Document ICMP codes

This commit is contained in:
Tom Eastep 2009-11-05 11:44:40 -08:00
parent 28b660c853
commit b4199fd068
2 changed files with 79 additions and 4 deletions

@ -2125,10 +2125,12 @@ sub setup_mss( ) {
for ( @$interfaces ) { for ( @$interfaces ) {
my $mss = get_interface_option( $_, 'mss' ); my $mss = get_interface_option( $_, 'mss' );
my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss"; my $source = match_source_dev $_;
add_rule $chainref, "-o $_ -j RETURN" if $clampmss; my $dest = match_dest_dev $_;
add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss"; add_rule $chainref, "$dest -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
add_rule $chainref, "-i $_ -j RETURN" if $clampmss; add_rule $chainref, "$dest -j RETURN" if $clampmss;
add_rule $chainref, "$source -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
add_rule $chainref, "$source -j RETURN" if $clampmss;
} }
} }
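Review bot: The setup_mss() change (emitting interface matches through match_source_dev/match_dest_dev instead of raw -i $_/-o $_) alters the generated TCPMSS rules and is not covered by the commit message "Document ICMP codes"; either mention it in the message or split it into its own commit so the rule-generation change can be bisected independently of the documentation. The substitution itself is consistent: each of the four add_rule calls that used -o $_ now uses $dest, each that used -i $_ now uses $source, including the two RETURN rules emitted when $clampmss is set, and the SYN,RST SYN flag match and ${mssmatch}/${out_match}/${in_match} fragments are carried over unchanged.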

@ -1028,6 +1028,79 @@ Shorewall has detected the following iptables/netfilter capabilities:
"!tcp").</para> "!tcp").</para>
</section> </section>
<section>
<title>ICMP and ICMP6 Types and Codes</title>
<para>When dealing with ICMP, the DEST PORT specifies the type or type and
code. You may specify the numeric type, the numeric type and code
separated by a slash (e.g., 3/4) or you may use a type name. </para>
<para>Type names for IPv4 and their corresponding type or type/code
are:</para>
<programlisting>echo-reply' =&gt; 0
destination-unreachable =&gt; 3
network-unreachable =&gt; 3/0
host-unreachable =&gt; 3/1
protocol-unreachable =&gt; 3/2
port-unreachable =&gt; 3/3
fragmentation-needed =&gt; 3/4
source-route-failed =&gt; 3/5
network-unknown =&gt; 3/6
host-unknown =&gt; 3/7
network-prohibited =&gt; 3/9
host-prohibited =&gt; 3/10
TOS-network-unreachable =&gt; 3/11
TOS-host-unreachable =&gt; 3/12
communication-prohibited =&gt; 3/13
host-precedence-violation =&gt; 3/14
precedence-cutoff =&gt; 3/15
source-quench =&gt; 4
redirect =&gt; 5
network-redirect =&gt; 5/0
host-redirect =&gt; 5/1
TOS-network-redirect =&gt; 5/2
TOS-host-redirect =&gt; 5/3
echo-request =&gt; 8
router-advertisement =&gt; 9
router-solicitation =&gt; 10
time-exceeded =&gt; 11
ttl-zero-during-transit =&gt; 11/0
ttl-zero-during-reassembly=&gt; 11/1
parameter-problem =&gt; 12
ip-header-bad =&gt; 12/0
required-option-missing =&gt; 12/1
timestamp-request =&gt; 13
timestamp-reply =&gt; 14
address-mask-request =&gt; 17
address-mask-reply =&gt; 18</programlisting>
<para>Type names for IPv6 and their corresponding type or type/code
are:</para>
<programlisting>destination-unreachable =&gt; 1
no-route' =&gt; 1/0
communication-prohibited =&gt; 1/1
address-unreachable' =&gt; 1/2
port-unreachable' =&gt; 1/3
packet-too-big =&gt; 2
time-exceeded' =&gt; 3
ttl-exceeded' =&gt; 3
ttl-zero-during-transit =&gt; 3/0
ttl-zero-during-reassembly =&gt; 3/1
parameter-problem =&gt; 4
bad-header =&gt; 4/0
unknown-header-type =&gt; 4/1
unknown-option =&gt; 4/2
echo-request =&gt; 128
echo-reply =&gt; 129
router-solicitation =&gt; 133
router-advertisement =&gt; 134
neighbour-solicitation =&gt; 135
neighbour-advertisement =&gt; 136
redirect =&gt; 137</programlisting>
</section>
<section id="Ranges"> <section id="Ranges">
<title>Port Ranges</title> <title>Port Ranges</title>
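Review bot: Several names in the new type tables carry a stray trailing single quote (echo-reply' in the IPv4 list; no-route', address-unreachable', port-unreachable', time-exceeded' and ttl-exceeded' in the IPv6 list), apparently left over from the Perl hash the tables were copied from; a reader who types echo-reply' into DEST PORT will not have it recognized as a type name, so drop the quotes. Two smaller points: the IPv4 list jumps from host-unknown => 3/7 to network-prohibited => 3/9 while iptables also accepts source-host-isolated for 3/8, so confirm the omission is intentional; and the new <section> has no id= attribute, unlike the neighbouring <section id="Ranges">, so it cannot be cross-referenced from elsewhere in the manual.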