[Shorewall-devel] Wither the /etc/shorewall/tunnels file

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Because of the amount of change and the breadth of the change in the
current 2.5 development branch, we have decided that when the code is
released as a stable release, it will be called Shorewall 3.0.0.

One of the changes in 3.0.0 is as follows (from the release notes):

9) In previous versions of Shorewall, the rules generated by entries in
   /etc/shorewall/tunnels preceded those rules generated by entries in
   /etc/shorewall/rules. Beginning with this release, the rules
   generated by entries in the tunnels file will appear *AFTER* the
   rules generated by the rules file. This may cause you problems if
   you have REJECT, DENY or CONTINUE rules in your rules file that
   would cause the tunnel transport packets to not reach the rules that
   ACCEPT them. See http://www.shorewall.net/VPNBasics.html for
   information on the rules generated by entries in the tunnels file.

As I'm sure that many of you are aware, I have been dissatisfied for
some time with the notion of the tunnels file. I believe that it
prevents users from understanding the basics of VPN handling in
Netfilter and makes it harder for user's to troubleshoot VPN problems. I
wrote the article referred to in the above note to try to illustrate
that there is nothing magic about the tunnels file and that it is
perfectly possible to define VPN connections using the rules file alone.

Given that we're calling the new release "Shorewall 3", it seems like a
good time to retire the tunnels file altogether. I can create a
"shorewall convert" command (or some such) that will read the tunnels
file and create a macro called "macro.tunnels" (for example). Existing
users with entries in the tunnels file can then simple add one line to
the front of their rules file to obtain the same behavior as in prior
releases:

	#ACTION	SOURCE	DEST	...
	tunnels

My concern, as always, is that people upgrade blindly between releases
then come whining to the mailing list or IRC channel when "it doesn't work".

Example:

	I just upgraded from Shorewall 1.0.4-RC2 to Shorewall 3.2.4 and
        now nothing works. Can someone help me?

Of course, usually the poster is clueless about what version they were
running before the upgrade which makes it even more difficult.

One idea I've had to try to slap them in the face ahead of time is to
create a file named 0READ_THIS_BEFORE_UPGRADING_TO_THIS_RELEASE in the
download directory (including at Sourceforge). I suspect that maybe one
in 10 might bother to read it.

I welcome your input on this issue.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key