mirror of
https://gitlab.com/shorewall/code.git
synced 2025-04-21 09:48:53 +02:00
Add the TRACK_RULES option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
765b748283
commit
aabb22a50f
@ -287,6 +287,7 @@ our $VERSION = '4.5_18';
|
|||||||
# policy => <policy>
|
# policy => <policy>
|
||||||
# policychain => <name of policy chain> -- self-reference if this is a policy chain
|
# policychain => <name of policy chain> -- self-reference if this is a policy chain
|
||||||
# policypair => [ <policy source>, <policy dest> ] -- Used for reporting duplicated policies
|
# policypair => [ <policy source>, <policy dest> ] -- Used for reporting duplicated policies
|
||||||
|
# origin => <filename and line number of entry that created this policy chain>
|
||||||
# loglevel => <level>
|
# loglevel => <level>
|
||||||
# synparams => <burst/limit + connlimit>
|
# synparams => <burst/limit + connlimit>
|
||||||
# synchain => <name of synparam chain>
|
# synchain => <name of synparam chain>
|
||||||
@ -322,7 +323,7 @@ our $VERSION = '4.5_18';
|
|||||||
#
|
#
|
||||||
# Only 'referenced' chains get written to the iptables-restore input.
|
# Only 'referenced' chains get written to the iptables-restore input.
|
||||||
#
|
#
|
||||||
# 'loglevel', 'synparams', 'synchain', 'audit' and 'default' only apply to policy chains.
|
# 'loglevel', 'synparams', 'synchain', 'audit', 'default' abd 'origin' only apply to policy chains.
|
||||||
###########################################################################################################################################
|
###########################################################################################################################################
|
||||||
#
|
#
|
||||||
# For each ordered pair of zones, there may exist a 'canonical rules chain' in the filter table; the name of this chain is formed by
|
# For each ordered pair of zones, there may exist a 'canonical rules chain' in the filter table; the name of this chain is formed by
|
||||||
@ -1224,7 +1225,8 @@ sub push_rule( $$ ) {
|
|||||||
my $complete = 0;
|
my $complete = 0;
|
||||||
my $ruleref = transform_rule( $_[1], $complete );
|
my $ruleref = transform_rule( $_[1], $complete );
|
||||||
|
|
||||||
$ruleref->{comment} = "$comment" if $comment;
|
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
|
||||||
|
|
||||||
$ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
|
$ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
|
||||||
|
|
||||||
push @{$chainref->{rules}}, $ruleref;
|
push @{$chainref->{rules}}, $ruleref;
|
||||||
@ -1458,9 +1460,7 @@ sub create_irule( $$$;@ ) {
|
|||||||
$ruleref->{target} = '';
|
$ruleref->{target} = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $comment ) {
|
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $ruleref->{comment} || $comment;
|
||||||
$ruleref->{comment} = $comment unless $ruleref->{comment};
|
|
||||||
}
|
|
||||||
|
|
||||||
$iprangematch = 0;
|
$iprangematch = 0;
|
||||||
|
|
||||||
@ -1616,7 +1616,8 @@ sub insert_rule1($$$)
|
|||||||
|
|
||||||
my $ruleref = transform_rule( $rule );
|
my $ruleref = transform_rule( $rule );
|
||||||
|
|
||||||
$ruleref->{comment} = "$comment" if $comment;
|
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
|
||||||
|
|
||||||
assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) , $chainref->{name} );
|
assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) , $chainref->{name} );
|
||||||
$ruleref->{mode} = CAT_MODE;
|
$ruleref->{mode} = CAT_MODE;
|
||||||
|
|
||||||
