Copyright © 2006 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.
2009/01/20
One of the major changes in Shorewall version 3.4 involved breaking much of the code into libraries. This modularization is expected to be used primarily by embedded distributions that wish to minimize the Shorewall disk and RAM footprint.
Shorewall libraries are Bourne shell source files that contain nothing but function declarations. Shorewall libraries may be loaded into a running shell program using the shell's "." operator. The library files have names which begin with "lib." and are installed in /usr/share/shorewall/.
Individual libraries are of one of two classes. The first class of libraries are required libraries which, as their name implies, must be included in any Shorewall installation. The other libraries are optional libraries that implement a particular function. Each optional library may be included or omitted based on the requirements of the individual installation.
Shorewall 3.4 includes the following required libraries.
lib.base — includes functions needed by all Shorewall programs.
lib.cli — includes functions common to both /sbin/shorewall and /sbin/shorewall-lite.
lib.config — contains functions common to both /sbin/shorewall and /usr/share/shorewall/firewall.
lib.base and lib.cli are installed in /usr/share/shorewall-lite/ on Shorewall Lite systems.
Optional libraries are loaded upon demand based on the user's configuration.
In Shorewall 3.4, the optional libraries are as follows.
lib.accounting — required if the /etc/shorewall/accounting file is non-empty.
lib.actions — required if USE_ACTIONS=Yes in /etc/shorewall/shorewall.conf.
lib.dynamiczones — required if DYNAMIC_ZONES=Yes in /etc/shorewall/shorewall.conf.
lib.maclist — required if the maclist option is specified in any entry in /etc/shorewall/interfaces or /etc/shorewall/hosts.
lib.nat — required if the /etc/shorewall/masq, /etc/shorewall/nat or /etc/shorewall/netmap files are non-empty or if DNAT[-] rules are present in /etc/shorewall/rules.
lib.providers — required if the /etc/shorewall/providers file is non-empty.
lib.proxyarp — required if the /etc/shorewall/proxyarp file is non-empty or if the proxyarp option is specified in an entry in /etc/shorewall/interfaces.
lib.tc — required if the /etc/shorewall/tcdevices or /etc/shorewall/tcclasses file is non-empty.
lib.tcrules — required if the /etc/shorewall/tcrules file is non-empty.
lib.tunnels — required if the /etc/shorewall/tunnels file is non-empty.
As described, many of the libraries are required when one or more configuration files are non-empty and embedded distribution providers are encouraged to package each optional library together with its associated configuration files.
Library | Files |
lib.accounting | /etc/shorewall/accounting |
lib.actions | /etc/shorewall/actions |
lib.maclist | /etc/shorewall/maclist |
lib.nat | /etc/shorewall/masq, /etc/shorewall/nat, /etc/shorewall/netmap |
lib.providers | /etc/shorewall/route_rules, /etc/shorewall/providers |
lib.proxyarp | /etc/shorewall/proxyarp |
lib.tc | /etc/shorewall/tcclasses, /etc/shorewall/tcdevices |
lib.tcrules | /etc/shorewall/tcrules |
lib.tunnels | /etc/shorewall/tunnels |
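The following script is an added example, not Shorewall's own code. It applies the "required if" rules listed above to a configuration directory and reports which optional libraries that configuration needs, and which of them are absent from a library directory. It assumes that "non-empty" means at least one line that is neither blank nor a comment; the function names and the constructed sample in demo are hypothetical.

```shell
#!/bin/sh
# Added example (not Shorewall code): which optional 3.4 libraries a config needs.
# Assumption: "non-empty" means a line that is neither blank nor a comment.

has_match() {     # REGEX FILE...: REGEX matches a non-comment line in any FILE
    re=$1; shift
    cat "$@" 2>/dev/null | grep -Ev '^[[:space:]]*#' | grep -Eq "$re"
}

has_entries() { has_match '[^[:space:]]' "$1"; }   # FILE is "non-empty"

conf_yes() {      # VAR CONFDIR: VAR=Yes is set in CONFDIR/shorewall.conf
    has_match "^[[:space:]]*$1=\"?[Yy]es\"?[[:space:]]*(#|\$)" "$2/shorewall.conf"
}

required_libs() { # CONFDIR: print each required optional library, one per line
    d=${1:-/etc/shorewall}
    # Simplification: an option is matched as a whole word anywhere in an entry.
    if has_entries "$d/accounting"; then echo lib.accounting; fi
    if conf_yes USE_ACTIONS "$d"; then echo lib.actions; fi
    if conf_yes DYNAMIC_ZONES "$d"; then echo lib.dynamiczones; fi
    if has_match '(^|[[:space:],])maclist([[:space:],]|$)' \
         "$d/interfaces" "$d/hosts"; then echo lib.maclist; fi
    if has_entries "$d/masq" || has_entries "$d/nat" || has_entries "$d/netmap" ||
       has_match '^[[:space:]]*DNAT-?([[:space:]:]|$)' "$d/rules"; then echo lib.nat; fi
    if has_entries "$d/providers"; then echo lib.providers; fi
    if has_entries "$d/proxyarp" ||
       has_match '(^|[[:space:],])proxyarp([[:space:],]|$)' "$d/interfaces"; then echo lib.proxyarp; fi
    if has_entries "$d/tcdevices" || has_entries "$d/tcclasses"; then echo lib.tc; fi
    if has_entries "$d/tcrules"; then echo lib.tcrules; fi
    if has_entries "$d/tunnels"; then echo lib.tunnels; fi
}

missing_libs() {  # CONFDIR LIBDIR: required libraries that are absent from LIBDIR
    for lib in $(required_libs "$1"); do
        [ -f "${2:-/usr/share/shorewall}/$lib" ] || echo "$lib"
    done
}

demo() {          # constructed sample config; prints the libraries it needs
    t=$(mktemp -d)
    printf '# comments only\n\n' > "$t/accounting"
    printf 'USE_ACTIONS=Yes\nDYNAMIC_ZONES=No\n' > "$t/shorewall.conf"
    printf 'net eth0 detect tcpflags,maclist\n' > "$t/interfaces"
    printf 'DNAT- net loc:10.0.0.5 tcp 80\n' > "$t/rules"
    required_libs "$t"; rm -rf "$t"
}
```

Running `missing_libs /etc/shorewall /usr/share/shorewall` on a trimmed image lists any optional library the current configuration still depends on but the image no longer ships.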
Note that in Shorewall 4, the optional libraries (with the exception of lib.dynamiczones) are included in the Shorewall-shell package while the required libraries and lib.dynamiczones are included in the Shorewall-common package.