Implement header matching

This commit is contained in:
Tom Eastep 2010-11-24 10:46:06 -08:00
parent 5e48faad9e
commit 2702d7f208
20 changed files with 430 additions and 167 deletions

View File

@ -52,7 +52,7 @@ sub process_accounting_rule( ) {
our $jumpchainref;
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File';
if ( $action eq 'COMMENT' ) {
process_comment;
@ -95,7 +95,7 @@ sub process_accounting_rule( ) {
$ports = '' if $ports eq 'any' || $ports eq 'all';
$sports = '' if $sports eq 'any' || $sports eq 'all';
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
my $rule2 = 0;
my $jump = 0;

View File

@ -143,6 +143,7 @@ our %EXPORT_TAGS = (
do_tos
do_connbytes
do_helper
do_headers
have_ipset_rules
match_source_dev
match_dest_dev
@ -2522,7 +2523,7 @@ sub do_connbytes( $ ) {
}
#
# Create a "-m helper" match for the passed argument
# Create a soft "-m helper" match for the passed argument
#
sub do_helper( $ ) {
my $helper = shift;
@ -2542,6 +2543,60 @@ sub do_length( $ ) {
$length ne '-' ? "-m length --length $length " : '';
}
#
# Create a "-m -ipv6header" match for the passed argument
#
my %headers = ( hop => 1,
dst => 1,
route => 1,
frag => 1,
auth => 1,
esp => 1,
none => 1,
'hop-by-hop' => 1,
'ipv6-opts' => 1,
'ipv6-route' => 1,
'ipv6-frag' => 1,
ah => 1,
'ipv6-nonxt' => 1,
'protocol' => 1,
0 => 1,
43 => 1,
44 => 1,
50 => 1,
51 => 1,
59 => 1,
60 => 1,
255 => 1 );
sub do_headers( $ ) {
my $headers = shift;
return '' if $headers eq '-';
require_capability 'HEADER_MATCH', 'A non-empty HEADER column', 's';
my $invert = $headers =~ s/^!// ? '! ' : "";
my $soft = '--soft ';
if ( $headers =~ s/^exactly:// ) {
$soft = '';
} else {
$headers =~ s/^any://;
}
for ( split_list $headers, "Header" ) {
if ( $_ eq 'proto' ) {
$_ = 'protocol';
} else {
fatal_error "Unknown IPv6 Header ($_)" unless $headers{$_};
}
}
"-m ipv6header ${invert}--header ${headers} ${soft}";
}
#
# Match Source Interface
#

View File

@ -254,6 +254,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
FLOW_FILTER => 'Flow Classifier',
FWMARK_RT_MASK => 'fwmark route mask',
MARK_ANYWHERE => 'Mark in any table',
HEADER_MATCH => 'Header Match',
CAPVERSION => 'Capability Version',
KERNELVERSION => 'Kernel Version',
);
@ -353,7 +354,7 @@ sub initialize( $ ) {
STATEMATCH => '-m state --state',
UNTRACKED => 0,
VERSION => "4.4.15-RC1",
CAPVERSION => 40413 ,
CAPVERSION => 40415 ,
);
#
@ -2503,6 +2504,10 @@ sub Mark_Anywhere() {
qt1( "$iptables -A $sillyname -j MARK --set-mark 5" );
}
sub Header_Match() {
qt1( "$iptables -A $sillyname -m ipv6header --header 255 -j ACCEPT" );
}
our %detect_capability =
( ADDRTYPE => \&Addrtype,
CLASSIFY_TARGET => \&Classify_Target,
@ -2517,6 +2522,7 @@ our %detect_capability =
FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
GOTO_TARGET => \&Goto_Target,
HASHLIMIT_MATCH => \&Hashlimit_Match,
HEADER_MATCH => \&Header_Match,
HELPER_MATCH => \&Helper_Match,
IPMARK_TARGET => \&IPMark_Target,
IPP2P_MATCH => \&Ipp2p_Match,

