Re: [leaf-devel] [Shorewall-devel] Future of Shorewall

2007-02-25 Thread Nathan Angelacos
Tom Eastep wrote:
> Natanael Copa wrote:
> 
>> Have you thought of lua? should give you better performance than perl
>> and would still be small enough for embedded. I can't say I have been
>> looking at the shorewall code, but lua is very table oriented, which
>> might be good for your table based config files.
> 
> I suspect that the parser part of Shorewall might be difficult to write
> entirely in Lua (although I've only browsed the reference manual). Also, Lua
> appears to be a language that may only be embedded in C -- it does not stand
> on its own. So what you end up with is a C program that uses a "smart
> library".
> 

Tom,

Since I was mentioned in this thread already, I'll give my $0.02.  Feel
free to send to /dev/null.

A) The Lua manual is really bad.  LuaForge is a mess.  I really needed
Programming in Lua to make sense of the language (Ver 1 is online at
http://www.lua.org/pil/; Version 2 is only available in dead-tree format
and was worth the cost).

B) The Lua parser is surprisingly good for regex type stuff.  It's just
/different/ from the other "standard" regexes.

C) You are right about Lua wanting to be embedded in C (or some other
language) - imagine however, a tiny "C" wrapper that forked
iptables-restore[1] once and then used a Lua parser to send all the data
to that one process instead of forking iptables 1000s of times.  The C
code would be minimal, just enough to instantiate a Lua VM.

D) Shorewall is YOUR fun project... so none of the above need apply. ;-)



[1] - Believe it or not,
http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5
says this is the "official" way to program iptables without using
system() calls.

-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

___
leaf-devel mailing list
leaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-devel


Re: [leaf-devel] Perl

2007-02-25 Thread Mike Noyes
On Sun, 2007-02-25 at 13:22, Eric Spakman wrote:
> We have indeed, but like Kp said it's around 350 kbytes compressed and
> only contains the Perl (micro) interpreter. No Perl modules or any
> other goodies (this would probably be the same with the openwrt ipkg).
> Together with a Shorewall interpretation, the combination would be at
> least somewhere between 400 and 500 kbyte (compressed). That's a lot
> more than the current 90 kbyte...

Eric,
I knew it would be. The questions become how much smaller is microperl
than perl, and is the lowest common denominator (microperl) sufficient
for Tom's needs.

Specifically, does microperl support IPv4 and IPv6 modules?

-- 
Mike Noyes 
http://sourceforge.net/users/mhnoyes/
SF.net Projects: leaf, sitedocs




Re: [leaf-devel] Perl

2007-02-25 Thread Eric Spakman
Hi Mike,

>Everyone,
>It looks like there are some embedded distributions that successfully
>built relatively small perl packages. See:
>
>CPAN/Ports
>http://www.cpan.org/ports/
>
>Maybe we can glean useful information from existing binary builds to
>generate our own package.
>

I don't see a lot of embedded distributions in this list, only Sharp,
Symbian and WinCE, but none Linux based.

Eric



Re: [leaf-devel] Perl

2007-02-25 Thread Eric Spakman
Hi Mike,

>On Sun, 2007-02-25 at 11:11, Tom Eastep wrote:
>> If you find one that looks promising, let me know. I assume that it will
>> be limited in some way but I'm used to programming to "the greatest
>> common denominator".
>
>Tom,
>It looks like OpenWrt and NSLU2-Linux have microperl ipkg builds
>available.
>
>http://openwrt.org/
>http://www.nslu2-linux.org/
>
>ipkg - the Itsy Package Management System
>http://handhelds.org/moin/moin.cgi/Ipkg
>
>As does LEAF Bering-uClibc. :-)
>
>http://leaf.cvs.sourceforge.net/leaf/bin/packages/uclibc-0.9/28/testing/uperl.lrp?view=log
>
We have indeed, but like Kp said it's around 350 kbytes compressed and
only contains the Perl (micro) interpreter. No Perl modules or any
other goodies (this would probably be the same with the openwrt ipkg).
Together with a Shorewall interpretation, the combination would be at
least somewhere between 400 and 500 kbyte (compressed). That's a lot
more than the current 90 kbyte...

Eric






Re: [leaf-devel] Perl

2007-02-25 Thread Mike Noyes
On Sun, 2007-02-25 at 11:11, Tom Eastep wrote:
> If you find one that looks promising, let me know. I assume that it will
> be limited in some way but I'm used to programming to "the greatest
> common denominator".

Tom,
It looks like OpenWrt and NSLU2-Linux have microperl ipkg builds
available.

http://openwrt.org/
http://www.nslu2-linux.org/

ipkg - the Itsy Package Management System
http://handhelds.org/moin/moin.cgi/Ipkg

As does LEAF Bering-uClibc. :-)


http://leaf.cvs.sourceforge.net/leaf/bin/packages/uclibc-0.9/28/testing/uperl.lrp?view=log

-- 
Mike Noyes 
http://sourceforge.net/users/mhnoyes/
SF.net Projects: leaf, sitedocs




Re: [leaf-devel] Perl

2007-02-25 Thread Mike Noyes
On Sun, 2007-02-25 at 11:11, Tom Eastep wrote:
> If you find one that looks promising, let me know. I assume that it will
> be limited in some way but I'm used to programming to "the greatest
> common denominator".

Tom,
KP and Eric found the smallest one, Microperl. The other one is Miniperl.
I'm not sure if Microperl will provide the functionality you desire.
Anyway, from what I'm able to glean, size and functionality go from:

Microperl -> Miniperl -> Perl

Building Embedded Linux Systems
http://www.oreilly.com/catalog/belinuxsys/

-- 
Mike Noyes 
http://sourceforge.net/users/mhnoyes/
SF.net Projects: leaf, sitedocs




Re: [leaf-devel] Perl

2007-02-25 Thread KP Kirchdoerfer
Am Sonntag, 25. Februar 2007 19:45:53 schrieb Mike Noyes:
> Everyone,
> It looks like we need to see how large a perl package for leaf branches
> is.

344kb for Microperl (a subset of Perl), according to a test package by Eric
Spakman

http://www.leaf-project.org/bering-uclibc/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=12&MMN_position=32:32
 


I don't think we have to get into a hurry. Building workable floppy images may
be outdated and looking strange, but replacing a useful, almost error-free
approx. 90kb Shorewall with a 350k interpreter plus perl-shorewall has to have
good reasons for other minimalists as well :)

kp  
 





Re: [leaf-devel] Perl

2007-02-25 Thread Tom Eastep
Mike Noyes wrote:
> On Sun, 2007-02-25 at 10:45, Mike Noyes wrote:
>> I'm not having much luck finding embedded builds of the perl engine.
>> I'll keep looking.
> 
> Everyone,
> It looks like there are some embedded distributions that successfully
> built relatively small perl packages. See:
> 
> CPAN/Ports
> http://www.cpan.org/ports/
> 
> Maybe we can glean useful information from existing binary builds to
> generate our own package.
> 

Mike,

If you find one that looks promising, let me know. I assume that it will
be limited in some way but I'm used to programming to "the greatest
common denominator".

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [leaf-devel] Perl

2007-02-25 Thread Mike Noyes
On Sun, 2007-02-25 at 10:45, Mike Noyes wrote:
> I'm not having much luck finding embedded builds of the perl engine.
> I'll keep looking.

Everyone,
It looks like there are some embedded distributions that successfully
built relatively small perl packages. See:

CPAN/Ports
http://www.cpan.org/ports/

Maybe we can glean useful information from existing binary builds to
generate our own package.

-- 
Mike Noyes 
http://sourceforge.net/users/mhnoyes/
SF.net Projects: leaf, sitedocs




[leaf-devel] Perl

2007-02-25 Thread Mike Noyes
Everyone,
It looks like we need to see how large a perl package for leaf branches
is.

I'm not having much luck finding embedded builds of the perl engine.
I'll keep looking.

-- 
Mike Noyes 
http://sourceforge.net/users/mhnoyes/
SF.net Projects: leaf, sitedocs




Re: [leaf-devel] [Shorewall-devel] Future of Shorewall

2007-02-25 Thread Tom Eastep
Simon Matter wrote:

> My question is whether it's possible to use perl for some kind of
> Shorewall-accelerator. I mean if it would be possible to create a simple
> shell to perl converter which then runs perl instead of the shell and does
> exactly the same, then it could be used whenever perl is available,
> otherwise a shell would be used.

If we look at overall performance, the compiler and the generated script need
to be considered separately.

I don't believe that the fact that the generated script is interpreted using a
Bourne shell is a significant contributing factor to its performance. The bulk
of the time is spent in fork() and exec() while launching iptables 1000s of
times. So I think that we're safe in leaving that part alone.

The compiler is a different issue.

One problem is that some of the things needed to make Shorewall generate
iptables-restore input would be very slow if implemented in the shell.

Even though Perl is a somewhat quirky language, it works really well for
writing the compiler part of Shorewall. But the Perl version of the compiler
employs quite different algorithms from those used in the shell.

My belief is that a shell->Perl translator capable of translating the current
Shorewall shell code would comprise a much larger project than Shorewall
itself. One example of what it would need to do:

Because the shell provides exactly one hash table (its symbol table),
the current Shorewall code manufactures symbols on the fly (using
'eval') in an attempt to provide some of the same function that Perl
hashes do. It would take a very smart program to see through what the
current code is doing and create Perl hashes instead.

Another factor concerning the current code is that it is beginning to get
somewhat fragile. Today's Shorewall is doing many things that were not
envisioned in the original design. The shell also tends to promote some bad
programming practices, owing to the fact that all symbols are global (and I
didn't start from the beginning setting the -u option). As a consequence, it
is getting more and more difficult to extend the code to do new things without
breaking old things.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

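The eval-manufactured symbols Tom describes above, together with Nathan's earlier idea of feeding a single iptables-restore process instead of forking iptables per rule, as a constructed shell example added here (this is not Shorewall's code; the function names, the "zone" and "policy" tables and the sample zones are all hypothetical):

```shell
#!/bin/sh
# Constructed illustration, not Shorewall's own code: a Bourne shell has
# exactly one hash table (its symbol table), so a "hash" is emulated by
# manufacturing variable names with eval, and the generated rules are
# written as one iptables-restore batch instead of forking iptables once
# per rule. hash_set/hash_get/hash_keys/emit_restore_input are
# hypothetical names chosen for this example.

# Keys are spliced into an eval'd assignment, so only identifier
# characters are accepted; anything else would turn configuration data
# into shell code. This is the kind of construct a mechanical shell->Perl
# translator would have to recognise as "a hash lookup".
hash_key_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# hash_set TABLE KEY VALUE : defines the global variable TABLE_KEY and
# records KEY (once) in TABLE__keys so the table can be iterated.
hash_set() {
    hash_key_ok "$1" && hash_key_ok "$2" || return 1
    eval "${1}_${2}=\"\$3\""
    eval "_k=\${${1}__keys:-}"   # _k is global as well: every symbol is
    case " $_k " in
        *" $2 "*) ;;
        *) [ -n "$_k" ] && _k="$_k $2" || _k=$2
           eval "${1}__keys=\"\$_k\"" ;;
    esac
}

# hash_get TABLE KEY : prints the stored value (empty if unset)
hash_get() {
    hash_key_ok "$1" && hash_key_ok "$2" || return 1
    eval "printf '%s\n' \"\${${1}_${2}:-}\""
}

# hash_keys TABLE : prints the keys in insertion order
hash_keys() {
    hash_key_ok "$1" || return 1
    eval "printf '%s\n' \"\${${1}__keys:-}\""
}

# Emit one iptables-restore batch covering every zone in the "zone" table
# (zone -> interface) and the "policy" table (zone -> target). A single
# reader process consumes the whole batch.
emit_restore_input() {
    printf '%s\n' '*filter'
    for z in $(hash_keys zone); do
        ifc=$(hash_get zone "$z")
        pol=$(hash_get policy "$z")
        printf '%s\n' "-A INPUT -i $ifc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        printf '%s\n' "-A INPUT -i $ifc -j $pol"
    done
    printf '%s\n' 'COMMIT'
}

# Demo with constructed zones; the output would be piped to
# iptables-restore once rather than run as one iptables call per rule.
hash_set zone net eth0
hash_set zone loc eth1
hash_set policy net DROP
hash_set policy loc ACCEPT
emit_restore_input
```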


Re: [leaf-devel] [Shorewall-devel] Future of Shorewall

2007-02-25 Thread Tom Eastep
Mike Noyes wrote:
>
> 
> I'd worry when distributions start dropping Shorewall. That's an
> indication of decline.
> 

Good point.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [leaf-devel] Future of Shorewall

2007-02-25 Thread Tom Eastep
Paul G Rogers wrote:
> Tom, there's an ancient expression, "the fox knows many things, the
> hedgehog knows just one thing."  I don't pretend to understand all the
> complications, but I do understand the internet environment is not
> getting any safer--it's getting more dangerous.  To be sure, the current
> exploits making the news are at higher levels, but nobody with the
> slightest sense would connect without a strong firewall.  If you think
> overhead is an issue, look at Vista!  ;-)

I agree that in Shorewall's case, security is more important than performance.
But performance is still important, especially to those whose Shorewall-based
firewalls require several minutes to restart.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [leaf-devel] [Shorewall-devel] Future of Shorewall

2007-02-25 Thread Tom Eastep
Natanael Copa wrote:

> 
> Have you thought of lua? should give you better performance than perl
> and would still be small enough for embedded. I can't say I have been
> looking at the shorewall code, but lua is very table oriented, which
> might be good for your table based config files.

I suspect that the parser part of Shorewall might be difficult to write
entirely in Lua (although I've only browsed the reference manual). Also, Lua
appears to be a language that may only be embedded in C -- it does not stand
on its own. So what you end up with is a C program that uses a "smart library".

The change in Shorewall 3.0 which produced the compiler and Shorewall Lite was
intended to pave the way toward an environment where the heavy lifting could
be done on a central system and the generated firewall script exported to
smaller less-powerful devices. In that model, the language in which the
compiler is written is not so important for portability. The current compiler
can even run under Cygwin on Windows systems (or it could the last time I
tried it).

I (or someone else -- any volunteers?) will probably continue to support
Shorewall 3.4 for the foreseeable future (although enhancements will be
minimal). So those who are happy with the current state of the package can
continue to use it.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



[leaf-devel] Shorewall 3.4.0 RC3

2007-02-25 Thread Tom Eastep
I had hoped to be able to avoid another RC but there have been enough
changes that I've decided that the safe thing to do is to release RC3.

http://www1.shorewall.net/pub/shorewall/development/3.4/shorewall-3.4.0-RC3/
ftp://ftp1.shorewall.net/pub/shorewall/development/3.4/shorewall-3.4.0-RC3/

Problems Corrected in 3.4.0 RC3

1)  The route_rules file was being ignored. This has been corrected.

2)  If an IP range was specified in a 'drop' or 'reject' command
(including the logging forms) and a 'shorewall save' was performed,
then the next time that Shorewall was restarted, new connections
from outside the firewall were totally blocked.

3)  If a 'start' or 'restart' command failed during the compile phase,
/sbin/shorewall erroneously returned an exit status of 0.

4)  If IMPLICIT_CONTINUE=Yes was in effect, then sub-zones received the
implicit CONTINUE policy for their intra-zone traffic (rather than
the implicit ACCEPT policy for such traffic). This could cause
intra-zone traffic to be rejected by rules for one of the
parent zones.

Other Changes in 3.4.0 RC3

1)  A warning is now issued when 'loose' and 'balance' are specified
together for a provider. This combination of options can lead to packets
being dropped as 'martians'.

2)  If the 'setkey' program is installed, then the IPSEC SPD and SAD
are displayed in the output of "shorewall[-lite] dump". All key
information (E: and A: lines) is suppressed in the command output
so that the output of "dump" cannot be used to breach IPSEC
security.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Re: [leaf-devel] [Shorewall-devel] Future of Shorewall

2007-02-25 Thread Mike Noyes
On Fri, 2007-02-23 at 16:02, Tom Eastep wrote:

> Activity on the mailing lists and IRC channel has been steadily declining
> for the last couple of years. This signals to me that the rate at which
> people are adopting Shorewall is waning (I grant that the documentation has
> gotten better over the years which helps lower the noise level somewhat).
> While I've never had any ambitions toward dominating the OSS firewall
> market, Shorewall takes a lot of work so I would prefer to spend my effort
> on something that people want to use. Maybe it is still Shorewall -- maybe
> it is something else.

Tom,
I just did a few Google searches, and I now think it's something else.
Shorewall is included in most distributions (Debian, Ubuntu, OpenSUSE,
Gentoo, etc.), and the website is mirrored in multiple locations. It
looks like people are asking for assistance in a variety of places.
Shorewall support looks distributed and successful.

Examples:
http://gentoo-wiki.com/HOWTO_Shorewall_Firewall_IPsec_VPN_and_2.6_kernel
http://gentoo-wiki.com/SECURITY_Howto_setup_a_firewall_with_shorewall

I'd worry when distributions start dropping Shorewall. That's an
indication of decline.

-- 
Mike Noyes 
http://sourceforge.net/users/mhnoyes/
SF.net Projects: leaf, sitedocs

