extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-25 09:03:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Implement header matching

Browse Source
This commit is contained in:
Tom Eastep 2010-11-24 10:46:06 -08:00
parent 5e48faad9e
commit 2702d7f208
20 changed files with 430 additions and 167 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/Perl/Shorewall/Accounting.pm
View File

@ -52,7 +52,7 @@ sub process_accounting_rule( ) {
our $jumpchainref; our $jumpchainref;
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File'; my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File';
if ( $action eq 'COMMENT' ) { if ( $action eq 'COMMENT' ) {
process_comment; process_comment;
@ -95,7 +95,7 @@ sub process_accounting_rule( ) {
$ports = '' if $ports eq 'any' || $ports eq 'all'; $ports = '' if $ports eq 'any' || $ports eq 'all';
$sports = '' if $sports eq 'any' || $sports eq 'all'; $sports = '' if $sports eq 'any' || $sports eq 'all';
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ); my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
my $rule2 = 0; my $rule2 = 0;
my $jump = 0; my $jump = 0;

57
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -143,6 +143,7 @@ our %EXPORT_TAGS = (
do_tos do_tos
do_connbytes do_connbytes
do_helper do_helper
do_headers
have_ipset_rules have_ipset_rules
match_source_dev match_source_dev
match_dest_dev match_dest_dev
@ -2522,7 +2523,7 @@ sub do_connbytes( $ ) {
} }
# #
# Create a "-m helper" match for the passed argument # Create a soft "-m helper" match for the passed argument
# #
sub do_helper( $ ) { sub do_helper( $ ) {
my $helper = shift; my $helper = shift;
@ -2542,6 +2543,60 @@ sub do_length( $ ) {
$length ne '-' ? "-m length --length $length " : ''; $length ne '-' ? "-m length --length $length " : '';
} }
#
# Create a "-m -ipv6header" match for the passed argument
#
my %headers = ( hop => 1,
dst => 1,
route => 1,
frag => 1,
auth => 1,
esp => 1,
none => 1,
'hop-by-hop' => 1,
'ipv6-opts' => 1,
'ipv6-route' => 1,
'ipv6-frag' => 1,
ah => 1,
'ipv6-nonxt' => 1,
'protocol' => 1,
0 => 1,
43 => 1,
44 => 1,
50 => 1,
51 => 1,
59 => 1,
60 => 1,
255 => 1 );
sub do_headers( $ ) {
my $headers = shift;
return '' if $headers eq '-';
require_capability 'HEADER_MATCH', 'A non-empty HEADER column', 's';
my $invert = $headers =~ s/^!// ? '! ' : "";
my $soft = '--soft ';
if ( $headers =~ s/^exactly:// ) {
$soft = '';
} else {
$headers =~ s/^any://;
}
for ( split_list $headers, "Header" ) {
if ( $_ eq 'proto' ) {
$_ = 'protocol';
} else {
fatal_error "Unknown IPv6 Header ($_)" unless $headers{$_};
}
}
"-m ipv6header ${invert}--header ${headers} ${soft}";
}
# #
# Match Source Interface # Match Source Interface
# #