View File

@ -888,13 +888,13 @@ sub setup_mac_lists( $ ) {
}
}
sub process_rule1 ( $$$$$$$$$$$$$ );
sub process_rule1 ( $$$$$$$$$$$$$$ );
#
# Expand a macro rule from the rules file
#
sub process_macro ( $$$$$$$$$$$$$$$ ) {
my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $wildcard ) = @_;
sub process_macro ( $$$$$$$$$$$$$$$$ ) {
my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_;
my $nocomment = no_comment;
@ -912,13 +912,13 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
while ( read_a_line ) {
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime);
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders );
if ( $format == 1 ) {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
( $morigdest, $mmark, $mconnlimit, $mtime ) = qw/- - - -/;
( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders ) = qw/- - - - -/;
} else {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime ) = split_line1 1, 12, 'macro file', $macro_commands;
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders ) = split_line1 1, 13, 'macro file', $macro_commands;
}
if ( $mtarget eq 'COMMENT' ) {
@ -986,6 +986,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
merge_macro_column( $mmark, $mark ) ,
merge_macro_column( $mconnlimit, $connlimit) ,
merge_macro_column( $mtime, $time ),
merge_macro_column( $mheaders, $headers ),
$wildcard
);
@ -1005,8 +1006,8 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
# Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
#
sub process_rule1 ( $$$$$$$$$$$$$ ) {
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wildcard ) = @_;
sub process_rule1 ( $$$$$$$$$$$$$$ ) {
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_;
my ( $action, $loglevel) = split_action $target;
my ( $basictarget, $param ) = get_target_param $action;
my $rule = '';
@ -1051,6 +1052,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$mark,
$connlimit,
$time,
$headers,
$wildcard );
$macro_nest_level--;
@ -1244,7 +1246,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
do_user( $user ) ,
do_test( $mark , $globals{TC_MASK} ) ,
do_connlimit( $connlimit ),
do_time( $time ) );
do_time( $time ) ,
do_headers( $headers )
);
}
unless ( $section eq 'NEW' ) {
@ -1606,7 +1610,7 @@ sub build_zone_list( $$$\$\$ ) {
# Process a Record in the rules file
#
sub process_rule ( ) {
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time ) = split_line1 1, 12, 'rules file', \%rules_commands;
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'rules file', \%rules_commands;
process_comment, return 1 if $target eq 'COMMENT';
process_section( $source ), return 1 if $target eq 'SECTION';
@ -1638,7 +1642,7 @@ sub process_rule ( ) {
my $destzone = (split( /:/, $dest, 2 ) )[0];
$destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
$generated |= process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild;
$generated |= process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $wild;
}
}
}

View File

@ -195,7 +195,7 @@ sub initialize( $ ) {
}
sub process_tc_rule( ) {
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = split_line1 2, 13, 'tcrules file';
our @tccmd;
@ -412,7 +412,8 @@ sub process_tc_rule( ) {
do_length( $length ) .
do_tos( $tos ) .
do_connbytes( $connbytes ) .
do_helper( $helper ),
do_helper( $helper ) .
do_headers( $headers ) ,
$source ,
$dest ,
'' ,

View File

@ -1,10 +1,12 @@
Changes in Shorewall 4.4.15
Beta 3
RC 1
1) Another Perl 5.12 warning.
2) Avoid anomalous behavior regarding syn flood chains.
2) Avoid anomalous behavior regarding syn flood chains.
3) Add HEADERS column for IPv6
Beta 2

View File

@ -6,6 +6,6 @@
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#####################################################################################################
#################################################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
# PORT(S) PORT(S) GROUP

View File

@ -29,7 +29,7 @@
#
SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40413
SHOREWALL_CAPVERSION=40415
[ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]

View File

@ -1659,6 +1659,7 @@ determine_capabilities() {
FLOW_FILTER=
FWMARK_RT_MASK=
MARK_ANYWHERE=
HEADER_MATCH=
chain=fooX$$
@ -1877,6 +1878,7 @@ report_capabilities() {
report_capability "FLOW Classifier" $FLOW_FILTER
report_capability "fwmark route mask" $FWMARK_RT_MASK
report_capability "Mark in any table" $MARK_ANYWHERE
report_capability "Header Match" $HEADER_MATCH
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1942,6 +1944,7 @@ report_capabilities1() {
report_capability1 FLOW_FILTER
report_capability1 FWMARK_RT_MASK
report_capability1 MARK_ANYWHERE
report_capability1 HEADER_MATCH
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION

View File

@ -85,7 +85,36 @@ Beta 1.
RC 1
A Munin macro has been contributed by Tuomo Soini.
1) A Munin macro has been contributed by Tuomo Soini.
2) The Shorewall6 accounting, tcrules and rules files now include a
HEADERS column which allows matching based on the IPv6 extension and
protocol headers included in a packet.
The contents of the column are:
[any:|exactly:]<header list>
where <header list> is a comma-separated list of headers from the
following:
Long Name Short Name Number
--------------------------------------
auth ah 50
esp esp 51
hop-by-hop hop 0
route ipv6-route 41
frag ipv6-frag 44
none ipv6-nonxt 59
protocol proto 255
If 'any:' is specified, the rule will match if any of the listed
headers are present. If 'exactly:' is specified, the will match
packets that exactly include all specified headers. If neither is
given, 'any:' is assumed.
This change adds a new capability (Header Match) so if you use a
capabilities file, you will need to regenerate using this release.
Beta 2

