On 03/12/2018 12:41 PM, Max Addler (Dersbach) wrote:
> On 12.03.2018 at 20:11, Tom Eastep wrote:
>> On 03/12/2018 12:06 PM, Max Addler (Dersbach) wrote:
>>> On 12.03.2018 at 19:47, Tom Eastep wrote:
>>>> On 03/11/2018 02:56 PM, Max Addler (Dersbach) wrote:
>>>>> Hi all
>>>>> for a current project I would be happy to have INCLUDE be able to nest
>>>>> to more than 3 levels. The limit is imposed in Config.pm line 3480 and
>>>>> AFAIK in three other locations (the actual limit is "4").
>>>>> While it is easy to change these explicit numeric limits to a constant
>>>>> and e.g. set that to 10 in my locally installed copy, and it does not
>>>>> create any obvious problem, the question is of course if there are any
>>>>> side effects to be expected from such a change. Can anyone provide me
>>>>> with an opinion or maybe a reference information?
>>>> Hi Max,
>>>> There should be no side effects to changing the literal '4' in those
>>>> cases. In 5.2.0, I have replaced those literals with a symbolic constant
>>>> so the limit can be modified with a single-line change.
>>>> -Tom
>>> Hi Tom
>>> Thanks for your answer - good to know. That does help.
>>> "Symbolic constant" means I can change that in a single line of perl
>>> code - right?
>>> If I would attempt to create a patch for making that a shorewall.conf
>>> option, would you consider including such a change in the release?
>>> (If it's not a config option, or even if I create a working patch, but
>>> it's not going to be in the release, I need to keep patching after each
>>> shorewall package update. I will not have any system running without
>>> updates).
>> Yes -- as things now stand, patching would be required. The number 4 was
>> picked rather arbitrarily back when Shorewall was shell-based, and there
>> is no good reason to keep that particular limit. What limit does your
>> project require? The only reason that there is a limit at all is to
>> catch INCLUDE loops before they result in an out-of-memory trap.
>> -Tom
> I started out with 10, and currently I am at 15 - and almost ready with
> configuration at a maximum actual level of 12, so I think it will not
> increase further.
> It will take me some time to create a patch unless you set it to at
> least 15 - in which case I will probably not need to provide one.
> For catching INCLUDE loops, during startup (of other programs I wrote) I
> usually record the name of each included file in a temporary file, and
> whenever a new INCLUDE directive is encountered, I grep the file for the
> new filename - if the grep is successful, there is an INCLUDE loop, and
> I can abort startup. Yes this slows down startup, takes up disk space,
> but is a viable approach if robustness is more important than speed.
> Rationale behind my shorewall recursion: The idea is to have networks
> behind networks - currently that's a prototype.
> Imagine the "outermost" network to be connected to the Internet (let's
> call it A), and the innermost (let's call it Z) to be connected just to
> the outer next one (let's call it Y), and each one in-between is
> connected to one lying to the inside, and one to the outside. A package
> from Z needs to traverse each of the other intermediate networks until
> it reaches A and then the Internet. Whenever one physically interrupts
> any of the interconnections, everything on the inside will work as an
> island.
> As connectivity is strictly inside-out, Z would need to know at least
> about Y, but also about at least some of the more outward lying hosts,
> and Y needs to know all of that, too, except for the Z stuff, and X
> needs to know all of that, too, except for the Y and Z stuff, and so on.
> So in Z there is an INCLUDE of Y definitions, and in Y there's an
> include of X definitions, so that in the end Z has a 26-level recursive
> include which allows it to know about A. "Definitions" currently affects
> zones, hosts, params, and rules. This is work in progress.

Okay -- 5.2.0 will set the limit at 20.

Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
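The two mechanisms discussed in this thread, the nesting limit Tom keeps as a backstop against INCLUDE loops and Max's approach of recording every included file and checking each new INCLUDE against that record, as an added Python example that is not Shorewall's own code (Config.pm is Perl and is not reproduced here): it keeps the chain of files currently being expanded in memory instead of a temporary file, reports a loop as soon as a file includes itself through any path, and applies the depth limit only as a second line of defence. The `?INCLUDE`/`INCLUDE` directive syntax and the constructed sample files are assumptions.

```python
import re

MAX_INCLUDE_DEPTH = 20  # the value the thread says Shorewall 5.2.0 will use
# Assumed directive syntax; Shorewall's real parser (Config.pm) is not reproduced.
INCLUDE_RE = re.compile(r'^\s*\??INCLUDE\s+(\S+)')

class IncludeError(Exception):
    pass

def expand(name, files, depth_limit=MAX_INCLUDE_DEPTH, chain=()):
    """Flatten file `name` by following INCLUDE directives.  `files` maps
    filename -> lines (an in-memory stand-in for real files); `chain` is the
    stack of files being expanded, so a name already on it is an INCLUDE loop,
    reported at once, and the depth limit is only a backstop."""
    if name in chain:
        raise IncludeError("INCLUDE loop: " + " -> ".join(chain + (name,)))
    if len(chain) > depth_limit:
        raise IncludeError(f"INCLUDE nested deeper than {depth_limit} at {name}")
    if name not in files:
        raise IncludeError(f"included file not found: {name}")
    out = []
    for line in files[name]:
        m = INCLUDE_RE.match(line)
        if m:
            out.extend(expand(m.group(1), files, depth_limit, chain + (name,)))
        else:
            out.append(line)
    return out

def validate(name, files, depth_limit=MAX_INCLUDE_DEPTH):
    """Return None if `name` expands cleanly, otherwise the error message."""
    try:
        expand(name, files, depth_limit)
    except IncludeError as e:
        return str(e)
    return None

def nested_chain(n):
    """Constructed sample: F1 includes F2, F2 includes F3, ... up to Fn, the
    inside-out Z -> Y -> X -> ... -> A layout described in the thread."""
    files = {}
    for i in range(1, n + 1):
        lines = [f"# definitions for network F{i}"]
        if i < n:
            lines.append(f"INCLUDE F{i + 1}")
        files[f"F{i}"] = lines
    return files
# Constructed loop: A -> B -> C -> A, caught without waiting for the depth limit.
LOOPED = {"A": ["INCLUDE B"], "B": ["INCLUDE C"], "C": ["INCLUDE A"]}
```

With the default limit of 20, a 26-file chain like the one Max describes is rejected as too deep, while the loop in `LOOPED` is reported by name after three files regardless of the limit.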


Shorewall-users mailing list