On 03/30/2012 02:07 AM, Tuomo Soini wrote:
> On Wed, 28 Mar 2012 07:13:55 -0700
>
> I must very strongly disagree with how shorewallrc is now implemented.
>
> Problem number one:
>
> Code snippet:
>
> if [ -z "$g_readrc" ]; then
>
> if [ -f ./.shorewallrc ]; then
> . ./.shorewallrc || exit 1
> elif [ -r /root/.shorewallrc ]; then
> . /root/.shorewallrc || exit 1
> elif [ -r /.shorewallrc ]; then
> . /root/.shorewallrc || exit 1
> elif [ -f ~/.shorewallrc ]; then
> . ~/.shorewallrc || exit 1
> elif [ -f ${SHOREWALLRC_HOME}/.shorewallrc ]; then
> . ${SHOREWALLRC_HOME}/.shorewallrc || exit 1
> else
> SHAREDIR=/usr/share
> CONFDIR=/etc
> SBINDIR=/sbin
> LIBEXECDIR=/usr/share
> fi
>
> Security software like shorewall can NEVER include files from a random
> location like the current directory or a user home dir.
>
> Installer MUST hardcode the shorewallrc location into shorewall runtime
> programs when installing. That is:
>
> if SHAREDIR is set to /usr/share - all files needing to read
> shorewallrc must be generated so they
> have /usr/share/shorewall/shorewallrc hardcoded in for reading the file.
>
> Currently shorewall-4.5.2-Beta4 totally breaks if there is
> no /root/.shorewallrc or ~/.shorewallrc.
>
> Software can not rely on file in user root home directory.
>
> Problem 2:
>
> Shorewall doesn't work at all without ~/.shorewallrc - that
> is /usr/share/shorewall/shorewallrc which is installed is not used at
> all by runtime shorewall - so shorewall tries to find compiler.pl
> from /usr/share/shorewall/compiler.pl when it's installed on a different
> path.
The above two problems can be corrected by modifying the CLI programs
(and lib.base) to read the correct rc file. I'll include that in Beta 5.
>
> Problem 3:
>
> the configure which was imho a total waste of programming time to
> generate is not able to unset any value.
>
> shorewallrc.redhat has SYSTEMD set.
>
> On rhel systems there is no SYSTEMD but installer still tries to install
> system files.
>
> This gives two possibilities: Either Only required options can be set
> in default shorewallrc.<hosttype>.
>
> That means both INITDDIR and SYSTEMD must be unset so that one can be
> selected, either install of INITDDIR file or SYSTEMD service.
>
> Or there must be possibility to unset config value with configure.
teastep@ubuntu:$ ./configure --host=redhat --systemd=
HOST=redhat
PREFIX=/usr
SHAREDIR=${PREFIX}/share
LIBEXECDIR=${PREFIX}/share
PERLLIBDIR=/usr/share/shorewall
CONFDIR=/etc
SBINDIR=/sbin
MANDIR=${SHAREDIR}/man
INITDIR=/etc/rc.d/init.d
INITSOURCE=init.fedora.sh
INITFILE=$PRODUCT
AUXINITSOURCE=
AUXINITFILE=
SYSTEMD=
SYSCONFILE=
SYSCONFDIR=/etc/sysconfig/
ANNOTATED=
VARDIR=/var/lib
teastep@ubuntu:$
>
> Problem 4:
>
> Now, when systemd service is installed, shorewall doesn't create path
> if it's missing so installing service to DESTDIR fails because there is
> no directory to install systemd service file to.
>
I'll fix that in Beta5.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
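
The requirement in Problem 1, sourcing the rc file only from one fixed path chosen at install time and never from the current directory or a home directory, shown as an added example (not part of this mail and not Shorewall code). The function names are hypothetical, the path in the usage comment is the one named in the mail, and the ownership and mode checks are an assumption of this example that goes beyond what the mail asks for.

```shell
#!/bin/sh
# Added example, not Shorewall code. rc_is_trusted and load_rc are
# hypothetical names. The caller passes the single path that the
# installer baked in; nothing is searched for in cwd, $HOME or the env.

# rc_is_trusted FILE: succeed only if FILE is safe to source.
rc_is_trusted() {
    rc=$1
    case $rc in
        /*) ;;   # absolute path only, never resolved relative to cwd
        *)  echo "rc: refusing relative path '$rc'" >&2; return 1 ;;
    esac
    # Must be a regular file and not a symlink that could be re-pointed.
    if [ ! -f "$rc" ] || [ -L "$rc" ]; then
        echo "rc: '$rc' is missing or not a regular file" >&2; return 1
    fi
    # -O: owned by the effective uid, which is root when the firewall
    # tools run as root.
    if [ ! -O "$rc" ]; then
        echo "rc: '$rc' is not owned by the invoking user" >&2; return 1
    fi
    # Reject files that group or other can modify.
    if [ -n "$(find "$rc" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "rc: '$rc' is group- or world-writable" >&2; return 1
    fi
    return 0
}

# load_rc FILE: source FILE only after it passes every check above.
load_rc() {
    rc_is_trusted "$1" || return 1
    . "$1"
}

# Usage in an installed script (path written in by the installer):
#   load_rc /usr/share/shorewall/shorewallrc || exit 1
```

A failed check is fatal to the caller instead of falling through to another location, so a planted `./.shorewallrc` is never consulted.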
