As I recently announced on the Shorewall Development list, the version of Shorewall 1.4 currently in the CVS development tree improves the performance of complex zones (those requiring entries in /etc/shorewall/hosts). With that change, I've completed the product cleanup that I envisioned for 1.4.

Before I wrap up 1.4.2 and begin thinking about 2.0, is there anything else that people believe is needed that can't wait until 2.0? I would prefer that you not request integration with other products in 1.4 as I believe that the structure of 2.0 will make such integration easier.

Thanks for any thoughts you might have,

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Brad Fritz
2003-Mar-27 10:55 UTC
[Shorewall-devel] Re: [leaf-devel] Where do we go from here?
Tom,

On Wed, 26 Mar 2003 13:20:06 PST Tom Eastep wrote:

> Before I wrap up 1.4.2 and begin thinking about 2.0, is there anything
> else that people believe is needed that can't wait until 2.0? I would
> prefer that you not request integration with other products in 1.4 as I
> believe that the structure of 2.0 will make such integration easier.

One feature that I would find useful is the ability to include configuration directives from arbitrary files. That ability would make management of several firewalls with common rulesets more convenient. An example to help clarify:

shorewall/params.mgmt:

MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
TIME_SERVERS=4.4.4.4
BACKUP_SERVERS=5.5.5.5
----- end params.mgmt -----

shorewall/params:

# Shorewall 1.3 /etc/shorewall/params
[..]
#######################################

INCLUDE params.mgmt   # proposed INCLUDE directive to source
                      # auxiliary file

# params unique to this host here

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
----- end params -----

shorewall/rules.mgmt:

ACCEPT net:$MGMT_SERVERS $FW tcp 22
ACCEPT $FW net:$TIME_SERVERS udp 123
ACCEPT $FW net:$BACKUP_SERVERS tcp 22
----- end rules.mgmt -----

shorewall/rules:

# Shorewall version 1.3 - Rules File
[..]
#######################################

INCLUDE rules.mgmt    # proposed INCLUDE directive to source
                      # auxiliary file

# rules unique to this host here

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
----- end rules -----

I primarily use Shorewall with the Bering LEAF variant, so it would be nice to have something like that in the 1.4 series. I scanned the docs and mailing list archives looking for similar features or related requests and didn't see any; apologies if this has already been discussed previously. If not, would anyone else find such a feature useful?

--Brad
Tom Eastep
2003-Mar-27 11:04 UTC
[Shorewall-devel] Re: [leaf-devel] Where do we go from here?
On Thu, 27 Mar 2003, Brad Fritz wrote:

> One feature that I would find useful is the ability to include
> configuration directives from arbitrary files. That ability
> would make management of several firewalls with common rulesets
> more convenient. An example to help clarify:
>
> shorewall/params.mgmt:
> MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
> TIME_SERVERS=4.4.4.4
> BACKUP_SERVERS=5.5.5.5
> ----- end params.mgmt -----
>
>
> shorewall/params:
> # Shorewall 1.3 /etc/shorewall/params
> [..]
> #######################################
>
> INCLUDE params.mgmt   # proposed INCLUDE directive to source
>                       # auxiliary file

Already supported -- just use "." in place of INCLUDE:

. /some/dir/params.mgmt

Be sure to fully qualify the file name since you can't make any assumptions about the CWD when Shorewall is running.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Mar-27 11:07 UTC
[Shorewall-devel] Re: [leaf-devel] Where do we go from here?
On Thu, 27 Mar 2003, Tom Eastep wrote:

> > #######################################
> >
> > INCLUDE params.mgmt   # proposed INCLUDE directive to source
> >                       # auxiliary file
>
> Already supported -- just use "." in place of INCLUDE:
>
> . /some/dir/params.mgmt
>
> Be sure to fully qualify the file name since you can't make any
> assumptions about the CWD when Shorewall is running.
>

And note that this only works for files that contain shell commands like /etc/shorewall/shorewall.conf, /etc/shorewall/params, /etc/shorewall/start, etc. It does not work for files such as /etc/shorewall/rules or /etc/shorewall/masq which are read and processed by Shorewall.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Mar-27 11:40 UTC
[Shorewall-devel] Re: [leaf-devel] Where do we go from here?
On Thu, 27 Mar 2003, Tom Eastep wrote:

>
> And note that this only works for files that contain shell commands like
> /etc/shorewall/shorewall.conf, /etc/shorewall/params,
> /etc/shorewall/start, etc. It does not work for files such as
> /etc/shorewall/rules or /etc/shorewall/masq which are read and processed
> by Shorewall.
>

It took just a few minutes to hack out some code to make it work in the other cases as well -- will be included in 1.4.2.

Thanks,

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
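The two points Tom makes in the messages above, sourcing a params file with "." under a fully qualified name and an INCLUDE directive for the files Shorewall parses itself, as an added example that is not part of the thread and not Shorewall's own implementation (the 1.4.2 code is not shown on this page). It is a POSIX sh script that rebuilds Brad's layout in a temporary directory with constructed contents, loads the params file only through an absolute path, shows why a relative name breaks once the CWD changes, and expands INCLUDE lines in a rules-style file with a nesting cap. Resolving a relative INCLUDE name against the including file's directory, stripping a trailing "# comment", and refusing a world-writable params file are choices of this example, not documented Shorewall behaviour.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Demonstrates (1) why "." needs a
# fully qualified file name when the CWD is unknown, and (2) a minimal INCLUDE
# expander for files that are read and processed rather than sourced.
# All file names and contents below are constructed for the demo.

# Build a scratch config tree mirroring Brad's layout; prints its path.
make_demo_tree() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/params.mgmt" <<'EOF'
MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
TIME_SERVERS=4.4.4.4
BACKUP_SERVERS=5.5.5.5
EOF
    cat > "$dir/rules.mgmt" <<'EOF'
ACCEPT net:$MGMT_SERVERS $FW tcp 22
ACCEPT $FW net:$TIME_SERVERS udp 123
ACCEPT $FW net:$BACKUP_SERVERS tcp 22
EOF
    cat > "$dir/rules" <<'EOF'
# Shorewall-style rules file (constructed)
INCLUDE rules.mgmt      # shared management rules
ACCEPT loc $FW tcp 80
EOF
    printf 'INCLUDE loop\n' > "$dir/loop"   # self-including file for the loop check
    chmod 0600 "$dir/params.mgmt" "$dir/rules" "$dir/rules.mgmt" "$dir/loop"
    printf '%s\n' "$dir"
}

# Source a params file the way Tom describes ("." in place of INCLUDE).
# "." executes the file as shell, so insist on an absolute path to a regular,
# readable file that nobody else can write to (this example's own policy).
load_params() {
    case $1 in
        /*) ;;
        *)  echo "load_params: '$1' is not fully qualified" >&2; return 1 ;;
    esac
    [ -f "$1" ] && [ -r "$1" ] || { echo "load_params: cannot read $1" >&2; return 1; }
    if [ -n "$(find "$1" -prune -perm -002)" ]; then
        echo "load_params: refusing world-writable $1" >&2; return 1
    fi
    . "$1"
}

# Why the name must be fully qualified: a relative name is resolved against
# whatever the CWD happens to be. Runs in a subshell so a failure is contained.
source_relative_from() {
    ( cd "$1" && . ./params.mgmt && printf '%s\n' "$MGMT_SERVERS" ) 2>/dev/null
}

# Expand "INCLUDE <file>" lines of a rules-style file onto stdout. Relative
# names resolve against the including file's directory (a choice of this
# example); a trailing "# comment" is stripped; nesting is capped so a file
# that includes itself fails instead of looping forever.
expand_includes() {
    file=$1 depth=${2:-0}
    if [ "$depth" -gt 10 ]; then
        echo "expand_includes: INCLUDE nesting too deep in $file" >&2; return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            INCLUDE[[:space:]]*)
                inc=${line#INCLUDE}; inc=${inc%%#*}
                set -- $inc; inc=$1          # trim surrounding whitespace
                [ -n "$inc" ] || { echo "expand_includes: empty INCLUDE in $file" >&2; return 1; }
                case $inc in /*) ;; *) inc=$(dirname "$file")/$inc ;; esac
                [ -f "$inc" ] && [ -r "$inc" ] || { echo "expand_includes: cannot read $inc (from $file)" >&2; return 1; }
                # Recurse in a subshell so this frame's file/depth survive.
                ( expand_includes "$inc" $((depth + 1)) ) || return 1
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$file"
}
```

Because "." executes the file as shell, whatever is in params.mgmt runs with the firewall script's privileges at start time; keep such files root-owned and not writable by anyone else, and apply the same rule to anything pulled in through an INCLUDE.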
Brad Fritz
2003-Mar-27 11:51 UTC
[Shorewall-devel] Re: [leaf-devel] Where do we go from here?
Tom,

On Thu, 27 Mar 2003 11:40:11 PST Tom Eastep wrote:

> On Thu, 27 Mar 2003, Tom Eastep wrote:
>
> >
> > And note that this only works for files that contain shell commands like
> > /etc/shorewall/shorewall.conf, /etc/shorewall/params,
> > /etc/shorewall/start, etc. It does not work for files such as
> > /etc/shorewall/rules or /etc/shorewall/masq which are read and processed
> > by Shorewall.
>
> It took just a few minutes to hack out some code to make it work in the
> other cases as well -- will be included in 1.4.2.

Awesome! Thank you, Tom.

--Brad