Support a richer SOURCE and DEST syntax

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-12-09 09:43:10 -08:00
parent 6c8dae45c4
commit 5ea3334a66
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
4 changed files with 1002 additions and 524 deletions

View File

@ -7602,7 +7602,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
# #
# Returns the destination interface specified in the rule, if any. # Returns the destination interface specified in the rule, if any.
# #
sub expand_rule( $$$$$$$$$$$$;$ ) sub expand_rule1( $$$$$$$$$$$$;$ )
{ {
my ($chainref , # Chain my ($chainref , # Chain
$restriction, # Determines what to do with interface names in the SOURCE or DEST $restriction, # Determines what to do with interface names in the SOURCE or DEST
@ -7619,8 +7619,6 @@ sub expand_rule( $$$$$$$$$$$$;$ )
$logname, # Name of chain to name in log messages $logname, # Name of chain to name in log messages
) = @_; ) = @_;
return if $chainref->{complete};
my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) =
( '', '', '', '', '', '', '', '', '', '' ); ( '', '', '', '', '', '', '', '', '', '' );
my $chain = $actparams{chain} || $chainref->{name}; my $chain = $actparams{chain} || $chainref->{name};
@ -7855,6 +7853,78 @@ sub expand_rule( $$$$$$$$$$$$;$ )
$diface; $diface;
} }
sub expand_rule( $$$$$$$$$$$$;$$$ )
{
my ($chainref , # Chain
$restriction, # Determines what to do with interface names in the SOURCE or DEST
$prerule, # Matches that go at the front of the rule
$rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
$source, # SOURCE
$dest, # DEST
$origdest, # ORIGINAL DEST
$target, # Target ('-j' part of the rule - may be empty)
$loglevel , # Log level (and tag)
$disposition, # Primtive part of the target (RETURN, ACCEPT, ...)
$exceptionrule,# Caller's matches used in exclusion case
$usergenerated,# Rule came from the IP[6]TABLES target
$logname, # Name of chain to name in log messages
$device, # TC Device Name
$classid, # TC Class Id
) = @_;
return if $chainref->{complete};
my ( @source, @dest );
$source = '' unless defined $source;
$dest = '' unless defined $dest;
if ( $source =~ /\(.+\)/ ) {
@source = split_list3( $source, 'SOURCE' );
} else {
@source = ( $source );
}
if ( $dest =~ /\(.+\)/ ) {
@dest = split_list3( $dest, 'DEST' );
} else {
@dest = ( $dest );
}
for $source ( @source ) {
if ( $source =~ /^(.+?):\((.+)\)$/ ) {
$source = join( ':', $1, $2 );
} elsif ( $source =~ /^\((.+)\)$/ ) {
$source = $1;
}
for $dest ( @dest ) {
if ( $dest =~ /^(.+?):\((.+)\)$/ ) {
$dest = join( ':', $1, $2 );
} elsif ( $dest =~ /^\((.+)\)$/ ) {
$dest = $1;
}
if ( ( my $result = expand_rule1( $chainref ,
$restriction ,
$prerule ,
$rule ,
$source ,
$dest ,
$origdest ,
$target ,
$loglevel ,
$disposition ,
$exceptionrule ,
$usergenerated ,
$logname ,
) ) && $device ) {
fatal_error "Class Id $classid is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
}
}
}
}
# #
# Returns true if the passed interface is associated with exactly one zone # Returns true if the passed interface is associated with exactly one zone
# #

View File

@ -2718,8 +2718,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
# #
# For now, we'll just strip the parens from the SOURCE and DEST. In a later release, we might be able to do something more with them # For now, we'll just strip the parens from the SOURCE and DEST. In a later release, we might be able to do something more with them
# #
$source =~ s/[()]//g;
$dest =~ s/[()]//g;
if ( $actiontype == MACRO ) { if ( $actiontype == MACRO ) {
# #
@ -3847,7 +3845,11 @@ sub process_raw_rule ( ) {
} }
for $source ( @source ) { for $source ( @source ) {
$source = join(':', $1, $2 ) if $source =~ /^(.+?):\((.+)\)$/;
for $dest ( @dest ) { for $dest ( @dest ) {
$dest = join( ':', $1, $2 ) if $dest =~ /^(.+?):\((.+)\)$/;
process_raw_rule1( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper ); process_raw_rule1( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
} }
} }
@ -4936,37 +4938,35 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
$restriction |= $chainref->{restriction}; $restriction |= $chainref->{restriction};
if ( ( my $result = expand_rule( $chainref , expand_rule( $chainref ,
$restriction, $restriction,
$prerule, $prerule,
do_proto( $proto, $ports, $sports) . $matches . do_proto( $proto, $ports, $sports) . $matches .
do_user( $user ) . do_user( $user ) .
do_test( $testval, $globals{TC_MASK} ) . do_test( $testval, $globals{TC_MASK} ) .
do_length( $length ) . do_length( $length ) .
do_tos( $tos ) . do_tos( $tos ) .
do_connbytes( $connbytes ) . do_connbytes( $connbytes ) .
do_helper( $helper ) . do_helper( $helper ) .
do_headers( $headers ) . do_headers( $headers ) .
do_probability( $probability ) . do_probability( $probability ) .
do_dscp( $dscp ) . do_dscp( $dscp ) .
state_match( $state ) . state_match( $state ) .
do_time( $time ) . do_time( $time ) .
( $ttl ? "-t $ttl " : '' ) . ( $ttl ? "-t $ttl " : '' ) .
