On 03/12/2018 12:41 PM, Max Addler (Dersbach) wrote:
>
> On 12.03.2018 at 20:11, Tom Eastep wrote:
>> On 03/12/2018 12:06 PM, Max Addler (Dersbach) wrote:
>>> On 12.03.2018 at 19:47, Tom Eastep wrote:
>>>> On 03/11/2018 02:56 PM, Max Addler (Dersbach) wrote:
>>>>> Hi all
>>>>>
>>>>> for a current project I would be happy to have INCLUDE be able to nest
>>>>> to more than 3 levels. The limit is imposed in Config.pm line 3480 and
>>>>> AFAIK in three other locations (the actual limit is "4").
>>>>>
>>>>> While it is easy to change these explicit numeric limits to a constant
>>>>> and e.g. set that to 10 in my locally installed copy, and it does not
>>>>> create any obvious problem, the question is of course if there are any
>>>>> side effects to be expected from such a change. Can anyone provide me
>>>>> with an opinion or maybe some reference information?
>>>>>
>>>> Hi Max,
>>>>
>>>> There should be no side effects to changing the literal '4' in those
>>>> cases. In 5.2.0, I have replaced those literals with a symbolic constant
>>>> so the limit can be modified with a single-line change.
>>>>
>>>> -Tom
>>> Hi Tom
>>>
>>> Thanks for your answer - good to know. That does help.
>>>
>>> "Symbolic constant" means I can change that in a single line of perl
>>> code - right?
>>>
>>> If I were to attempt to create a patch for making that a shorewall.conf
>>> option, would you consider including such a change in the release?
>>>
>>> (If it's not a config option, or even if I create a working patch, but
>>> it's not going to be in the release, I need to keep patching after each
>>> shorewall package update. I will not have any system running without
>>> updates).
>>>
>> Yes -- as things now stand, patching would be required. The number 4 was
>> picked rather arbitrarily back when Shorewall was shell-based, and there
>> is no good reason to keep that particular limit. What limit does your
>> project require? The only reason that there is a limit at all is to
>> catch INCLUDE loops before they result in an out-of-memory trap.
>>
>> -Tom
>>
>
> I started out with 10, and currently I am at 15 - and almost ready with
> configuration at a maximum actual level of 12, so I think it will not
> increase further.
>
> It will take me some time to create a patch unless you set it to at
> least 15 - in which case I will probably not need to provide one.
>
> For catching INCLUDE loops, during startup (of other programs I wrote) I
> usually record the name of each included file in a temporary file, and
> whenever a new INCLUDE directive is encountered, I grep the file for the
> new filename - if the grep is successful, there is an INCLUDE loop, and
> I can abort startup. Yes, this slows down startup and takes up disk space,
> but it is a viable approach if robustness is more important than speed.
>
> Rationale behind my shorewall recursion: The idea is to have networks
> behind networks - currently that's a prototype.
> Imagine the "outermost" network to be connected to the Internet (let's
> call it A), and the innermost (let's call it Z) to be connected just to
> the next outer one (let's call it Y), and each one in-between is
> connected to one lying to the inside, and one to the outside. A package
> from Z needs to traverse each of the other intermediate networks until
> it reaches A and then the Internet. Whenever one physically interrupts
> any of the interconnections, everything on the inside will work as an
> island.
> As connectivity is strictly inside-out, Z would need to know at least
> about Y, but also about at least some of the more outward lying hosts,
> and Y needs to know all of that, too, except for the Z stuff, and X
> needs to know all of that, too, except for the Y and Z stuff, and so on.
> So in Z there is an INCLUDE of Y definitions, and in Y there's an
> include of X definitions, so that in the end Z has a 26-level recursive
> include which allows it to know about A.
> "Definitions" currently affects zones, hosts, params, and rules. This is
> work in progress.
>
Okay -- 5.2.0 will set the limit at 20.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \ an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \ understand
                          \_______________________________________________
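The two loop defences discussed in this thread, Max's "record every included file and abort on a repeat" and the depth cap Tom keeps as a backstop, as an added Python example that is not Shorewall's own code: the in-memory `files` map, the plain `INCLUDE <name>` line syntax and the sample chains are constructed for the example.

```python
"""Added example (not Shorewall code): INCLUDE expansion that detects loops
and enforces a nesting cap. `files` is a constructed in-memory map of
filename -> text; the directive syntax is simply 'INCLUDE <name>'."""

MAX_INCLUDE_DEPTH = 20  # the value Tom says 5.2.0 will use


class IncludeError(Exception):
    """An INCLUDE loop, or nesting deeper than MAX_INCLUDE_DEPTH."""


def expand(name, files, stack=None):
    """Return the non-comment lines of `name` with INCLUDEs expanded in place.
    `stack` holds the files being expanded (Max's 'record each included name'
    idea, as a list): a name already on it is a loop; the depth cap is a backstop."""
    stack = [] if stack is None else stack
    if name in stack:
        raise IncludeError("INCLUDE loop: " + " -> ".join(stack[stack.index(name):] + [name]))
    if len(stack) >= MAX_INCLUDE_DEPTH:
        raise IncludeError(f"INCLUDE nesting exceeds {MAX_INCLUDE_DEPTH} at {name}")
    stack.append(name)
    out = []
    for line in files[name].splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank or comment line
        if tokens[0] == "INCLUDE" and len(tokens) == 2:
            out.extend(expand(tokens[1], files, stack))
        else:
            out.append(line.strip())
    stack.pop()  # done with this file; it may legitimately be included again elsewhere
    return out


def check(name, files):
    """Return 'ok' or the error text instead of raising, for a startup report."""
    try:
        expand(name, files)
        return "ok"
    except IncludeError as err:
        return str(err)


def chain(names):
    """Constructed sample: file i defines one zone line and INCLUDEs file i+1."""
    files = {}
    for i, n in enumerate(names):
        nxt = f"INCLUDE {names[i + 1]}\n" if i + 1 < len(names) else ""
        files[n] = f"zone_{n}\n{nxt}"
    return files
```

With the stack check in place a two-file loop is reported as `a -> b -> a` at depth 2, while Max's 26-level Z-to-A chain trips the depth cap at the 21st file; the same file included twice from one parent is not a loop.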
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users