View File

@ -6,6 +6,6 @@
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#####################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK
###############################################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC HEADERS
# PORT(S) PORT(S) GROUP

View File

@ -33,7 +33,7 @@
#
SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40413
SHOREWALL_CAPVERSION=40415
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]

View File

@ -1334,6 +1334,7 @@ determine_capabilities() {
FLOW_FILTER=
FWMARK_RT_MASK=
MARK_ANYWHERE=
HEADER_MATCH=
chain=fooX$$
@ -1476,6 +1477,7 @@ determine_capabilities() {
qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
qt $IP6TABLES -F $chain
qt $IP6TABLES -X $chain
@ -1553,6 +1555,7 @@ report_capabilities() {
report_capability "FLOW Classifier" $FLOW_FILTER
report_capability "fwmark route mask" $FWMARK_RT_MASK
report_capability "Mark in any table" $MARK_ANYWHERE
report_capability "Header Match" $HEADER_MATCH
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1615,6 +1618,7 @@ report_capabilities1() {
report_capability1 FLOW_FILTER
report_capability1 FWMARK_RT_MASK
report_capability1 MARK_ANYWHERE
report_capability1 HEADER_MATCH
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION

View File

@ -6,8 +6,8 @@
# The manpage is also online at
# http://www.shorewall.net/manpages6/shorewall6-rules.html
#
####################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
#######################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED

View File

@ -9,6 +9,6 @@
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
######################################################################################################################
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
##################################################################################################################################
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS
# PORT(S) PORT(S)

View File

@ -53,141 +53,11 @@
including traffic that will later be rejected by interface options such as
<quote>tcpflags</quote> and <quote>maclist</quote>.</para>
<para>The columns in the accounting file are as follows:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">ACTION </emphasis>- What to do when a
match is found. Possible values are:</para>
<itemizedlist>
<listitem>
<para>COUNT- Simply count the match and continue trying to match
the packet with the following accounting rules</para>
</listitem>
<listitem>
<para>DONE- Count the match and don't attempt to match any
following accounting rules.</para>
</listitem>
<listitem>
<para><emphasis>&lt;chain&gt;</emphasis> - The name of a chain;
Shorewall will create the chain automatically if it doesn't
already exist. A jump to this chain will be generated from the
chain specified by the CHAIN column. If the name of the chain is
followed by <quote>:COUNT</quote> then a COUNT rule matching this
entry will automatically be added to &lt;chain&gt;. Chain names
must start with a letter, must be composed of letters and digits,
and may contain underscores (<quote>_</quote>) and periods
(<quote>.</quote>). Beginning with Shorewall version 1.4.8, chain
names may also contain embedded dashes (<quote>-</quote>) and are
not required to start with a letter.</para>
</listitem>
<listitem>
<para>COMMENT - (Shorewall-perl only) - The remainder of the line
is treated as a comment which is <ulink
url="configuration_file_basics.htm#COMMENT">attached to subsequent
rules</ulink> until another COMMENT line is found or until the end
of the file is reached. To stop adding comments to rules, use a
line with only the word COMMENT.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><emphasis role="bold">CHAIN</emphasis> - The name of the chain
where the accounting rule is to be added. If empty or <quote>-</quote>
then the <quote>accounting</quote> chain is assumed (see <link
linkend="Bridge">below</link> for exceptions).</para>
</listitem>
<listitem>
<para><emphasis role="bold">SOURCE</emphasis> - Packet Source. The
name of an interface, an address (host or net), or an interface name
followed by <quote>:</quote> and a host or net address.</para>
</listitem>
<listitem>
<para><emphasis role="bold">DESTINATION</emphasis> - Packet
Destination. Format the same as the SOURCE column.</para>
</listitem>
<listitem>
<para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name
(from <filename>/etc/protocols</filename>), a protocol number or
<quote>ipp2p</quote>. For <quote>ipp2p</quote>, your kernel and
iptables must have ipp2p match support from <ulink
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
number. Service name from <filename>/etc/services</filename> or port
number. May only be specified if the protocol is TCP (6), UDP (17),
DCCP (33), SCTP (132) or UDPLITE (136). If the PROTOCOL is
<quote>ipp2p</quote>, then this column is interpreted as an ipp2p
option without the leading <quote>--</quote> (default
<quote>ipp2p</quote>). For a list of value ipp2p options, as root type
<command>iptables -m ipp2p --help</command>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">SOURCE PORT</emphasis>- Source Port
number. Service name from /etc/services or port number. May only be
specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132)
or UDPLITE (136).</para>
</listitem>
<listitem>
<para><emphasis role="bold">USER/GROUP</emphasis> - This column may
only be non-empty if the CHAIN is OUTPUT. The column may
contain:</para>
<programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;]</programlisting>
<para>When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
&lt;user&gt; and/or &lt;group&gt; specified (or is NOT running under
that id if <quote>!</quote> is given).</para>
<para>Examples:</para>
<simplelist>
<member>joe #program must be run by joe</member>
<member>:kids #program must be run by a member of the
<quote>kids</quote> group.</member>
<member>!:kids #program must not be run by a member of the
<quote>kids</quote> group</member>
</simplelist>
</listitem>
<listitem>
<para><emphasis role="bold">MARK</emphasis> - Only count packets with
particular mark values. <programlisting>[!]&lt;value&gt;[/&lt;mask&gt;][:C]</programlisting>
Defines a test on the existing packet or connection mark. The rule
will match only if the test returns true.</para>
<para>If you dont want to define a test but need to specify anything
in the following columns, place a <quote>-</quote> in this
field.<simplelist>
<member>! — Inverts the test (not equal)</member>
<member>&lt;value&gt; — Value of the packet or connection
mark.</member>
<member>&lt;mask&gt; — A mask to be applied to the mark before
testing.</member>
<member>:C — Designates a connection mark. If omitted, the packet
marks value is tested. This option is only supported by
Shorewall-perl.</member>
</simplelist></para>
</listitem>
</itemizedlist>
<para>The columns in the accounting file are described in <ulink
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink> (5)
and <ulink
url="manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>
(5).</para>
<para>In all columns except ACTION and CHAIN, the values <quote>-</quote>,
<quote>any</quote> and <quote>all</quote> are treated as