@ -1656,9 +1657,8 @@ sub insert_irule( $$$$;@ ) {
|
|||||||
$chainref->{optflags} |= push_matches( $ruleref, @matches );
|
$chainref->{optflags} |= push_matches( $ruleref, @matches );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $comment ) {
|
|
||||||
$ruleref->{comment} = $comment unless $ruleref->{comment};
|
$ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
|
||||||
}
|
|
||||||
|
|
||||||
splice( @{$chainref->{rules}}, $number, 0, $ruleref );
|
splice( @{$chainref->{rules}}, $number, 0, $ruleref );
|
||||||
|
|
||||||
@ -3027,8 +3027,8 @@ sub calculate_digest( $ ) {
|
|||||||
#
|
#
|
||||||
# Replace jumps to the passed chain with jumps to the passed target
|
# Replace jumps to the passed chain with jumps to the passed target
|
||||||
#
|
#
|
||||||
sub replace_references( $$$;$ ) {
|
sub replace_references( $$$$;$ ) {
|
||||||
my ( $chainref, $target, $targetopts, $digest ) = @_;
|
my ( $chainref, $target, $targetopts, $comment, $digest ) = @_;
|
||||||
my $tableref = $chain_table{$chainref->{table}};
|
my $tableref = $chain_table{$chainref->{table}};
|
||||||
my $count = 0;
|
my $count = 0;
|
||||||
my $name = $chainref->{name};
|
my $name = $chainref->{name};
|
||||||
@ -3045,6 +3045,7 @@ sub replace_references( $$$;$ ) {
|
|||||||
if ( $_->{target} eq $name ) {
|
if ( $_->{target} eq $name ) {
|
||||||
$_->{target} = $target;
|
$_->{target} = $target;
|
||||||
$_->{targetopts} = $targetopts if $targetopts;
|
$_->{targetopts} = $targetopts if $targetopts;
|
||||||
|
$_->{comment} = $comment unless $_->{comment};
|
||||||
|
|
||||||
if ( $targetref ) {
|
if ( $targetref ) {
|
||||||
add_reference ( $fromref, $targetref );
|
add_reference ( $fromref, $targetref );
|
||||||
@ -3291,7 +3292,10 @@ sub optimize_level4( $$ ) {
|
|||||||
#
|
#
|
||||||
# Replace all references to this chain with references to the target
|
# Replace all references to this chain with references to the target
|
||||||
#
|
#
|
||||||
replace_references $chainref, $firstrule->{target}, $firstrule->{targetopts};
|
replace_references( $chainref,
|
||||||
|
$firstrule->{target},
|
||||||
|
$firstrule->{targetopts},
|
||||||
|
$firstrule->{comment} );
|
||||||
$progress = 1;
|
$progress = 1;
|
||||||
}
|
}
|
||||||
} elsif ( $firstrule->{target} ) {
|
} elsif ( $firstrule->{target} ) {
|
||||||
@ -3511,7 +3515,7 @@ sub optimize_level8( $$$ ) {
|
|||||||
if ( $chainref->{digest} eq $chainref1->{digest} ) {
|
if ( $chainref->{digest} eq $chainref1->{digest} ) {
|
||||||
progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
|
progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
|
||||||
$progress = 1;
|
$progress = 1;
|
||||||
replace_references $chainref1, $chainref->{name}, undef, 1;
|
replace_references $chainref1, $chainref->{name}, undef, '', 1;
|
||||||
|
|
||||||
unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
|
unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
|
||||||
#
|
#
|
||||||
@ -7599,7 +7603,9 @@ sub add_interface_options( $ ) {
|
|||||||
} else {
|
} else {
|
||||||
for my $interface ( @input_interfaces ) {
|
for my $interface ( @input_interfaces ) {
|
||||||
$chain1ref = $input_chains{$interface};
|
$chain1ref = $input_chains{$interface};
|
||||||
add_ijump ( $chainref , j => $chain1ref->{name}, @input_interfaces > 1 ? imatch_source_dev( $interface ) : () ) if @{$chain1ref->{rules}};
|
add_ijump ( $chainref ,
|
||||||
|
j => $chain1ref->{name},
|
||||||
|
@input_interfaces > 1 ? imatch_source_dev( $interface ) : () )->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