8
Shorewall/Perl/Shorewall/Config.pm
View File

@ -254,6 +254,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
FLOW_FILTER => 'Flow Classifier', FLOW_FILTER => 'Flow Classifier',
FWMARK_RT_MASK => 'fwmark route mask', FWMARK_RT_MASK => 'fwmark route mask',
MARK_ANYWHERE => 'Mark in any table', MARK_ANYWHERE => 'Mark in any table',
HEADER_MATCH => 'Header Match',
CAPVERSION => 'Capability Version', CAPVERSION => 'Capability Version',
KERNELVERSION => 'Kernel Version', KERNELVERSION => 'Kernel Version',
); );
@ -353,7 +354,7 @@ sub initialize( $ ) {
STATEMATCH => '-m state --state', STATEMATCH => '-m state --state',
UNTRACKED => 0, UNTRACKED => 0,
VERSION => "4.4.15-RC1", VERSION => "4.4.15-RC1",
CAPVERSION => 40413 , CAPVERSION => 40415 ,
); );
# #
@ -2503,6 +2504,10 @@ sub Mark_Anywhere() {
qt1( "$iptables -A $sillyname -j MARK --set-mark 5" ); qt1( "$iptables -A $sillyname -j MARK --set-mark 5" );
} }
sub Header_Match() {
qt1( "$iptables -A $sillyname -m ipv6header --header 255 -j ACCEPT" );
}
our %detect_capability = our %detect_capability =
( ADDRTYPE => \&Addrtype, ( ADDRTYPE => \&Addrtype,
CLASSIFY_TARGET => \&Classify_Target, CLASSIFY_TARGET => \&Classify_Target,
@ -2517,6 +2522,7 @@ our %detect_capability =
FWMARK_RT_MASK => \&Fwmark_Rt_Mask, FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
GOTO_TARGET => \&Goto_Target, GOTO_TARGET => \&Goto_Target,
HASHLIMIT_MATCH => \&Hashlimit_Match, HASHLIMIT_MATCH => \&Hashlimit_Match,
HEADER_MATCH => \&Header_Match,
HELPER_MATCH => \&Helper_Match, HELPER_MATCH => \&Helper_Match,
IPMARK_TARGET => \&IPMark_Target, IPMARK_TARGET => \&IPMark_Target,
IPP2P_MATCH => \&Ipp2p_Match, IPP2P_MATCH => \&Ipp2p_Match,

26
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -888,13 +888,13 @@ sub setup_mac_lists( $ ) {
} }
} }
sub process_rule1 ( $$$$$$$$$$$$$ ); sub process_rule1 ( $$$$$$$$$$$$$$ );
# #
# Expand a macro rule from the rules file # Expand a macro rule from the rules file
# #
sub process_macro ( $$$$$$$$$$$$$$$ ) { sub process_macro ( $$$$$$$$$$$$$$$$ ) {
my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $wildcard ) = @_; my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_;
my $nocomment = no_comment; my $nocomment = no_comment;
@ -912,13 +912,13 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
while ( read_a_line ) { while ( read_a_line ) {
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime); my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders );
if ( $format == 1 ) { if ( $format == 1 ) {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands; ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
( $morigdest, $mmark, $mconnlimit, $mtime ) = qw/- - - -/; ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders ) = qw/- - - - -/;
} else { } else {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime ) = split_line1 1, 12, 'macro file', $macro_commands; ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders ) = split_line1 1, 13, 'macro file', $macro_commands;
} }
if ( $mtarget eq 'COMMENT' ) { if ( $mtarget eq 'COMMENT' ) {
@ -986,6 +986,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
merge_macro_column( $mmark, $mark ) , merge_macro_column( $mmark, $mark ) ,
merge_macro_column( $mconnlimit, $connlimit) , merge_macro_column( $mconnlimit, $connlimit) ,
merge_macro_column( $mtime, $time ), merge_macro_column( $mtime, $time ),
merge_macro_column( $mheaders, $headers ),
$wildcard $wildcard
); );
@ -1005,8 +1006,8 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
# Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If # Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion. # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
# #
sub process_rule1 ( $$$$$$$$$$$$$ ) { sub process_rule1 ( $$$$$$$$$$$$$$ ) {
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wildcard ) = @_; my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_;
my ( $action, $loglevel) = split_action $target; my ( $action, $loglevel) = split_action $target;
my ( $basictarget, $param ) = get_target_param $action; my ( $basictarget, $param ) = get_target_param $action;
my $rule = ''; my $rule = '';
@ -1051,6 +1052,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$mark, $mark,
$connlimit, $connlimit,
$time, $time,
$headers,
$wildcard ); $wildcard );
$macro_nest_level--; $macro_nest_level--;
@ -1244,7 +1246,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
do_user( $user ) , do_user( $user ) ,
do_test( $mark , $globals{TC_MASK} ) , do_test( $mark , $globals{TC_MASK} ) ,
do_connlimit( $connlimit ), do_connlimit( $connlimit ),
do_time( $time ) ); do_time( $time ) ,
do_headers( $headers )
);
} }
unless ( $section eq 'NEW' ) { unless ( $section eq 'NEW' ) {
@ -1606,7 +1610,7 @@ sub build_zone_list( $$$\$\$ ) {
# Process a Record in the rules file # Process a Record in the rules file
# #
sub process_rule ( ) { sub process_rule ( ) {
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time ) = split_line1 1, 12, 'rules file', \%rules_commands; my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'rules file', \%rules_commands;
process_comment, return 1 if $target eq 'COMMENT'; process_comment, return 1 if $target eq 'COMMENT';
process_section( $source ), return 1 if $target eq 'SECTION'; process_section( $source ), return 1 if $target eq 'SECTION';
@ -1638,7 +1642,7 @@ sub process_rule ( ) {
my $destzone = (split( /:/, $dest, 2 ) )[0]; my $destzone = (split( /:/, $dest, 2 ) )[0];
$destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone; $destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) { if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
$generated |= process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild; $generated |= process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $wild;
} }
} }
} }

