diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index ebc28db26..553cf6e63 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3319,26 +3319,26 @@ sub Amanda_Helper() {
have_helper( 'amanda', 'udp', 10080 );
}
-sub FTP_Helper() {
- have_helper( 'ftp', 'tcp', 21 );
-}
-
sub FTP0_Helper() {
have_helper( 'ftp-0', 'tcp', 21 ) and $helpers_aliases{ftp} = 'ftp-0';
}
+sub FTP_Helper() {
+ have_helper( 'ftp', 'tcp', 21 ) || FTP0_Helper;
+}
+
sub H323_Helpers() {
have_helper( 'RAS', 'udp', 1719 );
}
-sub IRC_Helper() {
- have_helper( 'irc', 'tcp', 6667 );
-}
-
sub IRC0_Helper() {
have_helper( 'irc-0', 'tcp', 6667 ) and $helpers_aliases{irc} = 'irc-0';
}
+sub IRC_Helper() {
+ have_helper( 'irc', 'tcp', 6667 ) || IRC0_Helper;
+}
+
sub Netbios_ns_Helper() {
have_helper( 'netbios-ns', 'udp', 137 );
}
@@ -3347,34 +3347,34 @@ sub PPTP_Helper() {
have_helper( 'pptp', 'tcp', 1729 );
}
-sub SANE_Helper() {
- have_helper( 'sane', 'tcp', 6566 );
-}
-
sub SANE0_Helper() {
have_helper( 'sane-0', 'tcp', 6566 ) and $helpers_aliases{sane} = 'sane-0';
}
-sub SIP_Helper() {
- have_helper( 'sip', 'udp', 5060 );
+sub SANE_Helper() {
+ have_helper( 'sane', 'tcp', 6566 ) || SANE0_Helper;
}
sub SIP0_Helper() {
have_helper( 'sip-0', 'udp', 5060 ) and $helpers_aliases{sip} = 'sip-0';
}
+sub SIP_Helper() {
+ have_helper( 'sip', 'udp', 5060 ) || SIP0_Helper;
+}
+
sub SNMP_Helper() {
have_helper( 'snmp', 'udp', 161 );
}
-sub TFTP_Helper() {
- have_helper( 'tftp', 'udp', 69 );
-}
-
sub TFTP0_Helper() {
have_helper( 'tftp-0', 'udp', 69 ) and $helpers_aliases{tftp} = 'tftp-0';
}
+sub TFTP_Helper() {
+ have_helper( 'tftp', 'udp', 69 ) || TFTP0_Helper;
+}
+
sub Connlimit_Match() {
qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
}
@@ -3624,17 +3624,6 @@ sub determine_capabilities() {
$globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE';
- if ( have_capability 'CT_TARGET' ) {
- $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ),
- 'FTP0_HELPER',
- 'IRC0_HELPER',
- 'SANE0_HELPER',
- 'SIP0_HELPER',
- 'TFTP0_HELPER' );
- } else {
- $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
- }
-
unless ( $config{ LOAD_HELPERS_ONLY } ) {
#
# Using 'detect_capability()' is a bit less efficient than calling the individual detection
@@ -3718,6 +3707,12 @@ sub determine_capabilities() {
$capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' );
$capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' );
+ if ( have_capability 'CT_TARGET' ) {
+ $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ) );
+ } else {
+ $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
+ }
+
qt1( "$iptables -F $sillyname" );
qt1( "$iptables -X $sillyname" );
qt1( "$iptables -F $sillyname1" );
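Review bot: The helper-capability detection added at L94-L98 now runs much later in `determine_capabilities`, and the previous hunk shows the removed block sat just before `unless ( $config{ LOAD_HELPERS_ONLY } ) {` at L88; if the new location is inside that `unless` block (the cleanup of `$sillyname` at L100-L102 suggests it may be its tail, but the closing brace is not visible here), then helper capabilities are no longer detected at all when LOAD_HELPERS_ONLY is set, which would be a behaviour change the commit does not mention. A one-line comment stating the intent would settle it either way, e.g. `# Helper detection must follow the generic capability probes above; it is deliberately skipped when LOAD_HELPERS_ONLY is set` if that is the design, or the block should move back above the `unless` if it is not. Note also that the explicit `'FTP0_HELPER'` … `'TFTP0_HELPER'` names dropped from the old list are now only probed if `%helpers_map` still contains them. `determine_capabilities` starts and ends outside this hunk.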
diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml
index e43ce44d5..eaeffa86e 100644
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -515,7 +515,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443
role="bold">-|+]number)
- Added in Shorewall 4.4.24.
+ Added in Shorewall 4.4.24.Prior to Shorewall 4.5.7.2, may be optionally followed by
:F but the resulting rule is
@@ -1014,10 +1014,7 @@ Normal-Service => 0x00
Names a Netfiler protocol helper module
such as , ,
, etc. A packet will match if it was accepted
- by the named helper module. You can also append "-" and a port
- number to the helper module name (e.g., ftp-21) to specify the port number that the
- original connection was made on.
+ by the named helper module.Example: Mark all FTP data connections with mark
4:#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml
index ee9914405..d5fc4f094 100644
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@@ -420,12 +420,12 @@ SAME $FW 0.0.0.0/0 tcp 80,443
role="bold">:P, in which case the rule is added to
the PREROUTING chain.
- If + is included,
- packets matching the rule will have their HL (hop limit)
- incremented by number. Similarly, if
- - is included, matching packets
- have their HL decremented by number.
- If neither + nor If + is included, packets
+ matching the rule will have their HL (hop limit) incremented by
+ number. Similarly, if - is included, matching packets have
+ their HL decremented by number. If
+ neither + nor - is given, the HL of matching packets is
set to number. The valid range of
values for number is 1-255.
@@ -870,10 +870,7 @@ Normal-Service => 0x00
Optional. Names a Netfiler protocol
helper module such as ,
, , etc. A packet will
- match if it was accepted by the named helper module. You can also
- append "-" and a port number to the helper module name (e.g.,
- ftp-21) to specify the port number
- that the original connection was made on.
+ match if it was accepted by the named helper module.
Example: Mark all FTP data connections with mark
4:#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
diff --git a/docs/Internals.xml b/docs/Internals.xml
index 40ad20390..7d3819e46 100644
--- a/docs/Internals.xml
+++ b/docs/Internals.xml
@@ -472,7 +472,380 @@ export -pConfig Module
-
+ As mentioned above, the Config module offers several related
+ services. Each will be described in a separate sub-section.
+
+
+ Pre-processor
+
+ Unlike preprocessors like ccp, the Shorewall pre-processor does
+ it's work each time that the higher-level modules asks for the next
+ line of input.
+
+ The major exported functions in the pre-processor are:
+
+
+
+ open_file( $ )
+
+
+ The single argument names the file to be opened and is
+ usually a simple filename such as
+ shorewall.conf. open_file calls find_file who traverses the CONFIG_PATH
+ looking for a file with the requested name. If the file is found
+ and has non-zero size, it is opened, module-global variables are
+ set as follows, and the fully-qualified name of the file is
+ returned by the function.
+
+
+
+ $currentfile
+
+
+ Handle for the file open
+
+
+
+
+ $currentfilename (exported)
+
+
+ The fully-qualified name of the file.
+
+
+
+
+ $currentlinenumber
+
+
+ Set to zero.
+
+
+
+
+ If the file is not found or if it has zero size, false
+ ('') is returned.
+
+
+
+
+ push_open( $ )
+
+
+ Sometimes, the higher-level modules need to suspend
+ processing of the current file and open another file. An obvious
+ example is when the Rules module encounters a macro invocation
+ and needs to process the corresponding macro file. The push_open
+ function is called in these cases.
+
+ push_open pushes
+ $currentfile, $currentfilename, $currentlinenumber and $ifstack onto @includestack, copies @includestack into a local array, pushes
+ a reference to the local array onto @openstack, and empties @includestack
+
+ As its final step, push_open calls open_file.
+
+
+
+
+ pop_open()
+
+
+ The pop_open function
+ must be called after the file opened by push_open is processed. This is true even
+ in the case where push_open
+ returned false.
+
+ pop_open pops @openstack and restores $currentfile, $currentfilename, $currentlinenumber, $ifstack and @includestack.
+
+
+
+
+ close_file()
+
+
+ close_file is called to
+ close the current file. Higher-level modules should only call
+ close_file to close the current
+ file prior to end-of-file.
+
+
+
+
+ first_entry( $ )
+
+
+ This function is called to specify what happens when the
+ first non-commentary and no-blank line is read from the open
+ file. The argument may be either a scalar or a function
+ reference. If the argument is a scalar then it is treaded as a
+ progress message that should be issued if the VERBOSITY setting
+ is >= 1. If the argument is a function reference, the
+ function (usually a closure) is called.
+
+ first_entry may called
+ after a successful call to open_file. If it is not called, then the
+ pre-processor takes no action when the first non-blank
+ non-commentary line is found.
+
+ first_entry returns no
+ significant value.
+
+
+
+
+ read_a_line( $ )
+
+
+ This function delivers the next logical input line to the
+ caller. The single argument is defined by the following
+ constants:
+
+ use constant { PLAIN_READ => 0, # No read_a_line options
+ EMBEDDED_ENABLED => 1, # Look for embedded Shell and Perl
+ EXPAND_VARIABLES => 2, # Expand Shell variables
+ STRIP_COMMENTS => 4, # Remove comments
+ SUPPRESS_WHITESPACE => 8, # Ignore blank lines
+ CHECK_GUNK => 16, # Look for unprintable characters
+ CONFIG_CONTINUATION => 32, # Suppress leading whitespace if
+ # continued line ends in ',' or ':'
+ DO_INCLUDE => 64, # Look for INCLUDE <filename>
+ NORMAL_READ => -1 # All options
+ };
+
+ The actual argument may be a bit-wise OR of any of these
+ constants.
+
+ The function does not return the logical line; that line
+ is rather stored in the module-global variable $currentline (exported). The function
+ simply returns true if a line was read or false if end-of-file
+ was reached. read_a_line
+ automatically calls close_file
+ at EOF.
+
+
+
+
+ split_line1
+
+
+ Most of the callers of read_a_line want to treat each line as
+ whitespace-separated columns. The split_line and split_line1 functions return an array
+ containing the contents of those columns.
+
+ The arguments to split_line1 are:
+
+
+
+ A =>
+ column-number pair for each of
+ the columns in the file. These are used to process lines
+ that use the alternate input
+ methods and also serve to define the number of
+ columns in the file's records.
+
+
+
+ A hash reference defining
+ => number-of-columns pairs.
+ For example "{ COMMENT => 0, FORMAT 2 }" allows COMMENT
+ lines of an unlimited number of space-separated tokens and
+ it allows FORMAT lines with exactly two columns. The hash
+ reference must be the last argument passed.
+
+
+
+ If there are fewer space-separated tokens on the line than
+ specified in the arguments, then "-" is returned for the omitted
+ trailing columns.
+
+
+
+
+ split_line
+
+
+ split_line simply returns
+ split_line1( @_, {} ).
+
+
+
+
+
+
+ Error and Progress Message Production
+
+ There are several exported functions dealing with error and
+ warning messages:
+
+
+
+ fatal_error
+
+
+ The argument(s) to this function describe the error. The
+ generated error message is:
+
+
+ "ERROR: @_" followed by the name of the file and the
+ line number where the error occurred.
+
+
+ The mesage is written to the STARTUP_LOG, if any.
+
+ The function does not return but rather passes the message
+ to die or to confess, depending on whether the "-T"
+ option was specified.
+
+
+
+
+ warning_message
+
+
+ The warning_message is very similar to fatal_error but
+ avoids calling die or confess. It also prefixes the argument(s)
+ with "WARNING: " rather than "ERROR: ".
+
+ It message is written to Standard Out and to the
+ STARTUP_LOG, if any.
+
+
+
+
+ progress_message, progress_message2, progress_message3 and
+ progress_message_nocompress
+
+
+ These procedures conditionally write their argument(s) to
+ Standard Out and to the STARTUP_LOG (if any), depending on the
+ settings of VERBOSITY and and LOG_VERBOSITY respectively.
+
+
+
+ progress_message only
+ write messages when the verbosity is 2. This function also
+ preserves leading whitespace while removing superflous
+ embedded whitespace from the messages.
+
+
+
+ progress_message2
+ writes messages with the verbosity is >= 1.
+
+
+
+ progress_message3
+ writes messages when the verbosity is >= 0.
+
+
+
+ progress_message_nocompress is like
+ progress_message except
+ that it does not preserve leading whitespace nor does it
+ eliminate superfluous embedded whitespacve from the
+ messages.
+
+
+
+
+
+
+
+
+ Script File Handling
+
+ The functions involved in script file creation are:
+
+
+
+ create_temp_script( $$ )
+
+
+ This function creates and opens a temporary file in the
+ directory where the final script is to be placed; this function
+ is not called when the check command is being
+ processed. The first argument is the fully-qualified name of the
+ output script; the second (boolean) argument determines if the
+ compilation is for export. The function returns no meaningful
+ value but sets module-global variables as follows:
+
+
+
+ $script
+
+
+ Handle of the open script file.
+
+
+
+
+ $dir
+
+
+ The directory in which the script was
+ created.
+
+
+
+
+ $tempfile
+
+
+ The name of the temporary file.
+
+
+
+
+ $file
+
+
+ This fully-qualified name of the script file.
+
+
+
+
+
+
+
+ finalize_script( $ )
+
+
+ This function closes the temporary file and renames it to
+ the
+
+
+
+
+
+