extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-11 08:08:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add IPP2P UDP support -- Take 3

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2795 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-10-04 18:46:35 +00:00
parent 8fe0a32fd3
commit 79fead0fae
6 changed files with 45 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/accounting
View File

@ -47,9 +47,9 @@
# Format the same as the SOURCE column. # Format the same as the SOURCE column.
# #
# PROTOCOL A protocol name (from /etc/protocols), a protocol # PROTOCOL A protocol name (from /etc/protocols), a protocol
# number, "ipp2p", "ipp2p-udp" or "ipp2p-all" # number, "ipp2p", "ipp2p:udp" or "ipp2p:all"
# #
# DEST PORT(S) Destination Port number. If the PROTOCOL is "ipp2p*" # DEST PORT(S) Destination Port number. If the PROTOCOL is "ipp2p"
# then this column must contain an ipp2p option # then this column must contain an ipp2p option
# ("iptables -m ipp2p --help") without the leading # ("iptables -m ipp2p --help") without the leading
# "--". If no option is given in this column, "ipp2p" # "--". If no option is given in this column, "ipp2p"

2
Shorewall/changelog.txt
View File

@ -18,6 +18,8 @@ Changes in 2.5.7
9) Do not touch mangle chain during "refresh". 9) Do not touch mangle chain during "refresh".
10) Implement support for UDP IPP2P Matching.
Changes in 2.5.6 Changes in 2.5.6
1) Finish install/fallback cleanup. 1) Finish install/fallback cleanup.

59
Shorewall/firewall
View File

@ -3145,24 +3145,23 @@ process_tc_rule()
do_ipp2p() do_ipp2p()
{ {
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
case $proto in case $proto in
ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) ipp2p|IPP2P|ipp2p:tcp|IPP2P:TCP)
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
[ "x$port" = "x-" ] && port="ipp2p" [ "x$port" = "x-" ] && port="ipp2p"
r="${r}-p tcp -m ipp2p --${port} " r="${r}-p tcp -m ipp2p --${port} "
;; ;;
ipp2p-udp|IPP2P-UDP) ipp2p:udp|IPP2P:UDP)
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
[ "x$port" = "x-" ] && port="ipp2p" [ "x$port" = "x-" ] && port="ipp2p"
r="${r}-p udp -m ipp2p --${port} " r="${r}-p udp -m ipp2p --${port} "
;; ;;
ipp2p-both|IPP2P-both) ipp2p:all|IPP2P:ALL)
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
[ "x$port" = "x-" ] && port="ipp2p" [ "x$port" = "x-" ] && port="ipp2p"
r="${r}-m ipp2p --${port} " r="${r}-m ipp2p --${port} "
;; ;;
*) *)
fatal_error "Unknown Protocol $proto. Rule: \"$rule\"" fatal_error "Invalid IPP2P Protocol ${proto#*:}. Rule: \"$rule\""
;; ;;
esac esac
} }
@ -3237,7 +3236,7 @@ process_tc_rule()
multiport= multiport=
case $proto in case $proto in
ipp2p*|IPP2P*) ipp2p|IPP2P|ipp2p:*|IPP2P:*)
do_ipp2p do_ipp2p
;; ;;
icmp|ICMP|1) icmp|ICMP|1)
@ -3551,24 +3550,22 @@ process_accounting_rule() {
} }
do_ipp2p() { do_ipp2p() {
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support"
case $proto in case $proto in
ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) ipp2p|IPP2P|ipp2p:tcp|IPP2P:TCP)
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support"
rule="$rule -p tcp -m ipp2p --${port:-ipp2p}" rule="$rule -p tcp -m ipp2p --${port:-ipp2p}"
port= port=
;; ;;
ipp2p-udp|IPP2P-udp) ipp2p:udp|IPP2P:UDP)
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support"
rule="$rule -p udp -m ipp2p --${port:-ipp2p}" rule="$rule -p udp -m ipp2p --${port:-ipp2p}"
port= port=
;; ;;
ipp2p-all|IPP2P-all) ipp2p:all|IPP2P:ALL)
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support"
rule="$rule -m ipp2p --${port:-ipp2p}" rule="$rule -m ipp2p --${port:-ipp2p}"
port= port=
;; ;;
*) *)
fatal_error "Unknown Protocol $proto" fatal_error "Invalid IPP2P Protocol ${proto#*:}"
;; ;;
esac esac
} }
@ -3610,7 +3607,7 @@ process_accounting_rule() {
[ -n "$proto" ] && case $proto in [ -n "$proto" ] && case $proto in
-|any|all) -|any|all)
;; ;;
ipp2p*|IPP2P*) ipp2p|IPP2P|ipp2p:*|IPP2P:*)
do_ipp2p do_ipp2p
;; ;;
*) *)
@ -3960,31 +3957,30 @@ add_an_action()
} }
do_ipp2p() { do_ipp2p() {
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
case $proto in case $proto in
ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) ipp2p|IPP2P|ipp2p:tcp|IPP2P:TCP)
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
dports="-m ipp2p --${port:-ipp2p}" dports="-m ipp2p --${port:-ipp2p}"
port= port=
proto=tcp proto=tcp
do_ports do_ports
;; ;;
ipp2p-udpIPP2P-udp) ipp2p:udpIPP2P:UDP)
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
dports="-m ipp2p --${port:-ipp2p}" dports="-m ipp2p --${port:-ipp2p}"
port= port=
proto=udp proto=udp
do_ports do_ports
;; ;;
ipp2p-all|IPP2P-all) ipp2p:all|IPP2P:ALL)
[ -n "$port" ] && \ [ -n "$port" ] && \
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
dports="-m ipp2p --${port:-ipp2p}" dports="-m ipp2p --${port:-ipp2p}"
port= port=
proto=all proto=all
;; ;;
*) *)
fatal_error "Unknown protocol $proto. Rule: \"$rule\"" fatal_error "Invalid IPP2P protocol ${proto#*:}. Rule: \"$rule\""
;; ;;
esac esac
} }
@ -4060,7 +4056,7 @@ add_an_action()
icmp|ICMP|1) icmp|ICMP|1)
[ -n "$port" ] && dports="--icmp-type $port" [ -n "$port" ] && dports="--icmp-type $port"
;; ;;
ipp2p*|IPP2P*) ipp2p|IPP2P|ipp2p:*|IPP2P:*)
do_ipp2p do_ipp2p
;; ;;
*) *)
@ -5302,31 +5298,30 @@ process_rule() # $1 = target
} }
do_ipp2p() { do_ipp2p() {
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
case $proto in case $proto in
ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) ipp2p|IPP2P|ipp2p:tcp|IPP2P:TCP)
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
dports="-m ipp2p --${port:-ipp2p}" dports="-m ipp2p --${port:-ipp2p}"
port= port=
proto=tcp proto=tcp
do_ports do_ports
;; ;;
ipp2p-udp|IPP2P-UDP) ipp2p:udp|IPP2P:UDP)
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
dports="-m ipp2p --${port:-ipp2p}" dports="-m ipp2p --${port:-ipp2p}"
port= port=
proto=udp proto=udp
do_ports do_ports
;; ;;
ipp2p-all|IPP2P-ALL) ipp2p:all|IPP2P:ALL)
[ -n "$port" ] && \ [ -n "$port" ] && \
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
dports="-m ipp2p --${port:-ipp2p}" dports="-m ipp2p --${port:-ipp2p}"
port= port=
proto=all proto=all
;; ;;
*) *)
fatal_error "Unknown protocol $proto. Rule: \"$rule\"" fatal_error "Invalid IPP2P protocol ${proto#*:}. Rule: \"$rule\""
;; ;;
esac esac
} }
@ -5412,7 +5407,7 @@ process_rule() # $1 = target
fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\"" fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
proto= proto=
;; ;;
ipp2p*|IPP2P*) ipp2p|IPP2P|ipp2p:*|IPP2P:*)
do_ipp2p do_ipp2p
;; ;;
*) *)

