On 09/02/2012 09:31 AM, Mr Dash Four wrote:
>> THEY ARE NOT HARD-CODED -- They come from the first 'shorewallrc' file
>> encountered on your CONFIG_PATH at the time of compilation.
> Ah, right, which is also wrong as they should come from the remote copy of
> shorewallrc. I presume that is fixed in your (CONF.patch?) patch, right?
No -- the configuration directory is expected to contain the remote
firewall's shorewallrc file. This point was not previously explained in
the Shorewall-Lite article :-( It is now.
>
> I also forgot to mention the different meaning of VARDIR in shorewall and
> shorewall-lite. In the former, this is assumed to be /var/lib, in the latter
> it is /var/lib/shorewall-lite, but I suspect you already know that.
It's not! The meaning of VARDIR is exactly the same.
Here's the history:
- Originally, each of the products had their own CLI and libraries. It
was a maintenance nightmare. Shorewall6 never had the same features
as Shorewall and the -Lite products were always different from their
full-featured counterparts.
- In all of these programs and libraries, VARDIR pointed to
/var/lib/$product.
- I finally bit the bullet and unified all of the code. I retained the
meaning of VARDIR.
- When I created the 'shorewallrc' file, I had to make a decision about
what to do with /var/lib; I could call it VARDIR or something else.
I chose to retain the name VARDIR and have each product append the
/<product name> to the VARDIR setting from shorewallrc.
So there are two interpretations of VARDIR -- one in the shorewallrc file
and one in the code.
>
>
>>> lib.cli:3106:
>>> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
>>>
>>
>> That's the default if PATH isn't set in your
>> ${CONFDIR}/${g_product}.conf file. And the compiled script doesn't use
>> lib.cli.
> I did a little experiment when I discovered this bug and explicitly wrote the
> existing path just before modprobe was executed. It wasn't like what I have
> specified in my .conf file at all, hence the error I was getting. I had to
> alter the file in order to get it to execute my own version of modprobe with
> the required modules.
>
>>> Except that it won't. It would have executed the busybox modprobe with my
>>> own (new) kernel modules directory, which would also fail. I want to
>>> execute *my* modprobe with *my* kernel modules directory. When the PATH is
>>> hard-coded it is hard to do that.
>>>
>>
>> How have you set PATH in ${CONFDIR}/shorewall-lite/shorewall-lite.conf?
> CONFIG_PATH="/opt/etc/shorewall:/opt/share/shorewall:/etc/shorewall:/usr/share/shorewall"
Have you installed the firewall.conf file? What does it have for a PATH
setting? What is the PATH setting in the initialize() function of the
generated script?
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________