5
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -195,7 +195,7 @@ sub initialize( $ ) {
} }
sub process_tc_rule( ) { sub process_tc_rule( ) {
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file'; my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = split_line1 2, 13, 'tcrules file';
our @tccmd; our @tccmd;
@ -412,7 +412,8 @@ sub process_tc_rule( ) {
do_length( $length ) . do_length( $length ) .
do_tos( $tos ) . do_tos( $tos ) .
do_connbytes( $connbytes ) . do_connbytes( $connbytes ) .
do_helper( $helper ), do_helper( $helper ) .
do_headers( $headers ) ,
$source , $source ,
$dest , $dest ,
'' , '' ,

4
Shorewall/changelog.txt
View File

@ -1,11 +1,13 @@
Changes in Shorewall 4.4.15 Changes in Shorewall 4.4.15
Beta 3 RC 1
1) Another Perl 5.12 warning. 1) Another Perl 5.12 warning.
2) Avoid anomalous behavior regarding syn flood chains. 2) Avoid anomalous behavior regarding syn flood chains.
3) Add HEADERS column for IPv6
Beta 2 Beta 2
1) Tweaks to IPv6 tcfilters 1) Tweaks to IPv6 tcfilters

2
Shorewall/configfiles/accounting
View File

@ -6,6 +6,6 @@
# Please see http://shorewall.net/Accounting.html for examples and # Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file. # additional information about how to use this file.
# #
##################################################################################################### #################################################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
# PORT(S) PORT(S) GROUP # PORT(S) PORT(S) GROUP

2
Shorewall/lib.base
View File

@ -29,7 +29,7 @@
# #
SHOREWALL_LIBVERSION=40407 SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40413 SHOREWALL_CAPVERSION=40415
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]

3
Shorewall/lib.cli
View File

@ -1659,6 +1659,7 @@ determine_capabilities() {
FLOW_FILTER= FLOW_FILTER=
FWMARK_RT_MASK= FWMARK_RT_MASK=
MARK_ANYWHERE= MARK_ANYWHERE=
HEADER_MATCH=
chain=fooX$$ chain=fooX$$
@ -1877,6 +1878,7 @@ report_capabilities() {
report_capability "FLOW Classifier" $FLOW_FILTER report_capability "FLOW Classifier" $FLOW_FILTER
report_capability "fwmark route mask" $FWMARK_RT_MASK report_capability "fwmark route mask" $FWMARK_RT_MASK
report_capability "Mark in any table" $MARK_ANYWHERE report_capability "Mark in any table" $MARK_ANYWHERE
report_capability "Header Match" $HEADER_MATCH
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1942,6 +1944,7 @@ report_capabilities1() {
report_capability1 FLOW_FILTER report_capability1 FLOW_FILTER
report_capability1 FWMARK_RT_MASK report_capability1 FWMARK_RT_MASK
report_capability1 MARK_ANYWHERE report_capability1 MARK_ANYWHERE
report_capability1 HEADER_MATCH
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION

