Merge branch '5.2.3'
This commit is contained in:
commit
cb56991fee
@ -5441,6 +5441,7 @@ sub update_config_file( $ ) {
|
|||||||
update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} );
|
update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} );
|
||||||
update_default( 'LOGFORMAT', 'Shorewall:%s:%s:' );
|
update_default( 'LOGFORMAT', 'Shorewall:%s:%s:' );
|
||||||
update_default( 'LOGLIMIT', '' );
|
update_default( 'LOGLIMIT', '' );
|
||||||
|
update_default( 'AUTOMAKE', 'No' );
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
|
update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
|
||||||
|
@ -721,7 +721,13 @@ sub process_a_policy1($$$$$$$) {
|
|||||||
|
|
||||||
require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
|
require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
|
||||||
|
|
||||||
my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
|
my ( $policy, $pactions );
|
||||||
|
|
||||||
|
if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
|
||||||
|
( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
|
||||||
|
} else {
|
||||||
|
( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
|
||||||
|
}
|
||||||
|
|
||||||
fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
|
fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
|
||||||
|
|
||||||
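Review bot: The new NFQUEUE branch accepts any trailing text after the closing parenthesis, because in `/^NFQUEUE\((.*?)\)(?::?(.*))/` the colon is optional and `.*` may be empty, so an entry such as `NFQUEUE(1)foo` is silently parsed as queue `1` with policy actions `foo` rather than being caught as a malformed policy (the `fatal_error` below only fires when `$policy` is empty, and before this change the whole string would have reached whatever later validation rejects unknown policy names). Anchoring and requiring the separator, `if ( $originalpolicy =~ /^NFQUEUE\(([^)]*)\)(?::(.*))?$/ ) {`, keeps a `queue:queue2` range intact (which I take to be the motivation for bypassing `split`) while leaving `$pactions` undefined when nothing follows, matching what the `split( /:/, $originalpolicy, 2 )` branch yields for a bare policy. A one-line comment above the `if`, `# NFQUEUE(x:y) carries a colon inside the parentheses, so it cannot be split on ':' like other policies`, would record why this case is special. The rest of process_a_policy1 lies outside the hunk.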
@ -1604,8 +1610,8 @@ sub merge_levels ($$) {
|
|||||||
|
|
||||||
return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
|
return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
|
||||||
|
|
||||||
my @supparts = split /:/, $superior;
|
my @supparts = split_list2( $superior , 'Action' );
|
||||||
my @subparts = split /:/, $subordinate;
|
my @subparts = split_list2( $subordinate , 'Action' );
|
||||||
|
|
||||||
my $subparts = @subparts;
|
my $subparts = @subparts;
|
||||||
|
|
||||||
|
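Review bot: The two new `split_list2( $superior , 'Action' )` calls put a space before the comma, which differs from the spacing used elsewhere in this commit (`split( /:/, $originalpolicy, 2 )` in the process_a_policy1 hunk); `split_list2( $superior, 'Action' )` and `split_list2( $subordinate, 'Action' )` would read consistently. What split_list2 does with a colon inside a parenthesized argument such as `NFQUEUE(x:y)` is not visible here; if it keeps such a token whole, the hand-written NFQUEUE regex added to process_a_policy1 in this same commit could call it instead, so the two policy parsers cannot drift apart. merge_levels' body continues outside the hunk.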
@ -674,15 +674,15 @@
|
|||||||
the keyword <emphasis role="bold">bypass</emphasis> can be
|
the keyword <emphasis role="bold">bypass</emphasis> can be
|
||||||
given. By default, if no userspace program is listening on an
|
given. By default, if no userspace program is listening on an
|
||||||
NFQUEUE, then all packets that are to be queued are dropped.
|
NFQUEUE, then all packets that are to be queued are dropped.
|
||||||
When this option is used, the NFQUEUE rule is silently
|
When this option is used, the NFQUEUE rule behaves like ACCEPT
|
||||||
bypassed instead. The packet will move on to the next rule.
|
instead. Also beginning in Shorewall 4.6.10, a second queue
|
||||||
Also beginning in Shorewall 4.6.10, a second queue number
|
number (<replaceable>queuenumber2</replaceable>) may be
|
||||||
(<replaceable>queuenumber2</replaceable>) may be specified.
|
specified. This specifies a range of queues to use. Packets
|
||||||
This specifies a range of queues to use. Packets are then
|
are then balanced across the given queues. This is useful for
|
||||||
balanced across the given queues. This is useful for multicore
|
multicore systems: start multiple instances of the userspace
|
||||||
systems: start multiple instances of the userspace program on
|
program on queues x, x+1, .. x+n and use "x:x+n". Packets
|
||||||
queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
|
belonging to the same connection are put into the same
|
||||||
the same connection are put into the same nfqueue.</para>
|
nfqueue.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 5.1.0, queuenumber2 may be
|
<para>Beginning with Shorewall 5.1.0, queuenumber2 may be
|
||||||
followed by the letter 'c' to indicate that the CPU ID will be
|
followed by the letter 'c' to indicate that the CPU ID will be
|
||||||
|
@ -431,7 +431,7 @@ CT:helper:ftp loc - tcp 21</programlisti
|
|||||||
<para><filename>/etc/shorewall/rules:</filename></para>
|
<para><filename>/etc/shorewall/rules:</filename></para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting>
|
DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }</programlisting>
|
||||||
|
|
||||||
<para>That entry will accept ftp connections on port 12345 from the net
|
<para>That entry will accept ftp connections on port 12345 from the net
|
||||||
and forward them to host 192.168.1..2 and port 21 in the loc zone.</para>
|
and forward them to host 192.168.1..2 and port 21 in the loc zone.</para>
|
||||||
|