extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-18 19:48:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add new columns to macros

Browse Source
This commit is contained in:
Tom Eastep 2009-09-13 08:09:40 -07:00
parent 904754c074
commit 8fdebf0c38
5 changed files with 265 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
Shorewall/Macros/macro.template
View File

@ -269,7 +269,7 @@
# an action. See 'man shorewall-rules'. # an action. See 'man shorewall-rules'.
# #
# RATE LIMIT You may rate-limit the rule by placing a value in # RATE LIMIT You may rate-limit the rule by placing a value in
# this colume: # this column:
# #
# <rate>/<interval>[:<burst>] # <rate>/<interval>[:<burst>]
# #
@ -304,6 +304,100 @@
# #removed from Netfilter in kernel # #removed from Netfilter in kernel
# #version 2.6.14). # #version 2.6.14).
# #
# MARK Specifies a MARK value to match. Must be empty or
# '-' if the macro is to be used within an action.
#
# [!]value[/mask][:C]
#
# Defines a test on the existing packet or connection
# mark. The rule will match only if the test returns
# true.
#
# If you don't want to define a test but need to
# specify anything in the following columns,
# place a "-" in this field.
#
# !
#
# Inverts the test (not equal)
#
# value
#
# Value of the packet or connection mark.
#
# mask
#
# A mask to be applied to the mark before
# testing.
#
# :C
#
# Designates a connection mark. If omitted, the
# packet mark's value is tested.
#
# CONNLIMIT Must be empty or '-' if the macro is to be used within
# an action.
#
# [!]limit[:mask]
#
# May be used to limit the number of simultaneous
# connections from each individual host to limit
# connections. Requires connlimit match in your kernel
# and iptables. While the limit is only checked on rules
# specifying CONNLIMIT, the number of current connections
# is calculated over all current connections from the
# SOURCE host. By default, the limit is applied to each
# host but can be made to apply to networks of hosts by
# specifying a mask. The mask specifies the width of a
# VLSM mask to be applied to the source address; the
# number of current connections is then taken over all
# hosts in the subnet source-address/mask. When ! is
# specified, the rule matches when the number of
# connection exceeds the limit.
#
# TIME Must be empty or '-' if the macro is to be used within
# an action.
#
#
# <timeelement>[&...]
#
# timeelement may be:
#
# timestart=hh:mm[:ss]
#
# Defines the starting time of day.
#
# timestop=hh:mm[:ss]
#
# Defines the ending time of day.
#
# utc
#
# Times are expressed in Greenwich Mean
# Time.
#
# localtz
#
# Times are expressed in Local Civil Time
# (default).
#
# weekdays=ddd[,ddd]...
#
# where ddd is one of Mon, Tue, Wed, Thu,
# Fri, Sat or Sun
#
# monthdays=dd[,dd],...
#
# where dd is an ordinal day of the month#
#
# datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
#
# Defines the starting date and time.
#
# datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
#
# Defines the ending date and time.
#
# A few examples should help show how Macros work. # A few examples should help show how Macros work.
# #
# /etc/shorewall/macro.FwdFTP: # /etc/shorewall/macro.FwdFTP:

15
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -852,12 +852,13 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
while ( read_a_line ) { while ( read_a_line ) {
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ); my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime);
if ( $format == 1 ) { if ( $format == 1 ) {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands; ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
( $morigdest, $mmark, $mconnlimit, $mtime ) = qw/- - - -/;
} else { } else {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands; ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime ) = split_line1 1, 12, 'macro file', $macro_commands;
} }
if ( $mtarget eq 'COMMENT' ) { if ( $mtarget eq 'COMMENT' ) {
@ -871,8 +872,6 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
next; next;
} }
fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
$mtarget = merge_levels $target, $mtarget; $mtarget = merge_levels $target, $mtarget;
if ( $mtarget =~ /^PARAM(:.*)?$/ ) { if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
@ -924,9 +923,9 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
merge_macro_column( $morigdest, $origdest ) , merge_macro_column( $morigdest, $origdest ) ,
merge_macro_column( $mrate, $rate ) , merge_macro_column( $mrate, $rate ) ,
merge_macro_column( $muser, $user ) , merge_macro_column( $muser, $user ) ,
$mark, merge_macro_column( $mmark, $mark ) ,
$connlimit, merge_macro_column( $mconnlimit, $connlimit) ,
$time, merge_macro_column( $mtime, $time ),
$wildcard $wildcard
); );

2
Shorewall/changelog.txt
View File

@ -22,6 +22,8 @@ Changes in Shorewall 4.4.2
10) Add -<family> to 'ip route del default' command. 10) Add -<family> to 'ip route del default' command.
11) Add three new columns to macro body.
Changes in Shorewall 4.4.1 Changes in Shorewall 4.4.1
1) Deleted extra 'use ...IPAddrs.pm' from Nat.pm. 1) Deleted extra 'use ...IPAddrs.pm' from Nat.pm.

