From 1de5404e67834a0d82d62947760b44191114f836 Mon Sep 17 00:00:00 2001 From: el_cubano Date: Tue, 29 Jul 2008 04:28:41 +0000 Subject: [PATCH] Format and grammar fixes. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8660 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/changelog.txt | 2 +- Shorewall-common/releasenotes.txt | 291 +++++++++++++++--------------- 2 files changed, 146 insertions(+), 147 deletions(-) diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index 04165c80d..c57d6c0e6 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -10,7 +10,7 @@ Changes in 4.2.0-Beta3 5) Fix COPY column. -6) Add macro.RNDC. +6) Add macro.RNDC. Changes in 4.2.0-Beta2 diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 75dfb02dd..6bcef030c 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -36,20 +36,20 @@ Migration Issues. 3) Specifying a destination zone in a NAT-only rule now generates a warning and the destination zone is ignored. NAT-only rules are: - NONAT - REDIRECT- - DNAT- + NONAT + REDIRECT- + DNAT- 4) The default value for LOG_MARTIANS has been changed. Previously, the defaults were: - Shorewall-perl - 'Off' - Shorewall-shell - 'No' + Shorewall-perl - 'Off' + Shorewall-shell - 'No' The new default values are: - Shorewall-perl - 'On' - Shorewall-shell - 'Yes'. + Shorewall-perl - 'On' + Shorewall-shell - 'Yes'. Shorewall-perl users may: 
@@ -200,16 +200,16 @@ New Features in Shorewall 4.2. /etc/shorewall/route_rules: - #SOURCE DEST PROVIDER PRIORITY - - 206.124.146.0/24 Blarg 1000 - - 130.252.144.0/24 Avvanta 1000 - 206.124.146.177 - Blarg 26000 + #SOURCE DEST PROVIDER PRIORITY + - 206.124.146.0/24 Blarg 1000 + - 130.252.144.0/24 Avvanta 1000 + 206.124.146.177 - Blarg 26000 /etc/shorewall/tcrules - #MARK/CLASSIFY SOURCE DEST - 1 eth0:206.124.146.0/24 0.0.0.0/0 - 2 eth0:130.242.144.0/24 0.0.0.0/0 + #MARK/CLASSIFY SOURCE DEST + 1 eth0:206.124.146.0/24 0.0.0.0/0 + 2 eth0:130.242.144.0/24 0.0.0.0/0 2) You may now include the name of a table (nat, mangle or filter) in a 'shorewall refresh' command by following the table name with a @@ -218,7 +218,7 @@ New Features in Shorewall 4.2. Example: - shorewall refresh nat: + shorewall refresh nat: 3) When no chain name is given to the 'shorewall refresh' command, the mangle table is refreshed along with the blacklist chain (if @@ -243,11 +243,11 @@ New Features in Shorewall 4.2. /etc/shorewall/shorewall.conf: - MACLIST_LOG_LEVEL=NFLOG(1,0,1) + MACLIST_LOG_LEVEL=NFLOG(1,0,1) /etc/shorewall/rules: - ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 + ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 5) Shorewall-perl 4.2 implements an alternative syntax for macro parameters and for the NFQUEUE queue number. Rather than following @@ -256,8 +256,8 @@ New Features in Shorewall 4.2. Examples -- each pair shown below are equivalent: - DNS/ACCEPT DNS(ACCEPT) - NFQUEUE/3 NFQUEUE(3) + DNS/ACCEPT DNS(ACCEPT) + NFQUEUE/3 NFQUEUE(3) The old syntax will still be accepted but will cease to be documented in some future Shorewall release. 
@@ -276,17 +276,17 @@ New Features in Shorewall 4.2. the verbosity at which logging will occur. It uses the same value range as VERBOSITY: - -1 Do not log - 0 Almost quiet - 1 Only major steps - 2 Verbose + -1 Do not log + 0 Almost quiet + 1 Only major steps + 2 Verbose c) An absolute VERBOSITY may be specified on the command line using the -v option followed by -1,0,1 or 2. - Example: + Example: - shorewall -v2 check + shorewall -v2 check d) The /etc/init.d/shorewall script supplied with the shorewall.net packages sets '-v0' as the default. This may be @@ -296,17 +296,17 @@ New Features in Shorewall 4.2. Logging occurs on both Shorewall-perl and the generated script when the following commands are issued: - start - restart - refresh + start + restart + refresh Messages in the log are always timestamped. This change implemented two new options to the Shorewall-perl compiler (/usr/share/shorewall-perl/compiler.pl). - --log= - --log_verbosity={-1|0-2} + --log= + --log_verbosity={-1|0-2} The --log option is ignored when --log_verbosity is not supplied or is supplied with value -1. 
@@ -315,35 +315,35 @@ New Features in Shorewall 4.2. Shorewall::Compiler::compile(), that function has been changed to use named parameters. Parameter names are: - object Object file. If omitted or '', the - configuration is syntax checked. - directory Directory. If omitted or '', configuration - files are located using - CONFIG_PATH. Otherwise, the directory named by - this parameter is searched first. - verbosity Verbosity; range -1 to 2 - timestamp 0|1 -- timestamp messages. - debug 0|1 -- include stack trace in warning/error - messages. - export 0|1 -- compile for export. - chains List of chains to be reloaded by 'refresh'. - log File to log compiler messages to. - log_verbosity Log Verbosity; range -1 to 2. + object Object file. If omitted or '', the + configuration is syntax checked. + directory Directory. If omitted or '', configuration + files are located using + CONFIG_PATH. Otherwise, the directory named by + this parameter is searched first. + verbosity Verbosity; range -1 to 2 + timestamp 0|1 -- timestamp messages. + debug 0|1 -- include stack trace in warning/error + messages. + export 0|1 -- compile for export. + chains List of chains to be reloaded by 'refresh'. + log File to log compiler messages to. + log_verbosity Log Verbosity; range -1 to 2. Those parameters that are supplied must have defined values. Defaults are: - object '' ('check' command) - directory '' - verbosity 1 - timestamp 0 - debug 0 - export 0 - chains '' - log '' - log_verbosity -1 - + object '' ('check' command) + directory '' + verbosity 1 + timestamp 0 + debug 0 + export 0 + chains '' + log '' + log_verbosity -1 + Example: @@ -352,7 +352,7 @@ New Features in Shorewall 4.2. compiler( object => '/root/firewall', log => '/root/compile.log', - log_verbosity => 2 ); + log_verbosity => 2 ); 7) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero mark values < 256 to be assigned in the OUTPUT chain. This has been 
@@ -371,7 +371,7 @@ New Features in Shorewall 4.2. column. Currently only a single option is defined. classify When specified, you must use explicit CLASSIFY tcrules - to classify traffic by class. Shorewall will not create + to classify traffic by class. Shorewall will not create any CLASSIFY rules to classify traffic by mark value. See http://www.shorewall.net/traffic_shaping.htm for further @@ -386,25 +386,25 @@ New Features in Shorewall 4.2. when the top-level macro was invoked. This allows the following: - /etc/shorewall/macro.SSH: + /etc/shorewall/macro.SSH: - #ACTION SOURCE PROTO DEST SOURCE RATE USER/ - # PORT(S) PORT(S) LIMIT GROUP - COMMENT My SSH Macro - PARAM - - tcp 22 + #ACTION SOURCE PROTO DEST SOURCE RATE USER/ + # PORT(S) PORT(S) LIMIT GROUP + COMMENT My SSH Macro + PARAM - - tcp 22 - /etc/shorewall/rules: + /etc/shorewall/rules: - COMMENT Allow SSH from home - SSH/ALLOW net:$MYIP $FW - COMMENT + COMMENT Allow SSH from home + SSH/ALLOW net:$MYIP $FW + COMMENT - The comment line in macro.SSH will not override the - COMMENT line in the rules file and the generated rule will show + The comment line in macro.SSH will not override the + COMMENT line in the rules file and the generated rule will show - /* Allow SSH from home */ + /* Allow SSH from home */ - when displayed through the Shorewall show and dump commands. + when displayed through the Shorewall show and dump commands. If a macro is invoked and there is no current comment, then the name of the macro automatically becomes the current comment. This @@ -429,7 +429,7 @@ New Features in Shorewall 4.2. Example: - OWNER=foo GROUP=bar ./install.sh + OWNER=foo GROUP=bar ./install.sh To install Shorewall-perl under Cygwin: 
@@ -450,9 +450,9 @@ New Features in Shorewall 4.2. 16) Specifying a destination zone in a NAT-only rule now generates a warning and the destination zone is ignored. NAT-only rules are: - NONAT - REDIRECT- - DNAT- + NONAT + REDIRECT- + DNAT- 17) The /etc/shorewall/masq and /etc/shorewall/nat file now accept a comma-separated list of interface names where before only a single @@ -469,26 +469,26 @@ New Features in Shorewall 4.2. /etc/shorewall/masq: #INTERFACE SOURCE ADDRESS - eth0,eth1 eth2 1.2.3.4 + eth0,eth1 eth2 1.2.3.4 equivalent to: #INTERFACE SOURCE ADDRESS - eth0 eth2 1.2.3.4 - eth1 eth2 1.2.3.4 + eth0 eth2 1.2.3.4 + eth1 eth2 1.2.3.4 Example 2: /etc/shorewall/masq: - #INTERFACE SOURCE ADDRESS - eth0,eth1::192.168.1.0/24 eth2 1.2.3.4 + #INTERFACE SOURCE ADDRESS + eth0,eth1::192.168.1.0/24 eth2 1.2.3.4 equivalent to: #INTERFACE SOURCE ADDRESS - eth0::192.168.1.0/24 eth2 1.2.3.4 - eth1::192.168.1.0/24 eth2 1.2.3.4 + eth0::192.168.1.0/24 eth2 1.2.3.4 + eth1::192.168.1.0/24 eth2 1.2.3.4 Example 3: @@ -513,11 +513,11 @@ New Features in Shorewall 4.2. /etc/shorewall/interfaces: - vpn tun+ + vpn tun+ /etc/shorewall/masq: - tun1 192.168.4.0/24 + tun1 192.168.4.0/24 19) Previously, Shorewall classified non-firewall zones as either 'simple' or 'complex'. Attributes of a zone which made it 'complex' @@ -564,7 +564,7 @@ New Features in Shorewall 4.2. So, if you have this rule: - SSH/ACCEPT loc fw + SSH/ACCEPT loc fw then the generated netfilter rule will include "/* SSH */" when viewed with 'iptables -L' or 'shorewall show loc2fw' or 'shorewall @@ -594,9 +594,9 @@ New Features in Shorewall 4.2. Example: - #INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS - 1:eth0 1300kbit 384kbit classify - 2:eth1 5600kbit 1000kbit + #INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS + 1:eth0 1300kbit 384kbit classify + 2:eth1 5600kbit 1000kbit In /etc/shorewall/tcclasses: 
@@ -634,26 +634,26 @@ New Features in Shorewall 4.2. Example: - ursa:~ # modprobe ifb numifbs=1 - ursa:~ # ip link ls - 1: lo: mtu 16436 qdisc noqueue - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 - 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 - link/ether cc:2b:cb:24:1b:00 brd ff:ff:ff:ff:ff:ff - 3: wlan0: mtu 1500 qdisc pfifo_fast qlen 1000 - link/ether 00:1a:73:db:8c:35 brd ff:ff:ff:ff:ff:ff + ursa:~ # modprobe ifb numifbs=1 + ursa:~ # ip link ls + 1: lo: mtu 16436 qdisc noqueue + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 + link/ether cc:2b:cb:24:1b:00 brd ff:ff:ff:ff:ff:ff + 3: wlan0: mtu 1500 qdisc pfifo_fast qlen 1000 + link/ether 00:1a:73:db:8c:35 brd ff:ff:ff:ff:ff:ff 4: ifb0: mtu 1500 qdisc noop qlen 32 - link/ether 26:99:d8:7d:32:26 brd ff:ff:ff:ff:ff:ff - ursa:~ # + link/ether 26:99:d8:7d:32:26 brd ff:ff:ff:ff:ff:ff + ursa:~ # After you have created the IFB(s), you must bring it(them) up: - ip link set dev ifb0 up + ip link set dev ifb0 up You can place all of this in /etc/shorewall/init as follows: - modprobe ifb numifbs=1 - ip link set dev ifb0 up + modprobe ifb numifbs=1 + ip link set dev ifb0 up The /etc/shorewall/tcdevices file has been extended to include an additional REDIRECTED DEVICES column. To convert your configuration @@ -662,15 +662,15 @@ New Features in Shorewall 4.2. a) Look at your current /etc/shorewall/tcdevices file. Suppose you have: - #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS - eth0 1300kbit 384kbit - + #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS + eth0 1300kbit 384kbit - Change it as follows: - #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED - # DEVICES - eth0 - 384kkbit - - ifb0 - 1300kbit - eth0 + #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED + # DEVICES + eth0 - 384kkbit - + ifb0 - 1300kbit - eth0 Note that the old IN-BANDWIDTH for eth0 has become the OUT-BANDWIDTH for ifb0 and that neither device has an 
@@ -695,32 +695,32 @@ New Features in Shorewall 4.2. INTERFACE:CLASS - The interface name or number followed by a colon (":") - and the class number. + The interface name or number followed by a colon (":") + and the class number. SOURCE Source IP address. May be a host or network address. - Specify "-" if any SOURCE address should match. + Specify "-" if any SOURCE address should match. DEST - Destination IP address. May be a host or network - address. Specify "-" if any DEST address should match. + Destination IP address. May be a host or network + address. Specify "-" if any DEST address should match. PROTO - Protocol Name/Number. Specify "-" if any PROTO should - match. + Protocol Name/Number. Specify "-" if any PROTO should + match. DEST PORT(S) - A comma-separated list of destination ports. May only - be given if the PROTO is tcp, udp, icmp or - sctp. Port ranges may be used, except when the PROTO is - icmp. Specify "-" if any PORT should match. + A comma-separated list of destination ports. May only + be given if the PROTO is tcp, udp, icmp or + sctp. Port ranges may be used, except when the PROTO is + icmp. Specify "-" if any PORT should match. SOURCE PORT(S) - A comma-separated list of source port. May only be - given if the PROTO is tcp, udp or sctp. Port ranges - may be used unless the protocol is icmp. Specify "-" if - any PORT should match. + A comma-separated list of source port. May only be + given if the PROTO is tcp, udp or sctp. Port ranges + may be used unless the protocol is icmp. Specify "-" if + any PORT should match. Entries in /etc/shorewall/tcfilters generate U32 tc filters which may be displayed using the "shorewall show filters" ("shorewall-lite 
@@ -745,23 +745,23 @@ New Features in Shorewall 4.2. where is the interface name: - - in upper case - - with any characters not allowed in shell variable names - replaced by '_'. + - in upper case + - with any characters not allowed in shell variable names + replaced by '_'. Example (from OpenWRT): - Interface: eth0.1 - Variable: ETH0_1_GATEWAY + Interface: eth0.1 + Variable: ETH0_1_GATEWAY /etc/shorewall/init: - ETH0_1_GATEWAY=$(uci get /var/state/network.wan0.gateway) + ETH0_1_GATEWAY=$(uci get /var/state/network.wan0.gateway) 29) A new CONNBYTES column has been added to the tcrules file. The column defines a byte or packet range that the connection must fall within in order for the rule to match. The contents are: - [!]:[[:{O|R|B}[:{B|P|A}]]] + [!]:[[:{O|R|B}[:{B|P|A}]]] ! matches if the the packet/byte count is not within the range defined by and . @@ -790,7 +790,7 @@ New Features in Shorewall 4.2. Examples: - 1000000: - Connection has transferred a total of + 1000000: - Connection has transferred a total of at least 1,000,000 bytes. 1000000::R - Connection has transferred at least @@ -799,8 +799,8 @@ New Features in Shorewall 4.2. large download). 1000000::O:P - Connection has sent at least 1,000,000 - packets in the direction of the original - connection. + packets in the direction of the original + connection. 30) A new MANGLE_ENABLED option is added to shorewall.conf. The default setting is 'Yes' which causes Shorewall to assume responsibility for @@ -828,7 +828,7 @@ New Features in Shorewall 4.2. columns. So that Shorewall-perl can determine which column layout each macro has, a new FORMAT directive is added: - FORMAT {1|2} + FORMAT {1|2} The default is FORMAT 1 which is the old format. FORMAT 2 specifies that the macro is in the new format. 
@@ -839,12 +839,12 @@ New Features in Shorewall 4.2. The macro body is: - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ - # PORT(S) PORT(S) DEST LIMIT GROUP + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ + # PORT(S) PORT(S) DEST LIMIT GROUP FORMAT 2 - PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \ - DEST - - - - - - - PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \ + DEST - - - - - - + PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE The 'norfc1918' option on the interface associated with zone 'z' @@ -875,7 +875,6 @@ New Features in Shorewall 4.2. 35) Previously, when IP_FORWARDING=Yes in shorewall.conf, Shorewall would enable ip forwarding before instantiating the rules. This could lead to incorrect connection tracking entries being created - between the time that forwarding was enabled and when the nat table rules were instantiated. @@ -904,12 +903,12 @@ New Features in Shorewall 4.2. 39) A 'save' extension script is added. The script is run after iptables-save has completed successfully. - The 'load' and 'reload' commands copy the save script (if any) to - /etc/shorewall-lite/ on the remove firewall system. The 'export' - command copies the file to the same directory as the 'firewall' and - 'firewall.conf' scripts. + The 'load' and 'reload' commands copy the save script (if any) to + /etc/shorewall-lite/ on the remove firewall system. The 'export' + command copies the file to the same directory as the 'firewall' and + 'firewall.conf' scripts. - I have the following commands in my 'save' script: + I have the following commands in my 'save' script: [ -s /root/ipsets.save ] && cp -a /root/ipsets.save /root/ipsets.save.backup ipset -S > /root/ipsets.save 
@@ -921,10 +920,10 @@ New Features in Shorewall 4.2. if [ "$COMMAND" = start ]; then ipset -U :all: :all: - ipset -U :all: :default: - ipset -F - ipset -X - ipset -R < /root/ipsets.save + ipset -U :all: :default: + ipset -F + ipset -X + ipset -R < /root/ipsets.save fi Those two scripts allow me to save and restore the contents of my
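Review bot: in the @@ -200 hunk of releasenotes.txt the re-indented tcrules line `2 eth0:130.242.144.0/24 0.0.0.0/0` names a different network from the route_rules entry `- 130.252.144.0/24 Avvanta 1000` just above it; the two examples are meant to describe the same Avvanta network, so one of them is a typo. Since this commit already touches both lines, make them agree so a reader copying the example does not mark the wrong source network.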
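Review bot: the @@ -352 hunk re-indents `log_verbosity => 2 );` inside a call written as `compiler( object => '/root/firewall', ...`, but the paragraph in the @@ -315 hunk introduces the function as `Shorewall::Compiler::compile()`. One of the two names is wrong; check the exported symbol in Shorewall::Compiler and make the prose and the example use the same name, otherwise the named-parameter example cannot be pasted as-is.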
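Review bot: the @@ -594 hunk keeps the misspelled header `#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS` in its + lines; for a commit titled "Format and grammar fixes" this should become `IN-BANDWIDTH`, matching the header used in the tcdevices examples of the @@ -662 hunk.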
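Review bot: in the @@ -662 hunk the converted tcdevices line `eth0 - 384kkbit -` carries the typo `384kkbit` unchanged into the + line. The "Suppose you have" table two lines above gives eth0's OUT-BANDWIDTH as `384kbit`, and the following sentence says that value is simply moved, so the converted line should read `eth0 - 384kbit -`.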
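Review bot: the SOURCE PORT(S) description in the @@ -695 hunk still reads "A comma-separated list of source port" (should be "ports"), and its last sentence, "Port ranges may be used unless the protocol is icmp", contradicts the sentence before it, which limits SOURCE PORT(S) to tcp, udp or sctp, so the icmp exception can never apply. Drop the icmp clause from SOURCE PORT(S) (it belongs only under DEST PORT(S), where icmp is allowed) while these lines are being re-indented.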
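Review bot: the context line "! matches if the the packet/byte count is not within the range" directly below the re-indented CONNBYTES syntax in the @@ -745 hunk has a doubled "the"; it is in scope of this grammar pass and cheap to fold in.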
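Review bot: the re-indented paragraph in the @@ -903 hunk still says the save script is copied to "/etc/shorewall-lite/ on the remove firewall system"; this should be "remote firewall system". The grammar pass missed it even though the line is rewritten.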
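Review bot: in the @@ -920 hunk the restore block runs `ipset -F` and `ipset -X` before `ipset -R < /root/ipsets.save`, so if the save file is missing, empty or truncated the sets have already been flushed and destroyed and the firewall comes up with empty or nonexistent ipsets (and any rule referencing them fails to load). The companion save script already guards with `[ -s /root/ipsets.save ] &&`; applying the same test before the flush, or restoring into the existing sets and only then removing stale ones, keeps a bad save file from silently dropping the blacklist contents. This is the author's own script, but since readers will copy it the caveat is worth a sentence in the notes.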