and 214 deletions


@ -605,21 +605,26 @@ our %validlevels; # Valid log levels.
#
# Deprecated options with their default values
#
our %deprecated = ( LOGRATE => '' ,
LOGBURST => '' ,
EXPORTPARAMS => 'no',
WIDE_TC_MARKS => 'no',
our %deprecated = ( WIDE_TC_MARKS => 'no',
HIGH_ROUTE_MARKS => 'no',
BLACKLISTNEWONLY => 'yes',
);
#
# Deprecated options that are eliminated via update
#
our %converted = ( WIDE_TC_MARKS => 1,
our %converted = ( WIDE_TC_MARKS => 1,
HIGH_ROUTE_MARKS => 1,
BLACKLISTNEWONLY => 1,
);
#
# Eliminated options
#
our %eliminated = ( LOGRATE => 1,
LOGBURST => 1,
EXPORTPARAMS => 1,
LEGACY_FASTSTART => 1,
);
#
# Variables involved in ?IF, ?ELSE ?ENDIF processing
#
our $omitting;
@ -730,8 +735,6 @@ sub initialize( $;$$) {
LOGFORMAT => undef,
LOGTAGONLY => undef,
LOGLIMIT => undef,
LOGRATE => undef,
LOGBURST => undef,
LOGALLNEW => undef,
BLACKLIST_LOG_LEVEL => undef,
RELATED_LOG_LEVEL => undef,
@ -840,7 +843,6 @@ sub initialize( $;$$) {
FORWARD_CLEAR_MARK => undef,
COMPLETE => undef,
EXPORTMODULES => undef,
LEGACY_FASTSTART => undef,
USE_PHYSICAL_NAMES => undef,
HELPERS => undef,
AUTOHELPERS => undef,
@ -4838,7 +4840,8 @@ sub update_config_file( $$ ) {
#
$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
}
if ( -f $fn ) {
if ( -f $fn ) {
my ( $template, $output );
open $template, '<' , $fn or fatal_error "Unable to open $fn: $!";
@ -4959,6 +4962,8 @@ sub process_shorewall_conf( $$$ ) {
unless ( exists $config{$var} ) {
if ( exists $renamed{$var} ) {
$var = $renamed{$var};
} elsif ( $eliminated{$var} ) {
warning_message "The $var configuration option is no longer supported";
} else {
warning_message "Unknown configuration option ($var) ignored";
next ;
@ -5543,22 +5548,6 @@ sub get_configuration( $$$$$ ) {
}
$globals{LOGLIMIT} = $limit;
warning_message "LOGRATE Ignored when LOGLIMIT is specified" if $config{LOGRATE};
warning_message "LOGBURST Ignored when LOGLIMIT is specified" if $config{LOGBURST};
} elsif ( $config{LOGRATE} || $config{LOGBURST} ) {
if ( supplied $config{LOGRATE} ) {
fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;
}
if ( supplied $config{LOGBURST} ) {
fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
}
$globals{LOGLIMIT} = '-m limit ';
$globals{LOGLIMIT} .= "--limit $config{LOGRATE} " if supplied $config{LOGRATE};
$globals{LOGLIMIT} .= "--limit-burst $config{LOGBURST} " if supplied $config{LOGBURST};
} else {
$globals{LOGLIMIT} = '';
}
@ -5768,7 +5757,6 @@ sub get_configuration( $$$$$ ) {
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : '';
default_yes_no 'COMPLETE' , '';
default_yes_no 'EXPORTMODULES' , '';
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
default_yes_no 'USE_PHYSICAL_NAMES' , '';
default_yes_no 'IPSET_WARNINGS' , 'Yes';
default_yes_no 'AUTOHELPERS' , 'Yes';
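Review bot: In process_shorewall_conf (hunk at -4959) the new `elsif ( $eliminated{$var} )` branch emits its warning but, unlike the `else` branch for unknown options, does not `next`, so control falls through to whatever follows the conditional for an option whose `%config` initializer was removed in the earlier hunks (LOGRATE, LOGBURST, LEGACY_FASTSTART); if that code stores or validates `$var`, the eliminated option is still processed under a now-unknown key. Unless the fall-through is intended, make the branch `warning_message "The $var configuration option is no longer supported"; next;`. The body of process_shorewall_conf continues outside the hunk, so I cannot see what follows the conditional. For consistency with the `exists $renamed{$var}` test on the line above, `exists $eliminated{$var}` would also state the intent more clearly than relying on the truthy value.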


@ -308,21 +308,6 @@ get_config() {
;;
esac
case $LEGACY_FASTSTART in
Yes|yes)
;;
No|no)
LEGACY_FASTSTART=
;;
*)
if [ -n "$LEGACY_FASTSTART" ]; then
fatal_error "Invalid LEGACY_FASTSTART setting ($LEGACY_FASTSTART)"
fi
LEGACY_FASTSTART=Yes
;;
esac
if [ -n "$WORKAROUNDS" ]; then
case $WORKAROUNDS in
[Yy]es)
@ -608,38 +593,13 @@ start_command() {
esac
if [ -n "${g_fast}${AUTOMAKE}" ]; then
if [ -z "$g_fast" -o -z "${LEGACY_FASTSTART}${g_counters}" ]; then
#
# Automake or ( LEGACY_FASTSTART=No and not -C ) -- use the last compiled script
#
object=firewall
else
#
# 'start -f' with ( LEGACY_FASTSTART=Yes or -C ) -- use last saved configuration
#
object=$RESTOREFILE
fi
if ! uptodate ${VARDIR}/$object; then
g_fast=
AUTOMAKE=
fi
if [ -n "$g_fast" -a $object = $RESTOREFILE ]; then
g_restorepath=${VARDIR}/$object
[ -n "$nolock" ] || mutex_on
echo Restoring Shorewall...
run_it $g_restorepath restore
rc=$?
[ -n "$nolock" ] || mutex_off
[ $rc -eq 0 ] && progress_message3 "$g_product restored from $g_restorepath"
exit $rc
else
do_it
fi
else
do_it
fi
do_it
}
#
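Review bot: The tail of start_command in the hunk at -608 now ends in an unconditional `do_it`, and nothing left in the hunk consults `g_fast`, `AUTOMAKE`, `uptodate` or `$RESTOREFILE`; start_command begins outside the hunk, so if the `start -f`/AUTOMAKE decision was not relocated earlier in the function, both would now always take the full compile path. If that is intended, a one-line comment above `do_it` saying where the fast/automake decision is now made would spare the next reader a hunt for the removed restore path; if not, the `uptodate ${VARDIR}/firewall` test should be reinstated ahead of `do_it`. Separately, with the LEGACY_FASTSTART case removed from get_config (hunk at -308), a stale `LEGACY_FASTSTART=` line in the .conf is presumably now accepted silently on the shell side while the compiler warns that the option is no longer supported; a matching one-line warning in get_config would keep the two readers consistent.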


@ -822,33 +822,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">EXPORTPARAMS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Deprecated in Shorewall 4.4.17.</para>
<para>Beginning with Shorewall 4.4.17, the variables set in the
'params' file at compile time are available at run time with
EXPORTPARAMS=No. As a consequence, beginning with that version the
recommended setting is EXPORTPARAMS=No.</para>
<para>It is quite difficult to code a 'params' file that assigns
other than constant values such that it works correctly with
Shorewall Lite. The EXPORTPARAMS option works around this problem.
When EXPORTPARAMS=No, the 'params' file is not copied to the
compiler output.</para>
<para>With EXPORTPARAMS=No, if you need to set environmental
variables on the firewall system for use by your extension scripts,
then do so in the init extension script.</para>
<para>The default is EXPORTPARAMS=Yes which is the recommended
setting unless you are using Shorewall Lite.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">FASTACCEPT=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -1458,10 +1431,10 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<important>
<para>To help insure that all packets in the NEW state are
logged, rate limiting (LOGBURST and LOGRATE) should be disabled
when using LOGALLNEW. Use LOGALLNEW at your own risk; it may
cause high CPU and disk utilization and you may not be able to
control your firewall after you enable this option.</para>
logged, rate limiting (LOGLIMIT) should be disabled when using
LOGALLNEW. Use LOGALLNEW at your own risk; it may cause high CPU
and disk utilization and you may not be able to control your
firewall after you enable this option.</para>
</important>
<para/>
@ -1543,48 +1516,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOGBURST=</emphasis>[<emphasis>burst</emphasis>]</term>
<listitem>
<para>Deprecated in Shorewall 4.4.12.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOGRATE=</emphasis>[<emphasis>rate</emphasis>/{<emphasis
role="bold">minute</emphasis>|<emphasis
role="bold">second</emphasis>}]</term>
<listitem>
<para>Deprecated in Shorewall 4.4.12. These options are ignored when
LOGLIMIT is specified.</para>
<para>These parameters set the match rate and initial burst size for
logged packets. Please see iptables(8) for a description of the
behavior of these parameters (the iptables option --limit is set by
LOGRATE and --limit-burst is set by LOGBURST). If both parameters
are set empty, no rate-limiting will occur. If you supply one of
these, then you should also supply the other.</para>
<para>Example:</para>
<programlisting> LOGRATE=10/minute
LOGBURST=5</programlisting>
<para>For each logging rule, the first time the rule is reached, the
packet will be logged; in fact, since the burst is 5, the first five
packets will be logged. After this, it will be 6 seconds (1 minute
divided by the rate of 10) before a message will be logged from the
rule, regardless of how many packets reach it. Also, every 6
seconds, one of the bursts will be regained; if no packets hit the
rule for 30 seconds, the burst will be fully recharged; back where
we started.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">LOGTAGONLY=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>


@ -707,33 +707,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">EXPORTPARAMS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Deprecated beginning with Shorewall 4.4.17.</para>
<para>Beginning with Shorewall 4.4.17, the variables set in the
'params' file at compile time are available at run time with
EXPORTPARAMS=No. As a consequence, beginning with that version the
recommended setting is EXPORTPARAMS=No.</para>
<para>It is quite difficult to code a 'params' file that assigns
other than constant values such that it works correctly with
Shorewall6 Lite. The EXPORTPARAMS option works around this problem.
When EXPORTPARAMS=No, the 'params' file is not copied to the
compiler output.</para>
<para>With EXPORTPARAMS=No, if you need to set environmental
variables on the firewall system for use by your extension scripts,
then do so in the init extension script.</para>
<para>The default is EXPORTPARAMS=Yes which is the recommended
setting unless you are running Shorewall6 Lite.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">FASTACCEPT=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -1274,10 +1247,10 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<important>
<para>To help insure that all packets in the NEW state are
logged, rate limiting (LOGBURST and LOGRATE) should be disabled
when using LOGALLNEW. Use LOGALLNEW at your own risk; it may
cause high CPU and disk utilization and you may not be able to
control your firewall after you enable this option.</para>
logged, rate limiting (LOGLIMIT) should be disabled when using
LOGALLNEW. Use LOGALLNEW at your own risk; it may cause high CPU
and disk utilization and you may not be able to control your
firewall after you enable this option.</para>
</important>
<para/>
@ -1358,48 +1331,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOGBURST=</emphasis>[<emphasis>burst</emphasis>]</term>
<listitem>
<para>Deprecated in Shorewall 4.4.12.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOGRATE=</emphasis>[<emphasis>rate</emphasis>/{<emphasis
role="bold">minute</emphasis>|<emphasis
role="bold">second</emphasis>}]</term>
<listitem>
<para>As of Shorewall 4.4.12, these parameters are
Deprecated.</para>
<para>These parameters set the match rate and initial burst size for
logged packets. Please see ip6tables(8) for a description of the
behavior of these parameters (the ip6tables option --limit is set by
LOGRATE and --limit-burst is set by LOGBURST). If both parameters
are set empty, no rate-limiting will occur. If you supply one of
these, then you should also supply the other.</para>
<para>Example:</para>
<programlisting> LOGRATE=10/minute
LOGBURST=5</programlisting>
<para>For each logging rule, the first time the rule is reached, the
packet will be logged; in fact, since the burst is 5, the first five
packets will be logged. After this, it will be 6 seconds (1 minute
divided by the rate of 10) before a message will be logged from the
rule, regardless of how many packets reach it. Also, every 6
seconds, one of the bursts will be regained; if no packets hit the
rule for 30 seconds, the burst will be fully recharged; back where
we started.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">LOGTAGONLY=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>