@ -7612,7 +7618,7 @@ sub add_interface_options( $ ) {
|
|||||||
} else {
|
} else {
|
||||||
for my $interface ( @forward_interfaces ) {
|
for my $interface ( @forward_interfaces ) {
|
||||||
$chain1ref = $forward_chains{$interface};
|
$chain1ref = $forward_chains{$interface};
|
||||||
add_ijump ( $chainref , j => $chain1ref->{name}, @forward_interfaces > 1 ? imatch_source_dev( $interface ) : () ) if @{$chain1ref->{rules}};
|
add_ijump ( $chainref , j => $chain1ref->{name}, @forward_interfaces > 1 ? imatch_source_dev( $interface ) : () )->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -48,6 +48,7 @@ our @EXPORT = qw(
|
|||||||
fatal_error
|
fatal_error
|
||||||
assert
|
assert
|
||||||
currentlineinfo
|
currentlineinfo
|
||||||
|
shortlineinfo
|
||||||
clear_currentfilename
|
clear_currentfilename
|
||||||
validate_level
|
validate_level
|
||||||
|
|
||||||
@ -213,7 +214,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
|||||||
|
|
||||||
Exporter::export_ok_tags('internal');
|
Exporter::export_ok_tags('internal');
|
||||||
|
|
||||||
our $VERSION = 'MODULEVERSION';
|
our $VERSION = '4.5.20-Beta1';
|
||||||
|
|
||||||
#
|
#
|
||||||
# describe the current command, it's present progressive, and it's completion.
|
# describe the current command, it's present progressive, and it's completion.
|
||||||
@ -800,6 +801,7 @@ sub initialize( $;$$) {
|
|||||||
DEFER_DNS_RESOLUTION => undef,
|
DEFER_DNS_RESOLUTION => undef,
|
||||||
USE_RT_NAMES => undef,
|
USE_RT_NAMES => undef,
|
||||||
CHAIN_SCRIPTS => undef,
|
CHAIN_SCRIPTS => undef,
|
||||||
|
TRACK_RULES => undef,
|
||||||
#
|
#
|
||||||
# Packet Disposition
|
# Packet Disposition
|
||||||
#
|
#
|
||||||
@ -1116,6 +1118,22 @@ sub currentlineinfo() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub shortlineinfo( $ ) {
|
||||||
|
if ( $config{TRACK_RULES} ) {
|
||||||
|
if ( $currentfile ) {
|
||||||
|
my $comment = '@@@ '. join( ':', $currentfilename, $currentlinenumber ) . ' @@@';
|
||||||
|
$comment = '@@@ ' . join( ':' , basename($currentfilename), $currentlinenumber) . ' @@@' if length $comment > 255;
|
||||||
|
$comment = '@@@ Filename Too Long @@@' if length $comment > 255;
|
||||||
|
$comment;
|
||||||
|
} else {
|
||||||
|
#
|
||||||
|
# Alternate lineinfo may have been passed
|
||||||
|
#
|
||||||
|
$_[0] || ''
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
sub handle_first_entry();
|
sub handle_first_entry();
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -5354,6 +5372,9 @@ sub get_configuration( $$$$ ) {
|
|||||||
default_yes_no 'MULTICAST' , '';
|
default_yes_no 'MULTICAST' , '';
|
||||||
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||||
default_yes_no 'CHAIN_SCRIPTS' , 'Yes';
|
default_yes_no 'CHAIN_SCRIPTS' , 'Yes';
|
||||||
|
default_yes_no 'TRACK_RULES' , '';
|
||||||
|
|
||||||
|
require_capability 'COMMENTS', 'TRACK_RULES=Yes', 's' if $config{TRACK_RULES};
|
||||||
|
|
||||||
default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
|
default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
|
||||||
default_yes_no 'USE_DEFAULT_RT' , '';
|
default_yes_no 'USE_DEFAULT_RT' , '';
|
||||||
|
|||||||
@ -832,7 +832,8 @@ sub add_common_rules ( $ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
for $interface ( all_real_interfaces ) {
|
for $interface ( all_real_interfaces ) {
|
||||||
ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
|
ensure_chain( 'filter', $_ )->{origin} = interface_origin( $interface )
|
||||||
|
for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
