Implement Run-time Address Variables
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
17a1cd3c57
commit
156b04c380
@ -2679,6 +2679,15 @@ sub have_ipset_rules() {
|
|||||||
$ipset_rules;
|
$ipset_rules;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub get_interface_address( $ );
|
||||||
|
|
||||||
|
sub record_runtime_address( $ ) {
|
||||||
|
my $interface = shift;
|
||||||
|
fatal_error "Unknown interface address variable (&$interface)" unless known_interface( $interface );
|
||||||
|
fatal_error "Invalid interface address variable (&$interface)" if $interface =~ /\+$/;
|
||||||
|
get_interface_address( $interface ) . ' ';
|
||||||
|
}
|
||||||
|
|
||||||
sub mysplit( $ );
|
sub mysplit( $ );
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -2714,8 +2723,14 @@ sub match_source_net( $;$ ) {
|
|||||||
|
|
||||||
$result;
|
$result;
|
||||||
} elsif ( $net =~ s/^!// ) {
|
} elsif ( $net =~ s/^!// ) {
|
||||||
|
if ( $net =~ /^&(.+)/ ) {
|
||||||
|
'! -s ' . record_runtime_address $1;
|
||||||
|
} else {
|
||||||
validate_net $net, 1;
|
validate_net $net, 1;
|
||||||
"! -s $net ";
|
"! -s $net ";
|
||||||
|
}
|
||||||
|
} elsif ( $net =~ /^&(.+)/ ) {
|
||||||
|
'-s ' . record_runtime_address $1;
|
||||||
} else {
|
} else {
|
||||||
validate_net $net, 1;
|
validate_net $net, 1;
|
||||||
$net eq ALLIP ? '' : "-s $net ";
|
$net eq ALLIP ? '' : "-s $net ";
|
||||||
@ -2749,10 +2764,15 @@ sub match_dest_net( $ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$result;
|
$result;
|
||||||
} elsif ( $net =~ /^!/ ) {
|
} elsif ( $net =~ s/^!// ) {
|
||||||
$net =~ s/!//;
|
if ( $net =~ /^&(.+)/ ) {
|
||||||
|
'! -d ' . record_runtime_address $1;
|
||||||
|
} else {
|
||||||
validate_net $net, 1;
|
validate_net $net, 1;
|
||||||
"! -d $net ";
|
"! -d $net ";
|
||||||
|
}
|
||||||
|
} elsif ( $net =~ /^&(.+)/ ) {
|
||||||
|
'-d ' . record_runtime_address $1;
|
||||||
} else {
|
} else {
|
||||||
validate_net $net, 1;
|
validate_net $net, 1;
|
||||||
$net eq ALLIP ? '' : "-d $net ";
|
$net eq ALLIP ? '' : "-d $net ";
|
||||||
@ -2769,10 +2789,20 @@ sub match_orig_dest ( $ ) {
|
|||||||
return '' unless have_capability( 'CONNTRACK_MATCH' );
|
return '' unless have_capability( 'CONNTRACK_MATCH' );
|
||||||
|
|
||||||
if ( $net =~ s/^!// ) {
|
if ( $net =~ s/^!// ) {
|
||||||
validate_net $net, 1;
|
if ( $net =~ /^&(.+)/ ) {
|
||||||
have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
|
$net = record_runtime_address $1;
|
||||||
} else {
|
} else {
|
||||||
validate_net $net, 1;
|
validate_net $net, 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
|
||||||
|
} else {
|
||||||
|
if ( $net =~ /^&(.+)/ ) {
|
||||||
|
$net = record_runtime_address $1;
|
||||||
|
} else {
|
||||||
|
validate_net $net, 1;
|
||||||
|
}
|
||||||
|
|
||||||
$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
|
$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -3501,7 +3531,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
if ( $source =~ /^(.+?):(.+)$/ ) {
|
if ( $source =~ /^(.+?):(.+)$/ ) {
|
||||||
$iiface = $1;
|
$iiface = $1;
|
||||||
$inets = $2;
|
$inets = $2;
|
||||||
} elsif ( $source =~ /\+|~|\..*\./ ) {
|
} elsif ( $source =~ /\+|&|~|\..*\./ ) {
|
||||||
$inets = $source;
|
$inets = $source;
|
||||||
} else {
|
} else {
|
||||||
$iiface = $source;
|
$iiface = $source;
|
||||||
@ -3515,7 +3545,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
} else {
|
} else {
|
||||||
$inets = $source;
|
$inets = $source;
|
||||||
}
|
}
|
||||||
} elsif ( $source =~ /\+|~|\..*\./ ) {
|
} elsif ( $source =~ /(?:\+|&|~|\..*\.)/ ) {
|
||||||
$inets = $source;
|
$inets = $source;
|
||||||
} else {
|
} else {
|
||||||
$iiface = $source;
|
$iiface = $source;
|
||||||
@ -3592,7 +3622,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
if ( $dest =~ /^(.+?):(.+)$/ ) {
|
if ( $dest =~ /^(.+?):(.+)$/ ) {
|
||||||
$diface = $1;
|
$diface = $1;
|
||||||
$dnets = $2;
|
$dnets = $2;
|
||||||
} elsif ( $dest =~ /\+|~|\..*\./ ) {
|
} elsif ( $dest =~ /\+|&|~|\..*\./ ) {
|
||||||
$dnets = $dest;
|
$dnets = $dest;
|
||||||
} else {
|
} else {
|
||||||
$diface = $dest;
|
$diface = $dest;
|
||||||
@ -3606,7 +3636,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
} else {
|
} else {
|
||||||
$dnets = $dest;
|
$dnets = $dest;
|
||||||
}
|
}
|
||||||
} elsif ( $dest =~ /\+|~|\..*\./ ) {
|
} elsif ( $dest =~ /^(?:\+|&|\..*\.)/ ) {
|
||||||
$dnets = $dest;
|
$dnets = $dest;
|
||||||
} else {
|
} else {
|
||||||
$diface = $dest;
|
$diface = $dest;
|
||||||
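Review bot: The DEST classifier `} elsif ( $dest =~ /^(?:\+|&|\..*\.)/ ) {` in the `@ -3606` hunk anchors the whole alternation, so the `\..*\.` branch now matches only a value that begins with a dot; a dotted address such as `10.0.0.0/24`, which the old `/\+|~|\..*\./` accepted, falls through to `$diface = $dest` instead of `$dnets`, and the SOURCE counterpart in the `@ -3515` hunk stays unanchored, so the `^` looks accidental rather than intended — if this branch can still see addresses as before, that is a regression. Dropping `~` there may well be deliberate (MAC matches apply to sources only), so the fix is just `} elsif ( $dest =~ /\+|&|\..*\./ ) {`. Separately, the release-note statement that an unusable optional interface yields the all-zero address "resulting in no packets matching the rule" does not hold for the negated forms added to match_source_net, match_dest_net and match_orig_dest: `!&eth0` then renders as `! -s 0.0.0.0`, which matches every packet, so an exclusion silently fails open while the interface is down. That is worth a comment on record_runtime_address, e.g. `# NOTE: for an optional interface that is down the variable expands to the all-zero address; under '!' that matches everything, so negated run-time addresses fail open`. expand_rule and the three match_* subs all begin outside these hunks.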
|
@ -10,6 +10,8 @@ Changes in Shorewall 4.4.17 Beta 1
|
|||||||
|
|
||||||
5) Add 'USE_LOCAL_MODULES' option.
|
5) Add 'USE_LOCAL_MODULES' option.
|
||||||
|
|
||||||
|
6) Implement runtime address variables (&interface)
|
||||||
|
|
||||||
Changes in Shorewall 4.4.17 Beta 1
|
Changes in Shorewall 4.4.17 Beta 1
|
||||||
|
|
||||||
1) Improve readability of logging logic in expand_rule().
|
1) Improve readability of logging logic in expand_rule().
|
||||||
|
@ -54,6 +54,54 @@ Beta 1
|
|||||||
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
|
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
Beta 2
|
||||||
|
|
||||||
|
1) Traditionally, the -lite products have used the modules (or
|
||||||
|
helpers) file on the firewall system unless there is a modules (or
|
||||||
|
helpers) file in the configuration directory. This release
|
||||||
|
introduces the USE_LOCAL_MODULES option in shorewall[6].conf.
|
||||||
|
|
||||||
|
When USE_LOCAL_MODULES=Yes, the modules (helpers) file on the
|
||||||
|
administrative system will be used to determine the set of modules
|
||||||
|
loaded.
|
||||||
|
|
||||||
|
2) Given that shell variables are expanded at compile time, there was
|
||||||
|
previously no way to cause such variables to be expended at run
|
||||||
|
time. This made it difficult (to impossible) to include dynamic IP
|
||||||
|
addresses in a Shorewall-lite configuration.
|
||||||
|
|
||||||
|
This release implements "Run-time address variables". In
|
||||||
|
configuration files, these variables are expressed as an apersand
|
||||||
|
('&') followed by the name of an interface defined in
|
||||||
|
/etc/shorewall/interfaces.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
ð0 would represent the primary IP address of eth0.
|
||||||
|
|
||||||
|
Run-time address variables may be used in the SOURCE and DEST
|
||||||
|
column of the following configuration files:
|
||||||
|
|
||||||
|
accounting
|
||||||
|
action files
|
||||||
|
blacklist
|
||||||
|
macro files
|
||||||
|
rules
|
||||||
|
tcrules
|
||||||
|
tos
|
||||||
|
|
||||||
|
They may also appear in the ORIGINAL DEST column of
|
||||||
|
|
||||||
|
action files
|
||||||
|
macro files
|
||||||
|
rules
|
||||||
|
|
||||||
|
For optional interfaces, if the interface is not usable at the time
|
||||||
|
that the firewall starts the all-zero address will be used (0.0.0.0
|
||||||
|
in IPv4 and :: in IPv6), resulting in no packets matching the rule.
|
||||||
|
|
||||||
|
Beta 1
|
||||||
|
|
||||||
1) The shell variables set in /etc/shorewall/params
|
1) The shell variables set in /etc/shorewall/params
|
||||||
(/etc/shorewall6/params) are now available in the compiled script
|
(/etc/shorewall6/params) are now available in the compiled script
|
||||||
at run-time with EXPORTPARAMS=No. The EXPORTPARAMS option is now
|
at run-time with EXPORTPARAMS=No. The EXPORTPARAMS option is now
|
||||||
@ -85,15 +133,6 @@ Beta 1
|
|||||||
INCLUDE was performed on the firewall system rather than on the
|
INCLUDE was performed on the firewall system rather than on the
|
||||||
administrative system.
|
administrative system.
|
||||||
|
|
||||||
3) Traditionally, the -lite products have used the modules (or
|
|
||||||
helpers) file on the firewall system unless there is a modules (or
|
|
||||||
helpers) file in the configuration directory. This release
|
|
||||||
introduces the USE_LOCAL_MODULES option in shorewall[6].conf.
|
|
||||||
|
|
||||||
When USE_LOCAL_MODULES=Yes, the modules (helpers) file on the
|
|
||||||
administrative system will be used to determine the set of modules
|
|
||||||
loaded.
|
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
I V. R E L E A S E 4 . 4 H I G H L I G H T S
|
I V. R E L E A S E 4 . 4 H I G H L I G H T S
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
@ -620,6 +620,12 @@ ACCEPT net:\
|
|||||||
role="bold">loc</emphasis> zone — <emphasis
|
role="bold">loc</emphasis> zone — <emphasis
|
||||||
role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
|
role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The primary IP address of eth0 in the $FW zone - <emphasis
|
||||||
|
role="bold">$FW:&eth0</emphasis> (see <link
|
||||||
|
linkend="Rvariables">Run-time Address Variables</link> below)</para>
|
||||||
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -713,7 +719,7 @@ ACCEPT net:\
|
|||||||
<filename>params</filename> file from being copied into the compiled
|
<filename>params</filename> file from being copied into the compiled
|
||||||
script. With EXPORTPARAMS=No, it is perfectly okay to use INCLUDE in the
|
script. With EXPORTPARAMS=No, it is perfectly okay to use INCLUDE in the
|
||||||
<filename>params</filename> file. Note that with Shorewall 4.4.17 and
|
<filename>params</filename> file. Note that with Shorewall 4.4.17 and
|
||||||
later: </para>
|
later:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -954,14 +960,103 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
|
|||||||
<para>The <command>shorewall-lite call</command> command allows you to
|
<para>The <command>shorewall-lite call</command> command allows you to
|
||||||
to call interactively any Shorewall function that you can call in an
|
to call interactively any Shorewall function that you can call in an
|
||||||
extension script.</para>
|
extension script.</para>
|
||||||
|
|
||||||
|
<note>
|
||||||
|
<para>Within your configuration files, only the $VAR and ${VAR}
|
||||||
|
forms of variable expansion are supported. You may not use the more
|
||||||
|
exotic forms supported by the shell (${VAR:=val}, ${VAR:-val},
|
||||||
|
...)</para>
|
||||||
|
</note>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<note>
|
<para id="Rvariables">Given that shell variables are expanded at compile
|
||||||
<para>Within your configuration files, only the $VAR and ${VAR} forms of
|
time, there is no way to cause such variables to be expended at run time.
|
||||||
variable expansion are supported. You may not use the more exotic forms
|
Prior to Shorewall 4.4.17, this made it difficult (to impossible) to
|
||||||
supported by the shell (${VAR:=val}, ${VAR:-val}, ...)</para>
|
include dynamic IP addresses in a <ulink
|
||||||
</note>
|
url="CompiledPrograms.html">Shorewall-lite</ulink> configuration.</para>
|
||||||
|
|
||||||
|
<para>Version 4.4.17 implemented <firstterm>Run-time address
|
||||||
|
variables</firstterm>. In configuration files, these variables are
|
||||||
|
expressed as an apersand ('&') followed by the logical name of an
|
||||||
|
interface defined in shorewall-interfaces (5). Wildcard interfaces (those
|
||||||
|
ending in '+') are not supported and will cause a compilation
|
||||||
|
error.</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>Example:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">&eth0</emphasis> would represent the
|
||||||
|
primary IP address of eth0.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>Run-time address variables may be used in the SOURCE and DEST column
|
||||||
|
of the following configuration files:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para><ulink
|
||||||
|
url="manapges/shorewall-accounting.html">shorewall-accounting</ulink>
|
||||||
|
(5)</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><ulink url="Actions.html">Action</ulink> files</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><ulink
|
||||||
|
url="manpages/shorewall-accounting.html">shorewall-blacklist</ulink>
|
||||||
|
(5)</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><ulink url="Macros.html">Macro</ulink> files</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><ulink
|
||||||
|
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><ulink
|
||||||
|
url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
|
||||||
|
(5)</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
|
||||||
|
(5)</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>They may also appear in the ORIGINAL DEST column of:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para><ulink
|
||||||
|
url="manapges/shorewall-accounting.html">shorewall-accounting</ulink>
|
||||||
|
(5)</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><ulink url="Macros.html">Macro</ulink> files</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><ulink
|
||||||
|
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>For optional interfaces, if the interface is not usable at the time
|
||||||
|
that the firewall starts the all-zero address will be used (0.0.0.0 in
|
||||||
|
IPv4 and :: in IPv6), resulting in no packets matching the rule. </para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Embedded">
|
<section id="Embedded">
|
||||||
|
@ -481,10 +481,10 @@
|
|||||||
</ulink></para>
|
</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
|
<para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
|
||||||
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
|
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||||
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
|
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
||||||
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
|
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
|
||||||
shorewall-proxyarp(5), shorewall-route_rules(5),
|
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
|
||||||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
|
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
|
||||||
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
||||||
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
||||||
|
@ -553,7 +553,7 @@
|
|||||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
|
||||||
<emphasis role="bold">any</emphasis>[<emphasis
|
<emphasis role="bold">any</emphasis>[<emphasis
|
||||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
||||||
removed in Shorewall-4.4.13. </para>
|
removed in Shorewall-4.4.13.</para>
|
||||||
|
|
||||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
<para><emphasis role="bold">any</emphasis> is equivalent to
|
||||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
||||||
@ -572,6 +572,13 @@
|
|||||||
square brackets ([]) to indicate the number of levels of source
|
square brackets ([]) to indicate the number of levels of source
|
||||||
bindings to be matched.</para>
|
bindings to be matched.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 4.4.17, the primary IP address of a
|
||||||
|
firewall interface can be specified by an apersand ('&')
|
||||||
|
followed by the logican name of the interface as found in the
|
||||||
|
INTERFACE column of <ulink
|
||||||
|
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||||
|
(5).</para>
|
||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para>You may exclude certain hosts from the set already defined
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
@ -638,6 +645,15 @@
|
|||||||
155.186.235.16/28</para>
|
155.186.235.16/28</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>$FW:&eth0</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The primary IP address of eth0 in the firewall zone
|
||||||
|
(Shorewall 4.4.17 and later).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -743,6 +759,13 @@
|
|||||||
role="bold">DEST</emphasis> columns may specify an ipset
|
role="bold">DEST</emphasis> columns may specify an ipset
|
||||||
name.</para>
|
name.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 4.4.17, the primary IP address of a
|
||||||
|
firewall interface can be specified by an apersand ('&')
|
||||||
|
followed by the logical name of the interface as found in the
|
||||||
|
INTERFACE column of <ulink
|
||||||
|
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||||
|
(5).</para>
|
||||||
|
|
||||||
<para>The <replaceable>port</replaceable> that the server is
|
<para>The <replaceable>port</replaceable> that the server is
|
||||||
listening on may be included and separated from the server's IP
|
listening on may be included and separated from the server's IP
|
||||||
address by ":". If omitted, the firewall will not modifiy the
|
address by ":". If omitted, the firewall will not modifiy the
|
||||||
@ -900,6 +923,13 @@
|
|||||||
if the original destination address in the connection request does
|
if the original destination address in the connection request does
|
||||||
not match any of the addresses listed.</para>
|
not match any of the addresses listed.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 4.4.17, the primary IP address of a
|
||||||
|
firewall interface can be specified by an apersand ('&')
|
||||||
|
followed by the logical name of the interface as found in the
|
||||||
|
INTERFACE column of <ulink
|
||||||
|
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||||
|
(5).</para>
|
||||||
|
|
||||||
<para>For other actions, this column may be included and may contain
|
<para>For other actions, this column may be included and may contain
|
||||||
one or more addresses (host or network) separated by commas. Address
|
one or more addresses (host or network) separated by commas. Address
|
||||||
ranges are not allowed. When this column is supplied, rules are
|
ranges are not allowed. When this column is supplied, rules are
|
||||||
@ -1370,12 +1400,13 @@
|
|||||||
url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
|
url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||||
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
|
||||||
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
|
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
||||||
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
|
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
||||||
shorewall-routestopped(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
|
shorewall-route_rules(5), shorewall-routestopped(5), shorewall.conf(5),
|
||||||
shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
|
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
||||||
shorewall-tunnels(5), shorewall-zones(5)</para>
|
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
||||||
|
shorewall-zones(5)</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
</refentry>
|
</refentry>
|
||||||
|
@ -425,6 +425,13 @@
|
|||||||
square brackets ([]) to indicate the number of levels of source
|
square brackets ([]) to indicate the number of levels of source
|
||||||
bindings to be matched.</para>
|
bindings to be matched.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a
|
||||||
|
firewall interface can be specified by an apersand ('&')
|
||||||
|
followed by the logican name of the interface as found in the
|
||||||
|
INTERFACE column of <ulink
|
||||||
|
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>
|
||||||
|
(5).</para>
|
||||||
|
|
||||||
<para>When an <replaceable>interface</replaceable> is not specified,
|
<para>When an <replaceable>interface</replaceable> is not specified,
|
||||||
you may omit the angled brackets ('<' and '>') around the
|
you may omit the angled brackets ('<' and '>') around the
|
||||||
address(es) or you may supply them to improve readability.</para>
|
address(es) or you may supply them to improve readability.</para>
|
||||||
@ -478,17 +485,24 @@
|
|||||||
2001:4d48:ad51:24:6:/80.</para>
|
2001:4d48:ad51:24:6:/80.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>$FW:&eth0</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The primary IP address of eth0 in the firewall zone
|
||||||
|
(Shorewall6 4.4.17 and later).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<blockquote>
|
|
||||||
<para>Alternatively, clients may be specified by interface by
|
<para>Alternatively, clients may be specified by interface by
|
||||||
appending ":" to the zone name followed by the interface name. For
|
appending ":" to the zone name followed by the interface name. For
|
||||||
example, <emphasis role="bold">loc:eth1</emphasis> specifies a
|
example, <emphasis role="bold">loc:eth1</emphasis> specifies a
|
||||||
client that communicates with the firewall system through eth1.
|
client that communicates with the firewall system through eth1. This
|
||||||
This may be optionally followed by another colon (":") and an
|
may be optionally followed by another colon (":") and an
|
||||||
IP/MAC/subnet address as described above (e.g., <emphasis
|
IP/MAC/subnet address as described above (e.g., <emphasis
|
||||||
role="bold">loc:eth1:<2002:ce7c::92b4:1::2></emphasis>).</para>
|
role="bold">loc:eth1:<2002:ce7c::92b4:1::2></emphasis>).</para>
|
||||||
</blockquote>
|
|
||||||
|
|
||||||
<para>Examples:</para>
|
<para>Examples:</para>
|
||||||
|
|
||||||
@ -533,6 +547,13 @@
|
|||||||
exclusion is supported -- see see <ulink
|
exclusion is supported -- see see <ulink
|
||||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a
|
||||||
|
firewall interface can be specified by an apersand ('&')
|
||||||
|
followed by the logican name of the interface as found in the
|
||||||
|
INTERFACE column of <ulink
|
||||||
|
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>
|
||||||
|
(5).</para>
|
||||||
|
|
||||||
<para>When <emphasis role="bold">none</emphasis> is used either in
|
<para>When <emphasis role="bold">none</emphasis> is used either in
|
||||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
||||||
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
||||||
|