There has been some dissatisfaction expressed with my decision to merge
manpage documentation into the configuration files by default. So I'm
releasing 4.4.20.1 that switches the default to not include
documentation. If you do want the documentation, supply the -a
(annotate) option to the installer.

I'm releasing this now rather than waiting so that those distro
maintainers who have not yet released 4.4.20 packages will not have to
change their package creation scripting twice.

Other changes:

1) The address of the Free Software Foundation has been corrected in
   the License files.

2) The shorewall[6].conf file installed in
   /usr/share/shorewall[6]/configfiles is no longer modified for use
   with Shorewall[6]-lite. When creating a new configuration for a
   remote firewall, two lines need to be modified in the copy:

   CONFIG_PATH=/usr/share/shorewall (or shorewall6)
   STARTUP_LOG=/var/log/shorewall-lite-init.log (or shorewall6-lite-init.log)

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
> There has been some dissatisfaction expressed with my decision to merge
> manpage documentation into the configuration files by default. So I'm
> releasing 4.4.20.1 that switches the default to not include
> documentation. If you do want the documentation, supply the -a
> (annotate) option to the installer.

Hi Tom,

I'd be interested to hear what kind of "dissatisfaction" was expressed to
you? I have welcomed the change because it eliminates most man page
lookups for me. That said, I'm using some kind of diff/patch magic to keep
the configs on my systems up2date. I can understand that otherwise the
docs in the configs would become out of date.

Thanks,
Simon

------------------------------------------------------------------------------
> There has been some dissatisfaction expressed with my decision to merge
> manpage documentation into the configuration files by default. So I'm
> releasing 4.4.20.1 that switches the default to not include
> documentation. If you do want the documentation, supply the -a
> (annotate) option to the installer.
>
> I'm releasing this now rather than waiting so that those distro
> maintainers who have not yet released 4.4.20 packages will not have to
> change their package creation scripting twice.
>

Bugger! I've just changed my .spec file and built the new shorewall
using -p instead. I guess I shouldn't be that quick the next time around.

------------------------------------------------------------------------------
> That said, I'm using some kind of diff/patch magic to keep
> the configs on my systems up2date. I can understand that otherwise the
> docs in the configs would become out of date.
>

I've offered my update-shorewall-config script (plus 3 other files) a
while ago which does just that - "automagically" updates shorewall.conf
options. I did send this email in the shorewall-devel list though, so
here they are again - attached with this email plus the text I posted in
the shorewall-devel list:

--->8-----------------------------
OK, I am attaching quite a few files to this post, so hopefully the
mailing list daemon won't moan too much. If it does, then I am going to
have to attach these again in a private email.

I have created the following files, which I have used to install and
configure my shorewall yesterday:

1. shorewall.default - contains shorewall.conf's "default" options as
   per the file you enclosed in your previous post. These are used to
   construct the final shorewall.conf (see below);

2. shorewall.template - template to be used to "transform" the values
   and produce the final shorewall.conf;

3. shorewall-terse.template - another template, which does not contain
   any comments at all (may be suitable to "experts" who think they know
   what they are doing);

4. update-shorewall-config - a shell script, which does the donkey work
   of transforming shorewall.conf options (whether from an old
   shorewall.conf, "shorewall.default", or both, giving preference to
   the values present in the old shorewall.conf - in other words, if
   option is specified in both the existing "shorewall.conf" and
   "shorewall.default" then the value of that option specified in the
   old "shorewall.conf" takes precedence) and produces a final
   "shorewall.conf", based on one of the two templates specified above
   ("shorewall.template" or "shorewall-terse.template").

From the shell script's heading:

PURPOSE:  Combines all values from /etc/shorewall/shorewall.default with
          <old_shorewall_conf> (if specified) and then uses
          /etc/shorewall/shorewall[-terse].template to dump the output
          to <old_shorewall_conf>, renaming <old_shorewall_conf> to
          <old_shorewall_conf>.org, if applicable. Preference is given
          to the values specified in <old_shorewall_conf>. "Deprecated"
          options (i.e. options used in <old_shorewall_conf>, but not
          present in /etc/shorewall/shorewall.default) are ignored.
          If no <old_shorewall_conf> is specified
          /etc/shorewall/shorewall.conf is assumed. If
          /etc/shorewall/shorewall.conf does not exist, then a new
          /etc/shorewall/shorewall.conf is created based on values in
          /etc/shorewall/shorewall.default.

SYNTAX:   $0 [-teastep] [<old_shorewall_conf>]

REQUIRES: /etc/shorewall/shorewall.default - containing all "default"
          values applicable to the distributed version of Shorewall;
          /etc/shorewall/shorewall[-terse].template - containing the
          template to be used during transformation;

IN:       "-teastep" - use the "terse" shorewall template
          (/etc/shorewall/shorewall-terse.template). Optional, defaults
          to using /etc/shorewall/shorewall.template
          <old_shorewall_conf> - old shorewall.conf to use. If
          <old_shorewall_conf> is not specified:
            1) /etc/shorewall/shorewall.conf is checked and if it
               exists, this is then used;
            2) if /etc/shorewall/shorewall.conf does not exist, then it
               is created based on the values in
               /etc/shorewall/shorewall.default, using the preselected
               template - /etc/shorewall/shorewall[-terse].template

OUT:      One of:
            - modified /etc/shorewall/shorewall.conf if
              "/etc/shorewall/shorewall.conf" exists or no
              <old_shorewall_conf> was specified
            - modified <old_shorewall_conf>

For this to really work the following needs to be done:

1. The existing shorewall.conf from the distribution
   (configfiles/shorewall.conf) needs to be wiped out and the attached
   shorewall.default needs to be used instead. All references of
   "shorewall.conf" in install.sh need to be replaced with
   "shorewall.default":

   sed -i "s/shorewall\.conf/shorewall\.default/" install.sh

2. The two templates need to be copied where they belong - in the
   configfiles/ directory so that they could be used. These need to be
   installed in /etc/shorewall at least so that they could be used by
   the update-shorewall-config script.

3. The update shorewall.conf script needs to be copied to a path where
   it can be executed (preferably /usr/sbin - this is what I've done
   anyway) and its attributes properly set (0755 and owner as root:root
   for example).

All of the above is done in my shorewall.spec file "automagically" when
I use it to build my shorewall rpm. There is a little script in the
%post section:

    %post
    if [ $1 = 1 ]; then
        /sbin/chkconfig --add shorewall
    fi
    /usr/sbin/update-shorewall-config &> /dev/null

What that does, among other things, is, it checks if there is old
shorewall.conf present and if that is so, it runs the
update-shorewall-config script to convert the options based on the
"normal" template ("shorewall.template"). If "shorewall.conf" does *not*
exist (new installation perhaps) it creates one based on
"shorewall.default" and "shorewall.template".

In that way there won't be any more daft messages like "shorewall.conf
has been saved as shorewall.conf.rpmnew" from the RPM engine as the file
is created/modified (the old file, if exists, is still saved as
shorewall.conf.org!).

By adopting this, there isn't any danger of carrying "deprecated"
options (I had about 9 when I first used this) or missing on new ones
released with each shorewall version.
------8<--------------------------

------------------------------------------------------------------------------
On 6/7/11 6:57 AM, Mr Dash Four wrote:
>
>> There has been some dissatisfaction expressed with my decision to merge
>> manpage documentation into the configuration files by default. So I'm
>> releasing 4.4.20.1 that switches the default to not include
>> documentation. If you do want the documentation, supply the -a
>> (annotate) option to the installer.
>>
>> I'm releasing this now rather than waiting so that those distro
>> maintainers who have not yet released 4.4.20 packages will not have to
>> change their package creation scripting twice.
>>
> Bugger! I've just changed my .spec file and built the new shorewall
> using -p instead. I guess I shouldn't be that quick the next time around.

-p is still accepted (and ignored).

-Tom

------------------------------------------------------------------------------
On 6/7/11 6:55 AM, Simon Matter wrote:
>> There has been some dissatisfaction expressed with my decision to merge
>> manpage documentation into the configuration files by default. So I'm
>> releasing 4.4.20.1 that switches the default to not include
>> documentation. If you do want the documentation, supply the -a
>> (annotate) option to the installer.
>
> Hi Tom,
>
> I'd be interested to hear what kind of "dissatisfaction" was expressed to
> you? I have welcomed the change because it eliminates most man page
> lookups for me. That said, I'm using some kind of diff/patch magic to keep
> the configs on my systems up2date. I can understand that otherwise the
> docs in the configs would become out of date.

First, it is a departure from my long-standing practice of not changing
the default behavior.

Second, the issue of the documentation becoming out of date is a real
concern. I have plans to eliminate that problem by optionally allowing
the existing files to be merged with the latest manpages during upgrade.
See Mr Dash Four's post on the development list where he demonstrated a
limited such facility for shorewall.conf.

The other issue is just the sheer size of the files and the fact that
the documentation just gets in the way of experienced users (I, for one,
find it a nuisance).

So it is still there for those that want it and I plan to improve it.
But for now, it will remain optional.

I'm beginning to think about Shorewall 5.0 a bit; that might be a
reasonable time to change the default, once all of the machinery is in
place to keep the documentation current.

-Tom

------------------------------------------------------------------------------
> I'm beginning to think about Shorewall 5.0 a bit; that might be a
> reasonable time to change the default, once all of the machinery is in
> place to keep the documentation current.
>

One thing I am hoping you will have available by then is tc support for
ipsets (i.e. the ability to include ipsets in tcfilters) - there were a
couple of posts last week on the netfilter-dev mailing list with regards
to that, so, fingers crossed, it won't be that long before this is
implemented.

------------------------------------------------------------------------------
> On 6/7/11 6:55 AM, Simon Matter wrote:
>>> There has been some dissatisfaction expressed with my decision to merge
>>> manpage documentation into the configuration files by default. So I'm
>>> releasing 4.4.20.1 that switches the default to not include
>>> documentation. If you do want the documentation, supply the -a
>>> (annotate) option to the installer.
>>
>> Hi Tom,
>>
>> I'd be interested to hear what kind of "dissatisfaction" was expressed
>> to you? I have welcomed the change because it eliminates most man page
>> lookups for me. That said, I'm using some kind of diff/patch magic to
>> keep the configs on my systems up2date. I can understand that otherwise
>> the docs in the configs would become out of date.
>
> First, it is a departure from my long-standing practice of not changing
> the default behavior.
>
> Second, the issue of the documentation becoming out of date is a real
> concern. I have plans to eliminate that problem by optionally allowing
> the existing files to be merged with the latest manpages during upgrade.
> See Mr Dash Four's post on the development list where he demonstrated a
> limited such facility for shorewall.conf.

OK, what I do is not limited to shorewall, I do it with every RPM update.
What I do is to create a backup file named .orig before editing any config
file. Then, RPM will create a .rpmnew file, and the config update script
does all the diffing and patching so the .orig and the real config get
updated. I don't know how to keep configs clean otherwise.

Simon

------------------------------------------------------------------------------
> OK, what I do is not limited to shorewall, I do it with every RPM update.
> What I do is to create a backup file named .orig before editing any config
> file. Then, RPM will create a .rpmnew file, and the config update script
> does all the diffing and patching so the .orig and the real config get
> updated. I don't know how to keep configs clean otherwise.
>

Read what I posted about an hour or so ago on this list (provided the
daemon didn't cut off my attachments, that is) - when I first started
with shorewall, I used to do exactly what you have been doing, but got
really fed up with it after a while.

Since 20-Beta5 I thought that needed changing as there were a lot of
options introduced in one go in that version, so I designed the script I
attached earlier. It works and I use it in my rpm files (both during
building of shorewall as well as in the %post section during
installation/upgrade) and it does a good job as it merges my old options
with the new, giving preference to what I have already selected in my
old shorewall.conf file.

I am hoping something will be done in 20.x because as it is now, there
is no way to have that merged unless one is patient enough to check
(i.e. diff) old and new options every single time shorewall is released.

I am planning an improved version of my update-shorewall-config script
to include more information as to what were old (deprecated) and what
were new (missing in the 'old') options in the resulting shorewall.conf
file, something like this:

    #DEPRECATED USE_ACTIONS=Yes

    #NEW introduced in 4.4.20 - DEFAULT value selected
    SMURF_DISPOSITION=DROP

------------------------------------------------------------------------------
On 06/07/2011 08:18 AM, Mr Dash Four wrote:
>
> Since 20-Beta5 I thought that needed changing as there were a lot of
> options introduced in one go in that version, so I designed the script I
> attached earlier. It works and I use it in my rpm files (both during
> building of shorewall as well as in the %post section during
> installation/upgrade) and it does a good job as it merges my old options
> with the new, giving preference to what I have already selected in my
> old shorewall.conf file.

One word of warning to anyone tempted to adopt Dash's script -- it
doesn't handle a params file, so any settings in the existing
shorewall.conf that derive from variables set in params will end up with
an empty value.

>
> I am hoping something will be done in 20.x because as it is now, there
> is no way to have that merged unless one is patient enough to check
> (i.e. diff) old and new options every single time shorewall is released.

I'll not do anything with this in a patch release, but rather in one of
the early .21 betas.

>
> I am planning an improved version of my update-shorewall-config script
> to include more information as to what were old (deprecated) and what
> were new (missing in the 'old') options in the resulting shorewall.conf
> file, something like this:
>
> #DEPRECATED USE_ACTIONS=Yes
>
> #NEW introduced in 4.4.20 - DEFAULT value selected
> SMURF_DISPOSITION=DROP

Good idea.

-Tom

------------------------------------------------------------------------------
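The merge rules discussed in this thread (old values win, options missing from the old file take the default, options absent from the defaults are flagged), as an added example that is not Mr Dash Four's script or Shorewall code. It treats each value as literal text instead of sourcing the file, so a setting that references a params variable keeps the reference rather than ending up empty; the sample files and the LOG_DIR variable are constructed for the illustration.

```shell
#!/bin/sh
# merge_conf DEFAULTS OLD
# Print a merged shorewall.conf-style file on stdout. Values are copied as
# raw text and never evaluated by the shell.
merge_conf() {
    awk '
        # Split OPTION=value on the first "=" only; sets key and val.
        function parse(line,    eq) {
            if (line !~ /^[A-Za-z_][A-Za-z0-9_]*=/) return 0
            eq  = index(line, "=")
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            return 1
        }
        # First file: the distributed defaults; remember their order.
        FILENAME == ARGV[1] {
            if (parse($0)) { order[++n] = key; def[key] = val }
            next
        }
        # Second file: the existing configuration.
        parse($0) {
            if (!(key in def) && !(key in old)) dep[++d] = key
            old[key] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (k in old) {
                    print k "=" old[k]          # existing choice wins
                } else {
                    print "#NEW - DEFAULT value selected"
                    print k "=" def[k]
                }
            }
            # Options no longer in the defaults are kept, commented out.
            for (i = 1; i <= d; i++)
                print "#DEPRECATED " dep[i] "=" old[dep[i]]
        }
    ' "$1" "$2"
}

# Constructed sample input: LOG_DIR stands for a variable set in params.
demo_merge() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/shorewall.default" <<'EOF'
# constructed defaults
STARTUP_LOG=/var/log/shorewall-init.log
CONFIG_PATH=/usr/share/shorewall
SMURF_DISPOSITION=DROP
EOF
    cat > "$tmp/shorewall.conf" <<'EOF'
# constructed existing configuration
STARTUP_LOG=$LOG_DIR/shorewall-init.log
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
USE_ACTIONS=Yes
EOF
    merge_conf "$tmp/shorewall.default" "$tmp/shorewall.conf"
    rm -rf "$tmp"
}

demo_merge
```

Diffing the merged output against the running configuration before it replaces shorewall.conf shows whether any option changed value during the merge.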