View File

@ -1161,6 +1161,13 @@ ppp0 6000kbit 500kbit</programlisting>
modules such as <emphasis>ftp</emphasis>, <emphasis>sip</emphasis>,
<emphasis>amanda</emphasis>, etc.</para>
</listitem>
<listitem>
<para>HEADERS (Optioinal, Shorewall6 only, added in Shorewall
4.4.15). List of IPv6 headers that may appear in packets. See <ulink
url="manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>
(5) for details.</para>
</listitem>
</itemizedlist>
<example id="Example1">

View File

@ -455,6 +455,100 @@
role="bold">accounting</emphasis> chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HEADERS -
[!][any:|exactly:]</emphasis><replaceable>header-list
</replaceable>(Optional - Added in Shorewall 4.4.15)</term>
<listitem>
<para>The <replaceable>header-list</replaceable> consists of a
comma-separated list of headers from the following list. </para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">auth</emphasis>, <emphasis
role="bold">ah</emphasis>, or <emphasis
role="bold">50</emphasis></term>
<listitem>
<para><firstterm>Authentication Headers</firstterm> extension
header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">esp</emphasis>, or <emphasis
role="bold">51</emphasis></term>
<listitem>
<para><firstterm>Encrypted Security Payload</firstterm>
extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hop</emphasis>, <emphasis
role="bold">hop-by-hop</emphasis> or <emphasis
role="bold">0</emphasis></term>
<listitem>
<para>Hop-by-hop options extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">route</emphasis>, <emphasis
role="bold">ipv6-route</emphasis> or <emphasis
role="bold">41</emphasis></term>
<listitem>
<para>IPv6 Route extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">frag</emphasis>, <emphasis
role="bold">ipv6-frag</emphasis> or <emphasis
role="bold">44</emphasis></term>
<listitem>
<para>IPv6 fragmentation extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">none</emphasis>, <emphasis
role="bold">ipv6-nonxt</emphasis> or <emphasis
role="bold">59</emphasis></term>
<listitem>
<para>No next header</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto</emphasis>, <emphasis
role="bold">protocol</emphasis> or <emphasis
role="bold">255</emphasis></term>
<listitem>
<para>Any protocol header. </para>
</listitem>
</varlistentry>
</variablelist>
<para>If <emphasis role="bold">any:</emphasis> is specified, the
rule will match if any of the listed headers are present. If
<emphasis role="bold">exactly:</emphasis> is specified, the will
match packets that exactly include all specified headers. If neither
is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
<para>If <emphasis role="bold">!</emphasis> is entered, the rule
will match those packets which would not be matched when <emphasis
role="bold">!</emphasis> is omitted.</para>
</listitem>
</varlistentry>
</variablelist>
<para>In all of the above columns except <emphasis

