On 5/29/11 2:42 PM, Mr Dash Four wrote:
>
>> Here's the final file.
>>
> OK, I am attaching quite a few files to this post, so hopefully the
> mailing list daemon won't moan too much. If it does, then I am going to
> have to attach these again in a private email.
>
> I have created the following files, which I have used to install and
> configure my shorewall yesterday:
>
> 1. shorewall.default - contains shorewall.conf's "default" options as
> per the file you enclosed in your previous post. These are used to
> construct the final shorewall.conf (see below);
> 2. shorewall.template - template to be used to "transform" the values
> and produce the final shorewall.conf;
> 3. shorewall-terse.template - another template, which does not contain
> any comments at all (may be suitable to "experts" who think they know
> what they are doing);
> 4. update-shorewall-config - a shell script, which does the donkey work
> of transforming shorewall.conf options (whether from an old
> shorewall.conf, "shorewall.default", or both, giving preference to the
> values present in the old shorewall.conf - in other words, if an option is
> specified in both the existing "shorewall.conf" and "shorewall.default"
> then the value of that option specified in the old "shorewall.conf"
> takes precedence) and produces a final "shorewall.conf", based on one of
> the two templates specified above ("shorewall.template" or
> "shorewall-terse.template").
Unfortunately, life isn't quite this simple.

- As I have already mentioned on the user's list, the
'update-shorewall-config' script doesn't take the params file into
account. In my own configuration, I have this in
/etc/shorewall/params:

    LOG=ULOG

Then, in /etc/shorewall/shorewall.conf, I have:

    MACLIST_LOG_LEVEL="$LOG"
    TCP_FLAGS_LOG_LEVEL="$LOG"
    SMURF_LOG_LEVEL="$LOG"

This is fairly simple to correct: load the relevant libraries
(remember, /etc/shorewall/params can use a number of
shorewall-supplied functions) and source the params file before
sourcing the .conf file.
- On a fresh installation, it is preferable to omit the deprecated
options. During an upgrade, however, we want to keep those options -
especially if they have a non-default value.
Today, I modified both the 4.4.20 and 4.4.21 branches to omit the
deprecated options from the .conf files (Shorewall, Shorewall6 and
their samples).
- I'm particularly uncomfortable with the idea of modifying users'
configurations during an upgrade. I prefer to make it an optional
post-installation step initiated by the user.
- Doesn't handle Shorewall6 (although it would be easy to adapt).
- The sarcastic name of the option (-teastep) won't do.
So, I'm thinking that:
- The 'upgrade-shorewall-config' script will not be invoked
automatically during install/upgrade. It may or may not be invoked in
my product build (I will have to think some more about that).
- It will be documented as an optional post-installation step.
Adventurous package maintainers may choose to use it. I will
maintain and include the necessary support files.
- It will also be included in Shorewall6.
- Deprecated options with non-default values will be retained with a
warning message. These options will be tacked onto the end of the
file with a suitable comment.
- The -teastep option will become -a (annotated). The default will be
non-annotated .conf files (which is consistent with the install.sh
scripts). The template files will be renamed accordingly.
- It is likely that none of this will be in 4.4.21 Beta 1.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
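As an added illustration of the two points in the message above (params sourced before the old .conf so that "$LOG" expands, and deprecated options with non-default values appended with a warning), the following is example code, not the update-shorewall-config script from the thread; the fixture files, the render_conf function, the template format (bare NAME= lines) and the DEPRECATED list are all constructed for this example.

```shell
#!/bin/sh
# Added example, not the script from the thread. Constructed fixture files
# and a hypothetical render_conf() showing: params is sourced before the
# old .conf (so "$LOG" expands), old values take precedence over defaults,
# and a deprecated option with a non-default value is appended with a warning.

DEPRECATED="BRIDGING"   # constructed stand-in for the deprecated option list

make_fixture() {        # writes the four input files; prints their directory
    dir=$(mktemp -d)
    printf 'MACLIST_LOG_LEVEL="info"\nTCP_FLAGS_LOG_LEVEL="info"\nBRIDGING="No"\n' \
        > "$dir/shorewall.default"                      # constructed defaults
    printf 'LOG=ULOG\n' > "$dir/params"
    printf 'MACLIST_LOG_LEVEL="$LOG"\nBRIDGING="Yes"\n' > "$dir/shorewall.conf.old"
    printf '# constructed template\nMACLIST_LOG_LEVEL=\nTCP_FLAGS_LOG_LEVEL=\n' \
        > "$dir/shorewall.template"                     # deprecated option omitted
    echo "$dir"
}

render_conf() {         # args: defaults params old-conf template
    defaults=$1 params=$2 oldconf=$3 template=$4
    . "$defaults"                        # shipped defaults first
    [ -f "$params" ]  && . "$params"     # then params, so $LOG is defined ...
    [ -f "$oldconf" ] && . "$oldconf"    # ... when the old conf expands it; old values win
    while IFS= read -r line; do          # fill template NAME= lines, keep comments
        case $line in
            ''|'#'*) printf '%s\n' "$line" ;;
            *=*) name=${line%%=*}; eval "val=\$$name"
                 printf '%s="%s"\n' "$name" "$val" ;;
        esac
    done < "$template"
    for name in $DEPRECATED; do          # retain non-default deprecated values
        def=$( . "$defaults"; eval "echo \"\$$name\"" )
        eval "cur=\$$name"
        if [ "$cur" != "$def" ]; then
            echo "WARNING: deprecated option $name kept (non-default value)" >&2
            printf '\n# WARNING: %s is deprecated; retained from old configuration\n' "$name"
            printf '%s="%s"\n' "$name" "$cur"
        fi
    done
}

d=$(make_fixture)
render_conf "$d/shorewall.default" "$d/params" "$d/shorewall.conf.old" "$d/shorewall.template"
```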