Merge branch '5.2.3'

This commit is contained in:
Tom Eastep 2019-09-03 07:45:57 -07:00
commit cb56991fee
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
4 changed files with 20 additions and 13 deletions


@ -5441,6 +5441,7 @@ sub update_config_file( $ ) {
update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} ); update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} );
update_default( 'LOGFORMAT', 'Shorewall:%s:%s:' ); update_default( 'LOGFORMAT', 'Shorewall:%s:%s:' );
update_default( 'LOGLIMIT', '' ); update_default( 'LOGLIMIT', '' );
update_default( 'AUTOMAKE', 'No' );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' ); update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );


@ -721,7 +721,13 @@ sub process_a_policy1($$$$$$$) {
require_capability 'AUDIT_TARGET', ":audit", "s" if $audit; require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 ); my ( $policy, $pactions );
if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
} else {
( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
}
fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy; fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
@ -1604,8 +1610,8 @@ sub merge_levels ($$) {
return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/; return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
my @supparts = split /:/, $superior; my @supparts = split_list2( $superior , 'Action' );
my @subparts = split /:/, $subordinate; my @subparts = split_list2( $subordinate , 'Action' );
my $subparts = @subparts; my $subparts = @subparts;
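Review bot: The new NFQUEUE branch in process_a_policy1 (first hunk of this file) makes the separator before the policy actions optional via `:?`, so a value with the colon missing, e.g. `NFQUEUE(2)extra` (constructed), is accepted with $pactions set to `extra`, whereas the split() path it replaces would have left the whole string in $policy for the `Invalid or missing POLICY` check to reject. With no colon at all, `(.*)` still participates and $pactions becomes the empty string rather than the undef a two-field split produces; whether later code tests `defined` rather than truth is not visible here. Requiring the colon and anchoring the end, `if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::(.*))?$/ ) {`, keeps both behaviours in line with the split() branch. The body of process_a_policy1 begins and ends outside the hunk.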


@ -674,15 +674,15 @@
the keyword <emphasis role="bold">bypass</emphasis> can be the keyword <emphasis role="bold">bypass</emphasis> can be
given. By default, if no userspace program is listening on an given. By default, if no userspace program is listening on an
NFQUEUE, then all packets that are to be queued are dropped. NFQUEUE, then all packets that are to be queued are dropped.
When this option is used, the NFQUEUE rule is silently When this option is used, the NFQUEUE rule behaves like ACCEPT
bypassed instead. The packet will move on to the next rule. instead. Also beginning in Shorewall 4.6.10, a second queue
Also beginning in Shorewall 4.6.10, a second queue number number (<replaceable>queuenumber2</replaceable>) may be
(<replaceable>queuenumber2</replaceable>) may be specified. specified. This specifies a range of queues to use. Packets
This specifies a range of queues to use. Packets are then are then balanced across the given queues. This is useful for
balanced across the given queues. This is useful for multicore multicore systems: start multiple instances of the userspace
systems: start multiple instances of the userspace program on program on queues x, x+1, .. x+n and use "x:x+n". Packets
queues x, x+1, .. x+n and use "x:x+n". Packets belonging to belonging to the same connection are put into the same
the same connection are put into the same nfqueue.</para> nfqueue.</para>
<para>Beginning with Shorewall 5.1.0, queuenumber2 may be <para>Beginning with Shorewall 5.1.0, queuenumber2 may be
followed by the letter 'c' to indicate that the CPU ID will be followed by the letter 'c' to indicate that the CPU ID will be


@ -431,7 +431,7 @@ CT:helper:ftp loc - tcp 21</programlisti
<para><filename>/etc/shorewall/rules:</filename></para> <para><filename>/etc/shorewall/rules:</filename></para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting> DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }</programlisting>
<para>That entry will accept ftp connections on port 12345 from the net <para>That entry will accept ftp connections on port 12345 from the net
and forward them to host 192.168.1..2 and port 21 in the loc zone.</para> and forward them to host 192.168.1..2 and port 21 in the loc zone.</para>