View File

@ -930,6 +930,100 @@
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HEADERS -
[!][any:|exactly:]</emphasis><replaceable>header-list
</replaceable>(Optional - Added in Shorewall 4.4.15)</term>
<listitem>
<para>The <replaceable>header-list</replaceable> consists of a
comma-separated list of headers from the following list.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">auth</emphasis>, <emphasis
role="bold">ah</emphasis>, or <emphasis
role="bold">50</emphasis></term>
<listitem>
<para><firstterm>Authentication Headers</firstterm> extension
header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">esp</emphasis>, or <emphasis
role="bold">51</emphasis></term>
<listitem>
<para><firstterm>Encrypted Security Payload</firstterm>
extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hop</emphasis>, <emphasis
role="bold">hop-by-hop</emphasis> or <emphasis
role="bold">0</emphasis></term>
<listitem>
<para>Hop-by-hop options extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">route</emphasis>, <emphasis
role="bold">ipv6-route</emphasis> or <emphasis
role="bold">41</emphasis></term>
<listitem>
<para>IPv6 Route extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">frag</emphasis>, <emphasis
role="bold">ipv6-frag</emphasis> or <emphasis
role="bold">44</emphasis></term>
<listitem>
<para>IPv6 fragmentation extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">none</emphasis>, <emphasis
role="bold">ipv6-nonxt</emphasis> or <emphasis
role="bold">59</emphasis></term>
<listitem>
<para>No next header</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto</emphasis>, <emphasis
role="bold">protocol</emphasis> or <emphasis
role="bold">255</emphasis></term>
<listitem>
<para>Any protocol header.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If <emphasis role="bold">any:</emphasis> is specified, the
rule will match if any of the listed headers are present. If
<emphasis role="bold">exactly:</emphasis> is specified, the will
match packets that exactly include all specified headers. If neither
is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
<para>If <emphasis role="bold">!</emphasis> is entered, the rule
will match those packets which would not be matched when <emphasis
role="bold">!</emphasis> is omitted.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
@ -1004,8 +1098,8 @@
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

View File

@ -600,6 +600,100 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
4 ::/0 ::/0 TCP - - - - - - - ftp</programlisting></para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HEADERS -
[!][any:|exactly:]</emphasis><replaceable>header-list
</replaceable>(Optional - Added in Shorewall 4.4.15)</term>
<listitem>
<para>The <replaceable>header-list</replaceable> consists of a
comma-separated list of headers from the following list.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">auth</emphasis>, <emphasis
role="bold">ah</emphasis>, or <emphasis
role="bold">50</emphasis></term>
<listitem>
<para><firstterm>Authentication Headers</firstterm> extension
header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">esp</emphasis>, or <emphasis
role="bold">51</emphasis></term>
<listitem>
<para><firstterm>Encrypted Security Payload</firstterm>
extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hop</emphasis>, <emphasis
role="bold">hop-by-hop</emphasis> or <emphasis
role="bold">0</emphasis></term>
<listitem>
<para>Hop-by-hop options extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">route</emphasis>, <emphasis
role="bold">ipv6-route</emphasis> or <emphasis
role="bold">41</emphasis></term>
<listitem>
<para>IPv6 Route extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">frag</emphasis>, <emphasis
role="bold">ipv6-frag</emphasis> or <emphasis
role="bold">44</emphasis></term>
<listitem>
<para>IPv6 fragmentation extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">none</emphasis>, <emphasis
role="bold">ipv6-nonxt</emphasis> or <emphasis
role="bold">59</emphasis></term>
<listitem>
<para>No next header</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto</emphasis>, <emphasis
role="bold">protocol</emphasis> or <emphasis
role="bold">255</emphasis></term>
<listitem>
<para>Any protocol header.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If <emphasis role="bold">any:</emphasis> is specified, the
rule will match if any of the listed headers are present. If
<emphasis role="bold">exactly:</emphasis> is specified, the will
match packets that exactly include all specified headers. If neither
is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
<para>If <emphasis role="bold">!</emphasis> is entered, the rule
will match those packets which would not be matched when <emphasis
role="bold">!</emphasis> is omitted.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>