diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 878984218..7260c6cfb 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -743,6 +743,14 @@ sub compiler { # Setup Masquerading/SNAT # setup_masq; + # + # Setup Nat + # + setup_nat; + # + # Setup NETMAP + # + setup_netmap; } # @@ -770,17 +778,6 @@ sub compiler { # Apply Policies # apply_policy_rules; - - if ( $family == F_IPV4 ) { - # - # Setup Nat - # - setup_nat; - # - # Setup NETMAP - # - setup_netmap; - } # # Accounting. # diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 380d9141a..bc36bf41e 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1303,7 +1303,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { my $chn; - for ( zone_interfaces $sourcezone ) { + for ( keys %{zone_interfaces $sourcezone} ) { my $ichain = input_chain $_; if ( $nat_table->{$ichain} ) { diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 3a7401109..18c6ed70e 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -4,6 +4,10 @@ Changes in Shorewall 4.4.0-RC1 2) Fix routing when no providers. +3) Add 'any' as a SOURCE/DEST in rules. + +4) Fix NONAT on child zone. + Changes in Shorewall 4.4.0-Beta4 1) Add more macros. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index e0e8496d8..20cd58108 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -118,6 +118,9 @@ Shorewall 4.4.0 RC1 2) Previously, Shorewall might alter the routing when there were no providers, even if the "-n" option was given. +3) Previously, NONAT rules on a sub-zone were not exempted from + DNAT/REDIRECT rules of a parent zone. + ---------------------------------------------------------------------------- K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
@@ -128,7 +131,11 @@ None. N E W F E A T U R E S I N 4 . 4 . 0 RC1 ---------------------------------------------------------------------------- -None. +1) A new keyword 'any' may be used in the SOURCE and DEST columns of + the rules file. In the absense of nested zones, 'any' works the + same as 'all'. When there are nested zones, 'any' only selects the + top-level zones. 'any' is intended to be used with + IMPLICIT_CONTINUE=Yes in shorewall.conf. ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 4 diff --git a/manpages/shorewall-accounting.xml b/manpages/shorewall-accounting.xml index 068d08263..d6c9ccaf9 100644 --- a/manpages/shorewall-accounting.xml +++ b/manpages/shorewall-accounting.xml @@ -300,8 +300,7 @@ Designates a connection mark. If omitted, the packet - mark's value is tested. This option is only supported by - Shorewall-perl. + mark's value is tested. diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml index 569d84252..adc7b73ad 100644 --- a/manpages/shorewall-interfaces.xml +++ b/manpages/shorewall-interfaces.xml @@ -79,16 +79,15 @@ loc eth2 - url="shorewall-nesting.html">shorewall-nesting(5) for a discussion of this problem. - Beginning with Shorewall 4.2.3, Shorewall-perl allows '+' as - an interface name. + Shorewall allows '+' as an interface name. There is no need to define the loopback interface (lo) in this file. - (Shorewall-perl only) If a port is - given, then the interface must have been - defined previously with the option. The - OPTIONS column may not contain the following options when a + If a port is given, then the + interface must have been defined + previously with the option. The OPTIONS + column may not contain the following options when a port is given. 
@@ -134,12 +133,6 @@ loc eth2 - If you don't want to give a value for this column but you want to enter a value in the OPTIONS column, enter - in this column. - - Note to Shorewall-perl users: - Shorewall-perl only supports or - in this column. If you specify - addresses, a compilation warning will be - issued. @@ -164,12 +157,10 @@ loc eth2 - requests for IP addresses on any of the firewall's interface. The interface must be up when Shorewall is started. - The option value (0 or 1) may only be specified if you - are using Shorewall-perl. With Shorewall-perl, only those - interfaces with the option will - have their setting changes; the value assigned to the setting - will be the value specified (if any) or 1 if no value is - given. + Only those interfaces with the + option will have their setting + changes; the value assigned to the setting will be the value + specified (if any) or 1 if no value is given. @@ -237,8 +228,7 @@ loc eth2 - bridge - (Shorewall-perl only) Designates the interface as a - bridge. + Designates the interface as a bridge. @@ -300,12 +290,10 @@ loc eth2 - specify because your distribution may be enabling route filtering without you knowing it. - The option value (0 or 1) may only be specified if you - are using Shorewall-perl. With Shorewall-perl, only those - interfaces with the option will - have their setting changes; the value assigned to the setting - will be the value specified (if any) or 1 if no value is - given. + Only those interfaces with the + option will have their setting + changes; the value assigned to the setting will be the value + specified (if any) or 1 if no value is given. To find out if route filtering is set on a given interface, check the contents of @@ -377,9 +365,8 @@ loc eth2 - optional - Only supported by Shorewall-perl. When - is specified for an interface, - Shorewall will be silent when: + When is specified for an + interface, Shorewall will be silent when: 
@@ -436,12 +423,10 @@ loc eth2 - not work with a wild-card interface name (e.g., eth0.+) in the INTERFACE column. - The option value (0 or 1) may only be specified if you - are using Shorewall-perl. With Shorewall-perl, only those - interfaces with the option will have - their setting changed; the value assigned to the setting will - be the value specified (if any) or 1 if no value is - given. + Only those interfaces with the + option will have their setting changed; the value assigned to + the setting will be the value specified (if any) or 1 if no + value is given. @@ -466,12 +451,10 @@ loc eth2 - Turn on kernel route filtering for this interface (anti-spoofing measure). - The option value (0 or 1) may only be specified if you - are using Shorewall-perl. With Shorewall-perl, only those - interfaces with the option will - have their setting changes; the value assigned to the setting - will be the value specified (if any) or 1 if no value is - given. + Only those interfaces with the + option will have their setting + changes; the value assigned to the setting will be the value + specified (if any) or 1 if no value is given. @@ -502,12 +485,10 @@ loc eth2 - This might represent a security risk and is not usually needed. - The option value (0 or 1) may only be specified if you - are using Shorewall-perl. With Shorewall-perl, only those - interfaces with the option will - have their setting changes; the value assigned to the setting - will be the value specified (if any) or 1 if no value is - given. + Only those interfaces with the + option will have their setting + changes; the value assigned to the setting will be the value + specified (if any) or 1 if no value is given. @@ -551,7 +532,7 @@ loc eth2 - causes Shorewall to detect the default gateway through the interface and to accept UDP packets from that gateway. Note that, like all aspects of UPnP, this is a security hole so use - this option at your own risk. + this option at your own risk. 
diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml index b763a36e6..aba5a2f48 100644 --- a/manpages/shorewall-masq.xml +++ b/manpages/shorewall-masq.xml @@ -50,22 +50,19 @@ role="bold">,address]...[exclusion]]|COMMENT} - Outgoing interfacelist. Prior to - Shorewall 4.1.4, this must be a single interface name; in 4.1.4 and - later, this may be a comma-separated list of interface names. This - is usually your internet interface. If ADD_SNAT_ALIASES=Yes in - shorewall.conf(5), you may - add ":" and a digit to indicate that you want - the alias added with that name (e.g., eth0:0). This will allow the - alias to be displayed with ifconfig. That is - the only use for the alias name; it may not appear in any other - place in your Shorewall configuration. + Outgoing interfacelist. This may be a + comma-separated list of interface names. This is usually your + internet interface. If ADD_SNAT_ALIASES=Yes in shorewall.conf(5), you may add ":" + and a digit to indicate that you want the alias + added with that name (e.g., eth0:0). This will allow the alias to be + displayed with ifconfig. That is the only use + for the alias name; it may not appear in any other place in your + Shorewall configuration. Each interface must match an entry in shorewall-interfaces(5). - Prior to Shorewall 4.1.4, this must be an exact match. - Shorewall-perl 4.1.4 and later allow loose matches to wildcard - entries in shorewall-interfaces(5). For example, ppp0 in this file will match a SOURCE (Formerly called SUBNET) - - {interface[[:]exclusion]|address[interface[:exclusion]|address[,address][exclusion]} 
@@ -131,15 +128,11 @@ list of IP addresses (host or net) that you wish to exclude (see shorewall-exclusion(5))). - Note that with Shorewall-perl, a colon (":") must appear between an + Note that a colon (":") must appear between an interface name and the exclusion; - Example (shorewall-shell): - eth1!192.168.1.4,192.168.32.0/27 - - Example (shorewall-perl): - eth1:!192.168.1.4,192.168.32.0/27 + Example: eth1:!192.168.1.4,192.168.32.0/27 In that example traffic from eth1 would be masqueraded unless it came from 192.168.1.4 or 196.168.32.0/27 @@ -166,12 +159,11 @@ want the SNAT address to be assigned from that range in a round-robin fashion by connection. The range is specified by first.ip.in.range-last.ip.in.range. - Beginning with Shorewall 4.0.6, you may follow the port range - with :random in which case - assignment of ports from the list will be random. random may also be specified by itself in - this column in which case random local port assignments are made for - the outgoing connections. + You may follow the port range with + :random in which case assignment of ports from the list + will be random. random may also be + specified by itself in this column in which case random local port + assignments are made for the outgoing connections. Example: 206.124.146.177-206.124.146.180 @@ -379,8 +371,7 @@ Designates a connection mark. If omitted, the packet - mark's value is tested. This option is only supported by - Shorewall-perl. + mark's value is tested. diff --git a/manpages/shorewall-nat.xml b/manpages/shorewall-nat.xml index 7578559a7..20bf493a6 100644 --- a/manpages/shorewall-nat.xml +++ b/manpages/shorewall-nat.xml 
@@ -85,9 +85,7 @@ Each interface must match an entry in shorewall-interfaces(5). - Prior to Shorewall 4.1.4, this must be an exact match. - Shorewall-perl 4.1.4 and later allow loose matches to wildcard - entries in shorewall-interfaces(5). For example, ppp0 in this file will match a ppp+. - Prior to Shorewall 4.1.4, - interfacelist must be a single interface - name. Beginning with Shorewall-perl 4.1.4, Shorewall-perl users may - specify a comma-separated list of interfaces. - If you want to override ADD_IP_ALIASES=Yes for a particular entry, follow the interface name with ":" and no digit (e.g., "eth0:"). diff --git a/manpages/shorewall-netmap.xml b/manpages/shorewall-netmap.xml index a2955a13d..bf3eb0c53 100644 --- a/manpages/shorewall-netmap.xml +++ b/manpages/shorewall-netmap.xml @@ -1,4 +1,6 @@ + shorewall-netmap @@ -66,10 +68,8 @@ The name of a network interface. The interface must be defined in shorewall-interfaces(5) - Prior to Shorewall 4.1.4, this must be an exact match. - Shorewall-perl 4.1.4 and later allow loose matches to wildcard - entries in shorewall-interfaces(5). + Shorewall allows loose matches to wildcard entries in shorewall-interfaces(5). For example, ppp0 in this file will match a - \ No newline at end of file + diff --git a/manpages/shorewall-notrack.xml b/manpages/shorewall-notrack.xml index af1821173..4b6c38dd6 100644 --- a/manpages/shorewall-notrack.xml +++ b/manpages/shorewall-notrack.xml @@ -27,9 +27,6 @@ connection tracking. Traffic matching entries in this fill will not be tracked. - The file was added in shorewall-perl 4.2.7 and is not supported by - shorewall-shell or by earlier versions of shorewall-perl. - The columns in the file are as follows. diff --git a/manpages/shorewall-policy.xml b/manpages/shorewall-policy.xml index 9efe9f67a..87e010b0d 100644 --- a/manpages/shorewall-policy.xml +++ b/manpages/shorewall-policy.xml 
@@ -165,9 +165,9 @@ NFQUEUE - Added in Shorewall-perl 4.0.3. Queue the request for a - user-space application using the nfnetlink_queue mechanism. If - a queuenumber is not given, queue + Queue the request for a user-space application using the + nfnetlink_queue mechanism. If a + queuenumber is not given, queue zero (0) is assumed. @@ -256,17 +256,17 @@ limit[:mask] - Added in Shorewall-perl 4.2.1. May be used to limit the number - of simultaneous connections from each individual host to - limit connections. While the limit is - only checked on connections to which this policy could apply, the - number of current connections is calculated over all current - connections from the SOURCE host. By default, the limit is applied - to each host individually but can be made to apply to networks of - hosts by specifying a mask. The - mask specifies the width of a VLSM mask - to be applied to the source address; the number of current - connections is then taken over all hosts in the subnet + May be used to limit the number of simultaneous connections + from each individual host to limit + connections. While the limit is only checked on connections to which + this policy could apply, the number of current connections is + calculated over all current connections from the SOURCE host. By + default, the limit is applied to each host individually but can be + made to apply to networks of hosts by specifying a + mask. The mask + specifies the width of a VLSM mask to be applied to the source + address; the number of current connections is then taken over all + hosts in the subnet source-address/mask. diff --git a/manpages/shorewall-providers.xml b/manpages/shorewall-providers.xml index adf3b30f5..d5f8f9fe9 100644 --- a/manpages/shorewall-providers.xml +++ b/manpages/shorewall-providers.xml 
@@ -214,13 +214,13 @@ role="bold">src=source-address - Added in Shorewall-perl 4.1.5. Specifies the source - address to use when routing to this provider and none is known - (the local client has bound to the 0 address). May not be - specified when an address is given - in the INTERFACE column. If this option is not used, Shorewall - substitutes the primary IP address on the interface named in - the INTERFACE column. + Specifies the source address to use when routing to this + provider and none is known (the local client has bound to the + 0 address). May not be specified when an + address is given in the INTERFACE + column. If this option is not used, Shorewall substitutes the + primary IP address on the interface named in the INTERFACE + column. @@ -229,9 +229,9 @@ role="bold">mtu=number - Added in Shorewall-perl 4.1.5. Specifies the MTU when - forwarding through this provider. If not given, the MTU of the - interface named in the INTERFACE column is assumed. + Specifies the MTU when forwarding through this provider. + If not given, the MTU of the interface named in the INTERFACE + column is assumed. @@ -240,9 +240,8 @@ role="bold">fallback[=weight] - Added in Shorewall-perl 4.2.5. Indicates that a default - route through the provider should be added to the default - routing table (table 253). If a + Indicates that a default route through the provider + should be added to the default routing table (table 253). If a weight is given, a balanced route is added with the weight of this provider equal to the specified weight. If the option is diff --git a/manpages/shorewall-routestopped.xml b/manpages/shorewall-routestopped.xml index c01acbbce..4749e837b 100644 --- a/manpages/shorewall-routestopped.xml +++ b/manpages/shorewall-routestopped.xml 
@@ -25,9 +25,7 @@ Description This file is used to define the hosts that are accessible when the - firewall is stopped or is being stopped. When shorewall-shell is being - used, the file also determines those hosts that are accessible when the - firewall is in the process of being [re]started. + firewall is stopped or is being stopped. Changes to this file do not take effect until after the next @@ -125,7 +123,7 @@ protocol-name-or-number - Only available with Shorewall-perl 4.2.7 and later. + Protocol. @@ -134,10 +132,9 @@ service-name/port-number-list - Only available with Shorewall-perl 4.2.7 and later. A - comma-separated list of port numbers and/or service names from - /etc/services. May also include port ranges of - the form + A comma-separated list of port numbers and/or service names + from /etc/services. May also include port + ranges of the form low-port:high-port if your kernel and iptables include port range support. @@ -148,10 +145,9 @@ service-name/port-number-list - Only available with Shorewall-perl 4.2.7 and later. A - comma-separated list of port numbers and/or service names from - /etc/services. May also include port ranges of - the form + A comma-separated list of port numbers and/or service names + from /etc/services. May also include port + ranges of the form low-port:high-port if your kernel and iptables include port range support. diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index 82a19d12b..5278f3be4 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml @@ -343,8 +343,6 @@ NFQUEUE - Only supported by Shorewall-perl >= 4.0.3. - Queues the packet to a user-space application using the nfnetlink_queue mechanism. If a queuenumber is not specified, queue 
@@ -471,8 +469,9 @@ SOURCE - - {zone|all[zone|{all|any}[+][-]}[:interface][ + any is equivalent to + all when there are no nested zones. + When there are nested zones, any + only refers to top-level zones (those with no parent zones). + Hosts may also be specified as an IP address range using the syntax lowaddress-highaddress. @@ -586,60 +590,14 @@ - -
- Alternatively, clients may be specified by interface by - appending ":" to the zone name followed by the interface name. For - example, loc:eth1 specifies a - client that communicates with the firewall system through eth1. - This may be optionally followed by another colon (":") and an - IP/MAC/subnet address as described above (e.g., loc:eth1:192.168.1.5). - - It is important to note that when using Shorewall-shell and specifying an - address list that will be split (i.e., a comma separated list), - there is a subtle behavior which has the potential to cause - confusion. Consider the two examples below: -
- - Examples: - - - - loc:eth1:192.168.1.3,192.168.1.5 - - - Hosts 192.168.1.3 and 192.168.1.5 in the Local zone, - with 192.168.1.3 coming from eth1 and 192.168.1.5 originating - from any interface in the zone. - - - - - loc:eth1:192.168.1.3,eth1:192.168.1.5 - - - Hosts 192.168.1.3 and 192.168.1.5 in the Local zone, - with both originating from - eth1. - - - - -
- That is, the interface name must be explicitly stated for - each member of the comma separated list. Again, this distinction - in behavior only occurs when using - Shorewall-shell. -
DEST - - {zone|all[zone|{all|any}[+][-]}[:{interface|address-or-range[,address-or-range]...[exclusion]|exclusion|all+ is used, intra-zone traffic is affected. - Beginning with Shorewall 4.1.4, the - zone should be omitted in DNAT-, - REDIRECT- and NONAT rules. + any is equivalent to + all when there are no nested zones. + When there are nested zones, any + only refers to top-level zones (those with no parent zones). + + The zone should be omitted in + DNAT-, REDIRECT- and NONAT rules. If the DEST zone is a bport zone, then either: @@ -702,12 +664,7 @@ 1. MAC addresses are not allowed (this is a Netfilter restriction). - 2.Prior to Shorewall 4.1.4, only IP addresses are allowed in - DNAT rules; no DNS names are - permitted. In no case may a network be specified as the - server. - - 3. You may not specify both an interface and an + 2. You may not specify both an interface and an address. Like in the SOURCE column, 
@@ -747,20 +704,15 @@ - If you are using Shorewall-shell or Shorewall-perl before - version 4.0.5, then the port number MUST be specified as an - integer and not as a name from services(5). Shorewall-perl 4.0.5 - and later permit the port to be specified as - a service name. Additionally, Shorewall-perl 4.0.5 and later - permit specifying a port range in the form + The port may be specified as a service + name. You may specify a port range in the form lowport-highport to cause connections to be assigned to ports in the range in round-robin fashion. When a port range is specified, lowport and highport must be given as integers; service - names are not permitted. Beginning with Shorewall 4.0.6, the port - range may be optionally followed by :random which causes assignment to ports in - the list to be random. + names are not permitted. Additionally, the port range may be + optionally followed by :random + which causes assignment to ports in the list to be random. If the ACTION is REDIRECT or 2. No port ranges are included or your kernel and iptables contain extended multiport match support. - - Otherwise, unless you are using Shorewall-perl, a separate rule - will be generated for each port. Shorewall-perl does not - automatically break up lists into individual rules. @@ -864,11 +811,6 @@ 2. No port ranges are included or your kernel and iptables contain extended multiport match support. - - Otherwise, unless you are using Shorewall-perl, a separate - rule will be generated for each port. Shorewall-perl does not - automatically break up lists into individual rules. @@ -1058,8 +1000,7 @@ Designates a connection mark. If omitted, the packet - mark's value is tested. This option is only supported by - Shorewall-perl. + mark's value is tested. 
@@ -1178,18 +1119,7 @@ - Restrictions - - Unless you are using Shorewall-perl and your - iptables/kernel have Repeat Match support (see the - output of shorewall show capabilities), if you specify - a list of DEST PORT(S), then you may not specify SOURCE PORT(S) and vice - versa. - - - - Example + Examples diff --git a/manpages/shorewall-tcclasses.xml b/manpages/shorewall-tcclasses.xml index f3af8188d..18d6dea3a 100644 --- a/manpages/shorewall-tcclasses.xml +++ b/manpages/shorewall-tcclasses.xml @@ -236,8 +236,8 @@ role="bold">,option]...] - Added in Shorewall-perl 4.1. A comma-separated list of options - including the following: + A comma-separated list of options including the + following: @@ -266,7 +266,7 @@ This lets you define a classifier for the given value/mask combination of the IP packet's TOS/Precedence/DiffSrv octet - (aka the TOS byte). + (aka the TOS byte). diff --git a/manpages/shorewall-tcdevices.xml b/manpages/shorewall-tcdevices.xml index aead56559..2c2c7fc43 100644 --- a/manpages/shorewall-tcdevices.xml +++ b/manpages/shorewall-tcdevices.xml @@ -113,10 +113,9 @@ Shorewall assigns a sequential interface number to each interface (the first entry in the file is - interface 1, the second is interface 2 and so on) Beginning with - Shorewall-perl 4.1.6, you can explicitly specify the interface - number by prefixing the interface name with the number and a colon - (":"). Example: 1:eth0. + interface 1, the second is interface 2 and so on) You can explicitly + specify the interface number by prefixing the interface name with + the number and a colon (":"). Example: 1:eth0. 
@@ -176,13 +175,12 @@ [interface[,interface]...] - Added in Shorewall-perl 4.1.6. May only be specified if the - interface in the INTERFACE column is an Intermediate Frame Block - (IFB) device. Causes packets that enter each listed interface to be - passed through the egress filters defined for this device, thus - providing a form of incoming traffic shaping. When this column is - non-empty, the classify option is - assumed. + May only be specified if the interface in the INTERFACE column + is an Intermediate Frame Block (IFB) device. Causes packets that + enter each listed interface to be passed through the egress filters + defined for this device, thus providing a form of incoming traffic + shaping. When this column is non-empty, the classify option is assumed. diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml index b05322357..5d601bce2 100644 --- a/manpages/shorewall-tcrules.xml +++ b/manpages/shorewall-tcrules.xml 
@@ -93,14 +93,11 @@ - If the SOURCE is $FW[:address-or-range[,address-or-range]...], - then the rule is inserted into the OUTPUT chain. The behavior - changed in Shorewall-perl 4.1. Previously, when - HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero mark values - < 256 to be assigned in the OUTPUT chain. This has been - changed so that only high mark values may be assigned there. - Packet marking rules for traffic shaping of packets originating - on the firewall must be coded in the POSTROUTING chain (see - below). + then the rule is inserted into the OUTPUT chain. When + HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned + there. Packet marking rules for traffic shaping of packets + originating on the firewall must be coded in the POSTROUTING + chain (see below). - Otherwise, the chain is determined by the setting of MARK_IN_FORWARD_CHAIN in :F) or the OUTPUT chain (SOURCE is $FW). With HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not - permitted. Shorewall 4.1 and later versions prohibit non-zero - mark values less that 256 in the OUTPUT chain when - HIGH_ROUTE_MARKS=Yes. While earlier versions allow such values - in the OUTPUT chain, it is strongly recommended that with - HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain to apply - traffic shaping marks/classification. + permitted. Shorewall prohibits non-zero mark values less that + 256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier + versions allow such values in the OUTPUT chain, it is strongly + recommended that with HIGH_ROUTE_MARKS=Yes, you use the + POSTROUTING chain to apply traffic shaping + marks/classification. 
@@ -239,16 +236,15 @@ - SAME (Added in Shorewall - 4.3.5) -- Some websites run applications that require multiple - connections from a client browser. Where multiple 'balanced' - providers are configured, this can lead to problems when some of - the connections are routed through one provider and some through - another. The SAME target allows you to work around that problem. - SAME may be used in the PREROUTING and OUTPUT chains. When used - in PREROUTING, it causes matching connections from an individual - local system to all use the same provider. For example: - #MARK/ SOURCE DEST PROTO DEST + SAME Some websites run + applications that require multiple connections from a client + browser. Where multiple 'balanced' providers are configured, + this can lead to problems when some of the connections are + routed through one provider and some through another. The SAME + target allows you to work around that problem. SAME may be used + in the PREROUTING and OUTPUT chains. When used in PREROUTING, it + causes matching connections from an individual local system to + all use the same provider. For example: #MARK/ SOURCE DEST PROTO DEST #CLASSIFY PORT(S) SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443 If a host in 192.168.1.0/24 attempts a connection on TCP port 80 @@ -682,8 +678,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443 Connection Bytes; defines a byte or packet range that the - connection must fall within in order for the rule to match. Added in - Shorewall-perl 4.2.0. + connection must fall within in order for the rule to match. A packet matches if the the packet/byte count is within the range defined by min and @@ -697,8 +692,8 @@ SAME $FW 0.0.0.0/0 tcp 80,443 O - The original direction of the connection. - R - The opposite - direction from the original connection. + - The opposite direction from the original + connection. B - The total of both directions. 
@@ -725,13 +720,13 @@ SAME $FW 0.0.0.0/0 tcp 80,443 helper - Added in Shorewall-perl 4.2.0. Names a Netfiler protocol - helper module such as , - , , etc. A packet will - match if it was accepted by the named helper module. You can also - append "-" and a port number to the helper module name (e.g., - ftp-21) to specify the port number - that the original connection was made on. + Names a Netfiler protocol helper module + such as , , + , etc. A packet will match if it was accepted + by the named helper module. You can also append "-" and a port + number to the helper module name (e.g., ftp-21) to specify the port number that the + original connection was made on. Example: Mark all FTP data connections with mark 4:#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER diff --git a/manpages/shorewall-tos.xml b/manpages/shorewall-tos.xml index d8a87e0a9..158691d21 100644 --- a/manpages/shorewall-tos.xml +++ b/manpages/shorewall-tos.xml @@ -141,8 +141,7 @@ Designates a connection mark. If omitted, the packet - mark's value is tested. This option is only supported by - Shorewall-perl. + mark's value is tested. diff --git a/manpages/shorewall-zones.xml b/manpages/shorewall-zones.xml index a1bbab69b..c639908f7 100644 --- a/manpages/shorewall-zones.xml +++ b/manpages/shorewall-zones.xml @@ -158,8 +158,8 @@ c:a,b ipv4 bport (or bport4) - (Shorewall-perl only) The zone is associated with one or - more ports on a single bridge. + The zone is associated with one or more ports on a + single bridge. diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index 3063487a5..f14368673 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml @@ -117,7 +117,7 @@ NFQUEUE_DEFAULT={action|macro|none} (Shorewall-perl 4.0.3 and later) + role="bold">none} In earlier Shorewall versions, a "default action" for DROP and 
@@ -140,10 +140,7 @@ a) The name of an action. - b) The name of a macro - (Shorewall-shell only) - - c) None or b) None or none @@ -334,22 +331,6 @@ - - BRIDGING={Yes|No} - - - When set to Yes or yes, enables Shorewall Bridging - support. - - - BRIDGING=Yes may not work properly with Linux kernel - 2.6.20 or later and is not supported by Shorewall-perl. - - - - CLAMPMSS=[Yes| - - DELAYBLACKLISTLOAD={Yes|No} - - - Users with a large static black list (shorewall-blacklist(5)) may - want to set the DELAYBLACKLISTLOAD option to Yes. When DELAYBLACKLISTLOAD=Yes, Shorewall - will enable new connections before loading the blacklist rules. - While this may allow connections from blacklisted hosts to slip by - during construction of the blacklist, it can substantially reduce - the time that all new connections are disabled during shorewall [re]start. - - - DELAYBLACKLISTLOAD=Yes is not supported by - Shorewall-perl. - - - - DELETE_THEN_ADD={Yes|No} - Added in Shorewall 4.0.4. If set to Yes (the default value), - entries in the /etc/shorewall/route_stopped files cause an 'ip rule - del' command to be generated in addition to an 'ip rule add' - command. Setting this option to No, causes the 'ip rule del' command - to be omitted. + If set to Yes (the default value), entries in the + /etc/shorewall/route_stopped files cause an 'ip rule del' command to + be generated in addition to an 'ip rule add' command. Setting this + option to No, causes the 'ip rule del' command to be omitted. @@ -520,9 +476,6 @@ role="bold">yes, enables dynamic zones. DYNAMIC_ZONES=Yes is not allowed in configurations that will run under Shorewall Lite. - - DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 and - later. 
@@ -538,8 +491,8 @@ # LEVEL net all DROP infothen the chain name is 'net2all' which is also the chain named in Shorewall log messages generated as - a result of the policy. If EXPAND_POLICIES=Yes, then Shorewall-perl - will create a separate chain for each pair of zones covered by the + a result of the policy. If EXPAND_POLICIES=Yes, then Shorewall will + create a separate chain for each pair of zones covered by the policy. This makes the resulting log messages easier to interpret since the chain in the messages will have a name of the form 'a2b' where 'a' is the SOURCE zone and 'b' is the DEST zone. @@ -776,10 +729,10 @@ net all DROP infothen the chain name is 'net2all' role="bold">Yes|No} - Added in Shorewall 4.0.3. When set to , - this option prevents scripts generated by Shorewall-perl from - altering the /etc/iproute2/rt_tables database when there are entries - in /etc/shorewall/providers. If you set this + When set to , this option prevents + generated scripts from altering the /etc/iproute2/rt_tables database + when there are entries in + /etc/shorewall/providers. If you set this option to while Shorewall (Shorewall-lite) is running, you should remove the file /var/lib/shorewall/rt_tables 
@@ -1059,28 +1012,6 @@ net all DROP infothen the chain name is 'net2all' - - MAPOLDACTIONS=[Yes|No] - - - Previously, Shorewall included a large number of standard - actions (AllowPing, AllowFTP, ...). These have been replaced with - parameterized macros. For compatibility, Shorewall can map the old - names into invocations of the new macros if you set - MAPOLDACTIONS=Yes. If this option is not set or is set to the empty - value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed. - - - - - MAPOLDACTIONS=Yes is not supported by Shorewall-perl. With - Shorewall-perl, if MAPOLDACTIONS is not set or is set to the ampty - value then MAPOLDACTIONS=No is assumed. - - - - MARK_IN_FORWARD_CHAIN=[then the chain name is 'net2all' In such cases, you will configure a network on each zone receiving multicasts. - - The MULTICAST option is only recognized by Shorewall-perl and - is ignored by Shorewall-shell. @@ -1320,9 +1248,9 @@ net all DROP infothen the chain name is 'net2all' role="bold">Yes|No] - Added in Shorewall 4.2.6, this option determines whether to - restore the default route saved when here are 'balance' providers - defined but all of them are down. + This option determines whether to restore the default route + saved when here are 'balance' providers defined but all of them are + down. The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the pre-4.2.6 behavior. @@ -1384,9 +1312,8 @@ net all DROP infothen the chain name is 'net2all' state. The default value is no. - The value Keep is only - allowed under Shorewall-perl. It causes Shorewall to ignore the - option. If the option is set to The value Keep causes + Shorewall to ignore the option. If the option is set to Yes, then route filtering occurs on all interfaces. If the option is set to No, then route filtering is disabled on all 
@@ -1408,35 +1335,6 @@ net all DROP infothen the chain name is 'net2all' - - SHOREWALL_COMPILER={perl|shell} - - - Specifies the compiler to use to generate firewall scripts - when both compilers are installed. The value of this option can be - either or . If both - compilers are installed and SHOREWALL_SHELL is not set, then - SHOREWALL_SHELL=shell is assumed. - - If you add 'SHOREWALL_COMPILER=perl' to - /etc/shorewall/shorewall.conf then by default, - the Shorewall-perl compiler will be used on the system. If you add - it to shorewall.conf in a separate directory - (such as a Shorewall-lite export directory) then the Shorewall-perl - compiler will only be used when you compile from that - directory. - - If you only install one compiler, it is suggested that you do - not set SHOREWALL_COMPILER. - - This setting may be overriden in those commands that invoke - the compiler by using the -C command option (see shorewall(8)). - - - SHOREWALL_SHELL=[pathname] @@ -1584,22 +1482,6 @@ net all DROP infothen the chain name is 'net2all' - - USE_ACTIONS={Yes|No} - - - While Shorewall Actions can be very useful, they also require - a sizable amount of code to implement. By setting USE_ACTIONS=No, - embedded Shorewall installations can omit the large library - /usr/share/shorewall-shell/lib.actions. - - - USE_ACTIONS=No is not supported by Shorewall-perl. - - - - USE_DEFAULT_RT=[Yes|No] @@ -1644,10 +1526,9 @@ net all DROP infothen the chain name is 'net2all' All provider gateways must be specified explicitly in the GATEWAY column. detect may not be specified. - Beginning with Shorewall 4.2.6, detect may be specified for - interfaces whose configuration is managed by dhcpcd. - Shorewall will use dhcpcd's database to find the + detect may be + specified for interfaces whose configuration is managed by + dhcpcd. Shorewall will use dhcpcd's database to find the interfaces's gateway. diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index 6c9feff4a..6e38f3173 100644 
--- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml @@ -701,9 +701,8 @@ are untouched. Clear is often used to see if the firewall is causing connection problems. - The option was added in Shorewall 4.0.3. - If is given, the command will be processed by - the compiled script that executed the last successful If is given, the command will be processed + by the compiled script that executed the last successful start, restart or refresh command if that script exists. @@ -736,9 +735,8 @@ capabilities on a system with Shorewall Lite installed - The option only works when the compiler is - Shorewall-perl. It causes the compiler to be run under control of - the Perl debugger. + The option causes the compiler to be run + under control of the Perl debugger. The option causes the compiler to be profiled via the Perl command-line @@ -995,13 +993,13 @@ Example:shorewall refresh net2fw nat:net_dnat #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table - Beginning with Shorewall 4.1, the refresh command has slightly different - behavior. When no chain name is given to the refresh command, the mangle table is - refreshed along with the blacklist chain (if any). This allows you - to modify /etc/shorewall/tcrules and install - the changes using refresh. + The refresh command has + slightly different behavior. When no chain name is given to the + refresh command, the mangle table + is refreshed along with the blacklist chain (if any). This allows + you to modify /etc/shorewall/tcrules and + install the changes using refresh. @@ -1346,9 +1344,8 @@ url="shorewall-routestopped.html">shorewall-routestopped(5) or by ADMINISABSENTMINDED. - The option was added in Shorewall 4.0.3. - If is given, the command will be processed by - the compiled script that executed the last successful If is given, the command will be processed + by the compiled script that executed the last successful start, restart or refresh command if that script exists.
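Review bot: the rewritten helper paragraph in the shorewall-tcrules.xml hunk (@@ -725,13 +720,13 @@) carries over the misspelling "Netfiler"; since the + lines rewrap that sentence anyway, make it "Names a Netfilter protocol helper module such as ...".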
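Review bot: the shorewall.conf.xml hunk that deletes the BRIDGING and DELAYBLACKLISTLOAD entries says nothing about what now happens to a shorewall.conf that still contains those keys; add one sentence (in this manpage or in the release notes) stating that the options are no longer supported and whether the compiler ignores them or reports an error. In the same region, the rewritten DELETE_THEN_ADD text keeps the stray comma in "Setting this option to No, causes the 'ip rule del' command to be omitted"; drop the comma while the line is being rewritten.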
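Review bot: removing the MAPOLDACTIONS entry (shorewall.conf.xml, @@ -1059,28 +1012,6 @@) leaves the fate of the old action names (AllowPing, AllowFTP, ...) that the removed text described undocumented; a short note that these names are no longer mapped to the parameterized macros, and what the compiler does when MAPOLDACTIONS=Yes is still present in shorewall.conf, would spare upgrading users a surprise.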
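Review bot: the + lines of the RESTORE_DEFAULT_ROUTE hunk (shorewall.conf.xml, @@ -1320,9 +1248,9 @@) keep the typo "saved when here are 'balance' providers" (should be "when there are"), and once "Added in Shorewall 4.2.6" is removed, the unchanged sentence that follows, "which preserves the pre-4.2.6 behavior", refers to a version the entry no longer mentions; either keep the version in the description or reword the default sentence.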
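Review bot: the removed SHOREWALL_COMPILER entry (shorewall.conf.xml, @@ -1408,35 +1335,6 @@) pointed readers to the -C command option of shorewall(8), but the shorewall.xml hunks in this patch only touch the clear, debug, refresh and stop text; check that the -C option description is updated or removed too, and consider a sentence that SHOREWALL_COMPILER is now ignored, since the removed text explicitly recommended placing it in the shorewall.conf of Shorewall-lite export directories.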
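Review bot: in the USE_DEFAULT_RT "detect" hunk (shorewall.conf.xml, @@ -1644,10 +1526,9 @@) the trailing context line "interfaces's gateway" is a typo for "interface's gateway"; since the paragraph is being reflowed, it would be cheap to fix it in the same change.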
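Review bot: in the refresh hunk of shorewall.xml (@@ -995,13 +993,13 @@), once "Beginning with Shorewall 4.1" is gone the first rewritten sentence, "The refresh command has slightly different behavior.", no longer says different from what; drop that sentence and open the paragraph with "When no chain name is given to the refresh command, the mangle table is refreshed along with the blacklist chain (if any).", which already describes the behavior.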