$raw_matches , $raw_matches ,
$source , $source ,
$dest , $dest ,
'' , '' ,
$target, $target,
'' , '' ,
$target , $target ,
$exceptionrule , $exceptionrule ,
$usergenerated ) ) $usergenerated ,
&& $device ) { '' , # Log Name
# $device ,
# expand_rule() returns destination device if any $params
# );
fatal_error "Class Id $params is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
}
} }
progress_message " Mangle Rule \"$currentline\" $done"; progress_message " Mangle Rule \"$currentline\" $done";

View File

@ -900,108 +900,185 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - <term><emphasis role="bold">SOURCE -
{<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis <replaceable>source-spec</replaceable>[,...]</emphasis></term>
role="bold">all</emphasis>|<emphasis
role="bold">any</emphasis>}[<emphasis
role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
role="bold">:</emphasis>[(]{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}[)][,...]</term>
<listitem> <listitem>
<para>Source hosts to which the rule applies. May be a <para>Source hosts to which the rule applies.</para>
<replaceable>zone</replaceable> declared in /etc/shorewall/zones,
<emphasis role="bold">$FW</emphasis> to indicate the firewall
itself, <emphasis role="bold">all</emphasis>, <emphasis
role="bold">all+</emphasis>, <emphasis role="bold">all-</emphasis>,
<emphasis role="bold">all+-</emphasis> or <emphasis
role="bold">none</emphasis>.</para>
<para>Beginning with Shorewall 4.4.13, you may use a <para><replaceable>source-spec</replaceable> is one of the
<replaceable>zone-list </replaceable>which consists of a following:</para>
comma-separated list of zones declared in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
This <replaceable>zone-list</replaceable> may be optionally followed
by "+" to indicate that the rule is to apply to intra-zone traffic
as well as inter-zone traffic.</para>
<para>When <emphasis role="bold">none</emphasis> is used either in <variablelist>
the <emphasis role="bold">SOURCE</emphasis> or <emphasis <varlistentry>
role="bold">DEST</emphasis> column, the rule is ignored.</para> <term><emphasis
role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
<para><emphasis role="bold">all</emphasis> means "All Zones", <listitem>
including the firewall itself. <emphasis role="bold">all-</emphasis> <para>The name of a zone defined in <ulink
means "All Zones, except the firewall itself". When <emphasis url="shorewall-zones.html">shorewall-zones</ulink>(5). When
role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is only the zone name is specified, the packet source may be any
used either in the <emphasis role="bold">SOURCE</emphasis> or host in that zone.</para>
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
<ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis <para>zone may also be one of the following:</para>
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
<emphasis role="bold">any</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
specified, clients may be further restricted to a list of networks
and/or hosts by appending ":" and a comma-separated list of network
and/or host addresses. Hosts may be specified by IP or MAC address;
mac addresses must begin with "~" and must use "-" as a
separator.</para>
<para>The above restriction on <emphasis <variablelist>
role="bold">all</emphasis>[<emphasis <varlistentry>
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and <term>all[+][-]</term>
<emphasis role="bold">any</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
removed in Shorewall-4.4.13.</para>
<para><emphasis role="bold">any</emphasis> is equivalent to <listitem>
<emphasis role="bold">all</emphasis> when there are no nested zones. <para><emphasis role="bold">all</emphasis>, without the
When there are nested zones, <emphasis role="bold">any</emphasis> "-" means "All Zones, including the firewall zone". If
only refers to top-level zones (those with no parent zones). Note the "-" is included, the firewall zone is omitted.
that <emphasis role="bold">any</emphasis> excludes all vserver Normally all omits intra-zone traffic, but intra-zone
zones, since those zones are nested within the firewall zone. traffic can be included specifying "+".</para>
Beginning with Shorewall 4.4.13, exclusion is supported with </listitem>
<emphasis role="bold">any</emphasis> -- see see <ulink </varlistentry>
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
<para>Hosts may also be specified as an IP address range using the <varlistentry>
syntax <term>any[+][-]</term>
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
This requires that your kernel and iptables contain iprange match
support. If your kernel and iptables have ipset match support then
you may give the name of an ipset prefaced by "+". The ipset name
may be optionally followed by a number from 1 to 6 enclosed in
square brackets ([]) to indicate the number of levels of source
bindings to be matched.</para>
<para>Beginning with Shorewall 4.4.17, the primary IP address of a <listitem>
firewall interface can be specified by an ampersand ('&amp;') <para><emphasis role="bold">any</emphasis> is equivalent
followed by the logical name of the interface as found in the to <emphasis role="bold">all</emphasis> when there are
INTERFACE column of <ulink no nested zones. When there are nested zones, <emphasis
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> role="bold">any</emphasis> only refers to top-level
(5).</para> zones (those with no parent zones). Note that <emphasis
role="bold">any</emphasis> excludes all vserver zones,
since those zones are nested within the firewall
zone.</para>
</listitem>
</varlistentry>
<para>Beginning with Shorewall 4.5.4, A <varlistentry>
<replaceable>countrycode-list</replaceable> may be specified. A <term>none</term>
countrycode-list is a comma-separated list of up to 15 two-character
ISO-3661 country codes enclosed in square brackets ('[...]') and
preceded by a caret ('^'). When a single country code is given, the
square brackets may be omitted. A list of country codes supported by
Shorewall may be found at <ulink
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
Specifying a <replaceable>countrycode-list</replaceable> requires
<firstterm>GeoIP Match</firstterm> support in your iptables and
Kernel.</para>
<para>You may exclude certain hosts from the set already defined <listitem>
through use of an <emphasis>exclusion</emphasis> (see <ulink <para>When <emphasis role="bold">none</emphasis> is used
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para> either in the <emphasis role="bold">SOURCE</emphasis> or
<emphasis role="bold">DEST</emphasis> column, the rule
is ignored.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Similar to with <emphasis role="bold">all</emphasis> and
<emphasis role="bold">any</emphasis>, intra-zone traffic is
normally excluded when multiple zones are listed. Intra-zone
traffic may be included by following the list with a plus sign
("+").</para>
<para><emphasis role="bold">all</emphasis> and <emphasis
role="bold">any</emphasis> may be followed by an exclamation
point ("!") and a comma-separated list of zone names to be
omitted.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
<listitem>
<para>When this form is used,
<replaceable>interface</replaceable> must be the name of an
interface associated with the named
<replaceable>zone</replaceable> in either <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
or <ulink
url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
packets from hosts in the <replaceable>zone</replaceable> that
