From ff8d354c1cb3911e6d902088612552815a1a36f6 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 20 Jun 2014 07:00:06 -0700 Subject: [PATCH 1/4] Allow INLINE_MATCHES=Yes and AUTOHELPERS=No to work correctly. Signed-off-by: Tom Eastep --- Shorewall/Macros/macro.Amanda | 2 +- Shorewall/Macros/macro.FTP | 2 +- Shorewall/Macros/macro.IRC | 2 +- Shorewall/Macros/macro.PPtP | 2 +- Shorewall/Macros/macro.SANE | 2 +- Shorewall/Macros/macro.SIP | 2 +- Shorewall/Macros/macro.SMB | 2 +- Shorewall/Macros/macro.SMBBI | 4 ++-- Shorewall/Macros/macro.SNMP | 2 +- Shorewall/Macros/macro.TFTP | 2 +- 10 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Shorewall/Macros/macro.Amanda b/Shorewall/Macros/macro.Amanda index f9cf8a714..b8d2aa3aa 100644 --- a/Shorewall/Macros/macro.Amanda +++ b/Shorewall/Macros/macro.Amanda @@ -14,7 +14,7 @@ # PORT(S) PORT(S) DEST LIMIT GROUP ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER ) - PARAM - - udp 10080 ; helper=amanda + PARAM - - udp 10080 { helper=amanda } ?else PARAM - - udp 10080 ?endif diff --git a/Shorewall/Macros/macro.FTP b/Shorewall/Macros/macro.FTP index ca1edd7b6..7133179a3 100644 --- a/Shorewall/Macros/macro.FTP +++ b/Shorewall/Macros/macro.FTP @@ -11,7 +11,7 @@ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ # PORT(S) PORT(S) DEST LIMIT GROUP ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER ) - PARAM - - tcp 21 ; helper=ftp + PARAM - - tcp 21 { helper=ftp } ?else PARAM - - tcp 21 ?endif diff --git a/Shorewall/Macros/macro.IRC b/Shorewall/Macros/macro.IRC index baf5e4f9c..f8faf92ca 100644 --- a/Shorewall/Macros/macro.IRC +++ b/Shorewall/Macros/macro.IRC @@ -12,7 +12,7 @@ # PORT(S) PORT(S) DEST LIMIT GROUP ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER ) - PARAM - - tcp 6667 ; helper=irc + PARAM - - tcp 6667 { helper=irc } ?else PARAM - - tcp 6667 ?endif diff --git a/Shorewall/Macros/macro.PPtP b/Shorewall/Macros/macro.PPtP index f932c4631..cf95bcbd2 100644 --- a/Shorewall/Macros/macro.PPtP 
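Review bot: Nothing in the macro itself records why `; helper=amanda` became `{ helper=amanda }`, so the next person tidying these files can put the `;` form straight back; a one-line comment above the `?if` in macro.Amanda (and the identical FTP and IRC hunks) would pin it, e.g. `# Use the { } column syntax: with INLINE_MATCHES=Yes, text after ';' is treated as raw iptables matches, not as the helper= option`. That reading of the `;` behaviour comes from the commit subject rather than from anything visible in the hunk, so reword if the parser does something subtler. It is also worth stating in the same comment that the helper is only bound to the rule when `__CT_TARGET && ! $AUTOHELPERS`, i.e. when helpers are not auto-assigned, since that condition is what keeps the conntrack helper scoped to this port.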
+++ b/Shorewall/Macros/macro.PPtP @@ -14,7 +14,7 @@ PARAM - - 47 PARAM DEST SOURCE 47 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER ) - PARAM - - tcp 1723 ; helper=pptp + PARAM - - tcp 1723 { helper=pptp } ?else PARAM - - tcp 1723 ?endif diff --git a/Shorewall/Macros/macro.SANE b/Shorewall/Macros/macro.SANE index 6862b318d..d190c4b3e 100644 --- a/Shorewall/Macros/macro.SANE +++ b/Shorewall/Macros/macro.SANE @@ -12,7 +12,7 @@ # PORT(S) PORT(S) DEST LIMIT GROUP ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER ) - PARAM - - tcp 6566 ; helper=sane + PARAM - - tcp 6566 { helper=sane } ?else PARAM - - tcp 6566 ?endif diff --git a/Shorewall/Macros/macro.SIP b/Shorewall/Macros/macro.SIP index 7d87b2cc7..9a8c5654e 100644 --- a/Shorewall/Macros/macro.SIP +++ b/Shorewall/Macros/macro.SIP @@ -12,7 +12,7 @@ # PORT(S) PORT(S) DEST LIMIT GROUP ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER ) - PARAM - - udp 5060 ; helper=sip + PARAM - - udp 5060 { helper=sip } ?else PARAM - - udp 5060 ?endif diff --git a/Shorewall/Macros/macro.SMB b/Shorewall/Macros/macro.SMB index a6aa000a0..c33f40109 100644 --- a/Shorewall/Macros/macro.SMB +++ b/Shorewall/Macros/macro.SMB @@ -17,7 +17,7 @@ PARAM - - udp 135,445 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER ) - PARAM - - udp 137 ; helper=netbios-ns + PARAM - - udp 137 { helper=netbios-ns } PARAM - - udp 138:139 ?else PARAM - - udp 137:139 diff --git a/Shorewall/Macros/macro.SMBBI b/Shorewall/Macros/macro.SMBBI index ffb6bfa54..645732bcf 100644 --- a/Shorewall/Macros/macro.SMBBI +++ b/Shorewall/Macros/macro.SMBBI @@ -17,7 +17,7 @@ PARAM - - udp 135,445 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER ) - PARAM - - udp 137 ; helper=netbios-ns + PARAM - - udp 137 { helper=netbios-ns } PARAM - - udp 138:139 ?else PARAM - - udp 137:139 
@@ -28,7 +28,7 @@ PARAM - - tcp 135,139,445 PARAM DEST SOURCE udp 135,445 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER ) - PARAM DEST SOURCE udp 137 ; helper=netbios-ns + PARAM DEST SOURCE udp 137 { helper=netbios-ns } PARAM DEST SOURCE udp 138:139 ?else PARAM DEST SOURCE udp 137:139 diff --git a/Shorewall/Macros/macro.SNMP b/Shorewall/Macros/macro.SNMP index 6e1e7fd9f..64a811bbe 100644 --- a/Shorewall/Macros/macro.SNMP +++ b/Shorewall/Macros/macro.SNMP @@ -14,7 +14,7 @@ # PORT(S) PORT(S) DEST LIMIT GROUP ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER ) - PARAM - - udp 161 ; helper=snmp + PARAM - - udp 161 { helper=snmp } ?else PARAM - - udp 161 ?endif diff --git a/Shorewall/Macros/macro.TFTP b/Shorewall/Macros/macro.TFTP index 723f9dc4b..e65b2824e 100644 --- a/Shorewall/Macros/macro.TFTP +++ b/Shorewall/Macros/macro.TFTP @@ -14,7 +14,7 @@ # PORT(S) PORT(S) DEST LIMIT GROUP ?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER ) - PARAM - - udp 69 ; helper=tftp + PARAM - - udp 69 { helper=tftp } ?else PARAM - - udp 69 ?endif From 61bb73fd8c644896736f6ddb19e950b8646b2a30 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 20 Jun 2014 14:28:17 -0700 Subject: [PATCH 2/4] Correct handling of matches in action_tcp_helper() Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Rules.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index b228293f0..f7ecc41c8 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -2950,7 +2950,7 @@ sub perl_action_helper($$;$) { $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/; - set_inline_matches $matches if $target =~ /^INLINE(?::.*)?$/; + set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' ); if ( $isstatematch ) { if ( $statematch ) { From 122d58b122d37264218e751a30c6f2eea5de51af Mon Sep 17 00:00:00 2001 
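Review bot: The new ternary passes `''` to set_inline_matches for every non-INLINE target, but the line carries no explanation, and the preceding statement still normalises `$matches` with a trailing space whether or not it will be used. A comment on the changed line would stop a later cleanup from reverting it to the conditional call: `# Non-INLINE targets carry no inline matches; pass '' so matches set by an earlier rule are not reused`. The "reused from an earlier rule" reading is inferred from the pre-image (`set_inline_matches $matches if ...` left the previous value in place) and the commit subject, so adjust the wording if that state is reset elsewhere. perl_action_helper starts before and ends after this hunk.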
From: Tom Eastep Date: Sat, 21 Jun 2014 07:58:27 -0700 Subject: [PATCH 3/4] Clear inline matches in perl_action_tcp_helper Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Rules.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index f7ecc41c8..e00c94a5d 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -3023,6 +3023,8 @@ sub perl_action_tcp_helper($$) { $proto .= ' ' unless $proto =~ /^(?:.+\s)?$/; + set_inline_matches( '' ) if $config{INLINE_MATCHES}; + if ( $passedproto eq '-' || $passedproto eq 'tcp' || $passedproto eq '6' ) { # # For other protos, a 'no rule generated' warning will be issued From 824b14b714725069bbbbb3c69a27cdf842d0276e Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 25 Jun 2014 07:05:12 -0700 Subject: [PATCH 4/4] Add a TIME column to the mangle file Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Tc.pm | 23 ++++-- Shorewall/manpages/shorewall-mangle.xml | 98 +++++++++++++++++++++++ Shorewall6/manpages/shorewall6-mangle.xml | 98 +++++++++++++++++++++++ 3 files changed, 211 insertions(+), 8 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 5662ecb38..ebfe3933c 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -174,8 +174,8 @@ sub initialize( $ ) { # # Process a rule from the tcrules or mangle file # -sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) { - our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_; +sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) { + our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_; use constant { PREROUTING => 1, #Actually tcpre 
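Review bot: This reset is guarded by `$config{INLINE_MATCHES}`, whereas the equivalent reset added to perl_action_helper in the previous patch calls `set_inline_matches(...)` unconditionally, so one of the two call sites is inconsistent. If `set_inline_matches('')` is a no-op when INLINE_MATCHES=No the guard is redundant and should be dropped; if it is not, perl_action_helper needs the same guard — either way a comment should say which, e.g. `# Inline matches belong only to INLINE targets; clear any left over from a previous rule`. Note the reset also runs before the `$passedproto` branch, so it fires even when no rule is generated; that looks intended but is worth one clause in the comment. perl_action_tcp_helper's body continues past this hunk.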
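Review bot: `$time` becomes the 18th positional parameter of process_mangle_rule1, and the header comment above the sub ("Process a rule from the tcrules or mangle file") says nothing about what it holds or what value means "no TIME column". Because the arguments are unpacked into `our` package variables, the new `$time` is also visible to every helper the sub calls, so the contract deserves a line at the top: `# $time: TIME column, '-' when the column is absent or unsupported (tcrules)`. The `'-'` default is inferred from the call-site change later in this patch, so confirm it against do_time() before committing the wording. The body of process_mangle_rule1 runs past the end of this hunk.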
@@ -798,6 +798,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) { do_probability( $probability ) . do_dscp( $dscp ) . state_match( $state ) . + do_time( $time ) . $raw_matches , $source , $dest , @@ -986,7 +987,9 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) { $headers, $probability, $dscp, - $state ); + $state, + '-', + ); } } @@ -1046,9 +1049,9 @@ sub process_tc_rule( ) { } sub process_mangle_rule( ) { - my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ); + my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ); if ( $family == F_IPV4 ) { - ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) = + ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) = split_line2( 'tcrules file', { mark => 0, action => 0, @@ -1065,7 +1068,9 @@ sub process_mangle_rule( ) { helper => 11, probability => 12 , scp => 13, - state => 14 }, + state => 14, + time => 15, + }, {}, 15, 1 ); @@ -1089,14 +1094,16 @@ sub process_mangle_rule( ) { headers => 12, probability => 13, dscp => 14, - state => 15 }, + state => 15, + time => 16, + }, {}, 16, 1 ); } for my $proto (split_list( $protos, 'Protocol' ) ) { - process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ); + process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ); } } 
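Review bot: The bare `'-',` appended to the process_mangle_rule1 call in process_tc_rule1 is an unlabelled positional placeholder, and with eighteen positional arguments a reader cannot tell which column it stands for without counting. A trailing comment makes it self-describing: `'-',   # TIME: the tcrules file has no TIME column`. That the tcrules file lacks the column is inferred from this hunk alone, so adjust if tcrules is meant to grow it too. process_tc_rule1 starts and ends outside the hunk.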
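Review bot: The `time` key is added to both split_line2 column maps, but the count argument that follows each map is unchanged — `{}, 15, 1` for the IPv4 map, which now has 16 keys, and `{}, 16, 1` for the IPv6 map, which now has 17 — so unless that argument means something other than the maximum column count (the old values matched the key counts exactly), a TIME value written positionally as the last column will be rejected as excess input while the `{ time=... }` form works. Bump them to `{}, 16, 1` and `{}, 17, 1` and cover a positional TIME entry in the mangle test configs. The context line `scp => 13` in the IPv4 map also looks like a typo for `dscp` (the IPv6 map spells it `dscp => 14`), which would make `{ dscp=... }` fail on IPv4; it predates this patch but is cheap to fix in the same hunk.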
diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml index b4cd5ba13..c2bfed664 100644 --- a/Shorewall/manpages/shorewall-mangle.xml +++ b/Shorewall/manpages/shorewall-mangle.xml @@ -1109,6 +1109,104 @@ Normal-Service => 0x00 of the listed states. + + + TIME - + timeelement[&timeelement...] + + + Added in Shorewall 4.6.2. + + May be used to limit the rule to a particular time period each + day, to particular days of the week or month, or to a range defined + by dates and times. Requires time match support in your kernel and + ip6tables. + + timeelement may be: + + + + timestart=hh:mm[:ss] + + + Defines the starting time of day. + + + + + timestop=hh:mm[:ss] + + + Defines the ending time of day. + + + + + utc + + + Times are expressed in Greenwich Mean Time. + + + + + localtz + + + Deprecated by the Netfilter team in favor of kerneltz. Times are expressed in Local + Civil Time (default). + + + + + kerneltz + + + Added in Shorewall 4.5.2. Times are expressed in Local + Kernel Time (requires iptables 1.4.12 or later). + + + + + weekdays=ddd[,ddd]... + + + where ddd is one of + , , + , , + , or + + + + + + monthdays=dd[,dd],... + + + where dd is an ordinal day of + the month + + + + + datestart=yyyy[-mm[-dd[hh[:mm[:ss]]]]] + + + Defines the starting date and time. + + + + + datestop=yyyy[-mm[-dd[hh[:mm[:ss]]]]] + + + Defines the ending date and time. + + + + + diff --git a/Shorewall6/manpages/shorewall6-mangle.xml b/Shorewall6/manpages/shorewall6-mangle.xml index 9772d079f..b10c01936 100644 --- a/Shorewall6/manpages/shorewall6-mangle.xml +++ b/Shorewall6/manpages/shorewall6-mangle.xml 
@@ -1194,6 +1194,104 @@ Normal-Service => 0x00 of the listed states. + + + TIME - + timeelement[&timeelement...] + + + Added in Shorewall 4.6.2. + + May be used to limit the rule to a particular time period each + day, to particular days of the week or month, or to a range defined + by dates and times. Requires time match support in your kernel and + ip6tables. + + timeelement may be: + + + + timestart=hh:mm[:ss] + + + Defines the starting time of day. + + + + + timestop=hh:mm[:ss] + + + Defines the ending time of day. + + + + + utc + + + Times are expressed in Greenwich Mean Time. + + + + + localtz + + + Deprecated by the Netfilter team in favor of kerneltz. Times are expressed in Local + Civil Time (default). + + + + + kerneltz + + + Added in Shorewall 4.5.2. Times are expressed in Local + Kernel Time (requires iptables 1.4.12 or later). + + + + + weekdays=ddd[,ddd]... + + + where ddd is one of + , , + , , + , or + + + + + + monthdays=dd[,dd],... + + + where dd is an ordinal day of + the month + + + + + datestart=yyyy[-mm[-dd[hh[:mm[:ss]]]]] + + + Defines the starting date and time. + + + + + datestop=yyyy[-mm[-dd[hh[:mm[:ss]]]]] + + + Defines the ending date and time. + + + + +