|
||||||
|
|
||||||
my $interfaceref = find_interface $interface;
|
my $interfaceref = find_interface $interface;
|
||||||
|
|
||||||
@ -860,7 +861,7 @@ sub add_common_rules ( $ ) {
|
|||||||
|
|
||||||
for ( option_chains( $interface ) ) {
|
for ( option_chains( $interface ) ) {
|
||||||
add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
|
add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
|
||||||
add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
|
add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -383,6 +383,7 @@ sub set_policy_chain($$$$$$)
|
|||||||
|
|
||||||
$chainref1->{policy} = $policy;
|
$chainref1->{policy} = $policy;
|
||||||
$chainref1->{policypair} = [ $source, $dest ];
|
$chainref1->{policypair} = [ $source, $dest ];
|
||||||
|
$chainref1->{origin} = $chainref->{origin};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -573,6 +574,8 @@ sub process_a_policy() {
|
|||||||
my $chainref1 = $usedactions{$default};
|
my $chainref1 = $usedactions{$default};
|
||||||
$chainref->{default} = $chainref1 ? $chainref1->{name} : $default;
|
$chainref->{default} = $chainref1 ? $chainref1->{name} : $default;
|
||||||
|
|
||||||
|
$chainref->{origin} = shortlineinfo('');
|
||||||
|
|
||||||
if ( $clientwild ) {
|
if ( $clientwild ) {
|
||||||
if ( $serverwild ) {
|
if ( $serverwild ) {
|
||||||
for my $zone ( @zonelist ) {
|
for my $zone ( @zonelist ) {
|
||||||
@ -880,11 +883,13 @@ sub complete_standard_chain ( $$$$ ) {
|
|||||||
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
|
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
|
||||||
|
|
||||||
if ( $policychainref ) {
|
if ( $policychainref ) {
|
||||||
( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' }
|
( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' };
|
||||||
|
$stdchainref->{origin} = $policychainref->{origin};
|
||||||
} elsif ( $defaultaction !~ /:/ ) {
|
} elsif ( $defaultaction !~ /:/ ) {
|
||||||
$defaultaction = join(":", $defaultaction, 'none', '', '' );
|
$defaultaction = join(":", $defaultaction, 'none', '', '' );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
|
policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -75,6 +75,7 @@ our @EXPORT = ( qw( NOTHING
|
|||||||
managed_interfaces
|
managed_interfaces
|
||||||
unmanaged_interfaces
|
unmanaged_interfaces
|
||||||
interface_number
|
interface_number
|
||||||
|
interface_origin
|
||||||
find_interface
|
find_interface
|
||||||
known_interface
|
known_interface
|
||||||
get_physical
|
get_physical
|
||||||
@ -1362,6 +1363,7 @@ sub process_interface( $$ ) {
|
|||||||
physical => $physical ,
|
physical => $physical ,
|
||||||
base => var_base( $physical ),
|
base => var_base( $physical ),
|
||||||
zones => {},
|
zones => {},
|
||||||
|
origin => shortlineinfo(''),
|
||||||
};
|
};
|
||||||
|
|
||||||
if ( $zone ) {
|
if ( $zone ) {
|
||||||
@ -1533,6 +1535,13 @@ sub interface_number( $ ) {
|
|||||||
$interfaces{$_[0]}{number} || 256;
|
$interfaces{$_[0]}{number} || 256;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Return interface origin
|
||||||
|
#
|
||||||
|
sub interface_origin( $ ) {
|
||||||
|
$interfaces{$_[0]}->{origin};
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Return the interfaces list
|
# Return the interfaces list
|
||||||
#
|
#
|
||||||
|
|||||||
@ -216,6 +216,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
|||||||
|
|
||||||
TRACK_PROVIDERS=Yes
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
|
TRACK_RULES=No
|
||||||
|
|
||||||
USE_DEFAULT_RT=No
