4.5.17 Beta 1 is now available for testing.

Problems Corrected:

1) A number of issues have been corrected in the Debian and Redhat/Fedora
   Shorewall-init SysV init scripts:

   a) Settings in ${SHAREDIR}/vardir are now handled correctly.
   b) Exit status is now returned correctly.
   c) Stale lock files are avoided.

2) When the compiled firewall script is run directly, it no longer
   attempts to copy itself onto itself using the 'cp' utility.

New Features:

1) Route types 'blackhole', 'unreachable' and 'prohibit' are no longer
   copied to provider routing tables by default when USE_DEFAULT_RT=No.
   You may cause them to be copied by including 'blackhole',
   'unreachable' and/or 'prohibit' in the COPY list along with interface
   names.

2) Previously, the generated script always added a host route to a
   provider's gateway in the provider's routing table. Beginning with
   this release, the 'noautosrc' provider option can be used to inhibit
   this behavior. 'noautosrc' must be used with care since the absence
   of such a route can cause start/restart runtime failures.

3) A '-c' (conditional) option has been added to the 'compile' command.
   This option causes compilation to proceed if:

   a) The specified (or defaulted) firewall script does not exist; or
   b) A file on the CONFIG_PATH (including any directory specified in
      the command) is newer than the existing script.

   Note: This new feature is not described in the release notes in the
   Beta 1 packages.

Thank you for testing,
-Tom
--
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \   died peacefully in his sleep. Not screaming like
Washington, USA     \   all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. This 200-page book is written by three acclaimed leaders in the
field. The early access version is available now. Download your free book today!
http://p.sf.net/sfu/neotech_d2d_may
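The staleness test that item 3 describes for 'compile -c', written out as an added example in POSIX sh. This is not Shorewall's code: the function names needs_compile and compile_if_needed are this example's own, CONFIG_PATH is taken as the colon-separated directory list used in shorewall.conf, and find is allowed to recurse into subdirectories, which is a simplification of what the real command checks.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: the "compile if the script is
# missing or any config file is newer" rule behind "compile -c".
#
# needs_compile SCRIPT CONFIG_PATH
#   CONFIG_PATH is a colon-separated directory list, as in shorewall.conf.
#   Returns 0 (compile) when SCRIPT does not exist or when any regular
#   file under one of the directories has a newer mtime than SCRIPT,
#   and 1 (skip) otherwise.  Directories that do not exist are ignored.
#   Simplification: find recurses into subdirectories.
needs_compile() {
    script=$1
    config_path=$2

    # (a) no existing script: always compile
    [ -f "$script" ] || return 0

    # (b) split CONFIG_PATH on ':' and look for a newer file in each dir.
    # "unset IFS" restores default word splitting afterwards.
    IFS=:
    set -- $config_path
    unset IFS

    for dir in "$@"; do
        [ -d "$dir" ] || continue
        newer=$(find "$dir" -type f -newer "$script" 2>/dev/null | head -n 1)
        if [ -n "$newer" ]; then
            echo "$newer is newer than $script" >&2
            return 0
        fi
    done
    return 1
}

# compile_if_needed SCRIPT CONFIG_PATH COMPILER [ARGS...]
#   Runs COMPILER only when needs_compile says so, which is the behaviour
#   "-c" adds to "shorewall compile".  COMPILER is any command, for example
#   "shorewall compile /var/lib/shorewall/firewall".
compile_if_needed() {
    script=$1
    config_path=$2
    shift 2
    if needs_compile "$script" "$config_path"; then
        "$@"
    else
        echo "$script is up to date, skipping compile" >&2
    fi
}
```

The check compares modification times only. A policy file restored with cp -p or tar -p, or edited on a host whose clock went backwards, can carry an mtime older than the compiled script and leave stale rules in place, so after changing the configuration confirm the result (for example with a restart and a look at the live rule set) rather than relying on '-c' alone to have recompiled.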
Tom Eastep wrote:
> 3) A '-c' (conditional) option has been added to the 'compile' command.
>    This option causes compilation to proceed if:
>
>    a) The specified (or defaulted) firewall script does not exist; or
>    b) A file on the CONFIG_PATH (including any directory specified in
>       the command) is newer than the existing script.
>
>    Note: This new feature is not described in the release notes
>          in the Beta 1 packages.
>
init.<distro>.sh in shorewall-init could benefit from including the above
option, but you haven't done it. Any reason?
On 5/10/13 3:42 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
> Tom Eastep wrote:
>> 3) A '-c' (conditional) option has been added to the 'compile' command.
>>    This option causes compilation to proceed if:
>>
>>    a) The specified (or defaulted) firewall script does not exist; or
>>    b) A file on the CONFIG_PATH (including any directory specified in
>>       the command) is newer than the existing script.
>>
>>    Note: This new feature is not described in the release notes
>>          in the Beta 1 packages.
>>
> init.<distro>.sh in shorewall-init could benefit from including the
> above option, but you haven't done it. Any reason?

You mean something like the attached?

-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.
Tom Eastep wrote:
> On 5/10/13 3:42 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>> init.<distro>.sh in shorewall-init could benefit from including the
>> above option, but you haven't done it. Any reason?
>>
>
> You mean something like the attached?
>
Sort of - you need to include the same changes in "stop()" as well. In
"setstatedir()" the "firewall" compilation "if" block isn't needed either.
Dash Four wrote:
>
> Tom Eastep wrote:
>> On 5/10/13 3:42 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>
>>> init.<distro>.sh in shorewall-init could benefit from including the
>>> above option, but you haven't done it. Any reason?
>>>
>>
>> You mean something like the attached?
>>
> Sort of - you need to include the same changes in "stop()" as well. In
> "setstatedir()" the "firewall" compilation "if" block isn't needed
> either.
One other thing - your Debian sysv script (ahem!) is not going to work -
patch attached.
On 5/10/13 7:31 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
> Dash Four wrote:
>>
>> Tom Eastep wrote:
>>> On 5/10/13 3:42 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>>
>>>> init.<distro>.sh in shorewall-init could benefit from including the
>>>> above option, but you haven't done it. Any reason?
>>>>
>>>
>>> You mean something like the attached?
>>>
>> Sort of - you need to include the same changes in "stop()" as well. In
>> "setstatedir()" the "firewall" compilation "if" block isn't needed
>> either.
> One other thing - your Debian sysv script (ahem!) is not going to work -
> patch attached.

Thanks!

-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.
On 5/10/13 4:28 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
> Tom Eastep wrote:
>> On 5/10/13 3:42 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>
>>> init.<distro>.sh in shorewall-init could benefit from including the
>>> above option, but you haven't done it. Any reason?
>>>
>>
>> You mean something like the attached?
>>
> Sort of - you need to include the same changes in "stop()" as well. In
> "setstatedir()" the "firewall" compilation "if" block isn't needed either.

This should remove redundant compilation and handle stop as well. Apply
your patch on top of it.

-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.
Tom Eastep wrote:
>> Sort of - you need to include the same changes in "stop()" as well. In
>> "setstatedir()" the "firewall" compilation "if" block isn't needed either.
>>
>
> This should remove redundant compilation and handle stop as well. Apply
> your patch on top of it.
>
Two additional (minor) issues: Currently, if I have PRODUCTS="mickey-mouse"
in /etc/sysconfig/shorewall-init, the init.d script completes and tells me
that everything is OK. The outcome is exactly the same if the conditional
compilation fails for some reason (regardless of whether the old "firewall"
is present or not). I think that's wrong and the init.d script should return
a failure if:

1. "PRODUCTS" has not been processed for whatever reason;
2. "shorewall compile -c" fails; or
3. "firewall" does not exist.

Finally, in init.<distro>.sh, the usage message should really be "Usage: $0"
or "Usage: shorewall-init" instead of "Usage: /etc/init.d/shorewall-init {...}"
On 5/10/13 10:13 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
> Tom Eastep wrote:
>>> Sort of - you need to include the same changes in "stop()" as well. In
>>> "setstatedir()" the "firewall" compilation "if" block isn't needed
>>> either.
>>>
>>
>> This should remove redundant compilation and handle stop as well. Apply
>> your patch on top of it.
>>
> Two additional (minor) issues: Currently, if I have
> PRODUCTS="mickey-mouse" in /etc/sysconfig/shorewall-init, the init.d
> script completes and tells me that everything is OK. The outcome is
> exactly the same if the conditional compilation fails for some reason
> (regardless of whether the old "firewall" is present or not). I think
> that's wrong and the init.d script should return a failure if:
>
> 1. "PRODUCTS" has not been processed for whatever reason;
> 2. "shorewall compile -c" fails; or
> 3. "firewall" does not exist.

The problem is that PRODUCTS is plural. What if one fails and the other
succeeds? Or one of two members of $PRODUCTS is invalid? I'm guessing that
you vote for a failure exit status to be returned? What should the exit
status be if $PRODUCTS is empty?

>
> Finally, in init.<distro>.sh, the usage message should really be "Usage:
> $0" or "Usage: shorewall-init" instead of "Usage:
> /etc/init.d/shorewall-init {...}"

Agreed.

-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.
Tom Eastep wrote:
>> Two additional (minor) issues: Currently, if I have
>> PRODUCTS="mickey-mouse" in /etc/sysconfig/shorewall-init, the init.d
>> script completes and tells me that everything is OK. The outcome is
>> exactly the same if the conditional compilation fails for some reason
>> (regardless of whether the old "firewall" is present or not). I think
>> that's wrong and the init.d script should return a failure if:
>>
>> 1. "PRODUCTS" has not been processed for whatever reason;
>> 2. "shorewall compile -c" fails; or
>> 3. "firewall" does not exist.
>>
>
> The problem is that PRODUCTS is plural. What if one fails and the other
> succeeds?
If one fails, then, from what I recall, there is a "break" statement and the
failure code is returned immediately, which is the right thing to do. To
answer your question - if one fails, then the other doesn't run and failure
is returned to the OS. Same with iptables-restore - if a single statement
fails, then nothing after that is attempted, which is the correct course of
action.

> Or one of two members of $PRODUCTS is invalid?
Same as above - if any member of PRODUCTS is invalid, then there should be a
failure returned to the OS straight away.

> I'm guessing that you vote for a failure exit status to be returned?
Yep.

> What should the exit status be if $PRODUCTS is empty?
>
Same as above - failure. Again, from memory (I don't have the contents of
this file in front of me at present), I think the init script checks whether
there is anything specified for PRODUCTS and if the variable is empty, then a
failure is returned which is the right thing to do - one has to specify at
least one "product" in order to run shorewall-init.

...
Yep, I just checked my version of shorewall-init:

    if [ -z "$PRODUCTS" ]; then
        echo "No firewalls configured for shorewall-init"
        failure
        return 6 #Not configured
    fi

So, if PRODUCTS is empty, then nothing is ever attempted and an error status
code is immediately returned to the OS, which is the correct thing to do.
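The failure handling argued for above (a failure status when PRODUCTS is empty or names an unknown product, when 'compile -c' fails, or when the compiled "firewall" script is missing), as an added example in POSIX sh rather than the project's own init script. KNOWN_PRODUCTS, STATEDIR_BASE, the <product>/firewall path and the compile_product and run_compiled hooks are assumptions of this example; status 6 is the LSB "not configured" code already used in the snippet above, and 1 is the generic LSB failure code. The point of failing fast is that an init script which prints OK after loading no firewall leaves the host open with nothing in the boot status to say so.

```shell
#!/bin/sh
# Added example, not the shorewall-init script itself: a start loop over
# PRODUCTS that stops at the first failure and returns an LSB status.
# The hooks below are assumptions so the logic can run without Shorewall.

# Products shorewall-init may be asked to start (assumption for this example).
KNOWN_PRODUCTS="shorewall shorewall6 shorewall-lite shorewall6-lite"

# Base of the per-product state directories (assumption; the real location
# comes from each product's VARDIR).  Overridable for testing.
STATEDIR_BASE=${STATEDIR_BASE:-/var/lib}

# compiled_script PRODUCT -> path of the compiled "firewall" script
compiled_script() {
    echo "$STATEDIR_BASE/$1/firewall"
}

# compile_product PRODUCT: the conditional compile step.  Default runs
# "<product> compile -c"; tests replace this function with a stub.
compile_product() {
    "$1" compile -c
}

# run_compiled SCRIPT: start the firewall from the compiled script.
run_compiled() {
    "$1" start
}

is_known_product() {
    case " $KNOWN_PRODUCTS " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# start_products "PRODUCTS"
#   LSB status: 0 all products started, 1 compile/start failure or missing
#   script, 6 not configured (empty PRODUCTS or an unknown member).
#   Stops at the first failure so a typo such as PRODUCTS="mickey-mouse"
#   is reported instead of being treated as success.
start_products() {
    products=$1

    if [ -z "$products" ]; then
        echo "No firewalls configured for shorewall-init" >&2
        return 6
    fi

    for product in $products; do
        if ! is_known_product "$product"; then
            echo "shorewall-init: unknown product '$product' in PRODUCTS" >&2
            return 6
        fi
        if ! compile_product "$product"; then
            echo "shorewall-init: $product compile -c failed" >&2
            return 1
        fi
        script=$(compiled_script "$product")
        if [ ! -x "$script" ]; then
            echo "shorewall-init: $script does not exist" >&2
            return 1
        fi
        if ! run_compiled "$script"; then
            echo "shorewall-init: $product start failed" >&2
            return 1
        fi
    done
    return 0
}
```

An init script would call start_products "$PRODUCTS" from its start) case and exit with the returned status; the same loop, minus the compile step, fits stop().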