From 2e949f5aa81d0e63d490ad8dce88013aee52bd01 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 31 Oct 2006 19:01:23 +0000 Subject: [PATCH] More code generation changes; remove trailing whitespace git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4772 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/compiler | 123 +++++++++++++++++++------------------ Shorewall/configpath | 8 +-- Shorewall/help | 2 +- Shorewall/lib.actions | 18 +++--- Shorewall/lib.base | 32 ++++++---- Shorewall/lib.config | 20 +++--- Shorewall/lib.maclist | 20 +++--- Shorewall/lib.nat | 6 +- Shorewall/lib.providers | 44 +++++++------ Shorewall/lib.tc | 27 ++++---- Shorewall/lib.tcrules | 2 +- Shorewall/lib.tunnels | 2 +- Shorewall/macro.Drop | 2 +- Shorewall/macro.Reject | 2 +- Shorewall/masq | 2 +- Shorewall/netmap | 2 +- Shorewall/policy | 4 +- Shorewall/prog.footer | 8 +-- Shorewall/releasenotes.txt | 100 +++++++++++++++--------------- Shorewall/rules | 2 +- Shorewall/shorewall | 2 +- Shorewall/shorewall.conf | 14 ++--- Shorewall/tcdevices | 6 +- Shorewall/tcrules | 2 +- Shorewall/zones | 2 +- 25 files changed, 229 insertions(+), 223 deletions(-) diff --git a/Shorewall/compiler b/Shorewall/compiler index 422acd1f6..38c129581 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -39,7 +39,7 @@ # Fatal error -- stops the compiler after issuing the error message # fatal_error() # $* = Error Message -{ +{ echo " ERROR: $@" >&2 [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$OUTPUT" ] && rm -f $OUTPUT 
@@ -49,10 +49,10 @@ fatal_error() # $* = Error Message # # We include this for compatibility with the 'firewall' script. It distinguishes between -# Fatal Errors (stop or restore required) and Startup Errors (errors detected before the firewall +# Fatal Errors (stop or restore required) and Startup Errors (errors detected before the firewall # state has been changed. This allows us to use common parsing routines in both programs. # -startup_error() +startup_error() { echo " ERROR: $@" >&2 [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR @@ -508,7 +508,7 @@ validate_policy() esac default= - + case $policy in *:None|*:none) default=none @@ -546,7 +546,7 @@ validate_policy() NONE) [ "$client" = "$FW" -o "$server" = "$FW" ] && \ fatal_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone" - + [ -n "$clientwild" -o -n "$serverwild" ] && \ fatal_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\"" ;; @@ -569,7 +569,7 @@ validate_policy() [ "x$synparams" = "x-" ] && synparams= policy=${policy%:*} - + [ $policy = NONE ] || ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain" eval ${chain}_is_policy=Yes @@ -802,7 +802,7 @@ setup_ecn() # $1 = file name if [ -n "$interfaces" ]; then progress_message "$DOING ECN control on${interfaces}..." - + for interface in $interfaces; do chain=$(ecn_chain $interface) if havemanglechain $chain; then @@ -813,7 +813,7 @@ setup_ecn() # $1 = file name run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain fi done - + for host in $hosts; do interface=${host%:*} h=${host#*:} @@ -897,7 +897,7 @@ setup_tc1() { # Just in case the file ended with a comment # [ -n "$COMMENTS" ] && save_command COMMENT= - + # # Link to the TC mangle chains from the main chains # @@ -1371,7 +1371,7 @@ substitute_action() # $1 = parameter, $2 = action # it handles builtin actions. # process_actions3() -{ +{ for xaction in $USEDACTIONS; do # # Find the chain associated with this action:level:tag 
@@ -1538,7 +1538,7 @@ __EOF__ set -- $(separate_list $xtag) [ $# -eq 3 ] || fatal_error "Rule must include ,, as the log tag" - + run_iptables -A $xchain -m recent --name $1 --set if [ -n "$xlevel" ]; then @@ -1796,12 +1796,12 @@ add_a_rule() { { fatal_error "Unknown interface $1 in rule: \"$rule\"" } - + rule_interface_verify() { verify_interface $1 || interface_error $1 } - + handle_exclusion() { build_exclusion_chain chain filter "$excludesource" "$excludedest" @@ -1826,7 +1826,7 @@ add_a_rule() { do_ipp2p() { [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" - + dports="-m ipp2p --${port:-ipp2p}" case $proto in @@ -1879,7 +1879,7 @@ add_a_rule() { dest_interface= serv= - + case "$server" in -) ;; @@ -1907,7 +1907,7 @@ add_a_rule() { servport=$serverport multiport= user="$userandgroup" - + # Restore $chain to the canonical chain. chain=$logchain @@ -1958,7 +1958,7 @@ add_a_rule() { ;; REDIRECT) [ -n "$excludedest" ] && fatal_error "Invalid DEST for this ACTION; rule \"$rule\"" - + [ -n "$serv" ] && \ fatal_error "REDIRECT rules cannot specify a server IP; rule: \"$rule\"" servport=${servport:=$port} @@ -1966,7 +1966,7 @@ add_a_rule() { ;; DNAT|SAME) [ -n "$excludedest" ] && fatal_error "Invalid DEST for this ACTION; rule \"$rule\"" - + [ -n "$serv" ] || \ fatal_error "$logtarget rules require a server address; rule: \"$rule\"" natrule=Yes @@ -1986,7 +1986,7 @@ add_a_rule() { state= ;; esac - + if [ -n "${serv}${servport}" ]; then # A specific server or server port given @@ -1997,11 +1997,11 @@ add_a_rule() { elif [ -n "$servport" -a "$servport" != "$port" ]; then fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination port mapping; rule \"$rule\"" fi - + if [ -n "${excludesource}${excludedest}" ]; then handle_exclusion fi - + if [ -z "$dnat_only" ]; then if [ -n "$serv" ]; then for serv1 in $(separate_list $serv); do 
@@ -2019,7 +2019,7 @@ __EOF__ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \ $user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state fi - + run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \ $(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target done @@ -2029,12 +2029,12 @@ __EOF__ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ $state $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) fi - + if [ -n "$nonat" ]; then addnatrule $(dnat_chain $source) $proto $multiport \ $cli $sports $(dest_ip_range $srv) $dports $ratelimit $user -j RETURN fi - + if [ "$logtarget" != NONAT ]; then run_iptables2 -A $chain $state $proto $multiport $cli $sports \ $(dest_ip_range $srv) $dports $ratelimit $user -j $target @@ -2047,11 +2047,11 @@ __EOF__ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ $state $(fix_bang $proto $sports $multiport $cli $dports) fi - + [ -n "$nonat" ] && \ addnatrule $(dnat_chain $source) $proto $multiport \ $cli $sports $dports $ratelimit $user -j RETURN - + [ "$logtarget" != NONAT ] && \ run_iptables2 -A $chain $state $proto $multiport $cli $sports \ $dports $ratelimit $user -j $target @@ -2071,13 +2071,13 @@ __EOF__ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ $state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr) fi - + if [ "$logtarget" != LOG ]; then if [ -n "$nonat" ]; then addnatrule $(dnat_chain $source) $proto $multiport \ $cli $sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j RETURN fi - + if [ "$logtarget" != NONAT ]; then run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \ $sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j $target 
@@ -2089,13 +2089,13 @@ __EOF__ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ $state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports) fi - + if [ "$logtarget" != LOG ]; then if [ -n "$nonat" ]; then addnatrule $(dnat_chain $source) $proto $multiport \ $cli $sports $dports $ratelimit $user -j RETURN fi - + if [ "$logtarget" != NONAT ]; then run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \ $sports $dports $ratelimit $user -j $target @@ -2923,13 +2923,13 @@ process_default_macro() # $1 = macro name add_a_rule progress_message "Rule \"$target $protocol $port $cport $ratelimit $userspec\" $DONE" - + done < $TMP_DIR/macro.$macro progress_message "..End Macro" } - + # # Process a record from the tos file # @@ -3118,11 +3118,11 @@ process_tos() # $1 = name of tos file chain=fortos stdchain=FORWARD fi - + strip_file tos $1 if [ -s $TMP_DIR/tos ] ; then - + save_progress_message "Setting up TOS..." progress_message2 "$DOING $1..." @@ -3496,7 +3496,7 @@ refresh_blacklist() { expandv networks protocol ports process_blacklist_rec done < $TMP_DIR/blacklist - + INDENT="$indent" save_command "fi" } @@ -4234,7 +4234,7 @@ activate_rules() fi need_broadcast= - + if [ -n "$complex" ]; then frwd_chain=${zone}_frwd chain=$(dnat_chain $zone) @@ -4266,7 +4266,7 @@ activate_rules() if [ -n "$exclusions" ]; then run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j ${zone}_input run_iptables -A ${zone}_input -j $chain2 - else + else run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 fi fi 
@@ -4302,20 +4302,20 @@ activate_rules() dest_zones= # - # The following loop attempts to eliminate redundant sequences of jumps to - # all2all or 2all. It does so by combining all trailing + # The following loop attempts to eliminate redundant sequences of jumps to + # all2all or 2all. It does so by combining all trailing # jumps to the same policy-only chain. # for zone1 in $ZONES; do eval policy=\$${zone}2${zone1}_policy - + [ "$policy" = NONE ] && continue - + chain="$(rules_chain $zone $zone1)" - + [ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain. - + if [ $zone = $zone1 ]; then # # Try not to generate superfluous intra-zone rules @@ -4323,7 +4323,7 @@ activate_rules() eval routeback=\"\$${zone}_routeback\" eval interfaces=\"\$${zone}_interfaces\" eval ports="\$${zone}_ports" - + num_ifaces=$(list_count1 $interfaces) # # If the zone has a single interface then what matters is how many ports it has @@ -4335,8 +4335,8 @@ activate_rules() # if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then continue - fi - fi + fi + fi case $chain in *2all) @@ -4402,7 +4402,7 @@ activate_rules() for zone1 in $dest_zones; do eval policy=\$${zone}2${zone1}_policy - + [ "$policy" = NONE ] && continue eval dest_hosts=\$${zone1}_hosts @@ -4411,7 +4411,7 @@ activate_rules() chain="$(rules_chain $zone $zone1)" [ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain. - + [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> $STATEDIR/chains if [ $zone = $zone1 ]; then @@ -4420,12 +4420,12 @@ activate_rules() eval ports="\$${zone}_ports" num_ifaces=$(list_count1 $interfaces) - + [ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports) if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then continue - fi + fi else routeback= num_ifaces=0 
@@ -4473,8 +4473,8 @@ activate_rules() *) insert_exclusions filter $chain $exclusions1 ;; - esac - fi + esac + fi if [ -n "$complex" ]; then for host1 in $dest_hosts; do @@ -4519,9 +4519,9 @@ activate_rules() for host in $source_hosts; do interface=${host%%:*} networks=${host#*:} - + chain=$(forward_chain $interface) - + run_iptables -A $chain $(match_source_hosts $networks) -j $last_chain done fi @@ -4880,7 +4880,7 @@ conditionally_add_option() { # $1 = option name [ -n "\${$1:=$value}" ] __EOF__ fi -} +} conditionally_add_option1() { # $1 = option name local value @@ -4892,7 +4892,7 @@ conditionally_add_option1() { # $1 = option name $1="$value" __EOF__ fi -} +} # # Compile a Firewall Script @@ -5054,7 +5054,7 @@ run_iptables() else \$IPTABLES \$@ fi - + if [ \$? -ne 0 ]; then error_message "ERROR: Command \"\$IPTABLES \$@\" Failed" stop_firewall @@ -5377,7 +5377,7 @@ __EOF__ done strip_file_and_lib_load accounting accounting && setup_accounting $(find_file accounting) - + createchain reject no createchain dynamic no createchain logdrop no @@ -5431,8 +5431,9 @@ __EOF__ # if strip_file_and_lib_load providers providers; then setup_providers $(find_file providers) - [ -n "$ROUTEMARK_INTERFACES" ] && setup_routes + [ -n "$ROUTEMARK_INTERFACES" ] && setup_route_marking else + save_command save_command undo_routing save_command restore_default_route fi @@ -5624,10 +5625,10 @@ __EOF__ for option in VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE; do conditionally_add_option $option done - + conditionally_add_option1 TC_ENABLED - exec 3>&- + exec 3>&- fi progress_message3 "Shorewall configuration compiled to $(resolve_file $outfile)" diff --git a/Shorewall/configpath b/Shorewall/configpath index 4a220c039..a285a49cb 100644 --- a/Shorewall/configpath +++ b/Shorewall/configpath 
@@ -6,8 +6,8 @@ # Note to maintainers. # # The CONFDIR variable is normally set to /etc/shorewall but when -# the command is "compile -e" then CONFDIR is set to -# /usr/share/shorewall/configfiles/. This prevents 'compile -e' +# the command is "compile -e" then CONFDIR is set to +# /usr/share/shorewall/configfiles/. This prevents 'compile -e' # from trying to use configuration information from /etc/shorewall. CONFIG_PATH=${CONFDIR}:/usr/share/shorewall @@ -15,8 +15,8 @@ CONFIG_PATH=${CONFDIR}:/usr/share/shorewall # # SHOREWALL LITE'S FIREWALL SCRIPT DIRECTORY # -# There is lack of agreement about where exactly in the file hierarchy the -# firewall script in Shorewall Lite systems should be stored. To allow +# There is lack of agreement about where exactly in the file hierarchy the +# firewall script in Shorewall Lite systems should be stored. To allow # everyone's opinion to prevail (and to prevent the Shorewall author from # going crazy), the LITEDIR option allows you to decide where the file will # be stored on Shorewall Lite systems under your distribution. diff --git a/Shorewall/help b/Shorewall/help index 8a8614120..71de30a32 100755 --- a/Shorewall/help +++ b/Shorewall/help @@ -175,7 +175,7 @@ export) the '/firewall' script is copied via scp to the specified - is of the form [user@]:[] + is of the form [user@]:[] Example: diff --git a/Shorewall/lib.actions b/Shorewall/lib.actions index d3bc57372..b74d7484b 100644 --- a/Shorewall/lib.actions +++ b/Shorewall/lib.actions @@ -773,7 +773,7 @@ process_action3() { if [ -n "$is_macro" ]; then xtarget1=$(map_old_action $xtarget1) - + case $xtarget1 in */*) param=${xtarget1#*/} 
@@ -784,15 +784,15 @@ process_action3() { progress_message "..Expanding Macro $(find_file macro.$xtarget1)..." while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec - + mtarget=$(merge_levels $xaction2 $mtarget) - + case $mtarget in PARAM|PARAM:*) [ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation" ;; esac - + if [ -n "$mclients" ]; then case $mclients in -|SOURCE) @@ -808,7 +808,7 @@ process_action3() { else mclients=${xclients} fi - + if [ -n "$mservers" ]; then case $mservers in -|DEST) @@ -824,13 +824,13 @@ process_action3() { else mservers=${xserverss} fi - + [ -n "$xprotocol" ] && [ "x${xprotocol}" != x- ] && mprotocol=$xprotocol [ -n "$xports" ] && [ "x${xports}" != x- ] && mports=$xports [ -n "$xcports" ] && [ "x${xcports}" != x- ] && mcports=$xcports [ -n "$xratelimit" ] && [ "x${xratelimit}" != x- ] && mratelimit=$xratelimit [ -n "$xuserspec" ] && [ "x${xuserspec}" != x- ] && muserspec=$xuserspec - + rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-}" process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec done < $TMP_DIR/macro.$xtarget1 @@ -840,7 +840,7 @@ process_action3() { process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec fi done < $TMP_DIR/$f - + [ -n "$COMMENTS" ] && save_command COMMENT= - + } diff --git a/Shorewall/lib.base b/Shorewall/lib.base index 91921b2d2..06dd77bf6 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base 
@@ -22,9 +22,9 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # # This library contains the code common to all Shorewall components. It is copied into -# the compiled script with the -e compiler flag is specified and is loaded by +# the compiled script with the -e compiler flag is specified and is loaded by # /sbin/shorewall, /usr/share/shorewall/compiler and /usr/share/shorewall/firewall. It -# is also released as part of Shorewall Lite where it is used by /sbin/shorewall-lite +# is also released as part of Shorewall Lite where it is used by /sbin/shorewall-lite # and /usr/share/shorewall-lite/shorecap. # @@ -179,9 +179,9 @@ deleteallchains() { } # -# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains +# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains # a space-separated list of directories to search for -# the module and that 'moduleloader' contains the +# the module and that 'moduleloader' contains the # module loader command. # loadmodule() # $1 = module name, $2 - * arguments @@ -346,7 +346,7 @@ lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library lib_avail() # $1 = Name of the Library { [ -f ${SHAREDIR}/lib.$1 ] -} +} # # Note: The following set of IP address manipulation functions have anomalous @@ -758,6 +758,14 @@ find_first_interface_address_if_any() # $1 = interface [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0 } +# +# Determine if interface is usable from a Netfilter prespective +# +interface_is_usable() # $1 = interface +{ + interface_is_up $1 && [ "\$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] +} + # # Find interface addresses--returns the set of addresses assigned to the passed # device 
@@ -990,9 +998,9 @@ report_capabilities() { report_capability() # $1 = Capability Description , $2 Capability Setting (if any) { local setting= - + [ "x$2" = "xYes" ] && setting="Available" || setting="Not available" - + echo " " $1: $setting } @@ -1286,7 +1294,7 @@ get_device_mtu() # $1 = device # Undo changes to routing # undo_routing() { - + if [ -z "$NOROUTES" ]; then # # Restore rt_tables database @@ -1308,7 +1316,7 @@ undo_routing() { } restore_default_route() { - + if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then local default_route= route @@ -1329,10 +1337,10 @@ restore_default_route() { progress_message "Default Route (${default_route# }) restored" ;; esac - + break fi - + default_route="$default_route $route" ;; *) @@ -1340,7 +1348,7 @@ restore_default_route() { ;; esac done < ${VARDIR}/default_route - + rm -f ${VARDIR}/default_route fi } diff --git a/Shorewall/lib.config b/Shorewall/lib.config index 752c487a1..74851bab5 100644 --- a/Shorewall/lib.config +++ b/Shorewall/lib.config @@ -102,13 +102,13 @@ separate_list() { # Undo the effect of 'separate_list()' # combine_list() -{ +{ local f o= - for f in $* ; do + for f in $* ; do o="${o:+$o,}$f" done - + echo $o } @@ -448,7 +448,7 @@ setup_ipsec() { # Set up rules to set MSS to and/or from zone "$zone" # set_mss() # $1 = MSS value, $2 = _in, _out or "" - { + { for z in $ZONES $FW; do case $2 in _in) @@ -599,7 +599,7 @@ validate_hosts_file() { eval ${z}_is_complex=Yes ;; esac - fi + fi for host in $(separate_list $hosts); do if [ -n "$BRIDGING" ]; then @@ -632,7 +632,7 @@ validate_hosts_file() { ;; esac fi - + for option in $(separate_list $options) ; do case $option in norfc1918|blacklist|tcpflags|nosmurfs|-) @@ -998,7 +998,7 @@ match_dest_hosts() # # Matches for either or :
# -match_source() +match_source() { case "$1" in *:*) @@ -1273,7 +1273,7 @@ determine_hosts() { if [ -n "$hosts" ]; then if [ $VERBOSE -ge 1 ]; then - [ -n "$exclusions" ] && display_list "$zone Zone:" $hosts minus "($exclusions)" || display_list "$zone Zone:" $hosts + [ -n "$exclusions" ] && display_list "$zone Zone:" $hosts minus "($exclusions)" || display_list "$zone Zone:" $hosts fi else error_message "WARNING: Zone $zone is empty" @@ -1635,7 +1635,7 @@ strip_file_and_lib_load() # $1 = logical file name, $2 = library to load if the lib_load $2 "A non-empty $1 file ($f)" return 0 fi - + eval test -n \"\$LIB_${2}_LOADED\" } @@ -2013,7 +2013,7 @@ do_initialize() { TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT) USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS) [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes" - + [ -n "$XCONNMARK_MATCH" ] || XCONNMARK= [ -n "$XMARK" ] || XCONNMARK= diff --git a/Shorewall/lib.maclist b/Shorewall/lib.maclist index 60dd93ab9..a0e7fd3fa 100644 --- a/Shorewall/lib.maclist +++ b/Shorewall/lib.maclist @@ -42,7 +42,7 @@ setup_mac_lists() # $1 = Phase Number local ipsec local policy= - create_mac_chain() + create_mac_chain() { case $MACLIST_TABLE in filter) @@ -100,7 +100,7 @@ setup_mac_lists() # $1 = Phase Number if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN fi - + if [ -n "$MACLIST_TTL" ]; then chain1=$(macrecent_target $interface) create_mac_chain $chain1 @@ -117,7 +117,7 @@ setup_mac_lists() # $1 = Phase Number expandv disposition interface mac addresses level= - + case $disposition in ACCEPT:*) level=${disposition#*:} 
@@ -165,11 +165,11 @@ setup_mac_lists() # $1 = Phase Number fi [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface) - + if ! have_mac_chain $chain ; then fatal_error "No hosts on $interface have the maclist option specified" fi - + if [ x${mac:=-} = x- ]; then if [ -z "$addresses" ]; then fatal_error "You must specify a MAC address or an IP address" @@ -196,7 +196,7 @@ setup_mac_lists() # $1 = Phase Number # Generate jumps from the input and forward chains # [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - + for hosts in $maclist_hosts; do ipsec=${hosts%^*} hosts=${hosts#*^} @@ -223,11 +223,11 @@ setup_mac_lists() # $1 = Phase Number for interface in $maclist_interfaces; do [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface) - + if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then indent >&3 << __EOF__ -if interface_is_up $interface && [ "\$(find_first_interface_address_if_any $interface)" != 0.0.0.0 ]; then +if interface_is_usable $interface; then ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do address=\${address%/*} if [ -n "\$broadcast" ]; then @@ -247,11 +247,11 @@ __EOF__ CHAIN=$chain append_file maclog - + if [ -n "$MACLIST_LOG_LEVEL" ]; then log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE fi - + if [ $MACLIST_DISPOSITION != ACCEPT ]; then run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET fi diff --git a/Shorewall/lib.nat b/Shorewall/lib.nat index 2e8b01ef9..11dad98a6 100644 --- a/Shorewall/lib.nat +++ b/Shorewall/lib.nat 
@@ -526,7 +526,7 @@ setup_nat() { while read external interface internal allints localnat; do expandv external interface internal allints localnat - + if [ "x$external" = xCOMMENT ]; then if [ -n "$COMMENTS" ]; then comment=$(echo $interface $internal $allints $localnat) @@ -539,10 +539,10 @@ setup_nat() { fi progress_message_and_save " Host $internal NAT $external on $interface" done < $TMP_DIR/nat - + [ -n "$COMMENTS" ] && save_command COMMENT= fi - + } # diff --git a/Shorewall/lib.providers b/Shorewall/lib.providers index 1b4c302de..ff2b4f348 100644 --- a/Shorewall/lib.providers +++ b/Shorewall/lib.providers @@ -113,14 +113,14 @@ __EOF__ # Add Provider $table ($number) # __EOF__ - save_command "if interface_is_up $interface && [ \"\$(find_first_interface_address_if_any $interface)\" != 0.0.0.0 ]; then" + save_command "if interface_is_usable $interface; then" save_indent1="$INDENT" INDENT="$INDENT " iface=$(chain_base $interface) - + save_command "${iface}_up=Yes" - + save_command "qt ip route flush table $number" indent >&3 << __EOF__ @@ -246,7 +246,7 @@ __EOF__ INDENT="$save_indent1" save_command else - + if [ -n "$optional" ]; then save_command " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"" save_command " ${iface}_up=" @@ -386,19 +386,19 @@ __EOF__ for table in $PROVIDERS; do eval number=\$${table}_number indent >&3 << __EOF__ -echobin=\$(mywhich echo) +echobin=\$(mywhich echo) \${echobin:-echo} -e "$number\t$table" >> /etc/iproute2/rt_tables __EOF__ done f=$(find_file route_rules) - + if [ -f $f ]; then strip_file route_rules $f if [ -s $TMP_DIR/route_rules ]; then progress_message2 "$DOING $f..." - + save_command while read source dest provider priority; do @@ -417,9 +417,9 @@ __EOF__ } # -# Set up Routing +# Set up Route marking (Only called if $ROUTEMARK_INTERFACES is non-empty) # -setup_routes() +setup_route_marking() { local mask=0xFF mark_op="--set-mark" save_indent="$INDENT" 
@@ -429,22 +429,20 @@ setup_routes() run_iptables -t mangle -A OUTPUT -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask createmanglechain routemark - if [ -n "$ROUTEMARK_INTERFACES" ]; then - for interface in $ROUTEMARK_INTERFACES ; do - iface=$(chain_base $interface) - eval mark_value=\$${iface}_routemark + for interface in $ROUTEMARK_INTERFACES ; do + iface=$(chain_base $interface) + eval mark_value=\$${iface}_routemark - save_command - save_command "if [ -n \"\$${iface}_up\" ]; then" - INDENT="$INDENT " - run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark - run_iptables -t mangle -A routemark -i $interface -j MARK $mark_op $mark_value - INDENT="$save_indent" - save_command "fi" - done - save_command - fi + save_command "if [ -n \"\$${iface}_up\" ]; then" + INDENT="$INDENT " + run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark + run_iptables -t mangle -A routemark -i $interface -j MARK $mark_op $mark_value + INDENT="$save_indent" + save_command "fi" + done + + save_command run_iptables -t mangle -A routemark -m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask diff --git a/Shorewall/lib.tc b/Shorewall/lib.tc index 18264f2ab..ad4c41859 100644 --- a/Shorewall/lib.tc +++ b/Shorewall/lib.tc @@ -26,7 +26,7 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -# This library is loaded by /usr/share/shorewall/compiler when TC_ENABLED=Internal +# This library is loaded by /usr/share/shorewall/compiler when TC_ENABLED=Internal # and the tcdevices and/or the tcclasses file is non-empty. It is also loaded under # the same circumstances by the compiled firewall script when processing the # 'refresh' command. 
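Review bot: The loop over `$ROUTEMARK_INTERFACES` is now unconditional, so the correctness of `setup_route_marking` depends entirely on the caller's guard in the compiler (`[ -n "$ROUTEMARK_INTERFACES" ] && setup_route_marking`); if a second caller ever omits it, `createmanglechain routemark` and the CONNMARK restore rules are still emitted with no per-interface marking rules behind them. A local guard such as `[ -n "$ROUTEMARK_INTERFACES" ] || return 0` at the top of the function would keep the contract next to the code it protects; the function's opening lines are outside this hunk. The `save_command` that previously separated each generated `if [ -n "$..._up" ]` block was also dropped, which looks intentional but changes the generated script's layout.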
@@ -179,7 +179,7 @@ setup_traffic_shaping() dev=$(chain_base $device) - save_command "if qt ip link ls dev $device; then" + save_command "if interface_is_usable $device; then" indent="$INDENT" INDENT="$INDENT " save_command ${dev}_exists=Yes @@ -202,7 +202,7 @@ setup_traffic_shaping() INDENT="$indent" save_command else INDENT="$INDENT " - save_command error_message "\"WARNING: Device $device not found -- traffic-shaping configuration skipped\"" + save_command error_message "\"WARNING: Device $device not up and configured -- traffic-shaping configuration skipped\"" save_command "${dev}_exists=" INDENT="$indent" save_command "fi" @@ -282,6 +282,12 @@ setup_traffic_shaping() return 0 } + finish_device() { + INDENT="$indent" + save_command fi + save_command + } + validate_tcdevices_file validate_tcclasses_file @@ -309,12 +315,9 @@ setup_traffic_shaping() dev=$(chain_base $device) if [ "$device" != "$last_device" ]; then - if [ -n "$last_device" ]; then - INDENT="$indent" - save_command fi - save_command - fi - + + [ -n "$last_device" ] && finish_device + save_command "if [ -n \"\$${dev}_exists\" ] ; then" indent="$INDENT" INDENT="$INDENT " @@ -326,10 +329,6 @@ setup_traffic_shaping() add_tc_class && progress_message " TC Class $tcdev defined." done < $TMP_DIR/tcclasses - if [ -n "$last_device" ]; then - INDENT="$indent" - save_command fi - save_command - fi + [ -n "$last_device" ] && finish_device fi } diff --git a/Shorewall/lib.tcrules b/Shorewall/lib.tcrules index 79e37d8ae..e83ed2b75 100644 --- a/Shorewall/lib.tcrules +++ b/Shorewall/lib.tcrules @@ -85,7 +85,7 @@ process_tc_rule() mark=$mark/0xff did_connmark=Yes } - + validate_mark() { case $1 in diff --git a/Shorewall/lib.tunnels b/Shorewall/lib.tunnels index 3a5768a1f..a6eb88bde 100644 --- a/Shorewall/lib.tunnels +++ b/Shorewall/lib.tunnels 
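Review bot: Replacing `qt ip link ls dev $device` with `interface_is_usable $device` tightens the generated check from "device exists" to "device is up and has an IPv4 address", because `find_first_interface_address_if_any` reports `0.0.0.0` for an address-less device. Traffic shaping on a device that legitimately carries no IPv4 address (a bridged port or a device that is shaped but not addressed, for example) would now be skipped with the new warning, where it was configured before. If that is intended it deserves a comment at the `save_command "if interface_is_usable $device; then"` line, e.g. `# Shaping is only configured on devices that are up and addressed`; otherwise `interface_is_up $device` alone may be the closer equivalent of the old existence test.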
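Review bot: In `@@ -326`, `[ -n "$last_device" ] && finish_device` is now the last command in the `if` branch and, through the closing `fi`, the last command of `setup_traffic_shaping`, so the function exits with status 1 whenever `$last_device` is empty; the removed `if ... fi` form always exited 0. Whether any caller or an `errexit` setting sees that status is not visible here, but `[ -n "$last_device" ] && finish_device || true`, or keeping the `if` form for this final occurrence, avoids the change. The new `finish_device` helper also reads `$indent` from the enclosing function, which is worth a short comment above it, e.g. `# Close the per-device "if" block; relies on $indent saved when the block was opened`.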
@@ -21,7 +21,7 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -# This library is loaded by /usr/share/shorewall/compiler when the tunnels file is +# This library is loaded by /usr/share/shorewall/compiler when the tunnels file is # non-empty. # diff --git a/Shorewall/macro.Drop b/Shorewall/macro.Drop index db461ae8f..22dac79fe 100644 --- a/Shorewall/macro.Drop +++ b/Shorewall/macro.Drop @@ -8,7 +8,7 @@ # # Example: # -# Drop net all +# Drop net all # ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ diff --git a/Shorewall/macro.Reject b/Shorewall/macro.Reject index 08ebb5c58..cae95c977 100644 --- a/Shorewall/macro.Reject +++ b/Shorewall/macro.Reject @@ -8,7 +8,7 @@ # # Example: # -# Reject loc fw +# Reject loc fw # # ############################################################################### diff --git a/Shorewall/masq b/Shorewall/masq index 12341661a..2da200141 100644 --- a/Shorewall/masq +++ b/Shorewall/masq @@ -87,7 +87,7 @@ # Example: 206.124.146.177-206.124.146.180 # # You may also use the special value "detect" -# which causes Shorewall to determine the +# which causes Shorewall to determine the # IP addresses configured on the interface named # in the INTERFACES column and substitute them # in this column. diff --git a/Shorewall/netmap b/Shorewall/netmap index cd99e14d9..e0ad9d76b 100644 --- a/Shorewall/netmap +++ b/Shorewall/netmap @@ -20,7 +20,7 @@ # If SNAT, traffic leaving INTERFACE with a source # address in NET1 has it's source address rewritten to # the corresponding address in NET2. -# +# # NET1 Network in CIDR format (e.g., 192.168.1.0/24) # # INTERFACE The name of a network interface. The interface must diff --git a/Shorewall/policy b/Shorewall/policy index 82bb26e9c..c53618d8f 100644 --- a/Shorewall/policy +++ b/Shorewall/policy 
@@ -61,12 +61,12 @@ # # If the policy is DROP or REJECT then the policy should # be followed by ":" and one of the following: -# +# # a) The word "None" or "none". This causes any default # action defined in /etc/shorewall/shorewall.conf to # be omitted for this policy. # b) The name of an action (requires that USE_ACTIONS=Yes -# in shorewall.conf). That action will be invoked +# in shorewall.conf). That action will be invoked # before the policy is enforced. # c) The name of a macro. The rules in that macro will # be applied before the policy is enforced. This diff --git a/Shorewall/prog.footer b/Shorewall/prog.footer index 9d221e390..e338337b6 100644 --- a/Shorewall/prog.footer +++ b/Shorewall/prog.footer @@ -14,7 +14,7 @@ initialize # Start trace if first arg is "debug" or "trace" # if [ $# -gt 1 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then - set -x + set -x shift fi @@ -95,7 +95,7 @@ case "$COMMAND" in status=0 progress_message3 "$PRODUCT Counters Reset" fi - ;; + ;; restart) if shorewall_is_started; then progress_message3 "Restarting $PRODUCT...." @@ -108,7 +108,7 @@ case "$COMMAND" in status=$? if [ -n "$SUBSYSLOCK" ]; then [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK - fi + fi progress_message3 "done." ;; refresh) @@ -127,7 +127,7 @@ case "$COMMAND" in status=$? if [ -n "$SUBSYSLOCK" ]; then [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK - fi + fi ;; clear) progress_message3 "Clearing $PRODUCT...." diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index cc5b1493d..dd096ba53 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
@@ -1,36 +1,36 @@ Shorewall 3.3.5 - - Note to users upgrading from Shorewall 3.0 or 3.3 - - Most problems associated with upgrades come from two causes: - - - The user didn't read and follow the migration considerations in these - release notes. - - - The user mis-handled the /etc/shorewall/shorewall.conf file during - upgrade. Shorewall is designed to allow the default behavior of - the product to evolve over time. To make this possible, the design - assumes that you will not replace your current shorewall.conf file - during upgrades. If you feel absolutely compelled to have the latest - comments and options in your shorewall.conf then you must proceed - carefully. - - While you are at it, if you have a file named /etc/shorewall/rfc1918 then - please check that file. If it has addresses listed that are NOT in one of - these three ranges, then please rename the file to - /etc/shorewall/rfc1918.old. - - 10.0.0.0 - 10.255.255.255 - 172.16.0.0 - 172.31.255.255 - 192.168.0.0 - 192.168.255.255 - - If you have a file named /etc/shorewall/modules, please remove - it. The default modules file is now located in /usr/share/shorewall/ - (see the "Migration Considerations" below). - - Please see the "Migration Considerations" below for additional upgrade - information. - + + Note to users upgrading from Shorewall 3.0 or 3.3 + + Most problems associated with upgrades come from two causes: + + - The user didn't read and follow the migration considerations in these + release notes. + + - The user mis-handled the /etc/shorewall/shorewall.conf file during + upgrade. Shorewall is designed to allow the default behavior of + the product to evolve over time. To make this possible, the design + assumes that you will not replace your current shorewall.conf file + during upgrades. If you feel absolutely compelled to have the latest + comments and options in your shorewall.conf then you must proceed + carefully. 
+ + While you are at it, if you have a file named /etc/shorewall/rfc1918 then + please check that file. If it has addresses listed that are NOT in one of + these three ranges, then please rename the file to + /etc/shorewall/rfc1918.old. + + 10.0.0.0 - 10.255.255.255 + 172.16.0.0 - 172.31.255.255 + 192.168.0.0 - 192.168.255.255 + + If you have a file named /etc/shorewall/modules, please remove + it. The default modules file is now located in /usr/share/shorewall/ + (see the "Migration Considerations" below). + + Please see the "Migration Considerations" below for additional upgrade + information. + Problems Corrected in 3.3.5 1) Previously, if the last 'balance' provider was removed from @@ -98,7 +98,7 @@ New Features: - lib.accounting. Must be available if you include entries in /etc/shorewall/accounting. - - lib.actions. Must be available if you do not specify + - lib.actions. Must be available if you do not specify USE_ACTIONS=No in /etc/shorewall/shorewall.conf. - lib.dynamiczones. Must be available if you specify @@ -179,7 +179,7 @@ New Features: The value assigned to these may be: - a) The name of an action. + a) The name of an action. b) The name of a macro c) 'None' or 'none' @@ -203,12 +203,12 @@ New Features: In /etc/shorewall/policy, when the POLICY is DROP, REJECT, ACCEPT or QUEUE then the policy may be followed by ":" and one of the following: - + a) The word "None" or "none". This causes any default action defined in /etc/shorewall/shorewall.conf to be omitted for this policy. b) The name of an action (requires that USE_ACTIONS=Yes - in shorewall.conf). That action will be invoked + in shorewall.conf). That action will be invoked before the policy is enforced. c) The name of a macro. The rules in that macro will be applied before the policy is enforced. This 
@@ -248,8 +248,8 @@ New Features: than 5 but it may be greater than 5). For example, setting LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters. -6) Netfilter provides support for attaching comments to Netfilter - rules. Comments can be up to 255 bytes in length and are +6) Netfilter provides support for attaching comments to Netfilter + rules. Comments can be up to 255 bytes in length and are visible using the "shorewall show ", "shorewall show nat", "shorewall show mangle" and "shorewall dump" commands. Comments are delimited by '/* ... */" in the output. @@ -280,12 +280,12 @@ New Features: Example from my rules file: #SOURCE SOURCE DEST PROTO DEST PORT(S) - + COMMENT Stop Microsoft Noise REJECT loc net tcp 137,445 REJECT loc net udp 137:139 - + COMMENT # Stop comment from being attached to rules below The output of "shorewall show loc2net" includes (folded): @@ -348,7 +348,7 @@ New Features: 0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none 0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none 0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none - gateway:~ # + gateway:~ # This redundancy may be eliminated by setting OPTIMIZE=1 in shorewall.conf. @@ -362,7 +362,7 @@ New Features: 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0 gateway:~ # - + Note that with OPTIMIZE=1, traffic destined for an interface/Address that falls outside of all defined zones may now be logged out of a '2all' chain rather than out of the FORWARD 
@@ -395,26 +395,26 @@ New Features: Counters reset Thu Oct 26 07:54:58 PDT 2006 Chain loc2net (1 references) - pkts bytes target prot opt in out source destination + pkts bytes target prot opt in out source destination ... - 0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0 - 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 - 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 + 0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0 + 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 + 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 gateway:~ OPTIMIZE=1 - + gateway:~ # shorewall show loc2net Shorewall Lite 3.3.3 Chains loc2net at gateway - Thu Oct 26 07:57:12 PDT 2006 Counters reset Thu Oct 26 07:56:38 PDT 2006 Chain loc2net (1 references) - pkts bytes target prot opt in out source destination + pkts bytes target prot opt in out source destination ... - 0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0 - 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 + 0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0 + 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 gateway:~ diff --git a/Shorewall/rules b/Shorewall/rules index 46ce9f382..26267bffc 100644 --- a/Shorewall/rules +++ b/Shorewall/rules @@ -116,7 +116,7 @@ # COMMENT -- the rest of the line will be attached # as a comment to the Netfilter rule(s) # generated by the following entres. -# The comment will appear delimited by +# The comment will appear delimited by # "/* ... */" in the output of # "shorewall show ". To stop # the comment from being attached to diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 0251f1b39..b02306419 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -911,7 +911,7 @@ usage() # $1 = exit status } # -# Execution begins here +# Execution begins here # debugging= diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index e79d550bc..8c41ea5ab 100644 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf 
@@ -150,7 +150,7 @@ LOGFILE=/var/log/messages # longer than 29 bytes when passed the chain name, [rule number], and 'ACCEPT'. # Using the default LOGFORMAT, the name of a chain must be 11 characters or # less; since chain names are often of the form 2, zone names are -# limited to 5 characters using the default LOGFORMAT. In contrast, if +# limited to 5 characters using the default LOGFORMAT. In contrast, if # LOGFORMAT="FW:%s:%s:", then zone names can be as long as 8 characters. LOGFORMAT="Shorewall:%s:%s:" @@ -227,7 +227,7 @@ BLACKLIST_LOGLEVEL= # Specifies the logging level for connection requests that fail MAC # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then # such connection requests will not be logged. -# +# # See the comment at the top of this section for a description of log levels # # If you wish to filter messages logged under this option, then supply @@ -240,7 +240,7 @@ BLACKLIST_LOGLEVEL= # If you set MACLIST_TABLE=mangle later in this file, be sure that your # 'run_iptables' commands include '-t mangle'. # -# See http://www.shorewall.net/shorewall_extension_scripts.htm for more +# See http://www.shorewall.net/shorewall_extension_scripts.htm for more # information about extension scripts. # @@ -409,7 +409,7 @@ IPSECFILE=zones # # The value applied to these may be: # -# a) The name of an action. +# a) The name of an action. # b) The name of a macro # c) 'None' or 'none' # @@ -517,7 +517,7 @@ RETAIN_ALIASES=No # See http://shorewall.net/traffic_shaping.htm for more information. TC_ENABLED=Internal - + # # TRAFFIC SHAPING EXPERT # 
@@ -953,10 +953,10 @@ USE_ACTIONS=Yes
 #
 # Optimize Ruleset
 #
-# Traditionally, Shorewall has created rules for the complete matrix of
+# Traditionally, Shorewall has created rules for the complete matrix of
 # Networks defined by the zones, interfaces and hosts files. Any traffic that
 # didn't correspond to an element of that matrix was rejected in one of the
-# built-in changes. When the matrix is sparse, this results in lots of
+# built-in changes. When the matrix is sparse, this results in lots of
 # largely useless rules.
 #
 # These extra rules can be eliminated by setting OPTIMIZE=1
diff --git a/Shorewall/tcdevices b/Shorewall/tcdevices
index d17ea567b..0a141f10a 100644
--- a/Shorewall/tcdevices
+++ b/Shorewall/tcdevices
@@ -19,7 +19,7 @@
 # once in this file. You may NOT specify the name of
 # an alias (e.g., eth0:0) here; see
 # http://www.shorewall.net/FAQ.htm#faq18
-#
+#
 # You man NOT specify wildcards here, e.g. if you
 # have multiple ppp interfaces, you need to put
 # them all in here!
@@ -46,10 +46,10 @@
 # speed, and make sure there is NO space between the
 # number and the unit.
 #
-# OUT-BANDWIDTH The outgoing Bandwidth of that interface.
+# OUT-BANDWIDTH The outgoing Bandwidth of that interface.
 # This is the maximum speed you connection can handle.
 # It is also the speed you can refer as "full" if
-# you define the tc classes.
+# you define the tc classes.
 # Outgoing traffic above this rate will be dropped.
 #
 # Use kbit or kbps(for Kilobytes per second) for
diff --git a/Shorewall/tcrules b/Shorewall/tcrules
index 10f061c19..f3c48cf0e 100644
--- a/Shorewall/tcrules
+++ b/Shorewall/tcrules
@@ -29,7 +29,7 @@
 # ampersand ("&"), will be logically ANDed with the
 # current mark value to produce a new mark value.
 #
-# Both "|" and "&" require Extended MARK Target
+# Both "|" and "&" require Extended MARK Target
 # support in your kernel and iptables; neither may
 # be used with connection marks (see below).
 #
diff --git a/Shorewall/zones b/Shorewall/zones
index f1ed7fff9..7efcff0b4 100644
--- a/Shorewall/zones
+++ b/Shorewall/zones
@@ -22,7 +22,7 @@
 #
 # ZONE Short name of the zone. The names "all" and "none" are reserved
 # and may not be used as zone names. The maximum length of a
-# zone name is determined by the setting of the LOGFORMAT option
+# zone name is determined by the setting of the LOGFORMAT option
 # in shorewall.conf. With the default LOGFORMAT, zone names can
 # be at most 5 characters long.
 #