diff --git a/Shorewall/accounting b/Shorewall/accounting index c1445fdf2..4640c6342 100755 --- a/Shorewall/accounting +++ b/Shorewall/accounting @@ -47,9 +47,9 @@ # Format the same as the SOURCE column. # # PROTOCOL A protocol name (from /etc/protocols), a protocol -# number, or "ipp2p" +# number, "ipp2p", "ipp2p-udp" or "ipp2p-all" # -# DEST PORT(S) Destination Port number. If the PROTOCOL is "ipp2p" +# DEST PORT(S) Destination Port number. If the PROTOCOL is "ipp2p*" # then this column must contain an ipp2p option # ("iptables -m ipp2p --help") without the leading # "--". If no option is given in this column, "ipp2p" @@ -60,7 +60,7 @@ # or 17). # # You may place a comma-separated list of port numbers in -# this column if your kernel and iptables include +# this column if your kernel and iptables include # multiport match support. # # SOURCE PORT(S) Source Port number @@ -70,12 +70,12 @@ # or 17). # # You may place a comma-separated list of port numbers in -# this column if your kernel and iptables include +# this column if your kernel and iptables include # multiport match support. # # USER/GROUP This column may only be non-empty if the CHAIN is # OUTPUT. -# +# # The column may contain: # # [!][][:][+] diff --git a/Shorewall/firewall b/Shorewall/firewall index e30c8a867..d399c12a9 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall 
@@ -3213,11 +3213,21 @@ process_tc_rule() multiport= case $proto in - ipp2p|IPP2P) + ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" [ "x$port" = "x-" ] && port="ipp2p" r="${r}-p tcp -m ipp2p --${port} " ;; + ipp2p-udp|IPP2P-UDP) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + [ "x$port" = "x-" ] && port="ipp2p" + r="${r}-p udp -m ipp2p --${port} " + ;; + ipp2p-both|IPP2P-both) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + [ "x$port" = "x-" ] && port="ipp2p" + r="${r}-m ipp2p --${port} " + ;; icmp|ICMP|1) r="${r}-p icmp " [ "x$port" = "x-" ] || r="${r}--icmp-type $port" @@ -3566,11 +3576,21 @@ process_accounting_rule() { [ -n "$proto" ] && case $proto in -|any|all) ;; - ipp2p) + ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support" rule="$rule -p tcp -m ipp2p --${port:-ipp2p}" port= ;; + ipp2p-udp|IPP2P-udp) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support" + rule="$rule -p udp -m ipp2p --${port:-ipp2p}" + port= + ;; + ipp2p-all|IPP2P-all) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support" + rule="$rule -m ipp2p --${port:-ipp2p}" + port= + ;; *) rule="$rule -p $proto" ;; 
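Review bot: The third new arm in process_tc_rule is spelled `ipp2p-both|IPP2P-both)`, while the tcrules documentation changed in this same commit lists the keyword as `ipp2p-all`, and process_accounting_rule/process_rule accept `ipp2p-all`; a tcrules entry written per the documentation therefore misses this arm and is presumably handled by the generic branch outside the hunk, yielding an iptables protocol argument that does not exist. Suggest `ipp2p-all|IPP2P-ALL)` (adding `|ipp2p-both|IPP2P-BOTH` only if the `both` spelling is meant as an alias). The upper-case alternatives are also inconsistent across the three arms (`IPP2P-TCP`, `IPP2P-UDP`, `IPP2P-both`); a fully upper-case form for each keeps matching predictable. process_tc_rule continues outside the hunk.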
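Review bot: The two new arms use mixed-case alternatives `IPP2P-udp` and `IPP2P-all`, whereas process_rule in this commit spells the same keywords `IPP2P-UDP` and `IPP2P-ALL`, so an upper-case keyword that is valid in rules is rejected in accounting; align on `ipp2p-udp|IPP2P-UDP)` and `ipp2p-all|IPP2P-ALL)`. The `ipp2p-all` arm also emits `-m ipp2p` with no `-p` at all; whether the installed ipp2p match accepts being loaded without a protocol match depends on the module version and is not checked here, so a short comment such as `# no -p: relies on ipp2p matching both tcp and udp; needs an ipp2p build that supports udp` would help whoever debugs a load failure. process_accounting_rule continues outside the hunk.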
@@ -3988,12 +4008,25 @@ add_an_action() icmp|ICMP|1) [ -n "$port" ] && dports="--icmp-type $port" ;; - ipp2p) + ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" dports="-m ipp2p --${port:-ipp2p}" port= proto=tcp do_ports + ipp2p-udpIPP2P-udp) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + dports="-m ipp2p --${port:-ipp2p}" + port= + proto=udp + do_ports + ipp2p-all|IPP2P-all) + [ -n "$port" ] && \ + fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + dports="-m ipp2p --${port:-ipp2p}" + port= + proto=all ;; *) [ -n "$port" ] && \ @@ -5314,13 +5347,28 @@ process_rule() # $1 = target fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\"" proto= ;; - ipp2p) + ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" dports="-m ipp2p --${port:-ipp2p}" port= proto=tcp do_ports ;; + ipp2p-udp|IPP2P-UDP) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + dports="-m ipp2p --${port:-ipp2p}" + port= + proto=udp + do_ports + ;; + ipp2p-all|IPP2P-ALL) + [ -n "$port" ] && \ + fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + dports="-m ipp2p --${port:-ipp2p}" + port= + proto=all + ;; *) [ -n "$port" ] && \ fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" diff --git a/Shorewall/macro.template b/Shorewall/macro.template index a984ddec2..acaeeb7c2 100644 --- a/Shorewall/macro.template 
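Review bot: The add_an_action hunk introduces a shell syntax error: the new pattern `ipp2p-udpIPP2P-udp)` lacks the `|` separator, and no `;;` terminates the tcp arm or the udp arm, so the lines `do_ports` followed by `ipp2p-udpIPP2P-udp)` are parsed as a command and a stray `)`, which will break the firewall script as soon as this function is sourced. Change the pattern to `ipp2p-udp|IPP2P-UDP)` and add a `;;` line after each of the two `do_ports` calls, mirroring the process_rule hunk in this same commit. add_an_action continues outside the hunk.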
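Review bot: In the new `ipp2p-all|IPP2P-ALL)` arm of process_rule, `[ -n "$port" ] && fatal_error "Port number not allowed ..."` rejects any DEST PORT(S) value, so the following `dports="-m ipp2p --${port:-ipp2p}"` can only ever produce `--ipp2p`; this contradicts the rules file documentation in this commit, which says the column holds an ipp2p option such as `bit` for any `ipp2p*` protocol. Drop the two port-check lines and treat the column exactly as the tcp and udp arms do, or else document in rules that `ipp2p-all` accepts no option. The same copied check appears in the add_an_action hunk. Note also that the `ipp2p-tcp` alias accepted here is not mentioned in the rules or macro.template documentation. process_rule continues outside the hunk.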
+++ b/Shorewall/macro.template @@ -214,16 +214,17 @@ # contain the port number on the firewall that the # request should be redirected to. # -# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", -# a number, or "all". "ipp2p" requires ipp2p match -# support in your kernel and iptables. +# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", +# "ipp2p-udp", "ipp2p-all" a number, or "all". +# "ipp2p*" requires ipp2p match support in your kernel +# and iptables. # # DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # -# If the protocol is ipp2p, this column is interpreted +# If the protocol is ipp2p*, this column is interpreted # as an ipp2p option without the leading "--" (example # "bit" for bit-torrent). If no port is given, "ipp2p" is # assumed. @@ -275,7 +276,7 @@ # # USER/GROUP This column may only be non-empty if the SOURCE is # the firewall itself. -# +# # The column may contain: # # [!][][:][+] @@ -312,7 +313,7 @@ # # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # # PORT PORT(S) DEST LIMIT GROUP -# DNAT net loc:192.168.1.5 tcp 21 +# DNAT net loc:192.168.1.5 tcp 21 # # The substitution rules are as follows: # @@ -328,8 +329,8 @@ # contains PARAM. PARAM may be optionally # followed by a colon and a log level. # -# You may also follow the -# +# You may also follow the +# # Any logging specified when the macro is # invoked is applied to each entry in the macros. # @@ -346,11 +347,11 @@ # macro.FTP File PARAM net loc tcp 21 # rules File FTP/DNAT - 192.168.1.5 # Result DNAT net loc:192.168.1.5 tcp 21 -# +# # Remaining Any value in the rules file REPLACES the value # columns given in the macro file. # -# +# ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP 
diff --git a/Shorewall/rules b/Shorewall/rules index 7a623a94e..5df06e6b6 100755 --- a/Shorewall/rules +++ b/Shorewall/rules @@ -47,17 +47,17 @@ # NEW Packets in the NEW and INVALID states are # processed by rules in this section. # -# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the +# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the # ESTABLISHED and RELATED sections must be empty. # -# Note: If you are not familiar with Netfilter to the point where you are -# comfortable with the differences between the various connection +# Note: If you are not familiar with Netfilter to the point where you are +# comfortable with the differences between the various connection # tracking states, then I suggest that you omit the ESTABLISHED and # RELATED sections and place all of your rules in the NEW section. # # You may omit any section that you don't need. If no Section Headers appear # in the file then all rules are assumed to be in the NEW section. -# +# # Columns are: # # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, @@ -268,16 +268,17 @@ # contain the port number on the firewall that the # request should be redirected to. # -# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", -# a number, or "all". "ipp2p" requires ipp2p match -# support in your kernel and iptables. +# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", +# "ipp2p-udp", "ipp2p-all" a number, or "all". +# "ipp2p*" requires ipp2p match support in your kernel +# and iptables. # # DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # -# If the protocol is ipp2p, this column is interpreted +# If the protocol is ipp2p*, this column is interpreted # as an ipp2p option without the leading "--" (example # "bit" for bit-torrent). If no port is given, "ipp2p" is # assumed. 
@@ -343,7 +344,7 @@ # # See http://shorewall.net/PortKnocking.html for an # example of using an entry in this column with a -# user-defined action rule. +# user-defined action rule. # # RATE LIMIT You may rate-limit the rule by placing a value in # this colume: @@ -360,7 +361,7 @@ # # USER/GROUP This column may only be non-empty if the SOURCE is # the firewall itself. -# +# # The column may contain: # # [!][][:][+] diff --git a/Shorewall/tcrules b/Shorewall/tcrules index 466f1cf8d..5a83816f2 100755 --- a/Shorewall/tcrules +++ b/Shorewall/tcrules @@ -109,15 +109,16 @@ # contain an interface name. # # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", -# a number, or "all". "ipp2p" requires ipp2p match -# support in your kernel and iptables. +# "ipp2p-udp", "ipp2p-all" a number, or "all". +# "ipp2p" requires ipp2p match support in your kernel +# and iptables. # # PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # -# If the protocol is ipp2p, this column is interpreted +# If the protocol is ipp2p*, this column is interpreted # as an ipp2p option without the leading "--" (example # "bit" for bit-torrent). If no PORT is given, "ipp2p" is # assumed.