Tom Eastep
2003-Aug-23 15:00 UTC
[Shorewall-users] Warning of upcoming removal of ''logunclean'' and ''dropunclean'' interface options.
Harald Welte just announced that the 2.6 Kernels will not support the ''unclean'' match extension except via Patch-O-Matic.

Since I have a policy of not supporting Netfilter features that are only available in P-O-M, I will be removing the ''logunclean'' and ''dropunclean'' interface options from Shorewall.

In 1.4.7, a warning will be issued if these options are specified. In a later release, the warning will be replaced with an error and the code to create ''unclean'' match rules will be removed.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Rodolfo J. Paiz
2003-Aug-23 23:19 UTC
[Shorewall-users] Warning of upcoming removal of ''logunclean'' and ''dropunclean'' interface options.
At 8/23/2003 14:59 -0700, Tom Eastep wrote:

> Harald Welte just announced that the 2.6 Kernels will not support the
> ''unclean'' match extension except via Patch-O-Matic.
>
> Since I have a policy of not supporting Netfilter features that are only
> available in P-O-M, I will be removing the ''logunclean'' and ''dropunclean''
> interface options from Shorewall.
>
> In 1.4.7, a warning will be issued if these options are specified. In a
> later release, the warning will be replaced with an error and the code to
> create ''unclean'' match rules will be removed.

May I suggest that the error be generated, the code to create the rules removed, but that the firewall be started anyway without those rules? I would imagine this is a more "fail-safe" mode of operation, or am I missing something?

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
Tom Eastep
2003-Aug-24 08:34 UTC
[Shorewall-users] Warning of upcoming removal of ''logunclean'' and ''dropunclean'' interface options.
On Sat, 2003-08-23 at 23:18, Rodolfo J. Paiz wrote:

> > In 1.4.7, a warning will be issued if these options are specified. In a
> > later release, the warning will be replaced with an error and the code to
> > create ''unclean'' match rules will be removed.
>
> May I suggest that the error be generated, the code to create the rules
> removed, but that the firewall be started anyway without those rules? I
> would imagine this is a more "fail-safe" mode of operation, or am I missing
> something?

I suppose I could make it fatal in the "check" command and a warning in [re]start; there are a couple of cases handled like that currently.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
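The split behaviour discussed in the thread (a deprecated interface option is fatal under "check" but only a warning under start/restart) can be sketched as a small POSIX shell check. This is an added illustration, not Shorewall's own code; it assumes the 1.4-era interfaces file layout (ZONE INTERFACE BROADCAST OPTIONS, comma-separated options in the fourth column) and the function names, messages and exit codes are invented here. The sample interfaces content is constructed for the example.

```shell
#!/bin/sh
# Added example (not Shorewall code): scan interfaces-file content for the
# deprecated 'logunclean' / 'dropunclean' options and decide between a fatal
# error ("check" command) and a warning that lets the firewall start anyway.

# Constructed sample in the assumed ZONE INTERFACE BROADCAST OPTIONS layout.
SAMPLE_INTERFACES=$(cat <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,dropunclean
loc     eth1        detect      logunclean
dmz     eth2        detect      blacklist
EOF
)

# find_unclean_options CONTENT
# Prints "INTERFACE OPTION" for each deprecated option found.
# Exit status: 0 if none found, 1 if at least one found.
find_unclean_options() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and lines without OPTIONS
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "logunclean" || opts[i] == "dropunclean") {
                    print $2, opts[i]
                    found = 1
                }
        }
        END { exit found ? 1 : 0 }
    '
}

# count_unclean_options CONTENT
# Prints the number of deprecated options found (0 when clean).
count_unclean_options() {
    find_unclean_options "$1" | awk 'END { print NR }'
}

# check_unclean COMMAND CONTENT
# "check":          deprecated options are fatal, returns 2.
# anything else:    report them as warnings and return 0 so [re]start proceeds
#                   without the unclean match rules (the fail-safe behaviour
#                   suggested in the thread).
check_unclean() {
    cmd=$1
    hits=$(find_unclean_options "$2") && return 0   # clean file: nothing to do
    printf '%s\n' "$hits" | while read -r iface opt; do
        echo "WARNING: option '$opt' on interface $iface is no longer supported (unclean match removed)" >&2
    done
    case $cmd in
        check)
            echo "ERROR: remove the options above; 'check' treats them as fatal" >&2
            return 2 ;;
        *)
            echo "Continuing without unclean match rules" >&2
            return 0 ;;
    esac
}
```

Running `check_unclean check "$SAMPLE_INTERFACES"` fails with status 2 after listing eth0/dropunclean and eth1/logunclean, while `check_unclean start "$SAMPLE_INTERFACES"` prints the same warnings and returns 0.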