arrive through the named interface will match the rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
<listitem>
<para>where address can be:</para>
<itemizedlist>
<listitem>
<para>A host or network IP address. A network address may
be followed by exclusion (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
</listitem>
<listitem>
<para>An address range, specified using the syntax
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
</listitem>
<listitem>
<para>+<replaceable>ipset</replaceable> where
<replaceable>ipset</replaceable> is the name of an ipset
and must be preceded by a plus sign ("+").</para>
</listitem>
<listitem>
<para>A MAC address in Shorewall format (preceded by a
tilde ("~") and with the hex byte values separated by
dashes (e.g., "~00-0a-f6-04-9c-7d").</para>
</listitem>
<listitem>
<para>^<replaceable>country-code</replaceable> where
country-code is a two-character ISO-3661 country code
preceded by a caret ("^").</para>
</listitem>
<listitem>
<para>^<replaceable>country-code-list</replaceable> where
<replaceable>country-code-list</replaceable> is a
comma-separated list of up to 15 ISO-3661 country codes
enclosed in square brackets ("[...]").</para>
</listitem>
<listitem>
<para>The primary IP address of a firewall interface can
be specified by an ampersand ('&amp;') followed by the
logical name of the interface as found in the INTERFACE
column of <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>zone:interface:address[,...]</term>
<listitem>
<para>This form combines the preceding two and requires that
both the incoming interface and source address match.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
<listitem>
<para>This form matches if the host IP address does not match
any of the entries in the exclusion (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
</variablelist>
<para>Beginning with Shorewall 5.1.0, multiple
<replaceable>source-spec</replaceable>s may be listed, provided that
extended forms of the source-spec are used:</para>
<blockquote>
<para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
<para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
<para>zone:(interface:address[,...])</para>
<para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
</blockquote>
<para>Examples:</para> <para>Examples:</para>
@ -1070,8 +1147,8 @@
<term>$FW:&amp;eth0</term> <term>$FW:&amp;eth0</term>
<listitem> <listitem>
<para>The primary IP address of eth0 in the firewall zone <para>The primary IP address of eth0 in the firewall
(Shorewall 4.4.17 and later).</para> zone.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1092,24 +1169,23 @@
zone.</para> zone.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist>
<para>Beginning with Shorewall 5.1.0, multiple
<replaceable>zone</replaceable>:[<replaceable>interface</replaceable>:](<replaceable>address-list</replaceable>)
tupples can be listed, separated by commas. Where the
<replaceable>address-list</replaceable> consists of more than a
single address, the list must be enclosed in parentheses.</para>
<para>Example:</para>
<variablelist>
<varlistentry> <varlistentry>
<term>dmz:(192.168.2.2,192.168.2.3),net:(206.124.146.22,155.186.235.0/24!155.186.235.16/28)</term> <term>net:^CN</term>
<listitem> <listitem>
<para>Hosts 192.168.2.2 and 192.168.2.3 in the dmz zone, host <para>China.</para>
206.124.146.22 in the dmz zone and network 155.186.235.0/24 in </listitem>
the net zone excluding 155.186.235.16/28.</para> </varlistentry>
<varlistentry>
<term>loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net</term>
<listitem>
<para>Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the
packet arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12
in the dmz zone when the packet arrives through eth2 plus all
of the net zone.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -1117,87 +1193,223 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST</emphasis> - <term><emphasis role="bold">DEST -
{<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis <replaceable>dest-spec</replaceable>[,...]</emphasis></term>
role="bold">all</emphasis>|<emphasis
role="bold">any</emphasis>}[<emphasis
role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis
role="bold">[:{</emphasis><emphasis>interface</emphasis>|[(]<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>][)]|[(]<emphasis>exclusion</emphasis>[)]|<emphasis
role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
role="bold">random</emphasis>]]</term>
<listitem> <listitem>
<para>Location of Server. May be a zone declared in <ulink <para>Destination hosts to which the rule applies.</para>
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
$<emphasis role="bold">FW</emphasis> to indicate the firewall
itself, <emphasis role="bold">all</emphasis>. <emphasis
role="bold">all+</emphasis> or <emphasis
role="bold">none</emphasis>.</para>
<para>Beginning with Shorewall 4.4.13, you may use a <para><replaceable>dest-spec</replaceable> is one of the
<replaceable>zone-list </replaceable>which consists of a following:</para>
comma-separated list of zones declared in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
This <replaceable>zone-list</replaceable> may be optionally followed
by "+" to indicate that the rule is to apply to intra-zone traffic
as well as inter-zone traffic.</para>
<para>Beginning with Shorewall 4.5.4, A <variablelist>
<replaceable>countrycode-list</replaceable> may be specified. A <varlistentry>
countrycode-list is a comma-separated list of up to 15 two-character <term><emphasis
ISO-3661 country codes enclosed in square brackets ('[...]') and role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
preceded by a caret ('^'). When a single country code is given, the
square brackets may be omitted. A list of country codes supported by
Shorewall may be found at <ulink
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
Specifying a <replaceable>countrycode-list</replaceable> requires
<firstterm>GeoIP Match</firstterm> support in your iptables and
Kernel.</para>
<para>When <emphasis role="bold">none</emphasis> is used either in <listitem>
the <emphasis role="bold">SOURCE</emphasis> or <emphasis <para>The name of a zone defined in <ulink
role="bold">DEST</emphasis> column, the rule is ignored.</para> url="shorewall-zones.html">shorewall-zones</ulink>(5). When
only the zone name is specified, the packet destination may be
any host in that zone.</para>
<para><emphasis role="bold">all</emphasis> means "All Zones", <para>zone may also be one of the following:</para>
including the firewall itself. <emphasis role="bold">all-</emphasis>
means "All Zones, except the firewall itself". When <emphasis
role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
used either in the <emphasis role="bold">SOURCE</emphasis> or
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
<para><emphasis role="bold">any</emphasis> is equivalent to <variablelist>
<emphasis role="bold">all</emphasis> when there are no nested zones. <varlistentry>
When there are nested zones, <emphasis role="bold">any</emphasis> <term>all[+][-]</term>
only refers to top-level zones (those with no parent zones). Note
that <emphasis role="bold">any</emphasis> excludes all vserver
zones, since those zones are nested within the firewall zone.</para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis <listitem>
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or <para><emphasis role="bold">all</emphasis>, without the
<emphasis role="bold">any</emphasis>[<emphasis "-" means "All Zones, including the firewall zone". If
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is the "-" is included, the firewall zone is omitted.
