Merge branch '5.2.4'

This commit is contained in:
Tom Eastep 2020-03-10 14:18:52 -07:00
commit 54a70e4632
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
27 changed files with 575 additions and 527 deletions


@ -1 +1 @@
5.2.3.7
5.2.4-Beta1


@ -4120,9 +4120,9 @@ start_command() {
if [ -x $g_firewall ]; then
if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
run_it ${VARDIR}/${RESTOREFILE} restore
else
run_it $g_firewall $g_debugging start
run_it $g_firewall start
fi
rc=$?
else
@ -4256,7 +4256,7 @@ restart_command() {
[ -n "$g_nolock" ] || mutex_on
if [ -x $g_firewall ]; then
run_it $g_firewall $g_debugging $COMMAND
run_it $g_firewall $COMMAND
rc=$?
else
error_message "$g_firewall is missing or is not executable"
@ -4270,7 +4270,7 @@ restart_command() {
run_command() {
if [ -x $g_firewall ] ; then
run_it $g_firewall $g_debugging $@
run_it $g_firewall $@
else
fatal_error "$g_firewall does not exist or is not executable"
fi
@ -4287,7 +4287,13 @@ ecko() {
#
usage() # $1 = exit status
{
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
echo "Usage: $(basename $0) [ -T ] [ -D ] [ -N ] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
echo " -T : Direct the generated script to produce a shell trace to standard error"
echo " -D : Debug iptables commands"
echo " -N : Don't take the master shorewall lock"
echo " -q : Standard Shorewall verbosity control"
echo " -v : Standard Shorewall verbosity control"
echo " -t : Timestamp all messages"
echo "where <command> is one of:"
echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..."
@ -4317,7 +4323,6 @@ usage() # $1 = exit status
echo " iptrace <ip6tables match expression>"
fi
ecko " load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
echo " logdrop <address> ..."
echo " logreject <address> ..."
echo " logwatch [<refresh interval>]"
@ -4415,20 +4420,16 @@ usage() # $1 = exit status
# here if that lib is loaded below.
#
shorewall_cli() {
g_debugging=
if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
g_debugging=$1
shift
fi
g_nolock=
#
# We'll keep this around for a while so we don't break people's started scripts
#
if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
g_nolock=nolock
shift
fi
g_debugging=
g_noroutes=
g_purge=
g_ipt_options="-nv"
@ -4456,6 +4457,7 @@ shorewall_cli() {
g_blacklistipset=
g_disconnect=
g_havemutex=
g_trace=
VERBOSE=
VERBOSITY=1
@ -4587,6 +4589,17 @@ shorewall_cli() {
finished=1
option=
;;
T*)
g_debugging=trace
option=${option#T}
;;
D*)
g_debugging=debug
option=${option#D}
;;
N*)
g_nolock=nolock
;;
*)
option_error $option
;;
@ -4639,7 +4652,7 @@ shorewall_cli() {
get_config
[ -x $g_firewall ] || fatal_error "$g_product has never been started"
[ -n "$g_nolock" ] || mutex_on
run_it $g_firewall $g_debugging $COMMAND
run_it $g_firewall $COMMAND
[ -n "$g_nolock" ] || mutex_off
;;
reset)
@ -4648,7 +4661,7 @@ shorewall_cli() {
shift
[ -n "$g_nolock" ] || mutex_on
[ -x $g_firewall ] || fatal_error "$g_product has never been started"
run_it $g_firewall $g_debugging reset $@
run_it $g_firewall reset $@
[ -n "$g_nolock" ] || mutex_off
;;
reload|restart)
@ -4661,7 +4674,7 @@ shorewall_cli() {
only_root
get_config Yes
if product_is_started; then
run_it $g_firewall $g_debugging $@
run_it $g_firewall $@
else
fatal_error "$g_product is not running"
fi
@ -4816,7 +4829,7 @@ shorewall_cli() {
# It isn't a function visible to this script -- try
# the compiled firewall
#
run_it $g_firewall $g_debugging call $@
run_it $g_firewall call $@
fi
else
missing_argument
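Review bot: The new `N*)` arm in the `@ -4587,6 +4589,17 @@` hunk sets `g_nolock=nolock` but never strips the letter from `$option`, unlike its neighbours `T*)` and `D*)`; if the enclosing loop keeps iterating while `$option` is non-empty (which the stripping in the other two arms suggests), `shorewall -N enable eth0` would spin forever and a combined `-Nq` would never reach `q`. Add `option=${option#N}` after the assignment. The usage text now lists `-T`, `-D` and `-N` but no longer mentions the `nolock` keyword that the shorewall_cli prologue deliberately still accepts; a line such as `echo " nolock : Deprecated; use -N"` would match the deprecation note the manpage in this commit adds. The option loop and shorewall_cli itself begin and end outside this hunk.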


@ -92,18 +92,20 @@ startup_error() # $* = Error Message
#
run_it() {
local script
local options
local options='-'
export VARDIR
script=$1
shift
if [ x$1 = xtrace -o x$1 = xdebug ]; then
options="$1 -"
shift;
if [ "$g_debugging" = debug ]; then
options='-D'
elif [ "$g_debugging" = trace ]; then
options='-T'
else
options='-'
options='-';
fi
[ -n "$g_noroutes" ] && options=${options}n
@ -736,8 +738,8 @@ truncate() # $1 = length
#
# Call this function to assert mutual exclusion with Shorewall. If you invoke the
# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
# the first argument. Example "shorewall nolock refresh"
# /sbin/shorewall program while holding mutual exclusion, you should pass -N as
# the first argument. Example "shorewall -N refresh"
#
# This function uses the lockfile utility from procmail if it exists.
# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
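Review bot: In run_it the `else` branch `options='-';` duplicates the new initializer `local options='-'` and carries a stray semicolon; keep the default in one place, e.g. `if [ "$g_debugging" = debug ]; then options='-D'; elif [ "$g_debugging" = trace ]; then options='-T'; fi`. The function also now derives the script options from the caller's `g_debugging` global rather than from its own argument list, so an in-tree caller that still passed `debug`/`trace` after the script name would presumably hand that word on as the script's command; a one-line comment above the `if` stating that `-T`/`-D` come from `g_debugging` and `n` from `g_noroutes` would make the contract explicit. run_it's comment header and its tail, including the actual invocation of the script, lie outside the hunk.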


@ -21,9 +21,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg rep="norepeat">options</arg>
<arg choice="plain"><option>add {</option></arg>
@ -39,9 +36,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>allow</option></arg>
@ -52,9 +46,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>blacklist</option></arg>
@ -67,9 +58,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>call</option></arg>
@ -106,9 +94,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg
@ -118,9 +103,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>close</option><arg choice="req">
@ -159,9 +141,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg rep="norepeat">options</arg>
<arg choice="plain"><option>delete {</option></arg>
@ -177,9 +156,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>disable</option></arg>
@ -191,9 +167,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>drop</option></arg>
@ -204,8 +177,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>dump</option></arg>
@ -222,9 +193,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>enable</option></arg>
@ -236,9 +204,6 @@
<cmdsynopsis>
<command>shorewall[6]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>export</option></arg>
@ -252,9 +217,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>forget</option></arg>
@ -265,8 +227,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>help</option></arg>
@ -275,8 +235,6 @@
<cmdsynopsis>
<command>shorewall[-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg
@ -286,8 +244,6 @@
<cmdsynopsis>
<command>shorewall[-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>ipcalc</option></arg>
@ -304,8 +260,6 @@
<cmdsynopsis>
<command>shorewall[-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>iprange</option></arg>
@ -317,8 +271,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>iptrace</option></arg>
@ -330,9 +282,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>logdrop</option></arg>
@ -343,8 +292,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>logwatch</option></arg>
@ -357,9 +304,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>logreject</option></arg>
@ -370,8 +314,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>noiptrace</option></arg>
@ -394,9 +336,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>reenable</option></arg>
@ -408,9 +347,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>reject</option></arg>
@ -421,9 +357,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>reload</option></arg>
@ -448,10 +381,6 @@
<cmdsynopsis>
<command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>remote-getcaps</option></arg>
<arg><option>-s</option></arg>
@ -472,8 +401,6 @@
<cmdsynopsis>
<command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>remote-getrc</option></arg>
@ -496,8 +423,6 @@
<cmdsynopsis>
<command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>remote-start</option></arg>
@ -520,8 +445,6 @@
<cmdsynopsis>
<command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>remote-reload</option></arg>
@ -544,8 +467,6 @@
<cmdsynopsis>
<command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>remote-restart</option></arg>
@ -568,9 +489,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg
@ -581,9 +499,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>restart</option></arg>
@ -608,9 +523,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg
@ -622,9 +534,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>run</option></arg>
@ -637,9 +546,6 @@
<cmdsynopsis>
<command>shorewall[6]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>safe-restart</option></arg>
@ -656,8 +562,6 @@
<cmdsynopsis>
<command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>safe-start</option></arg>
@ -674,9 +578,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg
@ -688,9 +589,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>savesets</option></arg>
@ -699,8 +597,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg>
@ -713,8 +609,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg>
@ -735,8 +629,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg>
@ -761,8 +653,6 @@
<cmdsynopsis>
<command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg>
@ -774,8 +664,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg>
@ -787,8 +675,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg>
@ -800,8 +686,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg>
@ -814,8 +698,6 @@
<cmdsynopsis>
<command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg>
@ -827,8 +709,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg>
@ -841,8 +721,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg>
@ -853,8 +731,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg>
@ -867,8 +743,7 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
@ -892,9 +767,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg
@ -904,8 +776,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><arg
@ -915,9 +785,6 @@
<cmdsynopsis>
<command>shorewall[6]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg>
<arg choice="plain"><option>try</option></arg>
@ -930,8 +797,6 @@
<cmdsynopsis>
<command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>update</option></arg>
@ -956,8 +821,6 @@
<cmdsynopsis>
<command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg
@ -1025,16 +888,7 @@
<refsect1>
<title>Options</title>
<para>The <option>trace</option> and <option>debug</option> options are
used for debugging. See <ulink
url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.org/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
<para>The <option>nolock</option> option prevents the command from
attempting to acquire the Shorewall lockfile. It is useful if you need to
include <command>shorewall</command> commands in
<filename>/etc/shorewall/started</filename>.</para>
<para>Other <replaceable>options</replaceable> are:</para>
<para>The <replaceable>options</replaceable> are:</para>
<variablelist>
<varlistentry>
@ -1176,7 +1030,66 @@
<para>Causes all progress messages to be timestamped.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T</term>
<listitem>
<para>Added in Shorewall 5.2.4 to replace the earlier
<command>trace</command> keyword.. If the command invokes the
generated firewall script, the script's execution will be traced to
standard error.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D</term>
<listitem>
<para>Added in Shorewall 5.2.4 to replace the earlier debug keyword.
If the command invokes the generated firewall script, individual
invocations of the ip[6]tables utility will be used to configure the
ruleset rather than ip[6]tables-restore. This is useful for
diagnosing ip[6]tables-restore failures on a *COMMIT command.</para>
</listitem>
</varlistentry>
</variablelist>
<note>
<para>Prior to Shorewall 5.2.4, the general syntax for a CLI command
was:</para>
<cmdsynopsis>
<arg><option>trace|debug</option></arg>
<arg><option>nolock</option></arg>
<arg><replaceable>options</replaceable></arg>
<arg choice="plain"><replaceable>command</replaceable></arg>
<arg><replaceable>command-options</replaceable></arg>
<arg><replaceable>command-arguments</replaceable></arg>
</cmdsynopsis>
<para>Examples:</para>
<programlisting> shorewall debug -tv2 reload
shorewall trace check
shorewall nolock enable eth0</programlisting>
<para>In Shorewall 5.2.4 and later, those commands would be:</para>
<programlisting> shorewall -Dtv2 reload
shorewall check -D
shorewall -N enable eth0</programlisting>
<para>While not shown in the command synopses at the top of this page,
the <option>nolock</option> keyword is still supported in Shorewall
5.2.4 and later, but is deprecated in favor of the -<option>N
</option>option.</para>
</note>
</refsect1>
<refsect1>
@ -1214,11 +1127,12 @@
<para>Beginning with Shorewall 4.5.9, the <emphasis
role="bold">dynamic_shared</emphasis> zone option (<ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),<ulink
url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5)) allows a single ipset to
handle entries for multiple interfaces. When that option is
specified for a zone, the <command>add</command> command has the
alternative syntax in which the <replaceable>zone</replaceable> name
precedes the <replaceable>host-list</replaceable>.</para>
url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5))
allows a single ipset to handle entries for multiple interfaces.
When that option is specified for a zone, the <command>add</command>
command has the alternative syntax in which the
<replaceable>zone</replaceable> name precedes the
<replaceable>host-list</replaceable>.</para>
</listitem>
</varlistentry>
@ -1294,7 +1208,7 @@
<term><emphasis role="bold">check</emphasis> [-<option>e</option>]
[-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
[-<option>T</option>] [-<option>i</option>]
[<replaceable>directory</replaceable>]</term>
[-D][<replaceable>directory</replaceable>]</term>
<listitem>
<para>Not available with Shorewall[6]-lite.</para>
@ -1333,6 +1247,10 @@
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
<para>The <emphasis role="bold">-D </emphasis>option was added in
Shoewall 5.2.4 and causes the compiler to write a large amount of
debugging information to standard output.</para>
</listitem>
</varlistentry>
@ -1383,8 +1301,9 @@
<varlistentry>
<term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
[-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
[-<option>T</option>] [-<option>i</option>] [<replaceable> directory
</replaceable>] [<replaceable> pathname</replaceable> ]</term>
[-<option>T</option>] [-<option>i</option>] [-D] [<replaceable>
directory </replaceable>] [<replaceable> pathname</replaceable>
]</term>
<listitem>
<para>Not available with shorewall[6]-lite.</para>
@ -1441,6 +1360,10 @@
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
<para>The <emphasis role="bold">-D </emphasis>option was added in
Shoewall 5.2.4 and causes the compiler to write a large amount of
debugging information to standard output.</para>
</listitem>
</varlistentry>
@ -1700,16 +1623,16 @@
<para>Monitors the log file specified by the LOGFILE option in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))
and produces an audible alarm when new Shorewall messages are
logged. The <emphasis role="bold">-m</emphasis> option causes the
MAC address of each packet source to be displayed if that
information is available. The
<replaceable>refresh-interval</replaceable> specifies the time in
seconds between screen refreshes. You can enter a negative number by
preceding the number with "--" (e.g., <command>shorewall logwatch --
-30</command>). In this case, when a packet count changes, you will
be prompted to hit any key to resume screen refreshes.</para>
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) and
produces an audible alarm when new Shorewall messages are logged.
The <emphasis role="bold">-m</emphasis> option causes the MAC
address of each packet source to be displayed if that information is
available. The <replaceable>refresh-interval</replaceable> specifies
the time in seconds between screen refreshes. You can enter a
negative number by preceding the number with "--" (e.g.,
<command>shorewall logwatch -- -30</command>). In this case, when a
packet count changes, you will be prompted to hit any key to resume
screen refreshes.</para>
</listitem>
</varlistentry>
@ -1824,7 +1747,8 @@
<term><emphasis role="bold">reload </emphasis>[-<option>n</option>]
[-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
[-<option>C</option>] [-D] [ <replaceable>directory</replaceable>
]</term>
<listitem>
<para>This command was re-implemented in Shorewall 5.0.0. The
@ -1889,6 +1813,10 @@
the one that generated the current running configuration, then
the running netfilter configuration will be reloaded as is so
as to preserve the iptables packet and byte counters.</para>
<para>The <emphasis role="bold">-D </emphasis>option was added
in Shoewall 5.2.4 and causes the compiler to write a large
amount of debugging information to standard output.</para>
</listitem>
</varlistentry>
@ -2071,7 +1999,8 @@
Beginning with Shorewall 5.0.13, if
<replaceable>system</replaceable> is omitted, then the FIREWALL
option setting in <ulink
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> (<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
(<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
assumed. In that case, if you want to specify a
<replaceable>directory</replaceable>, then the <option>-D</option>
@ -2144,7 +2073,8 @@
Beginning with Shorewall 5.0.13, if
<replaceable>system</replaceable> is omitted, then the FIREWALL
option setting in <ulink
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> (<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
(<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
assumed. In that case, if you want to specify a
<replaceable>directory</replaceable>, then the <option>-D</option>
@ -2178,6 +2108,10 @@
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <emphasis role="bold">-D </emphasis>option was added in
Shoewall 5.2.4 and causes the compiler to write a large amount of
debugging information to standard output.</para>
</listitem>
</varlistentry>
@ -2204,7 +2138,8 @@
<term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
[-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
[-<option>C</option>] [-D] [ <replaceable>directory</replaceable>
]</term>
<listitem>
<para>Beginning with Shorewall 5.0.0, this command performs a true
@ -2264,6 +2199,10 @@
the one that generated the current running configuration, then
the running netfilter configuration will be reloaded as is so
as to preserve the iptables packet and byte counters.</para>
<para>The <emphasis role="bold">-D </emphasis>option was added
in Shoewall 5.2.4 and causes the compiler to write a large
amount of debugging information to standard output.</para>
</listitem>
</varlistentry>
@ -2831,8 +2770,8 @@
<term><emphasis role="bold">start </emphasis><emphasis role="bold">
</emphasis>[-<option>n</option>] [-<option>p</option>]
[-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
[-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
<replaceable>directory</replaceable> ]</term>
[-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [-D]
[ <replaceable>directory</replaceable> ]</term>
<listitem>
<para><variablelist>
@ -2906,6 +2845,11 @@
option was also specified in the <emphasis
role="bold">save</emphasis> command, then the packet and
byte counters will be restored.</para>
<para>The <emphasis role="bold">-D </emphasis>option was
added in Shoewall 5.2.4 and causes the compiler to write a
large amount of debugging information to standard
output.</para>
</listitem>
</varlistentry>


@ -1 +1 @@
5.2.3.7
5.2.4-Beta1


@ -8727,6 +8727,8 @@ sub emitr1( $$ ) {
sub save_docker_rules($) {
my $tool = $_[0];
my $bridge = $config{DOCKER_BRIDGE};
emit( qq(if [ -n "\$g_docker" ]; then),
qq( $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
@ -8744,10 +8746,10 @@ sub save_docker_rules($) {
qq(),
);
if ( known_interface( 'docker0' ) ) {
if ( known_interface( $bridge ) ) {
emit( qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
} else {
emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] ($bridge|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
}
emit( q( [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
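Review bot: `$bridge` is interpolated verbatim into the egrep pattern of the emitted shell line (`egrep '^-A FORWARD.*[io] ($bridge|br-[a-z0-9]{12})'`), so a DOCKER_BRIDGE value containing regex metacharacters (`.` is legal in an interface name) matches more than the literal name, and a single quote in the value would end the quoted shell word in the generated script. The value is administrator-controlled shorewall.conf input, so the risk is misconfiguration rather than injection, but it is still worth restricting it to an interface-name charset where the `docker0` default is applied in the Config.pm hunk of this commit; escaping it here with `quotemeta` is the alternative, though newer GNU grep warns on some stray backslashes, so validation is the cleaner route. save_docker_rules continues past the end of the hunk.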


@ -1010,6 +1010,7 @@ sub initialize($;$$$) {
PERL_HASH_SEED => undef ,
USE_NFLOG_SIZE => undef ,
RENAME_COMBINED => undef ,
DOCKER_BRIDGE => undef ,
#
# Packet Disposition
#
@ -6569,6 +6570,9 @@ sub get_configuration( $$$ ) {
fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' );
default( 'DOCKER_BRIDGE' , 'docker0' );
} elsif ( $family == F_IPV6 ) {
warning_message( "DOCKER_BRIDGE=$val ignored by shorewall6" ) if supplied( $val = $config{DOCKER_BRIDGE} );
}
if ( supplied( $val = $config{RESTART} ) ) {
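Review bot: `default( 'DOCKER_BRIDGE' , 'docker0' )` accepts any string, yet the value is later spliced into `-i`/`-o` rule arguments and into an egrep pattern inside the generated script; a check in this branch such as `fatal_error "Invalid DOCKER_BRIDGE ($val)" unless $val =~ /^[\w.:-]{1,15}$/` (constructed pattern; align it with the project's existing interface-name validation) would reject typos and shell-significant characters before any rule is emitted. If the new `elsif ( $family == F_IPV6 )` pairs with the DOCKER=Yes test above it, as it appears to, then an IPv4 configuration with DOCKER=No and DOCKER_BRIDGE set is silently ignored while the IPv6 case warns; a matching `warning_message( "DOCKER_BRIDGE=$val ignored when DOCKER=No" )` would keep the two families consistent. get_configuration begins and ends outside the hunk.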


@ -675,6 +675,8 @@ sub process_stoppedrules() {
# Generate the rules required when DOCKER=Yes
#
sub create_docker_rules() {
my $bridge = $config{DOCKER_BRIDGE};
add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
my $chainref = $filter_table->{FORWARD};
@ -684,13 +686,13 @@ sub create_docker_rules() {
add_commands( $chainref, '[ -n "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
if ( my $dockerref = known_interface('docker0') ) {
if ( my $dockerref = known_interface( $bridge ) ) {
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
incr_cmd_level( $chainref );
add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
add_ijump( $chainref, j => 'DOCKER', o => $bridge );
add_ijump( $chainref, j => 'ACCEPT', o => $bridge , state_imatch 'ESTABLISHED,RELATED' );
add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => "! $bridge" );
add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => $bridge ) if $dockerref->{options}{routeback};
decr_cmd_level( $chainref );
add_commands( $chainref, 'fi' );
@ -2532,6 +2534,7 @@ sub compile_stop_firewall( $$$$ ) {
my $input = $filter_table->{INPUT};
my $output = $filter_table->{OUTPUT};
my $forward = $filter_table->{FORWARD};
my $absentminded = $config{ ADMINISABSENTMINDED };
emit <<'EOF';
#
@ -2539,7 +2542,7 @@ sub compile_stop_firewall( $$$$ ) {
#
stop_firewall() {
EOF
$output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
$output->{policy} = 'ACCEPT' if $absentminded;
if ( $family == F_IPV4 ) {
emit <<'EOF';
@ -2698,7 +2701,7 @@ EOF
#
create_docker_rules if $config{DOCKER};
if ( $config{ADMINISABSENTMINDED} ) {
if ( $absentminded ) {
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
}
@ -2707,7 +2710,7 @@ EOF
add_ijump $input, j => 'ACCEPT', d => IPv6_LINKLOCAL;
add_ijump $input, j => 'ACCEPT', d => IPv6_MULTICAST;
unless ( $config{ADMINISABSENTMINDED} ) {
unless ( $absentminded ) {
add_ijump $output, j => 'ACCEPT', d => IPv6_LINKLOCAL;
add_ijump $output, j => 'ACCEPT', d => IPv6_MULTICAST;
}
@ -2721,12 +2724,25 @@ EOF
process_stoppedrules;
if ( $family == F_IPV6 ) {
my $chain = new_action_chain( 'filter', 'AllowICMPs' );
for my $type ( 1, 2, 3, 4, 130, 131, 132, 133, 134, 135, 136, 137, 141, 142, 143, 148, 149, 151, 152, 153 ) {
add_ijump( $chain, j => 'ACCEPT', p => IPv6_ICMP . " --icmpv6-type $type" );
}
for $chain ( $input, $output, $forward ) {
next if $chain eq $output && $absentminded;
add_ijump( $chain, j => 'AllowICMPs', p => IPv6_ICMP );
}
}
if ( have_capability 'IFACE_MATCH' ) {
add_ijump $input, j => 'ACCEPT', iface => '--dev-in --loopback';
add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED};
add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $absentminded;
} else {
add_ijump $input, j => 'ACCEPT', i => loopback_interface;
add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED};
add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $absentminded;
}
my $interfaces = find_interfaces_by_option 'dhcp';
@ -2736,7 +2752,7 @@ EOF
for my $interface ( @$interfaces ) {
add_ijump $input, j => 'ACCEPT', p => "udp --dport $ports", imatch_source_dev( $interface );
add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $config{ADMINISABSENTMINDED};
add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $absentminded;
#
# This might be a bridge
#


@ -42,6 +42,7 @@ usage() {
echo " up <interface>"
echo " savesets <file>"
echo " call <function> [ <parameter> ... ]"
echo " help"
echo " version"
echo " info"
echo
@ -54,6 +55,8 @@ usage() {
echo " -c Save/restore iptables counters"
echo " -V <verbosity> Set verbosity explicitly"
echo " -R <file> Override RESTOREFILE setting"
echo " -T Trace execution"
echo " -D Debug iptables"
exit $1
}
@ -109,20 +112,6 @@ reload_command() {
# E X E C U T I O N B E G I N S H E R E #
################################################################################
#
# Start trace if first arg is "debug" or "trace"
#
g_debug_iptables=
if [ $# -gt 1 ]; then
if [ "x$1" = "xtrace" ]; then
set -x
shift
elif [ "x$1" = "xdebug" ]; then
g_debug_iptables=Yes
shift
fi
fi
#
# Map VERBOSE to VERBOSITY for compatibility with old Shorewall[6]-lite installations
#
[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
@ -152,6 +141,7 @@ g_dockeriso=
g_dockerisostage=
g_forcereload=
g_fallback=
g_debug_iptables=
[ -n "$SERVICEDIR" ] && SUBSYSLOCK=
@ -258,6 +248,14 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
RESTOREFILE=$option
option=
;;
T*)
set -x;
option=${option#T}
;;
D*)
g_debug_iptables=Yes
option=${option#D}
;;
*)
usage 1
;;
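Review bot: The new `T*)` arm sets the trace with a stray trailing semicolon, `set -x;`, which no other arm in this case statement uses; `set -x` alone is the consistent form. The matching help line `-T Trace execution` could say where the trace goes, e.g. `-T Trace execution (shell trace to standard error)`, since that is what `set -x` produces. Unlike the removed first-argument `trace` keyword, `set -x` now takes effect in the middle of option parsing, so the remaining option scanning and any later `usage` output are traced as well — presumably intended, but worth a short comment on the arm. The enclosing option loop starts and ends outside the hunk.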


@ -163,6 +163,8 @@ DISABLE_IPV6=No
DOCKER=No
DOCKER_BRIDGE=docker0
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No


@ -174,6 +174,8 @@ DISABLE_IPV6=No
DOCKER=No
DOCKER_BRIDGE=docker0
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No


@ -171,6 +171,8 @@ DISABLE_IPV6=No
DOCKER=No
DOCKER_BRIDGE=docker0
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No


@ -174,6 +174,8 @@ DISABLE_IPV6=No
DOCKER=No
DOCKER_BRIDGE=docker0
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No


@ -1 +1 @@
5.2.3.7
5.2.4-Beta1


@ -167,6 +167,8 @@ DISABLE_IPV6=No
DOCKER=No
DOCKER_BRIDGE=docker0
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes


@ -8,7 +8,7 @@
# signaling that the firewall is completely up).
#
# This script should not change the firewall configuration directly but
# may do so indirectly by running /sbin/shorewall with the 'nolock'
# may do so indirectly by running /sbin/shorewall with the -N
# option.
#
# See http://shorewall.org/shorewall_extension_scripts.htm for additional


@ -503,7 +503,7 @@ compiler() {
[ -n "$g_timestamp" ] && options="$options --timestamp"
[ -n "$g_test" ] && options="$options --test"
[ -n "$g_preview" ] && options="$options --preview"
[ "$g_debugging" = trace ] && options="$options --debug"
[ -n "$g_trace" ] && options="$options --debug"
[ -n "$g_confess" ] && options="$options --confess"
[ -n "$g_update" ] && options="$options --update"
[ -n "$g_annotate" ] && options="$options --annotate"
@ -531,7 +531,7 @@ compiler() {
#
# Only use the pager if 'trace' or -r was specified and -d was not
#
[ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
[ -z "$g_trace" -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
case $PERL_HASH_SEED in
random)
@ -615,6 +615,10 @@ start_command() {
g_counters=Yes
option=${option#C}
;;
D*)
g_trace=Yes
option=${option#D}
;;
*)
option_error $option
;;
@ -660,14 +664,14 @@ start_command() {
if [ -n "$AUTOMAKE" ]; then
[ -n "$g_nolock" ] || mutex_on
run_it $g_firewall $g_debugging start
run_it $g_firewall start
rc=$?
[ -n "$g_nolock" ] || mutex_off
else
g_file="${VARDIR}/.start"
if compiler $g_debugging $g_nolock compile "$g_file"; then
if compiler compile "$g_file"; then
[ -n "$g_nolock" ] || mutex_on
run_it ${VARDIR}/.start $g_debugging start
run_it ${VARDIR}/.start start
rc=$?
[ -n "$g_nolock" ] || mutex_off
else
@ -721,6 +725,10 @@ compile_command() {
g_confess=Yes
option=${option#T}
;;
D*)
g_trace=Yes
option=${option#D}
;;
-)
finished=1
option=
@ -768,7 +776,7 @@ compile_command() {
[ "x$g_file" = x- ] && g_doing=''
compiler $g_debugging compile "$g_file"
compiler compile "$g_file"
}
#
@ -815,6 +823,10 @@ check_command() {
g_confess=Yes
option=${option#T}
;;
D*)
g_trace=Yes
option=${option#D}
;;
*)
option_error $option
;;
@ -851,7 +863,7 @@ check_command() {
g_doing="Checking"
compiler $g_debugging $g_nolock check
compiler check
}
#
@ -906,6 +918,10 @@ update_command() {
A*)
option=${option#A}
;;
D*)
g_trace=Yes
option=${option#D}
;;
*)
option_error $option
;;
@ -942,7 +958,7 @@ update_command() {
g_doing="Updating"
compiler $g_debugging $g_nolock check
compiler check
}
#
@ -999,6 +1015,10 @@ restart_command() {
g_counters=Yes
option=${option#C}
;;
D*)
g_trace=Yes
option=${option#D}
;;
*)
option_error $option
;;
@ -1044,9 +1064,9 @@ restart_command() {
g_file="${VARDIR}/.${COMMAND}"
if [ -z "$g_fast" ]; then
if compiler $g_debugging $g_nolock compile "$g_file"; then
if compiler compile "$g_file"; then
[ -n "$g_nolock" ] || mutex_on
run_it ${VARDIR}/.${COMMAND} $g_debugging ${COMMAND}
run_it ${VARDIR}/.${COMMAND} ${COMMAND}
rc=$?
[ -n "$g_nolock" ] || mutex_off
else
@ -1056,7 +1076,7 @@ restart_command() {
else
[ -x $g_firewall ] || fatal_error "No $g_firewall file found"
[ -n "$g_nolock" ] || mutex_on
run_it $g_firewall $g_debugging $COMMAND
run_it $g_firewall $COMMAND
rc=$?
[ -n "$g_nolock" ] || mutex_off
fi
@ -1197,7 +1217,7 @@ safe_commands() {
g_file="${VARDIR}/.$command"
if ! compiler $g_debugging nolock compile "$g_file"; then
if ! compiler compile "$g_file"; then
status=$?
exit $status
fi
@ -1223,7 +1243,7 @@ safe_commands() {
[ -n "$g_nolock" ] || mutex_on
if run_it ${VARDIR}/.$command $g_debugging $command; then
if run_it ${VARDIR}/.$command $command; then
printf "Do you want to accept the new firewall configuration? [y/n] "
@ -1334,7 +1354,7 @@ try_command() {
g_file="${VARDIR}/.$command"
if ! compiler $g_debugging $g_nolock compile "$g_file"; then
if ! compiler compile "$g_file"; then
status=$?
exit $status
fi
@ -1356,7 +1376,7 @@ try_command() {
[ -n "$g_nolock" ] || mutex_on
if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
sleep $timeout
if [ "$command" = "reload" ]; then
@ -1606,6 +1626,10 @@ remote_commands() # $* = original arguments less the command.
g_confess=Yes
option=${option#T}
;;
D*)
g_trace=Yes
option=${option#D}
;;
*)
option_error $option
;;
@ -1697,7 +1721,7 @@ remote_commands() # $* = original arguments less the command.
exitstatus=0
if compiler $g_debugging compiler "$g_file"; then
if compiler compiler "$g_file"; then
progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..."
if rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir}; then
save=$(find_file save);
@ -1712,20 +1736,20 @@ remote_commands() # $* = original arguments less the command.
progress_message3 "Copy complete"
if [ $COMMAND = remote-reload ]; then
if rsh_command "$program $g_debugging $verbose $timestamp reload"; then
if rsh_command "$program $verbose $timestamp reload"; then
progress_message3 "System $system reloaded"
else
exitstatus=$?
savit=
fi
elif [ $COMMAND = remote-restart ]; then
if rsh_command "$program $g_debugging $verbose $timestamp restart"; then
if rsh_command "$program $verbose $timestamp restart"; then
progress_message3 "System $system restarted"
else
exitstatus=$?
saveit=
fi
elif rsh_command "$program $g_debugging $verbose $timestamp start"; then
elif rsh_command "$program $verbose $timestamp start"; then
progress_message3 "System $system started"
else
exitstatus=$?
@ -1733,7 +1757,7 @@ remote_commands() # $* = original arguments less the command.
fi
if [ -n "$saveit" ]; then
if rsh_command "$program $g_debugging $verbose $timestamp save"; then
if rsh_command "$program $verbose $timestamp save"; then
progress_message3 "Configuration on system $system saved"
else
exitstatus=$?
@ -1816,7 +1840,7 @@ export_command() # $* = original arguments less the command.
g_file="$g_shorewalldir/firewall"
if compiler $g_debugging compile "$g_file" && \
if compiler compile "$g_file" && \
echo "Copying $file and ${file}.conf to ${target#*@}..." && \
scp $g_shorewalldir/firewall $g_shorewalldir/firewall.conf $target
then
@ -1831,7 +1855,7 @@ export_command() # $* = original arguments less the command.
run_command() {
if [ -x $g_firewall ] ; then
uptodate $g_firewall || echo " WARNING: $g_firewall is not up to date" >&2
run_it $g_firewall $g_debugging $@
run_it $g_firewall $@
else
fatal_error "$g_firewall does not exist or is not executable"
fi
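Review bot: The comment `# Only use the pager if 'trace' or -r was specified and -d was not` above the rewritten pager test in compiler() still names the removed `trace` keyword, while the condition now reads `[ -z "$g_trace" -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=`; it should say `# Only use the pager if -D or -r was specified and -d was not`. The same `D*) g_trace=Yes` arm is repeated in six option loops (start, compile, check, update, restart, remote), and nothing in these hunks shows `g_trace` being initialised, so an empty default next to the other `g_` globals would make the `-z "$g_trace"` test safe under `set -u` if that is ever enabled — the loops themselves start outside the hunks. In remote_commands the rewritten `rsh_command "$program $verbose $timestamp reload"` (and the restart, start and save lines) no longer forward any debug setting to the remote system, so a local `-D` now affects only the local compile; if that is intended, a one-line comment above the first rsh_command saying so would stop the next reader from treating it as an omission. In run_command the rewritten `run_it $g_firewall $@` would be safer as `run_it $g_firewall "$@"` so arguments with spaces reach the firewall script intact.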


@ -834,18 +834,30 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.0.6. When set to <option>Yes</option>,
the generated script will save Docker-generated rules before and
restore them after executing the <command>start</command>,
<command>stop</command>, <command>reload</command> and
<command>restart</command> commands. If set to <option>No</option>
(the default), the generated script will delete any Docker-generated
rules when executing those commands. See<ulink url="/Docker.html">
<para>Added in Shorewall 5.0.6; IPv4 only. When set to
<option>Yes</option>, the generated script will save
Docker-generated rules before and restore them after executing the
<command>start</command>, <command>stop</command>,
<command>reload</command> and <command>restart</command> commands.
If set to <option>No</option> (the default), the generated script
will delete any Docker-generated rules when executing those
commands. See<ulink url="/Docker.html">
http://www.shorewall.org/Docker.html</ulink> for additional
information.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">DOCKER_BRIDGE=</emphasis>[<emphasis>bridgename</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.2.4; IPv4 only. Specifies the name of the
default Docker bridge. If not specified, the value 'docker0' is
assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>


@ -1 +1 @@
5.2.3.7
5.2.4-Beta1


@ -1 +1 @@
5.2.3.7
5.2.4-Beta1


@ -8,7 +8,7 @@
# firewall is completely up).
#
# This script should not change the firewall configuration directly but
# may do so indirectly by running /sbin/shorewall6 with the 'nolock'
# may do so indirectly by running /sbin/shorewall6 with the '-N'
# option.
#
# See http://shorewall.org/shorewall_extension_scripts.htm for additional


@ -20,6 +20,8 @@
<copyright>
<year>2006-2010</year>
<year>2020</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -227,10 +229,10 @@
<listitem>
<programlisting><command>cd &lt;export directory&gt;</command>
<command>/sbin/shorewall load firewall</command></programlisting>
<command>/sbin/shorewall remote-startfirewall</command></programlisting>
<para>The <ulink
url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
url="starting_and_stopping_shorewall.htm#Load"><command>remote-start</command></ulink>
command compiles a firewall script from the configuration files
in the current working directory (using <command>shorewall
compile -e</command>), copies that file to the remote system via
@ -239,7 +241,8 @@
<para>Example (firewall's DNS name is 'gateway'):</para>
<para><command>/sbin/shorewall load gateway</command><note>
<para><command>/sbin/shorewall remote-start
gateway</command><note>
<para>Although scp and ssh are used by default, you can use
other utilities by setting RSH_COMMAND and RCP_COMMAND in
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
@ -261,119 +264,16 @@
then:</para>
<programlisting><command>cd &lt;export directory&gt;</command>
<command>/sbin/shorewall reload firewall</command></programlisting>
<command>/sbin/shorewall remote-reload firewall</command></programlisting>
<para>The <ulink
url="manpages/shorewall.html"><command>reload</command></ulink>
url="manpages/shorewall.html"><command>remote-reload</command></ulink>
command compiles a firewall script from the configuration files in
the current working directory (using <command>shorewall compile
-e</command>), copies that file to the remote system via scp and
restarts Shorewall Lite on the remote system via ssh. The <emphasis
role="bold">reload</emphasis> command also supports the '-c'
role="bold">remote-reload</emphasis> command also supports the '-c'
option.</para>
<para>I personally place a <filename>Makefile</filename> in each
export directory as follows:</para>
<blockquote>
<programlisting># Shorewall Packet Filtering Firewall Export Directory Makefile - V3.3
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2006 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.org
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
################################################################################
# Place this file in each export directory. Modify each copy to set HOST
# to the name of the remote firewall corresponding to the directory.
#
# To make the 'firewall' script, type "make".
#
# Once the script is compiling correctly, you can install it by
# typing "make install".
#
################################################################################
# V A R I A B L E S
#
# Files in the export directory on which the firewall script does not depend
#
IGNOREFILES = firewall% Makefile% trace% %~
#
# Remote Firewall system
#
HOST = gateway
#
# Save some typing
#
LITEDIR = /var/lib/shorewall-lite
#
# Set this if the remote system has a non-standard modules directory
#
MODULESDIR=
#
# Default target is the firewall script
#
################################################################################
# T A R G E T S
#
all: firewall
#
# Only generate the capabilities file if it doesn't already exist
#
capabilities:
ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap &gt; $(LITEDIR)/capabilities"
scp root@$(HOST):$(LITEDIR)/capabilities .
#
# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
# 'filter-out' will be presented with the list of files in this directory rather than "*"
#
firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
shorewall compile -e . firewall
#
# Only reload on demand.
#
install: firewall
scp firewall firewall.conf root@$(HOST):$(LITEDIR)
ssh root@$(HOST) "/sbin/shorewall-lite restart"
#
# Save running configuration
#
save:
ssh root@$(HOST) "/sbin/shorewall-lite save"
#
# Remove generated files
#
clean:
rm -f capabilities firewall firewall.conf reload
</programlisting>
</blockquote>
<para>That way, after I've changed the configuration, I can simply
type <command>make</command> or <emphasis role="bold">make
install</emphasis>.</para>
<note>
<para>The above Makefile is available at <ulink
url="http://www1.shorewall.net/pub/shorewall/contrib/Shorewall-lite/">http://www.shorewall.org/pub/shorewall/contrib/Shorewall-lite/</ulink></para>
</note>
<note>
<para>I omit trace% because I often trace compiler execution while
I'm debugging new versions of Shorewall.</para>
</note>
</listitem>
</orderedlist>
@ -410,63 +310,63 @@ clean:
run Debian or one of its derivatives (see <link
linkend="Debian">above</link>).</para>
<para>The <filename>/sbin/shorewall-lite</filename> program included
<para>The <filename>/sbin/shorewall-lite</filename> program (which is a
symbolic link pointing to <filename>/sbin/shorewall</filename>) included
with Shorewall Lite supports the same set of commands as the
<filename>/sbin/shorewall</filename> program in a full Shorewall
installation with the following exceptions:</para>
<blockquote>
<simplelist>
<member>add</member>
<member>action</member>
<member>actions</member>
<member>check</member>
<member>compile</member>
<member>delete</member>
<member>export</member>
<member>refresh</member>
<member>macro</member>
<member>reload</member>
<member>macros</member>
<member>try</member>
<member>remote-getrc</member>
<member>safe-start</member>
<member>remote-getcaps</member>
<member>remote-reload</member>
<member>remote-restart</member>
<member>remote-start</member>
<member>safe-reload</member>
<member>safe-restart</member>
<member>show actions</member>
<member>safe-start</member>
<member>show macros</member>
<member>try</member>
<member>update</member>
</simplelist>
</blockquote>
<para>On systems with only Shorewall Lite installed, I recommend that
you create a symbolic link <filename>/sbin/shorewall</filename> and
point it at <filename>/sbin/shorewall-lite</filename>. That way, you can
use <command>shorewall</command> as the command regardless of which
product is installed.</para>
<blockquote>
<programlisting><command>ln -sf shorewall-lite /sbin/shorewall</command></programlisting>
</blockquote>
<section>
<title>Module Loading</title>
<para>As with a normal Shorewall configuration, the shorewall.conf
file can specify LOAD_HELPERS_ONLY which determines if the
<filename>modules</filename> file (LOAD_HELPERS_ONLY=No) or
<filename>helpers</filename> file (LOAD_HELPERS_ONLY=Yes) is used.
Normally, the file on the firewall system is used. If you want to
specify modules at compile time on the Administrative System, then you
must place a copy of the appropriate file
(<filename>modules</filename> or <filename>helpers</filename>) in the
firewall's configuration directory before compilation.</para>
<para>Normally, the <filename>helpers</filename> file on the firewall
system is used. If you want to specify modules at compile time on the
Administrative System, then you must place a copy of the
<filename>helpers</filename> file in the firewall's configuration
directory before compilation.</para>
<para>In Shorewall 4.4.17, the EXPORTMODULES option was added to
shorewall.conf (and shorewall6.conf). When EXPORTMODULES=Yes, any
<filename>modules</filename> or <filename>helpers</filename> file
found on the CONFIG_PATH on the Administrative System during
compilation will be used.</para>
<filename>helpers</filename> file found on the CONFIG_PATH on the
Administrative System during compilation will be used.</para>
</section>
<section id="Converting">
@ -503,10 +403,6 @@ clean:
<listitem>
<para>Install Shorewall Lite on the firewall system.</para>
<para>If you are running Debian or one of its derivatives like
Ubuntu then edit <filename>/etc/default/shorewall-lite</filename>
and set startup=1.</para>
</listitem>
<listitem>
@ -753,52 +649,126 @@ clean:
kernel/iptables capabilities of the target system. Here is a sample
file:</para>
<blockquote>
<programlisting>#
# Shorewall detected the following iptables/netfilter capabilities - Tue Jul 15 07:28:12 PDT 2008
<programlisting>
# Shorewall 5.2.3.3 detected the following iptables/netfilter capabilities - Mon 16 Sep 2019 01:32:20 PM PDT
#
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
MULTIPORT=Yes
XMULTIPORT=Yes
CONNTRACK_MATCH=Yes
POLICY_MATCH=Yes
PHYSDEV_MATCH=Yes
PHYSDEV_BRIDGE=Yes
LENGTH_MATCH=Yes
IPRANGE_MATCH=Yes
RECENT_MATCH=Yes
OWNER_MATCH=Yes
IPSET_MATCH=Yes
CONNMARK=Yes
XCONNMARK=Yes
CONNMARK_MATCH=Yes
XCONNMARK_MATCH=Yes
RAW_TABLE=Yes
IPP2P_MATCH=
CLASSIFY_TARGET=Yes
ENHANCED_REJECT=Yes
KLUDGEFREE=Yes
MARK=Yes
XMARK=Yes
MANGLE_FORWARD=Yes
COMMENTS=Yes
ACCOUNT_TARGET=
ADDRTYPE=Yes
TCPMSS_MATCH=Yes
AMANDA_HELPER=
ARPTABLESJF=
AUDIT_TARGET=Yes
BASIC_EMATCH=Yes
BASIC_FILTER=Yes
CAPVERSION=50200
CHECKSUM_TARGET=Yes
CLASSIFY_TARGET=Yes
COMMENTS=Yes
CONDITION_MATCH=
CONNLIMIT_MATCH=Yes
CONNMARK_MATCH=Yes
CONNMARK=Yes
CONNTRACK_MATCH=Yes
CPU_FANOUT=Yes
CT_TARGET=Yes
DSCP_MATCH=Yes
DSCP_TARGET=Yes
EMULTIPORT=Yes
ENHANCED_REJECT=Yes
EXMARK=Yes
FLOW_FILTER=Yes
FTP0_HELPER=
FTP_HELPER=Yes
FWMARK_RT_MASK=Yes
GEOIP_MATCH=
GOTO_TARGET=Yes
H323_HELPER=
HASHLIMIT_MATCH=Yes
HEADER_MATCH=
HELPER_MATCH=Yes
IFACE_MATCH=
IMQ_TARGET=
IPMARK_TARGET=
IPP2P_MATCH=
IPRANGE_MATCH=Yes
IPSET_MATCH_COUNTERS=Yes
IPSET_MATCH_NOMATCH=Yes
IPSET_MATCH=Yes
IPSET_V5=Yes
IPTABLES_S=Yes
IRC0_HELPER=
IRC_HELPER=Yes
KERNELVERSION=41900
KLUDGEFREE=Yes
LENGTH_MATCH=Yes
LOGMARK_TARGET=
LOG_TARGET=Yes
MANGLE_ENABLED=Yes
MANGLE_FORWARD=Yes
MARK_ANYWHERE=Yes
MARK=Yes
MASQUERADE_TGT=Yes
MULTIPORT=Yes
NAT_ENABLED=Yes
NAT_INPUT_CHAIN=Yes
NETBIOS_NS_HELPER=
NETMAP_TARGET=Yes
NEW_CONNTRACK_MATCH=Yes
NEW_TOS_MATCH=Yes
NFACCT_MATCH=Yes
NFLOG_SIZE=Yes
NFLOG_TARGET=Yes
NFQUEUE_TARGET=Yes
OLD_CONNTRACK_MATCH=
OLD_HL_MATCH=
OLD_IPP2P_MATCH=
OLD_IPSET_MATCH=
OWNER_MATCH=Yes
OWNER_NAME_MATCH=Yes
PERSISTENT_SNAT=Yes
PHYSDEV_BRIDGE=Yes
PHYSDEV_MATCH=Yes
POLICY_MATCH=Yes
PPTP_HELPER=
RAW_TABLE=Yes
REALM_MATCH=Yes
CAPVERSION=40190</programlisting>
</blockquote>
REAP_OPTION=Yes
RECENT_MATCH=Yes
RESTORE_WAIT_OPTION=Yes
RPFILTER_MATCH=Yes
SANE0_HELPER=
SANE_HELPER=
SIP0_HELPER=
SIP_HELPER=
SNMP_HELPER=
STATISTIC_MATCH=Yes
TARPIT_TARGET=
TCPMSS_MATCH=Yes
TCPMSS_TARGET=Yes
TFTP0_HELPER=
TFTP_HELPER=
TIME_MATCH=Yes
TPROXY_TARGET=Yes
UDPLITEREDIRECT=
ULOG_TARGET=
WAIT_OPTION=Yes
XCONNMARK_MATCH=Yes
XCONNMARK=Yes
XMARK=Yes
XMULTIPORT=Yes</programlisting>
<para>As you can see, the file contains a simple list of shell variable
assignments — the variables correspond to the capabilities listed by the
<command>shorewall show capabilities</command> command and they appear in
the same order as the output of that command.</para>
<para>To aid in creating this file, Shorewall Lite includes a
<command>shorecap</command> program. The program is installed in the
<filename class="directory">/usr/share/shorewall-lite/</filename>
<para>The capabilities file can be generated automatically from the
administrative system by using the <command>remote-getcaps</command>
command. Should that option fail for any reason, the file can be generated
manually on the remote firewall.</para>
<para>To aid in creating this file on the remote firewall, Shorewall Lite
includes a <command>shorecap</command> program. The program is installed
in the <filename class="directory">/usr/share/shorewall-lite/</filename>
directory and may be run as follows:</para>
<blockquote>
@ -825,41 +795,52 @@ CAPVERSION=40190</programlisting>
<command>show capabilities</command> command shows the kernel's current
capabilities; it does not attempt to load additional kernel
modules.</para>
<para>Once generated, the file can be copied manually to the
administrative system.</para>
</section>
<section id="Running">
<title>Running compiled programs directly</title>
<para>Compiled firewall programs are complete shell programs that support
the following command line forms:</para>
<para>Compiled firewall programs are complete shell programs that may be
run directly. Here is the output from the program's help command
(Shorewall version 5.2.4)</para>
<blockquote>
<simplelist>
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
start</command></member>
<programlisting>&lt;program&gt; [ options ] &lt;command&gt;
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
stop</command></member>
&lt;command&gt; is one of:
start
stop
clear
disable &lt;interface&gt;
down &lt;interface&gt;
enable &lt;interface&gt;
reset
reenable &lt;interface&gt;
refresh
reload
restart
run &lt;command&gt; [ &lt;parameter&gt; ... ]
status
up &lt;interface&gt;
savesets &lt;file&gt;
call &lt;function&gt; [ &lt;parameter&gt; ... ]
help
version
info
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
clear</command></member>
Options are:
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
refresh</command></member>
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
reset</command></member>
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
restart</command></member>
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
status</command></member>
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
version</command></member>
</simplelist>
</blockquote>
-v and -q Standard Shorewall verbosity controls
-n Don't update routing configuration
-p Purge Conntrack Table
-t Timestamp progress Messages
-c Save/restore iptables counters
-V &lt;verbosity&gt; Set verbosity explicitly
-R &lt;file&gt; Override RESTOREFILE setting
-T Trace execution
</programlisting>
<para>The options have the same meanings as when they are passed to
<filename>/sbin/shorewall</filename> itself. The default VERBOSITY level


@ -348,7 +348,7 @@ ZONE_BITS=0
# For information about the settings in this file, type "man shorewall6.conf"
#
# Manpage also online at
# http://www.shorewall.net/manpages/shorewall.conf.html
# http://www.shorewall.org/manpages/shorewall.conf.html
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################


@ -18,7 +18,7 @@
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2001-2019</year>
<year>2001-2020</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -56,7 +56,7 @@
Shorewall</ulink> is required reading for being able to use this article
effectively. For information about setting up your first Shorewall-based
firewall, see the <ulink url="GettingStarted.html">Quickstart
Guides</ulink>.in</para>
Guides</ulink>.</para>
</section>
<section id="Files">
@ -327,6 +327,39 @@
page for that file is 'shorewall.conf':</para>
<programlisting>man shorewall.conf</programlisting>
<para>Parts of this and other articles are also available as
manpages:</para>
<itemizedlist>
<listitem>
<para>shorewall-addresses(5)</para>
</listitem>
<listitem>
<para>shorewall-exclusion(5)</para>
</listitem>
<listitem>
<para>shorewall-files(5)</para>
</listitem>
<listitem>
<para>shorewall-ipsets(5)</para>
</listitem>
<listitem>
<para>shorewall-logging(5)</para>
</listitem>
<listitem>
<para>shorewall-names(5)</para>
</listitem>
<listitem>
<para>shorewall-nesting(5)</para>
</listitem>
</itemizedlist>
</section>
<section id="Comments">
@ -534,7 +567,7 @@ ACCEPT net:\
readability as in:</para>
<simplelist>
<member><emphasis role="bold">{ proto=&gt;udp, port=1024
<member><emphasis role="bold">{ proto=&gt;udp, dport=1024
}</emphasis></member>
</simplelist>
</listitem>
@ -545,13 +578,14 @@ ACCEPT net:\
<simplelist>
<member><emphasis role="bold">; proto:udp,
port:1024</emphasis></member>
dport:1024</emphasis></member>
</simplelist>
<important>
<para>This form is incompatible with INLINE_MATCHES=Yes. See the
INLINE_MATCHES option in <ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, if you
are running a version of Shorewall earlier than 5.0..</para>
</important>
</listitem>
</itemizedlist>
@ -1509,16 +1543,15 @@ SSH(ACCEPT) net:$MYIP $FW
<programlisting>    /etc/shorewall/params
NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,routefilter
    /etc/shorewall/interfaces record:
net $NET_IF $NET_BCAST $NET_OPTIONS
net $NET_IF $NET_OPTIONS
    The result will be the same as if the record had been written
net eth0 130.252.100.255 routefilter,routefilter
net eth0 routefilter,routefilter
</programlisting>
</blockquote>
@ -2193,7 +2226,7 @@ SSH(ACCEPT) net:$MYIP $FW
<important>
<para>Beginning with Shorewall 4.5.11, the compiler's environmental
variables are search last rather than first.</para>
variables are searched last rather than first.</para>
</important>
<para>If the <replaceable>variable</replaceable> is still not
@ -2704,9 +2737,10 @@ POP(ACCEPT) loc net:pop.gmail.com</programlisting>
<section id="IPRanges">
<title>IP Address Ranges</title>
<para>If you kernel and iptables have iprange match support, you may use
IP address ranges in Shorewall configuration file entries; IP address
ranges have the syntax &lt;<emphasis>low IP
<para>If you kernel and iptables have <emphasis>iprange</emphasis>
<emphasis>match</emphasis> <emphasis>support</emphasis>, you may use IP
address ranges in Shorewall configuration file entries; IP address ranges
have the syntax &lt;<emphasis>low IP
address</emphasis>&gt;-&lt;<emphasis>high IP address</emphasis>&gt;.
Example: 192.168.1.5-192.168.1.12.</para>
@ -2714,16 +2748,15 @@ POP(ACCEPT) loc net:pop.gmail.com</programlisting>
the <command>shorewall show capabilities</command> command:</para>
<programlisting>&gt;~ <command>shorewall show capabilities</command>
...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Not available
Policy Match: Available
Physdev Match: Available
<emphasis role="bold">IP range Match: Available &lt;--------------</emphasis></programlisting>
ACCOUNT Target (ACCOUNT_TARGET): Not available
Address Type Match (ADDRTYPE): Available
Amanda Helper: Available
...
IPMARK Target (IPMARK_TARGET): Not available
IPP2P Match (IPP2P_MATCH): Not available
<emphasis role="bold">IP range Match(IPRANGE_MATCH): Available</emphasis> <emphasis
role="bold">&lt;================</emphasis></programlisting>
</section>
<section id="Ports">
@ -2860,7 +2893,7 @@ neighbour-solicitation =&gt; 135
neighbour-advertisement =&gt; 136
redirect =&gt; 137</programlisting>
<para>Shorewall 4.4 does not accept lists if ICMP (ICMP6) types prior to
<para>Shorewall 4.4 does not accept lists of ICMP (ICMP6) types prior to
Shorewall 4.4.19.</para>
</section>


@ -1 +1 @@
5.2.3.7
5.2.4-Beta1


@ -1 +1 @@
5.2.3.7
5.2.4-Beta1


@ -26,6 +26,8 @@
<year>2007</year>
<year>2020</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -201,6 +203,40 @@
</blockquote></para>
</section>
<section>
<title>systemd</title>
<para>As with SysV init described in the preceeding section, the behavior
of systemctl commands differ from the Shorewall CLI commands on
Debian-based systems. To make systemctl stop shorewall[-lite] and
systemctl restart shorewall[-lite] behave like shorewall stop and
shorewall restart, use this workaround provided by J Cliff
Armstrong:</para>
<para> Type (as root):</para>
<programlisting> <command>systemctl edit shorewall.service</command></programlisting>
<para>This will open the default terminal editor to a blank file in which
you can paste the following:</para>
<programlisting>[Service]
# reset ExecStop ExecStop=
# set ExecStop to "stop" instead of "clear"
ExecStop=/sbin/shorewall $OPTIONS stop</programlisting>
<para>Then type</para>
<programlisting> <command>systemctl daemon-reload</command></programlisting>
<para>to activate the changes. This change will survive future updates of
the shorewall package from apt repositories. The override file itself will
be saved to `/etc/systemd/system/shorewall.service.d/`.</para>
<para>The same workaround may be applied to the other Shorewall products
(excluding Shorewall Init).</para>
</section>
<section id="Trace">
<title>Tracing Command Execution and other Debugging Aids</title>
@ -211,21 +247,25 @@
<para>Example:</para>
<programlisting>shorewall trace check -r</programlisting>
<programlisting><command>shorewall trace check -r</command> # Shorewall versions prior to 5.2.4
<command>shorewall check -D </command> # Shorewall versions 5.2.4 and later</programlisting>
<para>This produces a large amount of diagnostic output to standard out
during the compilation step. If entered on a command that doesn't invoke
the compiler, <emphasis role="bold">trace</emphasis> is ignored.</para>
during the compilation step. If the command invokes the compiled firewall
script, then that script's execution is traced to standard error. If
entered on a command that invokes neither the compiler nor the compiled
script, <emphasis role="bold">trace</emphasis> is ignored.</para>
<para>Commands that invoke a compiled fireawll script can have the word
debug inserted immediately after the command.</para>
<para>Example:</para>
<programlisting>shorewall debug restart</programlisting>
<programlisting><command>shorewall debug restart</command> # Shorewall versions prior to 5.2.4
<command>shorewall -D restart</command> # Shorewall versions 5.2.4 and later</programlisting>
<para><emphasis role="bold">debug</emphasis> causes altered behavior of
scripts generated by the Shorewall compiler. These scripts normally use
<para><emphasis role="bold">debug</emphasis> (-D) causes altered behavior
of scripts generated by the Shorewall compiler. These scripts normally use
ip[6]tables-restore to install the Netfilter ruleset, but with debug, the
commands normally passed to iptables-restore in its input file are passed
individually to ip[6]tables. This is a diagnostic aid which allows
@ -257,37 +297,6 @@
</warning>
</section>
<section id="Boot">
<title>Having Shorewall Start Automatically at Boot Time</title>
<para>The .rpm, .deb and .tgz all try to configure your startup scripts so
that Shorewall will start automatically at boot time. If you are using the
<command>install.sh </command>script from the .tgz and it cannot determine
how to configure automatic startup, a message to that effect will be
displayed. You will need to consult your distribution's documentation to
see how to integrate the <filename>/etc/init.d/shorewall</filename> script
into the distribution's startup mechanism.<caution>
<itemizedlist>
<listitem>
<para>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by editing
<filename>/etc/shorewall/shorewall.conf</filename> and setting
STARTUP_ENABLED=Yes.. Note: Users of the .deb package must rather
edit <filename>/etc/default/shorewall</filename> and set
<quote>startup=1</quote>.</para>
</listitem>
<listitem>
<para>If you use dialup or some flavor of PPP where your IP
address can change arbitrarily, you may want to start the firewall
in your <command>/etc/ppp/ip-up.local</command> script. I
recommend just placing <quote><command>/sbin/shorewall
restart</command></quote> in that script.</para>
</listitem>
</itemizedlist>
</caution></para>
</section>
<section id="Saved">
<title>Saving a Working Configuration for Error Recovery and Fast
Startup</title>