diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 03f0bc9ee..40d8d654a 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -5441,6 +5441,7 @@ sub update_config_file( $ ) {
 update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} );
 update_default( 'LOGFORMAT', 'Shorewall:%s:%s:' );
 update_default( 'LOGLIMIT', '' );
+ update_default( 'AUTOMAKE', 'No' );
 if ( $family == F_IPV4 ) {
 update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 7499b692c..2744c2e7a 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -721,7 +721,13 @@ sub process_a_policy1($$$$$$$) {
 require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
- my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+ my ( $policy, $pactions );
+
+ if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
+ ( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
+ } else {
+ ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+ }
 fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
@@ -1604,8 +1610,8 @@ sub merge_levels ($$) {
 return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
- my @supparts = split /:/, $superior;
- my @subparts = split /:/, $subordinate;
+ my @supparts = split_list2( $superior , 'Action' );
+ my @subparts = split_list2( $subordinate , 'Action' );
 my $subparts = @subparts;
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 98d600f32..d5cc8ee60 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
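Review bot: The new pattern `/^NFQUEUE\((.*?)\)(?::?(.*))/` makes the ':' separator optional, so a malformed policy such as `NFQUEUE(1)junk` is accepted as policy `NFQUEUE(1)` with pactions `junk` instead of falling through to the split branch, where the whole string would presumably be rejected as an invalid policy; it also leaves `$pactions` as '' for a bare `NFQUEUE(1)` while the split branch leaves it undef. Requiring the colon inside the optional group and anchoring the end keeps both branches consistent and rejects trailing junk: `if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::(.*))?$/ ) {`. Whether downstream code treats '' and undef in `$pactions` differently is not visible here; `process_a_policy1` starts and ends outside the hunk.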
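Review bot: Both new `split_list2( $superior , 'Action' )` calls carry a stray space before the comma, unlike the `split( /:/, $originalpolicy, 2 )` spacing used elsewhere in this file; `my @supparts = split_list2( $superior, 'Action' );` and `my @subparts = split_list2( $subordinate, 'Action' );`. Nothing in the hunk says why a plain `split /:/` is no longer adequate or what the `'Action'` argument selects, so a short why-comment above the two calls would help the next reader, e.g. `# split on ':' but keep parenthesised parts such as NFQUEUE(1:3) intact` — assuming that is what split_list2 does, since its definition is not visible here. `merge_levels` starts and ends outside the hunk.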
@@ -674,15 +674,15 @@ the keyword bypass can be given. By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued are dropped.
- When this option is used, the NFQUEUE rule is silently
- bypassed instead. The packet will move on to the next rule.
- Also beginning in Shorewall 4.6.10, a second queue number
- (queuenumber2) may be specified.
- This specifies a range of queues to use. Packets are then
- balanced across the given queues. This is useful for multicore
- systems: start multiple instances of the userspace program on
- queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
- the same connection are put into the same nfqueue.
+ When this option is used, the NFQUEUE rule behaves like ACCEPT
+ instead. Also beginning in Shorewall 4.6.10, a second queue
+ number (queuenumber2) may be
+ specified. This specifies a range of queues to use. Packets
+ are then balanced across the given queues. This is useful for
+ multicore systems: start multiple instances of the userspace
+ program on queues x, x+1, .. x+n and use "x:x+n". Packets
+ belonging to the same connection are put into the same
+ nfqueue.
 Beginning with Shorewall 5.1.0, queuenumber2 may be followed by the letter 'c' to indicate that the CPU ID will be
diff --git a/docs/FTP.xml b/docs/FTP.xml
index d2c13d953..55b16eb1e 100644
--- a/docs/FTP.xml
+++ b/docs/FTP.xml
@@ -431,7 +431,7 @@ CT:helper:ftp loc - tcp 21/etc/shorewall/rules: #ACTION SOURCE DEST PROTO DPORT
-DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the
+DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }
 That entry will accept ftp connections on port 12345 from the net and forward them to host 192.168.1..2 and port 21 in the loc zone.