31
Shorewall/releasenotes.txt
View File

@ -85,7 +85,36 @@ Beta 1.
RC 1 RC 1
A Munin macro has been contributed by Tuomo Soini. 1) A Munin macro has been contributed by Tuomo Soini.
2) The Shorewall6 accounting, tcrules and rules files now include a
HEADERS column which allows matching based on the IPv6 extension and
protocol headers included in a packet.
The contents of the column are:
[any:|exactly:]<header list>
where <header list> is a comma-separated list of headers from the
following:
Long Name Short Name Number
--------------------------------------
auth ah 50
esp esp 51
hop-by-hop hop 0
route ipv6-route 41
frag ipv6-frag 44
none ipv6-nonxt 59
protocol proto 255
If 'any:' is specified, the rule will match if any of the listed
headers are present. If 'exactly:' is specified, the will match
packets that exactly include all specified headers. If neither is
given, 'any:' is assumed.
This change adds a new capability (Header Match) so if you use a
capabilities file, you will need to regenerate using this release.
Beta 2 Beta 2

4
Shorewall6/accounting
View File

@ -6,6 +6,6 @@
# Please see http://shorewall.net/Accounting.html for examples and # Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file. # additional information about how to use this file.
# #
##################################################################################### ###############################################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC HEADERS
# PORT(S) PORT(S) GROUP # PORT(S) PORT(S) GROUP

2
Shorewall6/lib.base
View File

@ -33,7 +33,7 @@
# #
SHOREWALL_LIBVERSION=40407 SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40413 SHOREWALL_CAPVERSION=40415
[ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]

4
Shorewall6/lib.cli
View File

@ -1334,6 +1334,7 @@ determine_capabilities() {
FLOW_FILTER= FLOW_FILTER=
FWMARK_RT_MASK= FWMARK_RT_MASK=
MARK_ANYWHERE= MARK_ANYWHERE=
HEADER_MATCH=
chain=fooX$$ chain=fooX$$
@ -1476,6 +1477,7 @@ determine_capabilities() {
qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
qt $IP6TABLES -A $chain -j LOG || LOG_TARGET= qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
qt $IP6TABLES -F $chain qt $IP6TABLES -F $chain
qt $IP6TABLES -X $chain qt $IP6TABLES -X $chain
@ -1553,6 +1555,7 @@ report_capabilities() {
report_capability "FLOW Classifier" $FLOW_FILTER report_capability "FLOW Classifier" $FLOW_FILTER
report_capability "fwmark route mask" $FWMARK_RT_MASK report_capability "fwmark route mask" $FWMARK_RT_MASK
report_capability "Mark in any table" $MARK_ANYWHERE report_capability "Mark in any table" $MARK_ANYWHERE
report_capability "Header Match" $HEADER_MATCH
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1615,6 +1618,7 @@ report_capabilities1() {
report_capability1 FLOW_FILTER report_capability1 FLOW_FILTER
report_capability1 FWMARK_RT_MASK report_capability1 FWMARK_RT_MASK
report_capability1 MARK_ANYWHERE report_capability1 MARK_ANYWHERE
report_capability1 HEADER_MATCH
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION

4
Shorewall6/rules
View File

@ -6,8 +6,8 @@
# The manpage is also online at # The manpage is also online at
# http://www.shorewall.net/manpages6/shorewall6-rules.html # http://www.shorewall.net/manpages6/shorewall6-rules.html
# #
#################################################################################################################################################### #######################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED

4
Shorewall6/tcrules
View File

@ -9,6 +9,6 @@
# #
# See http://shorewall.net/PacketMarking.html for a detailed description of # See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism. # the Netfilter/Shorewall packet marking mechanism.
###################################################################################################################### ##################################################################################################################################
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER #MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS
# PORT(S) PORT(S) # PORT(S) PORT(S)

