Implement header matching

2025-08-15 19:23:41 +02:00 · 2010-11-24 10:46:06 -08:00
parent 5e48faad9e
commit 2702d7f208
20 changed files with 430 additions and 167 deletions
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@ -53,141 +53,11 @@
    including traffic that will later be rejected by interface options such as
    <quote>tcpflags</quote> and <quote>maclist</quote>.</para>

-    <para>The columns in the accounting file are as follows:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para><emphasis role="bold">ACTION </emphasis>- What to do when a
-        match is found. Possible values are:</para>
-
-        <itemizedlist>
-          <listitem>
-            <para>COUNT- Simply count the match and continue trying to match
-            the packet with the following accounting rules</para>
-          </listitem>
-
-          <listitem>
-            <para>DONE- Count the match and don't attempt to match any
-            following accounting rules.</para>
-          </listitem>
-
-          <listitem>
-            <para><emphasis>&lt;chain&gt;</emphasis> - The name of a chain;
-            Shorewall will create the chain automatically if it doesn't
-            already exist. A jump to this chain will be generated from the
-            chain specified by the CHAIN column. If the name of the chain is
-            followed by <quote>:COUNT</quote> then a COUNT rule matching this
-            entry will automatically be added to &lt;chain&gt;. Chain names
-            must start with a letter, must be composed of letters and digits,
-            and may contain underscores (<quote>_</quote>) and periods
-            (<quote>.</quote>). Beginning with Shorewall version 1.4.8, chain
-            names may also contain embedded dashes (<quote>-</quote>) and are
-            not required to start with a letter.</para>
-          </listitem>
-
-          <listitem>
-            <para>COMMENT - (Shorewall-perl only) - The remainder of the line
-            is treated as a comment which is <ulink
-            url="configuration_file_basics.htm#COMMENT">attached to subsequent
-            rules</ulink> until another COMMENT line is found or until the end
-            of the file is reached. To stop adding comments to rules, use a
-            line with only the word COMMENT.</para>
-          </listitem>
-        </itemizedlist>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">CHAIN</emphasis> - The name of the chain
-        where the accounting rule is to be added. If empty or <quote>-</quote>
-        then the <quote>accounting</quote> chain is assumed (see <link
-        linkend="Bridge">below</link> for exceptions).</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">SOURCE</emphasis> - Packet Source. The
-        name of an interface, an address (host or net), or an interface name
-        followed by <quote>:</quote> and a host or net address.</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">DESTINATION</emphasis> - Packet
-        Destination. Format the same as the SOURCE column.</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name
-        (from <filename>/etc/protocols</filename>), a protocol number or
-        <quote>ipp2p</quote>. For <quote>ipp2p</quote>, your kernel and
-        iptables must have ipp2p match support from <ulink
-        url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
-        number. Service name from <filename>/etc/services</filename> or port
-        number. May only be specified if the protocol is TCP (6), UDP (17),
-        DCCP (33), SCTP (132) or UDPLITE (136). If the PROTOCOL is
-        <quote>ipp2p</quote>, then this column is interpreted as an ipp2p
-        option without the leading <quote>--</quote> (default
-        <quote>ipp2p</quote>). For a list of value ipp2p options, as root type
-        <command>iptables -m ipp2p --help</command>.</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">SOURCE PORT</emphasis>- Source Port
-        number. Service name from /etc/services or port number. May only be
-        specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132)
-        or UDPLITE (136).</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">USER/GROUP</emphasis> - This column may
-        only be non-empty if the CHAIN is OUTPUT. The column may
-        contain:</para>
-
-        <programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;]</programlisting>
-
-        <para>When this column is non-empty, the rule applies only if the
-        program generating the output is running under the effective
-        &lt;user&gt; and/or &lt;group&gt; specified (or is NOT running under
-        that id if <quote>!</quote> is given).</para>
-
-        <para>Examples:</para>
-
-        <simplelist>
-          <member>joe #program must be run by joe</member>
-
-          <member>:kids #program must be run by a member of the
-          <quote>kids</quote> group.</member>
-
-          <member>!:kids #program must not be run by a member of the
-          <quote>kids</quote> group</member>
-        </simplelist>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">MARK</emphasis> - Only count packets with
-        particular mark values. <programlisting>[!]&lt;value&gt;[/&lt;mask&gt;][:C]</programlisting>
-        Defines a test on the existing packet or connection mark. The rule
-        will match only if the test returns true.</para>
-
-        <para>If you don’t want to define a test but need to specify anything
-        in the following columns, place a <quote>-</quote> in this
-        field.<simplelist>
-            <member>! — Inverts the test (not equal)</member>
-
-            <member>&lt;value&gt; — Value of the packet or connection
-            mark.</member>
-
-            <member>&lt;mask&gt; — A mask to be applied to the mark before
-            testing.</member>
-
-            <member>:C — Designates a connection mark. If omitted, the packet
-            mark’s value is tested. This option is only supported by
-            Shorewall-perl.</member>
-          </simplelist></para>
-      </listitem>
-    </itemizedlist>
+    <para>The columns in the accounting file are described in <ulink
+    url="manpages/shorewall-accounting.html">shorewall-accounting</ulink> (5)
+    and <ulink
+    url="manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>
+    (5).</para>

    <para>In all columns except ACTION and CHAIN, the values <quote>-</quote>,
    <quote>any</quote> and <quote>all</quote> are treated as
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@ -1161,6 +1161,13 @@ ppp0           6000kbit         500kbit</programlisting>
          modules such as <emphasis>ftp</emphasis>, <emphasis>sip</emphasis>,
          <emphasis>amanda</emphasis>, etc.</para>
        </listitem>
+
+        <listitem>
+          <para>HEADERS (Optioinal, Shorewall6 only, added in Shorewall
+          4.4.15). List of IPv6 headers that may appear in packets. See <ulink
+          url="manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>
+          (5) for details.</para>
+        </listitem>
      </itemizedlist>

      <example id="Example1">