From 79fead0fae2d96b3d4358fa384736c5cbbd59574 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 4 Oct 2005 18:46:35 +0000 Subject: [PATCH] Add IPP2P UDP support -- Take 3 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2795 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/accounting | 4 +-- Shorewall/changelog.txt | 2 ++ Shorewall/firewall | 59 +++++++++++++++++--------------------- Shorewall/releasenotes.txt | 10 +++++++ Shorewall/rules | 4 +-- Shorewall/tcrules | 4 +-- 6 files changed, 45 insertions(+), 38 deletions(-) diff --git a/Shorewall/accounting b/Shorewall/accounting index 4640c6342..8a3ba3e8e 100755 --- a/Shorewall/accounting +++ b/Shorewall/accounting @@ -47,9 +47,9 @@ # Format the same as the SOURCE column. # # PROTOCOL A protocol name (from /etc/protocols), a protocol -# number, "ipp2p", "ipp2p-udp" or "ipp2p-all" +# number, "ipp2p", "ipp2p:udp" or "ipp2p:all" # -# DEST PORT(S) Destination Port number. If the PROTOCOL is "ipp2p*" +# DEST PORT(S) Destination Port number. If the PROTOCOL is "ipp2p" # then this column must contain an ipp2p option # ("iptables -m ipp2p --help") without the leading # "--". If no option is given in this column, "ipp2p" diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 5a04793e0..4a83c16ee 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -18,6 +18,8 @@ Changes in 2.5.7 9) Do not touch mangle chain during "refresh". +10) Implement support for UDP IPP2P Matching. + Changes in 2.5.6 1) Finish install/fallback cleanup. diff --git a/Shorewall/firewall b/Shorewall/firewall index fd6e30945..08d39d8a0 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall 
@@ -3145,24 +3145,23 @@ process_tc_rule() do_ipp2p() { + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + case $proto in - ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + ipp2p|IPP2P|ipp2p:tcp|IPP2P:TCP) [ "x$port" = "x-" ] && port="ipp2p" r="${r}-p tcp -m ipp2p --${port} " ;; - ipp2p-udp|IPP2P-UDP) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + ipp2p:udp|IPP2P:UDP) [ "x$port" = "x-" ] && port="ipp2p" r="${r}-p udp -m ipp2p --${port} " ;; - ipp2p-both|IPP2P-both) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + ipp2p:all|IPP2P:ALL) [ "x$port" = "x-" ] && port="ipp2p" r="${r}-m ipp2p --${port} " ;; *) - fatal_error "Unknown Protocol $proto. Rule: \"$rule\"" + fatal_error "Invalid IPP2P Protocol ${proto#*:}. Rule: \"$rule\"" ;; esac } @@ -3237,7 +3236,7 @@ process_tc_rule() multiport= case $proto in - ipp2p*|IPP2P*) + ipp2p|IPP2P|ipp2p:*|IPP2P:*) do_ipp2p ;; icmp|ICMP|1) 
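Review bot: The keyword-to-iptables mapping introduced here (`ipp2p:tcp`/`ipp2p:udp`/`ipp2p:all` → `-p tcp`/`-p udp`/no `-p`) is repeated verbatim in four separate nested `do_ipp2p` definitions in this commit (this one for tcrules, then accounting, actions and rules), and the copies have already drifted: the action copy has lost the `|` in its udp pattern. A single top-level helper that maps the PROTO keyword to `tcp`, `udp` or `all` (returning non-zero for anything else) would leave each caller with only its own `r=`/`dports=` assembly and make the next keyword change a one-place edit. Note that the `ipp2p:all` branch emits `-m ipp2p --${port}` with no `-p` at all, so the match is applied to every protocol; if that is intended it is worth a one-line comment such as `# no -p: let the ipp2p match see both TCP and UDP`. The enclosing `process_tc_rule` begins and ends outside this hunk.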
@@ -3551,24 +3550,22 @@ process_accounting_rule() { } do_ipp2p() { + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support" case $proto in - ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support" + ipp2p|IPP2P|ipp2p:tcp|IPP2P:TCP) rule="$rule -p tcp -m ipp2p --${port:-ipp2p}" port= ;; - ipp2p-udp|IPP2P-udp) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support" + ipp2p:udp|IPP2P:UDP) rule="$rule -p udp -m ipp2p --${port:-ipp2p}" port= ;; - ipp2p-all|IPP2P-all) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support" + ipp2p:all|IPP2P:ALL) rule="$rule -m ipp2p --${port:-ipp2p}" port= ;; *) - fatal_error "Unknown Protocol $proto" + fatal_error "Invalid IPP2P Protocol ${proto#*:}" ;; esac } @@ -3610,7 +3607,7 @@ process_accounting_rule() { [ -n "$proto" ] && case $proto in -|any|all) ;; - ipp2p*|IPP2P*) + ipp2p|IPP2P|ipp2p:*|IPP2P:*) do_ipp2p ;; *) 
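Review bot: The `fatal_error "Invalid IPP2P Protocol ${proto#*:}"` in this copy of `do_ipp2p` reports only the bad suffix and nothing that identifies which accounting entry failed, whereas the tcrules, action and rules variants in this same commit append `Rule: \"$rule\"`. That suffix is not available here because in this function `$rule` is the iptables fragment being assembled (`rule="$rule -p tcp -m ipp2p ..."`), not the configuration line, so the caller's raw accounting line (held outside this hunk, presumably) is what should be appended to both error messages. As written, a typo such as `ipp2p:upd` in a large accounting file aborts the compile with no pointer to the offending line. `process_accounting_rule` continues outside the hunk.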
@@ -3960,31 +3957,30 @@ add_an_action() } do_ipp2p() { + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + case $proto in - ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + ipp2p|IPP2P|ipp2p:tcp|IPP2P:TCP) dports="-m ipp2p --${port:-ipp2p}" port= proto=tcp do_ports ;; - ipp2p-udpIPP2P-udp) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + ipp2p:udpIPP2P:UDP) dports="-m ipp2p --${port:-ipp2p}" port= proto=udp do_ports ;; - ipp2p-all|IPP2P-all) + ipp2p:all|IPP2P:ALL) [ -n "$port" ] && \ fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" dports="-m ipp2p --${port:-ipp2p}" port= proto=all ;; *) - fatal_error "Unknown protocol $proto. Rule: \"$rule\"" + fatal_error "Invalid IPP2P protocol ${proto#*:}. Rule: \"$rule\"" ;; esac } @@ -4060,7 +4056,7 @@ add_an_action() icmp|ICMP|1) [ -n "$port" ] && dports="--icmp-type $port" ;; - ipp2p*|IPP2P*) + ipp2p|IPP2P|ipp2p:*|IPP2P:*) do_ipp2p ;; *) 
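Review bot: The udp pattern in this copy of `do_ipp2p` is missing its alternation bar: `ipp2p:udpIPP2P:UDP)` matches only the literal string "ipp2p:udpIPP2P:UDP", so a real `ipp2p:udp` entry in an action file falls through to `*)` and aborts with "Invalid IPP2P protocol udp", making the feature this commit adds unusable in actions. The defect is inherited from the old `ipp2p-udpIPP2P-udp)` line and the rename preserved it; the fix is `ipp2p:udp|IPP2P:UDP)`. It fails closed (the compile stops rather than producing a wrong rule), but it is exactly the kind of drift that four hand-maintained copies of the same `case` invite. `add_an_action` starts and ends outside the hunk.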
@@ -5302,31 +5298,30 @@ process_rule() # $1 = target } do_ipp2p() { + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + case $proto in - ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + ipp2p|IPP2P|ipp2p:tcp|IPP2P:TCP) dports="-m ipp2p --${port:-ipp2p}" port= proto=tcp do_ports ;; - ipp2p-udp|IPP2P-UDP) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + ipp2p:udp|IPP2P:UDP) dports="-m ipp2p --${port:-ipp2p}" port= proto=udp do_ports ;; - ipp2p-all|IPP2P-ALL) + ipp2p:all|IPP2P:ALL) [ -n "$port" ] && \ fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" dports="-m ipp2p --${port:-ipp2p}" port= proto=all ;; *) - fatal_error "Unknown protocol $proto. Rule: \"$rule\"" + fatal_error "Invalid IPP2P protocol ${proto#*:}. Rule: \"$rule\"" ;; esac } @@ -5412,7 +5407,7 @@ process_rule() # $1 = target fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\"" proto= ;; - ipp2p*|IPP2P*) + ipp2p|IPP2P|ipp2p:*|IPP2P:*) do_ipp2p ;; *) diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index f2e099b72..5b0f607a1 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
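Review bot: In the `ipp2p:all` branch the guard `[ -n "$port" ] && fatal_error "Port number not allowed ..."` rejects any value in `$port`, yet the next line defaults it with `--${port:-ipp2p}`; since the tcp and udp branches read the ipp2p option name (e.g. `bit`) from that same variable, `ipp2p:all` can never be combined with a specific ipp2p option and the `${port:-ipp2p}` default is the only reachable value. The release note added by this commit says only a SOURCE PORT may not be given with `ipp2p:all`, which does not match what the code checks if `$port` is the DEST PORT column as the other branches treat it; either the check should target the source-port variable (not visible in this hunk) or the note should say that an ipp2p option cannot be specified with `ipp2p:all`. The same branch also sets `proto=all` without calling `do_ports` as the tcp/udp branches do, which is presumably deliberate but deserves a comment. `process_rule` starts and ends outside the hunk.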
@@ -39,6 +39,16 @@ New Features in 2.5.7: in shorewall.conf. This is done to ensure that "shorewall refresh" will work correctly. +6) Shorewall now supports UDP IPP2P matching. In addition to the "ipp2p" + keyword in the PROTOCOL column of the relevant files, the following + values may be specified: + + ipp2p:tcp Equivalent to ipp2p and matches TCP traffic + only. + ipp2p:udp Matches UDP traffic. + ipp2p:all Matches both UDP and TCP traffic. You may + not specify a SOURCE PORT with this PROTOCOL. + Migration Considerations: 1) The "monitor" command has been eliminated. diff --git a/Shorewall/rules b/Shorewall/rules index 5df06e6b6..491a5642d 100755 --- a/Shorewall/rules +++ b/Shorewall/rules @@ -269,7 +269,7 @@ # request should be redirected to. # # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", -# "ipp2p-udp", "ipp2p-all" a number, or "all". +# "ipp2p:udp", "ipp2p:all" a number, or "all". # "ipp2p*" requires ipp2p match support in your kernel # and iptables. # @@ -278,7 +278,7 @@ # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # -# If the protocol is ipp2p*, this column is interpreted +# If the protocol is ipp2p, this column is interpreted # as an ipp2p option without the leading "--" (example # "bit" for bit-torrent). If no port is given, "ipp2p" is # assumed. diff --git a/Shorewall/tcrules b/Shorewall/tcrules index 5a83816f2..3448678bf 100755 --- a/Shorewall/tcrules +++ b/Shorewall/tcrules @@ -109,7 +109,7 @@ # contain an interface name. # # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", -# "ipp2p-udp", "ipp2p-all" a number, or "all". +# "ipp2p:udp", "ipp2p:all" a number, or "all". # "ipp2p" requires ipp2p match support in your kernel # and iptables. # 
@@ -118,7 +118,7 @@ # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # -# If the protocol is ipp2p*, this column is interpreted +# If the protocol is ipp2p, this column is interpreted # as an ipp2p option without the leading "--" (example # "bit" for bit-torrent). If no PORT is given, "ipp2p" is # assumed.