140
docs/Accounting.xml
View File

@ -53,141 +53,11 @@
including traffic that will later be rejected by interface options such as including traffic that will later be rejected by interface options such as
<quote>tcpflags</quote> and <quote>maclist</quote>.</para> <quote>tcpflags</quote> and <quote>maclist</quote>.</para>
<para>The columns in the accounting file are as follows:</para> <para>The columns in the accounting file are described in <ulink
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink> (5)
<itemizedlist> and <ulink
<listitem> url="manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>
<para><emphasis role="bold">ACTION </emphasis>- What to do when a (5).</para>
match is found. Possible values are:</para>
<itemizedlist>
<listitem>
<para>COUNT- Simply count the match and continue trying to match
the packet with the following accounting rules</para>
</listitem>
<listitem>
<para>DONE- Count the match and don't attempt to match any
following accounting rules.</para>
</listitem>
<listitem>
<para><emphasis>&lt;chain&gt;</emphasis> - The name of a chain;
Shorewall will create the chain automatically if it doesn't
already exist. A jump to this chain will be generated from the
chain specified by the CHAIN column. If the name of the chain is
followed by <quote>:COUNT</quote> then a COUNT rule matching this
entry will automatically be added to &lt;chain&gt;. Chain names
must start with a letter, must be composed of letters and digits,
and may contain underscores (<quote>_</quote>) and periods
(<quote>.</quote>). Beginning with Shorewall version 1.4.8, chain
names may also contain embedded dashes (<quote>-</quote>) and are
not required to start with a letter.</para>
</listitem>
<listitem>
<para>COMMENT - (Shorewall-perl only) - The remainder of the line
is treated as a comment which is <ulink
url="configuration_file_basics.htm#COMMENT">attached to subsequent
rules</ulink> until another COMMENT line is found or until the end
of the file is reached. To stop adding comments to rules, use a
line with only the word COMMENT.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><emphasis role="bold">CHAIN</emphasis> - The name of the chain
where the accounting rule is to be added. If empty or <quote>-</quote>
then the <quote>accounting</quote> chain is assumed (see <link
linkend="Bridge">below</link> for exceptions).</para>
</listitem>
<listitem>
<para><emphasis role="bold">SOURCE</emphasis> - Packet Source. The
name of an interface, an address (host or net), or an interface name
followed by <quote>:</quote> and a host or net address.</para>
</listitem>
<listitem>
<para><emphasis role="bold">DESTINATION</emphasis> - Packet
Destination. Format the same as the SOURCE column.</para>
</listitem>
<listitem>
<para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name
(from <filename>/etc/protocols</filename>), a protocol number or
<quote>ipp2p</quote>. For <quote>ipp2p</quote>, your kernel and
iptables must have ipp2p match support from <ulink
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
number. Service name from <filename>/etc/services</filename> or port
number. May only be specified if the protocol is TCP (6), UDP (17),
DCCP (33), SCTP (132) or UDPLITE (136). If the PROTOCOL is
<quote>ipp2p</quote>, then this column is interpreted as an ipp2p
option without the leading <quote>--</quote> (default
<quote>ipp2p</quote>). For a list of value ipp2p options, as root type
<command>iptables -m ipp2p --help</command>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">SOURCE PORT</emphasis>- Source Port
number. Service name from /etc/services or port number. May only be
specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132)
or UDPLITE (136).</para>
</listitem>
<listitem>
<para><emphasis role="bold">USER/GROUP</emphasis> - This column may
only be non-empty if the CHAIN is OUTPUT. The column may
contain:</para>
<programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;]</programlisting>
<para>When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
&lt;user&gt; and/or &lt;group&gt; specified (or is NOT running under
that id if <quote>!</quote> is given).</para>
<para>Examples:</para>
<simplelist>
<member>joe #program must be run by joe</member>
<member>:kids #program must be run by a member of the
<quote>kids</quote> group.</member>
<member>!:kids #program must not be run by a member of the
<quote>kids</quote> group</member>
</simplelist>
</listitem>
<listitem>
<para><emphasis role="bold">MARK</emphasis> - Only count packets with
particular mark values. <programlisting>[!]&lt;value&gt;[/&lt;mask&gt;][:C]</programlisting>
Defines a test on the existing packet or connection mark. The rule
will match only if the test returns true.</para>
<para>If you dont want to define a test but need to specify anything
in the following columns, place a <quote>-</quote> in this
field.<simplelist>
<member>! — Inverts the test (not equal)</member>
<member>&lt;value&gt; — Value of the packet or connection
mark.</member>
<member>&lt;mask&gt; — A mask to be applied to the mark before
testing.</member>
<member>:C — Designates a connection mark. If omitted, the packet
marks value is tested. This option is only supported by
Shorewall-perl.</member>
</simplelist></para>
</listitem>
</itemizedlist>
<para>In all columns except ACTION and CHAIN, the values <quote>-</quote>, <para>In all columns except ACTION and CHAIN, the values <quote>-</quote>,
<quote>any</quote> and <quote>all</quote> are treated as <quote>any</quote> and <quote>all</quote> are treated as

