mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 14:20:40 +01:00
Add TCPMSS Match detection and fix bug in maclist handling
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6560 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9d512c2514
commit
108ee0be91
@ -1,3 +1,7 @@
|
|||||||
|
Changes in 4.0.0 Beta 6
|
||||||
|
|
||||||
|
1) Validate the DISPOSITION in /etc/shorewall/maclist entries.
|
||||||
|
|
||||||
Changes in 4.0.0 Beta 5
|
Changes in 4.0.0 Beta 5
|
||||||
|
|
||||||
1) Fix undefined function call when both an input interface and an
|
1) Fix undefined function call when both an input interface and an
|
||||||
|
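Review bot: the changelog entry covers only the maclist DISPOSITION validation, while the commit also adds TCPMSS match detection, which changes the rules emitted by set_mss1 and setup_mss on hosts without the match; add a second item, e.g. `2) Detect the iptables TCPMSS match and omit '-m tcpmss' from TCPMSS rules when it is unavailable.`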
@ -998,6 +998,7 @@ determine_capabilities() {
|
|||||||
MANGLE_FORWARD=
|
MANGLE_FORWARD=
|
||||||
COMMENTS=
|
COMMENTS=
|
||||||
ADDRTYPE=
|
ADDRTYPE=
|
||||||
|
TCPMSS_MATCH=
|
||||||
|
|
||||||
qt $IPTABLES -N fooX1234
|
qt $IPTABLES -N fooX1234
|
||||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||||
@ -1065,6 +1066,7 @@ determine_capabilities() {
|
|||||||
|
|
||||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
|
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
|
qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
|
||||||
|
qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
|
||||||
|
|
||||||
qt $IPTABLES -F fooX1234
|
qt $IPTABLES -F fooX1234
|
||||||
qt $IPTABLES -X fooX1234
|
qt $IPTABLES -X fooX1234
|
||||||
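Review bot: the probe also carries `--tcp-flags SYN,RST SYN`, which is not needed to test for the tcpmss match; a leaner probe such as `qt $IPTABLES -A fooX1234 -p tcp -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes` exercises only the capability in question (keep `-p tcp`, since the match requires it).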
@ -1109,6 +1111,7 @@ report_capabilities() {
|
|||||||
report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
|
report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
|
||||||
report_capability "Comments" $COMMENTS
|
report_capability "Comments" $COMMENTS
|
||||||
report_capability "Address Type Match" $ADDRTYPE
|
report_capability "Address Type Match" $ADDRTYPE
|
||||||
|
report_capability "TCPMSS Match" $TCPMSS_MATCH
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
Shorewall 4.0.0 Beta 5
|
Shorewall 4.0.0 Beta 6
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
R E L E A S E H I G H L I G H T S
|
R E L E A S E H I G H L I G H T S
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
@ -15,115 +15,15 @@ Shorewall 4.0.0 Beta 5
|
|||||||
You must install Shorewall and at least one of the compiler packages
|
You must install Shorewall and at least one of the compiler packages
|
||||||
(you may install them both).
|
(you may install them both).
|
||||||
|
|
||||||
Problems corrected in 4.0.0 Beta 5.
|
Problems corrected in 4.0.0 Beta 6.
|
||||||
|
|
||||||
1) With Shorewall-perl, if a bridge port was used to qualify the SOURCE
|
1) With Shorewall-perl, an invalid DISPOSITION in an
|
||||||
in a rule where there was also a DEST interface, then the following
|
/etc/shorewall/maclist entry would cause Perl error messages to be
|
||||||
diagnostic was produced:
|
issued.
|
||||||
|
|
||||||
Undefined subroutine &Shorewall::Chains::source_port_to_bridge called
|
Other changes in Shorewall 4.0.0 Beta 6
|
||||||
at /usr/share/shorewall-perl/Shorewall/Chains.pm line 1521, <$currentfile>
|
|
||||||
line 363.
|
|
||||||
|
|
||||||
2) 'shorewall dump', 'shorewall show log' and 'shorewall logwatch'
|
None.
|
||||||
work again.
|
|
||||||
|
|
||||||
3) The 'mss' zone option and the CLAMPMSS=<number> option in
|
|
||||||
shorewall.conf could previously *increase* the MSS in a
|
|
||||||
packet; this possibility has been eliminated.
|
|
||||||
|
|
||||||
Other changes in Shorewall 4.0.0 Beta 5.
|
|
||||||
|
|
||||||
1) The Perl compiler is now externalized. Both the compiler.pl program
|
|
||||||
and the Perl Module interface are documented.
|
|
||||||
|
|
||||||
The compiler program is /usr/share/shorewall-perl/compiler.pl:
|
|
||||||
|
|
||||||
compiler.pl [ <option> ... ] [ <filename> ]
|
|
||||||
|
|
||||||
If a <filename> is given, then the configuration will be compiled
|
|
||||||
output placed in the named file. If <filename> is not given, then
|
|
||||||
the configuration will simply be syntax checked.
|
|
||||||
|
|
||||||
Options are:
|
|
||||||
|
|
||||||
-v <verbosity>
|
|
||||||
--verbosity=<verbosity>
|
|
||||||
|
|
||||||
The <verbosity> is a number between 0 and 2 and corresponds to
|
|
||||||
the VERBOSITY setting in shorewall.conf. This setting controls
|
|
||||||
the verbosity of the compiler itself.
|
|
||||||
|
|
||||||
-e
|
|
||||||
--export
|
|
||||||
|
|
||||||
If given, the configuration will be compiled for export to
|
|
||||||
another system.
|
|
||||||
|
|
||||||
-d <directory>
|
|
||||||
--directory=<directory>
|
|
||||||
|
|
||||||
If this option is omitted, the configuration in /etc/shorewall
|
|
||||||
is compiled/checked. Otherwise, the configuration in the named
|
|
||||||
directory will be compiled/checked.
|
|
||||||
|
|
||||||
-t
|
|
||||||
--timestamp
|
|
||||||
|
|
||||||
If given, each progress message issued by the compiler and by
|
|
||||||
the compiled program will be timestamped.
|
|
||||||
|
|
||||||
Example (compiles the configuration in the current directory
|
|
||||||
generating a script named 'firewall' and using VERBOSITY
|
|
||||||
2).
|
|
||||||
|
|
||||||
/usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall
|
|
||||||
|
|
||||||
Note: For compatibility with Shorewall 3.4.2 and later 3.4
|
|
||||||
releases, options not passed on the run-line get their values from
|
|
||||||
environmental variables:
|
|
||||||
|
|
||||||
Option Variable
|
|
||||||
|
|
||||||
--verbosity VERBOSE
|
|
||||||
--export EXPORT
|
|
||||||
--directory SHOREWALL_DIR
|
|
||||||
--timestamp TIMESTAMP
|
|
||||||
|
|
||||||
The Perl Module is externalized as follows:
|
|
||||||
|
|
||||||
use lib '/usr/share/shorewall-perl';
|
|
||||||
use Shorewall::Compiler;
|
|
||||||
|
|
||||||
compiler $filename, $directory, $verbose, $options
|
|
||||||
|
|
||||||
The arguments to the compiler function are as follows:
|
|
||||||
|
|
||||||
$filename - Name of the compiled script to be created.
|
|
||||||
If the arguments evaluates to false, the
|
|
||||||
configuration is syntax checked
|
|
||||||
|
|
||||||
$directory - The directory containing the configuration.
|
|
||||||
If passed as '', then /etc/shorewall/ is assumed.
|
|
||||||
|
|
||||||
$verbose - The verbosity level (0-2).
|
|
||||||
|
|
||||||
$options - A bitmap of options. Shorewall::Compiler
|
|
||||||
exports two constants to help building this
|
|
||||||
argument:
|
|
||||||
|
|
||||||
EXPORT = 0x01
|
|
||||||
TIMESTAMP = 0x02
|
|
||||||
|
|
||||||
The compiler raises an exception with 'die' if it encounters an
|
|
||||||
error; $@ contains the 'ERROR' messages describing the problem.
|
|
||||||
|
|
||||||
The compiler function can be called repeatedly with different
|
|
||||||
inputs.
|
|
||||||
|
|
||||||
2) When TC_ENABLED=Internal, Shorewall-perl now validates classids in
|
|
||||||
the MARK/CLASSIFY column of /etc/shorewall/tcrules against the
|
|
||||||
classes generated by /etc/shorewall/tcclasses.
|
|
||||||
|
|
||||||
Migration Considerations:
|
Migration Considerations:
|
||||||
|
|
||||||
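Review bot: "Other changes in Shorewall 4.0.0 Beta 6" reads "None.", but this commit adds TCPMSS match detection (both compilers now probe for `-m tcpmss` and drop the match from TCPMSS rules when it is absent); record that here, and state that the MSS-increase fix listed as Beta 5 item 3 depends on the match, so hosts whose iptables lacks it lose that guard.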
@ -649,6 +549,97 @@ Migration Considerations:
|
|||||||
Shorewall-perl 4.0.0-Beta1
|
Shorewall-perl 4.0.0-Beta1
|
||||||
gateway:/bulk/backup #
|
gateway:/bulk/backup #
|
||||||
|
|
||||||
|
14) The Perl compiler is externalized. Both the compiler.pl program
|
||||||
|
and the Perl Module interface are documented.
|
||||||
|
|
||||||
|
The compiler program is /usr/share/shorewall-perl/compiler.pl:
|
||||||
|
|
||||||
|
compiler.pl [ <option> ... ] [ <filename> ]
|
||||||
|
|
||||||
|
If a <filename> is given, then the configuration will be compiled
|
||||||
|
output placed in the named file. If <filename> is not given, then
|
||||||
|
the configuration will simply be syntax checked.
|
||||||
|
|
||||||
|
Options are:
|
||||||
|
|
||||||
|
-v <verbosity>
|
||||||
|
--verbosity=<verbosity>
|
||||||
|
|
||||||
|
The <verbosity> is a number between 0 and 2 and corresponds to
|
||||||
|
the VERBOSITY setting in shorewall.conf. This setting controls
|
||||||
|
the verbosity of the compiler itself.
|
||||||
|
|
||||||
|
-e
|
||||||
|
--export
|
||||||
|
|
||||||
|
If given, the configuration will be compiled for export to
|
||||||
|
another system.
|
||||||
|
|
||||||
|
-d <directory>
|
||||||
|
--directory=<directory>
|
||||||
|
|
||||||
|
If this option is omitted, the configuration in /etc/shorewall
|
||||||
|
is compiled/checked. Otherwise, the configuration in the named
|
||||||
|
directory will be compiled/checked.
|
||||||
|
|
||||||
|
-t
|
||||||
|
--timestamp
|
||||||
|
|
||||||
|
If given, each progress message issued by the compiler and by
|
||||||
|
the compiled program will be timestamped.
|
||||||
|
|
||||||
|
Example (compiles the configuration in the current directory
|
||||||
|
generating a script named 'firewall' and using VERBOSITY
|
||||||
|
2).
|
||||||
|
|
||||||
|
/usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall
|
||||||
|
|
||||||
|
Note: For compatibility with Shorewall 3.4.2 and later 3.4
|
||||||
|
releases, options not passed on the run-line get their values from
|
||||||
|
environmental variables:
|
||||||
|
|
||||||
|
Option Variable
|
||||||
|
|
||||||
|
--verbosity VERBOSE
|
||||||
|
--export EXPORT
|
||||||
|
--directory SHOREWALL_DIR
|
||||||
|
--timestamp TIMESTAMP
|
||||||
|
|
||||||
|
The Perl Module is externalized as follows:
|
||||||
|
|
||||||
|
use lib '/usr/share/shorewall-perl';
|
||||||
|
use Shorewall::Compiler;
|
||||||
|
|
||||||
|
compiler $filename, $directory, $verbose, $options
|
||||||
|
|
||||||
|
The arguments to the compiler function are as follows:
|
||||||
|
|
||||||
|
$filename - Name of the compiled script to be created.
|
||||||
|
If the arguments evaluates to false, the
|
||||||
|
configuration is syntax checked
|
||||||
|
|
||||||
|
$directory - The directory containing the configuration.
|
||||||
|
If passed as '', then /etc/shorewall/ is assumed.
|
||||||
|
|
||||||
|
$verbose - The verbosity level (0-2).
|
||||||
|
|
||||||
|
$options - A bitmap of options. Shorewall::Compiler
|
||||||
|
exports two constants to help building this
|
||||||
|
argument:
|
||||||
|
|
||||||
|
EXPORT = 0x01
|
||||||
|
TIMESTAMP = 0x02
|
||||||
|
|
||||||
|
The compiler raises an exception with 'die' if it encounters an
|
||||||
|
error; $@ contains the 'ERROR' messages describing the problem.
|
||||||
|
|
||||||
|
The compiler function can be called repeatedly with different
|
||||||
|
inputs.
|
||||||
|
|
||||||
|
15) When TC_ENABLED=Internal, Shorewall-perl now validates classids in
|
||||||
|
the MARK/CLASSIFY column of /etc/shorewall/tcrules against the
|
||||||
|
classes generated by /etc/shorewall/tcclasses.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
P R E R E Q U I S I T E S
|
P R E R E Q U I S I T E S
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
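Review bot: two wording slips in the new item 14: "If the arguments evaluates to false" should read "If the argument evaluates to false", and "environmental variables" should be "environment variables". The item also repeats, nearly verbatim, the Beta 5 "Other changes" text removed by the previous hunk; if it is meant to live only under Migration Considerations, a one-line pointer from the Beta 6 section would help readers find it.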
@ -1,5 +1,5 @@
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
# /etc/shorewall/shorewall.conf V3.4 - Change the following variables to
|
# /etc/shorewall/shorewall.conf V4.0 - Change the following variables to
|
||||||
# match your setup
|
# match your setup
|
||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
|
@ -709,7 +709,8 @@ sub set_mss1( $$ ) {
|
|||||||
my $chainref = ensure_chain 'filter', $chain;
|
my $chainref = ensure_chain 'filter', $chain;
|
||||||
|
|
||||||
if ( $chainref->{policy} ne 'NONE' ) {
|
if ( $chainref->{policy} ne 'NONE' ) {
|
||||||
insert_rule $chainref, 1, "-p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss: -j TCPMSS --set-mss $mss"
|
my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
|
||||||
|
insert_rule $chainref, 1, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
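Review bot: when `$capabilities{TCPMSS_MATCH}` is false the inserted rule becomes `-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss`, so the MSS is rewritten on every SYN instead of only on those whose MSS is at least $mss; the release notes should say that the MSS-increase guard depends on the match. Minor: `"$mss: "` interpolates correctly only because a single colon is not a package separator; `"${mss}: "` makes the intent explicit.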
@ -299,6 +299,7 @@ sub initialize() {
|
|||||||
MANGLE_FORWARD => 'Mangle FORWARD Chain',
|
MANGLE_FORWARD => 'Mangle FORWARD Chain',
|
||||||
COMMENTS => 'Comments',
|
COMMENTS => 'Comments',
|
||||||
ADDRTYPE => 'Address Type Match',
|
ADDRTYPE => 'Address Type Match',
|
||||||
|
TCPMSS_MATCH => 'TCP MSS',
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# Directories to search for configuration files
|
# Directories to search for configuration files
|
||||||
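Review bot: the description `'TCP MSS'` does not match the label the shell compiler reports for the same capability (`"TCPMSS Match"` in report_capabilities); use one string in both places, e.g. `TCPMSS_MATCH => 'TCPMSS Match',`, so capability listings from the two compilers line up.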
@ -857,6 +858,7 @@ sub determine_capabilities() {
|
|||||||
|
|
||||||
$capabilities{USEPKTTYPE} = qt( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
|
$capabilities{USEPKTTYPE} = qt( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
|
||||||
$capabilities{ADDRTYPE} = qt( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
|
$capabilities{ADDRTYPE} = qt( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
|
||||||
|
$capabilities{TCPMSS_MATCH} = qt( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
|
||||||
|
|
||||||
qt( "$iptables -F $sillyname" );
|
qt( "$iptables -F $sillyname" );
|
||||||
qt( "$iptables -X $sillyname" );
|
qt( "$iptables -X $sillyname" );
|
||||||
|
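Review bot: this probe queries the iptables of the host running the compiler; with `-e`/`--export` (documented elsewhere in this commit) the compiled script may run on another system, so the documentation should state that the decision to emit `-m tcpmss` is made at compile time from the compiling host's capabilities.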
@ -730,7 +730,7 @@ sub setup_mac_lists( $ ) {
|
|||||||
|
|
||||||
my $targetref = $maclist_targets{$disposition};
|
my $targetref = $maclist_targets{$disposition};
|
||||||
|
|
||||||
fatal_error "Invalid DISPOSITION ( $disposition)" if ( $table eq 'mangle' ) && ! $targetref->{mangle};
|
fatal_error "Invalid DISPOSITION ( $disposition)" if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
|
||||||
|
|
||||||
unless ( $maclist_interfaces{$interface} ) {
|
unless ( $maclist_interfaces{$interface} ) {
|
||||||
next if get_interface_option( $interface, 'optional' ) && get_interface_option( $interface, 'detectnets' );
|
next if get_interface_option( $interface, 'optional' ) && get_interface_option( $interface, 'detectnets' );
|
||||||
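Review bot: the fix correctly avoids dereferencing an undefined `$targetref`, but the message keeps a stray space: `"Invalid DISPOSITION ( $disposition)"` should be `"Invalid DISPOSITION ($disposition)"`. Consider also listing the accepted dispositions (the keys of `%maclist_targets`) in the message so the user can correct the entry without reading the source.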
@ -1792,7 +1792,7 @@ sub setup_mss( $ ) {
|
|||||||
if ( "\L$clampmss" eq 'yes' ) {
|
if ( "\L$clampmss" eq 'yes' ) {
|
||||||
$option = '--clamp-mss-to-pmtu';
|
$option = '--clamp-mss-to-pmtu';
|
||||||
} else {
|
} else {
|
||||||
$match = "-m tcpmss --mss $clampmss: ";
|
$match = "-m tcpmss --mss $clampmss: " if $capabilities{TCPMSS_MATCH};
|
||||||
$option = '--set-mss $clampmss';
|
$option = '--set-mss $clampmss';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
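Review bot: `$option = '--set-mss $clampmss';` in the unchanged context is single-quoted, so `$clampmss` is never interpolated and the literal text `--set-mss $clampmss` reaches the generated rule unless the emitted script defines a shell variable of that name; it should almost certainly be `"--set-mss $clampmss"`. Also confirm that `$match` is initialised to `''` before this block, since with the new conditional assignment it is left unset when the tcpmss match is absent.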
@ -101,7 +101,8 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>refresh -- invoked while the firewall is being refreshed but
|
<para>refresh -- invoked while the firewall is being refreshed but
|
||||||
before the blacklst chains have been rebuilt.</para>
|
before the blacklst chains have been rebuilt (Not used by Shorewall
|
||||||
|
Perl).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
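Review bot: the parenthetical says "Shorewall Perl", whereas the release notes and the new text later in this document use "Shorewall-perl"; pick one spelling (the same applies to the matching addition in the next hunk).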
@ -109,7 +110,8 @@
|
|||||||
traffic while Shorewall is [re]starting. Any rules added in this script
|
traffic while Shorewall is [re]starting. Any rules added in this script
|
||||||
should be deleted in your <emphasis>start</emphasis> script. This script
|
should be deleted in your <emphasis>start</emphasis> script. This script
|
||||||
is invoked earlier in the [re]start process than is the
|
is invoked earlier in the [re]start process than is the
|
||||||
<emphasis>initdone</emphasis> script described above.</para>
|
<emphasis>initdone</emphasis> script described above (Not used by
|
||||||
|
Shorewall Perl).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -284,17 +286,17 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis role="bold">Shorewall version 3.2.9 (3.4.0 RC2) and
|
<para><emphasis role="bold">Shorewall version 3.2.9 (3.4.0 RC2) and
|
||||||
later.</emphasis> When compiling your firewall configuration, Shorewall
|
later (Shorewall-shell).</emphasis> When compiling your firewall
|
||||||
copies most extension scripts directly into the "compiled" program where
|
configuration, Shorewall copies most extension scripts directly into the
|
||||||
they are executed in-line during processing of the start, restart and
|
"compiled" program where they are executed in-line during processing of
|
||||||
restore commands. When copying a script, Shorewall indents the script to
|
the start, restart and restore commands. When copying a script,
|
||||||
match the surrounding code; if you have 'awk' installed on the system
|
Shorewall indents the script to match the surrounding code; if you have
|
||||||
where the configuration is being compiled, Shorewall can correctly
|
'awk' installed on the system where the configuration is being compiled,
|
||||||
handle line continuation in your script ("\" as the last character on a
|
Shorewall can correctly handle line continuation in your script ("\" as
|
||||||
line). If you do not have awk, you may not use line continuation in your
|
the last character on a line). If you do not have awk, you may not use
|
||||||
scripts. Also beware that quoted strings continued from one line to
|
line continuation in your scripts. Also beware that quoted strings
|
||||||
another will have extra whitespace inserted as a result of
|
continued from one line to another will have extra whitespace inserted
|
||||||
indentation.</para>
|
as a result of indentation.</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>The <filename>/etc/shorewall/params</filename> script is
|
<para>The <filename>/etc/shorewall/params</filename> script is
|
||||||
@ -332,5 +334,79 @@
|
|||||||
script.</para>
|
script.</para>
|
||||||
</note>
|
</note>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">Shorewall-perl</emphasis>. Because the
|
||||||
|
compiler is now written in Perl, your compile-time extension scripts
|
||||||
|
from earlier versions will no longer work. Compile-time extension
|
||||||
|
scripts are executed using the Perl 'eval `cat <file>`' mechanism.
|
||||||
|
Be sure that each script returns a 'true' value; otherwise, the compiler
|
||||||
|
will assume that the script failed and will abort the
|
||||||
|
compilation.</para>
|
||||||
|
|
||||||
|
<para>All scripts will need to begin with the following
|
||||||
|
line:<programlisting>use Shorewall::Chains;</programlisting> For more
|
||||||
|
complex scripts, you may need to 'use' other Shorewall Perl modules --
|
||||||
|
browse <filename
|
||||||
|
class="directory">/usr/share/shorewall-perl/Shorewall/</filename> to see
|
||||||
|
what's available.</para>
|
||||||
|
|
||||||
|
<para>When a script is invoked, the $chainref scalar variable will hold
|
||||||
|
a reference to a chain table entry.<simplelist>
|
||||||
|
<member>$chainref->{name} contains the name of the chain</member>
|
||||||
|
|
||||||
|
<member>$chainref->{table} holds the table name</member>
|
||||||
|
</simplelist>To add a rule to the chain:<programlisting>add_rule( $chainref, <the rule> );</programlisting>Where<simplelist>
|
||||||
|
<member><the rule> is a scalar argument holding the rule text.
|
||||||
|
Do not include "-A <chain name>"</member>
|
||||||
|
</simplelist>Example:<programlisting>add_rule( $chainref, '-j ACCEPT' );</programlisting>To
|
||||||
|
insert a rule into the chain:<programlisting> insert_rule( $chainref, <rulenum>, <the rule> );</programlisting>The
|
||||||
|
log_rule_limit function works like it does in the shell compiler with
|
||||||
|
two exceptions:<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>You pass the chain reference rather than the name of the
|
||||||
|
chain.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The commands are 'add' and 'insert' rather than '-A' and
|
||||||
|
'-I'.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>There is only a single "pass as-is to iptables" argument (so
|
||||||
|
you must quote that part).</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>Example:<programlisting>log_rule_limit(
|
||||||
|
'info' ,
|
||||||
|
$chainref ,
|
||||||
|
$chainref->{name},
|
||||||
|
'DROP' ,
|
||||||
|
'', #Limit
|
||||||
|
'' , #Log tag
|
||||||
|
'add', #Command
|
||||||
|
'-p tcp' #Pass as-is
|
||||||
|
);</programlisting>Some run-time scripts have been converted to
|
||||||
|
compile time scripts:<simplelist>
|
||||||
|
<member>initdone</member>
|
||||||
|
|
||||||
|
<member>maclog</member>
|
||||||
|
</simplelist>Note that in the 'initdone' script, there is no default
|
||||||
|
chain ($chainref). You can objtain a reference to a standard chain
|
||||||
|
by:<programlisting>my $chainref = $chain_table{<table>}{<chain name>};</programlisting>Example:<programlisting>my $chainref = $chain_table{filter}{INPUT};</programlisting>Some
|
||||||
|
run-time scripts are simply eliminated because they no longer make any
|
||||||
|
sense under Shorewall-perl:<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>continue - This script was designed to allow you to add
|
||||||
|
special temporary rules during [re]start. Shorewall-perl doesn't
|
||||||
|
need such rules.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>refresh - The <command>refresh</command> command is the same
|
||||||
|
as <command>restart</command></para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist></para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</article>
|
</article>
|
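Review bot: several placeholders in the new DocBook text use raw angle brackets inside element content (`<file>`, `<the rule>`, `<rulenum>`, `<table>`, `<chain name>`), which is not well-formed XML and will break the document build; escape them as `&lt;the rule&gt;` or mark them up with `<replaceable>`. Also "objtain" should be "obtain", and the `log_rule_limit` example would read more easily with consistent spacing before the commas.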