Update documentation regarding Hack removal

This commit is contained in:
Tom Eastep 2010-12-14 11:19:17 -08:00
parent 999ef7105b
commit 880a94e42f
4 changed files with 507 additions and 478 deletions

View File

@ -437,8 +437,6 @@ sub find_logactionchain( $ ) {
fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"};
}
sub process_action1( $$ );
#
# The functions process_actions1-3() implement the three phases of action processing.
#
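Review bot: The removed forward declaration `sub process_action1( $$ );` names a function that nothing in view refers to (the surrounding comment talks about process_actions1-3(), a different name), so before merging confirm with a grep over the module that no definition of or call to process_action1 remains; a stale prototype-only declaration is harmless, but a surviving caller would now be called without the `( $$ )` prototype the declaration used to impose.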
@ -508,7 +506,10 @@ sub process_actions1() {
while ( read_a_line ) {
my ($wholetarget, @rest ) = split_line1 1, 13, 'action file' , $rule_commands;
#
# When passed an action name in the first argument, process_rule_common() only
# deals with the target and the parameter.
#
process_rule_common( $action ,
$wholetarget ,
'' , # Current Param
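Review bot: The new comment explains what process_rule_common() does with an action name, but the line just above it still splits 13 columns into `$wholetarget, @rest` and only `$wholetarget` is forwarded, so a reader will ask what happens to the other twelve columns in this pass. Say in the comment that the remaining columns are read only to validate the line count and are otherwise ignored in phase 1 (or whichever is the case), and consider `my ( $wholetarget ) = split_line1 ...` so the unused `@rest` does not suggest a dropped value.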

View File

@ -10,6 +10,8 @@ Changes in Shorewall 4.4.16 Beta 5
5) Allow DNAT and REDIRECT in actions.
6) Remove kludgy restrictions regarding Macros and Actions.
Changes in Shorewall 4.4.16 Beta 4
1) Only issue get_params() warnings under 'trace'
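Review bot: Entry 6, "Remove kludgy restrictions regarding Macros and Actions", tells an upgrading user nothing actionable; the documentation changed in this same commit spells out what was lifted (no restriction on which targets an action may use, no restriction on the ACTIONs a macro may perform, and FORMAT 2 templates taking the shorewall-rules(5) column layout), so restate the entry in those terms and note that a template must begin with `FORMAT 2` to get the new layout.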

View File

@ -213,15 +213,24 @@ ACCEPT - - tcp 135,139,445
</listitem>
</orderedlist>
<para><emphasis role="bold">Beginning with Shorewall 4.4.16, the columns
in action.template are the same as those in <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
</emphasis>The first non-commentary line in the template must be</para>
<section>
<title>Shorewall 4.4.16 and Later.</title>
<para>Beginning with Shorewall 4.4.16, the columns in action.template
are the same as those in shorewall-rules (5). The first non-commentary
line in the template must be</para>
<programlisting>FORMAT 2</programlisting>
<para>Prior to 4.4.16, columns in the <filename>action.template</filename>
file were as follows:</para>
<para>When using Shorewall 4.4.16 or later, there are no restrictions
regarding which targets can be used within your action.</para>
</section>
<section>
<title>Shorewall 4.4.15 and Earlier.</title>
<para>Prior to 4.4.16, columns in the
<filename>action.template</filename> file were as follows:</para>
<itemizedlist>
<listitem>
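Review bot: The replacement paragraph drops the `<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink>` cross-reference that the removed bold paragraph carried, leaving a bare "shorewall-rules (5)"; restore the link in the new "Shorewall 4.4.16 and Later" section. Also the two new `<title>` elements end with a period ("Later.", "Earlier.") while the matching titles added to the macro document in this commit do not; pick one style.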
@ -229,15 +238,15 @@ ACCEPT - - tcp 135,139,445
an &lt;<emphasis>action</emphasis>&gt; where
&lt;<emphasis>action</emphasis>&gt; is a previously-defined action
(that is, it must precede the action being defined in this file in
your <filename>/etc/shorewall/actions</filename> file). These actions
have the same meaning as they do in the
your <filename>/etc/shorewall/actions</filename> file). These
actions have the same meaning as they do in the
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
processing of the current action and returns to the point where that
action was invoked). The TARGET may optionally be followed by a colon
(<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
action was invoked). The TARGET may optionally be followed by a
colon (<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
ACCEPT:debugging). This causes the packet to be logged at the
specified level. You may also specify ULOG (must be in upper case) as
a log level. This will log to the ULOG target for routing to a
specified level. You may also specify ULOG (must be in upper case)
as a log level. This will log to the ULOG target for routing to a
separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
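Review bot: The re-wrapped text keeps the typo "e.g," (missing period after "g") in "(e.g, REJECT:info or ACCEPT:debugging)"; since the line is being rewritten anyway, make it "e.g.,".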
@ -256,14 +265,14 @@ ACCEPT - - tcp 135,139,445
<para>Alternatively, clients may be specified by interface name. For
example, eth1 specifies a client that communicates with the firewall
system through eth1. This may be optionally followed by another colon
(<quote>:</quote>) and an IP/MAC/subnet address as described above
(e.g., eth1:192.168.1.5).</para>
system through eth1. This may be optionally followed by another
colon (<quote>:</quote>) and an IP/MAC/subnet address as described
above (e.g., eth1:192.168.1.5).</para>
</listitem>
<listitem>
<para>DEST - Location of Server. Same as above with the exception that
MAC addresses are not allowed.</para>
<para>DEST - Location of Server. Same as above with the exception
that MAC addresses are not allowed.</para>
</listitem>
<listitem>
@ -273,23 +282,24 @@ ACCEPT - - tcp 135,139,445
</listitem>
<listitem>
<para>DEST PORT(S) - Destination Ports. A comma-separated list of Port
names (from <filename>/etc/services</filename>), port numbers or port
ranges; if the protocol is <quote>icmp</quote>, this column is
interpreted as the destination icmp-type(s).</para>
<para>DEST PORT(S) - Destination Ports. A comma-separated list of
Port names (from <filename>/etc/services</filename>), port numbers
or port ranges; if the protocol is <quote>icmp</quote>, this column
is interpreted as the destination icmp-type(s).</para>
<para>A port range is expressed as &lt;<emphasis>low
port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
<para>This column is ignored if PROTO = <quote>all</quote>, but must
be entered if any of the following fields are supplied. In that case,
it is suggested that this field contain <quote>-</quote>.</para>
be entered if any of the following fields are supplied. In that
case, it is suggested that this field contain
<quote>-</quote>.</para>
</listitem>
<listitem>
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
source port is acceptable. Specified as a comma-separated list of port
names, port numbers or port ranges.</para>
source port is acceptable. Specified as a comma-separated list of
port names, port numbers or port ranges.</para>
<para>If you don't want to restrict client ports but need to specify
any of the subsequent fields, then place <quote>-</quote> in this
@ -305,17 +315,17 @@ ACCEPT - - tcp 135,139,445
&lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
<quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
given, a value of 5 is assumed. There may be no whitespace embedded in
the specification.</para>
given, a value of 5 is assumed. There may be no whitespace embedded
in the specification.</para>
<para><programlisting> Example: 10/sec:20</programlisting></para>
</listitem>
<listitem>
<para>USER/GROUP - For output rules (those with the firewall as their
source), you may control connections based on the effective UID and/or
GID of the process requesting the connection. This column can contain
any of the following:</para>
<para>USER/GROUP - For output rules (those with the firewall as
their source), you may control connections based on the effective
UID and/or GID of the process requesting the connection. This column
can contain any of the following:</para>
<simplelist>
<member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
@ -339,10 +349,11 @@ ACCEPT - - tcp 135,139,445
name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group name</emphasis>&gt;</member>
name</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note: support
for this form was removed from Netfilter in kernel version
<member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note:
support for this form was removed from Netfilter in kernel version
2.6.14).</member>
</simplelist>
</listitem>
@ -357,19 +368,19 @@ ACCEPT - - tcp 135,139,445
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you dont want to define a test but need to specify anything
in the subsequent columns, place a <quote>-</quote> in this
<para>If you dont want to define a test but need to specify
anything in the subsequent columns, place a <quote>-</quote> in this
field.<simplelist>
<member>! — Inverts the test (not equal)</member>
<member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
or connection mark.</member>
<member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied to
the mark before testing.</member>
<member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied
to the mark before testing.</member>
<member>:C — Designates a connection mark. If omitted, the packet
marks value is tested. This option is only supported by
<member>:C — Designates a connection mark. If omitted, the
packet marks value is tested. This option is only supported by
Shorewall-perl</member>
</simplelist></para>
</listitem>
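Review bot: Two apostrophes are missing in the re-wrapped lines: "If you dont want" should be "If you don't want" and "the packet marks value is tested" should be "the packet mark's value is tested". While here, the trailing "This option is only supported by Shorewall-perl" reads as a leftover from the shell/perl split; if Shorewall-shell is no longer part of this release series, drop the qualifier rather than carry it into the new section layout.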
@ -387,8 +398,8 @@ ACCEPT - - tcp 135,139,445
LogAndAccept # LOG and ACCEPT a connection</programlisting><emphasis
role="bold">Note:</emphasis> If your
<filename>/etc/shorewall/actions</filename> file doesn't have an
indication where to place the comment, put the <quote>#</quote> in column
21.</para>
indication where to place the comment, put the <quote>#</quote> in
column 21.</para>
<para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
ACCEPT</programlisting></para>
@ -396,12 +407,13 @@ ACCEPT - - tcp 135,139,445
<para>Placing a comment on the line causes the comment to appear in the
output of the <command>shorewall show actions</command> command.</para>
<para>To use your action, in <filename>/etc/shorewall/rules</filename> you
might do something like:</para>
<para>To use your action, in <filename>/etc/shorewall/rules</filename>
you might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc $FW tcp 22</programlisting>
</section>
</section>
<section id="Logging">
<title>Actions and Logging</title>
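Review bot: The added `</section>` closes the "Shorewall 4.4.15 and Earlier." `<section>` opened in the first hunk of this file, so the nesting now spans several hunks; run the document through xmllint (or the project's docbook build) before merging, since an unbalanced section here would break the whole page rather than just this paragraph.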

View File

@ -277,36 +277,45 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
</listitem>
</orderedlist>
<para><emphasis role="bold">Beginning with Shorewall 4.4.16, the columns
in macro.template are the same as those in <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
</emphasis>The first non-commentary line in the template must be</para>
<section>
<title>Shorewall 4.4.16 and Later</title>
<para>Beginning with Shorewall 4.4.16, the columns in macro.template are
the same as those in shorewall-rules (5). The first non-commentary line
in the template must be</para>
<programlisting>FORMAT 2</programlisting>
<para>There are no restrictions regarding the ACTIONs that can be
performed in a macro.</para>
</section>
<section>
<title>Shorewall 4.4.15 and Earlier</title>
<para>Before 4.4.16, columns in the macro.template file were as
follows:</para>
<itemizedlist>
<listitem>
<para>ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
LOG, QUEUE, PARAM or an action name. Note that a macro may not invoke
another macro.</para>
<para>ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
CONTINUE, LOG, QUEUE, PARAM or an action name. Note that a macro may
not invoke another macro.</para>
<simplelist>
<member>ACCEPT - allow the connection request</member>
<member>ACCEPT+ - like ACCEPT but also excludes the connection from
any subsequent DNAT[-] or REDIRECT[-] rules.</member>
<member>ACCEPT+ - like ACCEPT but also excludes the connection
from any subsequent DNAT[-] or REDIRECT[-] rules.</member>
<member>NONAT - Excludes the connection from any subsequent DNAT[-]
or REDIRECT[-] rules but doesn't generate a rule to accept the
traffic.</member>
<member>NONAT - Excludes the connection from any subsequent
DNAT[-] or REDIRECT[-] rules but doesn't generate a rule to accept
the traffic.</member>
<member>DROP - ignore the request</member>
<member>REJECT - disallow the request and return an icmp unreachable
or an RST packet.</member>
<member>REJECT - disallow the request and return an icmp
unreachable or an RST packet.</member>
<member>DNAT - Forward the request to another address (and
optionally another port).</member>
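Review bot: As in the action document, the new "Shorewall 4.4.16 and Later" paragraph loses the `<ulink url="manpages/shorewall-rules.html">` link the removed paragraph had; restore it. More importantly, the new section says "There are no restrictions regarding the ACTIONs that can be performed in a macro" while the legacy list below still states "a macro may not invoke another macro"; say explicitly whether that limitation is lifted in 4.4.16 or still applies, because a reader of the new section cannot tell.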
@ -315,8 +324,9 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
the DNAT iptables rule and not the companion ACCEPT rule.</member>
<member>SAME - Similar to DNAT except that the port may not be
remapped and when multiple server addresses are listed, all requests
from a given remote system go to the same server.</member>
remapped and when multiple server addresses are listed, all
requests from a given remote system go to the same
server.</member>
<member>SAME- - Advanced users only. Like SAME but only generates
the SAME iptables rule and not the companion ACCEPT rule.</member>
@ -336,8 +346,8 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
<member>LOG - Simply log the packet and continue.</member>
<member>QUEUE - Queue the packet to a user-space application such as
ftwall (http://p2pwall.sf.net).</member>
<member>QUEUE - Queue the packet to a user-space application such
as ftwall (http://p2pwall.sf.net).</member>
</simplelist>
<para>The ACTION may optionally be followed by ":" and a syslog log
@ -353,16 +363,16 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
<para>Alternatively, clients may be specified by interface name. For
example, eth1 specifies a client that communicates with the firewall
system through eth1. This may be optionally followed by another colon
(<quote>:</quote>) and an IP/MAC/subnet address as described above
(e.g. eth1:192.168.1.5).</para>
system through eth1. This may be optionally followed by another
colon (<quote>:</quote>) and an IP/MAC/subnet address as described
above (e.g. eth1:192.168.1.5).</para>
<para>May also contain 'DEST' as described above.</para>
</listitem>
<listitem>
<para>DEST - Location of Server. Same as above with the exception that
MAC addresses are not allowed.</para>
<para>DEST - Location of Server. Same as above with the exception
that MAC addresses are not allowed.</para>
<para>Unlike in the SOURCE column, you may specify a range of up to
256 IP addresses using the syntax &lt;<emphasis>first
@ -378,16 +388,16 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
</listitem>
<listitem>
<para>DEST PORT(S) - Destination Ports. A comma-separated list of Port
names (from <filename>/etc/services</filename>), port numbers or port
ranges; if the protocol is <quote>icmp</quote>, this column is
interpreted as the destination icmp-type(s).</para>
<para>DEST PORT(S) - Destination Ports. A comma-separated list of
Port names (from <filename>/etc/services</filename>), port numbers
or port ranges; if the protocol is <quote>icmp</quote>, this column
is interpreted as the destination icmp-type(s).</para>
<para>A port range is expressed as &lt;<emphasis>low
port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
<para>This column is ignored if PROTOCOL = all but must be entered if
any of the following fields are supplied. In that case, it is
<para>This column is ignored if PROTOCOL = all but must be entered
if any of the following fields are supplied. In that case, it is
suggested that this field contain <quote>-</quote>.</para>
<para>If your kernel contains multi-port match support, then only a
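Review bot: This paragraph says "This column is ignored if PROTOCOL = all" while the equivalent paragraph in the action document says "PROTO = all"; use the actual column name consistently in both files so a reader matching the text against the template header finds it.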
@ -410,8 +420,8 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
<listitem>
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
source port is acceptable. Specified as a comma-separated list of port
names, port numbers or port ranges.</para>
source port is acceptable. Specified as a comma-separated list of
port names, port numbers or port ranges.</para>
<para>If you don't want to restrict client ports but need to specify
an ADDRESS in the next column, then place "-" in this column.</para>
@ -447,19 +457,19 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
<para>A comma-separated list of addresses may also be used. This is
most useful with the REDIRECT target where you want to redirect
traffic destined for particular set of hosts. Finally, if the list of
addresses begins with "!" (exclusion) then the rule will be followed
only if the original destination address in the connection request
does not match any of the addresses listed.</para>
traffic destined for particular set of hosts. Finally, if the list
of addresses begins with "!" (exclusion) then the rule will be
followed only if the original destination address in the connection
request does not match any of the addresses listed.</para>
<para>For other actions, this column may be included and may contain
one or more addresses (host or network) separated by commas. Address
ranges are not allowed. When this column is supplied, rules are
generated that require that the original destination address matches
one of the listed addresses. This feature is most useful when you want
to generate a filter rule that corresponds to a DNAT- or REDIRECT-
rule. In this usage, the list of addresses should not begin with
"!".</para>
one of the listed addresses. This feature is most useful when you
want to generate a filter rule that corresponds to a DNAT- or
REDIRECT- rule. In this usage, the list of addresses should not
begin with "!".</para>
<para>It is also possible to specify a set of addresses then exclude
part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
@ -482,17 +492,17 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
&lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
<quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
given, a value of 5 is assumed. There may be no whitespace embedded in
the specification.</para>
given, a value of 5 is assumed. There may be no whitespace embedded
in the specification.</para>
<para><programlisting> Example: 10/sec:20</programlisting></para>
</listitem>
<listitem>
<para>USER/GROUP - For output rules (those with the firewall as their
source), you may control connections based on the effective UID and/or
GID of the process requesting the connection. This column can contain
any of the following:</para>
<para>USER/GROUP - For output rules (those with the firewall as
their source), you may control connections based on the effective
UID and/or GID of the process requesting the connection. This column
can contain any of the following:</para>
<simplelist>
<member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
@ -516,19 +526,20 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group name</emphasis>&gt;</member>
name</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note: support
for this form was removed from Netfilter in kernel version
<member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note:
support for this form was removed from Netfilter in kernel version
2.6.14).</member>
</simplelist>
</listitem>
<listitem>
<para>MARK - (Added in Shorewall-4.4.2) Defines a test on the existing
packet or connection mark. The rule will match only if the test
returns true. Must be empty or '-' if the macro is to be used within
an action.</para>
<para>MARK - (Added in Shorewall-4.4.2) Defines a test on the
existing packet or connection mark. The rule will match only if the
test returns true. Must be empty or '-' if the macro is to be used
within an action.</para>
<programlisting> [!]<replaceable>value</replaceable>[/<replaceable>mask</replaceable>][:C]</programlisting>
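Review bot: The MARK paragraph still says the column "Must be empty or '-' if the macro is to be used within an action". It now sits under the "Shorewall 4.4.15 and Earlier" heading, which is correct for that constraint, but the new 4.4.16 section above makes a blanket "no restrictions" claim; if the MARK-inside-an-action restriction is among the ones removed, say so in the new section, and if not, the blanket claim needs qualifying.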
@ -574,13 +585,13 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
<programlisting> [!]<replaceable>limit</replaceable>[:<replaceable>mask</replaceable>]</programlisting>
<para>May be used to limit the number of simultaneous connections from
each individual host to limit connections. Requires connlimit match in
your kernel and iptables. While the limit is only checked on rules
specifying CONNLIMIT, the number of current connections is calculated
over all current connections from the SOURCE host. By default, the
<replaceable>limit</replaceable> is applied to each host but can be
made to apply to networks of hosts by specifying a
<para>May be used to limit the number of simultaneous connections
from each individual host to limit connections. Requires connlimit
match in your kernel and iptables. While the limit is only checked
on rules specifying CONNLIMIT, the number of current connections is
calculated over all current connections from the SOURCE host. By
default, the <replaceable>limit</replaceable> is applied to each
host but can be made to apply to networks of hosts by specifying a
<replaceable>mask</replaceable>. The mask specifies the width of a
VLSM mask to be applied to the source address; the number of current
connections is then taken over all hosts in the subnet
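Review bot: The re-wrapped sentence keeps the redundant "to limit the number of simultaneous connections from each individual host to limit connections"; drop the trailing "to limit connections" while the lines are being touched.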
@ -626,7 +637,8 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
<term>localtz</term>
<listitem>
<para>Times are expressed in Local Civil Time (default).</para>
<para>Times are expressed in Local Civil Time
(default).</para>
</listitem>
</varlistentry>
@ -670,19 +682,21 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
</listitem>
</itemizedlist>
<para>Omitted column entries should be entered using a dash ("-:).</para>
<para>Omitted column entries should be entered using a dash
("-:).</para>
<para>Example:</para>
<para><phrase><filename>/etc/shorewall/macro.LogAndAccept</filename></phrase><programlisting> LOG:info
ACCEPT</programlisting></para>
<para>To use your macro, in <filename>/etc/shorewall/rules</filename> you
might do something like:</para>
<para>To use your macro, in <filename>/etc/shorewall/rules</filename>
you might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc $FW tcp 22</programlisting>
</section>
</section>
<section id="Logging">
<title>Macros and Logging</title>
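Review bot: The re-wrapped line `("-:).</para>` carries over the typo from the original `using a dash ("-:)`; it should read `using a dash ("-").` As with the action document, the added `</section>` closes a `<section>` opened several hunks earlier, so validate the XML before merging.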