OpenWrt Forum Archive

Topic: Shorewall Howto

The content of this topic has been archived on 1 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've posted a Shorewall HowTo http://www.openwrt.org/ConfigurableFirewall on the wiki and have it up and running on my router nicely. I am also in the process of creating ipkgs, one for iptables-save/restore and the other for Shorewall. I will add my package site to the package site list when I have done so.

Any input on the HowTo is welcome.

I've created some packages so that people can use shorewall without going through everything in the howto.

Simply add the line

src yani http://openwrt.wojjie.net/packages

to /etc/ipkg.conf, and do an

ipkg update && ipkg install shorewall

Hi Yani,

Excellent work with this - I'm glad to see you've packaged it properly and provided documentation. I think Shorewall is one of the key apps that will make a WRT54G with OpenWRT a truly flexible, powerful little box.

I've been playing with Shorewall on the WRT54G myself but have limited spare time at my disposal.  I got bogged down getting 'printf' to work - Shorewall uses it to make log entries, but printf is not included in the standard OpenWRT busybox.  However, 'awk' is in the default OpenWRT busybox and mbm has pointed out that 'awk' has a printf command that could be used to replace the shell 'printf'.  I've included a couple of diffs (created with 'diff -u ') to show how I've edited my 'shorewall' and 'firewall' Shorewall scripts to take advantage of this.

As an example - in the 'shorewall' script there is the line

printf '%7d %5d %s\n' $count $port $srv

I replaced this with

echo $count $port $srv | awk '{printf("%7d %5d %s\n",$1,$2,$3)}'

Thanks to mbm for pointing out how to do this with awk.

I'd actually prefer if Shorewall didn't log to the flash at all - I don't want to wear out the flash memory with its limited read/write lifetime.  From reading another thread I've seen that invoking syslogd like so:

syslogd -C

causes it to write to RAM as a circular log - i.e. the oldest entries are erased and the whole log remains at 200k in size. You can read the log by typing:

logread

The latest versions of OpenWRT have 'syslogd -C 16' set up by default in /etc/init.d/S10boot

If you reboot you lose the log - so my advice is if you want to keep the log, send it to a PC or other device with a hard-drive.  As I understand it, syslogd allows you to log to both local RAM and an external PC at the same time.

In my diff files you'll notice that I've also removed a lot of the comments (except for the copyright and GPL comments) to save space.  In my Shorewall I've actually removed the comments from most of the config files as well, simply because I run Shorewall on my router PCs at home and can refer to the comments in their config files if I get stuck.  Space is at a premium, especially in the WRT54G, and I think a Shorewall package that has most of the comments removed from its files would be a good option.

Hmm... I never encountered any problems actually. I have printf on my openwrt router, but I modified the openwrt build for my firmware and added a whole load of stripped stuff; this was probably one of them.

So... the packaged build probably depends on printf. Two options are to either package printf into a .ipk (how big a deal is installing this?) or to do as you suggest and replace the printfs with echo/awks. Actually, looking at it, the size of printf is 779K... so I'm going to have to strip out the printfs I think.

I have logging set up as you describe it, so I'm happy, but yes, this is something to keep in mind for users. The packaged version does automatically force shorewall to put its variable stuff in a ramfs directory, but I don't set up logging at all and assume the user has done so. I might add a pointer to the logging howto in the wiki to the post-install script in a future build.

As for the comment stripping you are correct in that this might be a good space saving measure, although realistically just how much would this save and how worth the hassle is it?


I am a bit spoilt for space I guess... I have a wrt54gs.

Add printf (and a number of other things) to the busybox build; the space increment is small. In fact, I don't know why it has not been included. Take ip as an example: unless for the very bare usage, ip is needed, and the busybox one vs the stand alone one results in about a 60k size difference favoring busybox.

Ok, all is fixed (I think). I replaced the printfs with echo/awks; it is surprisingly easy to do and worth the space savings I think (chimpanzee - my printf is > 700K!, but I agree with you on things like ip, etc).

Please re-install your shorewall package (the updated version has the same ipkg version, but the package is different), first backup any customizations you have made to your config files and then do a

ipkg update
ipkg install shorewall

and now you should have no troubles. Sorry to those who encountered this problem when trying to use the package. Notice you now get a warning to setup logging as described in the Mini HowTo. We want your wrt54g to have a long (if tortured) life after all ;-).

As for stripping the comments, I had a look into it. It would save some space, however most of the configuration files have a comment on the last line that *cannot* be removed, and additionally I personally find the comments inside those extremely useful.

I was trying to automate stripping the shell scripts of comments, though, and although it is possible using an awk global substitution I haven't come up with a regular expression that's foolproof and I feel safe applying to anything. For example

sed -e 's/#.*$//g' <inputfile >outputfile

will strip most comments, even comments on end of lines however it doesn't handle the special case where a # is present inside a string so,

echo '#this hash is safe from being interpreted'

gets stripped to

echo '

.

I currently haven't had enough sleep to write the appropriate regular expression, so I'm going to leave the comments in for now.
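A regular expression alone cannot tell a comment '#' from one inside a quoted string, but a small character scanner in awk can track the quote state. The following is an added example for this thread, not code from Shorewall or from the package. It assumes a POSIX sh and a POSIX or busybox awk, and it deliberately only treats a '#' as a comment start when it is the first character of the line or is preceded by a blank, so `$#` and `${#var}` are left alone; it also keeps the shebang line. '#' inside here-documents is not handled (the assumption is that the scripts contain none), so check the output with `diff` before replacing anything.

```shell
#!/bin/sh
# strip_comments: drop '#' comments from a shell script without touching a '#'
# that sits inside a single- or double-quoted string.  Added example, not code
# from Shorewall or the package; assumes a POSIX sh and a POSIX/busybox awk.
# A '#' only starts a comment here when it is the first character of the line
# or is preceded by a blank, so $# and ${#var} survive.  Here-documents are
# not handled (assumption: the input has none).
strip_comments() {
    awk -v sq="'" '
    FNR == 1 && /^#!/ { print; next }             # keep the shebang line
    {
        out = ""; q = ""; cut = 0; n = length($0)
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            if (q == "") {
                if (c == "\"" || c == sq) {        # entering a quoted string
                    q = c
                } else if (c == "#" && (i == 1 || substr($0, i - 1, 1) ~ /[ \t]/)) {
                    cut = 1; break                 # a real comment starts here
                }
            } else if (c == "\\" && q == "\"") {   # escaped character inside "..."
                out = out c; i++; c = substr($0, i, 1)
            } else if (c == q) {
                q = ""                             # leaving the quoted string
            }
            out = out c
        }
        if (cut) sub(/[ \t]+$/, "", out)           # drop the blanks left before the #
        if (out != "" || !cut) print out           # drop lines that were only a comment
    }' "$@"
}

# Usage: strip_comments shorewall > shorewall.stripped ; diff shorewall shorewall.stripped
```

The scanner keeps original blank lines but drops lines that consisted only of a comment, which is where most of the space in the Shorewall scripts goes. Because it is a heuristic, it belongs in a packaging step whose result you diff and read, not in an automatic post-install script.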

In the particular case of printf I've tried to create a wrapper script that uses awk as a substitute.

#!/bin/sh
#"printf2" - printf substitute
echo | awk -v v1=$1 -v v2=$2 -v v3=$3 -v v4=$4 -v v5=$5 -v v6=$6 -v v7=$7 -v v8=$8 -v v9=$9 '{printf(v1,v2,v3,v4,v5,v6,v7,v8,v9)}'

The above script works, but only if your print format doesn't have spaces in it - e.g. it accepts

 root@OpenWrt:/# printf2 '%7d%5d%s\n' $count $port $srv

at the command line but not

 root@OpenWrt:/# printf2 '%7d %5d %s\n' $count $port $srv

I can't get awk to accept escaped spaces - it always sees them as parameter separators.

Someone who knows what they're doing ('cos I don't) could try an awk script - e.g.

#!/usr/bin/awk -f
END
{
printf($1,$2,$3,$4,$5,$6,$7,$8,$9)
}

Note that this script doesn't actually work, due to my complete lack of awk programming experience.  But I think someone who knows awk can see what I'm trying to do...

In general, I think we should be keeping an eye on what dependencies our packages have, and asking ourselves if they will work on the standard OpenWRT firmware.  If we start to package a lot of programs that depend on absent basic tools, like printf, we can then consider making such tools part of the base firmware.  I'd like to see OpenWRT as a firmware work 'out of the box' as much as possible.
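The space problem in the wrapper above comes from the unquoted `$1`: the shell splits the format string into words before awk ever sees it. Quoting the arguments is enough. Below is an added example for this thread; it is not the wrapper posted above and not part of Shorewall, and it assumes `/bin/sh` plus a POSIX or busybox awk. It also relies on `awk -v` expanding backslash escapes in the assigned value, which is exactly what a printf format such as `'%7d %5d %s\n'` needs (awk does not expand escapes in a format string that arrives as a plain argument). The nine-argument limit is an assumption, matching the posted wrapper.

```shell
#!/bin/sh
# printf2: a printf substitute built on awk's printf, for a busybox that lacks
# the printf applet.  Added example, not the wrapper posted in the thread and
# not part of Shorewall; assumes /bin/sh and a POSIX/busybox awk.
# The difference from the posted wrapper is the quoting: "$1" hands the whole
# format string to awk as one value, blanks included.  awk -v also expands
# backslash escapes (\n, \t) in the assigned value, which a printf format needs.
# Up to nine conversion arguments are supported (assumption).
printf2() {
    fmt=${1:-}
    [ $# -gt 0 ] && shift
    awk -v fmt="$fmt" \
        -v a1="${1:-}" -v a2="${2:-}" -v a3="${3:-}" \
        -v a4="${4:-}" -v a5="${5:-}" -v a6="${6:-}" \
        -v a7="${7:-}" -v a8="${8:-}" -v a9="${9:-}" \
        'BEGIN { printf(fmt, a1, a2, a3, a4, a5, a6, a7, a8, a9) }'
}

# The Shorewall line from the thread, with a format that contains blanks
# (sample values constructed for the example):
count=12; port=80; srv=http
printf2 '%7d %5d %s\n' "$count" "$port" "$srv"
```

Installed as `/usr/bin/printf2` (or symlinked as `printf`), this lets the Shorewall scripts keep their printf lines unchanged, which is easier to maintain across Shorewall releases than editing each call into an echo/awk pipeline. Arguments beyond the format are passed as strings, so a `%d` given an empty or missing argument prints 0, the same as a missing argument does with a real printf.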

Yes, stand alone printf can take up lots of space; the same goes for ip or other utilities. The whole idea behind busybox is that if we put all these apps together, the space saving is quite significant. My build of openwrt's busybox has more utilities included and the space increase is negligible. In fact, because of the change from stand alone ip to busybox ip, I saved some space for other stuff.

BTW, have you run strip on your printf ? many of the binaries I built are also very large but shrink a lot after stripping. For things as simple as printf, it should be below 30k or so.

Thanks for doing the mod to your Shorewall package Yani.  When I get a moment, I'll create a .diff that only strips comments from the Shorewall config files - I did it totally by hand so nothing breaks.

In the meantime - here's a diff against the mainline Shorewall 2.0.8 tarball contents that strips comments, substitutes awk for printf, and slightly modifies the default config files.  Feel free to adapt it for your own usage.

strip.diff

The size of the diff file shows how much space would be saved - 145k - although, foolishly, I stripped things that didn't really need stripping such as the COPYING file - it doesn't get installed anyway.  Still, if it saves 100k it's worth it.

We would only need to update the comment-stripping patch if the mainline release of Shorewall adds new config files.  If you have a script to automatically package new Shorewall releases, you can get it to create two packages - 'shorewall' and 'shorewall-stripped'.  The 'shorewall' package would be for people like yourself who like to have all the comments in place, and the 'stripped' version for those who have severe space limitations (WRT54G users) or for use with a future 'shorewall-web-interface' package where comments wouldn't be that important.

I like the Shorewall comments too, they make it quite easy to use, but I find I don't need them to reside on the WRT54G itself for them to be useful.  For packages such as Shorewall, Quagga/OSPF and the Web Interface, I do think a WRT54GS is the way to go - you're cutting a bit too fine otherwise.

Thanks danversj, I'll have a look at integrating your patch tonight, and I think your suggestion of having a stripped and non-stripped package is a good idea. In some ways I wish I had a WRT54G just so I could feel the space limitations and be forced to strip my packages to the bare minimum. As the saying goes, OSS software is created to satisfy an itch and I just haven't got the low-space itch ... yet.

Wow... 100k. I guess I shouldn't be shocked; there are a LOT of comments. I think I'd like to leave in the 'header' section of the config files though that describes each field; they aren't very large.

Beware of the strip.diff I posted - I did it the wrong way around... So it adds comments instead of stripping them.  I'll do it properly as soon as I can and let you know.

EDIT: OK it's fixed now - here's the link again
strip.diff

Hi, I had a look at the diff and most is good, however there are at least a few lines I noticed where your config differs from the default and the change is included in the diff. I will have to go through it and look for these when I have more time and remove them. Applying the patch however is very simple and I can have it packaged in no time once I'm satisfied the patch is only removing comments and not changing the config.

I wouldn't mind hearing from somebody who has tried out the package - I'm a bit paranoid that maybe there is something else I missed when packaging it that might be a requirement but is satisfied by my wrt54gs's customized firmware.

The discussion might have continued from here.