Merge branch '5.2.4'

This commit is contained in:
Tom Eastep 2020-03-10 14:18:52 -07:00
commit 54a70e4632
GPG Key ID: 96E6B3F2423A4D10
27 changed files with 575 additions and 527 deletions


@ -1 +1 @@
5.2.3.7 5.2.4-Beta1


@ -4120,9 +4120,9 @@ start_command() {
if [ -x $g_firewall ]; then if [ -x $g_firewall ]; then
if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore run_it ${VARDIR}/${RESTOREFILE} restore
else else
run_it $g_firewall $g_debugging start run_it $g_firewall start
fi fi
rc=$? rc=$?
else else
@ -4256,7 +4256,7 @@ restart_command() {
[ -n "$g_nolock" ] || mutex_on [ -n "$g_nolock" ] || mutex_on
if [ -x $g_firewall ]; then if [ -x $g_firewall ]; then
run_it $g_firewall $g_debugging $COMMAND run_it $g_firewall $COMMAND
rc=$? rc=$?
else else
error_message "$g_firewall is missing or is not executable" error_message "$g_firewall is missing or is not executable"
@ -4270,7 +4270,7 @@ restart_command() {
run_command() { run_command() {
if [ -x $g_firewall ] ; then if [ -x $g_firewall ] ; then
run_it $g_firewall $g_debugging $@ run_it $g_firewall $@
else else
fatal_error "$g_firewall does not exist or is not executable" fatal_error "$g_firewall does not exist or is not executable"
fi fi
@ -4287,7 +4287,13 @@ ecko() {
# #
usage() # $1 = exit status usage() # $1 = exit status
{ {
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>" echo "Usage: $(basename $0) [ -T ] [ -D ] [ -N ] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
echo " -T : Direct the generated script to produce a shell trace to standard error"
echo " -D : Debug iptables commands"
echo " -N : Don't take the master shorewall lock"
echo " -q : Standard Shorewall verbosity control"
echo " -v : Standard Shorewall verbosity control"
echo " -t : Timestamp all messages"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host-list>] ... <zone>" echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..." echo " allow <address> ..."
@ -4317,7 +4323,6 @@ usage() # $1 = exit status
echo " iptrace <ip6tables match expression>" echo " iptrace <ip6tables match expression>"
fi fi
ecko " load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
echo " logdrop <address> ..." echo " logdrop <address> ..."
echo " logreject <address> ..." echo " logreject <address> ..."
echo " logwatch [<refresh interval>]" echo " logwatch [<refresh interval>]"
@ -4415,20 +4420,16 @@ usage() # $1 = exit status
# here if that lib is loaded below. # here if that lib is loaded below.
# #
shorewall_cli() { shorewall_cli() {
g_debugging=
if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
g_debugging=$1
shift
fi
g_nolock= g_nolock=
#
# We'll keep this around for a while so we don't break people's started scripts
#
if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
g_nolock=nolock g_nolock=nolock
shift shift
fi fi
g_debugging=
g_noroutes= g_noroutes=
g_purge= g_purge=
g_ipt_options="-nv" g_ipt_options="-nv"
@ -4456,6 +4457,7 @@ shorewall_cli() {
g_blacklistipset= g_blacklistipset=
g_disconnect= g_disconnect=
g_havemutex= g_havemutex=
g_trace=
VERBOSE= VERBOSE=
VERBOSITY=1 VERBOSITY=1
@ -4587,6 +4589,17 @@ shorewall_cli() {
finished=1 finished=1
option= option=
;; ;;
T*)
g_debugging=trace
option=${option#T}
;;
D*)
g_debugging=debug
option=${option#D}
;;
N*)
g_nolock=nolock
;;
*) *)
option_error $option option_error $option
;; ;;
@ -4639,7 +4652,7 @@ shorewall_cli() {
get_config get_config
[ -x $g_firewall ] || fatal_error "$g_product has never been started" [ -x $g_firewall ] || fatal_error "$g_product has never been started"
[ -n "$g_nolock" ] || mutex_on [ -n "$g_nolock" ] || mutex_on
run_it $g_firewall $g_debugging $COMMAND run_it $g_firewall $COMMAND
[ -n "$g_nolock" ] || mutex_off [ -n "$g_nolock" ] || mutex_off
;; ;;
reset) reset)
@ -4648,7 +4661,7 @@ shorewall_cli() {
shift shift
[ -n "$g_nolock" ] || mutex_on [ -n "$g_nolock" ] || mutex_on
[ -x $g_firewall ] || fatal_error "$g_product has never been started" [ -x $g_firewall ] || fatal_error "$g_product has never been started"
run_it $g_firewall $g_debugging reset $@ run_it $g_firewall reset $@
[ -n "$g_nolock" ] || mutex_off [ -n "$g_nolock" ] || mutex_off
;; ;;
reload|restart) reload|restart)
@ -4661,7 +4674,7 @@ shorewall_cli() {
only_root only_root
get_config Yes get_config Yes
if product_is_started; then if product_is_started; then
run_it $g_firewall $g_debugging $@ run_it $g_firewall $@
else else
fatal_error "$g_product is not running" fatal_error "$g_product is not running"
fi fi
@ -4816,7 +4829,7 @@ shorewall_cli() {
# It isn't a function visible to this script -- try # It isn't a function visible to this script -- try
# the compiled firewall # the compiled firewall
# #
run_it $g_firewall $g_debugging call $@ run_it $g_firewall call $@
fi fi
else else
missing_argument missing_argument
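Review bot: The new `N*)` case in the shorewall_cli option parser sets `g_nolock=nolock` but, unlike the `T*)` and `D*)` cases right above it, never strips the letter from `option`; if the enclosing loop (which starts outside this hunk) keeps iterating while `option` is non-empty, a bare `-N` would never advance, and `-Nv1`-style bundling would never reach the other letters. Suggest adding `option=${option#N}` after `g_nolock=nolock` so the three new cases behave alike. In `usage()`, the new `-N` line could also say what the caller takes on, e.g. `echo "   -N : Don't take the master shorewall lock (caller is responsible for serializing firewall changes)"`, since skipping the lock removes the only guard against two concurrent state changes. The shorewall_cli function and its option loop begin and end outside the hunks shown.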


@ -92,18 +92,20 @@ startup_error() # $* = Error Message
# #
run_it() { run_it() {
local script local script
local options local options='-'
export VARDIR export VARDIR
script=$1 script=$1
shift shift
if [ x$1 = xtrace -o x$1 = xdebug ]; then
options="$1 -" if [ "$g_debugging" = debug ]; then
shift; options='-D'
elif [ "$g_debugging" = trace ]; then
options='-T'
else else
options='-' options='-';
fi fi
[ -n "$g_noroutes" ] && options=${options}n [ -n "$g_noroutes" ] && options=${options}n
@ -736,8 +738,8 @@ truncate() # $1 = length
# #
# Call this function to assert mutual exclusion with Shorewall. If you invoke the # Call this function to assert mutual exclusion with Shorewall. If you invoke the
# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as # /sbin/shorewall program while holding mutual exclusion, you should pass -N as
# the first argument. Example "shorewall nolock refresh" # the first argument. Example "shorewall -N refresh"
# #
# This function uses the lockfile utility from procmail if it exists. # This function uses the lockfile utility from procmail if it exists.
# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
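Review bot: run_it now derives the script's `-D`/`-T` option from the global `g_debugging` instead of a positional `trace`/`debug` word after the script name, so any out-of-tree caller that still passes that word will have it forwarded to the compiled firewall script as its command, and the hunk gives no fallback or diagnostic for that case; a note in the header comment above run_it (outside the hunk) about the changed calling convention would help. Since `local options='-'` already initializes the variable, the `else options='-';` branch is redundant and carries a stray semicolon; `if [ "$g_debugging" = debug ]; then options='-D'; elif [ "$g_debugging" = trace ]; then options='-T'; fi` reads cleaner. A comment above the test, `# g_debugging is set by the CLI's -D/-T options; empty means run the script normally`, would document the new coupling to the CLI library. run_it's body continues past the end of the hunk.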


@ -21,9 +21,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg rep="norepeat">options</arg> <arg rep="norepeat">options</arg>
<arg choice="plain"><option>add {</option></arg> <arg choice="plain"><option>add {</option></arg>
@ -39,9 +36,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>allow</option></arg> <arg choice="plain"><option>allow</option></arg>
@ -52,9 +46,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>blacklist</option></arg> <arg choice="plain"><option>blacklist</option></arg>
@ -67,9 +58,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>call</option></arg> <arg choice="plain"><option>call</option></arg>
@ -106,9 +94,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg <arg
@ -118,9 +103,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>close</option><arg choice="req"> <arg choice="plain"><option>close</option><arg choice="req">
@ -159,9 +141,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg rep="norepeat">options</arg> <arg rep="norepeat">options</arg>
<arg choice="plain"><option>delete {</option></arg> <arg choice="plain"><option>delete {</option></arg>
@ -177,9 +156,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>disable</option></arg> <arg choice="plain"><option>disable</option></arg>
@ -191,9 +167,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>drop</option></arg> <arg choice="plain"><option>drop</option></arg>
@ -204,8 +177,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>dump</option></arg> <arg choice="plain"><option>dump</option></arg>
@ -222,9 +193,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>enable</option></arg> <arg choice="plain"><option>enable</option></arg>
@ -236,9 +204,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6]</command> <command>shorewall[6]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>export</option></arg> <arg choice="plain"><option>export</option></arg>
@ -252,9 +217,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>forget</option></arg> <arg choice="plain"><option>forget</option></arg>
@ -265,8 +227,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>help</option></arg> <arg choice="plain"><option>help</option></arg>
@ -275,8 +235,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[-lite]</command> <command>shorewall[-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg <arg
@ -286,8 +244,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[-lite]</command> <command>shorewall[-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>ipcalc</option></arg> <arg choice="plain"><option>ipcalc</option></arg>
@ -304,8 +260,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[-lite]</command> <command>shorewall[-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>iprange</option></arg> <arg choice="plain"><option>iprange</option></arg>
@ -317,8 +271,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>iptrace</option></arg> <arg choice="plain"><option>iptrace</option></arg>
@ -330,9 +282,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>logdrop</option></arg> <arg choice="plain"><option>logdrop</option></arg>
@ -343,8 +292,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>logwatch</option></arg> <arg choice="plain"><option>logwatch</option></arg>
@ -357,9 +304,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>logreject</option></arg> <arg choice="plain"><option>logreject</option></arg>
@ -370,8 +314,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>noiptrace</option></arg> <arg choice="plain"><option>noiptrace</option></arg>
@ -394,9 +336,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>reenable</option></arg> <arg choice="plain"><option>reenable</option></arg>
@ -408,9 +347,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>reject</option></arg> <arg choice="plain"><option>reject</option></arg>
@ -421,9 +357,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>reload</option></arg> <arg choice="plain"><option>reload</option></arg>
@ -448,10 +381,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6]</command> <command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg>
<arg choice="plain"><option>remote-getcaps</option></arg> <arg choice="plain"><option>remote-getcaps</option></arg>
<arg><option>-s</option></arg> <arg><option>-s</option></arg>
@ -472,8 +401,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6]</command> <command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>remote-getrc</option></arg> <arg choice="plain"><option>remote-getrc</option></arg>
@ -496,8 +423,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6]</command> <command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>remote-start</option></arg> <arg choice="plain"><option>remote-start</option></arg>
@ -520,8 +445,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6]</command> <command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>remote-reload</option></arg> <arg choice="plain"><option>remote-reload</option></arg>
@ -544,8 +467,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6]</command> <command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>remote-restart</option></arg> <arg choice="plain"><option>remote-restart</option></arg>
@ -568,9 +489,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg <arg
@ -581,9 +499,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>restart</option></arg> <arg choice="plain"><option>restart</option></arg>
@ -608,9 +523,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg <arg
@ -622,9 +534,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>run</option></arg> <arg choice="plain"><option>run</option></arg>
@ -637,9 +546,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6]</command> <command>shorewall[6]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>safe-restart</option></arg> <arg choice="plain"><option>safe-restart</option></arg>
@ -656,8 +562,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6]</command> <command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>safe-start</option></arg> <arg choice="plain"><option>safe-start</option></arg>
@ -674,9 +578,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg <arg
@ -688,9 +589,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>savesets</option></arg> <arg choice="plain"><option>savesets</option></arg>
@ -699,8 +597,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg> <arg choice="req"><option>show | list | ls </option></arg>
@ -713,8 +609,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg> <arg choice="req"><option>show | list | ls </option></arg>
@ -735,8 +629,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg> <arg choice="req"><option>show | list | ls </option></arg>
@ -761,8 +653,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6]</command> <command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg> <arg choice="req"><option>show | list | ls </option></arg>
@ -774,8 +664,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg> <arg choice="req"><option>show | list | ls </option></arg>
@ -787,8 +675,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg> <arg choice="req"><option>show | list | ls </option></arg>
@ -800,8 +686,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg> <arg choice="req"><option>show | list | ls </option></arg>
@ -814,8 +698,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6]</command> <command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg> <arg choice="req"><option>show | list | ls </option></arg>
@ -827,8 +709,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg> <arg choice="req"><option>show | list | ls </option></arg>
@ -841,8 +721,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg> <arg choice="req"><option>show | list | ls </option></arg>
@ -853,8 +731,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="req"><option>show | list | ls </option></arg> <arg choice="req"><option>show | list | ls </option></arg>
@ -867,8 +743,7 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
@ -892,9 +767,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg <arg
@ -904,8 +776,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><arg <arg choice="plain"><arg
@ -915,9 +785,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6]</command> <command>shorewall[6]</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>try</option></arg> <arg choice="plain"><option>try</option></arg>
@ -930,8 +797,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6]</command> <command>shorewall[6]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg choice="plain"><option>update</option></arg> <arg choice="plain"><option>update</option></arg>
@ -956,8 +821,6 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall[6][-lite]</command> <command>shorewall[6][-lite]</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>options</arg> <arg>options</arg>
<arg <arg
@ -1025,16 +888,7 @@
<refsect1> <refsect1>
<title>Options</title> <title>Options</title>
<para>The <option>trace</option> and <option>debug</option> options are <para>The <replaceable>options</replaceable> are:</para>
used for debugging. See <ulink
url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.org/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
<para>The <option>nolock</option> option prevents the command from
attempting to acquire the Shorewall lockfile. It is useful if you need to
include <command>shorewall</command> commands in
<filename>/etc/shorewall/started</filename>.</para>
<para>Other <replaceable>options</replaceable> are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -1176,7 +1030,66 @@
<para>Causes all progress messages to be timestamped.</para> <para>Causes all progress messages to be timestamped.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-T</term>
<listitem>
<para>Added in Shorewall 5.2.4 to replace the earlier
<command>trace</command> keyword.. If the command invokes the
generated firewall script, the script's execution will be traced to
standard error.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D</term>
<listitem>
<para>Added in Shorewall 5.2.4 to replace the earlier debug keyword.
If the command invokes the generated firewall script, individual
invocations of the ip[6]tables utility will be used to configure the
ruleset rather than ip[6]tables-restore. This is useful for
diagnosing ip[6]tables-restore failures on a *COMMIT command.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<note>
<para>Prior to Shorewall 5.2.4, the general syntax for a CLI command
was:</para>
<cmdsynopsis>
<arg><option>trace|debug</option></arg>
<arg><option>nolock</option></arg>
<arg><replaceable>options</replaceable></arg>
<arg choice="plain"><replaceable>command</replaceable></arg>
<arg><replaceable>command-options</replaceable></arg>
<arg><replaceable>command-arguments</replaceable></arg>
</cmdsynopsis>
<para>Examples:</para>
<programlisting> shorewall debug -tv2 reload
shorewall trace check
shorewall nolock enable eth0</programlisting>
<para>In Shorewall 5.2.4 and later, those commands would be:</para>
<programlisting> shorewall -Dtv2 reload
shorewall check -D
shorewall -N enable eth0</programlisting>
<para>While not shown in the command synopses at the top of this page,
the <option>nolock</option> keyword is still supported in Shorewall
5.2.4 and later, but is deprecated in favor of the -<option>N
</option>option.</para>
</note>
</refsect1> </refsect1>
<refsect1> <refsect1>
@ -1214,11 +1127,12 @@
<para>Beginning with Shorewall 4.5.9, the <emphasis <para>Beginning with Shorewall 4.5.9, the <emphasis
role="bold">dynamic_shared</emphasis> zone option (<ulink role="bold">dynamic_shared</emphasis> zone option (<ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),<ulink url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),<ulink
url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5)) allows a single ipset to url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5))
handle entries for multiple interfaces. When that option is allows a single ipset to handle entries for multiple interfaces.
specified for a zone, the <command>add</command> command has the When that option is specified for a zone, the <command>add</command>
alternative syntax in which the <replaceable>zone</replaceable> name command has the alternative syntax in which the
precedes the <replaceable>host-list</replaceable>.</para> <replaceable>zone</replaceable> name precedes the
<replaceable>host-list</replaceable>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1294,7 +1208,7 @@
<term><emphasis role="bold">check</emphasis> [-<option>e</option>] <term><emphasis role="bold">check</emphasis> [-<option>e</option>]
[-<option>d</option>] [-<option>p</option>] [-<option>r</option>] [-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
[-<option>T</option>] [-<option>i</option>] [-<option>T</option>] [-<option>i</option>]
[<replaceable>directory</replaceable>]</term> [-D][<replaceable>directory</replaceable>]</term>
<listitem> <listitem>
<para>Not available with Shorewall[6]-lite.</para> <para>Not available with Shorewall[6]-lite.</para>
@ -1333,6 +1247,10 @@
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink (<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para> url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
<para>The <emphasis role="bold">-D </emphasis>option was added in
Shoewall 5.2.4 and causes the compiler to write a large amount of
debugging information to standard output.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1383,8 +1301,9 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">compile </emphasis>[-<option>e</option>] <term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
[-<option>c</option>] [-<option>d</option>] [-<option>p</option>] [-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
[-<option>T</option>] [-<option>i</option>] [<replaceable> directory [-<option>T</option>] [-<option>i</option>] [-D] [<replaceable>
</replaceable>] [<replaceable> pathname</replaceable> ]</term> directory </replaceable>] [<replaceable> pathname</replaceable>
]</term>
<listitem> <listitem>
<para>Not available with shorewall[6]-lite.</para> <para>Not available with shorewall[6]-lite.</para>
@ -1441,6 +1360,10 @@
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink (<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para> url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
<para>The <emphasis role="bold">-D </emphasis>option was added in
Shoewall 5.2.4 and causes the compiler to write a large amount of
debugging information to standard output.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1700,16 +1623,16 @@
<para>Monitors the log file specified by the LOGFILE option in <para>Monitors the log file specified by the LOGFILE option in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink (<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) and
and produces an audible alarm when new Shorewall messages are produces an audible alarm when new Shorewall messages are logged.
logged. The <emphasis role="bold">-m</emphasis> option causes the The <emphasis role="bold">-m</emphasis> option causes the MAC
MAC address of each packet source to be displayed if that address of each packet source to be displayed if that information is
information is available. The available. The <replaceable>refresh-interval</replaceable> specifies
<replaceable>refresh-interval</replaceable> specifies the time in the time in seconds between screen refreshes. You can enter a
seconds between screen refreshes. You can enter a negative number by negative number by preceding the number with "--" (e.g.,
preceding the number with "--" (e.g., <command>shorewall logwatch -- <command>shorewall logwatch -- -30</command>). In this case, when a
-30</command>). In this case, when a packet count changes, you will packet count changes, you will be prompted to hit any key to resume
be prompted to hit any key to resume screen refreshes.</para> screen refreshes.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1824,7 +1747,8 @@
<term><emphasis role="bold">reload </emphasis>[-<option>n</option>] <term><emphasis role="bold">reload </emphasis>[-<option>n</option>]
[-<option>p</option>] [-<option>d</option>] [-<option>f</option>] [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>] [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term> [-<option>C</option>] [-D] [ <replaceable>directory</replaceable>
]</term>
<listitem> <listitem>
<para>This command was re-implemented in Shorewall 5.0.0. The <para>This command was re-implemented in Shorewall 5.0.0. The
@ -1889,6 +1813,10 @@
the one that generated the current running configuration, then the one that generated the current running configuration, then
the running netfilter configuration will be reloaded as is so the running netfilter configuration will be reloaded as is so
as to preserve the iptables packet and byte counters.</para> as to preserve the iptables packet and byte counters.</para>
<para>The <emphasis role="bold">-D </emphasis>option was added
in Shoewall 5.2.4 and causes the compiler to write a large
amount of debugging information to standard output.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2071,7 +1999,8 @@
Beginning with Shorewall 5.0.13, if Beginning with Shorewall 5.0.13, if
<replaceable>system</replaceable> is omitted, then the FIREWALL <replaceable>system</replaceable> is omitted, then the FIREWALL
option setting in <ulink option setting in <ulink
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> (<ulink url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
(<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
assumed. In that case, if you want to specify a assumed. In that case, if you want to specify a
<replaceable>directory</replaceable>, then the <option>-D</option> <replaceable>directory</replaceable>, then the <option>-D</option>
@ -2144,7 +2073,8 @@
Beginning with Shorewall 5.0.13, if Beginning with Shorewall 5.0.13, if
<replaceable>system</replaceable> is omitted, then the FIREWALL <replaceable>system</replaceable> is omitted, then the FIREWALL
option setting in <ulink option setting in <ulink
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> (<ulink url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
(<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
assumed. In that case, if you want to specify a assumed. In that case, if you want to specify a
<replaceable>directory</replaceable>, then the <option>-D</option> <replaceable>directory</replaceable>, then the <option>-D</option>
@ -2178,6 +2108,10 @@
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink (<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para> url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <emphasis role="bold">-D </emphasis>option was added in
Shoewall 5.2.4 and causes the compiler to write a large amount of
debugging information to standard output.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2204,7 +2138,8 @@
<term><emphasis role="bold">restart </emphasis>[-<option>n</option>] <term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
[-<option>p</option>] [-<option>d</option>] [-<option>f</option>] [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>] [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term> [-<option>C</option>] [-D] [ <replaceable>directory</replaceable>
]</term>
<listitem> <listitem>
<para>Beginning with Shorewall 5.0.0, this command performs a true <para>Beginning with Shorewall 5.0.0, this command performs a true
@ -2264,6 +2199,10 @@
the one that generated the current running configuration, then the one that generated the current running configuration, then
the running netfilter configuration will be reloaded as is so the running netfilter configuration will be reloaded as is so
as to preserve the iptables packet and byte counters.</para> as to preserve the iptables packet and byte counters.</para>
<para>The <emphasis role="bold">-D </emphasis>option was added
in Shoewall 5.2.4 and causes the compiler to write a large
amount of debugging information to standard output.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2831,8 +2770,8 @@
<term><emphasis role="bold">start </emphasis><emphasis role="bold"> <term><emphasis role="bold">start </emphasis><emphasis role="bold">
</emphasis>[-<option>n</option>] [-<option>p</option>] </emphasis>[-<option>n</option>] [-<option>p</option>]
[-<option>d</option>] [-<option>f</option>] [-<option>c</option>] [-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
[-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [ [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [-D]
<replaceable>directory</replaceable> ]</term> [ <replaceable>directory</replaceable> ]</term>
<listitem> <listitem>
<para><variablelist> <para><variablelist>
@ -2906,6 +2845,11 @@
option was also specified in the <emphasis option was also specified in the <emphasis
role="bold">save</emphasis> command, then the packet and role="bold">save</emphasis> command, then the packet and
byte counters will be restored.</para> byte counters will be restored.</para>
<para>The <emphasis role="bold">-D </emphasis>option was
added in Shoewall 5.2.4 and causes the compiler to write a
large amount of debugging information to standard
output.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -1 +1 @@
5.2.3.7 5.2.4-Beta1


@ -8727,6 +8727,8 @@ sub emitr1( $$ ) {
sub save_docker_rules($) { sub save_docker_rules($) {
my $tool = $_[0]; my $tool = $_[0];
my $bridge = $config{DOCKER_BRIDGE};
emit( qq(if [ -n "\$g_docker" ]; then), emit( qq(if [ -n "\$g_docker" ]; then),
qq( $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER), qq( $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT), qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
@ -8744,10 +8746,10 @@ sub save_docker_rules($) {
qq(), qq(),
); );
if ( known_interface( 'docker0' ) ) { if ( known_interface( $bridge ) ) {
emit( qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) ); emit( qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
} else { } else {
emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) ); emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] ($bridge|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
} }
emit( q( [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD), emit( q( [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
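Review bot: The `else` branch interpolates `$bridge` verbatim into an `egrep` extended regex inside a single-quoted word of the emitted shell command, so a DOCKER_BRIDGE value containing regex metacharacters (`.`, `+`, `|`, parentheses) or a quote silently changes which FORWARD rules are saved or breaks the generated script, which the former literal `docker0` could not do. Because the value is a new free-form shorewall.conf setting, the cleanest fix is to validate it once where it is defaulted in Config.pm's get_configuration, next to `default( 'DOCKER_BRIDGE' , 'docker0' );`, with something like `fatal_error "Invalid DOCKER_BRIDGE ($config{DOCKER_BRIDGE})" unless $config{DOCKER_BRIDGE} =~ /\A[\w.-]{1,15}\z/;` (kernel interface names are at most 15 bytes and exclude whitespace and `/`); that also covers the `o => "! $bridge"` uses in Rules.pm's create_docker_rules. If escaping at the point of use is preferred instead, `quotemeta( $bridge )` in this `qq()` handles the regex metacharacters but not a stray quote, so validation is the more complete option.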


@ -1010,6 +1010,7 @@ sub initialize($;$$$) {
PERL_HASH_SEED => undef , PERL_HASH_SEED => undef ,
USE_NFLOG_SIZE => undef , USE_NFLOG_SIZE => undef ,
RENAME_COMBINED => undef , RENAME_COMBINED => undef ,
DOCKER_BRIDGE => undef ,
# #
# Packet Disposition # Packet Disposition
# #
@ -6569,6 +6570,9 @@ sub get_configuration( $$$ ) {
fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6; fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' ); require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' ); require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' );
default( 'DOCKER_BRIDGE' , 'docker0' );
} elsif ( $family == F_IPV6 ) {
warning_message( "DOCKER_BRIDGE=$val ignored by shorewall6" ) if supplied( $val = $config{DOCKER_BRIDGE} );
} }
if ( supplied( $val = $config{RESTART} ) ) { if ( supplied( $val = $config{RESTART} ) ) {
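Review bot: A supplied DOCKER_BRIDGE is only diagnosed on IPv6; on IPv4 with DOCKER unset the value is silently ignored because the new `elsif ( $family == F_IPV6 )` branch does not fire. Assuming the enclosing `if` (which starts before this hunk) tests `$config{DOCKER}`, a plain `else` would cover both families: `} else { warning_message( "DOCKER_BRIDGE=$val ignored when DOCKER=No" ) if supplied( $val = $config{DOCKER_BRIDGE} ); }`, keeping the shorewall6 wording inside it if the family-specific message is wanted.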


@ -675,6 +675,8 @@ sub process_stoppedrules() {
# Generate the rules required when DOCKER=Yes # Generate the rules required when DOCKER=Yes
# #
sub create_docker_rules() { sub create_docker_rules() {
my $bridge = $config{DOCKER_BRIDGE};
add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' ); add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
my $chainref = $filter_table->{FORWARD}; my $chainref = $filter_table->{FORWARD};
@ -684,13 +686,13 @@ sub create_docker_rules() {
add_commands( $chainref, '[ -n "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' ); add_commands( $chainref, '[ -n "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' ); add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
if ( my $dockerref = known_interface('docker0') ) { if ( my $dockerref = known_interface( $bridge ) ) {
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' ); add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
incr_cmd_level( $chainref ); incr_cmd_level( $chainref );
add_ijump( $chainref, j => 'DOCKER', o => 'docker0' ); add_ijump( $chainref, j => 'DOCKER', o => $bridge );
add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' ); add_ijump( $chainref, j => 'ACCEPT', o => $bridge , state_imatch 'ESTABLISHED,RELATED' );
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' ); add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => "! $bridge" );
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback}; add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => $bridge ) if $dockerref->{options}{routeback};
decr_cmd_level( $chainref ); decr_cmd_level( $chainref );
add_commands( $chainref, 'fi' ); add_commands( $chainref, 'fi' );
@ -2532,6 +2534,7 @@ sub compile_stop_firewall( $$$$ ) {
my $input = $filter_table->{INPUT}; my $input = $filter_table->{INPUT};
my $output = $filter_table->{OUTPUT}; my $output = $filter_table->{OUTPUT};
my $forward = $filter_table->{FORWARD}; my $forward = $filter_table->{FORWARD};
my $absentminded = $config{ ADMINISABSENTMINDED };
emit <<'EOF'; emit <<'EOF';
# #
@ -2539,7 +2542,7 @@ sub compile_stop_firewall( $$$$ ) {
# #
stop_firewall() { stop_firewall() {
EOF EOF
$output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED}; $output->{policy} = 'ACCEPT' if $absentminded;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
emit <<'EOF'; emit <<'EOF';
@ -2698,7 +2701,7 @@ EOF
# #
create_docker_rules if $config{DOCKER}; create_docker_rules if $config{DOCKER};
if ( $config{ADMINISABSENTMINDED} ) { if ( $absentminded ) {
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/; add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
} }
@ -2707,7 +2710,7 @@ EOF
add_ijump $input, j => 'ACCEPT', d => IPv6_LINKLOCAL; add_ijump $input, j => 'ACCEPT', d => IPv6_LINKLOCAL;
add_ijump $input, j => 'ACCEPT', d => IPv6_MULTICAST; add_ijump $input, j => 'ACCEPT', d => IPv6_MULTICAST;
unless ( $config{ADMINISABSENTMINDED} ) { unless ( $absentminded ) {
add_ijump $output, j => 'ACCEPT', d => IPv6_LINKLOCAL; add_ijump $output, j => 'ACCEPT', d => IPv6_LINKLOCAL;
add_ijump $output, j => 'ACCEPT', d => IPv6_MULTICAST; add_ijump $output, j => 'ACCEPT', d => IPv6_MULTICAST;
} }
@ -2721,12 +2724,25 @@ EOF
process_stoppedrules; process_stoppedrules;
if ( $family == F_IPV6 ) {
my $chain = new_action_chain( 'filter', 'AllowICMPs' );
for my $type ( 1, 2, 3, 4, 130, 131, 132, 133, 134, 135, 136, 137, 141, 142, 143, 148, 149, 151, 152, 153 ) {
add_ijump( $chain, j => 'ACCEPT', p => IPv6_ICMP . " --icmpv6-type $type" );
}
for $chain ( $input, $output, $forward ) {
next if $chain eq $output && $absentminded;
add_ijump( $chain, j => 'AllowICMPs', p => IPv6_ICMP );
}
}
if ( have_capability 'IFACE_MATCH' ) { if ( have_capability 'IFACE_MATCH' ) {
add_ijump $input, j => 'ACCEPT', iface => '--dev-in --loopback'; add_ijump $input, j => 'ACCEPT', iface => '--dev-in --loopback';
add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED}; add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $absentminded;
} else { } else {
add_ijump $input, j => 'ACCEPT', i => loopback_interface; add_ijump $input, j => 'ACCEPT', i => loopback_interface;
add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED}; add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $absentminded;
} }
my $interfaces = find_interfaces_by_option 'dhcp'; my $interfaces = find_interfaces_by_option 'dhcp';
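Review bot: The ICMPv6 type list `( 1, 2, 3, 4, 130, ..., 153 )` in the new `AllowICMPs` block is an uncommented magic list in the stopped-firewall path, where a reader needs to know what is being let through and why; a comment above the loop naming the groups (1-4 error messages, 130-132 MLD, 133-137 neighbor discovery, 141-142 inverse ND, 143 MLDv2, 148-149 SEND, 151-153 multicast router discovery) and stating that echo request/reply (128/129) are not included would make the policy reviewable, as would a sentence on why the jump is also added to `$forward`. The second loop reuses the lexical `$chain`, which at that point holds the AllowICMPs chainref, as its alias variable; `for my $target ( $input, $output, $forward )` with `next if $target eq $output && $absentminded;` and `add_ijump( $target, j => 'AllowICMPs', p => IPv6_ICMP );` avoids the shadowing. `$chain eq $output` compares stringified references, which works, but `==` is the usual identity check for refs. compile_stop_firewall continues outside this hunk.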
@ -2736,7 +2752,7 @@ EOF
for my $interface ( @$interfaces ) { for my $interface ( @$interfaces ) {
add_ijump $input, j => 'ACCEPT', p => "udp --dport $ports", imatch_source_dev( $interface ); add_ijump $input, j => 'ACCEPT', p => "udp --dport $ports", imatch_source_dev( $interface );
add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $config{ADMINISABSENTMINDED}; add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $absentminded;
# #
# This might be a bridge # This might be a bridge
# #


@ -42,6 +42,7 @@ usage() {
echo " up <interface>" echo " up <interface>"
echo " savesets <file>" echo " savesets <file>"
echo " call <function> [ <parameter> ... ]" echo " call <function> [ <parameter> ... ]"
echo " help"
echo " version" echo " version"
echo " info" echo " info"
echo echo
@ -54,6 +55,8 @@ usage() {
echo " -c Save/restore iptables counters" echo " -c Save/restore iptables counters"
echo " -V <verbosity> Set verbosity explicitly" echo " -V <verbosity> Set verbosity explicitly"
echo " -R <file> Override RESTOREFILE setting" echo " -R <file> Override RESTOREFILE setting"
echo " -T Trace execution"
echo " -D Debug iptables"
exit $1 exit $1
} }
@ -109,20 +112,6 @@ reload_command() {
# E X E C U T I O N B E G I N S H E R E # # E X E C U T I O N B E G I N S H E R E #
################################################################################ ################################################################################
# #
# Start trace if first arg is "debug" or "trace"
#
g_debug_iptables=
if [ $# -gt 1 ]; then
if [ "x$1" = "xtrace" ]; then
set -x
shift
elif [ "x$1" = "xdebug" ]; then
g_debug_iptables=Yes
shift
fi
fi
#
# Map VERBOSE to VERBOSITY for compatibility with old Shorewall[6]-lite installations # Map VERBOSE to VERBOSITY for compatibility with old Shorewall[6]-lite installations
# #
[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE [ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
@ -152,6 +141,7 @@ g_dockeriso=
g_dockerisostage= g_dockerisostage=
g_forcereload= g_forcereload=
g_fallback= g_fallback=
g_debug_iptables=
[ -n "$SERVICEDIR" ] && SUBSYSLOCK= [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
@ -258,6 +248,14 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
RESTOREFILE=$option RESTOREFILE=$option
option= option=
;; ;;
T*)
set -x;
option=${option#T}
;;
D*)
g_debug_iptables=Yes
option=${option#D}
;;
*) *)
usage 1 usage 1
;; ;;
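Review bot: `set -x;` carries a stray semicolon before the newline, and, more substantively, tracing now begins only when the option parser reaches `-T`, whereas the removed leading `trace` keyword enabled it before the VERBOSITY mapping and the `g_*` initialisation ran, so those lines are no longer covered by a trace. If that is acceptable, the usage text `-T Trace execution` could say that the trace starts at option parsing; otherwise the `-T` handling would need to run ahead of the rest of the initialisation as the old code did. The option `while` loop starts outside this hunk.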


@ -163,6 +163,8 @@ DISABLE_IPV6=No
DOCKER=No DOCKER=No
DOCKER_BRIDGE=docker0
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No


@ -174,6 +174,8 @@ DISABLE_IPV6=No
DOCKER=No DOCKER=No
DOCKER_BRIDGE=docker0
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No


@ -171,6 +171,8 @@ DISABLE_IPV6=No
DOCKER=No DOCKER=No
DOCKER_BRIDGE=docker0
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No


@ -174,6 +174,8 @@ DISABLE_IPV6=No
DOCKER=No DOCKER=No
DOCKER_BRIDGE=docker0
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No


@ -1 +1 @@
5.2.3.7 5.2.4-Beta1


@ -167,6 +167,8 @@ DISABLE_IPV6=No
DOCKER=No DOCKER=No
DOCKER_BRIDGE=docker0
DONT_LOAD= DONT_LOAD=
DYNAMIC_BLACKLIST=Yes DYNAMIC_BLACKLIST=Yes


@ -8,7 +8,7 @@
# signaling that the firewall is completely up). # signaling that the firewall is completely up).
# #
# This script should not change the firewall configuration directly but # This script should not change the firewall configuration directly but
# may do so indirectly by running /sbin/shorewall with the 'nolock' # may do so indirectly by running /sbin/shorewall with the -N
# option. # option.
# #
# See http://shorewall.org/shorewall_extension_scripts.htm for additional # See http://shorewall.org/shorewall_extension_scripts.htm for additional


@ -503,7 +503,7 @@ compiler() {
[ -n "$g_timestamp" ] && options="$options --timestamp" [ -n "$g_timestamp" ] && options="$options --timestamp"
[ -n "$g_test" ] && options="$options --test" [ -n "$g_test" ] && options="$options --test"
[ -n "$g_preview" ] && options="$options --preview" [ -n "$g_preview" ] && options="$options --preview"
[ "$g_debugging" = trace ] && options="$options --debug" [ -n "$g_trace" ] && options="$options --debug"
[ -n "$g_confess" ] && options="$options --confess" [ -n "$g_confess" ] && options="$options --confess"
[ -n "$g_update" ] && options="$options --update" [ -n "$g_update" ] && options="$options --update"
[ -n "$g_annotate" ] && options="$options --annotate" [ -n "$g_annotate" ] && options="$options --annotate"
@ -531,7 +531,7 @@ compiler() {
# #
# Only use the pager if 'trace' or -r was specified and -d was not # Only use the pager if 'trace' or -r was specified and -d was not
# #
[ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager= [ -z "$g_trace" -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
case $PERL_HASH_SEED in case $PERL_HASH_SEED in
random) random)
@ -615,6 +615,10 @@ start_command() {
g_counters=Yes g_counters=Yes
option=${option#C} option=${option#C}
;; ;;
D*)
g_trace=Yes
option=${option#D}
;;
*) *)
option_error $option option_error $option
;; ;;
@ -660,14 +664,14 @@ start_command() {
if [ -n "$AUTOMAKE" ]; then if [ -n "$AUTOMAKE" ]; then
[ -n "$g_nolock" ] || mutex_on [ -n "$g_nolock" ] || mutex_on
run_it $g_firewall $g_debugging start run_it $g_firewall start
rc=$? rc=$?
[ -n "$g_nolock" ] || mutex_off [ -n "$g_nolock" ] || mutex_off
else else
g_file="${VARDIR}/.start" g_file="${VARDIR}/.start"
if compiler $g_debugging $g_nolock compile "$g_file"; then if compiler compile "$g_file"; then
[ -n "$g_nolock" ] || mutex_on [ -n "$g_nolock" ] || mutex_on
run_it ${VARDIR}/.start $g_debugging start run_it ${VARDIR}/.start start
rc=$? rc=$?
[ -n "$g_nolock" ] || mutex_off [ -n "$g_nolock" ] || mutex_off
else else
@ -721,6 +725,10 @@ compile_command() {
g_confess=Yes g_confess=Yes
option=${option#T} option=${option#T}
;; ;;
D*)
g_trace=Yes
option=${option#D}
;;
-) -)
finished=1 finished=1
option= option=
@ -768,7 +776,7 @@ compile_command() {
[ "x$g_file" = x- ] && g_doing='' [ "x$g_file" = x- ] && g_doing=''
compiler $g_debugging compile "$g_file" compiler compile "$g_file"
} }
# #
@ -815,6 +823,10 @@ check_command() {
g_confess=Yes g_confess=Yes
option=${option#T} option=${option#T}
;; ;;
D*)
g_trace=Yes
option=${option#D}
;;
*) *)
option_error $option option_error $option
;; ;;
@ -851,7 +863,7 @@ check_command() {
g_doing="Checking" g_doing="Checking"
compiler $g_debugging $g_nolock check compiler check
} }
# #
@ -906,6 +918,10 @@ update_command() {
A*) A*)
option=${option#A} option=${option#A}
;; ;;
D*)
g_trace=Yes
option=${option#D}
;;
*) *)
option_error $option option_error $option
;; ;;
@ -942,7 +958,7 @@ update_command() {
g_doing="Updating" g_doing="Updating"
compiler $g_debugging $g_nolock check compiler check
} }
# #
@ -999,6 +1015,10 @@ restart_command() {
g_counters=Yes g_counters=Yes
option=${option#C} option=${option#C}
;; ;;
D*)
g_trace=Yes
option=${option#D}
;;
*) *)
option_error $option option_error $option
;; ;;
@ -1044,9 +1064,9 @@ restart_command() {
g_file="${VARDIR}/.${COMMAND}" g_file="${VARDIR}/.${COMMAND}"
if [ -z "$g_fast" ]; then if [ -z "$g_fast" ]; then
if compiler $g_debugging $g_nolock compile "$g_file"; then if compiler compile "$g_file"; then
[ -n "$g_nolock" ] || mutex_on [ -n "$g_nolock" ] || mutex_on
run_it ${VARDIR}/.${COMMAND} $g_debugging ${COMMAND} run_it ${VARDIR}/.${COMMAND} ${COMMAND}
rc=$? rc=$?
[ -n "$g_nolock" ] || mutex_off [ -n "$g_nolock" ] || mutex_off
else else
@ -1056,7 +1076,7 @@ restart_command() {
else else
[ -x $g_firewall ] || fatal_error "No $g_firewall file found" [ -x $g_firewall ] || fatal_error "No $g_firewall file found"
[ -n "$g_nolock" ] || mutex_on [ -n "$g_nolock" ] || mutex_on
run_it $g_firewall $g_debugging $COMMAND run_it $g_firewall $COMMAND
rc=$? rc=$?
[ -n "$g_nolock" ] || mutex_off [ -n "$g_nolock" ] || mutex_off
fi fi
@ -1197,7 +1217,7 @@ safe_commands() {
g_file="${VARDIR}/.$command" g_file="${VARDIR}/.$command"
if ! compiler $g_debugging nolock compile "$g_file"; then if ! compiler compile "$g_file"; then
status=$? status=$?
exit $status exit $status
fi fi
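Review bot: safe_commands used to pass the literal `nolock` as a positional argument to `compiler` (and try_command, check_command and update_command passed `$g_nolock`); the new calls pass only the subcommand, so whether the compile in the safe_* path still runs without the master lock now depends on `compiler()` reading the `g_nolock` global itself, which is outside this hunk and worth confirming since the old call did not depend on `g_nolock` being set. The same drop applies at every `compiler compile` and `compiler check` call in this file. Separately, the comment above the pager test still says `'trace'` although that keyword no longer exists; `# Only use the pager if -D or -r was specified and -d was not` matches the new `g_trace` test. Naming that variable `g_trace` while `-T` in the same option parsers sets `g_confess` and `-D` drives `--debug` is confusing enough to deserve a one-line comment at the first `D*)` case.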
@ -1223,7 +1243,7 @@ safe_commands() {
[ -n "$g_nolock" ] || mutex_on [ -n "$g_nolock" ] || mutex_on
if run_it ${VARDIR}/.$command $g_debugging $command; then if run_it ${VARDIR}/.$command $command; then
printf "Do you want to accept the new firewall configuration? [y/n] " printf "Do you want to accept the new firewall configuration? [y/n] "
@ -1334,7 +1354,7 @@ try_command() {
g_file="${VARDIR}/.$command" g_file="${VARDIR}/.$command"
if ! compiler $g_debugging $g_nolock compile "$g_file"; then if ! compiler compile "$g_file"; then
status=$? status=$?
exit $status exit $status
fi fi
@ -1356,7 +1376,7 @@ try_command() {
[ -n "$g_nolock" ] || mutex_on [ -n "$g_nolock" ] || mutex_on
if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
sleep $timeout sleep $timeout
if [ "$command" = "reload" ]; then if [ "$command" = "reload" ]; then
@ -1606,6 +1626,10 @@ remote_commands() # $* = original arguments less the command.
g_confess=Yes g_confess=Yes
option=${option#T} option=${option#T}
;; ;;
D*)
g_trace=Yes
option=${option#D}
;;
*) *)
option_error $option option_error $option
;; ;;
@ -1697,7 +1721,7 @@ remote_commands() # $* = original arguments less the command.
exitstatus=0 exitstatus=0
if compiler $g_debugging compiler "$g_file"; then if compiler compiler "$g_file"; then
progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..."
if rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir}; then if rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir}; then
save=$(find_file save); save=$(find_file save);
@ -1712,20 +1736,20 @@ remote_commands() # $* = original arguments less the command.
progress_message3 "Copy complete" progress_message3 "Copy complete"
if [ $COMMAND = remote-reload ]; then if [ $COMMAND = remote-reload ]; then
if rsh_command "$program $g_debugging $verbose $timestamp reload"; then if rsh_command "$program $verbose $timestamp reload"; then
progress_message3 "System $system reloaded" progress_message3 "System $system reloaded"
else else
exitstatus=$? exitstatus=$?
savit= savit=
fi fi
elif [ $COMMAND = remote-restart ]; then elif [ $COMMAND = remote-restart ]; then
if rsh_command "$program $g_debugging $verbose $timestamp restart"; then if rsh_command "$program $verbose $timestamp restart"; then
progress_message3 "System $system restarted" progress_message3 "System $system restarted"
else else
exitstatus=$? exitstatus=$?
saveit= saveit=
fi fi
elif rsh_command "$program $g_debugging $verbose $timestamp start"; then elif rsh_command "$program $verbose $timestamp start"; then
progress_message3 "System $system started" progress_message3 "System $system started"
else else
exitstatus=$? exitstatus=$?
@ -1733,7 +1757,7 @@ remote_commands() # $* = original arguments less the command.
fi fi
if [ -n "$saveit" ]; then if [ -n "$saveit" ]; then
if rsh_command "$program $g_debugging $verbose $timestamp save"; then if rsh_command "$program $verbose $timestamp save"; then
progress_message3 "Configuration on system $system saved" progress_message3 "Configuration on system $system saved"
else else
exitstatus=$? exitstatus=$?
@ -1816,7 +1840,7 @@ export_command() # $* = original arguments less the command.
g_file="$g_shorewalldir/firewall" g_file="$g_shorewalldir/firewall"
if compiler $g_debugging compile "$g_file" && \ if compiler compile "$g_file" && \
echo "Copying $file and ${file}.conf to ${target#*@}..." && \ echo "Copying $file and ${file}.conf to ${target#*@}..." && \
scp $g_shorewalldir/firewall $g_shorewalldir/firewall.conf $target scp $g_shorewalldir/firewall $g_shorewalldir/firewall.conf $target
then then
@ -1831,7 +1855,7 @@ export_command() # $* = original arguments less the command.
run_command() { run_command() {
if [ -x $g_firewall ] ; then if [ -x $g_firewall ] ; then
uptodate $g_firewall || echo " WARNING: $g_firewall is not up to date" >&2 uptodate $g_firewall || echo " WARNING: $g_firewall is not up to date" >&2
run_it $g_firewall $g_debugging $@ run_it $g_firewall $@
else else
fatal_error "$g_firewall does not exist or is not executable" fatal_error "$g_firewall does not exist or is not executable"
fi fi


@ -834,18 +834,30 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall 5.0.6. When set to <option>Yes</option>, <para>Added in Shorewall 5.0.6; IPv4 only. When set to
the generated script will save Docker-generated rules before and <option>Yes</option>, the generated script will save
restore them after executing the <command>start</command>, Docker-generated rules before and restore them after executing the
<command>stop</command>, <command>reload</command> and <command>start</command>, <command>stop</command>,
<command>restart</command> commands. If set to <option>No</option> <command>reload</command> and <command>restart</command> commands.
(the default), the generated script will delete any Docker-generated If set to <option>No</option> (the default), the generated script
rules when executing those commands. See<ulink url="/Docker.html"> will delete any Docker-generated rules when executing those
commands. See<ulink url="/Docker.html">
http://www.shorewall.org/Docker.html</ulink> for additional http://www.shorewall.org/Docker.html</ulink> for additional
information.</para> information.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">DOCKER_BRIDGE=</emphasis>[<emphasis>bridgename</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.2.4; IPv4 only. Specifies the name of the
default Docker bridge. If not specified, the value 'docker0' is
assumed.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term> role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>


@ -1 +1 @@
5.2.3.7 5.2.4-Beta1


@ -1 +1 @@
5.2.3.7 5.2.4-Beta1


@ -8,7 +8,7 @@
# firewall is completely up). # firewall is completely up).
# #
# This script should not change the firewall configuration directly but # This script should not change the firewall configuration directly but
# may do so indirectly by running /sbin/shorewall6 with the 'nolock' # may do so indirectly by running /sbin/shorewall6 with the '-N'
# option. # option.
# #
# See http://shorewall.org/shorewall_extension_scripts.htm for additional # See http://shorewall.org/shorewall_extension_scripts.htm for additional


@ -20,6 +20,8 @@
<copyright> <copyright>
<year>2006-2010</year> <year>2006-2010</year>
<year>2020</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -227,10 +229,10 @@
<listitem> <listitem>
<programlisting><command>cd &lt;export directory&gt;</command> <programlisting><command>cd &lt;export directory&gt;</command>
<command>/sbin/shorewall load firewall</command></programlisting> <command>/sbin/shorewall remote-startfirewall</command></programlisting>
<para>The <ulink <para>The <ulink
url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink> url="starting_and_stopping_shorewall.htm#Load"><command>remote-start</command></ulink>
command compiles a firewall script from the configuration files command compiles a firewall script from the configuration files
in the current working directory (using <command>shorewall in the current working directory (using <command>shorewall
compile -e</command>), copies that file to the remote system via compile -e</command>), copies that file to the remote system via
@ -239,7 +241,8 @@
<para>Example (firewall's DNS name is 'gateway'):</para> <para>Example (firewall's DNS name is 'gateway'):</para>
<para><command>/sbin/shorewall load gateway</command><note> <para><command>/sbin/shorewall remote-start
gateway</command><note>
<para>Although scp and ssh are used by default, you can use <para>Although scp and ssh are used by default, you can use
other utilities by setting RSH_COMMAND and RCP_COMMAND in other utilities by setting RSH_COMMAND and RCP_COMMAND in
<filename>/etc/shorewall/shorewall.conf</filename>.</para> <filename>/etc/shorewall/shorewall.conf</filename>.</para>
@ -261,119 +264,16 @@
then:</para> then:</para>
<programlisting><command>cd &lt;export directory&gt;</command> <programlisting><command>cd &lt;export directory&gt;</command>
<command>/sbin/shorewall reload firewall</command></programlisting> <command>/sbin/shorewall remote-reload firewall</command></programlisting>
<para>The <ulink <para>The <ulink
url="manpages/shorewall.html"><command>reload</command></ulink> url="manpages/shorewall.html"><command>remote-reload</command></ulink>
command compiles a firewall script from the configuration files in command compiles a firewall script from the configuration files in
the current working directory (using <command>shorewall compile the current working directory (using <command>shorewall compile
-e</command>), copies that file to the remote system via scp and -e</command>), copies that file to the remote system via scp and
restarts Shorewall Lite on the remote system via ssh. The <emphasis restarts Shorewall Lite on the remote system via ssh. The <emphasis
role="bold">reload</emphasis> command also supports the '-c' role="bold">remote-reload</emphasis> command also supports the '-c'
option.</para> option.</para>
<para>I personally place a <filename>Makefile</filename> in each
export directory as follows:</para>
<blockquote>
<programlisting># Shorewall Packet Filtering Firewall Export Directory Makefile - V3.3
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2006 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.org
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
################################################################################
# Place this file in each export directory. Modify each copy to set HOST
# to the name of the remote firewall corresponding to the directory.
#
# To make the 'firewall' script, type "make".
#
# Once the script is compiling correctly, you can install it by
# typing "make install".
#
################################################################################
# V A R I A B L E S
#
# Files in the export directory on which the firewall script does not depend
#
IGNOREFILES = firewall% Makefile% trace% %~
#
# Remote Firewall system
#
HOST = gateway
#
# Save some typing
#
LITEDIR = /var/lib/shorewall-lite
#
# Set this if the remote system has a non-standard modules directory
#
MODULESDIR=
#
# Default target is the firewall script
#
################################################################################
# T A R G E T S
#
all: firewall
#
# Only generate the capabilities file if it doesn't already exist
#
capabilities:
ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap &gt; $(LITEDIR)/capabilities"
scp root@$(HOST):$(LITEDIR)/capabilities .
#
# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
# 'filter-out' will be presented with the list of files in this directory rather than "*"
#
firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
shorewall compile -e . firewall
#
# Only reload on demand.
#
install: firewall
scp firewall firewall.conf root@$(HOST):$(LITEDIR)
ssh root@$(HOST) "/sbin/shorewall-lite restart"
#
# Save running configuration
#
save:
ssh root@$(HOST) "/sbin/shorewall-lite save"
#
# Remove generated files
#
clean:
rm -f capabilities firewall firewall.conf reload
</programlisting>
</blockquote>
<para>That way, after I've changed the configuration, I can simply
type <command>make</command> or <emphasis role="bold">make
install</emphasis>.</para>
<note>
<para>The above Makefile is available at <ulink
url="http://www1.shorewall.net/pub/shorewall/contrib/Shorewall-lite/">http://www.shorewall.org/pub/shorewall/contrib/Shorewall-lite/</ulink></para>
</note>
<note>
<para>I omit trace% because I often trace compiler execution while
I'm debugging new versions of Shorewall.</para>
</note>
</listitem> </listitem>
</orderedlist> </orderedlist>
@ -410,63 +310,63 @@ clean:
run Debian or one of its derivatives (see <link run Debian or one of its derivatives (see <link
linkend="Debian">above</link>).</para> linkend="Debian">above</link>).</para>
<para>The <filename>/sbin/shorewall-lite</filename> program included <para>The <filename>/sbin/shorewall-lite</filename> program (which is a
symbolic link pointing to <filename>/sbin/shorewall</filename>) included
with Shorewall Lite supports the same set of commands as the with Shorewall Lite supports the same set of commands as the
<filename>/sbin/shorewall</filename> program in a full Shorewall <filename>/sbin/shorewall</filename> program in a full Shorewall
installation with the following exceptions:</para> installation with the following exceptions:</para>
<blockquote> <blockquote>
<simplelist> <simplelist>
<member>add</member> <member>action</member>
<member>actions</member>
<member>check</member>
<member>compile</member> <member>compile</member>
<member>delete</member> <member>export</member>
<member>refresh</member> <member>macro</member>
<member>reload</member> <member>macros</member>
<member>try</member> <member>remote-getrc</member>
<member>safe-start</member> <member>remote-getcaps</member>
<member>remote-reload</member>
<member>remote-restart</member>
<member>remote-start</member>
<member>safe-reload</member>
<member>safe-restart</member> <member>safe-restart</member>
<member>show actions</member> <member>safe-start</member>
<member>show macros</member> <member>try</member>
<member>update</member>
</simplelist> </simplelist>
</blockquote> </blockquote>
<para>On systems with only Shorewall Lite installed, I recommend that
you create a symbolic link <filename>/sbin/shorewall</filename> and
point it at <filename>/sbin/shorewall-lite</filename>. That way, you can
use <command>shorewall</command> as the command regardless of which
product is installed.</para>
<blockquote>
<programlisting><command>ln -sf shorewall-lite /sbin/shorewall</command></programlisting>
</blockquote>
<section> <section>
<title>Module Loading</title> <title>Module Loading</title>
<para>As with a normal Shorewall configuration, the shorewall.conf <para>Normally, the <filename>helpers</filename> file on the firewall
file can specify LOAD_HELPERS_ONLY which determines if the system is used. If you want to specify modules at compile time on the
<filename>modules</filename> file (LOAD_HELPERS_ONLY=No) or Administrative System, then you must place a copy of the
<filename>helpers</filename> file (LOAD_HELPERS_ONLY=Yes) is used. <filename>helpers</filename> file in the firewall's configuration
Normally, the file on the firewall system is used. If you want to directory before compilation.</para>
specify modules at compile time on the Administrative System, then you
must place a copy of the appropriate file
(<filename>modules</filename> or <filename>helpers</filename>) in the
firewall's configuration directory before compilation.</para>
<para>In Shorewall 4.4.17, the EXPORTMODULES option was added to <para>In Shorewall 4.4.17, the EXPORTMODULES option was added to
shorewall.conf (and shorewall6.conf). When EXPORTMODULES=Yes, any shorewall.conf (and shorewall6.conf). When EXPORTMODULES=Yes, any
<filename>modules</filename> or <filename>helpers</filename> file <filename>helpers</filename> file found on the CONFIG_PATH on the
found on the CONFIG_PATH on the Administrative System during Administrative System during compilation will be used.</para>
compilation will be used.</para>
</section> </section>
<section id="Converting"> <section id="Converting">
@ -503,10 +403,6 @@ clean:
<listitem> <listitem>
<para>Install Shorewall Lite on the firewall system.</para> <para>Install Shorewall Lite on the firewall system.</para>
<para>If you are running Debian or one of its derivatives like
Ubuntu then edit <filename>/etc/default/shorewall-lite</filename>
and set startup=1.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -753,52 +649,126 @@ clean:
kernel/iptables capabilities of the target system. Here is a sample kernel/iptables capabilities of the target system. Here is a sample
file:</para> file:</para>
<blockquote> <programlisting>
<programlisting># # Shorewall 5.2.3.3 detected the following iptables/netfilter capabilities - Mon 16 Sep 2019 01:32:20 PM PDT
# Shorewall detected the following iptables/netfilter capabilities - Tue Jul 15 07:28:12 PDT 2008
# #
NAT_ENABLED=Yes ACCOUNT_TARGET=
MANGLE_ENABLED=Yes
MULTIPORT=Yes
XMULTIPORT=Yes
CONNTRACK_MATCH=Yes
POLICY_MATCH=Yes
PHYSDEV_MATCH=Yes
PHYSDEV_BRIDGE=Yes
LENGTH_MATCH=Yes
IPRANGE_MATCH=Yes
RECENT_MATCH=Yes
OWNER_MATCH=Yes
IPSET_MATCH=Yes
CONNMARK=Yes
XCONNMARK=Yes
CONNMARK_MATCH=Yes
XCONNMARK_MATCH=Yes
RAW_TABLE=Yes
IPP2P_MATCH=
CLASSIFY_TARGET=Yes
ENHANCED_REJECT=Yes
KLUDGEFREE=Yes
MARK=Yes
XMARK=Yes
MANGLE_FORWARD=Yes
COMMENTS=Yes
ADDRTYPE=Yes ADDRTYPE=Yes
TCPMSS_MATCH=Yes AMANDA_HELPER=
ARPTABLESJF=
AUDIT_TARGET=Yes
BASIC_EMATCH=Yes
BASIC_FILTER=Yes
CAPVERSION=50200
CHECKSUM_TARGET=Yes
CLASSIFY_TARGET=Yes
COMMENTS=Yes
CONDITION_MATCH=
CONNLIMIT_MATCH=Yes
CONNMARK_MATCH=Yes
CONNMARK=Yes
CONNTRACK_MATCH=Yes
CPU_FANOUT=Yes
CT_TARGET=Yes
DSCP_MATCH=Yes
DSCP_TARGET=Yes
EMULTIPORT=Yes
ENHANCED_REJECT=Yes
EXMARK=Yes
FLOW_FILTER=Yes
FTP0_HELPER=
FTP_HELPER=Yes
FWMARK_RT_MASK=Yes
GEOIP_MATCH=
GOTO_TARGET=Yes
H323_HELPER=
HASHLIMIT_MATCH=Yes HASHLIMIT_MATCH=Yes
HEADER_MATCH=
HELPER_MATCH=Yes
IFACE_MATCH=
IMQ_TARGET=
IPMARK_TARGET=
IPP2P_MATCH=
IPRANGE_MATCH=Yes
IPSET_MATCH_COUNTERS=Yes
IPSET_MATCH_NOMATCH=Yes
IPSET_MATCH=Yes
IPSET_V5=Yes
IPTABLES_S=Yes
IRC0_HELPER=
IRC_HELPER=Yes
KERNELVERSION=41900
KLUDGEFREE=Yes
LENGTH_MATCH=Yes
LOGMARK_TARGET=
LOG_TARGET=Yes
MANGLE_ENABLED=Yes
MANGLE_FORWARD=Yes
MARK_ANYWHERE=Yes
MARK=Yes
MASQUERADE_TGT=Yes
MULTIPORT=Yes
NAT_ENABLED=Yes
NAT_INPUT_CHAIN=Yes
NETBIOS_NS_HELPER=
NETMAP_TARGET=Yes
NEW_CONNTRACK_MATCH=Yes
NEW_TOS_MATCH=Yes
NFACCT_MATCH=Yes
NFLOG_SIZE=Yes
NFLOG_TARGET=Yes
NFQUEUE_TARGET=Yes NFQUEUE_TARGET=Yes
OLD_CONNTRACK_MATCH=
OLD_HL_MATCH=
OLD_IPP2P_MATCH=
OLD_IPSET_MATCH=
OWNER_MATCH=Yes
OWNER_NAME_MATCH=Yes
PERSISTENT_SNAT=Yes
PHYSDEV_BRIDGE=Yes
PHYSDEV_MATCH=Yes
POLICY_MATCH=Yes
PPTP_HELPER=
RAW_TABLE=Yes
REALM_MATCH=Yes REALM_MATCH=Yes
CAPVERSION=40190</programlisting> REAP_OPTION=Yes
</blockquote> RECENT_MATCH=Yes
RESTORE_WAIT_OPTION=Yes
RPFILTER_MATCH=Yes
SANE0_HELPER=
SANE_HELPER=
SIP0_HELPER=
SIP_HELPER=
SNMP_HELPER=
STATISTIC_MATCH=Yes
TARPIT_TARGET=
TCPMSS_MATCH=Yes
TCPMSS_TARGET=Yes
TFTP0_HELPER=
TFTP_HELPER=
TIME_MATCH=Yes
TPROXY_TARGET=Yes
UDPLITEREDIRECT=
ULOG_TARGET=
WAIT_OPTION=Yes
XCONNMARK_MATCH=Yes
XCONNMARK=Yes
XMARK=Yes
XMULTIPORT=Yes</programlisting>
<para>As you can see, the file contains a simple list of shell variable <para>As you can see, the file contains a simple list of shell variable
assignments — the variables correspond to the capabilities listed by the assignments — the variables correspond to the capabilities listed by the
<command>shorewall show capabilities</command> command and they appear in <command>shorewall show capabilities</command> command and they appear in
the same order as the output of that command.</para> the same order as the output of that command.</para>
<para>To aid in creating this file, Shorewall Lite includes a <para>The capabilities file can be generated automatically from the
<command>shorecap</command> program. The program is installed in the administrative system by using the <command>remote-getcaps</command>
<filename class="directory">/usr/share/shorewall-lite/</filename> command. Should that option fail for any reason, the file can be generated
manually on the remote firewall.</para>
<para>To aid in creating this file on the remote firewall, Shorewall Lite
includes a <command>shorecap</command> program. The program is installed
in the <filename class="directory">/usr/share/shorewall-lite/</filename>
directory and may be run as follows:</para> directory and may be run as follows:</para>
<blockquote> <blockquote>
@ -825,41 +795,52 @@ CAPVERSION=40190</programlisting>
<command>show capabilities</command> command shows the kernel's current <command>show capabilities</command> command shows the kernel's current
capabilities; it does not attempt to load additional kernel capabilities; it does not attempt to load additional kernel
modules.</para> modules.</para>
<para>Once generated, the file can be copied manually to the
administrative system.</para>
</section> </section>
<section id="Running"> <section id="Running">
<title>Running compiled programs directly</title> <title>Running compiled programs directly</title>
<para>Compiled firewall programs are complete shell programs that support <para>Compiled firewall programs are complete shell programs that may be
the following command line forms:</para> run directly. Here is the output from the program's help command
(Shorewall version 5.2.4)</para>
<blockquote> <programlisting>&lt;program&gt; [ options ] &lt;command&gt;
<simplelist>
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
start</command></member>
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ] &lt;command&gt; is one of:
stop</command></member> start
stop
clear
disable &lt;interface&gt;
down &lt;interface&gt;
enable &lt;interface&gt;
reset
reenable &lt;interface&gt;
refresh
reload
restart
run &lt;command&gt; [ &lt;parameter&gt; ... ]
status
up &lt;interface&gt;
savesets &lt;file&gt;
call &lt;function&gt; [ &lt;parameter&gt; ... ]
help
version
info
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ] Options are:
clear</command></member>
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ] -v and -q Standard Shorewall verbosity controls
refresh</command></member> -n Don't update routing configuration
-p Purge Conntrack Table
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ] -t Timestamp progress Messages
reset</command></member> -c Save/restore iptables counters
-V &lt;verbosity&gt; Set verbosity explicitly
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ] -R &lt;file&gt; Override RESTOREFILE setting
restart</command></member> -T Trace execution
</programlisting>
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
status</command></member>
<member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
version</command></member>
</simplelist>
</blockquote>
<para>The options have the same meanings as when they are passed to <para>The options have the same meanings as when they are passed to
<filename>/sbin/shorewall</filename> itself. The default VERBOSITY level <filename>/sbin/shorewall</filename> itself. The default VERBOSITY level


@ -348,7 +348,7 @@ ZONE_BITS=0
# For information about the settings in this file, type "man shorewall6.conf" # For information about the settings in this file, type "man shorewall6.conf"
# #
# Manpage also online at # Manpage also online at
# http://www.shorewall.net/manpages/shorewall.conf.html # http://www.shorewall.org/manpages/shorewall.conf.html
############################################################################### ###############################################################################
# S T A R T U P E N A B L E D # S T A R T U P E N A B L E D
############################################################################### ###############################################################################


@ -18,7 +18,7 @@
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright> <copyright>
<year>2001-2019</year> <year>2001-2020</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -56,7 +56,7 @@
Shorewall</ulink> is required reading for being able to use this article Shorewall</ulink> is required reading for being able to use this article
effectively. For information about setting up your first Shorewall-based effectively. For information about setting up your first Shorewall-based
firewall, see the <ulink url="GettingStarted.html">Quickstart firewall, see the <ulink url="GettingStarted.html">Quickstart
Guides</ulink>.in</para> Guides</ulink>.</para>
</section> </section>
<section id="Files"> <section id="Files">
@ -327,6 +327,39 @@
page for that file is 'shorewall.conf':</para> page for that file is 'shorewall.conf':</para>
<programlisting>man shorewall.conf</programlisting> <programlisting>man shorewall.conf</programlisting>
<para>Parts of this and other articles are also available as
manpages:</para>
<itemizedlist>
<listitem>
<para>shorewall-addresses(5)</para>
</listitem>
<listitem>
<para>shorewall-exclusion(5)</para>
</listitem>
<listitem>
<para>shorewall-files(5)</para>
</listitem>
<listitem>
<para>shorewall-ipsets(5)</para>
</listitem>
<listitem>
<para>shorewall-logging(5)</para>
</listitem>
<listitem>
<para>shorewall-names(5)</para>
</listitem>
<listitem>
<para>shorewall-nesting(5)</para>
</listitem>
</itemizedlist>
</section> </section>
<section id="Comments"> <section id="Comments">
@ -534,7 +567,7 @@ ACCEPT net:\
readability as in:</para> readability as in:</para>
<simplelist> <simplelist>
<member><emphasis role="bold">{ proto=&gt;udp, port=1024 <member><emphasis role="bold">{ proto=&gt;udp, dport=1024
}</emphasis></member> }</emphasis></member>
</simplelist> </simplelist>
</listitem> </listitem>
@ -545,13 +578,14 @@ ACCEPT net:\
<simplelist> <simplelist>
<member><emphasis role="bold">; proto:udp, <member><emphasis role="bold">; proto:udp,
port:1024</emphasis></member> dport:1024</emphasis></member>
</simplelist> </simplelist>
<important> <important>
<para>This form is incompatible with INLINE_MATCHES=Yes. See the <para>This form is incompatible with INLINE_MATCHES=Yes. See the
INLINE_MATCHES option in <ulink INLINE_MATCHES option in <ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para> url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, if you
are running a version of Shorewall earlier than 5.0..</para>
</important> </important>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
@ -1509,16 +1543,15 @@ SSH(ACCEPT) net:$MYIP $FW
<programlisting>    /etc/shorewall/params <programlisting>    /etc/shorewall/params
NET_IF=eth0 NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,routefilter NET_OPTIONS=routefilter,routefilter
    /etc/shorewall/interfaces record:     /etc/shorewall/interfaces record:
net $NET_IF $NET_BCAST $NET_OPTIONS net $NET_IF $NET_OPTIONS
    The result will be the same as if the record had been written     The result will be the same as if the record had been written
net eth0 130.252.100.255 routefilter,routefilter net eth0 routefilter,routefilter
</programlisting> </programlisting>
</blockquote> </blockquote>
@ -2193,7 +2226,7 @@ SSH(ACCEPT) net:$MYIP $FW
<important> <important>
<para>Beginning with Shorewall 4.5.11, the compiler's environmental <para>Beginning with Shorewall 4.5.11, the compiler's environmental
variables are search last rather than first.</para> variables are searched last rather than first.</para>
</important> </important>
<para>If the <replaceable>variable</replaceable> is still not <para>If the <replaceable>variable</replaceable> is still not
@ -2704,9 +2737,10 @@ POP(ACCEPT) loc net:pop.gmail.com</programlisting>
<section id="IPRanges"> <section id="IPRanges">
<title>IP Address Ranges</title> <title>IP Address Ranges</title>
<para>If you kernel and iptables have iprange match support, you may use <para>If you kernel and iptables have <emphasis>iprange</emphasis>
IP address ranges in Shorewall configuration file entries; IP address <emphasis>match</emphasis> <emphasis>support</emphasis>, you may use IP
ranges have the syntax &lt;<emphasis>low IP address ranges in Shorewall configuration file entries; IP address ranges
have the syntax &lt;<emphasis>low IP
address</emphasis>&gt;-&lt;<emphasis>high IP address</emphasis>&gt;. address</emphasis>&gt;-&lt;<emphasis>high IP address</emphasis>&gt;.
Example: 192.168.1.5-192.168.1.12.</para> Example: 192.168.1.5-192.168.1.12.</para>
@ -2714,16 +2748,15 @@ POP(ACCEPT) loc net:pop.gmail.com</programlisting>
the <command>shorewall show capabilities</command> command:</para> the <command>shorewall show capabilities</command> command:</para>
<programlisting>&gt;~ <command>shorewall show capabilities</command> <programlisting>&gt;~ <command>shorewall show capabilities</command>
...
Shorewall has detected the following iptables/netfilter capabilities: Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available ACCOUNT Target (ACCOUNT_TARGET): Not available
Packet Mangling: Available Address Type Match (ADDRTYPE): Available
Multi-port Match: Available Amanda Helper: Available
Connection Tracking Match: Available ...
Packet Type Match: Not available IPMARK Target (IPMARK_TARGET): Not available
Policy Match: Available IPP2P Match (IPP2P_MATCH): Not available
Physdev Match: Available <emphasis role="bold">IP range Match(IPRANGE_MATCH): Available</emphasis> <emphasis
<emphasis role="bold">IP range Match: Available &lt;--------------</emphasis></programlisting> role="bold">&lt;================</emphasis></programlisting>
</section> </section>
<section id="Ports"> <section id="Ports">
@ -2860,7 +2893,7 @@ neighbour-solicitation =&gt; 135
neighbour-advertisement =&gt; 136 neighbour-advertisement =&gt; 136
redirect =&gt; 137</programlisting> redirect =&gt; 137</programlisting>
<para>Shorewall 4.4 does not accept lists if ICMP (ICMP6) types prior to <para>Shorewall 4.4 does not accept lists of ICMP (ICMP6) types prior to
Shorewall 4.4.19.</para> Shorewall 4.4.19.</para>
</section> </section>


@ -1 +1 @@
5.2.3.7 5.2.4-Beta1


@ -1 +1 @@
5.2.3.7 5.2.4-Beta1


@ -26,6 +26,8 @@
<year>2007</year> <year>2007</year>
<year>2020</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -201,6 +203,40 @@
</blockquote></para> </blockquote></para>
</section> </section>
<section>
<title>systemd</title>
<para>As with SysV init described in the preceeding section, the behavior
of systemctl commands differ from the Shorewall CLI commands on
Debian-based systems. To make systemctl stop shorewall[-lite] and
systemctl restart shorewall[-lite] behave like shorewall stop and
shorewall restart, use this workaround provided by J Cliff
Armstrong:</para>
<para> Type (as root):</para>
<programlisting> <command>systemctl edit shorewall.service</command></programlisting>
<para>This will open the default terminal editor to a blank file in which
you can paste the following:</para>
<programlisting>[Service]
# reset ExecStop ExecStop=
# set ExecStop to "stop" instead of "clear"
ExecStop=/sbin/shorewall $OPTIONS stop</programlisting>
<para>Then type</para>
<programlisting> <command>systemctl daemon-reload</command></programlisting>
<para>to activate the changes. This change will survive future updates of
the shorewall package from apt repositories. The override file itself will
be saved to `/etc/systemd/system/shorewall.service.d/`.</para>
<para>The same workaround may be applied to the other Shorewall products
(excluding Shorewall Init).</para>
</section>
<section id="Trace"> <section id="Trace">
<title>Tracing Command Execution and other Debugging Aids</title> <title>Tracing Command Execution and other Debugging Aids</title>
@ -211,21 +247,25 @@
<para>Example:</para> <para>Example:</para>
<programlisting>shorewall trace check -r</programlisting> <programlisting><command>shorewall trace check -r</command> # Shorewall versions prior to 5.2.4
<command>shorewall check -D </command> # Shorewall versions 5.2.4 and later</programlisting>
<para>This produces a large amount of diagnostic output to standard out <para>This produces a large amount of diagnostic output to standard out
during the compilation step. If entered on a command that doesn't invoke during the compilation step. If the command invokes the compiled firewall
the compiler, <emphasis role="bold">trace</emphasis> is ignored.</para> script, then that script's execution is traced to standard error. If
entered on a command that invokes neither the compiler nor the compiled
script, <emphasis role="bold">trace</emphasis> is ignored.</para>
<para>Commands that invoke a compiled fireawll script can have the word <para>Commands that invoke a compiled fireawll script can have the word
debug inserted immediately after the command.</para> debug inserted immediately after the command.</para>
<para>Example:</para> <para>Example:</para>
<programlisting>shorewall debug restart</programlisting> <programlisting><command>shorewall debug restart</command> # Shorewall versions prior to 5.2.4
<command>shorewall -D restart</command> # Shorewall versions 5.2.4 and later</programlisting>
<para><emphasis role="bold">debug</emphasis> causes altered behavior of <para><emphasis role="bold">debug</emphasis> (-D) causes altered behavior
scripts generated by the Shorewall compiler. These scripts normally use of scripts generated by the Shorewall compiler. These scripts normally use
ip[6]tables-restore to install the Netfilter ruleset, but with debug, the ip[6]tables-restore to install the Netfilter ruleset, but with debug, the
commands normally passed to iptables-restore in its input file are passed commands normally passed to iptables-restore in its input file are passed
individually to ip[6]tables. This is a diagnostic aid which allows individually to ip[6]tables. This is a diagnostic aid which allows
@ -257,37 +297,6 @@
</warning> </warning>
</section> </section>
<section id="Boot">
<title>Having Shorewall Start Automatically at Boot Time</title>
<para>The .rpm, .deb and .tgz all try to configure your startup scripts so
that Shorewall will start automatically at boot time. If you are using the
<command>install.sh </command>script from the .tgz and it cannot determine
how to configure automatic startup, a message to that effect will be
displayed. You will need to consult your distribution's documentation to
see how to integrate the <filename>/etc/init.d/shorewall</filename> script
into the distribution's startup mechanism.<caution>
<itemizedlist>
<listitem>
<para>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by editing
<filename>/etc/shorewall/shorewall.conf</filename> and setting
STARTUP_ENABLED=Yes.. Note: Users of the .deb package must rather
edit <filename>/etc/default/shorewall</filename> and set
<quote>startup=1</quote>.</para>
</listitem>
<listitem>
<para>If you use dialup or some flavor of PPP where your IP
address can change arbitrarily, you may want to start the firewall
in your <command>/etc/ppp/ip-up.local</command> script. I
recommend just placing <quote><command>/sbin/shorewall
restart</command></quote> in that script.</para>
</listitem>
</itemizedlist>
</caution></para>
</section>
<section id="Saved"> <section id="Saved">
<title>Saving a Working Configuration for Error Recovery and Fast <title>Saving a Working Configuration for Error Recovery and Fast
Startup</title> Startup</title>