diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml index c64d40785..3dce4acf7 100644 --- a/Shorewall/manpages/shorewall-mangle.xml +++ b/Shorewall/manpages/shorewall-mangle.xml @@ -363,6 +363,12 @@ INLINE eth0 - ; -p tcp -j MARK --set then the third rule above can be specified as follows: MARK(2):P eth0 - ; -p tcp + + Beginning with Shorewall 5.0.0, the rule may also be + written this way, irrespective of the setting of + INLINE_MATCHES: + + MARK(2):P eth0 - ;; -p tcp diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 11918e89c..129eeebf6 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -969,9 +969,18 @@ net all DROP infothen the chain name is 'net-all' alternative specificaitons on the right.. When INLINE_MATCHES=Yes is specified, the specifications on the right are interpreted as if - INLINE had been specified in the ACTION column. If not specified or - if specified as the empty value, the value 'No' is assumed for - backward compatibility. + INLINE had been specified in the ACTION column. This also applies to + shorewall-masq(5) and + shorewall-mangle(5) which + also support INLINE. If not specified or if specified as the empty + value, the value 'No' is assumed for backward compatibility. + + Beginning with Shorewall 5.0.0, it is no longer necessary to + set INLINE_MATCHES=Yes in order to be able to specify your own + iptables text in a rule. You may simply preface that text with a + pair of semicolons (";;"). If alternate input is also specified in + the rule, it should appear before the semicolons and may be + seperated from normal column input by a single semicolon. diff --git a/Shorewall6/manpages/shorewall6-mangle.xml b/Shorewall6/manpages/shorewall6-mangle.xml index c403f4552..95a164d75 100644 --- a/Shorewall6/manpages/shorewall6-mangle.xml +++ b/Shorewall6/manpages/shorewall6-mangle.xml 
@@ -364,6 +364,12 @@ INLINE eth0 - ; -p tcp -j MARK --set then the third rule above can be specified as follows: MARK(2):P eth0 - ; -p tcp + + Beginning with Shorewall 5.0.0, the rule may also be + written this way, irrespective of the setting of + INLINE_MATCHES: + + MARK(2):P eth0 - ;; -p tcp diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index 1b1a88f26..cade5b156 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -833,9 +833,19 @@ net all DROP infothen the chain name is 'net-all' from alternative specificaitons on the right.. When INLINE_MATCHES=Yes is specified, the specifications on the right are interpreted as if - INLINE had been specified in the ACTION column. If not specified or - if specified as the empty value, the value 'No' is assumed for - backward compatibility. + INLINE had been specified in the ACTION column. This also applies to + shorewall6-masq(5) and + shorewall6-mangle(5) + which also support INLINE. If not specified or if specified as the + empty value, the value 'No' is assumed for backward + compatibility. + + Beginning with Shorewall 5.0.0, it is no longer necessary to + set INLINE_MATCHES=Yes in order to be able to specify your own + iptables text in a rule. You may simply preface that text with a + pair of semicolons (";;"). If alternate input is also specified in + the rule, it should appear before the semicolons and may be + seperated from normal column input by a single semicolon. diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index 2d449b7f3..13d74b93b 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml @@ -538,8 +538,8 @@ ACCEPT net:\ - That usage is deprecated beginning with Shorewall 4.6.0. See - the INLINE_MATCHES option in This form is incompatible with INLINE_MATCHES=Yes. See the + INLINE_MATCHES option in shorewall.conf(5). 
@@ -766,6 +766,81 @@ DNAT net loc:10.0.0.1 tcp 80 ; mark="88" +
+ Using Netfilter Features not Directly Supported by + Shorewall + + Shorewall doesn't contain built-in support for all ip[6]tables + targets and matches. Nevertheless, you can still use the unsupported + ip[6]tables features through several Shorewall facilities. + + + + INLINE + + + INLINE, added in Shorewall 4. is available in the mangle, masq + and rules files and allows you to specify ip[6]table text following + a semicolon to the right of the column-oriented + specifications. + + INLINE takes one optional parameter which, if present, must be + a valid entry for the first column of the file. If the parameter is + omitted, then you can specify the target of the rule in the + text. + + Examples from the rules file: + + #ACTION SOURCE DEST + +?COMMENT Drop DNS Amplification Attack Packets +INLINE(DROP):info net $FW ; udp 53 ; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000" +?COMMENT + +?COMMENT Rule generated by the IfEvent action +INLINE net $FW ; -m recent --rcheck 10 --hitcount 5 --name SSH -s 1.2.3.4 -j MARK --or-mark 0x4000 +?COMMENT + + + + + IPTABLES and IP6TABLES + + + These are very similar to INLINE. The difference is that the + parameter to IPTABLES and IP6TABLES is the ip[6]tables target of the + Rule rather than a Shorewall-defined action or target. + + Example from the mangle file: + + IPTABLES(MARK --set-mark 0x4):P eth0 1.2.3.4 + + + + + Inline Matches + + + In Shorewall 4.6.0 and later, setting INLINE_MATCHES=Yes in + shorewall[6].conf allows you to include ip[6]tables matches + following a semicolon on any rule in the mangle, masq and rules + files. Note that this is incompatible with the Alternate Input form + that uses a semicolon to delimit column-oriented specifications from + column=value specifications. In Shorewall 5.0.0 and later, inline + matches are allowed in mangle, masq and rules following two adjacent + semicolons (";;"). 
If alternate input is present, the adjacent + semicolons should follow that input. + + Example from the masq file that spits outgoing SNAT between + two public IP addresses + + COMB_IF !70.90.191.120/29 70.90.191.121 ;; -m statistic --mode random --probability 0.50 +COMB_IF !70.90.191.120/29 70.90.191.123 + + + +
+
Addresses
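Review bot: In the shorewall.conf.xml hunk (@@ -969), the last added line has a typo, "seperated" should be "separated", and the unchanged context line just above the hunk ("alternative specificaitons on the right..") carries a misspelling and a doubled period that could be fixed while this paragraph is being touched. The new sentence "it should appear before the semicolons" is ambiguous now that the same paragraph describes both a single semicolon and a pair of semicolons; suggest "it should appear before the pair of semicolons (";;")" so the intended order (column input, optional single semicolon plus alternate input, then ";;" plus raw iptables text) is unambiguous.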
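Review bot: In the shorewall6.conf.xml hunk (@@ -833), the same two issues as in the shorewall.conf.xml hunk apply: "seperated" should be "separated" in the last added line, and the context line "alternative specificaitons on the right.." has a misspelling and a doubled period. Since this paragraph is a near-verbatim copy of the IPv4 one, it would be worth diffing the two added blocks against each other before merging so that future fixes do not drift; the only intended differences should be the shorewall6-masq(5) and shorewall6-mangle(5) references.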
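Review bot: In the docs/configuration_file_basics.xml hunk (@@ -766), the sentence "INLINE, added in Shorewall 4." has an incomplete version number and needs the full release. In the same paragraph "ip[6]table text" should read "ip[6]tables text", and in the Inline Matches subsection "spits outgoing SNAT" should read "splits outgoing SNAT" with a terminating period after "two public IP addresses". The DNS amplification example also deserves a second look: the column header lists only "#ACTION SOURCE DEST", yet the rule carries "udp 53" behind a first semicolon and then a second semicolon before "-m u32 ...", so either the header should include the PROTO and DPORT columns with the first semicolon removed, or the text should explain why the two single semicolons in an INLINE rule parse as intended. Finally, the IPTABLES/IP6TABLES subsection gives only an IPTABLES example; a matching IP6TABLES line from the mangle file would make the pairing concrete.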