7
docs/traffic_shaping.xml
View File

@ -1161,6 +1161,13 @@ ppp0 6000kbit 500kbit</programlisting>
modules such as <emphasis>ftp</emphasis>, <emphasis>sip</emphasis>, modules such as <emphasis>ftp</emphasis>, <emphasis>sip</emphasis>,
<emphasis>amanda</emphasis>, etc.</para> <emphasis>amanda</emphasis>, etc.</para>
</listitem> </listitem>
<listitem>
<para>HEADERS (Optioinal, Shorewall6 only, added in Shorewall
4.4.15). List of IPv6 headers that may appear in packets. See <ulink
url="manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>
(5) for details.</para>
</listitem>
</itemizedlist> </itemizedlist>
<example id="Example1"> <example id="Example1">

94
manpages6/shorewall6-accounting.xml
View File

@ -455,6 +455,100 @@
role="bold">accounting</emphasis> chain.</para> role="bold">accounting</emphasis> chain.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">HEADERS -
[!][any:|exactly:]</emphasis><replaceable>header-list
</replaceable>(Optional - Added in Shorewall 4.4.15)</term>
<listitem>
<para>The <replaceable>header-list</replaceable> consists of a
comma-separated list of headers from the following list. </para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">auth</emphasis>, <emphasis
role="bold">ah</emphasis>, or <emphasis
role="bold">50</emphasis></term>
<listitem>
<para><firstterm>Authentication Headers</firstterm> extension
header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">esp</emphasis>, or <emphasis
role="bold">51</emphasis></term>
<listitem>
<para><firstterm>Encrypted Security Payload</firstterm>
extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hop</emphasis>, <emphasis
role="bold">hop-by-hop</emphasis> or <emphasis
role="bold">0</emphasis></term>
<listitem>
<para>Hop-by-hop options extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">route</emphasis>, <emphasis
role="bold">ipv6-route</emphasis> or <emphasis
role="bold">41</emphasis></term>
<listitem>
<para>IPv6 Route extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">frag</emphasis>, <emphasis
role="bold">ipv6-frag</emphasis> or <emphasis
role="bold">44</emphasis></term>
<listitem>
<para>IPv6 fragmentation extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">none</emphasis>, <emphasis
role="bold">ipv6-nonxt</emphasis> or <emphasis
role="bold">59</emphasis></term>
<listitem>
<para>No next header</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto</emphasis>, <emphasis
role="bold">protocol</emphasis> or <emphasis
role="bold">255</emphasis></term>
<listitem>
<para>Any protocol header. </para>
</listitem>
</varlistentry>
</variablelist>
<para>If <emphasis role="bold">any:</emphasis> is specified, the
rule will match if any of the listed headers are present. If
<emphasis role="bold">exactly:</emphasis> is specified, the will
match packets that exactly include all specified headers. If neither
is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
<para>If <emphasis role="bold">!</emphasis> is entered, the rule
will match those packets which would not be matched when <emphasis
role="bold">!</emphasis> is omitted.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para>In all of the above columns except <emphasis <para>In all of the above columns except <emphasis

