diff --git a/Shorewall2/accounting b/Shorewall2/accounting index 3b8cbedfd..849cb043b 100644 --- a/Shorewall2/accounting +++ b/Shorewall2/accounting @@ -69,7 +69,7 @@ # # The column may contain: # -# [!][][:][/] +# [!][][:][+] # # When this column is non-empty, the rule applies only # if the program generating the output is running under @@ -83,7 +83,7 @@ # #the 'kids' group # !:kids #program must not be run by a member # #of the 'kids' group -# /upnpd #program named upnpd +# +upnpd #program named upnpd # # In all of the above columns except ACTION and CHAIN, the values "-", # "any" and "all" may be used as wildcards diff --git a/Shorewall2/action.template b/Shorewall2/action.template index 210b590c2..a0688dcd9 100644 --- a/Shorewall2/action.template +++ b/Shorewall2/action.template @@ -146,7 +146,7 @@ # # The column may contain: # -# [!][][:][/] +# [!][][:][+] # # When this column is non-empty, the rule applies only # if the program generating the output is running under @@ -160,7 +160,7 @@ # #the 'kids' group # !:kids #program must not be run by a member # #of the 'kids' group -# /upnpd #program named upnpd +# +upnpd #program named upnpd # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 830fdfcd6..865f9d718 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -2408,9 +2408,9 @@ process_tc_rule() r="$r-m owner" case "$user" in - */*) + *+*) r="$r --cmd-owner ${user#*/}" - user=${user%/*} + user=${user%+*} ;; esac 
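Review bot: In the process_tc_rule hunk the `--cmd-owner` line inside the new `*+*)` arm is unchanged context and still strips with `${user#*/}`. For a spec such as `joe+upnpd` there is no `/` to strip, so the whole string `joe+upnpd` is passed to `--cmd-owner`. It should read `r="$r --cmd-owner ${user#*+}"`, matching the `user=${user%+*}` line added just below it. As written, the owner match presumably names a command that never exists, so the marking rule would silently stop matching instead of failing at load time. The body of process_tc_rule starts and ends outside the hunk, so how `$r` is used afterwards is not visible here.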
@@ -2752,15 +2752,17 @@ process_accounting_rule() { user1="$user" case "$user" in - !*/*) - if [ "$user" != "!/" ]; then - rule="$rule ! --cmd-owner ${user#*/} " - user1=${user%/*} + !*+*) + if [ -n "${user#*+}" ]; then + rule="$rule ! --cmd-owner ${user#*+} " fi + user1=${user%/+} ;; - */*) - rule="$rule --cmd-owner ${user#*/} " - user1=${user%/*} + *+*) + if [ -n "${user#*+}" ]; then + rule="$rule --cmd-owner ${user#*+} " + fi + user1=${user%+*} ;; esac @@ -3180,17 +3182,17 @@ process_action() # $1 = chain (Chain to add the rules to) userandgroup="-m owner" case "$userspec" in - !*/*) - if [ "$userspec" != "!/" ]; then - userandgroup="$userandgroup ! --cmd-owner ${userspec#*/}" - userspec=${userspec%/*} + !*+*) + if [ -n "${userspec#*+}" ]; then + userandgroup="$userandgroup ! --cmd-owner ${userspec#*+}" fi + userspec=${userspec%+*} ;; */*) - if [ "$userspec" != "/" ]; then - userandgroup="$userandgroup --cmd-owner ${userspec#*/}" - userspec=${userspec%/*} + if [ -n "${userspec#*+}" ]; then + userandgroup="$userandgroup --cmd-owner ${userspec#*+}" fi + userspec=${userspec%+*} ;; esac @@ -4357,16 +4359,16 @@ process_rule() # $1 = target userandgroup="-m owner" case "$userspec" in - !*/*) - if [ "$userspec" != "!/" ]; then - userandgroup="$userandgroup ! --cmd-owner ${userspec#*/}" - userspec=${userspec%/*} + !*+*) + if [ "$userspec" != "!+" ]; then + userandgroup="$userandgroup ! --cmd-owner ${userspec#*+}" + userspec=${userspec%+*} fi ;; */*) - if [ "$userspec" != "/" ]; then - userandgroup="$userandgroup --cmd-owner ${userspec#*/}" - userspec=${userspec%/*} + if [ "$userspec" != "+" ]; then + userandgroup="$userandgroup --cmd-owner ${userspec#*+}" + userspec=${userspec%+*} fi ;; esac diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index 0ad140042..b8c1ef7ae 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt 
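Review bot: In the `!*+*)` arm of process_accounting_rule, the added line `user1=${user%/+}` removes only a literal `/+` suffix, so `user1` keeps the `+program` part of the spec. This looks like a typo for `user1=${user%+*}`, which is what the `*+*)` arm below uses. How `user1` is consumed lies outside the hunk, but it is presumably treated as the user[:group] part, in which case a negated spec like `!joe+upnpd` would feed the program name into the uid/gid owner match. A test with a negated user+program entry in the accounting file would catch this.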
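Review bot: In the process_action hunk the second case arm is still `*/*)` (unchanged context) although its body now splits on `+`, so a non-negated spec such as `joe+upnpd` never reaches it and no `--cmd-owner` restriction is added. A spec containing `/` does reach it and is passed whole to `--cmd-owner`; the pattern should be `*+*)`. The process_rule hunk below has the same leftover `*/*)` pattern. process_rule also keeps the literal comparisons `!= "!+"` and `!= "+"`, where this hunk uses `[ -n "${userspec#*+}" ]`; the `-n` form in both would also reject a trailing `+` with no program name, e.g. `joe+`. Both functions extend beyond their hunks, so the later handling of `userspec` is not visible; because these arms decide which processes a filter rule is limited to, a rule that silently loses its program restriction is worth a regression test.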
@@ -20,14 +20,14 @@ New Features in version 2.3.0 /etc/shorewall/tcrules /usr/share/shorewall/action.template - To specify a command, prefix the command name with "/". + To specify a command, prefix the command name with "+". Examples: - /mozilla-bin #The program is named "mozilla-bin" - joe/mozilla-bin #The program is named "mozilla-bin" and + +mozilla-bin #The program is named "mozilla-bin" + joe+mozilla-bin #The program is named "mozilla-bin" and #is being run by user "joe" - joe:users/mozilla-bin #The program is named "mozilla-bin" and + joe:users+mozilla-bin #The program is named "mozilla-bin" and #is being run by user "joe" with #effective group "users". diff --git a/Shorewall2/rules b/Shorewall2/rules index 73d675de6..76a7086e2 100755 --- a/Shorewall2/rules +++ b/Shorewall2/rules @@ -285,7 +285,7 @@ # # The column may contain: # -# [!][][:][/] +# [!][][:][+] # # When this column is non-empty, the rule applies only # if the program generating the output is running under @@ -299,7 +299,7 @@ # #the 'kids' group # !:kids #program must not be run by a member # #of the 'kids' group -# /upnpd #program named 'upnpd' +# +upnpd #program named 'upnpd' # # Example: Accept SMTP requests from the DMZ to the internet # diff --git a/Shorewall2/tcrules b/Shorewall2/tcrules index 4b450bdff..ba43486b1 100755 --- a/Shorewall2/tcrules +++ b/Shorewall2/tcrules @@ -130,10 +130,11 @@ # # It may contain : # -# []:[] +# []:[][+] # -# The colon is optionnal when specifying only a user. -# Examples : john: / john / :users / john:users +# The colon is optionnal when specifying only a user +# or a program name. +# Examples : john: , john , :users , john:users , +mozilla-bin # # TEST Defines a test on the existing packet or connection mark. # The rule will match only if the test returns true. Tests