Add support for UDP Lite
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
5ac2b16936
commit
a01fa345b7
@ -1846,12 +1846,12 @@ sub do_proto( $$$;$ )
|
||||
|
||||
PROTO:
|
||||
{
|
||||
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP ) {
|
||||
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
|
||||
my $multiport = 0;
|
||||
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
|
||||
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
|
||||
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
|
||||
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
||||
fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $ports ) > 15;
|
||||
|
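Review bot: Forcing `$proto == UDPLITE` into the multiport branch means a UDPLITE rule with a single destination port, on a system without the MULTIPORT capability, dies with "Port lists require Multiport support in your kernel/iptables" although the administrator wrote no list. The reason every UDPLITE port match is routed through multiport is not recorded; presumably there is no protocol-specific port match to fall back on, and a comment such as `# UDPLITE has no port match of its own; always use multiport` above the condition would say so. A dedicated check ahead of the existing one, e.g. `fatal_error "UDPLITE port matching requires Multiport support in your kernel/iptables" if $proto == UDPLITE && ! have_capability( 'MULTIPORT' );`, would point at the actual cause instead of a port list that is not there. The branch taken when `$ports` is empty (source ports only) lies outside this hunk, so whether a lone SOURCE PORT for UDPLITE is also sent through multiport cannot be confirmed from here and is worth checking in do_proto.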
@ -47,6 +47,7 @@ our @EXPORT = qw( ALLIPv4
|
||||
ALL
|
||||
TCP
|
||||
UDP
|
||||
UDPLITE
|
||||
ICMP
|
||||
DCCP
|
||||
IPv6_ICMP
|
||||
@ -103,7 +104,8 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
|
||||
UDP => 17,
|
||||
DCCP => 33,
|
||||
IPv6_ICMP => 58,
|
||||
SCTP => 132 };
|
||||
SCTP => 132,
|
||||
UDPLITE => 136 };
|
||||
|
||||
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
|
||||
|
||||
|
@ -29,6 +29,8 @@ Changes in Shorewall 4.4.8
|
||||
14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES
|
||||
default optimizations.
|
||||
|
||||
15) Add support for UDPLITE
|
||||
|
||||
Changes in Shorewall 4.4.7
|
||||
|
||||
1) Backport optimization changes from 4.5.
|
||||
|
@ -55,7 +55,7 @@ get_script_version() { # $1 = script
|
||||
|
||||
echo $version
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Do required exports or create the required option string and run the passed script using
|
||||
# $SHOREWALL_SHELL
|
||||
|
@ -345,6 +345,9 @@ None.
|
||||
|
||||
ERROR: The separator for a port range is ':', not '-' (21-22) :
|
||||
/etc/shorewall/rules (line 3)
|
||||
|
||||
5) Support has been added for UDPLITE (proto 136) in that DEST PORT(S)
|
||||
and SOURCE PORT(S) may be specified for that protocol.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
|
@ -126,17 +126,19 @@
|
||||
<listitem>
|
||||
<para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
|
||||
number. Service name from <filename>/etc/services</filename> or port
|
||||
number. May only be specified if the protocol is TCP or UDP (6 or 17).
|
||||
If the PROTOCOL is <quote>ipp2p</quote>, then this column is
|
||||
interpreted as an ipp2p option without the leading <quote>--</quote>
|
||||
(default <quote>ipp2p</quote>). For a list of value ipp2p options, as
|
||||
root type <command>iptables -m ipp2p --help</command>.</para>
|
||||
number. May only be specified if the protocol is TCP (6), UDP (17),
|
||||
DCCP (33), SCTP (132) or UDPLITE (136). If the PROTOCOL is
|
||||
<quote>ipp2p</quote>, then this column is interpreted as an ipp2p
|
||||
option without the leading <quote>--</quote> (default
|
||||
<quote>ipp2p</quote>). For a list of value ipp2p options, as root type
|
||||
<command>iptables -m ipp2p --help</command>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">SOURCE PORT</emphasis>- Source Port
|
||||
number. Service name from /etc/services or port number. May only be
|
||||
specified if the protocol is TCP or UDP (6 or 17).</para>
|
||||
specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132)
|
||||
or UDPLITE (136).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
@ -165,8 +165,8 @@
|
||||
<listitem>
|
||||
<para>Destination Port number. Service name from services(5) or
|
||||
<emphasis>port number</emphasis>. May only be specified if the
|
||||
protocol is <emphasis role="bold">tcp</emphasis> or <emphasis
|
||||
role="bold">udp</emphasis> (6 or 17).</para>
|
||||
protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
|
||||
(136).</para>
|
||||
|
||||
<para>You may place a comma-separated list of port names or numbers
|
||||
in this column if your kernel and iptables include multiport match
|
||||
@ -188,8 +188,8 @@
|
||||
|
||||
<listitem>
|
||||
<para>Service name from services(5) or <emphasis>port
|
||||
number</emphasis>. May only be specified if the protocol is TCP or
|
||||
UDP (6 or 17).</para>
|
||||
number</emphasis>. May only be specified if the protocol is TCP (6),
|
||||
UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).</para>
|
||||
|
||||
<para>You may place a comma-separated list of port numbers in this
|
||||
column if your kernel and iptables include multiport match
|
||||
|
@ -237,10 +237,10 @@
|
||||
[[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If the PROTO column specifies TCP (protocol 6) or UDP
|
||||
(protocol 17) then you may list one or more port numbers (or names
|
||||
from services(5)) separated by commas or you may list a single port
|
||||
range
|
||||
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
|
||||
SCTP (132) or UDPLITE (136) then you may list one or more port
|
||||
numbers (or names from services(5)) separated by commas or you may
|
||||
list a single port range
|
||||
(<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>).</para>
|
||||
|
||||
<para>Where a comma-separated list is given, your kernel and
|
||||
|
@ -84,9 +84,10 @@
|
||||
<term>PORT(S) - <replaceable>port</replaceable> [,...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Optional. May only be given if the the PROTO is tcp (6) or udp
|
||||
(17). A list of one or more port numbers or service names from
|
||||
/etc/services. Port ranges of the form
|
||||
<para>Optional. May only be given if the the PROTO is TCP (6), UDP
|
||||
(17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more
|
||||
port numbers or service names from /etc/services. Port ranges of the
|
||||
form
|
||||
<replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
|
||||
may also be included.</para>
|
||||
</listitem>
|
||||
|
@ -164,8 +164,8 @@
|
||||
<listitem>
|
||||
<para>Destination Port number. Service name from services(5) or
|
||||
<emphasis>port number</emphasis>. May only be specified if the
|
||||
protocol is <emphasis role="bold">tcp</emphasis> or <emphasis
|
||||
role="bold">udp</emphasis> (6 or 17).</para>
|
||||
protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
|
||||
(136).</para>
|
||||
|
||||
<para>You may place a comma-separated list of port names or numbers
|
||||
in this column if your kernel and ip6tables include multiport match
|
||||
@ -187,8 +187,8 @@
|
||||
|
||||
<listitem>
|
||||
<para>Service name from services(5) or <emphasis>port
|
||||
number</emphasis>. May only be specified if the protocol is TCP or
|
||||
UDP (6 or 17).</para>
|
||||
number</emphasis>. May only be specified if the protocol is TCP (6),
|
||||
UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).</para>
|
||||
|
||||
<para>You may place a comma-separated list of port numbers in this
|
||||
column if your kernel and ip6tables include multiport match
|
||||
|
@ -37,8 +37,9 @@
|
||||
|
||||
<listitem>
|
||||
<para>Host address, network address, MAC address, IP address range
|
||||
(if your kernel and ip6tables contain iprange match support) or ipset
|
||||
name prefaced by "+" (if your kernel supports ipset match).</para>
|
||||
(if your kernel and ip6tables contain iprange match support) or
|
||||
ipset name prefaced by "+" (if your kernel supports ipset
|
||||
match).</para>
|
||||
|
||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
||||
separator.</para>
|
||||
@ -67,9 +68,9 @@
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
<listitem>
|
||||
<para>May only be specified if the protocol is TCP (6) or UDP (17).
|
||||
A comma-separated list of destination port numbers or service names
|
||||
from services(5).</para>
|
||||
<para>May only be specified if the protocol is TCP (6), UDP (17),
|
||||
DCCP (33), SCTP (132) or UDPLITE (136). A comma-separated list of
|
||||
destination port numbers or service names from services(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@ -84,9 +84,10 @@
|
||||
<term>PORT(S) - <replaceable>port</replaceable> [,...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Optional. May only be given if the the PROTO is tcp (6) or udp
|
||||
(17). A list of one or more port numbers or service names from
|
||||
/etc/services. Port ranges of the form
|
||||
<para>Optional. May only be given if the the PROTO is TCP (6), UDP
|
||||
(17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more
|
||||
port numbers or service names from /etc/services. Port ranges of the
|
||||
form
|
||||
<replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
|
||||
may also be included.</para>
|
||||
</listitem>
|
||||
@ -152,6 +153,6 @@
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||
shorewall6-tcinterfaces(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
||||
shorewall6-zones(5) </para>
|
||||
shorewall6-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|