Add 'tcpsyn'

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3480 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -65,3 +65,5 @@ Changes in 3.1.x.
 29) Automatically use capabilities file when non-root.
 
 30) Correct typo in help file ("help drop").
+
+31) Added 'tcpsyn'

Shorewall/compiler

@@ -3755,7 +3755,10 @@ add_an_action()
     case $proto in
 	tcp|TCP|6)
 	    do_ports
-	    [ "$target" = QUEUE ] && proto="$proto --syn"
+	    ;;
+	tcpsyn)
+	    proto="$proto --syn"
+	    do_ports
 	    ;;
 	udp|UDP|17)
 	    do_ports
@@ -5171,7 +5174,10 @@ process_rule() # $1 = target
 	case $proto in
 	    tcp|TCP|6)
 		do_ports
-		[ "$target" = QUEUE -a $SECTION != ESTABLISHED ] && proto="$proto --syn"
+		;;
+	    tcpsyn)
+		proto="tcp --syn"
+		do_ports
 		;;
 	    udp|UDP|17)
 		do_ports

Shorewall/releasenotes.txt

@@ -90,6 +90,14 @@ Other changes in 3.1.6
     For instructions about running shorecap, see the comments at the top
     of the program file (it's a simple shell script).
 
+5)  In the /etc/shorewall/rules file and in actions, you may now specify
+    'tcpsyn' in the PROTO column. 'tcpsyn' is equivalent to 'tcp' but also
+    requires that the SYN flag is set and the RST, FIN and ACK flags be
+    off ("--syn" is added to the iptables rule).
+
+    As part of this change, Shorewall no longer adds the "--syn" option
+    to TCP rules that specify QUEUE as their target.
+
 Migration Considerations:
 
 1)  A number of macros have been split into two.  The macros affected are:
@@ -124,6 +132,16 @@ Migration Considerations:
     Beginning with Shorewall 3.2.0, the special exclusion syntax will no
     longer be supported.
 
+3)  Important if you use the QUEUE target.
+
+    In the /etc/shorewall/rules file and in actions, you may now specify
+    'tcpsyn' in the PROTO column. 'tcpsyn' is equivalent to 'tcp' but also
+    requires that the SYN flag is set and the RST, FIN and ACK flags be
+    off ("--syn" is added to the iptables rule).
+
+    As part of this change, Shorewall no longer adds the "--syn" option
+    to TCP rules that specify QUEUE as their target.
+
 New Features:
 
 1)  A new 'shorewall compile' command has been added.

Shorewall/rules

@@ -267,10 +267,13 @@
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-#                       "ipp2p:udp", "ipp2p:all" a number, or "all".
+#	PROTO		Protocol - Must be "tcp", "tcpsyn", "udp", "icmp",
+#			"ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all".
 #                       "ipp2p*" requires ipp2p match support in your kernel
 #                       and iptables.
+#
+			"tcpsyn" implies "tcp" plus the SYN flag must be
+			set and the RST,ACK and FIN flags must be reset.
 #
 #	DEST PORT(S)	Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port