From: Tom E. <te...@sh...> - 2006-10-26 17:59:40

David Mohr wrote:
> On 10/26/06, Vieri Di Paola <vie...@ya...> wrote:
>> I was wondering if there could be a slight change to the Shorewall configuration files.
>>
>> It's a Gentoo-specific issue but some other distributions might find some interest in this.
>>
>> Basically, whenever a Gentoo user updates his/her shorewall from portage via
>>
>> # emerge shorewall
>>
>> the ebuild asks the user to update the config files in /etc/shorewall and proposes going through diffs. The problem is that most of the time the user just has to update the header (i.e. documentation) of each config file. The user entries (e.g. shorewall rules) are usually left untouched unless there's a new column in the new version, etc.
>
> I don't really see the point of updating the headers of the files, but not the content. AFAIK shorewall is usually able to run with 'older' config files by assuming reasonable defaults. What you are proposing would be very confusing, because the rules that follow the header might not match the documentation in the header anymore. If you update one, you should also update the other, and the rules can't be updated automatically, so it's better to do this by hand altogether.
>
>> So maybe if the Shorewall config files could source/include other "custom" config files then the upgrade process would be a lot easier. For example, default shorewall installation puts the rules file in /etc/shorewall. If the default rules file could contain a statement such as ". rules_custom" or "include rules_custom" the only real "diff" that the user would have to worry about is uncommenting this line in the new version.
>>
>> Of course one could define a different config file path in shorewall.conf and point to something like /etc/shorewall_custom. But by upgrading for example from 3.0 to 3.2 the user would have to deal with more than just file content. One would have to move over new files such as route_rules, etc. In other words the Gentoo emerge procedure would be to my understanding a lot simpler if the default configuration files could include custom files. I believe FreePBX/Asterisk does something of the sort (e.g. sip.conf can include sip_custom.conf).
>
> Debian I believe does not do automatic updates of shorewall configuration files, for the reason mentioned above.

Debian only populates /etc/shorewall with shorewall.conf and Makefile.

shorewall.conf has been an ongoing headache because people blindly update it with the new options and their values then wonder why their Shorewall configuration suddenly stopped working. I've given up trying to change Shorewall's default behavior over time by changing shorewall.conf -- from now on, any additions that I make to that file will set all new options to preserve the existing behavior rather than to produce the new more desirable behavior. In 3.4, I will start including a modified shorewall.conf in the sample configuration so that new users will get the new behavior while existing users will stop shooting themselves in the foot each time that they upgrade.

-Tom

-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ te...@sh...
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
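The failure mode Tom describes (an administrator blindly replacing shorewall.conf with the packaged version and inheriting new option values that change firewall behaviour) can be checked for before the copy happens. The following is an added example, not Shorewall's own tooling or anything from the thread: it parses two KEY=value files in the shorewall.conf style, reports which options are new, changed, or dropped, and builds a merged file that keeps the packaged layout and comments but preserves the administrator's existing values. The option names and values in the embedded samples are constructed for the demonstration and do not describe any real installation.

```python
"""Compare an existing shorewall.conf against a newly packaged one before
overwriting it.  Added example; the sample data below is constructed."""
import re
from dataclasses import dataclass, field

# KEY=rest ; full-line comments start with '#' and therefore never match.
LINE_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=(.*)$')


def split_line(raw):
    """Split 'KEY=value  # comment' into (key, value, comment), or None."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    key, rest = m.group(1), m.group(2).strip()
    if rest[:1] in ('"', "'"):            # quoted value, may contain spaces or '#'
        end = rest.find(rest[0], 1)
        if end == -1:
            return None                   # unterminated quote: treat as not an option
        value, tail = rest[1:end], rest[end + 1:]
    else:                                 # unquoted value ends at the first '#'
        value, sep, tail = rest.partition('#')
        value, tail = value.strip(), ('#' + tail) if sep else ''
    return key, value, tail.strip()


def parse_conf(text):
    """Return {OPTION: value} for every option line in the file."""
    opts = {}
    for raw in text.splitlines():
        parts = split_line(raw)
        if parts:
            opts[parts[0]] = parts[1]
    return opts


@dataclass
class ConfDiff:
    new_options: dict = field(default_factory=dict)  # only in the packaged file
    changed: dict = field(default_factory=dict)      # option -> (existing, packaged)
    removed: list = field(default_factory=list)      # only in the existing file


def compare(existing, packaged):
    """Classify every option so the admin sees exactly what a blind copy would do."""
    d = ConfDiff()
    for key, val in packaged.items():
        if key not in existing:
            d.new_options[key] = val
        elif existing[key] != val:
            d.changed[key] = (existing[key], val)
    d.removed = sorted(k for k in existing if k not in packaged)
    return d


def quote(value):
    """Re-quote a value only when the unquoted form would be misparsed."""
    needs = value == '' or '#' in value or any(c.isspace() for c in value)
    return f'"{value}"' if needs else value


def merge_preserving(existing_text, packaged_text):
    """Packaged layout and comments, but existing values win for options the
    admin already had; genuinely new options keep the packaged value."""
    existing = parse_conf(existing_text)
    out = []
    for raw in packaged_text.splitlines():
        parts = split_line(raw)
        if parts is None or parts[0] not in existing or existing[parts[0]] == parts[1]:
            out.append(raw)               # comment, blank, new or unchanged line
            continue
        key, _, comment = parts
        line = f'{key}={quote(existing[key])}'
        out.append(f'{line}  {comment}' if comment else line)
    return '\n'.join(out) + '\n'


def report(existing_text, packaged_text):
    """Human-readable summary lines for the admin reviewing the upgrade."""
    d = compare(parse_conf(existing_text), parse_conf(packaged_text))
    lines = [f'NEW     {k}={v}' for k, v in d.new_options.items()]
    lines += [f'CHANGED {k}: yours={o!r} packaged={n!r}' for k, (o, n) in d.changed.items()]
    lines += [f'DROPPED {k}' for k in d.removed]
    return lines


# Constructed sample files (not taken from any real system).
EXISTING = """\
# constructed: an administrator's current shorewall.conf
STARTUP_ENABLED=Yes
IP_FORWARDING=On
LOGFILE=/var/log/messages
VERBOSITY=1
"""
PACKAGED = """\
# constructed: the newly packaged shorewall.conf
STARTUP_ENABLED=No      # packaged default: disabled until configured
IP_FORWARDING=Keep
LOGFILE=/var/log/messages
VERBOSITY=1
FASTACCEPT=Yes          # constructed: stands in for an option new in this release
"""

if __name__ == '__main__':
    print('\n'.join(report(EXISTING, PACKAGED)))
    print('--- merged ---')
    print(merge_preserving(EXISTING, PACKAGED), end='')
```

The report makes the two silent changes visible (STARTUP_ENABLED and IP_FORWARDING would flip on a blind copy) and the merge keeps the administrator's values while still picking up the new option and its commentary, which is the behaviour Tom says future additions to shorewall.conf will aim for by default.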