100
manpages6/shorewall6-rules.xml
View File

@ -930,6 +930,100 @@
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">HEADERS -
[!][any:|exactly:]</emphasis><replaceable>header-list
</replaceable>(Optional - Added in Shorewall 4.4.15)</term>
<listitem>
<para>The <replaceable>header-list</replaceable> consists of a
comma-separated list of headers from the following list.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">auth</emphasis>, <emphasis
role="bold">ah</emphasis>, or <emphasis
role="bold">50</emphasis></term>
<listitem>
<para><firstterm>Authentication Headers</firstterm> extension
header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">esp</emphasis>, or <emphasis
role="bold">51</emphasis></term>
<listitem>
<para><firstterm>Encrypted Security Payload</firstterm>
extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hop</emphasis>, <emphasis
role="bold">hop-by-hop</emphasis> or <emphasis
role="bold">0</emphasis></term>
<listitem>
<para>Hop-by-hop options extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">route</emphasis>, <emphasis
role="bold">ipv6-route</emphasis> or <emphasis
role="bold">41</emphasis></term>
<listitem>
<para>IPv6 Route extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">frag</emphasis>, <emphasis
role="bold">ipv6-frag</emphasis> or <emphasis
role="bold">44</emphasis></term>
<listitem>
<para>IPv6 fragmentation extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">none</emphasis>, <emphasis
role="bold">ipv6-nonxt</emphasis> or <emphasis
role="bold">59</emphasis></term>
<listitem>
<para>No next header</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto</emphasis>, <emphasis
role="bold">protocol</emphasis> or <emphasis
role="bold">255</emphasis></term>
<listitem>
<para>Any protocol header.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If <emphasis role="bold">any:</emphasis> is specified, the
rule will match if any of the listed headers are present. If
<emphasis role="bold">exactly:</emphasis> is specified, the will
match packets that exactly include all specified headers. If neither
is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
<para>If <emphasis role="bold">!</emphasis> is entered, the rule
will match those packets which would not be matched when <emphasis
role="bold">!</emphasis> is omitted.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
@ -1004,8 +1098,8 @@
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para> shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>

94
manpages6/shorewall6-tcrules.xml
View File

@ -600,6 +600,100 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
4 ::/0 ::/0 TCP - - - - - - - ftp</programlisting></para> 4 ::/0 ::/0 TCP - - - - - - - ftp</programlisting></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">HEADERS -
[!][any:|exactly:]</emphasis><replaceable>header-list
</replaceable>(Optional - Added in Shorewall 4.4.15)</term>
<listitem>
<para>The <replaceable>header-list</replaceable> consists of a
comma-separated list of headers from the following list.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">auth</emphasis>, <emphasis
role="bold">ah</emphasis>, or <emphasis
role="bold">50</emphasis></term>
<listitem>
<para><firstterm>Authentication Headers</firstterm> extension
header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">esp</emphasis>, or <emphasis
role="bold">51</emphasis></term>
<listitem>
<para><firstterm>Encrypted Security Payload</firstterm>
extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hop</emphasis>, <emphasis
role="bold">hop-by-hop</emphasis> or <emphasis
role="bold">0</emphasis></term>
<listitem>
<para>Hop-by-hop options extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">route</emphasis>, <emphasis
role="bold">ipv6-route</emphasis> or <emphasis
role="bold">41</emphasis></term>
<listitem>
<para>IPv6 Route extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">frag</emphasis>, <emphasis
role="bold">ipv6-frag</emphasis> or <emphasis
role="bold">44</emphasis></term>
<listitem>
<para>IPv6 fragmentation extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">none</emphasis>, <emphasis
role="bold">ipv6-nonxt</emphasis> or <emphasis
role="bold">59</emphasis></term>
<listitem>
<para>No next header</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto</emphasis>, <emphasis
role="bold">protocol</emphasis> or <emphasis
role="bold">255</emphasis></term>
<listitem>
<para>Any protocol header.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If <emphasis role="bold">any:</emphasis> is specified, the
rule will match if any of the listed headers are present. If
<emphasis role="bold">exactly:</emphasis> is specified, the will
match packets that exactly include all specified headers. If neither
is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
<para>If <emphasis role="bold">!</emphasis> is entered, the rule
will match those packets which would not be matched when <emphasis
role="bold">!</emphasis> is omitted.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>