specified, clients may be further restricted to a list of networks Normally all omits intra-zone traffic, but intra-zone
and/or hosts by appending ":" and a comma-separated list of network traffic can be included specifying "+".</para>
and/or host addresses. Hosts may be specified by IP or MAC address; </listitem>
mac addresses must begin with "~" and must use "-" as a </varlistentry>
separator.</para>
<para>When <emphasis role="bold">all</emphasis> is used either in <varlistentry>
the <emphasis role="bold">SOURCE</emphasis> or <emphasis <term>any[+][-]</term>
role="bold">DEST</emphasis> column intra-zone traffic is not
affected. When <emphasis role="bold">all+</emphasis> is used,
intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
exclusion is supported -- see see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
<para>The <replaceable>zone</replaceable> should be omitted in <listitem>
DNAT-, REDIRECT- and NONAT rules.</para> <para><emphasis role="bold">any</emphasis> is equivalent
to <emphasis role="bold">all</emphasis> when there are
no nested zones. When there are nested zones, <emphasis
role="bold">any</emphasis> only refers to top-level
zones (those with no parent zones). Note that <emphasis
role="bold">any</emphasis> excludes all vserver zones,
since those zones are nested within the firewall
zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>none</term>
<listitem>
<para>When <emphasis role="bold">none</emphasis> is used
either in the <emphasis role="bold">SOURCE</emphasis> or
<emphasis role="bold">DEST</emphasis> column, the rule
is ignored.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Similar to with <emphasis role="bold">all</emphasis> and
<emphasis role="bold">any</emphasis>, intra-zone traffic is
normally excluded when multiple zones are listed. Intra-zone
traffic may be included by following the list with a plus sign
("+").</para>
<para><emphasis role="bold">all</emphasis> and <emphasis
role="bold">any</emphasis> may be followed by an exclamation
point ("!") and a comma-separated list of zone names to be
omitted.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
<listitem>
<para>When this form is used,
<replaceable>interface</replaceable> must be the name of an
interface associated with the named
<replaceable>zone</replaceable> in either <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
or <ulink
url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
packets to hosts in the <replaceable>zone</replaceable> that
are sent through the named interface will match the
rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
<listitem>
<para>where address can be:</para>
<itemizedlist>
<listitem>
<para>A host or network IP address. A network address may
be followed by exclusion (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
</listitem>
<listitem>
<para>An address range, specified using the syntax
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
</listitem>
<listitem>
<para>+<replaceable>ipset</replaceable> where
<replaceable>ipset</replaceable> is the name of an ipset
and must be preceded by a plus sign ("+").</para>
</listitem>
<listitem>
<para>^<replaceable>country-code</replaceable> where
country-code is a two-character ISO-3661 country code
preceded by a caret ("^").</para>
</listitem>
<listitem>
<para>^<replaceable>country-code-list</replaceable> where
<replaceable>country-code-list</replaceable> is a
comma-separated list of up to 15 ISO-3661 country codes
enclosed in square brackets ("[...]").</para>
</listitem>
<listitem>
<para>The primary IP address of a firewall interface can
be specified by an ampersand ('&amp;') followed by the
logical name of the interface as found in the INTERFACE
column of <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>zone:interface:address[,...]</term>
<listitem>
<para>This form combines the preceding two and requires that
both the outgoing interface and destinationaddress
match.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
<listitem>
<para>This form matches if the host IP address does not match
any of the entries in the exclusion (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>[<replaceable>zone</replaceable>]:[<replaceable>server-IP</replaceable>][:<replaceable>port-or-port-range</replaceable>[:random]]</term>
<listitem>
<para>This form applies when the ACTION is DNAT[-] or
REDIRECT[-]. The zone may be omitted in REDIRECT rules ($FW is
assumed) and must be omitted in DNAT-, REDIRECT- and NONAT
rules.</para>
<para><replaceable role="bold">server-IP</replaceable> is not
allowed in REDIRECT rules and may be omitted in DNAT[-] rules
provided that <replaceable>port-or-port-range</replaceable> is
included.</para>
<itemizedlist>
<listitem>
<para>The IP address of the server to which the packet is
to be sent.</para>
</listitem>
<listitem>
<para>A range of IP address with the low and high address
separated by a dash (:"-"). Connections are distributed
among the IP addresses in the range.</para>
</listitem>
</itemizedlist>
<para>If <replaceable>server-IP </replaceable>is omitted in a
DNAT[-] rule, only the destination port number is modified by
the rule.</para>
<para>port-or-port-range may be:</para>
<itemizedlist>
<listitem>
<para>An integer port number in the range 1 -
65535.</para>
</listitem>
<listitem>
<para>The name of a service from
<filename>/etc/services</filename>.</para>
</listitem>
<listitem>
<para>A port range with the low and high integer port
numbers separated by a dash ("-"). Connections are
distributed among the ports in the range.</para>
</listitem>
</itemizedlist>
<para>If <emphasis role="bold">random</emphasis> is specified,
port mapping will be randomized.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If the DEST <replaceable>zone</replaceable> is a bport zone, <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
then either:<orderedlist numeration="loweralpha"> then either:<orderedlist numeration="loweralpha">
@ -1214,89 +1426,132 @@
<para>the SOURCE <replaceable>zone</replaceable> must be an <para>the SOURCE <replaceable>zone</replaceable> must be an
ipv4 zone that is associated with only the same bridge.</para> ipv4 zone that is associated with only the same bridge.</para>
</listitem> </listitem>
</orderedlist></para> </orderedlist>Beginning with Shorewall 5.1.0, multiple
<replaceable>dest-spec</replaceable>s may be listed, provided that
extended forms of the source-spec are used:</para>
<para>Except when <emphasis <blockquote>
role="bold">{all|any}</emphasis>[<emphasis <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
role="bold">+]|[-</emphasis>] is specified, the server may be
further restricted to a particular network, host or interface by
appending ":" and the network, host or interface. See <emphasis
role="bold">SOURCE</emphasis> above.</para>
<para>You may exclude certain hosts from the set already defined <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
<para>Restriction: MAC addresses are not allowed (this is a <para>zone:(interface:address[,...])</para>
Netfilter restriction).</para>
<para>Like in the <emphasis role="bold">SOURCE</emphasis> column, <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
you may specify a range of IP addresses using the syntax </blockquote>
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
When the <emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">DNAT</emphasis> or <emphasis
role="bold">DNAT-</emphasis>, the connections will be assigned to