10
Shorewall/releasenotes.txt
View File

@ -39,6 +39,16 @@ New Features in 2.5.7:
in shorewall.conf. This is done to ensure that "shorewall refresh" will in shorewall.conf. This is done to ensure that "shorewall refresh" will
work correctly. work correctly.
6) Shorewall now supports UDP IPP2P matching. In addition to the "ipp2p"
keyword in the PROTOCOL column of the relevant files, the following
values may be specified:
ipp2p:tcp Equivalent to ipp2p and matches TCP traffic
only.
ipp2p:udp Matches UDP traffic.
ipp2p:all Matches both UDP and TCP traffic. You may
not specify a SOURCE PORT with this PROTOCOL.
Migration Considerations: Migration Considerations:
1) The "monitor" command has been eliminated. 1) The "monitor" command has been eliminated.

4
Shorewall/rules
View File

@ -269,7 +269,7 @@
# request should be redirected to. # request should be redirected to.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# "ipp2p-udp", "ipp2p-all" a number, or "all". # "ipp2p:udp", "ipp2p:all" a number, or "all".
# "ipp2p*" requires ipp2p match support in your kernel # "ipp2p*" requires ipp2p match support in your kernel
# and iptables. # and iptables.
# #
@ -278,7 +278,7 @@
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# If the protocol is ipp2p*, this column is interpreted # If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example # as an ipp2p option without the leading "--" (example
# "bit" for bit-torrent). If no port is given, "ipp2p" is # "bit" for bit-torrent). If no port is given, "ipp2p" is
# assumed. # assumed.

4
Shorewall/tcrules
View File

@ -109,7 +109,7 @@
# contain an interface name. # contain an interface name.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# "ipp2p-udp", "ipp2p-all" a number, or "all". # "ipp2p:udp", "ipp2p:all" a number, or "all".
# "ipp2p" requires ipp2p match support in your kernel # "ipp2p" requires ipp2p match support in your kernel
# and iptables. # and iptables.
# #
@ -118,7 +118,7 @@
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# If the protocol is ipp2p*, this column is interpreted # If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example # as an ipp2p option without the leading "--" (example
# "bit" for bit-torrent). If no PORT is given, "ipp2p" is # "bit" for bit-torrent). If no PORT is given, "ipp2p" is
# assumed. # assumed.