More inline match documentation

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2015-09-03 09:45:39 -07:00
parent 8f86e2df19
commit 07976556ed
5 changed files with 114 additions and 8 deletions


@ -363,6 +363,12 @@ INLINE eth0 - ; -p tcp -j MARK --set
then the third rule above can be specified as follows:</para>
<programlisting>MARK(2):P eth0 - ; -p tcp</programlisting>
<para>Beginning with Shorewall 5.0.0, the rule may also be
written this way, irrespective of the setting of
INLINE_MATCHES:</para>
<programlisting>MARK(2):P eth0 - ;; -p tcp</programlisting>
</listitem>
</varlistentry>
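Review bot: the new paragraph should say what may follow the ";;" in this form. In the context line the INLINE rule carries its own target (`-j MARK --set`), whereas in `MARK(2):P eth0 - ;; -p tcp` the target comes from the ACTION column, so the text after ";;" must be matches only and must not contain a `-j`. One sentence to that effect after "irrespective of the setting of INLINE_MATCHES" would prevent readers from copying the `-j` from the INLINE example into the ";;" form.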


@ -969,9 +969,18 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<ulink url="/configuration_file_basics.htm#Pairs">alternative
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
specified, the specifications on the right are interpreted as if
INLINE had been specified in the ACTION column. If not specified or
if specified as the empty value, the value 'No' is assumed for
backward compatibility.</para>
INLINE had been specified in the ACTION column. This also applies to
<ulink url="shorewall-masq.html">shorewall-masq(5)</ulink> and
<ulink url="shorewall-mangle.html">shorewall-mangle(5</ulink>) which
also support INLINE. If not specified or if specified as the empty
value, the value 'No' is assumed for backward compatibility.</para>
<para>Beginning with Shorewall 5.0.0, it is no longer necessary to
set INLINE_MATCHES=Yes in order to be able to specify your own
iptables text in a rule. You may simply preface that text with a
pair of semicolons (";;"). If alternate input is also specified in
the rule, it should appear before the semicolons and may be
seperated from normal column input by a single semicolon.</para>
</listitem>
</varlistentry>
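Review bot: in the added `<ulink url="shorewall-mangle.html">shorewall-mangle(5</ulink>)` the closing parenthesis is outside the `</ulink>`, so the rendered link text reads `shorewall-mangle(5`; it should be `<ulink url="shorewall-mangle.html">shorewall-mangle(5)</ulink>`. In the same paragraph "seperated" should be "separated", and since these lines are being touched, the "specificaitons" and the double period in "on the right.." in the unchanged context could be fixed in the same commit. One wording point: "may be seperated from normal column input by a single semicolon" reads as optional; if alternate input always needs the single semicolon as its delimiter, say "is separated" rather than "may be separated".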


@ -364,6 +364,12 @@ INLINE eth0 - ; -p tcp -j MARK --set
then the third rule above can be specified as follows:</para>
<programlisting>MARK(2):P eth0 - ; -p tcp</programlisting>
<para>Beginning with Shorewall 5.0.0, the rule may also be
written this way, irrespective of the setting of
INLINE_MATCHES:</para>
<programlisting>MARK(2):P eth0 - ;; -p tcp</programlisting>
</listitem>
</varlistentry>
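Review bot: as in the shorewall-mangle(5) counterpart, the added sentence does not say that the text after ";;" is matches only. The INLINE line in the context supplies its own `-j MARK --set`, while `MARK(2):P eth0 - ;; -p tcp` takes its target from the ACTION column, so a `-j` after ";;" would be wrong here; a short clause stating this keeps the two examples from being conflated.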


@ -833,9 +833,19 @@ net all DROP info</programlisting>then the chain name is 'net-all'
from <ulink url="/configuration_file_basics.htm#Pairs">alternative
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
specified, the specifications on the right are interpreted as if
INLINE had been specified in the ACTION column. If not specified or
if specified as the empty value, the value 'No' is assumed for
backward compatibility.</para>
INLINE had been specified in the ACTION column. This also applies to
<ulink url="shorewall6-masq.html">shorewall6-masq(5)</ulink> and
<ulink url="shorewall6-mangle.html">shorewall6-mangle(5</ulink>)
which also support INLINE. If not specified or if specified as the
empty value, the value 'No' is assumed for backward
compatibility.</para>
<para>Beginning with Shorewall 5.0.0, it is no longer necessary to
set INLINE_MATCHES=Yes in order to be able to specify your own
iptables text in a rule. You may simply preface that text with a
pair of semicolons (";;"). If alternate input is also specified in
the rule, it should appear before the semicolons and may be
seperated from normal column input by a single semicolon.</para>
</listitem>
</varlistentry>
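Review bot: the closing parenthesis in `shorewall6-mangle(5</ulink>)` sits outside the `</ulink>` and will render as `shorewall6-mangle(5`; it belongs inside: `<ulink url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>`. "seperated" should be "separated", and the unchanged context lines carry "specificaitons" and "on the right.." which could be corrected while this paragraph is being edited. The same "may be separated" versus "is separated" question as in shorewall.conf(5) applies here; the two files should use identical wording.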


@ -538,8 +538,8 @@ ACCEPT net:\
</simplelist>
<important>
<para>That usage is deprecated beginning with Shorewall 4.6.0. See
the INLINE_MATCHES option in <ulink
<para>This form is incompatible with INLINE_MATCHES=Yes. See the
INLINE_MATCHES option in <ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</important>
</listitem>
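Review bot: replacing "That usage is deprecated beginning with Shorewall 4.6.0" with "This form is incompatible with INLINE_MATCHES=Yes" silently withdraws a deprecation; if the form is no longer deprecated, say so explicitly so readers who saw the 4.6 text know the status changed. The note would also help by pointing at the ";;" syntax introduced in 5.0.0 (documented under "Inline Matches" later in this file), which lets a rule carry both alternate input and ip[6]tables matches without setting INLINE_MATCHES=Yes.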
@ -766,6 +766,81 @@ DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</pro
DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting>
</section>
<section>
<title>Using Netfilter Features not Directly Supported by
Shorewall</title>
<para>Shorewall doesn't contain built-in support for all ip[6]tables
targets and matches. Nevertheless, you can still use the unsupported
ip[6]tables features through several Shorewall facilities.</para>
<variablelist>
<varlistentry>
<term>INLINE</term>
<listitem>
<para>INLINE, added in Shorewall 4. is available in the mangle, masq
and rules files and allows you to specify ip[6]table text following
a semicolon to the right of the column-oriented
specifications.</para>
<para>INLINE takes one optional parameter which, if present, must be
a valid entry for the first column of the file. If the parameter is
omitted, then you can specify the target of the rule in the
text.</para>
<para>Examples from the rules file:</para>
<programlisting>#ACTION SOURCE DEST
?COMMENT Drop DNS Amplification Attack Packets
INLINE(DROP):info net $FW ; udp 53 ; -m u32 --u32 "0&gt;&gt;22&amp;0x3C\@8&amp;0xffff=0x0100 &amp;&amp; 0&gt;&gt;22&amp;0x3C\@12&amp;0xffff0000=0x00010000"
?COMMENT
?COMMENT Rule generated by the IfEvent action
INLINE net $FW ; -m recent --rcheck 10 --hitcount 5 --name SSH -s 1.2.3.4 -j MARK --or-mark 0x4000
?COMMENT</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPTABLES and IP6TABLES</term>
<listitem>
<para>These are very similar to INLINE. The difference is that the
parameter to IPTABLES and IP6TABLES is the ip[6]tables target of the
Rule rather than a Shorewall-defined action or target.</para>
<para>Example from the mangle file:</para>
<programlisting>IPTABLES(MARK --set-mark 0x4):P eth0 1.2.3.4</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Inline Matches</term>
<listitem>
<para>In Shorewall 4.6.0 and later, setting INLINE_MATCHES=Yes in
shorewall[6].conf allows you to include ip[6]tables matches
following a semicolon on any rule in the mangle, masq and rules
files. Note that this is incompatible with the Alternate Input form
that uses a semicolon to delimit column-oriented specifications from
column=value specifications. In Shorewall 5.0.0 and later, inline
matches are allowed in mangle, masq and rules following two adjacent
semicolons (";;"). If alternate input is present, the adjacent
semicolons should follow that input.</para>
<para>Example from the masq file that spits outgoing SNAT between
two public IP addresses</para>
<programlisting>COMB_IF !70.90.191.120/29 70.90.191.121 ;; -m statistic --mode random --probability 0.50
COMB_IF !70.90.191.120/29 70.90.191.123</programlisting>
</listitem>
</varlistentry>
</variablelist>
</section>
<section>
<title>Addresses</title>
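Review bot: "INLINE, added in Shorewall 4." has a truncated version number; the release should be filled in before this merges. Further points in the new section: "ip[6]table text" should be "ip[6]tables text", and "spits outgoing SNAT" should be "splits outgoing SNAT". In the IfEvent example, `-m recent --rcheck 10 --hitcount 5` is not valid for the recent match: `--rcheck` takes no argument, and a time window is given with `--seconds 10`, so the line should read `-m recent --rcheck --seconds 10 --hitcount 5 --name SSH ...`. In the first rules example the header lists only `ACTION SOURCE DEST`, yet the rule reads `net $FW ; udp 53 ; -m u32 ...`; with the first semicolon, `udp 53` lands where alternate input (`key=value`) or inline text is expected rather than in the PROTO and DPORT columns, so either extend the header and drop that semicolon (`INLINE(DROP):info net $FW udp 53 ; -m u32 ...`) or confirm that this is the intended form. Lastly, the "Inline Matches" entry says ";;" is accepted in mangle, masq and rules from 5.0.0 but does not state, as the INLINE entry does, that the text after ";;" may contain matches only and no target; one sentence would make the three facilities easier to tell apart.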