From fa024a63aae2aac343bde2fdb2a1942fcb00ac3b Mon Sep 17 00:00:00 2001
From: teastep
Date: Sun, 4 Feb 2007 01:00:15 +0000
Subject: [PATCH] /etc/shorewall/params only at compile-time

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5352 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/compiler | 26 ------------------
 Shorewall/lib.config | 2 --
 Shorewall/releasenotes.txt | 55 +++++++++++++++++++++-----------------
 3 files changed, 31 insertions(+), 52 deletions(-)

diff --git a/Shorewall/compiler b/Shorewall/compiler
index b14139346..295bef0c6 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -121,16 +121,6 @@ indent1() {
 fi
 }
-#
-# Echo the contents of the passed file indented by $INDENT and perform INCLUDE processing.
-#
-indent2() {
- if [ -n "$INDENT" ]; then
- read_file $1 0 | eval sed \'s\/^/"$INDENT"\/\'
- else
- read_file $1 0
- fi
-}
 #
 # Append a file to the compiler's output with indentation.
@@ -155,20 +145,6 @@ append_file() # $1 = File Name
 esac
 }
-#
-# Append a file to the compiler's output with indentation and INCLUDE expansion.
-#
-append_file1() # $1 = File Name
-{
- local user_exit=$(find_file $1)
-
- if [ -f $user_exit ]; then
- save_progress_message "Processing $user_exit ..."
- indent2 $user_exit >&3
- save_command
- fi
-}
-
 #
 # Generate a command to run iptables
 #
@@ -5115,8 +5091,6 @@ __EOF__
 __EOF__
 fi
- append_file1 params
-
 cat >&3 << __EOF__
 STOPPING=
diff --git a/Shorewall/lib.config b/Shorewall/lib.config
index 303d96368..8d5ece775 100644
--- a/Shorewall/lib.config
+++ b/Shorewall/lib.config
@@ -1874,8 +1874,6 @@ do_initialize() {
 run_user_exit params
- [ $PROGRAM = compiler ] && run_user_exit compile
-
 config=$(find_file shorewall.conf)
 if [ -f $config ]; then
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 269c76892..1fcec96ce 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -34,28 +34,22 @@ None.
 Other Changes in 3.4.0 RC 1
-1) A new 'compile' extension script has been added. This script is
- invoked in the compiler to set shell variables needed at compile
- time. The script can use 'ssh' to obtain information from a remote
- firewall system.
+1) In spite of my claim that I would not introduce any changes other
+ than bug fixes in a release candidate, I'm going to do so anyway.
- One common thing that such a script might want to do is to obtain
- the IP address of an interface on a remote firewall for later use
- in Shorewall configuration files. This can be done using the
- following trick:
+ Beginning with Shorewall 3.4.0, Shorewall will only process
+ /etc/shorewall/params during the compile phase. Any shell variables
+ needed at run-time must be set in /etc/shorewall/init.
- ADDR=$(ssh root@ "shorewall-lite call
- get_first_interface_address ")
-
- where:
-
- is the name of the remote firewall system; and
- is the name of an interface on that system.
-
- The shorewall-lite "call" command allows you to interactively call
- any function in /usr/share/shorewall-lite/lib.base and
- /usr/share/shorewall-lite/lib.config.
+ In a Shorewall/Shorewall Lite environment, his allows
+ /etc/shorewall/params to be written to run exclusively
+ on the administrative system while /etc/shorewall/init runs
+ exclusively on the firewall system.
+ So shell variables required at compile time may be set in
+ /etc/shorewall/params and those required at run-time may be set in
+ /etc/shorewall/init.
+
 Migration Considerations: If you are migrating from a Shorewall version earlier than 3.2.0 then
@@ -64,7 +58,20 @@ information.
 http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/releasenotes.txt
-1) Shorewall supports the notion of "default actions". A default
+1) Beginning with Shorewall 3.4.0, Shorewall will only process
+ /etc/shorewall/params during the compile phase. Any shell variables
+ needed at run-time must be set in /etc/shorewall/init.
+
+ In a Shorewall/Shorewall Lite environment, his allows
+ /etc/shorewall/params to be written to run exclusively
+ on the administrative system while /etc/shorewall/init runs
+ exclusively on the firewall system.
+
+ So shell variables required at compile time may be set in
+ /etc/shorewall/params and those required at run-time may be set in
+ /etc/shorewall/init.
+
+2) Shorewall supports the notion of "default actions". A default
 action defines a set of rules that are applied before a policy is enforced. Default actions accomplish two goals:
@@ -97,12 +104,12 @@ http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/releasenotes.txt
 Shorewall version 3.4. Otherwise, please see item 3) in the New Features below.
-2) The 'Limit' action is now a builtin. If you have 'Limit' listed in
+3) The 'Limit' action is now a builtin. If you have 'Limit' listed in
 /etc/shorewall/actions, remove the entry. Also remove the files /etc/shorewall/action.Limit and/or /etc/shorewall/Limit if you have them.
-3) This issue only applies if you have entries in
+4) This issue only applies if you have entries in
 /etc/shorewall/providers. Previously, Shorewall has not attempted to undo the changes it has
@@ -128,13 +135,13 @@ http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/releasenotes.txt
 do exist, remove them. b) Either restart networking or reboot.
-4) This issue only applies if you run Shorewall Lite.
+5) This issue only applies if you run Shorewall Lite.
 The /etc/shorewall-lite/shorewall.conf file has been renamed /etc/shorewall-lite/shorewall-lite.conf. When you upgrade, your shorewall.conf file will be renamed shorewall-lite.conf.
-5) Previously, 'ipsecnat' tunnels allowed AH traffic by default
+6) Previously, 'ipsecnat' tunnels allowed AH traffic by default
 (unless 'isecnat:noah' was given). Given that AH is incompatible with nat-traversal, 'ipsecnat' now implies 'ipsecnat:noah' and the latter is now redundant.