Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code

Roberto C. Sanchez 2013-12-24 09:59:47 -05:00
commit f4e2602c89
37 changed files with 779 additions and 134 deletions


@ -582,7 +582,7 @@ show_routing() {
determine_ipset_version() {
local setname
if [ -z "$IPSET" -o $IPSET = ipset ]; then
if [ -z "$IPSET" -o "$IPSET" = "ipset" ]; then
IPSET=$(mywhich ipset)
[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
fi
@ -3506,6 +3506,8 @@ shorewall_cli() {
g_conditional=
g_file=
g_doing="Compiling"
g_directives=
g_inline=
VERBOSE=
VERBOSITY=1
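Review bot: The rewritten condition in determine_ipset_version still joins its two tests with `-o` inside one `[ ]`, which POSIX marks obsolescent and which is parsed ambiguously by some shells when the operand looks like an operator; now that the quoting is fixed, `if [ -z "$IPSET" ] || [ "$IPSET" = ipset ]; then` expresses the same check without that ambiguity. determine_ipset_version continues past the end of the hunk. `g_inline=` in the second hunk is only an initialiser here, so where it is consumed is not visible.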


@ -82,7 +82,8 @@ sub match_arp_net( $$$ ) {
# Process a rule in the arprules file
#
sub process_arprule() {
my ( $originalaction, $source, $dest, $opcode ) = split_line( 'arprules file entry', {action => 0, source => 1, dest => 2, opcode => 3 } );
my ( $originalaction, $source, $dest, $opcode ) = split_line( 'arprules file entry',
{action => 0, source => 1, dest => 2, opcode => 3 } );
my $chainref;
my $iifaceref;


@ -243,7 +243,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
}
}
} elsif ( $action eq 'INLINE' ) {
$rule .= get_inline_matches;
$rule .= get_inline_matches(1);
} else {
( $action, my $cmd ) = split /:/, $action;
@ -424,8 +424,11 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
sub process_accounting_rule( ) {
my ($action, $chain, $source, $dest, $protos, $ports, $sports, $user, $mark, $ipsec, $headers ) =
split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 };
split_line2( 'Accounting File',
{ action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 },
{}, #nopad
undef, #Max columns
1 );
my $nonempty = 0;
for my $proto ( split_list $protos, 'Protocol' ) {
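Review bot: The `1` passed to get_inline_matches in the INLINE branch of process_accounting_rule1 disables the check that the free-form area contains no `-j`, so a jump written there is appended verbatim to `$rule`; process_rule routes that case through handle_inline, but nothing in this hunk does the equivalent for accounting. If accounting INLINE entries are not meant to carry their own jump, `$rule .= get_inline_matches(0);` keeps the fatal_error; if they are, a comment saying that a `-j` is intentionally passed through would save the next reader the same question. process_accounting_rule1 starts and continues outside the hunk, so a later handling step may exist that is not visible here.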


@ -80,6 +80,10 @@ our @EXPORT = ( qw(
add_interface_options
state_match
state_imatch
split_action
get_target_param
get_inline_matches
handle_inline
STANDARD
NATRULE
@ -8397,4 +8401,71 @@ sub initialize_switches() {
}
}
#
# Return ( action, level[:tag] ) from passed full action
#
sub split_action ( $ ) {
my $action = $_[0];
my @list = split_list2( $action, 'ACTION' );
fatal_error "Invalid ACTION ($action)" if @list > 3;
( shift @list, join( ':', @list ) );
}
#
# Get inline matches and conditionally verify the absense of -j
#
sub get_inline_matches( $ ) {
if ( $_[0] ) {
fetch_inline_matches;
} else {
my $inline_matches = fetch_inline_matches;
fatal_error "-j is only allowed when the ACTION is INLINE with no parameter" if $inline_matches =~ /\s-j\s/;
$inline_matches;
}
}
#
# Split the passed target into the basic target and parameter (previously duplicated in this file)
#
sub get_target_param( $ ) {
my ( $target, $param ) = split '/', $_[0];
unless ( defined $param ) {
( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
}
( $target, $param );
}
sub handle_inline( $$$$ ) {
my ( $action, $basictarget, $param, $loglevel ) = @_;
my $inline_matches = get_inline_matches(1);
my $raw_matches = '';
if ( $inline_matches =~ /^(.*\s+)?-j\s+(.+) $/ ) {
$raw_matches .= $1 if supplied $1;
$action = $2;
my ( $target ) = split ' ', $action;
fatal_error "Unknown jump target ($action)" unless $targets{$target} || $target eq 'MARK';
fatal_error "INLINE may not have a parameter when '-j' is specified in the free-form area" if $param ne '';
} else {
$raw_matches .= $inline_matches;
if ( $param eq '' ) {
$action = $loglevel ? 'LOG' : '';
} else {
( $action, $loglevel ) = split_action $param;
( $basictarget, $param ) = get_target_param $action;
$param = '' unless defined $param;
}
}
return ( $action, $basictarget, $param, $loglevel, $raw_matches );
}
1;
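Review bot: The guard in get_inline_matches tests `/\s-j\s/`, which misses a `-j` that begins the free-form text, because fetch_inline_matches only appends a trailing space and nothing visible here guarantees a leading one; `fatal_error "-j is only allowed when the ACTION is INLINE with no parameter" if $inline_matches =~ /(?:^|\s)-j\s/;` catches both placements. handle_inline is also the only new sub in the hunk without the `#`-header comment its siblings carry; a header along the lines of `# Resolve an INLINE action: split a trailing '-j TARGET' out of the inline matches, or derive the action from the INLINE parameter; returns ( action, basictarget, param, loglevel, raw_matches )` would match the file's style. handle_inline reads `%targets`, which this hunk does not declare; presumably it is package-visible in Chains.pm, which is worth confirming since split_action and get_target_param were moved here from Rules.pm.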


@ -581,8 +581,8 @@ EOF
#
sub compiler {
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 , $directives ) =
( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' , 0 );
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 , $directives, $inline ) =
( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' , 0 , 0 );
$export = 0;
$test = 0;
@ -620,6 +620,7 @@ sub compiler {
update => { store => \$update, validate=> \&validate_boolean } ,
convert => { store => \$convert, validate=> \&validate_boolean } ,
annotate => { store => \$annotate, validate=> \&validate_boolean } ,
inline => { store => \$inline, validate=> \&validate_boolean } ,
directives => { store => \$directives, validate=> \&validate_boolean } ,
config_path => { store => \$config_path } ,
shorewallrc => { store => \$shorewallrc } ,
@ -659,7 +660,7 @@ sub compiler {
#
# S H O R E W A L L . C O N F A N D C A P A B I L I T I E S
#
get_configuration( $export , $update , $annotate , $directives );
get_configuration( $export , $update , $annotate , $directives , $inline );
#
# Create a temp file to hold the script
#
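Review bot: The initializer list on the new `my ( ... )` line of compiler keeps the stray `, ,` between the values for `$convert` and `$config_path`; Perl silently drops the empty element, so the eighteen variables still line up with eighteen values, but a reader counting positions to find the new `$inline` default will be misled. Dropping the extra comma, or splitting the declaration so each option is initialised on its own line, would make the defaults readable at a glance. compiler continues outside these hunks.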


@ -70,7 +70,7 @@ our @EXPORT = qw(
get_action_disposition
set_action_disposition
set_action_param
get_inline_matches
fetch_inline_matches
set_inline_matches
set_comment
@ -125,6 +125,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
split_list2
split_line
split_line1
split_line2
first_entry
open_file
close_file
@ -226,7 +227,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
Exporter::export_ok_tags('internal');
our $VERSION = '4.5.20-Beta1';
our $VERSION = '4.6.0-Beta1';
#
# describe the current command, it's present progressive, and it's completion.
@ -553,6 +554,7 @@ our $warningcount; # Used to suppress duplicate warnings about missing
our $warningcount1; # Used to suppress duplicate warnings about COMMENT being deprecated
our $warningcount2; # Used to suppress duplicate warnings about FORMAT being deprecated
our $warningcount3; # Used to suppress duplicate warnings about SECTION being deprecated
our $checkinline; # The -i option to check/compile/etc.
our $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files.
@ -833,6 +835,7 @@ sub initialize( $;$$) {
CHAIN_SCRIPTS => undef,
TRACK_RULES => undef,
REJECT_ACTION => undef,
INLINE_MATCHES => undef,
#
# Packet Disposition
#
@ -1982,6 +1985,57 @@ sub split_list3( $$ ) {
@list2;
}
sub split_columns( $ ) {
my ($list) = @_;
return split ' ', $list unless $list =~ /\(/;
my @list1 = split ' ', $list;
my @list2;
my $element = '';
my $opencount = 0;
for ( @list1 ) {
my $count;
if ( ( $count = tr/(/(/ ) > 0 ) {
$opencount += $count;
if ( $element eq '' ) {
$element = $_;
} else {
$element = join( ',', $element, $_ );
}
if ( ( $count = tr/)/)/ ) > 0 ) {
if ( ! ( $opencount -= $count ) ) {
push @list2 , $element;
$element = '';
} else {
fatal_error "Mismatched parentheses ($_)" if $opencount < 0;
}
}
} elsif ( ( $count = tr/)/)/ ) > 0 ) {
$element = join (',', $element, $_ );
if ( ! ( $opencount -= $count ) ) {
push @list2 , $element;
$element = '';
} else {
fatal_error "Mismatched parentheses ($_)" if $opencount < 0;
}
} elsif ( $element eq '' ) {
push @list2 , $_;
} else {
$element = join ',', $element , $_;
}
}
unless ( $opencount == 0 ) {
fatal_error "Mismatched parentheses ($list)";
}
@list2;
}
#
# Determine if a value has been supplied
#
@ -1999,8 +2053,10 @@ sub supplied( $ ) {
# Handles all of the supported forms of column/pair specification
# Handles segragating raw iptables input in INLINE rules
#
sub split_line1( $$;$$ ) {
my ( $description, $columnsref, $nopad, $maxcolumns ) = @_;
sub split_line2( $$;$$$ ) {
my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;
my $inlinematches = $config{INLINE_MATCHES};
unless ( defined $maxcolumns ) {
my @maxcolumns = ( keys %$columnsref );
@ -2019,7 +2075,9 @@ sub split_line1( $$;$$ ) {
#
fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
if ( $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/) {
if ( $inlinematches ) {
fatal_error "The $description does not support inline matches (INLINE_MATCHES=Yes)" unless $inline;
$inline_matches = $pairs;
if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
@ -2031,6 +2089,26 @@ sub split_line1( $$;$$ ) {
} else {
$pairs = '';
}
} elsif ( $inline ) {
#
# This file supports INLINE
#
if ( $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/) {
$inline_matches = $pairs;
if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
#
# Pairs are enclosed in curly brackets.
#
$columns = $1;
$pairs = $2;
} else {
warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes" if $checkinline;
$pairs = '';
}
}
} elsif ( $checkinline ) {
warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
}
} elsif ( $currentline =~ /^(\s*|.*[^&@%]){(.*)}$/ ) {
#
@ -2045,7 +2123,7 @@ sub split_line1( $$;$$ ) {
fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
my @line = split( ' ', $columns );
my @line = split_columns( $columns );
$nopad = {} unless $nopad;
@ -2089,6 +2167,10 @@ sub split_line1( $$;$$ ) {
@line;
}
sub split_line1( $$;$$ ) {
&split_line2( @_, undef );
}
sub split_line($$) {
&split_line1( @_, {} );
}
@ -2989,7 +3071,7 @@ sub embedded_perl( $ ) {
#
# Return inline matches
#
sub get_inline_matches() {
sub fetch_inline_matches() {
"$inline_matches ";
}
@ -5115,12 +5197,13 @@ sub convert_to_directives() {
# writeable regular file
#
my $result = system << "EOF";
perl -pi.bak -e '/^\\s*FORMAT\\s*/ && s/FORMAT/?FORMAT/;
if ( /^\\s*COMMENT\\s+/ ) {
s/COMMENT/?COMMENT/;
} elsif ( /^\\s*COMMENT\\s*\$/ ) {
s/COMMENT/?COMMENT/;
}' $file
perl -pi.bak -e '/^\\s*FORMAT\\s+/ && s/FORMAT/?FORMAT/;
/^\\s*SECTION\\s+/ && s/SECTION/?SECTION/;
if ( /^\\s*COMMENT\\s+/ ) {
s/COMMENT/?COMMENT/;
} elsif ( /^\\s*COMMENT\\s*\$/ ) {
s/COMMENT/?COMMENT/;
}' $file
EOF
if ( $result == 0 ) {
if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) {
@ -5131,7 +5214,7 @@ EOF
warning message "Unable to rename ${file}.bak to $file:$!";
}
} else {
warning_message ("Unable to update file ${file}.bak:$!" );
warning_message ("Unable to update file $file" );
}
} else {
warning_message( "$file skipped (not writeable)" ) unless -d _;
@ -5151,9 +5234,9 @@ EOF
# - Read the capabilities file, if any
# - establish global hashes %params, %config , %globals and %capabilities
#
sub get_configuration( $$$$ ) {
sub get_configuration( $$$$$ ) {
my ( $export, $update, $annotate, $directives ) = @_;
( my ( $export, $update, $annotate, $directives ) , $checkinline ) = @_;
$globals{EXPORT} = $export;
@ -5471,6 +5554,7 @@ sub get_configuration( $$$$ ) {
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
default_yes_no 'CHAIN_SCRIPTS' , 'Yes';
default_yes_no 'TRACK_RULES' , '';
default_yes_no 'INLINE_MATCHES' , '';
if ( $val = $config{REJECT_ACTION} ) {
fatal_error "Invalid Reject Action Name ($val)" unless $val =~ /^[a-zA-Z][\w-]*$/;
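Review bot: The `system << "EOF"` in convert_to_directives hands `$file` to a shell inside an interpolated command, so a path containing a space, quote or other shell metacharacter breaks the `perl -pi.bak` invocation (and the `diff -q` call just below it) instead of editing the file; passing the script and the file name as separate arguments keeps the shell out of it entirely. The new warning on the else branch drops `$!`, which is right for a non-zero exit status, but reporting `$?` instead would say why the edit failed. The context line `warning message "Unable to rename ${file}.bak to $file:$!";` in the following hunk looks like a typo for `warning_message` that only fires when the rename fails. The rest of convert_to_directives lies outside the hunk.
```perl
    # Pass the script and the file name as separate argv entries so the
    # shell never sees $file (a space or quote in the name would otherwise
    # break the command).  Non-interpolating heredoc: \s and $ are literal.
    my $script = <<'PERL';
/^\s*FORMAT\s+/ && s/FORMAT/?FORMAT/;
/^\s*SECTION\s+/ && s/SECTION/?SECTION/;
if ( /^\s*COMMENT\s+/ ) {
    s/COMMENT/?COMMENT/;
} elsif ( /^\s*COMMENT\s*$/ ) {
    s/COMMENT/?COMMENT/;
}
PERL
    my $result = system( 'perl', '-pi.bak', '-e', $script, $file );
    # … unchanged: result handling, diff/rename of the .bak file …
```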


@ -82,7 +82,9 @@ sub process_tos() {
while ( read_a_line( NORMAL_READ ) ) {
my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ;
my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
split_line( 'tos file entry',
{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
$first_entry = 0;
@ -153,7 +155,10 @@ sub setup_ecn()
while ( read_a_line( NORMAL_READ ) ) {
my ($interface, $hosts ) = split_line1 'ecn file entry', { interface => 0, host => 1, hosts => 1 }, {}, 2;
my ($interface, $hosts ) = split_line1( 'ecn file entry',
{ interface => 0, host => 1, hosts => 1 },
{},
2 );
fatal_error 'INTERFACE must be specified' if $interface eq '-';
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@ -240,7 +245,8 @@ sub setup_blacklist() {
$first_entry = 0;
}
my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
my ( $networks, $protocol, $ports, $options ) = split_line( 'blacklist file',
{ networks => 0, proto => 1, port => 2, options => 3 } );
if ( $options eq '-' ) {
$options = 'src';
@ -400,7 +406,9 @@ sub convert_blacklist() {
first_entry "Converting $fn...";
while ( read_a_line( NORMAL_READ ) ) {
my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
my ( $networks, $protocol, $ports, $options ) =
split_line( 'blacklist file',
{ networks => 0, proto => 1, port => 2, options => 3 } );
if ( $options eq '-' ) {
$options = 'src';
@ -560,7 +568,8 @@ sub process_routestopped() {
while ( read_a_line ( NORMAL_READ ) ) {
my ($interface, $hosts, $options , $proto, $ports, $sports ) =
split_line 'routestopped file', { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 };
split_line( 'routestopped file',
{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
my $interfaceref;
@ -686,7 +695,8 @@ sub process_stoppedrules() {
$result = 1;
my ( $target, $source, $dest, $protos, $ports, $sports ) =
split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 };
split_line1( 'stoppedrules file',
{ target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 } );
fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;
@ -1220,7 +1230,9 @@ sub setup_mac_lists( $ ) {
while ( read_a_line( NORMAL_READ ) ) {
my ( $original_disposition, $interface, $mac, $addresses ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };
my ( $original_disposition, $interface, $mac, $addresses ) =
split_line1( 'maclist file',
{ disposition => 0, interface => 1, mac => 2, addresses => 3 } );
my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );


@ -66,12 +66,22 @@ sub process_one_masq1( $$$$$$$$$$ )
my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
my $destnets = '';
my $baserule = '';
my $inlinematches = '';
#
# Leading '+'
#
$pre_nat = 1 if $interfacelist =~ s/^\+//;
#
# Check for INLINE
#
if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
$interfacelist = $1;
$inlinematches = get_inline_matches(0);
} elsif ( $config{INLINE_MATCHES} ) {
$inlinematches = get_inline_matches(0);
}
#
# Parse the remaining part of the INTERFACE column
#
if ( $family == F_IPV4 ) {
@ -325,7 +335,7 @@ sub process_one_masq1( $$$$$$$$$$ )
expand_rule( $chainref ,
POSTROUTE_RESTRICT ,
'' ,
$baserule . $rule ,
$baserule . $inlinematches . $rule ,
$networks ,
$destnets ,
$origdest ,
@ -366,7 +376,11 @@ sub process_one_masq1( $$$$$$$$$$ )
sub process_one_masq( )
{
my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
split_line2( 'masq file',
{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 },
{}, #Nopad
undef, #Columns
1 ); #Allow inline matches
fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
@ -481,7 +495,9 @@ sub setup_nat() {
while ( read_a_line( NORMAL_READ ) ) {
my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };
my ( $external, $interfacelist, $internal, $allints, $localnat ) =
split_line1( 'nat file',
{ external => 0, interface => 1, internal => 2, allints => 3, local => 4 } );
( $interfacelist, my $digit ) = split /:/, $interfacelist;
@ -511,7 +527,9 @@ sub setup_netmap() {
while ( read_a_line( NORMAL_READ ) ) {
my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };
my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) =
split_line( 'netmap file',
{ type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 } );
$net3 = ALLIP if $net3 eq '-';
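Review bot: In process_one_masq1 the two new branches of the INLINE check assign the same value, so the branching only decides whether the `INLINE(...)` wrapper is stripped; `$inlinematches = get_inline_matches(0) if $interfacelist =~ s/^INLINE\((.+)\)$/$1/ || $config{INLINE_MATCHES};` says that in one line. Because the leading `+` is removed before this check, `+INLINE(eth0)` appears to be the form that works while `INLINE(+eth0)` would leave the `+` in the interface name; a sentence recording that order under the `# Check for INLINE` header would help whoever documents the masq file. process_one_masq1 starts outside the hunk.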


@ -416,7 +416,8 @@ sub process_a_provider( $ ) {
my $pseudo = $_[0]; # When true, this is an optional interface that we are treating somewhat like a provider.
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) =
split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
split_line('providers file',
{ table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 } );
fatal_error "Duplicate provider ($table)" if $providers{$table};
@ -1047,7 +1048,9 @@ CEOF
}
sub add_an_rtrule( ) {
my ( $source, $dest, $provider, $priority, $originalmark ) = split_line 'rtrules file', { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 };
my ( $source, $dest, $provider, $priority, $originalmark ) =
split_line( 'rtrules file',
{ source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
our $current_if;
@ -1137,7 +1140,9 @@ sub add_an_rtrule( ) {
}
sub add_a_route( ) {
my ( $provider, $dest, $gateway, $device ) = split_line 'routes file', { provider => 0, dest => 1, gateway => 2, device => 3 };
my ( $provider, $dest, $gateway, $device ) =
split_line( 'routes file',
{ provider => 0, dest => 1, gateway => 2, device => 3 } );
our $current_if;


@ -123,7 +123,9 @@ sub setup_proxy_arp() {
while ( read_a_line( NORMAL_READ ) ) {
my ( $address, $interface, $external, $haveroute, $persistent ) =
split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };
split_line( $file_opt .
'file ',
{ address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 } );
if ( $first_entry ) {
progress_message2 "$doing $fn...";


@ -240,7 +240,9 @@ sub setup_conntrack() {
my ( $source, $dest, $protos, $ports, $sports, $user, $switch );
if ( $file_format == 1 ) {
( $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
( $source, $dest, $protos, $ports, $sports, $user, $switch ) =
split_line1( 'Conntrack File',
{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
$action = 'NOTRACK';
} else {
( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };


@ -299,19 +299,6 @@ sub new_rules_chain( $ ) {
###############################################################################
# Functions moved from the former Policy Module
###############################################################################
#
# Split the passed target into the basic target and parameter (previously duplicated in this file)
#
sub get_target_param( $ ) {
my ( $target, $param ) = split '/', $_[0];
unless ( defined $param ) {
( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
}
( $target, $param );
}
#
# Convert a chain into a policy chain.
#
@ -1104,19 +1091,6 @@ sub finish_section ( $ ) {
################################################################################
# Functions moved from the Actions module in 4.4.16
################################################################################
#
# Return ( action, level[:tag] ) from passed full action
#
sub split_action ( $ ) {
my $action = $_[0];
my @list = split_list2( $action, 'ACTION' );
fatal_error "Invalid ACTION ($action)" if @list > 3;
( shift @list, join( ':', @list ) );
}
#
# Create a normalized action name from the passed pieces.
#
@ -1675,11 +1649,16 @@ sub process_action($$) {
if ( $file_format == 1 ) {
($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
split_line1(
'action file',
{ target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 },
$rule_commands );
$origdest = $connlimit = $time = $headers = $condition = $helper = '-';
} else {
($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
= split_line1 'action file', \%rulecolumns, $action_commands;
= split_line1( 'action file',
\%rulecolumns,
$action_commands );
}
fatal_error 'TARGET must be specified' if $target eq '-';
@ -1746,7 +1725,11 @@ sub process_actions() {
open_file( $file, 2 );
while ( read_a_line( NORMAL_READ ) ) {
my ( $action, $options ) = split_line 'action file' , { action => 0, options => 1 };
my ( $action, $options ) = split_line2( 'action file',
{ action => 0, options => 1 },
{}, #Nopad
undef, #Columns
1 ); #Allow inline matches
my $type = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
my $noinline = 0;
@ -1889,7 +1872,12 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);
if ( $file_format == 1 ) {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) =
split_line2( 'macro file',
\%rulecolumns,
$rule_commands,
undef, #Columns
1 ); #Allow inline matches
( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = qw/- - - - - - -/;
} else {
( $mtarget,
@ -1906,7 +1894,11 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
$mtime,
$mheaders,
$mcondition,
$mhelper ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
$mhelper ) = split_line2( 'macro file',
\%rulecolumns,
$rule_commands,
undef, #Columns
1 ); #Allow inline matches
}
fatal_error 'TARGET must be specified' if $mtarget eq '-';
@ -2031,7 +2023,12 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
$mtime,
$mheaders,
$mcondition,
$mhelper ) = split_line1 'inline action file', \%rulecolumns, $rule_commands;
$mhelper ) = split_line2( 'inline action file',
\%rulecolumns,
$rule_commands,
undef, #Columns
1 ); #Allow inline matches
fatal_error 'TARGET must be specified' if $mtarget eq '-';
@ -2156,7 +2153,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
my ( $basictarget, $param ) = get_target_param $action;
my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 5 ) : 0;
my $actiontype;
my $inaction = ''; # Set to true when we are process rules in an action file
my $inaction = ''; # Set to true when we are processing rules in an action file
my $inchain = ''; # Set to true when a chain reference is passed.
my $normalized_target;
my $normalized_action;
@ -2171,25 +2168,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
$param = '' unless defined $param;
if ( $basictarget eq 'INLINE' ) {
my $inline_matches = get_inline_matches;
if ( $inline_matches =~ /^(.*\s+)?-j\s+(.+) $/ ) {
$raw_matches .= $1 if supplied $1;
$action = $2;
my ( $target ) = split ' ', $action;
fatal_error "Unknown jump target ($action)" unless $targets{$target} || $target eq 'MARK';
fatal_error "INLINE may not have a parameter when '-j' is specified in the free-form area" if $param ne '';
} else {
$raw_matches .= $inline_matches;
if ( $param eq '' ) {
$action = $loglevel ? 'LOG' : '';
} else {
( $action, $loglevel ) = split_action $param;
( $basictarget, $param ) = get_target_param $action;
$param = '' unless defined $param;
}
}
( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( $action, $basictarget, $param, $loglevel );
} elsif ( $config{INLINE_MATCHES} ) {
$raw_matches = get_inline_matches(0);
}
#
# Determine the validity of the action
@ -3116,7 +3097,12 @@ sub build_zone_list( $$$\$\$ ) {
#
sub process_raw_rule ( ) {
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
= split_line1 'rules file', \%rulecolumns, $rule_commands;
= split_line2( 'rules file',
\%rulecolumns,
$rule_commands,
undef, #Columns
1 ); #Allow inline matches
fatal_error 'ACTION must be specified' if $target eq '-';
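Review bot: The call `( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( ... )` in process_rule assigns `$raw_matches` outright, while the code it replaces appended with `.=`; handle_inline starts from an empty string, so anything `$raw_matches` already held at that point is now discarded. If it can be non-empty there (its declaration is outside the hunk), `( $action, $basictarget, $param, $loglevel, my $inline_raw ) = handle_inline( $action, $basictarget, $param, $loglevel );` followed by `$raw_matches .= $inline_raw;` keeps the old behaviour; if it is always empty at this point, a comment saying so would justify the plain assignment. process_rule starts and ends outside this hunk.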


@ -207,7 +207,7 @@ sub initialize( $ ) {
sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
our %tccmd;
our %tccmd;
unless ( %tccmd ) {
%tccmd = ( SAVE => { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
@ -316,6 +316,16 @@ our %tccmd;
fatal_error 'MARK must be specified' if $originalmark eq '-';
my $raw = '';
if ( $originalmark =~ /^INLINE\((.+)\)(:.*)?$/ ) {
$originalmark = $1;
$originalmark .= $2 if $2;
$raw = get_inline_matches(0);
} elsif ( $config{INLINE_MATCHES} ) {
$raw = get_inline_matches(0);
}
my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
@ -555,11 +565,14 @@ our %tccmd;
INLINE => sub()
{
assert ( $cmd eq 'INLINE' );
$matches = get_inline_matches;
$matches = get_inline_matches(1);
if ( $matches =~ /^(.*\s+)-j\s+(.+) $/ ) {
$matches = $1;
$target = $2;
if ( $matches =~ /^(.*\s+)-j\s+(.+)$/ ) {
$matches = $1;
$target = $2;
my $action = $target;
$action = $1 if $action =~ /^(.+?)\s/;
fatal_error "Unknown target ($action)" unless $targets{$action} || $builtin_target{$action};
} else {
$target = '';
}
@ -816,11 +829,19 @@ sub process_tc_rule( ) {
my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
if ( $family == F_IPV4 ) {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, {}, 15;
split_line2( 'tcrules file',
{ mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 },
{},
15,
1 );
$headers = '-';
} else {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, {}, 16;
split_line2( 'tcrules file',
{ mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 },
{},
16,
1 );
}
for my $proto (split_list( $protos, 'Protocol' ) ) {
@ -947,7 +968,9 @@ sub process_flow($) {
}
sub process_simple_device() {
my ( $device , $type , $in_rate , $out_part ) = split_line 'tcinterfaces', { interface => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 };
my ( $device , $type , $in_rate , $out_part ) =
split_line( 'tcinterfaces',
{ interface => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 } );
fatal_error 'INTERFACE must be specified' if $device eq '-';
fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device};
@ -1076,7 +1099,9 @@ sub process_simple_device() {
my %validlinklayer = ( ethernet => 1, atm => 1, adsl => 1 );
sub validate_tc_device( ) {
my ( $device, $inband, $outband , $options , $redirected ) = split_line 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };
my ( $device, $inband, $outband , $options , $redirected ) =
split_line( 'tcdevices',
{ interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 } );
fatal_error 'INTERFACE must be specified' if $device eq '-';
fatal_error "Invalid tcdevices entry" if $outband eq '-';
@ -1287,7 +1312,8 @@ sub validate_filter_priority( $$ ) {
sub validate_tc_class( ) {
my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
split_line( 'tcclasses file',
{ interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 } );
my $classnumber = 0;
my $devref;
my $device = $devclass;
@ -1950,7 +1976,8 @@ sub process_tc_filter1( $$$$$$$$$ ) {
sub process_tc_filter() {
my ( $devclass, $source, $dest , $protos, $portlist , $sportlist, $tos, $length, $priority )
= split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };
= split_line( 'tcfilters file',
{ class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 } );
fatal_error 'CLASS must be specified' if $devclass eq '-';
@ -2049,7 +2076,9 @@ sub process_tc_priority1( $$$$$$ ) {
}
sub process_tc_priority() {
my ( $band, $protos, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
my ( $band, $protos, $ports , $address, $interface, $helper ) =
split_line1( 'tcpri',
{ band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 } );
fatal_error 'BAND must be specified' if $band eq '-';
@ -2493,7 +2522,8 @@ sub process_secmark_rule1( $$$$$$$$$ ) {
#
sub process_secmark_rule() {
my ( $secmark, $chainin, $source, $dest, $protos, $dport, $sport, $user, $mark ) =
split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
split_line1( 'Secmarks file' ,
{ secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
fatal_error 'SECMARK must be specified' if $secmark eq '-';
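Review bot: The INLINE handler's new regex `/^(.*\s+)-j\s+(.+)$/` still requires whitespace before `-j`, so a free-form area consisting only of `-j TARGET` is not recognised and, because get_inline_matches(1) skips the `-j` check, the jump stays inside `$matches`; handle_inline in Chains.pm makes that prefix optional. `if ( $matches =~ /^(.*\s+)?-j\s+(.+)$/ ) {` together with `$matches = defined $1 ? $1 : '';` brings the two into line. Note also that `(.+)$` now captures the trailing space fetch_inline_matches appends, so `$target` carries it; harmless if it is only interpolated into rule text, but worth a comment. The enclosing sub and the tccmd table start outside the hunk.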


@ -291,7 +291,11 @@ sub setup_tunnels() {
while ( read_a_line( NORMAL_READ ) ) {
my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, {}, 4;
my ( $kind, $zone, $gateway, $gatewayzones ) =
split_line1( 'tunnels file',
{ type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 },
{},
4 );
fatal_error 'TYPE must be specified' if $kind eq '-';


@ -503,7 +503,8 @@ sub process_zone( \$ ) {
my @parents;
my ($zone, $type, $options, $in_options, $out_options ) =
split_line 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 };
split_line( 'zones file',
{ zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 } );
fatal_error 'ZONE must be specified' if $zone eq '-';
@ -1079,9 +1080,12 @@ sub process_interface( $$ ) {
my $bridge = '';
if ( $file_format == 1 ) {
($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
($zone, $originalinterface, $bcasts, $options ) =
split_line1( 'interfaces file',
{ zone => 0, interface => 1, broadcast => 2, options => 3 } );
} else {
($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 };
($zone, $originalinterface, $options ) = split_line1( 'interfaces file',
{ zone => 0, interface => 1, options => 2 } );
$bcasts = '-';
}
@ -1939,7 +1943,10 @@ sub verify_required_interfaces( $ ) {
#
sub process_host( ) {
my $ipsec = 0;
my ($zone, $hosts, $options ) = split_line1 'hosts file', { zone => 0, host => 1, hosts => 1, options => 2 }, {}, 3;
my ($zone, $hosts, $options ) = split_line1( 'hosts file',
{ zone => 0, host => 1, hosts => 1, options => 2 },
{},
3 );
fatal_error 'ZONE must be specified' if $zone eq '-';
fatal_error 'HOSTS must be specified' if $hosts eq '-';


@ -40,6 +40,7 @@
# --shorewallrc=<path> # Path to global shorewallrc file.
# --shorewallrc1=<path> # Path to export shorewallrc file.
# --config_path=<path-list> # Search path for config files
# --inline # Update alternative column specifications
#
use strict;
use FindBin;
@ -73,10 +74,10 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
[ --shorewallrc=<pathname> ]
[ --shorewallrc1=<pathname> ]
[ --config_path=<path-list> ]
[ --inline ]
_EOF_
exit shift @_;
exit shift @_;
}
#
@ -102,6 +103,7 @@ my $directives = 0;
my $config_path = '';
my $shorewallrc = '';
my $shorewallrc1 = '';
my $inline = 0;
Getopt::Long::Configure ('bundling');
@ -134,6 +136,7 @@ my $result = GetOptions('h' => \$help,
'u' => \$update,
'update' => \$update,
'convert' => \$convert,
'inline' => \$inline,
'config_path=s' => \$config_path,
'shorewallrc=s' => \$shorewallrc,
'shorewallrc1=s' => \$shorewallrc1,
@ -162,4 +165,5 @@ compiler( script => $ARGV[0] || '',
config_path => $config_path,
shorewallrc => $shorewallrc,
shorewallrc1 => $shorewallrc1,
inline => $inline
);
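Review bot: The header comment added for the new option, `# --inline # Update alternative column specifications`, does not agree with what the rest of this commit says the flag does: the shorewall(8) text added in the same commit describes -i as issuing a warning when a line has alternative input specifications after a semicolon, not rewriting them. If the option only warns, the comment should say so, e.g. `# --inline                  # Warn about alternative specifications after ';' (see INLINE_MATCHES)`; if it really does rewrite under `update`, then the man-page text is the side that needs correcting. The plumbing itself is consistent (`my $inline = 0;`, `'inline' => \$inline`, `inline => $inline` passed to compiler), though the usage heredoc and the `compiler(...)` call both start outside the hunks shown here.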


@ -162,6 +162,8 @@ HELPERS=
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=On
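Review bot: This sample shorewall.conf ships with `INLINE_MATCHES=Yes`, while the shorewall.conf(5) text added in the same commit states that the compiler assumes No when the option is absent, for backward compatibility, and the shorewall(8) text warns that lines with alternative specifications after a semicolon are handled incorrectly when it is Yes. Any rules, masq or tcrules file shipped alongside these samples that uses the `; column=value` form would therefore be fed to ip[6]tables as raw matches after an upgrade; those sample files are not in this diff, so either run `shorewall check -i` against each sample directory (the flag exists for exactly that) or ship `INLINE_MATCHES=No` and let users opt in. A one-line comment above the setting would also help, e.g. `# Yes: text after ';' is passed to ip[6]tables as matches; use No if you rely on ';' for alternative column specifications`. The same applies to the other shorewall.conf and shorewall6.conf samples and defaults changed in this commit.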


@ -173,6 +173,8 @@ HELPERS=
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=Off


@ -171,6 +171,8 @@ HELPERS=
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=On


@ -174,6 +174,8 @@ HELPERS=
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=On


@ -162,6 +162,8 @@ HELPERS=
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=On


@ -422,6 +422,7 @@ compiler() {
[ -n "$g_convert" ] && options="$options --convert"
[ -n "$g_annotate" ] && options="$options --annotate"
[ -n "$g_directives" ] && options="$options --directives"
[ -n "$g_inline" ] && options="$options --inline"
if [ -n "$PERL" ]; then
if [ ! -x "$PERL" ]; then
@ -528,6 +529,10 @@ start_command() {
g_confess=Yes
option=${option#T}
;;
i*)
g_inline=Yes
option=${option#i}
;;
*)
usage 1
;;
@ -642,6 +647,10 @@ compile_command() {
g_confess=Yes
option=${option#T}
;;
i*)
g_inline=Yes
option=${option#i}
;;
-)
finished=1
option=
@ -732,6 +741,10 @@ check_command() {
g_confess=Yes
option=${option#T}
;;
i*)
g_inline=Yes
option=${option#i}
;;
*)
usage 1
;;
@ -812,6 +825,10 @@ update_command() {
g_confess=Yes
option=${option#T}
;;
i*)
g_inline=Yes
option=${option#i}
;;
a*)
g_annotate=Yes
option=${option#a}
@ -910,6 +927,10 @@ restart_command() {
g_confess=Yes
option=${option#T}
;;
i*)
g_inline=Yes
option=${option#i}
;;
*)
usage 1
;;
@ -1005,6 +1026,10 @@ refresh_command() {
g_confess=Yes
option=${option#T}
;;
i*)
g_inline=Yes
option=${option#i}
;;
D)
if [ $# -gt 1 ]; then
g_shorewalldir="$2"
@ -1394,6 +1419,10 @@ reload_command() # $* = original arguments less the command.
g_confess=Yes
option=${option#T}
;;
i*)
g_inline=Yes
option=${option#i}
;;
*)
usage 1
;;
@ -1583,9 +1612,9 @@ usage() # $1 = exit status
echo "where <command> is one of:"
echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..."
echo " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ <directory> ]"
echo " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
echo " clear"
echo " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ <directory name> ] [ <path name> ]"
echo " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
echo " delete <interface>[:<host-list>] ... <zone>"
echo " disable <interface>"
echo " drop <address> ..."
@ -1608,7 +1637,7 @@ usage() # $1 = exit status
echo " iptrace <ip6tables match expression>"
fi
echo " load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ <directory> ] <system>"
echo " load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
echo " logdrop <address> ..."
echo " logreject <address> ..."
echo " logwatch [<refresh interval>]"
@ -1621,9 +1650,9 @@ usage() # $1 = exit status
echo " refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
echo " reject <address> ..."
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ <directory> ] <system>"
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ <directory> ]"
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]"
echo " safe-restart [ -t <timeout> ] [ <directory> ]"
echo " safe-start [ -t <timeout> ] [ <directory> ]"
@ -1653,11 +1682,11 @@ usage() # $1 = exit status
echo " [ show | list | ls ] tc [ device ]"
echo " [ show | list | ls ] vardir"
echo " [ show | list | ls ] zones"
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ <directory> ]"
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
echo " status"
echo " stop"
echo " try <directory> [ <timeout> ]"
echo " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ <directory> ]"
echo " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [ <directory> ]"
echo " version [ -a ]"
echo
exit $1
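Review bot: The usage() text is out of step with the option parsing added in this file: refresh_command now accepts an `i*` case, but the refresh line `refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]` is unchanged, so -i is undiscoverable from the CLI even though the man-page synopsis in this commit lists it. Conversely the load line now advertises `[ -i ]`, yet no load_command hunk adding an `i*` case is visible here; if load parses its options separately from reload_command, `shorewall load -i` will fall through to `usage 1`. Suggest `echo "    refresh [ -d ] [ -n ] [ -T ] [ -i ] [ -D <directory> ] [ <chain>... ]"` plus either an `i*` case in load_command or dropping -i from the load line. Unrelated but pre-existing in the check line: `[ -r ]` is listed twice.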


@ -80,8 +80,8 @@
<programlisting> eth0(Avvanta)</programlisting>
<para>In that case, you will want to specify the interface's
address for that provider in the ADDRESS column.</para>
<para>In that case, you will want to specify the interface's address
for that provider in the ADDRESS column.</para>
<para>The interface may be qualified by adding the character ":"
followed by a comma-separated list of destination host or subnet
@ -123,12 +123,26 @@
<para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
COMMENT and is preferred.</para>
</note>
<para>Beginning with Shorewall 4.6.0, a new syntax is also accepted.
With the exception of the leading '+', the interfacelist and
qualifiers may appear within the parentheses of <emphasis
role="bold">INLINE</emphasis>(...).</para>
<para>Example:</para>
<programlisting> +INLINE(eth0)</programlisting>
<para>When this is done, you may augment the rule generated by
Shorewall with iptables matches of your own. These matches appear
after a semicolon (';') at the end of the line.</para>
<para>See example 8 below.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
-
<term>(Formerly called SUBNET) -
{<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
@ -647,6 +661,35 @@
eth0 192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 8:</term>
<listitem>
<para>Your eth1 has two public IP addresses: 70.90.191.121 and
70.90.191.123. You want to use the iptables statistics match to
masquerade outgoing connections evenly between these two
addresses.</para>
<programlisting>/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
INLINE(eth1) 0.0.0.0/0 70.90.191.121 ; -m statistic --mode random --probability 0.50
eth1 0.0.0.0/0 70.90.191.123
</programlisting>
<para>If INLINE_MATCHES=Yes in <ulink
url="shorewall.conf.html">shorewall.conf(5)</ulink>, then these
rules may be specified as follows:</para>
<programlisting>/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
eth1 0.0.0.0/0 70.90.191.121 ; -m statistic --mode random --probability 0.50
eth1 0.0.0.0/0 70.90.191.123
</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>


@ -473,6 +473,39 @@
in your kernel and iptables.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">INLINE</emphasis>[(<replaceable>action</replaceable>)]</para>
<para>Added in Shorewall 4.6.0. Allows you to place your own
ip[6]tables matches at the end of the line following a semicolon
(";"). If an <replaceable>action</replaceable> is specified, the
compiler procedes as if that <replaceable>action</replaceable>
had been specified in this column. If no action is specified,
then you may include your own jump ("-j
<replaceable>target</replaceable>
[<replaceable>option</replaceable>] ...") after any matches
specified at the end of the rule. If the target is not one known
to Shorewall, then it must be defined as a builtin action in
<ulink url="shorewall-actions.html">shorewall-actions</ulink>
(5).</para>
<para>The following rules are equivalent:</para>
<programlisting>2:P eth0 - tcp 22
INLINE(2):P eth0 - tcp 22
INLINE(2):P eth0 - ; -p tcp
INLINE eth0 - tcp 22 ; -j MARK --set-mark 2
INLINE eth0 - ; -p tcp -j MARK --set-mark 2
</programlisting>
<para>If INLINE_MATCHES=Yes in <ulink
url="shorewall.conf.html">shorewall6.conf(5)</ulink> then the
third rule above can be specified as follows:</para>
<programlisting>2:P eth0 - ; -p tcp</programlisting>
</listitem>
<listitem>
<para><emphasis role="bold">IPMARK</emphasis> Assigns a mark
to each matching packet based on the either the source or


@ -74,6 +74,20 @@
and can be configured to log all Shorewall messages to their own log
file.</para>
<note>
<para>If you want to specify parameters to ULOG or NFLOG (e.g.,
NFLOG(1,0,1)), then you must either quote the setting or you must escape
the parentheses.</para>
<para>Examples:</para>
<programlisting>MACLIST_LOG_LEVEL="NFLOG(1,0,1)"</programlisting>
<para>or</para>
<programlisting>MACLIST_LOG_LEVEL=NFLOG\(1,0,1\)</programlisting>
</note>
<para>Beginning with Shorewall 4.4.22, LOGMARK is also a valid level which
logs the packet's mark value along with the other usual information. The
syntax is:</para>
@ -991,6 +1005,23 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INLINE_MATCHES=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Added in Shorewall 4.6.0. Traditionally in <ulink
url="shorewall6-rules.html">shorewall-rules(5)</ulink>, a semicolon
separates column-oriented specifications on the left from <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#Pairs">alternative
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
specified, the specifications on the right are interpreted as if
INLINE had been specified in the ACTION column. If not specified or
if specified as the empty value, the value 'No' is assumed for
backward compatibility.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>


@ -66,6 +66,8 @@
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
@ -100,6 +102,8 @@
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="opt"><replaceable>pathname</replaceable></arg>
@ -291,6 +295,8 @@
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
@ -358,7 +364,7 @@
<arg>-<replaceable>options</replaceable></arg>
<arg
choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg>-<option>D</option>
choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg><option>-i</option></arg><arg>-<option>D</option>
<replaceable>directory</replaceable> </arg><arg
rep="repeat"><replaceable>chain</replaceable></arg></arg>
</cmdsynopsis>
@ -393,6 +399,8 @@
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
@ -429,6 +437,8 @@
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
@ -628,7 +638,7 @@
<arg><option>-c</option></arg>
<arg><option>-T</option></arg>
<arg><option>-T</option><arg><option>-i</option></arg></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
@ -691,6 +701,8 @@
<arg><option>-D</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
@ -822,6 +834,12 @@
<para>The <option>-T</option> option was added in Shorewall 4.4.20
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -889,6 +907,12 @@
<para>The <option>-T</option> option was added in Shorewall 4.4.20
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -1119,6 +1143,12 @@
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -1204,6 +1234,12 @@
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
<para>The -<option>D</option> option was added in Shorewall 4.5.3
and causes Shorewall to look in the given
<emphasis>directory</emphasis> first for configuration files.</para>
@ -1265,6 +1301,12 @@
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -1313,6 +1355,12 @@
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -1672,6 +1720,12 @@
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -1776,6 +1830,12 @@
updated, the original is saved in a .bak file in the same
directory.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
<para>For a description of the other options, see the <emphasis
role="bold">check</emphasis> command above.</para>
</listitem>


@ -151,6 +151,8 @@ HELPERS=
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=Off


@ -151,6 +151,8 @@ HELPERS=
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=Off


@ -151,6 +151,8 @@ HELPERS=
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=On


@ -151,6 +151,8 @@ HELPERS=
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=On


@ -151,6 +151,8 @@ HELPERS=
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=Off


@ -73,8 +73,8 @@
<programlisting> eth0(Avvanta)</programlisting>
<para>In that case, you will want to specify the interface's
address for that provider in the ADDRESS column.</para>
<para>In that case, you will want to specify the interface's address
for that provider in the ADDRESS column.</para>
<para>The interface may be qualified by adding the character ":"
followed by a comma-separated list of destination host or subnet
@ -96,6 +96,21 @@
<para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
COMMENT and is preferred.</para>
</note>
<para>Beginning with Shorewall 4.6.0, a new syntax is also accepted.
With the exception of the leading '+', the interfacelist and
qualifiers may appear within the parentheses of <emphasis
role="bold">INLINE</emphasis>(...).</para>
<para>Example:</para>
<programlisting> +INLINE(eth0)</programlisting>
<para>When this is done, you may augment the rule generated by
Shorewall with iptables matches of your own. These matches appear
after a semicolon (';') at the end of the line.</para>
<para>See example 2 below.</para>
</listitem>
</varlistentry>
@ -502,6 +517,35 @@
eth0 2001:470:b:787::0/64 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 8:</term>
<listitem>
<para>Your sit1 interface has two public IP addresses:
2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
iptables statistics match to masquerade outgoing connections evenly
between these two addresses.</para>
<programlisting>/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
INLINE(sit1) 0.0.0.0/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
sit1 0.0.0.0/0 2001:470:a:227::2
</programlisting>
<para>If INLINE_MATCHES=Yes in <ulink
url="shorewall.conf.html">shorewall6.conf(5)</ulink>, then these
rules may be specified as follows:</para>
<programlisting>/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
sit1 0.0.0.0/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
sit1 0.0.0.0/0 2001:470:a:227::2
</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>


@ -503,6 +503,41 @@
in your kernel and ip6tables.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">INLINE</emphasis>[(<replaceable>action</replaceable>)]</para>
<para>Added in Shorewall 4.6.0. Allows you to place your own
ip[6]tables matches at the end of the line following a semicolon
(";"). If an <replaceable>action</replaceable> is specified, the
compiler procedes as if that <replaceable>action</replaceable>
had been specified in this column. If no action is specified,
then you may include your own jump ("-j
<replaceable>target</replaceable>
[<replaceable>option</replaceable>] ...") after any matches
specified at the end of the rule. If the target is not one known
to Shorewall, then it must be defined as a builtin action in
<ulink url="shorewall6-actions.html">shorewall6-actions</ulink>
(5).</para>
<para>The following rules are equivalent:</para>
<programlisting>2:P eth0 - tcp 22
INLINE(2):P eth0 - tcp 22
INLINE(2):P eth0 - ; -p tcp
INLINE eth0 - tcp 22 ; -j MARK --set-mark 2
INLINE eth0 - ; -p tcp -j MARK --set-mark 2</programlisting>
<para>If INLINE_MATCHES=Yes in <ulink
url="shorewall.conf.html">shorewall.conf(5)</ulink> then the
third rule above can be specified as follows:</para>
<programlisting>2:P eth0 - ; -p tcp</programlisting>
<para>In other words, when only matches are given after the ';',
INLINE is unnecessary.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --


@ -73,6 +73,20 @@
and can be configured to log all Shorewall6 message to their own log
file</para>
<note>
<para>If you want to specify parameters to ULOG or NFLOG (e.g.,
NFLOG(1,0,1)), then you must either quote the setting or you must escape
the parentheses.</para>
<para>Examples:</para>
<programlisting>MACLIST_LOG_LEVEL="NFLOG(1,0,1)"</programlisting>
<para>or</para>
<programlisting>MACLIST_LOG_LEVEL=NFLOG\(1,0,1\)</programlisting>
</note>
<para>The following options may be set in shorewall6.conf.</para>
<variablelist>
@ -862,6 +876,23 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INLINE_MATCHES=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Added in Shorewall 4.6.0. Traditionally in <ulink
url="shorewall6-rules.html">shorewall6-rules(5)</ulink>, a semicolon
separates column-oriented specifications on the left from <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#Pairs">alternative
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
specified, the specifications on the right are interpreted as if
INLINE had been specified in the ACTION column. If not specified or
if specified as the empty value, the value 'No' is assumed for
backward compatibility.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>


@ -65,6 +65,8 @@
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
@ -94,6 +96,8 @@
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="opt"><replaceable>pathname</replaceable></arg>
@ -242,6 +246,8 @@
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
@ -309,7 +315,7 @@
<arg>-<replaceable>options</replaceable></arg>
<arg
choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg>-<option>D</option>
choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg><option>-i</option></arg><arg>-<option>D</option>
<replaceable>directory</replaceable> </arg><arg
rep="repeat"><replaceable>chain</replaceable></arg></arg>
</cmdsynopsis>
@ -344,6 +350,8 @@
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
@ -378,6 +386,8 @@
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
@ -546,6 +556,8 @@
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
@ -606,6 +618,8 @@
<arg><option>-D</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
@ -737,6 +751,12 @@
<para>The <option>-T</option> option was added in Shorewall 4.4.20
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -797,6 +817,12 @@
<para>The <option>-T</option> option was added in Shorewall 4.4.20
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -1001,6 +1027,12 @@
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -1088,6 +1120,12 @@
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
<para>The -<option>D</option> option was added in Shorewall 4.5.3
and causes Shorewall to look in the given
<emphasis>directory</emphasis> first for configuration files.</para>
@ -1141,6 +1179,12 @@
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -1192,6 +1236,12 @@
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -1514,6 +1564,12 @@
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -1612,6 +1668,12 @@
updated, the original is saved in a .bak file in the same
directory.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
<para>For a description of the other options, see the <emphasis
role="bold">check</emphasis> command above.</para>
</listitem>


@ -22,6 +22,8 @@
<year>2010</year>
<year>2013</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -120,6 +122,14 @@ forwardUPnP net loc</programlisting>
<para>Shorewall versions prior to 4.4.10 do not retain the dynamic rules
added by linux-idg over a <command>shorewall restart</command>.</para>
</caution>
<para>If your firewall-&gt;loc policy is not ACCEPT, then you also need to
allow UDP traffic from the fireawll to the local zone.</para>
<programlisting>ACCEPT $FW loc udp - &lt;<replaceable>dynamic port range</replaceable>&gt;</programlisting>
<para>The dynamic port range is obtained by <emphasis role="bold">cat
/proc/sys/net/ip_local_port_range</emphasis>.</para>
</section>
<section>


@ -220,6 +220,13 @@ esac</programlisting><caution>
<programlisting>#! /bin/sh
cat -</programlisting>
</listitem>
<listitem>
<para><filename>postcompile</filename> -- Added in Shorewall 4.5.8.
This shell script is invoked by<emphasis role="bold">
/sbin/shorewall</emphasis> after a script has been compiled. $1 is the
path name of the compiled script.</para>
</listitem>
</itemizedlist>
<para><emphasis role="bold">If your version of Shorewall doesn't have the
@ -284,6 +291,13 @@ cat -</programlisting>
<entry>check, compile, export, refresh, restart, start</entry>
</row>
<row>
<entry>postcompile</entry>
<entry>compile, export, load, refresh, reload, restart, restore,
start</entry>
</row>
<row>
<entry>refresh</entry>
@ -498,7 +512,7 @@ cat -</programlisting>
</row>
<row>
<entry></entry>
<entry>postcompile</entry>
<entry>started</entry>
</row>
@ -548,10 +562,11 @@ cat -</programlisting>
</tgroup>
</informaltable></para>
<para>Compile-time extension scripts are executed using the Perl 'eval
`cat &lt;<emphasis>file</emphasis>&gt;`' mechanism. Be sure that each
script returns a 'true' value; otherwise, the compiler will assume that
the script failed and will abort the compilation.</para>
<para>With the exception of postcompile, compile-time extension scripts
are executed using the Perl 'eval `cat
&lt;<emphasis>file</emphasis>&gt;`' mechanism. Be sure that each script
returns a 'true' value; otherwise, the compiler will assume that the
script failed and will abort the compilation.</para>
<para>Each compile-time script is implicitly prefaced with:</para>