addresses in the range in a round-robin fashion.</para>
<para>If your kernel and iptables have ipset match support then you <para>Multiple <replaceable>dest-spec</replaceable>s are not
may give the name of an ipset prefaced by "+". The ipset name may be permitted in DNAT[-] and REDIRECT[-] rules.</para>
optionally followed by a number from 1 to 6 enclosed in square
brackets ([]) to indicate the number of levels of destination
bindings to be matched. Only one of the <emphasis
role="bold">SOURCE</emphasis> and <emphasis
role="bold">DEST</emphasis> columns may specify an ipset
name.</para>
<para>Beginning with Shorewall 4.4.17, the primary IP address of a <para>Examples:</para>
firewall interface can be specified by an ampersand ('&amp;')
followed by the logical name of the interface as found in the
INTERFACE column of <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para>
<para>The <replaceable>port</replaceable> that the server is
listening on may be included and separated from the server's IP
address by ":". If omitted, the firewall will not modify the
destination port. A destination port may only be included if the
<emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">DNAT</emphasis> or <emphasis
role="bold">REDIRECT</emphasis>.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>Example:</term> <term>dmz:192.168.2.2</term>
<listitem> <listitem>
<para><emphasis role="bold">loc:192.168.1.3:3128</emphasis> <para>Host 192.168.2.2 in the DMZ</para>
specifies a local server at IP address 192.168.1.3 and </listitem>
listening on port 3128.</para> </varlistentry>
<varlistentry>
<term>net:155.186.235.0/24</term>
<listitem>
<para>Subnet 155.186.235.0/24 on the Internet</para>
</listitem>
</varlistentry>
<varlistentry>
<term>loc:192.168.1.1,192.168.1.2</term>
<listitem>
<para>Hosts 192.168.1.1 and 192.168.1.2 in the local
zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>net:192.0.2.11-192.0.2.17</term>
<listitem>
<para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>net:!192.0.2.11-192.0.2.17</term>
<listitem>
<para>All hosts in the net zone except for
192.0.2.11-192.0.2.17.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>net:155.186.235.0/24!155.186.235.16/28</term>
<listitem>
<para>Subnet 155.186.235.0/24 on the Internet except for
155.186.235.16/28</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$FW:&amp;eth0</term>
<listitem>
<para>The primary IP address of eth0 in the firewall
zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>loc,dmz</term>
<listitem>
<para>Both the <emphasis role="bold">loc</emphasis> and
<emphasis role="bold">dmz</emphasis> zones.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>all!dmz</term>
<listitem>
<para>All but the <emphasis role="bold">dmz</emphasis>
zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>net:^CN</term>
<listitem>
<para>China.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dmz:192.168.10.4:25</term>
<listitem>
<para>Port 25 on server 192.168.10.4 in the dmz zone (DNAT
rule).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net</term>
<listitem>
<para>Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the
packet arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12
in the dmz zone when the packet arrives through eth2 plus all
of the net zone.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>The <emphasis>port</emphasis> may be specified as a service
name. You may specify a port range in the form
<emphasis>lowport-highport</emphasis> to cause connections to be
assigned to ports in the range in round-robin fashion. When a port
range is specified, <emphasis>lowport</emphasis> and
<emphasis>highport</emphasis> must be given as integers; service
names are not permitted. Additionally, the port range may be
optionally followed by <emphasis role="bold">:random</emphasis>
which causes assignment to ports in the list to be random.</para>
<para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">REDIRECT</emphasis> or <emphasis
role="bold">REDIRECT-</emphasis>, this column needs only to contain
the port number on the firewall that the request should be
redirected to. That is equivalent to specifying
<option>$FW</option>::<replaceable>port</replaceable>.</para>
<para>Beginning with Shorewall 5.1.0, multiple
<replaceable>zone</replaceable>:[<replaceable>interface</replaceable>:](<replaceable>address-list</replaceable>)
tupples can be listed, separated by commas. Where the
<replaceable>address-list</replaceable> consists of more than a
single address, the list must be enclosed in parentheses. See the
example in the SOURCE section above.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@ -822,8 +822,8 @@
<para>If the <emphasis role="bold">ACTION</emphasis> names an <para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink <emphasis>action</emphasis> declared in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
or in /usr/share/shorewall/actions.std then:</para> /usr/share/shorewall/actions.std then:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -861,100 +861,187 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - <term><emphasis role="bold">SOURCE -
{<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|<emphasis <replaceable>source-spec</replaceable>[,...]</emphasis></term>
role="bold">{all|any}</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis
role="bold">[:</emphasis><emphasis>interface</emphasis>][(][<emphasis
role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}[)][,...]</term>
<listitem> <listitem>
<para>Source hosts to which the rule applies. May be a zone declared <para>Source hosts to which the rule applies.</para>
in /etc/shorewall6/zones, <emphasis role="bold">$FW</emphasis> to
indicate the firewall itself, <emphasis role="bold">all</emphasis>,
<emphasis role="bold">all+</emphasis>, <emphasis
role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis>
or <emphasis role="bold">none</emphasis>.</para>
<para>Beginning with Shorewall 4.4.13, you may use a <para><replaceable>source-spec</replaceable> is one of the
<replaceable>zone-list </replaceable>which consists of a following:</para>
comma-separated list of zones declared in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
This <replaceable>zone-list</replaceable> may be optionally followed
by "+" to indicate that the rule is to apply to intra-zone traffic
as well as inter-zone traffic.</para>
<para>When <emphasis role="bold">none</emphasis> is used either in <variablelist>
the <emphasis role="bold">SOURCE</emphasis> or <emphasis <varlistentry>
role="bold">DEST</emphasis> column, the rule is ignored.</para> <term><emphasis
role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
<para><emphasis role="bold">all</emphasis> means "All Zones", <listitem>
including the firewall itself. <emphasis role="bold">all-</emphasis> <para>The name of a zone defined in <ulink
means "All Zones, except the firewall itself". When <emphasis url="shorewall6-zones.html">shorewall6-zones</ulink>(5). When
role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is only the zone name is specified, the packet source may be any
used either in the <emphasis role="bold">SOURCE</emphasis> or host in that zone.</para>
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
<para><emphasis role="bold">any</emphasis> is equivalent to <para>zone may also be one of the following:</para>
<emphasis role="bold">all</emphasis> when there are no nested zones.