|
USE_DEFAULT_RT=No
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
USE_PHYSICAL_NAMES=No
|
||||||
|
|||||||
@ -227,6 +227,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
|||||||
|
|
||||||
TRACK_PROVIDERS=Yes
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
|
TRACK_RULES=No
|
||||||
|
|
||||||
USE_DEFAULT_RT=No
|
USE_DEFAULT_RT=No
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
USE_PHYSICAL_NAMES=No
|
||||||
|
|||||||
@ -225,6 +225,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
|||||||
|
|
||||||
TRACK_PROVIDERS=Yes
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
|
TRACK_RULES=No
|
||||||
|
|
||||||
USE_DEFAULT_RT=No
|
USE_DEFAULT_RT=No
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
USE_PHYSICAL_NAMES=No
|
||||||
|
|||||||
@ -228,6 +228,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
|||||||
|
|
||||||
TRACK_PROVIDERS=Yes
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
|
TRACK_RULES=No
|
||||||
|
|
||||||
USE_DEFAULT_RT=No
|
USE_DEFAULT_RT=No
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
USE_PHYSICAL_NAMES=No
|
||||||
|
|||||||
@ -216,6 +216,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
|||||||
|
|
||||||
TRACK_PROVIDERS=No
|
TRACK_PROVIDERS=No
|
||||||
|
|
||||||
|
TRACK_RULES=No
|
||||||
|
|
||||||
USE_DEFAULT_RT=No
|
USE_DEFAULT_RT=No
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
USE_PHYSICAL_NAMES=No
|
||||||
|
|||||||
@ -1927,9 +1927,9 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Rules with comments <empty>, "FOO" and "BAR"
|
<para>Rules with comments <empty>, "FOO" and "BAR"
|
||||||
would result in the combined comment "Others and FOO, BAR".
|
would result in the combined comment "Others and FOO,
|
||||||
Note: Optimize level 16 requires "Extended Multi-port
|
BAR". Note: Optimize level 16 requires "Extended
|
||||||
Match" in your iptables and kernel.</para>
|
Multi-port Match" in your iptables and kernel.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
@ -2525,6 +2525,24 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">TRACK_RULES=</emphasis>{<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.20. If set to <emphasis
|
||||||
|
role="bold">Yes</emphasis>, causes the compiler to add a comment to
|
||||||
|
iptables rules to indicate the file name and line number of the
|
||||||
|
configuration entry that generated the rule. If set to <emphasis
|
||||||
|
role="bold">No</emphasis> (the default), then no such comments are
|
||||||
|
added.</para>
|
||||||
|
|
||||||
|
<para>Setting this option to <emphasis role="bold">Yes</emphasis>
|
||||||
|
requires the <firstterm>Comments</firstterm> capability in iptables
|
||||||
|
and kernel.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
|
role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
|
||||||
@ -2625,11 +2643,11 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.27. Normally, when Shorewall creates a
|
<para>Added in Shorewall 4.4.27. Normally, when Shorewall creates a
|
||||||
Netfilter chain that relates to an interface, it uses the
|
Netfilter chain that relates to an interface, it uses the
|
||||||
interface's logical name as the base of the chain name. For
|
interface's logical name as the base of the chain name. For example,
|
||||||
example, if the logical name for an interface is OAKLAND, then the
|
if the logical name for an interface is OAKLAND, then the input
|
||||||
input chain for traffic arriving on that interface would be
|
chain for traffic arriving on that interface would be 'OAKLAND_in'.
