156415 – net-firewall/shorewall should check that at least basic firewall support is inside the kernel

Bug 156415 - net-firewall/shorewall should check that at least basic firewall support is inside the kernel

Summary: net-firewall/shorewall should check that at least basic firewall support is i...

Status:	RESOLVED LATER

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	[OLD] Server (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Netmon project

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2006-11-27 07:56 UTC by Petteri Räty (RETIRED)
Modified:	2007-02-15 22:18 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Petteri Räty (RETIRED) gentoo-dev

2006-11-27 07:56:35 UTC

It would be nice if shorewall checked that at least the mandatory options are turned on in the kernel so that one does not need to go hunting for them.

Comment 1 Vieri 2006-12-08 02:56:58 UTC

(In reply to comment #0)
> It would be nice if shorewall checked that at least the mandatory options are
> turned on in the kernel so that one does not need to go hunting for them.

It's difficult to define what is "mandatory" and what is not. It all depends on the type of connection you're using. A user might "require" MPPE for a PPTP connection (as in "mandatory requirement" since without it his/her system wouldn't connect) but then most users usually don't need this feature in the kernel or as a module.

Also, the minimal setup is the "standalone firewall" as described here:
http://www.shorewall.net/standalone.htm
The "default kernel" should work out-of-the-box in this setup.
(correct me if I'm wrong)

Another issue would be to document all netfilter-related kernel options within the ebuild and optionally allow the user to auto-filter the kernel's .config file with a quick menu (eg. ebuild shorewall.ebuild config). But I think that would be hard to maintain as new kernel options keep appearing, some go obsolete and sometimes others change their names (personally I've seen that for SCSI controllers).

This said, I too believe that it's a bit of a drag hunting down all kernel options. Fortunately, kernel compilations aren't that frequent :-)

Comment 2 Markus Ullmann (RETIRED) gentoo-dev

2007-02-01 16:47:23 UTC

betelgeuse: which ones would you consider "required"?

Comment 3 Petteri Räty (RETIRED) gentoo-dev

2007-02-01 18:12:07 UTC

(In reply to comment #2)
> betelgeuse: which ones would you consider "required"?
>

Modules marked as essential in /etc/shorewall/modules at least. I would make the error description show that these are probably not enough.

Comment 4 Martin Jackson (RETIRED) gentoo-dev

2007-02-02 02:14:39 UTC

What about the situation where you install shorewall as a binpkg?  The package builder may not have any of the firewalling kernel modules enabled, and why should it?  Failing those modules will cause the package to fail to build; is that the right thing?

Comment 5 Petteri Räty (RETIRED) gentoo-dev

2007-02-02 11:50:13 UTC

(In reply to comment #4)
> What about the situation where you install shorewall as a binpkg?  The package
> builder may not have any of the firewalling kernel modules enabled, and why
> should it?  Failing those modules will cause the package to fail to build; is
> that the right thing?
> 

That would be an argument against any package that currently tests kernel config. I think there could be support for user disabling those tests as this has come up before.

Comment 6 Markus Ullmann (RETIRED) gentoo-dev

2007-02-15 22:18:29 UTC

Delaying it a bit, net kernel interface has quite some renamings atm. Let's do this when things have settled