When there are nested zones, <emphasis role="bold">any</emphasis>
only refers to top-level zones (those with no parent zones). Note
that <emphasis role="bold">any</emphasis> excludes all vserver
zones, since those zones are nested within the firewall zone.</para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis <variablelist>
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or <varlistentry>
<emphasis role="bold">any</emphasis>[<emphasis <term>all[+][-]</term>
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
specified, clients may be further restricted to a list of networks
and/or hosts by appending ":" and a comma-separated list of network
and/or host addresses. Hosts may be specified by IP or MAC address;
mac addresses must begin with "~" and must use "-" as a
separator.</para>
<para>Hosts may also be specified as an IP address range using the <listitem>
syntax <para><emphasis role="bold">all</emphasis>, without the
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>. "-" means "All Zones, including the firewall zone". If
This requires that your kernel and ip6tables contain iprange match the "-" is included, the firewall zone is omitted.
support. If your kernel and ip6tables have ipset match support then Normally all omits intra-zone traffic, but intra-zone
you may give the name of an ipset prefaced by "+". The ipset name traffic can be included specifying "+".</para>
may be optionally followed by a number from 1 to 6 enclosed in </listitem>
square brackets ([]) to indicate the number of levels of source </varlistentry>
bindings to be matched.</para>
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a <varlistentry>
firewall interface can be specified by an ampersand ('&amp;') <term>any[+][-]</term>
followed by the logical name of the interface as found in the
INTERFACE column of <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
(5).</para>
<para>Beginning with Shorewall 4.5.4, A <listitem>
<replaceable>countrycode-list</replaceable> may be specified. A <para><emphasis role="bold">any</emphasis> is equivalent
countrycode-list is a comma-separated list of up to 15 two-character to <emphasis role="bold">all</emphasis> when there are
ISO-3661 country codes enclosed in square brackets ('[...]') and no nested zones. When there are nested zones, <emphasis
preceded by a caret ('^'). When a single country code is given, the role="bold">any</emphasis> only refers to top-level
square brackets may be omitted. A list of country codes supported by zones (those with no parent zones). Note that <emphasis
Shorewall may be found at <ulink role="bold">any</emphasis> excludes all vserver zones,
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>. since those zones are nested within the firewall
Specifying a <replaceable>countrycode-list</replaceable> requires zone.</para>
<firstterm>GeoIP Match</firstterm> support in your ip6tables and </listitem>
Kernel.</para> </varlistentry>
<para>When an <replaceable>interface</replaceable> is not specified, <varlistentry>
you may omit the angled brackets ('&lt;' and '&gt;') around the <term>none</term>
address(es) or you may supply them to improve readability.</para>
<para>You may exclude certain hosts from the set already defined <listitem>
through use of an <emphasis>exclusion</emphasis> (see <ulink <para>When <emphasis role="bold">none</emphasis> is used
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para> either in the <emphasis role="bold">SOURCE</emphasis> or
<emphasis role="bold">DEST</emphasis> column, the rule
is ignored.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Similar to with <emphasis role="bold">all</emphasis> and
<emphasis role="bold">any</emphasis>, intra-zone traffic is
normally excluded when multiple zones are listed. Intra-zone
traffic may be included by following the list with a plus sign
("+").</para>
<para><emphasis role="bold">all</emphasis> and <emphasis
role="bold">any</emphasis> may be followed by an exclamation
point ("!") and a comma-separated list of zone names to be
omitted.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
<listitem>
<para>When this form is used,
<replaceable>interface</replaceable> must be the name of an
interface associated with the named
<replaceable>zone</replaceable> in either <ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
or <ulink
url="shorewall6.hosts.html">shorewall6-hosts</ulink>(5). Only
packets from hosts in the <replaceable>zone</replaceable> that
arrive through the named interface will match the rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
<listitem>
<para>where address can be:</para>
<itemizedlist>
<listitem>
<para>A host or network IP address. IPv6 ddresses must
follow the standard convention and be enclosed in square
brackets (e.g., [2001:470:b:227::0]/64). A network address
may be followed by exclusion (see <ulink
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
</listitem>
<listitem>
<para>An address range, specified using the syntax
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
</listitem>
<listitem>
<para>+<replaceable>ipset</replaceable> where
<replaceable>ipset</replaceable> is the name of an ipset
and must be preceded by a plus sign ("+").</para>
</listitem>
<listitem>
<para>A MAC address in Shorewall format (preceded by a
tilde ("~") and with the hex byte values separated by
dashes (e.g., "~00-0a-f6-04-9c-7d").</para>
</listitem>
<listitem>
<para>^<replaceable>country-code</replaceable> where
country-code is a two-character ISO-3661 country code
preceded by a caret ("^").</para>
</listitem>
<listitem>
<para>^<replaceable>country-code-list</replaceable> where
<replaceable>country-code-list</replaceable> is a
comma-separated list of up to 15 ISO-3661 country codes
enclosed in square brackets ("[...]").</para>
</listitem>
<listitem>
<para>The primary IP address of a firewall interface can
be specified by an ampersand ('&amp;') followed by the
