Merge branch '5.1.4'

This commit is contained in:
Tom Eastep 2017-05-31 08:23:07 -07:00
commit 29ffb7eb4b
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
5 changed files with 140 additions and 47 deletions

View File

@ -55,14 +55,14 @@
<para>The maximum length of an iptables log prefix is 29 bytes. As
explained in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
where the first %s is replaced by the chain name and the second is
replaced by the disposition.</para>
the legacy default LOGPREFIX formatting string is
“Shorewall:%s:%s:” where the first %s is replaced by the chain
name and the second is replaced by the disposition.</para>
<itemizedlist>
<listitem>
<para>The default formatting string has 12 fixed characters
("Shorewall" and three colons).</para>
<para>The "Shorewall:%s:%s:" formatting string has 12 fixed
characters ("Shorewall" and three colons).</para>
</listitem>
<listitem>
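Review bot: "LOGPREFIX" in the rewritten sentence ("the legacy default LOGPREFIX formatting string") should be "LOGFORMAT"; that is the option name the same manpage uses a few lines earlier ("determined by the setting of the LOGFORMAT option in shorewall.conf(5)"), and a reader looking for LOGPREFIX in shorewall.conf(5) will not find it. Since the sentence is being reworded anyway, fix the name here.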
@ -90,6 +90,29 @@
</simplelist>
</listitem>
</itemizedlist>
<para>In Shorewall 5.1.0, the LOGFORMAT in the default and sample
shorewall.conf files was changed to "%s:%s ".</para>
<itemizedlist>
<listitem>
<para>That formatting string has 2 fixed characters (":" and a
space).</para>
</listitem>
<listitem>
<para>So the maximum zone name length M is calculated
as:</para>
<simplelist>
<member>2 + 6 + 2*M + 1 = 29</member>
<member>2M = 29 - 2 + 6 + 1 = 20</member>
<member>M = 10</member>
</simplelist>
</listitem>
</itemizedlist>
</blockquote>
<para>The order in which Shorewall matches addresses from packets to
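Review bot: the second line of the new arithmetic is wrong as written: "2M = 29 - 2 + 6 + 1 = 20" evaluates to 34, not 20. The fixed characters, the 6-character disposition and the separator are all subtracted, so it should read "2M = 29 - 2 - 6 - 1 = 20" (or "2M = 29 - (2 + 6 + 1) = 20"), which is the derivation that actually yields M = 10. Separately, the format quoted here, "%s:%s ", does not match the caution added to shorewall.conf(5) in this same commit, which gives LOGFORMAT="%s %s "; the "2 fixed characters (":" and a space)" bullet only holds for the colon form, so decide which one the shipped shorewall.conf contains and make both pages agree.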

View File

@ -1443,15 +1443,20 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem>
</itemizedlist>
<para/>
<blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for
logging from the nat table's PREROUTING chain is:</para>
logging from the nat table's PREROUTING chain is as follows in
versions prior to 5.1.0:</para>
<programlisting> Shorewall:nat:PREROUTING
</programlisting>
<para>In Shorewall 5.1.0 and later releases, the log prefix
is:</para>
<programlisting> nat:PREROUTING
</programlisting>
<important>
<para>To help insure that all packets in the NEW state are
logged, rate limiting (LOGLIMIT) should be disabled when using
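Review bot: the new 5.1.0 example prefix "nat:PREROUTING" uses a colon separator, but the caution added further down in this file says the 5.1.0 default is LOGFORMAT="%s %s ", which would produce "nat PREROUTING " (space, trailing space). One of the two is wrong; the example should be generated from whatever the default actually is. While here, "insure" in the unchanged <important> paragraph should be "ensure".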
@ -1515,6 +1520,24 @@ net all DROP info</programlisting>then the chain name is 'net-all'
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>
(5).</para>
</note>
<caution>
<para>Beginning with Shorewall 5.1.0, the default and sample
shorewall.conf files set LOGFORMAT="%s %s ". Shorewall log
messages that use this LOGFORMAT can be uniquely identified using
the following regular expression:</para>
<simplelist>
<member>'IN=.* OUT=.* SRC=.*\..* DST='</member>
</simplelist>
<para>To match all Netfilter log messages (Both IPv4 and IPv6),
use:</para>
<simplelist>
<member>'IN=.* OUT=.* SRC=.* DST='</member>
</simplelist>
</caution>
</listitem>
</varlistentry>
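Review bot: the claim that Shorewall log messages "can be uniquely identified" by 'IN=.* OUT=.* SRC=.*\..* DST=' is not supported by the pattern: it contains nothing from the log prefix, so it matches every IPv4 Netfilter LOG line on the host regardless of what produced it (and an IPv6 line whose SRC is an IPv4-mapped address). That is the real consequence of LOGFORMAT="%s %s ": there is no fixed token left to grep for, which is what the caution should say. If the intent is only to separate IPv4 from all Netfilter messages, 'SRC=[0-9.]+ DST=' does that without the greedy '.*\..*'. Also note the format quoted here ("%s %s ") disagrees with the "%s:%s " given in the shorewall-zones and shorewall6-zones hunks of this commit.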
@ -1551,8 +1574,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Using the default LOGFORMAT, chain names may not exceed 11
characters or truncation of the log prefix may occur. Longer chain
<para>Using LOGFORMAT=“Shorewall:%s:%s:”, chain names may not exceed
5 characters or truncation of the log prefix may occur. Longer chain
names may be used with log tags if you set LOGTAGONLY=Yes. With
LOGTAGONLY=Yes, if a log tag is specified then the tag is included
in the log prefix in place of the chain name.</para>
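Review bot: changing the limit from 11 to 5 looks wrong for the format now named. With LOGFORMAT="Shorewall:%s:%s:" the zones manpage's own arithmetic (12 fixed characters plus a 6-character disposition out of 29) leaves 11 characters for the chain name; 5 is the zone-name limit, and two 5-character zones plus the separator are exactly the 11-character chain name. Keep 11 here, or state that 5 refers to each zone name rather than the chain.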
@ -1564,10 +1587,10 @@ net all DROP info</programlisting>then the chain name is 'net-all'
separated by a comma. So this rule:</para>
<programlisting>#ACTION SOURCE DEST
LOG:info:foo,bar net fw</programlisting>
LOG:info:foo,bar net fw</programlisting>
<para>would generate the following log prefix when using the default
LOGFORMAT setting:</para>
<para>would generate the following log prefix when using
LOGFORMAT=“Shorewall:%s:%s:”:</para>
<simplelist>
<member>Shorewall:foo:bar:</member>
@ -2550,7 +2573,7 @@ INLINE - - - ;; -j REJECT
the <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para>
</footnote> interfaces without the routeback option.</para>
</footnote></para>
</listitem>
</varlistentry>
@ -2566,9 +2589,9 @@ INLINE - - - ;; -j REJECT
the <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para>
</footnote> interfaces without the routeback option. The default
is <option>info</option>. If you don't wish for these packets to be
logged, use SFILTER_LOG_LEVEL=none.</para>
</footnote> The default is <option>info</option>. If you don't
wish for these packets to be logged, use
SFILTER_LOG_LEVEL=none.</para>
</listitem>
</varlistentry>

View File

@ -17,6 +17,7 @@ allowInvalid inline # Accepts packets in the INVALID conntrack state
allowMcast inline # Silently Allow Multicast
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL
BLACKLIST logjump,section # Add sender to the dynamic blacklist
Broadcast noinline # Handles Broadcast/Anycast
Drop # Default Action for DROP policy (deprecated)
dropBcast inline # Silently Drop Broadcast
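Review bot: while adding the BLACKLIST line, fix "thesholds" to "thresholds" in the adjacent AutoBL comment; the file is being edited at that spot anyway and the typo ends up in the shipped actions.std.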

View File

@ -42,26 +42,27 @@
role="bold">,</emphasis><emphasis>parent-zone</emphasis>]...]</term>
<listitem>
<para>Name of the <emphasis>zone</emphasis>. The names "all",
"none", "SOURCE" and "DEST" are reserved and may not be used as zone
names. The maximum length of a zone name is determined by the
setting of the LOGFORMAT option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
With the default LOGFORMAT, zone names can be at most 5 characters
<para>Name of the <emphasis>zone</emphasis>. Must start with a
letter and consist of letters, digits or '_'. The names "all",
"none", "any", "SOURCE" and "DEST" are reserved and may not be used
as zone names. The maximum length of a zone name is determined by
the setting of the LOGFORMAT option in <ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5). With
the default LOGFORMAT, zone names can be at most 5 characters
long.</para>
<blockquote>
<para>The maximum length of an iptables log prefix is 29 bytes. As
explained in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5),
the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
where the first %s is replaced by the chain name and the second is
url="shorewall6.conf.html">shorewall6.conf</ulink> (5), the legacy
default LOGPREFIX formatting string is “Shorewall:%s:%s:” where
the first %s is replaced by the chain name and the second is
replaced by the disposition.</para>
<itemizedlist>
<listitem>
<para>The default formatting string has 12 fixed characters
("Shorewall" and three colons).</para>
<para>The "Shorewall:%s:%s:" formatting string has 12 fixed
characters ("Shorewall" and three colons).</para>
</listitem>
<listitem>
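Review bot: the two links in this paragraph now point at different documents. The first was changed to url="/manpages/shorewall.conf.html" while its text still reads shorewall6.conf(5); the second became a bare relative "shorewall6.conf.html" instead of the /manpages6/ path it replaced. Make each href match its link text (or both point at the same manpage). Also, "With the default LOGFORMAT, zone names can be at most 5 characters long" is kept unchanged although this same commit adds the 5.1.0 paragraph below it that derives M = 10 for the new default; qualify it as "with the legacy LOGFORMAT" so the two statements do not contradict each other.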
@ -72,7 +73,8 @@
<listitem>
<para>The canonical name for the chain containing the rules
for traffic going from zone 1 to zone 2 is "&lt;zone
1&gt;2&lt;zone 2&gt;".</para>
1&gt;2&lt;zone 2&gt;" or "&lt;zone 1&gt;-&lt;zone
2&gt;".</para>
</listitem>
<listitem>
@ -88,6 +90,29 @@
</simplelist>
</listitem>
</itemizedlist>
<para>In Shorewall 5.1.0, the LOGFORMAT in the default and sample
shorewall.conf files was changed to "%s:%s ".</para>
<itemizedlist>
<listitem>
<para>That formatting string has 2 fixed characters (":" and a
space).</para>
</listitem>
<listitem>
<para>So the maximum zone name length M is calculated
as:</para>
<simplelist>
<member>2 + 6 + 2*M + 1 = 29</member>
<member>2M = 29 - 2 + 6 + 1 = 20</member>
<member>M = 10</member>
</simplelist>
</listitem>
</itemizedlist>
</blockquote>
<para>The order in which Shorewall6 matches addresses from packets
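Review bot: same defect as the IPv4 page: "2M = 29 - 2 + 6 + 1 = 20" evaluates to 34; the fixed characters are subtracted, so write "2M = 29 - 2 - 6 - 1 = 20". In addition, this is the shorewall6-zones manpage, so "the LOGFORMAT in the default and sample shorewall.conf files" should refer to shorewall6.conf, and the quoted "%s:%s " should agree with the "%s %s " given in the shorewall6.conf caution added in this commit.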

View File

@ -1229,7 +1229,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<listitem>
<para>This option is intended for use as a debugging aid. When set
to a log level, this option causes Shorewall6 to generate a logging
to a log level, this option causes Shorewall to generate a logging
rule as the first rule in each builtin chain.</para>
<itemizedlist>
@ -1244,14 +1244,19 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem>
</itemizedlist>
<para/>
<blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for
logging from the nat table's PREROUTING chain is:</para>
logging from the nat table's PREROUTING chain is as follows in
versions prior to 5.1.0:</para>
<programlisting> Shorewall:nat:PREROUTING
</programlisting>
</programlisting>
<para>In Shorewall 5.1.0 and later releases, the log prefix
is:</para>
<programlisting> nat:PREROUTING
</programlisting>
<important>
<para>To help insure that all packets in the NEW state are
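Review bot: the 5.1.0 example prefix "nat:PREROUTING" (colon separator) does not match the LOGFORMAT="%s %s " (space separator) that the caution added later in this file says is the 5.1.0 default; with that format the prefix would be "nat PREROUTING ". Generate the example from the real default. Also, "insure" in the unchanged <important> paragraph should be "ensure".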
@ -1295,7 +1300,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<listitem>
<para>The value of this variable generate the --log-prefix setting
for Shorewall6 logging rules. It contains a “printf” formatting
for Shorewall logging rules. It contains a “printf” formatting
template which accepts three arguments (the chain name, logging rule
number (optional) and the disposition). To use LOGFORMAT with
fireparse, set it as:</para>
@ -1306,14 +1311,31 @@ net all DROP info</programlisting>then the chain name is 'net-all'
logging rule number is calculated and formatted in that position; if
that substring is not included then the rule number is not included.
If not supplied or supplied as empty (LOGFORMAT="") then
“Shorewall6:%s:%s:” is assumed.</para>
“Shorewall:%s:%s:” is assumed.</para>
<note>
<para>The setting of LOGFORMAT has an effect of the permitted
length of zone names. See <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>
url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>
(5).</para>
</note>
<caution>
<para>Beginning with Shorewall 5.1.0, the default and sample
shorewall.conf files set LOGFORMAT="%s %s ". Shorewall6 log
messages that use this LOGFORMAT can be uniquely identified using
the following regular expression:</para>
<simplelist>
<member>'IN=.* OUT=.* SRC=.*:.* DST='</member>
</simplelist>
<para>To match all Netfilter log messages, use:</para>
<simplelist>
<member>'IN=.* OUT=.* SRC=.* DST='</member>
</simplelist>
</caution>
</listitem>
</varlistentry>
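Review bot: the fallback changed from "Shorewall6:%s:%s:" to "Shorewall:%s:%s:" is a statement about what the shorewall6 compiler assumes when LOGFORMAT is empty; please confirm the code was changed to match, because administrators who grep for "Shorewall6:" on IPv6 hosts will otherwise be told the wrong prefix. The <note> link now has url="/manpages/shorewall-zones.html" with text "shorewall6-zones"; make them agree. And as on the IPv4 page, 'IN=.* OUT=.* SRC=.*:.* DST=' does not "uniquely identify" Shorewall6 messages: it keys on the colon in an IPv6 address and matches every IPv6 Netfilter LOG line, whoever produced it. With LOGFORMAT="%s %s " there is no Shorewall-specific token left to match, which is the point the caution should make.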
@ -1350,8 +1372,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Using the default LOGFORMAT, chain names may not exceed 11
characters or truncation of the log prefix may occur. Longer chain
<para>Using LOGFORMAT=“Shorewall:%s:%s:”, chain names may not exceed
5 characters or truncation of the log prefix may occur. Longer chain
names may be used with log tags if you set LOGTAGONLY=Yes. With
LOGTAGONLY=Yes, if a log tag is specified then the tag is included
in the log prefix in place of the chain name.</para>
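Review bot: as in shorewall.conf(5), 11 to 5 is the wrong correction for LOGFORMAT="Shorewall:%s:%s:": 29 minus the 12 fixed characters and the 6-character disposition leaves 11 for the chain name; 5 is the per-zone limit from shorewall6-zones(5), and a chain named from two such zones plus the separator is 11 characters. Keep 11, or say explicitly that 5 applies to each zone name.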
@ -1363,10 +1385,10 @@ net all DROP info</programlisting>then the chain name is 'net-all'
separated by a comma. So this rule:</para>
<programlisting>#ACTION SOURCE DEST
LOG:info:foo,bar net fw</programlisting>
LOG:info:foo,bar net fw</programlisting>
<para>would generate the following log prefix when using the default
LOGFORMAT setting:</para>
<para>would generate the following log prefix when using
LOGFORMAT=“Shorewall:%s:%s:”:</para>
<simplelist>
<member>Shorewall:foo:bar:</member>
@ -1375,7 +1397,7 @@ LOG:info:foo,bar net fw</programlisting>
<para>Similarly,</para>
<programlisting>#ACTION SOURCE DEST
LOG:info:,bar net fw</programlisting>
LOG:info:,bar net fw</programlisting>
<para>would generate</para>
@ -2236,7 +2258,7 @@ INLINE - - - ;; -j REJECT
the <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para>
</footnote> interfaces without the routeback option.</para>
</footnote></para>
</listitem>
</varlistentry>
@ -2252,9 +2274,8 @@ INLINE - - - ;; -j REJECT
the <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para>
</footnote> interfaces without the routeback option. The default
is <option>info</option>. If you don't wish for these packets to be
logged, use SFILTER_LOG_LEVEL=none.</para>
</footnote>The default is <option>info</option>. If you don't wish
for these packets to be logged, use SFILTER_LOG_LEVEL=none.</para>
</listitem>
</varlistentry>
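Review bot: a space is missing between "</footnote>" and "The default" in the rewritten sentence, so the rendered text runs the footnote marker into the next sentence; the IPv4 version of the same change in shorewall.conf.xml keeps the space ("</footnote> The default").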