diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index a4248e630..0e07f37f5 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -5474,18 +5474,15 @@ sub get_set_flags( $$ ) {
my %typemap = ( src => 'Source', dst => 'Destination' );
if ( $config{IPSET_WARNINGS} ) {
- for ( @options ) {
- warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
- }
+ warning_message( "The '$options[0]' ipset flag is used in a $option column" ), unless $options[0] eq $option;
}
-
}
if ( $rest ) {
my @extensions = split_list($rest, 'ipset option');
for ( @extensions ) {
- my ($extension, $relop, $value) = split /(!=|=|<|>)/, $_;
+ my ($extension, $relop, $value) = split /(<>|=|<|>)/, $_;
my $match = $ipset_extensions{$extension};
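Review bot: The rewritten warning on the `+` line checks only `$options[0]`, so a spec such as `myset[src,dst]` in a src column no longer warns about the trailing `dst` flag, whereas the removed loop flagged the first mismatching flag in any position; if the intent is that only the leading flag must agree with the column, a one-line comment saying so would stop the next reader from reinstating the loop. The message now interpolates the raw `$option` (`src`/`dst`) where the old line used `$typemap{$option}` (`Source`/`Destination`), which leaves `%typemap` on the context line above unreferenced within this hunk — `"The '$options[0]' ipset flag is used in a $typemap{$option} column"` is probably what was meant. The comma before `unless` is a remnant of the removed `, last unless` form; Perl tolerates the trailing comma, but `warning_message( ... ) unless $options[0] eq $option;` is cleaner. The split pattern on the last `+` line drops `!=` in favour of `<>`, so existing entries like `packets!=5` will now split at `=` and reach the extension lookup with the name `packets!`, which looks like a silent compatibility break worth calling out in the release notes. get_set_flags begins and ends outside this hunk.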
@@ -5505,15 +5502,14 @@ sub get_set_flags( $$ ) {
fatal_error "Invalid number ($value)" unless defined ( $val = numeric_value($value) );
$extension = "--$extension";
- if ( $relop =~ s/!// ) {
- $extension = join( ' ', '!', $extension );
- }
-
if ( $relop eq '<' ) {
$extension .= '-lt';
} elsif ( $relop eq '>' ) {
$extension .= '-gt';
+ } elsif ( $relop eq '=' ) {
+ $extension .= '-eq';
} else {
+ $extension = join( ' ', '!', $extension );
$extension .= '-eq';
}
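Review bot: The trailing `else` at the bottom of the hunk now treats every relop that is not `<`, `>` or `=` as negated equality; with the current split pattern only `<>` can reach it, but the branch stays silent if that pattern is ever extended, so an explicit `} elsif ( $relop eq '<>' ) {` followed by `} else { fatal_error "Invalid relational operator ($relop)"; }` keeps any future mismatch visible rather than quietly emitting `! --<ext>-eq`. Placing the `!` before the option (`! --packets-eq N`) is the iptables form for negating a match option, so the generated text itself looks right. get_set_flags continues outside this hunk.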
@@ -5678,7 +5674,7 @@ sub match_source_net( $;$\$ ) {
fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
for $net ( @sets ) {
- fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/;
+ fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
$result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'src' ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
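Review bot: Moving `(?:\[.*\])?` inside the name capture means `$2` is now always defined when get_set_flags is called, but the identical pattern is repeated verbatim in six places across match_source_net, imatch_source_net, match_dest_net and imatch_dest_net (this hunk and the ones that follow), which is exactly why the same defect had to be corrected six times here; a single file-level `my $ipset_re = qr/^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;` used at every site would stop them drifting apart again. `\[.*\]` also accepts any characters between the brackets, including whitespace and further `]`, so the flag validation inside get_set_flags is what actually constrains that text — presumably it rejects unknown flags, but a comment at the regex noting that dependence would help. match_source_net starts and ends outside this hunk.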
@@ -5747,7 +5743,7 @@ sub imatch_source_net( $;$\$ ) {
return do_imac $net;
}
- if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/ ) {
+ if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/ ) {
my @result = ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@@ -5767,7 +5763,7 @@ sub imatch_source_net( $;$\$ ) {
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
for $net ( @sets ) {
- fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/;
+ fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@@ -5832,7 +5828,7 @@ sub match_dest_net( $;$ ) {
return iprange_match . "${invert}--dst-range $net ";
}
- if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/ ) {
+ if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/ ) {
my $result = join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@@ -5852,15 +5848,15 @@ sub match_dest_net( $;$ ) {
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
for $net ( @sets ) {
- fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/;
+ fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
$result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) );
- }
- if ( $3 ) {
- require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
- for ( my @objects = split_list $3, 'nfacct' ) {
- validate_nfobject( $_ );
- $result .= do_nfacct( $_ );
+ if ( $3 ) {
+ require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
+ for ( my @objects = split_list $3, 'nfacct' ) {
+ validate_nfobject( $_ );
+ $result .= do_nfacct( $_ );
+ }
}
}
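Review bot: Pulling the nfacct block inside the `for` loop fixes the old use of `$3` after the loop, where it only ever held the last set's capture and dropped the nfacct objects of every earlier set, but the loop body still reads `$3` after `get_set_flags( $2, 'dst' )` has performed its own pattern matches; Perl restores the caller's capture variables on return from a sub, so this works, yet it is the same kind of subtlety that produced the original bug. Copying the captures to lexicals immediately after the match — `my ( $invert, $set, $objects ) = ( $1, $2, $3 );` — and using those in the two statements that follow makes the dependency explicit and survives any later refactor that adds a match between them. match_dest_net begins and ends outside this hunk.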
@@ -5916,7 +5912,7 @@ sub imatch_dest_net( $;$ ) {
return ( iprange => "${invert}--dst-range $net" );
}
- if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/ ) {
+ if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/ ) {
my @result = ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@@ -5936,7 +5932,7 @@ sub imatch_dest_net( $;$ ) {
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
for $net ( @sets ) {
- fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/;
+ fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
diff --git a/Shorewall/manpages/shorewall-ipsets.xml b/Shorewall/manpages/shorewall-ipsets.xml
index 2c3b0eac0..389363245 100644
--- a/Shorewall/manpages/shorewall-ipsets.xml
+++ b/Shorewall/manpages/shorewall-ipsets.xml
@@ -55,7 +55,8 @@
. Example: myset[src,dst].
- In a SOURCE column, the following pairs are equivalent:
+ In a SOURCE or SOURCE PORT(S) column, the following pairs are
+ equivalent:
@@ -63,7 +64,8 @@
- In a DEST column, the following pairs are equivalent:
+ In a DEST or DEST PORT(S) column, the following pairs are
+ equivalent:
@@ -102,7 +104,7 @@
nomatch
- If the set type supports the nomatch flag, then the matching
+ If the set type supports the nomatch flag, then the matching
is reversed: a match with an element flagged with nomatch returns
true, while a match with a plain element returns false. This option
requires the 'Ipset Match nomatch' capability in your kernel and
@@ -137,7 +139,7 @@
If the packet is matched an element in the set, match only if
the packet counter of the element matches the given
- value too.
+ value also.
@@ -167,7 +169,7 @@
If the packet is matched an element in the set, match only if
the packet counter of the element does not match the given
- value too.
+ value also.
@@ -177,7 +179,7 @@
If the packet is matched an element in the set, match only if
the byte counter of the element matches the given
- value too.
+ value also.
@@ -202,12 +204,12 @@
- bytes!=value
+ bytes<>valueIf the packet is matched an element in the set, match only if
the byte counter of the element does not match the given
- value too.
+ value also.
@@ -240,7 +242,7 @@
/etc/shorewall/accounting
- /etc/shorewall/blacklist
+ /etc/shorewall/blrules/etc/shorewall/hosts -- Note:
Multiple matches enclosed in +[...] may not be used in this file.
diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml
index e88b3db75..92df7d0b2 100644
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -772,9 +772,9 @@ Normal-Service => 0x00
- PORT(S) (dport) - [PORT(S) (dport) - {-|port-name-number-or-range[,port-name-number-or-range]...]
+ role="bold">,port-name-number-or-range]...|+ipset}
Optional destination Ports. A comma-separated list of Port
@@ -795,14 +795,19 @@ Normal-Service => 0x00
An entry in this field requires that the PROTO column specify
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
any of the following field is supplied.
+
+ Beginning with Shorewall 4.6.0, an
+ ipset name can be specified in this
+ column. This is intended to be used with
+ bitmap:port ipsets.SOURCE PORT(S) (sport) -
- [-|port-name-number-or-range[,port-name-number-or-range]...]
+ role="bold">,port-name-number-or-range]...|+ipset}
Optional source port(s). If omitted, any source port is
@@ -819,6 +824,11 @@ Normal-Service => 0x00
destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.
+
+ Beginning with Shorewall 4.6.0, an
+ ipset name can be specified in this
+ column. This is intended to be used with
+ bitmap:port ipsets.
diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml
index 7c4812018..ac884e4de 100644
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -233,7 +233,7 @@
PROTO (Optional) - {-|[!]{protocol-name|protocol-number}[,...]}
+ role="bold">-|[!]{protocol-name|protocol-number}[,...]|+ipset}
If you wish to restrict this entry to a particular protocol
@@ -242,12 +242,17 @@
Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.
+
+ Beginning with Shorewall 4.6.0, an
+ ipset name can be specified in this
+ column. This is intended to be used with
+ bitmap:port ipsets.PORT(S) (Optional) -
- [[!]port-name-or-number[,port-name-or-number]...]
+ {-|[!]port-name-or-number[,port-name-or-number]...|+ipset}
If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
@@ -257,6 +262,11 @@
Port ranges are of the form
lowport:highport.
+
+ Beginning with Shorewall 4.6.0, an
+ ipset name can be specified in this
+ column. This is intended to be used with
+ bitmap:port ipsets.
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 88b4df638..79b239585 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -1070,7 +1070,7 @@
DEST PORT(S) (dport) -
{-|port-name-number-or-range[,port-name-number-or-range]...}
+ role="bold">,port-name-number-or-range]...|+ipset}
Optional destination Ports. A comma-separated list of Port
@@ -1106,6 +1106,11 @@
2. No port ranges are included or your kernel and iptables
contain extended multi-port match support.
+
+ Beginning with Shorewall 4.6.0, an
+ ipset name can be specified in this
+ column. This is intended to be used with
+ bitmap:port ipsets.
@@ -1113,7 +1118,7 @@
SOURCE PORT(S) (sport) -
{-|port-name-number-or-range[,port-name-number-or-range]...}
+ role="bold">,port-name-number-or-range]...|+ipset}
Optional port(s) used by the client. If omitted, any source
@@ -1146,6 +1151,11 @@
2. No port ranges are included or your kernel and iptables
contain extended multi-port match support.
+
+ Beginning with Shorewall 4.6.0, an
+ ipset name can be specified in this
+ column. This is intended to be used with
+ bitmap:port ipsets.
diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml
index 12184f741..e685742cd 100644
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -392,7 +392,8 @@
- DEST PORT(S) (dport) - port-number/service-name-list
+ DEST PORT(S) (dport) -
+ {-|port-number/service-name-list|+ipset}A comma-separated list of port numbers and/or service names
@@ -400,11 +401,16 @@
ranges of the form
low-port:high-port
if your kernel and iptables include port range support.
+
+ Beginning with Shorewall 4.6.0, an ipset name can be specified
+ in this column. This is intended to be used with
+ bitmap:port ipsets.
- SOURCE PORT(S) (sport) - port-number/service-name-list
+ SOURCE PORT(S) (sport) -
+ {-|port-number/service-name-list|+ipset}A comma-separated list of port numbers and/or service names
@@ -418,6 +424,10 @@
causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in
DEST PORTS(S).
+
+ Beginning with Shorewall 4.6.0, an ipset name can be specified
+ in this column. This is intended to be used with
+ bitmap:port ipsets.
diff --git a/Shorewall6/manpages/shorewall6-ipsets.xml b/Shorewall6/manpages/shorewall6-ipsets.xml
index 48342b67f..e1132a8f0 100644
--- a/Shorewall6/manpages/shorewall6-ipsets.xml
+++ b/Shorewall6/manpages/shorewall6-ipsets.xml
@@ -54,7 +54,8 @@
. Example: myset[src,dst].
- In a SOURCE column, the following pairs are equivalent:
+ In a SOURCE or SOURCE PORT(S) column, the following pairs are
+ equivalent:
@@ -62,7 +63,8 @@
- In a DEST column, the following pairs are equivalent:
+ In a DEST or DEST PORT(S) column, the following pairs are
+ equivalent:
@@ -136,7 +138,7 @@
If the packet is matched an element in the set, match only if
the packet counter of the element matches the given
- value too.
+ value also.
@@ -166,7 +168,7 @@
If the packet is matched an element in the set, match only if
the packet counter of the element does not match the given
- value too.
+ value also.
@@ -176,7 +178,7 @@
If the packet is matched an element in the set, match only if
the byte counter of the element matches the given
- value too.
+ value also.
@@ -201,12 +203,12 @@
- bytes!=value
+ bytes<>valueIf the packet is matched an element in the set, match only if
the byte counter of the element does not match the given
- value too.
+ value also.
@@ -233,7 +235,7 @@
/etc/shorewall6/accounting
- /etc/shorewall6/blacklist
+ /etc/shorewall6/blrules/etc/shorewall6/hosts -- Note:
Multiple matches enclosed in +[...] may not be used in this file.
@@ -245,7 +247,7 @@
/etc/shorewall6/secmarks
- /etc/shorewall6/tcrules
+ /etc/shorewall6/mangle
diff --git a/Shorewall6/manpages/shorewall6-masq.xml b/Shorewall6/manpages/shorewall6-masq.xml
index d9152b9fd..284b9448b 100644
--- a/Shorewall6/manpages/shorewall6-masq.xml
+++ b/Shorewall6/manpages/shorewall6-masq.xml
@@ -185,7 +185,7 @@
PROTO (Optional) - {-|[!]{protocol-name|protocol-number}[,...]}
+ role="bold">-|[!]{protocol-name|protocol-number}[,...]|+ipset}
If you wish to restrict this entry to a particular protocol
@@ -194,12 +194,17 @@
Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.
+
+ Beginning with Shorewall 4.6.0, an
+ ipset name can be specified in this
+ column. This is intended to be used with
+ bitmap:port ipsets.PORT(S) (Optional) -
- [[!]port-name-or-number[,port-name-or-number]...]
+ {-|[!]port-name-or-number[,port-name-or-number]...|+ipset}
If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
@@ -209,6 +214,11 @@
Port ranges are of the form
lowport:highport.
+
+ Beginning with Shorewall 4.6.0, an
+ ipset name can be specified in this
+ column. This is intended to be used with
+ bitmap:port ipsets.
diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml
index a3f57c01e..8782d6c05 100644
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -1015,7 +1015,7 @@
DEST PORT(S) (dport) -
{-|port-name-number-or-range[,port-name-number-or-range]...}
+ role="bold">,port-name-number-or-range]...|+ipset}
Optional destination Ports. A comma-separated list of Port
@@ -1044,13 +1044,19 @@
role="bold">-).If your kernel contains multi-port match support, then only a
- single Netfilter rule will be generated if in this list and the
- CLIENT PORT(S) list below:
+ single Netfilter rule will be generated in this list and the
+ CLIENT PORT(S) list below
+ if:
1. There are 15 or less ports listed.2. No port ranges are included or your kernel and ip6tables
contain extended multi-port match support.
+
+ Beginning with Shorewall 4.6.0, an
+ ipset name can be specified in this
+ column. This is intended to be used with
+ bitmap:port ipsets.
@@ -1058,7 +1064,7 @@
SOURCE PORT(S) (sport) -
{-|port-name-number-or-range[,port-name-number-or-range]...}
+ role="bold">,port-name-number-or-range]...|+ipset}
Optional source port(s). If omitted, any source port is
@@ -1090,6 +1096,10 @@
2. No port ranges are included or your kernel and ip6tables
contain extended multi-port match support.
+
+ Beginning with Shorewall 4.6.0, an ipset name can be specified
+ in this column. This is intended to be used with
+ bitmap:port ipsets.