logical name of the interface as found in the INTERFACE
column of <ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
(5).</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>zone:interface:address[,...]</term>
<listitem>
<para>This form combines the preceding two and requires that
both the incoming interface and source address match.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
<listitem>
<para>This form matches if the host IP address does not match
any of the entries in the exclusion (see <ulink
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
</variablelist>
<para>Beginning with Shorewall 5.1.0, multiple
<replaceable>source-spec</replaceable>s may be listed, provided that
extended forms of the source-spec are used:</para>
<blockquote>
<para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
<para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
<para>zone:(interface:address[,...])</para>
<para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
</blockquote>
<para>Examples:</para> <para>Examples:</para>
@ -1011,108 +1098,229 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>Alternatively, clients may be specified by interface by
appending ":" to the zone name followed by the interface name. For
example, <emphasis role="bold">loc:eth1</emphasis> specifies a
client that communicates with the firewall system through eth1. This
may be optionally followed by another colon (":") and an
IP/MAC/subnet address as described above (e.g., <emphasis
role="bold">loc:eth1:&lt;2002:ce7c::92b4:1::2&gt;</emphasis>).</para>
<para>Examples:</para>
<variablelist>
<varlistentry>
<term>loc:eth1:[2002:cec792b4:1::2],[2002:cec792b4:1::44]</term>
<listitem>
<para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
Local zone, with <emphasis role="bold">both</emphasis>
originating from eth1</para>
</listitem>
</varlistentry>
</variablelist>
<para>Beginning with Shorewall 5.1.0, multiple
<replaceable>zone</replaceable>:[<replaceable>interface</replaceable>:](<replaceable>address-list</replaceable>)
tupples can be listed, separated by commas. Where the
<replaceable>address-list</replaceable> consists of more than a
single address, the list must be enclosed in parentheses.</para>
<para>Example:</para>
<variablelist>
<varlistentry>
<term>dmz:([2002:c37c:92b4:1::2],[2002:c37c:92b4:1::3]),loc:eth1:([2002:cec792b4:1::2],[2002:cec792b4:1::44])</term>
<listitem>
<para>Hosts 2002:c37c:92b4:1::2 and 2002:c37c:92b4:1::3 in the
dmz zone and hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44
in the loc zone via interface eth1</para>
</listitem>
</varlistentry>
</variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold"><emphasis role="bold">DEST</emphasis> - <term><emphasis role="bold">DEST -
{<emphasis>zone|zone-list</emphasis>[+]|<emphasis <replaceable>dest-spec</replaceable>[,...]</emphasis></term>
role="bold">all</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis
role="bold">+</emphasis><emphasis>ipset</emphasis>|^<emphasis>countrycode-list</emphasis>}[<option>:</option><replaceable>port</replaceable>[:<emphasis
role="bold">random</emphasis>]]</emphasis></term>
<listitem> <listitem>
<para>Location of Server. May be a zone declared in <ulink <para>Destination hosts to which the rule applies.</para>
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
$<emphasis role="bold">FW</emphasis> to indicate the firewall
itself, <emphasis role="bold">all</emphasis>. <emphasis
role="bold">all+</emphasis> or <emphasis
role="bold">none</emphasis>.</para>
<para>Beginning with Shorewall 4.4.13, you may use a <para><replaceable>dest-spec</replaceable> is one of the
<replaceable>zone-list </replaceable>which consists of a following:</para>
comma-separated list of zones declared in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
Ths <replaceable>zone-list</replaceable> may be optionally followed
by "+" to indicate that the rule is to apply to intra-zone traffic
as well as inter-zone traffic. Beginning with Shorewall-4.4.13,
exclusion is supported -- see see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a <variablelist>
firewall interface can be specified by an ampersand ('&amp;') <varlistentry>
followed by the logical name of the interface as found in the <term><emphasis
INTERFACE column of <ulink role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
(5).</para>
<para>Beginning with Shorewall 4.5.4, A <listitem>
<replaceable>countrycode-list</replaceable> may be specified. A <para>The name of a zone defined in <ulink
countrycode-list is a comma-separated list of up to 15 two-character url="shorewall6-zones.html">shorewall6-zones</ulink>(5). When
ISO-3661 country codes enclosed in square brackets ('[...]') and only the zone name is specified, the packet destination may be
preceded by a caret ('^'). When a single country code is given, the any host in that zone.</para>
square brackets may be omitted. A list of country codes supported by
Shorewall may be found at <ulink
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
Specifying a <replaceable>countrycode-list</replaceable> requires
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
Kernel.</para>
<para>When <emphasis role="bold">none</emphasis> is used either in <para>zone may also be one of the following:</para>
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
role="bold">DEST</emphasis> column, the rule is ignored.</para>
<para>When <emphasis role="bold">all</emphasis> is used either in <variablelist>
the <emphasis role="bold">SOURCE</emphasis> or <emphasis <varlistentry>
role="bold">DEST</emphasis> column intra-zone traffic is not <term>all[+][-]</term>
affected. When <emphasis role="bold">all+</emphasis> is used,
intra-zone traffic is affected.</para> <listitem>
<para><emphasis role="bold">all</emphasis>, without the
"-" means "All Zones, including the firewall zone". If
the "-" is included, the firewall zone is omitted.
