On 9/7/10 4:43 AM, Mr Dash Four wrote:
> 
>> Done.
>>   
> Do you have a patch or new rpm for me to test?

I'll be releasing Beta-4 later in the week; you can test then.

> 
>>> 2. Currently there is no ability to add comments in secmarks - it would 
>>> be nice if I could do that as is the case with the rules file (I am not 
>>> sure if the Shorewall adds comments automatically in secmarks as is the 
>>> case with the rules file - when common port numbers are used for example).
>>>     
>>
>> COMMENT is supported in the secmarks file. See
>> http://www.shorewall.net/configuration_file_basics.html#COMMENT

Typo in the link --
http://www.shorewall.net/configuration_file_basics.htm#COMMENT
>>   
> That link is getting me nowhere! I presume you meant 
> http://www.shorewall.net/configuration_file_basics.htm#Comments which 
> isn't what I really meant in my previous post, but this:
> 
> COMMENT the rest of the line will be attached as a comment to the 
> Netfilter rule(s) generated by the following entries. The comment will 
> appear delimited by "/* ... */" in the output of "shorewall show 
> <chain>". To stop the comment from being attached to further rules, 
> simply include COMMENT on a line by itself.
> 
> In other words, COMMENT the command as is in the rules file - as pointed 
> out in my previous post.

Which is already implemented in the Alpha-level code that you have; I
just haven't gotten around to documenting it in the man pages yet.

> 
>>> 4. CONNSECMARK - that was a true eye opener for me!!!
>>>
>>>
>>>     
>> So exactly what are you pushing for?
>>   
> Instead of manually adding "SAVE I:N", "SAVE O:N" and then "RESTORE 
> I:ER", "RESTORE O:ER" etc. at the end of each chain (as this would be 
> the most efficient way of dealing with SELinux contexts once they are 
> established) it would be nice if these things are 'optimised' and added 
> automatically by Shorewall when an appropriate option is turned on in 
> shorewall.conf (like "AUTO_CONNSECMARK=Yes" for example) so that I do 
> not have to put these manually.
> 
> As I already pointed out - in vast majority of cases SAVE and RESTORE 
> would make sense to be placed in the above form at the end of each chain 
> so that they take care of preserving and restoring SELinux contexts in 
> connections, so why not add them automatically?

I try to avoid adding any 'Shorewall automatically assumes ....'
features because "The vast majority of cases" is not "All cases". In
general, my approach with Shorewall has been flexibility, rather than
"works in most cases".

I will consider a shorewall.conf (shorewall6.conf) option as a follow-on
enhancement, but given how much more popular tcrules are than secmarks,
I would probably add the enhancement for tcrules first.

> 
>>> 6. Finally, two minor bits, which I am sure will be ironed out by the 
>>> time the new version of Shorewall is released - it would be good to have 
>>> a 'sample' secmarks file in the distribution and all man-pages (except 
>>> shorewall-secmarks) need to reference shorewall-secmarks as is done with 
>>> all the other sections of the manual.
>>>     
>>
>> That's not going to happen either.
>>   
> What isn't going to happen - a new Shorewall version?!
> 
> Sample files, more like templates really (like empty rules, interfaces 
> and many other files) are provided as part of the Shorewall 
> distribution, so I do not see why including an empty template secmarks 
> file in the final Shorewall distribution is proving to be such a major 
> headache?

I misread your comment; sorry.

There are already empty secmarks files in my source tree -- I just
haven't updated the installers to include them in the packages.

> 
> As for the man pages - at the end of each man page there is reference to 
> all other shorewall-* man pages, so I thought it would make sense to 
> include shorewall-secmarks in that list, that's all. Don't see why this 
> is proving to be such a problem, but guessing by your rant below you 
> couldn't be arsed - fair enough.

Again, I'll get around to it. Remember that what you are running is
alpha level code.

>
> 
>> <rant> This is basically a one-man project. I get excellent help from a
>> group of people that produce packages for various distributions and that
>> help with support. But I produce almost all of the code and
>> documentation. And writing code is about 20% of my time spent on
>> Shorewall; the rest is support, writing documentation, and answering
>> posts like yours.
>> </rant>
>>   
> Your point being?
> 

I apologize for the rant -- I should have set your expectations when we
started. I don't run SELinux on any of my test environments and I have
no time or interest to learn how Netfilter interacts with SELinux,
except at the iptables command syntax level. I therefore needed someone
to verify that the ruleset would actually load on a SELinux-enabled
system and that the ruleset would do whatever it is intended to do. So I
sent you the very first code that I produced in an effort to ensure that
the iptables-restore input produced by Shorewall will actually load and
work. I sent you a second RPM because the change you suggested to add a
USER/GROUP column involved several files and would have been hard for
you to install as a patch.

My ill-conceived rant was my way of pointing out that getting code that
works is only a small part of what is required to produce a complete and
supportable product. There is a lot that needs to be done after the code
apparently works before the product can be considered complete. So
please bear with me; when Beta 4 is finally released, *then* please send
me feedback about missing examples and incomplete documentation.

Thanks,
-Tom

PS -- In my rant, I failed to mention that there are also people who work
tirelessly to test the Betas and RCs; they are also very much appreciated.

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
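The SAVE/RESTORE placement and the COMMENT keyword discussed in the thread, written out as a secmarks file; this is an added example, not a file from the thread or from the Shorewall project, and the column layout (SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK, with chain:state suffixes such as I:N and O:ER) is assumed from shorewall-secmarks(5). The SELinux context is a placeholder, not a real policy label.

```text
# Added example secmarks file (assumed layout, see lead-in).
# SECMARK                                    CHAIN  SOURCE  DEST  PROTO  DPORT
COMMENT label new inbound SSH sessions on this host
system_u:object_r:EXAMPLE_SSH_PACKET_t:s0    I:N    -       -     tcp    22
COMMENT

# Copy the packet label into the conntrack entry as soon as the
# connection is created (CONNSECMARK --save), in both directions.
COMMENT persist packet label into the connection
SAVE                                         I:N
SAVE                                         O:N
COMMENT

# Re-apply the stored label to later packets of an established or
# related connection (CONNSECMARK --restore), so only the first packet
# ever needs to match the context rules above.
COMMENT restore connection label onto later packets
RESTORE                                      I:ER
RESTORE                                      O:ER
COMMENT
```

After "shorewall restart", "shorewall show INPUT" (and OUTPUT) should list each generated rule with the preceding COMMENT text between /* ... */, which is the quickest way to confirm the SAVE/RESTORE pairs landed in the intended chains with the intended state matches.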

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users