10
Shorewall/releasenotes.txt
View File

@ -233,6 +233,16 @@ None.
off (including any white-space preceding the '#'). Then if the line off (including any white-space preceding the '#'). Then if the line
ends with '\', it is treated as a continuation line as normal. ends with '\', it is treated as a continuation line as normal.
2) Three new columns have been added to FORMAT-2 macro bodies.
MARK
CONNLIMIT
TIME
These three columns correspond to the similar columns in
/etc/shorewall/rules and must be empty in macros invoked from an
action.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 0 N E W F E A T U R E S I N 4 . 4 . 0
---------------------------------------------------------------------------- ----------------------------------------------------------------------------

145
docs/Macros.xml
View File

@ -554,6 +554,151 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
2.6.14).</member> 2.6.14).</member>
</simplelist> </simplelist>
</listitem> </listitem>
<listitem>
<para>MARK - (Added in Shorewall-4.4.2) Defines a test on the existing
packet or connection mark. The rule will match only if the test
returns true. Must be empty or '-' if the macro is to be used within
an action.</para>
<programlisting> [!]<replaceable>value</replaceable>[/<replaceable>mask</replaceable>][:C]</programlisting>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>value</replaceable></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>mask</replaceable></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>:C</term>
<listitem>
<para>Designates a connection mark. If omitted, the # packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
<listitem>
<para>CONNLIMIT - (Added in Shorewall-4.4.2) Must be empty or '-' if
the macro is to be used within an action.</para>
<programlisting> [!]<replaceable>limit</replaceable>[:<replaceable>mask</replaceable>]</programlisting>
<para>May be used to limit the number of simultaneous connections from
each individual host to limit connections. Requires connlimit match in
your kernel and iptables. While the limit is only checked on rules
specifying CONNLIMIT, the number of current connections is calculated
over all current connections from the SOURCE host. By default, the
<replaceable>limit</replaceable> is applied to each host but can be
made to apply to networks of hosts by specifying a
<replaceable>mask</replaceable>. The mask specifies the width of a
VLSM mask to be applied to the source address; the number of current
connections is then taken over all hosts in the subnet
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
When ! is specified, the rule matches when the number of connection
exceeds the limit. </para>
</listitem>
<listitem>
<para>TIME - (Added in Shorewall-4.4.2) Must be empty or '-' if the
macro is to be used within an action.</para>
<programlisting> &lt;timeelement&gt;[&amp;...]</programlisting>
<para><replaceable>timeelement</replaceable> may be:</para>
<variablelist>
<varlistentry>
<term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
<listitem>
<para>Defines the starting time of day.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
<listitem>
<para>Defines the ending time of day.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>utc</term>
<listitem>
<para>Times are expressed in Greenwich Mean Time.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>localtz</term>
<listitem>
<para>Times are expressed in Local Civil Time (default).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>weekdays=ddd[,ddd]...</term>
<listitem>
<para>where <replaceable>ddd</replaceable> is one of
<option>Mon</option>, <option>Tue</option>,
<option>Wed</option>, <option>Thu</option>,
<option>Fri</option>, <option>Sat</option> or
<option>Sun</option></para>
</listitem>
</varlistentry>
<varlistentry>
<term>monthdays=dd[,dd],...</term>
<listitem>
<para>where <replaceable>dd</replaceable> is an ordinal day of
the month</para>
</listitem>
</varlistentry>
<varlistentry>
<term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
<listitem>
<para>Defines the starting date and time.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
<listitem>
<para>Defines the ending date and time.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</itemizedlist> </itemizedlist>
<para>Omitted column entries should be entered using a dash ("-:).</para> <para>Omitted column entries should be entered using a dash ("-:).</para>