Add support for UDP Lite

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-03-16 09:42:50 -07:00
parent 5ac2b16936
commit a01fa345b7
12 changed files with 46 additions and 34 deletions

@ -1846,12 +1846,12 @@ sub do_proto( $$$;$ )
PROTO:
{
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP ) {
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
my $multiport = 0;
if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : '';
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $ports ) > 15;
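Review bot: The added `|| $proto == UDPLITE` in the port-list test sends every UDPLITE rule with a destination port down the multiport branch, so a single-port rule on a system without that capability dies with "Port lists require Multiport support in your kernel/iptables", which misdescribes the problem. Add a comment saying why UDPLITE has to use multiport even for one port, and give that case its own message, for example `fatal_error "UDPLITE port matching requires Multiport support in your kernel/iptables"`. The test sits inside `if ( $ports ne '' )`, so please also confirm that the branch handling a SOURCE PORT(S) entry with no destination port, which is not part of this hunk, gets the same treatment.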

@ -47,6 +47,7 @@ our @EXPORT = qw( ALLIPv4
ALL
TCP
UDP
UDPLITE
ICMP
DCCP
IPv6_ICMP
@ -103,7 +104,8 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
UDP => 17,
DCCP => 33,
IPv6_ICMP => 58,
SCTP => 132 };
SCTP => 132,
UDPLITE => 136 };
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
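Review bot: `UDPLITE => 136` is a numeric constant and do_proto tests it with `$proto == UDPLITE`, so the new branch only fires once the PROTO column has been resolved to 136, and no visible hunk touches name resolution. Please confirm that `udplite` written as a name resolves to 136 on systems whose protocols database lacks the entry, or state in the documentation that the number should be used.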

@ -29,6 +29,8 @@ Changes in Shorewall 4.4.8
14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES
default optimizations.
15) Add support for UDPLITE
Changes in Shorewall 4.4.7
1) Backport optimization changes from 4.5.

@ -55,7 +55,7 @@ get_script_version() { # $1 = script
echo $version
}
#
# Do required exports or create the required option string and run the passed script using
# $SHOREWALL_SHELL
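Review bot: The header `@ -55,7 +55,7 @` reports one changed line, yet the visible lines differ in nothing related to UDP Lite, which points to a whitespace-only edit around the `#` comment lines. Move it to a separate cleanup commit so this change stays limited to the protocol support.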

@ -345,6 +345,9 @@ None.
ERROR: The separator for a port range is ':', not '-' (21-22) :
/etc/shorewall/rules (line 3)
5) Support has been added for UDPLITE (proto 136) in that DEST PORT(S)
and SOURCE PORT(S) may be specified for that protocol.
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S

@ -126,17 +126,19 @@
<listitem>
<para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
number. Service name from <filename>/etc/services</filename> or port
number. May only be specified if the protocol is TCP or UDP (6 or 17).
If the PROTOCOL is <quote>ipp2p</quote>, then this column is
interpreted as an ipp2p option without the leading <quote>--</quote>
(default <quote>ipp2p</quote>). For a list of value ipp2p options, as
root type <command>iptables -m ipp2p --help</command>.</para>
number. May only be specified if the protocol is TCP (6), UDP (17),
DCCP (33), SCTP (132) or UDPLITE (136). If the PROTOCOL is
<quote>ipp2p</quote>, then this column is interpreted as an ipp2p
option without the leading <quote>--</quote> (default
<quote>ipp2p</quote>). For a list of value ipp2p options, as root type
<command>iptables -m ipp2p --help</command>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">SOURCE PORT</emphasis>- Source Port
number. Service name from /etc/services or port number. May only be
specified if the protocol is TCP or UDP (6 or 17).</para>
specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132)
or UDPLITE (136).</para>
</listitem>
<listitem>
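Review bot: The rewrapped DEST PORT paragraph carries over "For a list of value ipp2p options"; since the sentence is being touched anyway, correct "value" to "valid". In the SOURCE PORT item, `</emphasis>- Source Port` is also missing the space before the hyphen that the DEST PORT item has.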

@ -165,8 +165,8 @@
<listitem>
<para>Destination Port number. Service name from services(5) or
<emphasis>port number</emphasis>. May only be specified if the
protocol is <emphasis role="bold">tcp</emphasis> or <emphasis
role="bold">udp</emphasis> (6 or 17).</para>
protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
(136).</para>
<para>You may place a comma-separated list of port names or numbers
in this column if your kernel and iptables include multiport match
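Review bot: The new sentence lists UDPLITE (136) beside TCP and UDP, and the paragraph that follows ties the multiport match only to comma-separated lists, but the do_proto change in this commit requires the MULTIPORT capability for any UDPLITE port entry, including a single port. State that here, for example "UDPLITE port matching always requires multiport match support", and apply the same wording in the next hunk.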
@ -188,8 +188,8 @@
<listitem>
<para>Service name from services(5) or <emphasis>port
number</emphasis>. May only be specified if the protocol is TCP or
UDP (6 or 17).</para>
number</emphasis>. May only be specified if the protocol is TCP (6),
UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).</para>
<para>You may place a comma-separated list of port numbers in this
column if your kernel and iptables include multiport match

@ -237,10 +237,10 @@
[[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...]</term>
<listitem>
<para>If the PROTO column specifies TCP (protocol 6) or UDP
(protocol 17) then you may list one or more port numbers (or names
from services(5)) separated by commas or you may list a single port
range
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
SCTP (132) or UDPLITE (136) then you may list one or more port
numbers (or names from services(5)) separated by commas or you may
list a single port range
(<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>).</para>
<para>Where a comma-separated list is given, your kernel and
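Review bot: The rewritten sentence now says a comma-separated port list may be given when PROTO is SCTP (132), while do_proto as shown in this commit raises `fatal_error "Multiple ports not supported with SCTP"`. If this column is compiled through do_proto, exclude SCTP from the list wording, for example by adding "(a list is not permitted with SCTP)".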

@ -84,9 +84,10 @@
<term>PORT(S) - <replaceable>port</replaceable> [,...]</term>
<listitem>
<para>Optional. May only be given if the the PROTO is tcp (6) or udp
(17). A list of one or more port numbers or service names from
/etc/services. Port ranges of the form
<para>Optional. May only be given if the the PROTO is TCP (6), UDP
(17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more
port numbers or service names from /etc/services. Port ranges of the
form
<replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
may also be included.</para>
</listitem>
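Review bot: The replacement line keeps the doubled word in "May only be given if the the PROTO is"; drop one "the" while the paragraph is being rewritten. The later hunk with the same `@ -84,9 +84,10 @` header repeats the line and needs the same fix.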

@ -164,8 +164,8 @@
<listitem>
<para>Destination Port number. Service name from services(5) or
<emphasis>port number</emphasis>. May only be specified if the
protocol is <emphasis role="bold">tcp</emphasis> or <emphasis
role="bold">udp</emphasis> (6 or 17).</para>
protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
(136).</para>
<para>You may place a comma-separated list of port names or numbers
in this column if your kernel and ip6tables include multiport match
@ -187,8 +187,8 @@
<listitem>
<para>Service name from services(5) or <emphasis>port
number</emphasis>. May only be specified if the protocol is TCP or
UDP (6 or 17).</para>
number</emphasis>. May only be specified if the protocol is TCP (6),
UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).</para>
<para>You may place a comma-separated list of port numbers in this
column if your kernel and ip6tables include multiport match

@ -37,8 +37,9 @@
<listitem>
<para>Host address, network address, MAC address, IP address range
(if your kernel and ip6tables contain iprange match support) or ipset
name prefaced by "+" (if your kernel supports ipset match).</para>
(if your kernel and ip6tables contain iprange match support) or
ipset name prefaced by "+" (if your kernel supports ipset
match).</para>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
@ -67,9 +68,9 @@
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
<listitem>
<para>May only be specified if the protocol is TCP (6) or UDP (17).
A comma-separated list of destination port numbers or service names
from services(5).</para>
<para>May only be specified if the protocol is TCP (6), UDP (17),
DCCP (33), SCTP (132) or UDPLITE (136). A comma-separated list of
destination port numbers or service names from services(5).</para>
</listitem>
</varlistentry>
</variablelist>

@ -84,9 +84,10 @@
<term>PORT(S) - <replaceable>port</replaceable> [,...]</term>
<listitem>
<para>Optional. May only be given if the the PROTO is tcp (6) or udp
(17). A list of one or more port numbers or service names from
/etc/services. Port ranges of the form
<para>Optional. May only be given if the the PROTO is TCP (6), UDP
(17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more
port numbers or service names from /etc/services. Port ranges of the
form
<replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
may also be included.</para>
</listitem>
@ -152,6 +153,6 @@
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcinterfaces(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5) </para>
shorewall6-zones(5)</para>
</refsect1>
</refentry>