Am 12.03.2018 um 20:11 schrieb Tom Eastep:
> On 03/12/2018 12:06 PM, Max Addler (Dersbach) wrote:
>> Am 12.03.2018 um 19:47 schrieb Tom Eastep:
>>> On 03/11/2018 02:56 PM, Max Addler (Dersbach) wrote:
>>>> Hi all
>>>>
>>>> for a current project I would be happy to have INCLUDE be able to nest
>>>> to more than 3 levels. The limit is imposed in Config.pm line 3480 and
>>>> AFAIK in three other locations (the actual limit is "4").
>>>>
>>>> While it is easy to change these explicit numeric limits to a constant
>>>> and e.g. set that to 10 in my locally installed copy, and it does not
>>>> create any obvious problem, the question is of course if there are any
>>>> side effects to be expected from such a change. Can anyone provide me
>>>> with an opinion or maybe a reference information?
>>>>
>>> Hi Max,
>>>
>>> There should be no side effects to changing the literal '4' in those
>>> cases. In 5.2.0, I have replaced those literals with a symbolic constant
>>> so the limit can be modified with a single-line change.
>>>
>>> -Tom
>> Hi Tom
>>
>> Thanks for your answer - good to know. That does help.
>>
>> "Symbolic constant" means I can change that in a single line of perl
>> code - right?
>>
>> If I would attempt to create a patch for making that a shorewall.conf
>> option, would you consider including such a change in the release?
>>
>> (If it's not a config option, or even if I create a working patch, but
>> it's not going to be in the release, I need to keep patching after each
>> shorewall package update. I will not have any system running without
>> updates).
>>
> Yes -- as things now stand, patching would be required. The number 4 was
> picked rather arbitrarily back when Shorewall was shell-based, and there
> is no good reason to keep that particular limit. What limit does your
> project require? The only reason that there is a limit at all is to
> catch INCLUDE loops before they result in an out-of-memory trap.
>
> -Tom
>

I started out with 10, and currently I am at 15 - and almost ready with
configuration at a maximum actual level of 12, so I think it will not
increase further.

It will take me some time to create a patch unless you set it to at
least 15 - in which case I will probably not need to provide one.

For catching INCLUDE loops, during startup (of other programs I wrote) I
usually record the name of each included file in a temporary file, and
whenever a new INCLUDE directive is encountered, I grep the file for the
new filename - if the grep is successful, there is an INCLUDE loop, and
I can abort startup. Yes this slows down startup, takes up disk space,
but is a viable approach if robustness is more important than speed.

Rationale behind my shorewall recursion: The idea is to have networks
behind networks - currently that's a prototype.
Imagine the "outermost" network to be connected to the Internet (let's
call it A), and the innermost (let's call it Z) to be connected just to
the next outer one (let's call it Y), and each one in between is
connected to one lying to the inside, and one to the outside. A package
from Z needs to traverse each of the other intermediate networks until
it reaches A and then the Internet. Whenever one physically interrupts
any of the interconnections, everything on the inside will work as an
island.
As connectivity is strictly inside-out, Z would need to know at least
about Y, but also about at least some of the more outward lying hosts,
and Y needs to know all of that, too, except for the Z stuff, and X
needs to know all of that, too, except for the Y and Z stuff, and so on.
So in Z there is an INCLUDE of Y definitions, and in Y there's an
include of X definitions, so that in the end Z has a 26-level recursive
include which allows it to know about A. "Definitions" currently affects
zones, hosts, params, and rules. This is work in progress.

-- Max
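The thread above discusses two separate guards around nested INCLUDE: a fixed nesting limit (the literal 4, which only exists to stop INCLUDE loops before they exhaust memory) and an explicit loop check. The following is an added example, written for this page and not taken from Shorewall's Perl sources or from Max's own programs. It resolves INCLUDE directives over an in-memory set of constructed config files, detects a genuine loop by keeping the chain of files currently being expanded (rather than grepping a list of every file included so far), and keeps a depth cap as a backstop. The value 15 for the cap is taken from the message above; the file names, the `INCLUDE <file>` line syntax and the chained "networks behind networks" sample are assumptions constructed to mirror the scenario described.

```python
"""Nested INCLUDE resolution with loop detection and a depth backstop.

Added example for this thread; not Shorewall code. The "on the include
stack" check flags real cycles only, so a file reached twice through
different branches is still allowed; the depth limit remains as a second
line of defence against any runaway expansion the stack check misses.
"""
from typing import Dict, List, Optional, Tuple

MAX_INCLUDE_DEPTH = 15  # assumption: the limit Max says his project needs


class IncludeError(Exception):
    """kind is one of: loop, depth, missing, syntax."""

    def __init__(self, kind: str, msg: str) -> None:
        super().__init__(msg)
        self.kind = kind


def expand(files: Dict[str, str], name: str,
           max_depth: int = MAX_INCLUDE_DEPTH,
           _stack: Optional[List[str]] = None) -> List[str]:
    """Return the non-comment lines of `name` with every INCLUDE replaced by
    the (recursively expanded) lines of the named file."""
    stack = _stack or []
    if name in stack:  # already being expanded further up: an INCLUDE loop
        raise IncludeError("loop", "INCLUDE loop: " + " -> ".join(stack + [name]))
    if len(stack) >= max_depth:  # backstop, as in Shorewall's fixed limit
        raise IncludeError("depth", f"INCLUDE nested deeper than {max_depth} at {name}")
    if name not in files:
        origin = stack[-1] if stack else "top level"
        raise IncludeError("missing", f"{name} not found (included from {origin})")

    out: List[str] = []
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "INCLUDE":
            if len(parts) != 2:
                raise IncludeError("syntax", f"malformed INCLUDE in {name}: {raw!r}")
            out.extend(expand(files, parts[1], max_depth, stack + [name]))
        else:
            out.append(line)
    return out


def build_nested_networks(letters: str = "ABCDEFGHIJKLMNOPQRSTUVWXYZ") -> Dict[str, str]:
    """Constructed sample mirroring the thread: each network's file includes
    the definitions of the next outer network, so Z pulls in everything
    out to A through a 26-level chain."""
    files: Dict[str, str] = {}
    for i, letter in enumerate(letters):
        body = f"# definitions for network {letter}\n{letter.lower()}\tipv4\n"
        if i > 0:
            body += f"INCLUDE zones.{letters[i - 1]}\n"
        files[f"zones.{letter}"] = body
    return files


# Constructed: Y includes Z again, which is a genuine loop.
LOOPING = {
    "zones.Z": "z ipv4\nINCLUDE zones.Y\n",
    "zones.Y": "y ipv4\nINCLUDE zones.Z\n",
}

# Constructed: "common" is included twice via different branches, no loop.
DIAMOND = {
    "top": "INCLUDE left\nINCLUDE right\n",
    "left": "l ipv4\nINCLUDE common\n",
    "right": "r ipv4\nINCLUDE common\n",
    "common": "c ipv4\n",
}


def check(files: Dict[str, str], name: str,
          max_depth: int = MAX_INCLUDE_DEPTH) -> Tuple[str, object]:
    """Summarise an expansion as ("ok", line_count) or ("error", kind)."""
    try:
        return ("ok", len(expand(files, name, max_depth)))
    except IncludeError as err:
        return ("error", err.kind)


if __name__ == "__main__":
    chain = build_nested_networks()
    print("26-level chain, limit 15:", check(chain, "zones.Z"))
    print("26-level chain, limit 30:", check(chain, "zones.Z", 30))
    print("loop:", check(LOOPING, "zones.Z"))
    print("diamond:", check(DIAMOND, "top"))
```

With the cap at 15 the 26-level chain is rejected as too deep even though it contains no loop, which is exactly the situation Max runs into with the fixed literal; raising the cap lets the chain expand, while the loop and diamond cases show that the stack check, not the depth limit, is what distinguishes a real cycle from legitimate repeated inclusion.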

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
