Shorewall Modularization

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2009/01/20


Table of Contents

Introduction
Required Libraries
Optional Libraries

Introduction

One of the major changes in Shorewall version 3.4 involved breaking much of the code into libraries. This modularization is expected to be used primarily by embedded distributions that wish to minimize the Shorewall disk and RAM footprint.

Shorewall libraries are Bourne shell source files that contain nothing but function declarations. Shorewall libraries may be loaded into a running shell program using the shell's "." operator. The library files have names which begin with "lib." and are installed in /usr/share/shorewall/.

Individual libraries are of one of two classes. The first class of libraries are required libraries which, as their name implies, must be included in any Shorewall installation. The other libraries are optional libraries that implement a particular function. Each optional library may be included or omitted based on the requirements of the individual installation.

Required Libraries

Shorewall 3.4 includes the following required libraries.

  • lib.base — includes functions needed by all Shorewall programs.

  • lib.cli — includes functions common to both /sbin/shorewall and /sbin/shorewall-lite.

  • lib.config — contains functions common to both /sbin/shorewall and /usr/share/shorewall/firewall.

lib.base and lib.cli are installed in /usr/share/shorewall-lite/ on Shorewall Lite systems.

Optional Libraries

Optional libraries are loaded upon demand based on the user's configuration.

In Shorewall 3.4, the optional libraries are as follows.

  • lib.accounting — required if the /etc/shorewall/accounting file is non-empty.

  • lib.actions — required if USE_ACTIONS=Yes in /etc/shorewall/shorewall.conf.

  • lib.dynamiczones — required if DYNAMIC_ZONES=Yes in /etc/shorewall/shorewall.conf.

  • lib.maclist — required if the maclist option is specified in any entry in /etc/shorewall/interfaces or /etc/shorewall/hosts.

  • lib.nat — required if the /etc/shorewall/masq, /etc/shorewall/nat or /etc/shorewall/netmap files are non-empty or if DNAT[-] rules are present in /etc/shorewall/rules.

  • lib.providers — required if the /etc/shorewall/providers file is non-empty.

  • lib.proxyarp — required if the /etc/shorewall/proxyarp file is non-empty or if the proxyarp option is specified in an entry in /etc/shorewall/interfaces.

  • lib.tc — required if the /etc/shorewall/tcdevices or /etc/shorewall/tcclasses file is non-empty.

  • lib.tcrules — required if the /etc/shorewall/tcrules file is non-empty.

  • lib.tunnels — required if the /etc/shorewall/tunnels file is non-empty.

As described, many of the libraries are required when one or more configuration files are non-empty and embedded distribution providers are encouraged to package each optional library together with its associated configuration files.

LibraryFiles
lib.accounting/etc/shorewall/accounting
lib.actions/etc/shorewall/actions
lib.maclist/etc/shorewall/maclist
lib.nat/etc/shorewall/masq, /etc/shorewall/nat, /etc/shorewall/netmap
lib.providers/etc/shorewall/route_rules, /etc/shorewall/providers
lib.proxyarp/etc/shorewall/proxyarp
lib.tc/etc/shorewall/tcclasses, /etc/shorewall/tcdevices
lib.tcrules/etc/shorewall/tcrules
lib.tunnels/etc/shorewall/tunnels

Note that in Shorewall 4, the optional libraries (with the exception of lib.dynamiczones) are included in the Shorewall-shell package while the required libraries and lib.dynamiczones are included in the Shorewall-common package.