Finish up ipset extensions.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2014-01-03 09:23:14 -08:00
parent 1771bb75cf
commit 78ecf9bdc8
9 changed files with 116 additions and 56 deletions


@ -5474,18 +5474,15 @@ sub get_set_flags( $$ ) {
my %typemap = ( src => 'Source', dst => 'Destination' );
if ( $config{IPSET_WARNINGS} ) {
for ( @options ) {
warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
warning_message( "The '$options[0]' ipset flag is used in a $option column" ), unless $options[0] eq $option;
}
}
}
if ( $rest ) {
my @extensions = split_list($rest, 'ipset option');
for ( @extensions ) {
my ($extension, $relop, $value) = split /(!=|=|<|>)/, $_;
my ($extension, $relop, $value) = split /(<>|=|<|>)/, $_;
my $match = $ipset_extensions{$extension};
@ -5505,15 +5502,14 @@ sub get_set_flags( $$ ) {
fatal_error "Invalid number ($value)" unless defined ( $val = numeric_value($value) );
$extension = "--$extension";
if ( $relop =~ s/!// ) {
$extension = join( ' ', '!', $extension );
}
if ( $relop eq '<' ) {
$extension .= '-lt';
} elsif ( $relop eq '>' ) {
$extension .= '-gt';
} elsif ( $relop eq '=' ) {
$extension .= '-eq';
} else {
$extension = join( ' ', '!', $extension );
$extension .= '-eq';
}
@ -5678,7 +5674,7 @@ sub match_source_net( $;$\$ ) {
fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
for $net ( @sets ) {
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/;
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
$result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'src' ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@ -5747,7 +5743,7 @@ sub imatch_source_net( $;$\$ ) {
return do_imac $net;
}
if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/ ) {
if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/ ) {
my @result = ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@ -5767,7 +5763,7 @@ sub imatch_source_net( $;$\$ ) {
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
for $net ( @sets ) {
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/;
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@ -5832,7 +5828,7 @@ sub match_dest_net( $;$ ) {
return iprange_match . "${invert}--dst-range $net ";
}
if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/ ) {
if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/ ) {
my $result = join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@ -5852,9 +5848,8 @@ sub match_dest_net( $;$ ) {
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
for $net ( @sets ) {
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/;
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
$result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) );
}
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@ -5863,6 +5858,7 @@ sub match_dest_net( $;$ ) {
$result .= do_nfacct( $_ );
}
}
}
return $result;
}
@ -5916,7 +5912,7 @@ sub imatch_dest_net( $;$ ) {
return ( iprange => "${invert}--dst-range $net" );
}
if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/ ) {
if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/ ) {
my @result = ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@ -5936,7 +5932,7 @@ sub imatch_dest_net( $;$ ) {
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
for $net ( @sets ) {
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/;
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
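Review bot: The rewritten operator parse at `my ($extension, $relop, $value) = split /(<>|=|<|>)/, $_;` places no limit on split, so an extension such as `packets=1=2` yields four fields and the trailing `=2` is silently dropped instead of being rejected. Giving split a limit, `my ($extension, $relop, $value) = split /(<>|=|<|>)/, $_, 2;`, keeps the remainder in `$value` so the existing `numeric_value` check reports it as an invalid number. The same line leaves `$relop` undefined when no operator is written at all, and the if/elsif chain in the second hunk then falls through to the `else` branch that emits the negated `-eq` form; this is probably caught first by the `numeric_value` check on the undefined `$value`, but the message it produces is "Invalid number ()", so an explicit check that `$relop` is defined, with a message naming the extension, would be clearer. get_set_flags starts before and ends after the visible hunks, so I cannot see whether the elided lines already cover this.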


@ -55,7 +55,8 @@
<option>dst</option>. Example: myset[src,dst].</member>
</simplelist>
<para>In a SOURCE column, the following pairs are equivalent:</para>
<para>In a SOURCE or SOURCE PORT(S) column, the following pairs are
equivalent:</para>
<itemizedlist>
<listitem>
@ -63,7 +64,8 @@
</listitem>
</itemizedlist>
<para>In a DEST column, the following pairs are equivalent:</para>
<para>In a DEST or DEST PORT(S) column, the following pairs are
equivalent:</para>
<itemizedlist>
<listitem>
@ -102,7 +104,7 @@
<term>nomatch</term>
<listitem>
<para> If the set type supports the nomatch flag, then the matching
<para>If the set type supports the nomatch flag, then the matching
is reversed: a match with an element flagged with nomatch returns
true, while a match with a plain element returns false. This option
requires the 'Ipset Match nomatch' capability in your kernel and
@ -137,7 +139,7 @@
<listitem>
<para>If the packet is matched an element in the set, match only if
the packet counter of the element matches the given
<replaceable>value</replaceable> too.</para>
<replaceable>value</replaceable> also.</para>
</listitem>
</varlistentry>
@ -167,7 +169,7 @@
<listitem>
<para>If the packet is matched an element in the set, match only if
the packet counter of the element does not match the given
<replaceable>value</replaceable> too.</para>
<replaceable>value</replaceable> also.</para>
</listitem>
</varlistentry>
@ -177,7 +179,7 @@
<listitem>
<para>If the packet is matched an element in the set, match only if
the byte counter of the element matches the given
<replaceable>value</replaceable> too.</para>
<replaceable>value</replaceable> also.</para>
</listitem>
</varlistentry>
@ -202,12 +204,12 @@
</varlistentry>
<varlistentry>
<term>bytes!=<replaceable>value</replaceable></term>
<term>bytes&lt;&gt;<replaceable>value</replaceable></term>
<listitem>
<para>If the packet is matched an element in the set, match only if
the byte counter of the element does not match the given
<replaceable>value</replaceable> too.</para>
<replaceable>value</replaceable> also.</para>
</listitem>
</varlistentry>
</variablelist>
@ -240,7 +242,7 @@
<para>/etc/shorewall/accounting</para>
<para>/etc/shorewall/blacklist</para>
<para>/etc/shorewall/blrules</para>
<para>/etc/shorewall/hosts -- <emphasis role="bold">Note:</emphasis>
Multiple matches enclosed in +[...] may not be used in this file.</para>


@ -772,9 +772,9 @@ Normal-Service =&gt; 0x00</programlisting>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - {<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>Optional destination Ports. A comma-separated list of Port
@ -795,14 +795,19 @@ Normal-Service =&gt; 0x00</programlisting>
<para>An entry in this field requires that the PROTO column specify
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
any of the following field is supplied.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
[<emphasis
{<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>Optional source port(s). If omitted, any source port is
@ -819,6 +824,11 @@ Normal-Service =&gt; 0x00</programlisting>
destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>


@ -233,7 +233,7 @@
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]}</term>
role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>If you wish to restrict this entry to a particular protocol
@ -242,12 +242,17 @@
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
[[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...]</term>
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
@ -257,6 +262,11 @@
<para>Port ranges are of the form
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>


@ -1070,7 +1070,7 @@
<term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
{<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>Optional destination Ports. A comma-separated list of Port
@ -1106,6 +1106,11 @@
<para>2. No port ranges are included or your kernel and iptables
contain extended multi-port match support.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
@ -1113,7 +1118,7 @@
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
{<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>Optional port(s) used by the client. If omitted, any source
@ -1146,6 +1151,11 @@
<para>2. No port ranges are included or your kernel and iptables
contain extended multi-port match support.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>


@ -392,7 +392,8 @@
</varlistentry>
<varlistentry>
<term>DEST PORT(S) (dport) - port-number/service-name-list</term>
<term>DEST PORT(S) (dport) -
{-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>A comma-separated list of port numbers and/or service names
@ -400,11 +401,16 @@
ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
in this column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>
<term>SOURCE PORT(S) (sport) -
{-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>A comma-separated list of port numbers and/or service names
@ -418,6 +424,10 @@
causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in
DEST PORTS(S).</para>
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
in this column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>


@ -54,7 +54,8 @@
<option>dst</option>. Example: myset[src,dst].</member>
</simplelist>
<para>In a SOURCE column, the following pairs are equivalent:</para>
<para>In a SOURCE or SOURCE PORT(S) column, the following pairs are
equivalent:</para>
<itemizedlist>
<listitem>
@ -62,7 +63,8 @@
</listitem>
</itemizedlist>
<para>In a DEST column, the following pairs are equivalent:</para>
<para>In a DEST or DEST PORT(S) column, the following pairs are
equivalent:</para>
<itemizedlist>
<listitem>
@ -136,7 +138,7 @@
<listitem>
<para>If the packet is matched an element in the set, match only if
the packet counter of the element matches the given
<replaceable>value</replaceable> too.</para>
<replaceable>value</replaceable> also.</para>
</listitem>
</varlistentry>
@ -166,7 +168,7 @@
<listitem>
<para>If the packet is matched an element in the set, match only if
the packet counter of the element does not match the given
<replaceable>value</replaceable> too.</para>
<replaceable>value</replaceable> also.</para>
</listitem>
</varlistentry>
@ -176,7 +178,7 @@
<listitem>
<para>If the packet is matched an element in the set, match only if
the byte counter of the element matches the given
<replaceable>value</replaceable> too.</para>
<replaceable>value</replaceable> also.</para>
</listitem>
</varlistentry>
@ -201,12 +203,12 @@
</varlistentry>
<varlistentry>
<term>bytes!=<replaceable>value</replaceable></term>
<term>bytes&lt;&gt;<replaceable>value</replaceable></term>
<listitem>
<para>If the packet is matched an element in the set, match only if
the byte counter of the element does not match the given
<replaceable>value</replaceable> too.</para>
<replaceable>value</replaceable> also.</para>
</listitem>
</varlistentry>
</variablelist>
@ -233,7 +235,7 @@
<para>/etc/shorewall6/accounting</para>
<para>/etc/shorewall6/blacklist</para>
<para>/etc/shorewall6/blrules</para>
<para>/etc/shorewall6/hosts -- <emphasis role="bold">Note:</emphasis>
Multiple matches enclosed in +[...] may not be used in this file.</para>
@ -245,7 +247,7 @@
<para>/etc/shorewall6/secmarks</para>
<para>/etc/shorewall6/tcrules</para>
<para>/etc/shorewall6/mangle</para>
</refsect1>
<refsect1>


@ -185,7 +185,7 @@
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]}</term>
role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>If you wish to restrict this entry to a particular protocol
@ -194,12 +194,17 @@
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
[[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...]</term>
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
@ -209,6 +214,11 @@
<para>Port ranges are of the form
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>


@ -1015,7 +1015,7 @@
<term><emphasis role="bold">DEST PORT(S) </emphasis>(dport) -
{<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>Optional destination Ports. A comma-separated list of Port
@ -1044,13 +1044,19 @@
role="bold">-</emphasis>).</para>
<para>If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and the
<emphasis role="bold">CLIENT PORT(S)</emphasis> list below:</para>
single Netfilter rule will be generated in this list and the
<emphasis role="bold">CLIENT PORT(S)</emphasis> list below
if:</para>
<para>1. There are 15 or less ports listed.</para>
<para>2. No port ranges are included or your kernel and ip6tables
contain extended multi-port match support.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
@ -1058,7 +1064,7 @@
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
{<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>Optional source port(s). If omitted, any source port is
@ -1090,6 +1096,10 @@
<para>2. No port ranges are included or your kernel and ip6tables
contain extended multi-port match support.</para>
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
in this column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>