|
||||||
'OAKLAND_in'. If this option is set to Yes, then the physical name
|
If this option is set to Yes, then the physical name of the
|
||||||
of the interface will be used the base of the chain name.</para>
|
interface will be used the base of the chain name.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|||||||
@ -189,6 +189,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
|||||||
|
|
||||||
TRACK_PROVIDERS=Yes
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
|
TRACK_RULES=No
|
||||||
|
|
||||||
USE_DEFAULT_RT=No
|
USE_DEFAULT_RT=No
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
USE_PHYSICAL_NAMES=No
|
||||||
|
|||||||
@ -189,6 +189,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
|||||||
|
|
||||||
TRACK_PROVIDERS=Yes
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
|
TRACK_RULES=No
|
||||||
|
|
||||||
USE_DEFAULT_RT=No
|
USE_DEFAULT_RT=No
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
USE_PHYSICAL_NAMES=No
|
||||||
|
|||||||
@ -189,6 +189,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
|||||||
|
|
||||||
TRACK_PROVIDERS=Yes
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
|
TRACK_RULES=No
|
||||||
|
|
||||||
USE_DEFAULT_RT=No
|
USE_DEFAULT_RT=No
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
USE_PHYSICAL_NAMES=No
|
||||||
|
|||||||
@ -189,6 +189,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
|||||||
|
|
||||||
TRACK_PROVIDERS=Yes
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
|
TRACK_RULES=No
|
||||||
|
|
||||||
USE_DEFAULT_RT=No
|
USE_DEFAULT_RT=No
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
USE_PHYSICAL_NAMES=No
|
||||||
|
|||||||
@ -189,6 +189,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
|||||||
|
|
||||||
TRACK_PROVIDERS=No
|
TRACK_PROVIDERS=No
|
||||||
|
|
||||||
|
TRACK_RULES=No
|
||||||
|
|
||||||
USE_DEFAULT_RT=No
|
USE_DEFAULT_RT=No
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
USE_PHYSICAL_NAMES=No
|
||||||
|
|||||||
@ -1680,9 +1680,9 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Rules with comments <empty>, "FOO" and "BAR"
|
<para>Rules with comments <empty>, "FOO" and "BAR"
|
||||||
would result in the combined comment "Others and FOO, BAR".
|
would result in the combined comment "Others and FOO,
|
||||||
Note: Optimize level 16 requires "Extended Multi-port
|
BAR". Note: Optimize level 16 requires "Extended
|
||||||
Match" in your iptables and kernel.</para>
|
Multi-port Match" in your iptables and kernel.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
@ -2185,6 +2185,24 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">TRACK_RULES=</emphasis>{<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.20. If set to <emphasis
|
||||||
|
role="bold">Yes</emphasis>, causes the compiler to add a comment to
|
||||||
|
iptables rules to indicate the file name and line number of the
|
||||||
|
configuration entry that generated the rule. If set to <emphasis
|
||||||
|
role="bold">No</emphasis> (the default), then no such comments are
|
||||||
|
added.</para>
|
||||||
|
|
||||||
|
<para>Setting this option to <emphasis role="bold">Yes</emphasis>
|
||||||
|
requires the <firstterm>Comments</firstterm> capability in ip6tables
|
||||||
|
and kernel.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
|
role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
|
||||||
@ -2281,11 +2299,11 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.27. Normally, when Shorewall creates a
|
<para>Added in Shorewall 4.4.27. Normally, when Shorewall creates a
|
||||||
Netfilter chain that relates to an interface, it uses the
|
Netfilter chain that relates to an interface, it uses the
|
||||||
interface's logical name as the base of the chain name. For
|
interface's logical name as the base of the chain name. For example,
|
||||||
example, if the logical name for an interface is OAKLAND, then the
|
if the logical name for an interface is OAKLAND, then the input
|
||||||
input chain for traffic arriving on that interface would be
|
chain for traffic arriving on that interface would be 'OAKLAND_in'.
|
||||||
'OAKLAND_in'. If this option is set to Yes, then the physical name
|
If this option is set to Yes, then the physical name of the
|
||||||
of the interface will be used the base of the chain name.</para>
|
interface will be used the base of the chain name.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user