More address validate changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6289 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-05-08 19:05:25 +00:00
parent b557ba02c8
commit 0d00d30d94
13 changed files with 644 additions and 195 deletions

View File

@ -40,9 +40,21 @@ Problems corrected in 3.9.7.
4) A value of 'detect' in the GATEWAY column of the providers file no
longer generates an error during [re]start.
Other changes in Shorewall 3.9.6.
5) The command 'shorewall check -p' resulted in an indefinite loop.
None.
6) A number of problems having to do with SECTIONs in the rules file
have been corrected.
7) The mss zone option now works correctly.
8) The LOGBURST and LOGLIMIT options in shorewall.conf now work
correctly
Other changes in Shorewall 3.9.7.
1) Shorewall-perl now validates all IP addresses and addresses ranges
in rules. DNS names are resolved and an error is issued for any
name that cannot be resolved.
Migration Considerations:
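Review bot: item 1 under "Other changes in Shorewall 3.9.7" should read "address ranges", not "addresses ranges", and item 8 is missing its terminating period. The item also understates the change: this commit calls validate_address on the GATEWAY column of the providers file as well (see the setup_providers hunk), so a gateway written as a hostname that does not resolve on the compiling host now aborts the compile. That deserves a line here and, since it can break existing configurations, an entry under "Migration Considerations".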

View File

@ -44,6 +44,7 @@ our @EXPORT = qw(
pop_open
read_a_line
validate_level
qt
get_configuration
require_capability
report_capabilities

View File

@ -31,6 +31,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw(
validate_address
validate_net
validate_range
ip_range_explicit
@ -50,14 +51,23 @@ sub valid_address( $ ) {
1;
}
sub validate_address( $ ) {
unless ( valid_address $_[0] ) {
fatal_error "Unknown Host ($_[0])" unless qt "host $_[0]";
}
}
sub validate_net( $ ) {
my ($net, $vlsm) = split '/', $_[0];
if ( defined $vlsm ) {
fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
fatal_error "Invalid IP address ($net)" unless valid_address $net;
} else {
fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
fatal_error "Invalid Network address ($_[0])" unless defined $net;
validate_address $net;
}
fatal_error "Invalid IP address ($net)" unless valid_address $net;
}
sub decodeaddr( $ ) {
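Review bot: in validate_address the rules-file value is interpolated unquoted into a shell command, `fatal_error "Unknown Host ($_[0])" unless qt "host $_[0]";`, so any value that fails valid_address, shell metacharacters included, reaches the shell verbatim. The rules file is root-edited configuration, so this is a robustness problem rather than a privilege boundary, but the value should still be restricted to hostname characters (letters, digits, '.', '-') before the call, or resolved in-process with gethostbyname, which also drops the dependency on a host binary being installed where the compiler runs. Two further points on the same lines: host exits 0 for any successful lookup, so a name with only an AAAA record passes even though the rule needs an IPv4 address; and validate_net now accepts a DNS name in the no-VLSM branch (it calls validate_address) but insists on a literal address when a /vlsm is present, which the man pages should state.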

View File

@ -186,7 +186,9 @@ sub setup_providers() {
"fi\n" );
$gateway = '$gateway';
} elsif ( $gateway && $gateway ne '-' ) {
emit "run_ip route replace $gateway src \$(find_first_interface_address $interface) dev $interface table $number";
validate_address $gateway;
my $variable = get_interface_address $interface;
emit "run_ip route replace $gateway src $variable dev $interface table $number";
emit "run_ip route add default via $gateway dev $interface table $number";
} else {
$gateway = '';
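Review bot: validate_address accepts a hostname here, but the name is then emitted unresolved into `run_ip route replace $gateway ...` and `run_ip route add default via $gateway ...`, so ip resolves it again at [re]start. At that point it may resolve to a different address than the one validated at compile time, or not resolve at all if this provider's default route is what gives the firewall its path to DNS, and in both cases the generated script installs a different route from the one that was checked. Either resolve the name at compile time and emit the resulting address, or require a literal IPv4 address in GATEWAY.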

View File

@ -244,6 +244,55 @@
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> — [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
<para>In all of the above columns except <emphasis
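Review bot: this MARK entry is inserted verbatim into four man pages in this commit, so keep the copies in sync; the fourth copy already omits the opening "Defines a test on the existing packet or connection mark" paragraph. The entry also leaves open whether a bare value without /mask compares the whole mark, and in what base the value is read; one sentence on each would save a round trip to the iptables documentation.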

View File

@ -92,6 +92,11 @@ loc eth2 -</programlisting>
<para>If you don't want to give a value for this column but you want
to enter a value in the OPTIONS column, enter <emphasis
role="bold">-</emphasis> in this column.</para>
<para><emphasis role="bold">Note to Shorewall-perl users:</emphasis>
Shorewall-perl only supports <option>detect</option> in this column.
If you specify <replaceable>address</replaceable>es, a compilation
warning will be issued.</para>
</listitem>
</varlistentry>
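Review bot: the new note says that specifying addresses in this column produces a compilation warning, but not what Shorewall-perl then does with them. Say explicitly whether the addresses are ignored and the detect behaviour is used instead, so that users migrating from Shorewall-shell know whether their existing entries still take effect.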
@ -107,173 +112,7 @@ loc eth2 -</programlisting>
<variablelist>
<varlistentry>
<term><emphasis role="bold">dhcp</emphasis></term>
<listitem>
<para>Specify this option when any of the following are
true:</para>
<orderedlist spacing="compact">
<listitem>
<para>the interface gets its IP address via DHCP</para>
</listitem>
<listitem>
<para>the interface is used by a DHCP server running on
the firewall</para>
</listitem>
<listitem>
<para>you have a static IP but are on a LAN segment with
lots of DHCP clients.</para>
</listitem>
<listitem>
<para>the interface is a bridge with a DHCP server on one
port and DHCP clients on another port.</para>
</listitem>
</orderedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">norfc1918</emphasis></term>
<listitem>
<para>This interface should not receive any packets whose
source is in one of the ranges reserved by RFC 1918 (i.e.,
private or "non-routable" addresses). If packet mangling or
connection-tracking match is enabled in your kernel, packets
whose destination addresses are reserved by RFC 1918 are also
rejected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routefilter</emphasis></term>
<listitem>
<para>Turn on kernel route filtering for this interface
(anti-spoofing measure).</para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
<para>This option can also be enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logmartians</emphasis></term>
<listitem>
<para>Turn on kernel martian logging (logging of packets with
impossible source addresses. It is strongly suggested that if
you set <emphasis role="bold">routefilter</emphasis> on an
interface that you also set <emphasis
role="bold">logmartians</emphasis>. Even if you do not specify
the <option>routefilter</option> option, it is a good idea to
specify <option>logmartians</option> because your distribution
may be enabling route filtering without you knowing it.</para>
<para>To find out if route filtering is set on a given
<replaceable>interface</replaceable>, check the contents of
<filename>/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/rp_filter</filename>
— a non-zero value indicates that route filtering is
enabled.</para>
<para>Example:</para>
<programlisting> teastep@lists:~$ <command>cat /proc/sys/net/ipv4/conf/eth0/rp_filter </command>
1
teastep@lists:~$ </programlisting>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
<para>This option may also be enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>Check packets arriving on this interface against the
<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">maclist</emphasis></term>
<listitem>
<para>Connection requests from this interface are compared
against the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an ethernet
NIC and must be up before Shorewall is started.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">tcpflags</emphasis></term>
<listitem>
<para>Packets arriving on this interface are checked for
certain illegal combinations of TCP flags. Packets found to
have such a combination of flags are handled according to the
setting of TCP_FLAGS_DISPOSITION after having been logged
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proxyarp</emphasis></term>
<listitem>
<para>Sets
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
Do NOT use this option if you are employing Proxy ARP through
entries in <ulink
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
This option is intended solely for use with Proxy ARP
sub-networking as described at: <ulink
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html</ulink><note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+)
in the INTERFACE column.</para>
</note></para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routeback</emphasis></term>
<listitem>
<para>If specified, indicates that Shorewall should include
rules that allow filtering traffic arriving on this interface
back out that same interface. This option is also required
when you have used a wildcard in the INTERFACE column if you
want to allow traffic between the interfaces that match the
wildcard.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">arp_filter</emphasis></term>
<term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
<listitem>
<para>If specified, this interface will only respond to ARP
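Review bot: the `arp_filter[={0|1}]` form is introduced here and then repeated for logmartians, proxyarp, routefilter and sourceroute, but nowhere is it said once what `=0` does in practice: from the description, the value is written to the kernel setting, so `=0` actively clears a setting the distribution may have enabled, rather than leaving it alone. Stating that at the point where the `[={0|1}]` syntax first appears would avoid repeating the same five-line paragraph in every entry.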
@ -282,6 +121,13 @@ loc eth2 -</programlisting>
requests for IP addresses on any of the firewall's interface.
The interface must be up when Shorewall is started.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>arp_filter</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
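Review bot: "have their setting changes" should read "have their setting changed"; the same sentence is pasted into the logmartians, proxyarp, routefilter and sourceroute entries in this commit, so all five copies need the fix. In the surrounding context, "on any of the firewall's interface" should be "interfaces".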
@ -328,16 +174,13 @@ loc eth2 -</programlisting>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nosmurfs</emphasis></term>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>Filter packets for smurfs (packets with a broadcast
address as the source).</para>
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
logging, the packets are dropped.</para>
<para>Check packets arriving on this interface against the
<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
file.</para>
</listitem>
</varlistentry>
@ -358,7 +201,230 @@ loc eth2 -</programlisting>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">sourceroute</emphasis></term>
<term><emphasis role="bold">dhcp</emphasis></term>
<listitem>
<para>Specify this option when any of the following are
true:</para>
<orderedlist spacing="compact">
<listitem>
<para>the interface gets its IP address via DHCP</para>
</listitem>
<listitem>
<para>the interface is used by a DHCP server running on
the firewall</para>
</listitem>
<listitem>
<para>you have a static IP but are on a LAN segment with
lots of DHCP clients.</para>
</listitem>
<listitem>
<para>the interface is a bridge with a DHCP server on one
port and DHCP clients on another port.</para>
</listitem>
</orderedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">logmartians[={0|1}]</emphasis></term>
<listitem>
<para>Turn on kernel martian logging (logging of packets with
impossible source addresses. It is strongly suggested that if
you set <emphasis role="bold">routefilter</emphasis> on an
interface that you also set <emphasis
role="bold">logmartians</emphasis>. Even if you do not specify
the <option>routefilter</option> option, it is a good idea to
specify <option>logmartians</option> because your distribution
may be enabling route filtering without you knowing it.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>logmartians</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para>To find out if route filtering is set on a given
<replaceable>interface</replaceable>, check the contents of
<filename>/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/rp_filter</filename>
— a non-zero value indicates that route filtering is
enabled.</para>
<para>Example:</para>
<programlisting> teastep@lists:~$ <command>cat /proc/sys/net/ipv4/conf/eth0/rp_filter </command>
1
teastep@lists:~$ </programlisting>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
<blockquote>
<para>This option may also be enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">maclist</emphasis></term>
<listitem>
<para>Connection requests from this interface are compared
against the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an ethernet
NIC and must be up before Shorewall is started.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">norfc1918</emphasis></term>
<listitem>
<para>This interface should not receive any packets whose
source is in one of the ranges reserved by RFC 1918 (i.e.,
private or "non-routable" addresses). If packet mangling or
connection-tracking match is enabled in your kernel, packets
whose destination addresses are reserved by RFC 1918 are also
rejected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nosmurfs</emphasis></term>
<listitem>
<para>Filter packets for smurfs (packets with a broadcast
address as the source).</para>
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
logging, the packets are dropped.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">optional</emphasis></term>
<listitem>
<para>Only supported by Shorewall-perl. When
<option>optional</option> is specified for an interface,
Shorewall will be silent when:</para>
<itemizedlist>
<listitem>
<para>a <filename
class="directory">/proc/sys/net/ipv4/conf/</filename>
entry for the interface cannot be modified (including for
proxy ARP).</para>
</listitem>
<listitem>
<para>The first address of the interface cannot be
obtained.</para>
</listitem>
</itemizedlist>
<para>I specify <option>optional</option> on interfaces to Xen
virtual machines that may or may not be running when Shorewall
is [re]started.</para>
<caution>
<para>Use <option>optional</option> at your own risk. If you
[re]start Shorewall when an 'optional' interface is not
available and then do a <command>shorewall save</command>,
subsequent <command>shorewall restore</command> and
<command>shorewall -f start</command> operations will
instantiate a ruleset that does not support that interface,
even if it is available at the time of the
restore/start.</para>
</caution>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
<listitem>
<para>Sets
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
Do NOT use this option if you are employing Proxy ARP through
entries in <ulink
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
This option is intended solely for use with Proxy ARP
sub-networking as described at: <ulink
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
</ulink><note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+)
in the INTERFACE column.</para>
</note>The option value (0 or 1) may only be specified if
you are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>proxyarp</option> option will have
their setting changes; the value assigned to the setting will
be the value specified (if any) or 1 if no value is
given.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routeback</emphasis></term>
<listitem>
<para>If specified, indicates that Shorewall should include
rules that allow filtering traffic arriving on this interface
back out that same interface. This option is also required
when you have used a wildcard in the INTERFACE column if you
want to allow traffic between the interfaces that match the
wildcard.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">routefilter[={0|1}]</emphasis></term>
<listitem>
<para>Turn on kernel route filtering for this interface
(anti-spoofing measure).</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>routefilter</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
<blockquote>
<para>This option can also be enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">sourceroute[={0|1}]</emphasis></term>
<listitem>
<para>If this option is not specified for an interface, then
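Review bot: several markup and wording problems in the re-added entries. In logmartians the parenthesis in "(logging of packets with impossible source addresses." is never closed. The "may also be enabled globally" paragraphs in logmartians and routefilter are now wrapped in <blockquote>, which renders as an indented quotation; the original plain <para> was correct. In proxyarp the <ulink> now encloses a trailing period and a line break as link text, and the <note> sits inside the <para> with the "The option value (0 or 1)..." sentence running on after </note>; close the para before the note and start a new para for that sentence. The "have their setting changes" typo recurs in logmartians, proxyarp and routefilter. Finally, the first-person aside in optional ("I specify optional on interfaces to Xen virtual machines...") reads oddly in a man page; "For example, interfaces to Xen virtual machines that may not be running..." keeps the advice without the voice.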
@ -369,6 +435,13 @@ loc eth2 -</programlisting>
This might represent a security risk and is not usually
needed.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>sourceroute</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
@ -377,6 +450,18 @@ loc eth2 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">tcpflags</emphasis></term>
<listitem>
<para>Packets arriving on this interface are checked for
certain illegal combinations of TCP flags. Packets found to
have such a combination of flags are handled according to the
setting of TCP_FLAGS_DISPOSITION after having been logged
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">upnp</emphasis></term>

View File

@ -302,6 +302,55 @@
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> — [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>

View File

@ -891,6 +891,55 @@
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> — [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>

View File

@ -410,8 +410,7 @@
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true. Tests have the
format</para>
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>

View File

@ -28,10 +28,10 @@
<variablelist>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> -
{<emphasis>zone</emphasis>[<emphasis
{<emphasis>all</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">$FW</emphasis>}</term>
role="bold">all</emphasis>|<emphasis role="bold">$FW</emphasis>}
(Shorewall-shell)</term>
<listitem>
<para>Name of a zone declared in <ulink
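Review bot: the new Shorewall-shell synopsis `{all[:address]|all|$FW}` lists all twice and drops zone, yet the description immediately below still begins "Name of a zone declared in ...". As written the synopsis and the description contradict each other; either the synopsis should keep `zone[:address]` or the description has to change to match.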
@ -53,11 +53,31 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>:<emphasis>address</emphasis>|<emphasis
role="bold">$FW</emphasis>} (Shorewall-perl)</term>
<listitem>
<para>If <emphasis role="bold">all</emphasis>, may optionally be
followed by ":" and an IP address, a MAC address, a subnet
specification or the name of an interface.</para>
<para>Example: all:192.168.2.3</para>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
<para>Example: ~00-A0-C9-15-39-78</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> -
{<emphasis>zone</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>}</term>
role="bold">all</emphasis>} (Shorewall-shell)</term>
<listitem>
<para>Name of a zone declared in <ulink
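Review bot: the Shorewall-perl SOURCE synopsis `{all|address]|all:address|$FW}` has a stray ']' with no matching '['. The description says that all "may optionally be followed by ':' and an IP address ...", but the synopsis also offers a bare address, so state whether `192.168.2.3` without the `all:` prefix is accepted, and whether an interface name may likewise appear bare. If the prefix is required, the MAC example would be clearer as `all:~00-A0-C9-15-39-78`.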
@ -71,6 +91,17 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>:<emphasis>address</emphasis>}
(Shorewall-perl)</term>
<listitem>
<para>Example: 192.168.2.3</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTOCOL</emphasis>
<emphasis>proto-name-or-number</emphasis></term>
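Review bot: the Shorewall-perl DEST synopsis has the same stray ']' as SOURCE, and the listitem consists only of "Example: 192.168.2.3". Describe the accepted forms as the SOURCE entry does (IP address, subnet, interface name) and say that a MAC address is not valid here, since MAC matching only applies to the source of a packet.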
@ -114,6 +145,52 @@
<emphasis role="bold">tos-normal-service</emphasis> (0)</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> — [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
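Review bot: this copy of the MARK entry is missing the opening paragraph present in the other three copies added by this commit ("Defines a test on the existing packet or connection mark. The rule will match only if the test returns true."), so it starts with the "-" placeholder sentence before saying what the column is for.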

View File

@ -36,10 +36,10 @@
role="bold">,</emphasis><emphasis>parent-zone</emphasis>]...]</term>
<listitem>
<para>Name of the <emphasis>zone</emphasis>. The names "all" and
"none" are reserved and may not be used as zone names. The maximum
length of a zone name is determined by the setting of the LOGFORMAT
option in <ulink
<para>Name of the <emphasis>zone</emphasis>. The names "all",
"none", "SOURCE" and "DEST" are reserved and may not be used as zone
names. The maximum length of a zone name is determined by the
setting of the LOGFORMAT option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). With the
default LOGFORMAT, zone names can be at most 5 characters
long.</para>
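Review bot: SOURCE and DEST are now reserved zone names, but the text gives no reason; a short parenthetical saying why they are reserved would stop users from treating it as an arbitrary restriction.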

View File

@ -256,6 +256,26 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLISTNEWONLY=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new
connections. When set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, blacklists are consulted for
every packet (will slow down your firewall noticably if you have
large blacklists). If the BLACKLISTNEWONLY option is not set or is
set to the empty value then BLACKLISTNEWONLY=No is assumed.</para>
<note>
<para>BLACKLISTNEWONLY=No is incompatible with
FASTACCEPT=Yes.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">BRIDGING=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
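Review bot: "noticably" should be "noticeably". Since the stated default when the option is unset is BLACKLISTNEWONLY=No, which is the slow per-packet mode, and that mode is declared incompatible with FASTACCEPT=Yes, it is worth saying what happens when both are left at their defaults or when the conflict is detected (compile error or one option overriding the other).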
@ -363,6 +383,11 @@
role="bold">shorewall</emphasis> [<emphasis
role="bold">re</emphasis>]<emphasis
role="bold">start</emphasis>.</para>
<note>
<para>DELAYBLACKLISTLOAD=Yes is not supported by
Shorewall-perl.</para>
</note>
</listitem>
</varlistentry>
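Review bot: "not supported by Shorewall-perl" is ambiguous: is DELAYBLACKLISTLOAD=Yes rejected with an error, or silently ignored? The same wording is used for the MAPOLDACTIONS and USE_ACTIONS notes added in this commit; say in each case which behaviour the user will see.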
@ -429,6 +454,11 @@
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
or RELATED sections of <ulink
url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
<note>
<para>FASTACCEPT=Yes is incompatible with
BLACKLISTNEWONLY=No.</para>
</note>
</listitem>
</varlistentry>
@ -574,7 +604,8 @@
<varlistentry>
<term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
role="bold">Yes</emphasis>|<emphasis
role="bold">No</emphasis>|Keep]</term>
<listitem>
<para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
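Review bot: Keep is not wrapped in <emphasis role="bold"> like Yes and No in the same synopsis; the ROUTE_FILTER synopsis later in this commit has the same inconsistency.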
@ -586,6 +617,15 @@
may still enable it for individual interfaces using the <emphasis
role="bold">logmartians</emphasis> interface option in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
<para>The value <emphasis role="bold">Keep</emphasis> is only
allowed under Shorewall-perl. It causes Shorewall to ignore the
option. If the option is set to <emphasis
role="bold">Yes</emphasis>, then martians are logged on all
interfaces. If the option is set to <emphasis
role="bold">No</emphasis>, then martian logging is disabled on all
interfaces except those specified in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
</listitem>
</varlistentry>
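Review bot: "It causes Shorewall to ignore the option" is ambiguous; the intended meaning is presumably that the kernel's existing log_martians settings are left untouched except on interfaces carrying the logmartians option, and that should be said outright. The Yes and No sentences that follow largely repeat the preceding paragraph; folding them into one description of the three values would read better.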
@ -807,7 +847,13 @@
parameterized macros. For compatibility, Shorewall can map the old
names into invocations of the new macros if you set
MAPOLDACTIONS=Yes. If this option is not set or is set to the empty
value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed</para>
value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed.</para>
<note>
<para>MAPOLDACTIONS=Yes is not supported by Shorewall-perl. With
Shorewall-perl, if MAPOLDACTIONS is not set or is set to the ampty
value then MAPOLDACTIONS=No is assumed.</para>
</note>
</listitem>
</varlistentry>
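Review bot: "ampty" should be "empty". The default flips from MAPOLDACTIONS=Yes under Shorewall-shell to MAPOLDACTIONS=No under Shorewall-perl, so a rules file that relies on the old action names will stop compiling on migration; that belongs under "Migration Considerations" in the changelog, not only in this note.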
@ -940,6 +986,60 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">RCP_COMMAND="</emphasis><replaceable>command</replaceable><emphasis
role="bold">"</emphasis></term>
<listitem>
<para></para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">RSH_COMMAND="</emphasis><replaceable>command</replaceable><emphasis
role="bold">"</emphasis></term>
<listitem>
<para>Eariler generations of Shorewall Lite required that remote
root login via ssh be enabled in order to use the
<command>load</command> and <command>reload</command> commands.
Beginning with release 3.9.5, you may define an alternative means
for accessing the remote firewall system. In that release, two new
options were added to shorewall.conf:<simplelist>
<member>RSH_COMMAND</member>
<member>RCP_COMMAND</member>
</simplelist>The default values for these are as
follows:<simplelist>
<member>RSH_COMMAND: ssh ${root}@${system} ${command}</member>
<member>RCP_COMMAND: scp ${files}
${root}@${system}:${destination}</member>
</simplelist>Shell variables that will be set when the commands
are envoked are as follows:<simplelist>
<member><replaceable>root</replaceable> - root user. Normally
<option>root</option> but may be overridden using the '-r'
option.</member>
<member><replaceable>system</replaceable> - The name/IP address
of the remote firewall system.</member>
<member><replaceable>command</replaceable> - For RSH_COMMAND,
the command to be executed on the firewall system.</member>
<member><replaceable>files</replaceable> - For RCP_COMMAND, a
space-separated list of files to be copied to the remote
firewall system.</member>
<member><replaceable>destination</replaceable> - The directory
on the remote system that the files are to be copied
into.</member>
</simplelist></para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">RESTOREFILE=</emphasis><emphasis>filename</emphasis></term>
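Review bot: the RCP_COMMAND listitem is an empty <para></para>; at minimum it should point to the RSH_COMMAND entry where both options are described. RSH_COMMAND is inserted ahead of RESTOREFILE, which breaks the alphabetical order of the file (RCP, RESTOREFILE, RSH). Typos: "Eariler" should be "Earlier", "envoked" should be "invoked". On the defaults themselves, `${files}`, `${root}@${system}` and `${destination}` are expanded unquoted by the shell when the command runs, so a destination or file path containing whitespace is split; quoting at least `"${destination}"` in the default and noting that user-supplied commands must quote their variables would avoid that.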
@ -1025,7 +1125,8 @@
<varlistentry>
<term><emphasis role="bold">ROUTE_FILTER=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
role="bold">Yes</emphasis>|<emphasis
role="bold">No</emphasis>|Keep]</term>
<listitem>
<para>If this parameter is given the value <emphasis
@ -1034,6 +1135,15 @@
interfaces which are brought up while Shorewall is in the started
state. The default value is <emphasis
role="bold">no</emphasis>.</para>
<para>The value <emphasis role="bold">Keep</emphasis> is only
allowed under Shorewall-perl. It causes Shorewall to ignore the
option. If the option is set to <emphasis
role="bold">Yes</emphasis>, then route filtering occurs on all
interfaces. If the option is set to <emphasis
role="bold">No</emphasis>, then route filtering is disabled on all
interfaces except those specified in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
</listitem>
</varlistentry>
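Review bot: this is the change with the largest security consequence in the commit. The text keeps "The default value is no", and then states that under Shorewall-perl No means "route filtering is disabled on all interfaces except those specified in shorewall-interfaces(5)". So a default Shorewall-perl configuration now actively switches off rp_filter that the distribution enabled via sysctl, exactly the case the interfaces man page in this same commit warns about ("your distribution may be enabling route filtering without you knowing it"). Either make Keep the Shorewall-perl default so that the passive behaviour is the default, or add a prominent note here and a "Migration Considerations" entry saying that users who rely on distribution-enabled rp_filter must set ROUTE_FILTER=Keep or Yes.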
@ -1182,6 +1292,10 @@
a sizable amount of code to implement. By setting USE_ACTIONS=No,
embedded Shorewall installations can omit the large library
/usr/share/shorewall/lib.actions.</para>
<note>
<para>USE_ACTIONS=No is not supported by Shorewall-perl.</para>
</note>
</listitem>
</varlistentry>

View File

@ -735,7 +735,9 @@
<listitem>
<para>The rules involving the the black list, ECN control rules, and
traffic shaping are recreated to reflect any changes made to your
configuration files. Existing connections are untouched.</para>
configuration files. Existing connections are untouched. Under
Shorewall-perl, <command>refresh</command> is synonamous with
<command>restart</command>.</para>
</listitem>
</varlistentry>
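Review bot: "synonamous" should be "synonymous", and "the the black list" in the surrounding context should be "the black list". If refresh is a full restart under Shorewall-perl, say whether the preceding guarantee "Existing connections are untouched" still holds in that case, since the sentence now applies to two different operations.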