holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Document 'compile' extension script

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5348 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-02-03 01:28:29 +00:00
parent a91402e601
commit d42db46a4c
2 changed files with 85 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/changelog.txt
View File

@ -1,3 +1,7 @@
Changes in 3.4.0 RC 2
1) Add 'compile' user exit.
Changes in 3.4.0 RC 1 Changes in 3.4.0 RC 1
1) LITEDIR option in shorewall.conf 1) LITEDIR option in shorewall.conf

135
Shorewall/releasenotes.txt
View File

@ -1,4 +1,4 @@
Shorewall 3.4.0 RC1 Shorewall 3.4.0 RC2
Release Highlights Release Highlights
@ -28,63 +28,33 @@ Release Highlights
/etc/shorewall/route_rules and reverses those changes when /etc/shorewall/route_rules and reverses those changes when
appropriate. appropriate.
Problems Corrected in 3.4.0 RC1 Problems Corrected in 3.4.0 RC2
1) While most distributions store the Shorewall Lite compiled program None.
in /var/lib/shorewall/, Shorewall includes features that allow that
location to be changed on a per-distribution basis. The default for
a particular distribution may be determined by the command
"shorewall[-lite] show config".
teastep@lists:~/shorewall/trunk$ shorewall show config
Default CONFIG_PATH is /etc/shorewall:/usr/share/shorewall
LITEDIR is /var/lib/shorewall-lite
teastep@lists:~/shorewall/trunk$
The LITEDIR setting is the location where the compiled script
should be placed. Unfortunately, the "shorewall [re]load" command
previously used the setting on the administrative system rather
than the one from the firewall system so it was possible for that
command to upload the compiled script to the wrong directory.
To work around this problem, Shorewall now determines the LITEDIR
setting on the firewall system and uses that setting for uploading
the compiled script and its companion .conf file.
2) Previously, IP ranges and ipset names were handled incorrectly in
the last column of the maclist file with the result that run-time
errors occured.
3) The Beta3 manpages are sprinked with .html filenames enclosed in
square brackets.
Example:
...set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf
[shorewall.conf.html](5) and have...
These were generated by <ulink> elements in the XML source which
were added to provide inter-document links in the HTML rendition of
the manpages. <ulink>s were previously ignored by the XML->man
conversion tool; unfortunately, the latest release of the tool
no longer ignores these elements but rather produces the ugly
result shown above.
This problem has been corrected in RC1.
4) Previously, if "INCLUDE <filename>" appeared in
/etc/shorewall/params then run-time errors occurred.
As part of the fix for this problem, the mechanism by which
/etc/shorewall/params is copied into the compiler output was
changed. As a result, extra white space is removed from the text
during the copy operation so code in /etc/shorewall/params should
not depend on precise white-space, even in quoted strings.
Other Changes in 3.4.0 RC 1 Other Changes in 3.4.0 RC 1
1) A macro that handles SixXS has been contributed by Christian 1) A new 'compile' extension script has been added. This script is
Roessner. invoked in the compiler to set shell variables needed at compile
time. The script can use 'ssh' to obtain information from a remote
firewall system.
One common thing that such a script might want to do is to obtain
the IP address of an interface on a remote firewall for later use
in Shorewall configuration files. This can be done using the
following trick:
ADDR=$(ssh root@<firewall> "shorewall-lite call
get_first_interface_address <interface>")
where:
<firewall> is the name of the remote firewall system; and
<interface> is the name of an interface on that system.
The shorewall-lite "call" command allows you to interactively call
any function in /usr/share/shorewall-lite/lib.base and
/usr/share/shorewall-lite/lib.config.
Migration Considerations: Migration Considerations:
@ -765,4 +735,61 @@ Problems Corrected in 3.4.0 Beta 3
ERROR: Invalid DISPOSITION (ALOW:info) in rule "ALOW:info eth0 ERROR: Invalid DISPOSITION (ALOW:info) in rule "ALOW:info eth0
02:0C:03:04:05:06" 02:0C:03:04:05:06"
Problems Corrected in 3.4.0 RC1
1) While most distributions store the Shorewall Lite compiled program
in /var/lib/shorewall/, Shorewall includes features that allow that
location to be changed on a per-distribution basis. The default for
a particular distribution may be determined by the command
"shorewall[-lite] show config".
teastep@lists:~/shorewall/trunk$ shorewall show config
Default CONFIG_PATH is /etc/shorewall:/usr/share/shorewall
LITEDIR is /var/lib/shorewall-lite
teastep@lists:~/shorewall/trunk$
The LITEDIR setting is the location where the compiled script
should be placed. Unfortunately, the "shorewall [re]load" command
previously used the setting on the administrative system rather
than the one from the firewall system so it was possible for that
command to upload the compiled script to the wrong directory.
To work around this problem, Shorewall now determines the LITEDIR
setting on the firewall system and uses that setting for uploading
the compiled script and its companion .conf file.
2) Previously, IP ranges and ipset names were handled incorrectly in
the last column of the maclist file with the result that run-time
errors occured.
3) The Beta3 manpages are sprinked with .html filenames enclosed in
square brackets.
Example:
...set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf
[shorewall.conf.html](5) and have...
These were generated by <ulink> elements in the XML source which
were added to provide inter-document links in the HTML rendition of
the manpages. <ulink>s were previously ignored by the XML->man
conversion tool; unfortunately, the latest release of the tool
no longer ignores these elements but rather produces the ugly
result shown above.
This problem has been corrected in RC1.
4) Previously, if "INCLUDE <filename>" appeared in
/etc/shorewall/params then run-time errors occurred.
As part of the fix for this problem, the mechanism by which
/etc/shorewall/params is copied into the compiler output was
changed. As a result, extra white space is removed from the text
during the copy operation so code in /etc/shorewall/params should
not depend on precise white-space, even in quoted strings.
Other Changes in 3.4.0 RC 1
1) A macro that handles SixXS has been contributed by Christian
Roessner.