Normally all omits intra-zone traffic, but intra-zone
traffic can be included specifying "+".</para>
</listitem>
</varlistentry>
<varlistentry>
<term>any[+][-]</term>
<listitem>
<para><emphasis role="bold">any</emphasis> is equivalent
to <emphasis role="bold">all</emphasis> when there are
no nested zones. When there are nested zones, <emphasis
role="bold">any</emphasis> only refers to top-level
zones (those with no parent zones). Note that <emphasis
role="bold">any</emphasis> excludes all vserver zones,
since those zones are nested within the firewall
zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>none</term>
<listitem>
<para>When <emphasis role="bold">none</emphasis> is used
either in the <emphasis role="bold">SOURCE</emphasis> or
<emphasis role="bold">DEST</emphasis> column, the rule
is ignored.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Similar to with <emphasis role="bold">all</emphasis> and
<emphasis role="bold">any</emphasis>, intra-zone traffic is
normally excluded when multiple zones are listed. Intra-zone
traffic may be included by following the list with a plus sign
("+").</para>
<para><emphasis role="bold">all</emphasis> and <emphasis
role="bold">any</emphasis> may be followed by an exclamation
point ("!") and a comma-separated list of zone names to be
omitted.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
<listitem>
<para>When this form is used,
<replaceable>interface</replaceable> must be the name of an
interface associated with the named
<replaceable>zone</replaceable> in either <ulink
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
or <ulink
url="shorewall.hosts.html">shorewall6-hosts</ulink>(5). Only
packets to hosts in the <replaceable>zone</replaceable> that
are sent through the named interface will match the
rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
<listitem>
<para>where address can be:</para>
<itemizedlist>
<listitem>
<para>A host or network IP address. A network address may
be followed by exclusion (see <ulink
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
</listitem>
<listitem>
<para>An address range, specified using the syntax
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
</listitem>
<listitem>
<para>+<replaceable>ipset</replaceable> where
<replaceable>ipset</replaceable> is the name of an ipset
and must be preceded by a plus sign ("+").</para>
</listitem>
<listitem>
<para>^<replaceable>country-code</replaceable> where
country-code is a two-character ISO-3661 country code
preceded by a caret ("^").</para>
</listitem>
<listitem>
<para>^<replaceable>country-code-list</replaceable> where
<replaceable>country-code-list</replaceable> is a
comma-separated list of up to 15 ISO-3661 country codes
enclosed in square brackets ("[...]").</para>
</listitem>
<listitem>
<para>The primary IP address of a firewall interface can
be specified by an ampersand ('&amp;') followed by the
logical name of the interface as found in the INTERFACE
column of <ulink
url="/manpages/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
(5).</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>zone:interface:address[,...]</term>
<listitem>
<para>This form combines the preceding two and requires that
both the outgoing interface and destinationaddress
match.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
<listitem>
<para>This form matches if the host IP address does not match
any of the entries in the exclusion (see <ulink
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>[<replaceable>zone</replaceable>]:[<replaceable>server-IP</replaceable>][:<replaceable>port-or-port-range</replaceable>[:random]]</term>
<listitem>
<para>This form applies when the ACTION is DNAT[-] or
REDIRECT[-]. The zone may be omitted in REDIRECT rules ($FW is
assumed) and must be omitted in DNAT-, REDIRECT- and NONAT
rules.</para>
<para><replaceable role="bold">server-IP</replaceable> is not
allowed in REDIRECT rules and may be omitted in DNAT[-] rules
provided that <replaceable>port-or-port-range</replaceable> is
included. When omitting the
<replaceable>server-IP</replaceable>, simply enter "[]" (e.g.,
<emphasis role="bold">loc:[]:3128</emphasis>).</para>
<itemizedlist>
<listitem>
<para>The IP address of the server to which the packet is
to be sent.</para>
</listitem>
<listitem>
<para>A range of IP address with the low and high address
separated by a dash (:"-"). Connections are distributed
among the IP addresses in the range.</para>
</listitem>
</itemizedlist>
<para>If <replaceable>server-IP </replaceable>is omitted in a
DNAT[-] rule, only the destination port number is modified by
the rule.</para>
<para>port-or-port-range may be:</para>
<itemizedlist>
<listitem>
<para>An integer port number in the range 1 -
65535.</para>
</listitem>
<listitem>
<para>The name of a service from
<filename>/etc/services</filename>.</para>
</listitem>
<listitem>
<para>A port range with the low and high integer port
numbers separated by a dash ("-"). Connections are
distributed among the ports in the range.</para>
</listitem>
</itemizedlist>
<para>If <emphasis role="bold">random</emphasis> is specified,
port mapping will be randomized.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If the DEST <replaceable>zone</replaceable> is a bport zone, <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
then either:<orderedlist numeration="loweralpha"> then either:<orderedlist numeration="loweralpha">
@ -1127,79 +1335,24 @@
<listitem> <listitem>
<para>the SOURCE <replaceable>zone</replaceable> must be an <para>the SOURCE <replaceable>zone</replaceable> must be an
ipv4 zone that is associated with only the same bridge.</para> ipv6 zone that is associated with only the same bridge.</para>
</listitem> </listitem>
</orderedlist></para> </orderedlist>Beginning with Shorewall 5.1.0, multiple
<replaceable>dest-spec</replaceable>s may be listed, provided that
extended forms of the source-spec are used:</para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis <blockquote>
role="bold">+]|[-</emphasis>] is specified, the server may be <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
further restricted to a particular network, host or interface by
appending ":" and the network, host or interface. See <emphasis
role="bold">SOURCE</emphasis> above.</para>
<para>You may exclude certain hosts from the set already defined <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
<para>Restriction: MAC addresses are not allowed (this is a <para>zone:(interface:address[,...])</para>
Netfilter restriction).</para>
<para>If your kernel and ip6tables have ipset match support then you <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
may give the name of an ipset prefaced by "+". The ipset name may be </blockquote>
optionally followed by a number from 1 to 6 enclosed in square
brackets ([]) to indicate the number of levels of destination
bindings to be matched. Only one of the <emphasis
role="bold">SOURCE</emphasis> and <emphasis
role="bold">DEST</emphasis> columns may specify an ipset
name.</para>
<para>The <replaceable>port</replaceable> that the server is <para>Multiple <replaceable>dest-spec</replaceable>s are not
listening on may be included and separated from the server's IP permitted in DNAT[-] and REDIRECT[-] rules.</para>
address by ":". If omitted, the firewall will not modify the
destination port. A destination port may only be included if the
<emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">DNAT</emphasis> or <emphasis
role="bold">REDIRECT</emphasis>.</para>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para><emphasis
role="bold">loc:[2001:470:b:227::44]:3128</emphasis> specifies
a local server at IP address 2001:470:b:227::44 and listening
on port 3128.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para><emphasis role="bold">loc:[]:3128</emphasis> specifies
that the destination port should be changed to 3128 but the IP
address should remain the same.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The <emphasis>port</emphasis> may be specified as a service
name. You may specify a port range in the form
<emphasis>lowport-highport</emphasis> to cause connections to be
assigned to ports in the range in round-robin fashion. When a port
range is specified, <emphasis>lowport</emphasis> and
<emphasis>highport</emphasis> must be given as integers; service
names are not permitted. Additionally, the port range may be
optionally followed by <emphasis role="bold">:random</emphasis>
which causes assignment to ports in the list to be random.</para>
<para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">REDIRECT</emphasis> or <emphasis
role="bold">REDIRECT-</emphasis>, this column needs only to contain
the port number on the firewall that the request should be
redirected to. That is equivalent to specifying
<option>$FW</option>::<replaceable>port</replaceable>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>