It turns out to be very difficult to write a 'params' file that is usable with Shorewall Lite unless the file contains nothing but static assignments. That is because 'params' runs both on the administrative system at compile time and on the firewall system at run-time.

After making several false starts in an effort to solve this problem, I've decided to make the following change in both 3.2.9 and 3.4.0 RC2. When the "-e" option is specified to the compiler (as it is when run by the "load" and "reload" commands), the 'params' file will no longer be copied into the compiled script. So 'params' will only be run at compile time. This means that shell variables needed at compile time (i.e., those that appear in Shorewall configuration files) need to be assigned a value in the export directory's 'params' file. Those shell variables needed at run-time (i.e., those that appear in extension scripts that are copied into the compiled script) need to be assigned a value in the 'init' extension script.

With this change, 'params' can be coded under the assumption that it always runs on the administrative system while 'init' can continue to be coded under the assumption that it will always run on the firewall system. If 'params' needs to get information from the firewall system, it can do so using ssh. For example, you can use the following trick to obtain the IP address of an interface on the firewall system (but don't fold it like my mailer is doing here):

    ADDR=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0" )

The above would set ADDR to the IP address of 'eth0' on the system 'firewall'. The shorewall-lite 'call' command allows you to interactively call any function in shorewall-lite or in /usr/share/shorewall-lite/functions (3.2.x) and in /usr/share/shorewall-lite/lib.base and /usr/share/shorewall-lite/lib.cli (3.4.x).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
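
An added example, not part of the message above and not Shorewall's own code: a defensive wrapper around the ssh call for use in the export directory's 'params' file. It only hands back a single well-formed IPv4 address, so a failed ssh session or unexpected remote output does not end up in ADDR at compile time. The host name, the ssh options and the helper names (FW_CALL, is_ipv4, fw_interface_addr) are assumptions.

```sh
# Added example for the export directory's 'params' file, which runs only on
# the administrative system at compile time.
# Assumptions (not from the original message): the host name "firewall", the
# ssh options, and the helper names is_ipv4, fw_interface_addr and FW_CALL.

# Command prefix that runs "shorewall-lite call" on the firewall system.
# BatchMode stops ssh from prompting; ConnectTimeout bounds a dead host.
# FW_CALL can be pointed at a stub to exercise the fragment offline.
: "${FW_CALL:=ssh -o BatchMode=yes -o ConnectTimeout=5 root@firewall /sbin/shorewall-lite call}"

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
# The body is a subshell, so the IFS change and positional parameters
# do not leak into the rest of 'params'.
is_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
)

# Print the first address of interface $1 on the firewall, or fail.
fw_interface_addr() (
    # ssh joins its arguments into one remote shell command line, so the
    # interface name is restricted to characters that need no quoting.
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    addr=$($FW_CALL find_first_interface_address "$1") || return 1
    # Empty or unexpected output must not become ADDR.
    is_ipv4 "$addr" || return 1
    printf '%s\n' "$addr"
)

# Use in 'params' (one line):
#   ADDR=$(fw_interface_addr eth0) || echo "params: no address for eth0" >&2
```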
_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel