Merge branch '5.2.3'

# Conflicts:
#	docs/Introduction.xml
Tom Eastep 2020-03-06 09:37:41 -08:00
commit fa1aa4b481
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
20 changed files with 336 additions and 90 deletions

.gitignore vendored

@ -1 +0,0 @@
*targetname


@ -0,0 +1 @@
5.2.3.7


@ -0,0 +1 @@
5.2.3.7


@ -115,8 +115,6 @@ if ( ( $targets{$action} || 0 ) & NATRULE ) {
if ( $command & $RESET_CMD ) { if ( $command & $RESET_CMD ) {
require_capability 'MARK_ANYWHERE', '"reset"', 's'; require_capability 'MARK_ANYWHERE', '"reset"', 's';
print "Resetting....\n";
my $mark = $globals{EVENT_MARK}; my $mark = $globals{EVENT_MARK};
# #
# The event mark bit must be within 32 bits # The event mark bit must be within 32 bits


@ -1143,6 +1143,19 @@ sub set_rule_option( $$$ ) {
# #
# Consider each subtype as a separate type # Consider each subtype as a separate type
# #
if ( have_capability( 'OLD_CONNTRACK_MATCH' ) ) {
my ( $subtype, $invert, $val, $rest ) = split ' ', $value;
if ( $invert eq '!' ) {
assert( ! supplied $rest );
$option = join( ' ', $option, $subtype );
$value = join( ' ', $invert, $val );
} else {
assert( ! supplied $val );
$option = join( ' ', $invert , $option );
$value = $invert;
}
} else {
my ( $invert, $subtype, $val, $rest ) = split ' ', $value; my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
if ( $invert eq '!' ) { if ( $invert eq '!' ) {
@ -1154,6 +1167,7 @@ sub set_rule_option( $$$ ) {
$option = join( ' ', $option, $invert ); $option = join( ' ', $option, $invert );
$value = $subtype; $value = $subtype;
} }
}
$opttype = EXCLUSIVE; $opttype = EXCLUSIVE;
} }
@ -8718,20 +8732,15 @@ sub save_docker_rules($) {
qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT), qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING), qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING),
qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER), qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
qq( rm -f \${VARDIR}/.filter_DOCKER-*),
qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS), qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER), qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
qq( [ -n "\$g_dockeriso" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
qq(), qq(),
qq( case "\$g_dockernetwork" in), qq( if [ -n "\$g_dockerisostage" ]; then),
qq( One\)),
qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
qq( $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
qq( ;;),
qq( Two\)),
qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1), qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2), qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
qq( ;;), qq( fi),
qq( esac),
qq(), qq(),
); );
@ -9252,10 +9261,10 @@ sub create_netfilter_load( $ ) {
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
} elsif ( $name eq 'DOCKER-ISOLATION' ) { } elsif ( $name eq 'DOCKER-ISOLATION' ) {
ensure_cmd_mode; ensure_cmd_mode;
emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) { } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
ensure_cmd_mode; ensure_cmd_mode;
emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) ); emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
} elsif ( $name eq 'DOCKER-INGRESS' ) { } elsif ( $name eq 'DOCKER-INGRESS' ) {
ensure_cmd_mode; ensure_cmd_mode;
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' ); emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
@ -9367,11 +9376,11 @@ sub preview_netfilter_load() {
print "\n"; print "\n";
} elsif ( $name eq 'DOCKER-ISOLATION' ) { } elsif ( $name eq 'DOCKER-ISOLATION' ) {
ensure_cmd_mode1; ensure_cmd_mode1;
print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); print( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
print "\n"; print "\n";
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) { } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
ensure_cmd_mode1; ensure_cmd_mode1;
print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) ); print( qq([ "\$g_dockeisostage" ] && echo ":$name - [0:0]" >&3) );
print "\n"; print "\n";
} elsif ( $name eq 'DOCKER-INGRESS' ) { } elsif ( $name eq 'DOCKER-INGRESS' ) {
ensure_cmd_mode1; ensure_cmd_mode1;
@ -9468,10 +9477,10 @@ sub create_stop_load( $ ) {
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
} elsif ( $name eq 'DOCKER-ISOLATION' ) { } elsif ( $name eq 'DOCKER-ISOLATION' ) {
ensure_cmd_mode; ensure_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) { } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
ensure_cmd_mode; ensure_cmd_mode;
emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) ); emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
} elsif ( $name eq 'DOCKER-INGRESS' ) { } elsif ( $name eq 'DOCKER-INGRESS' ) {
ensure_cmd_mode; ensure_cmd_mode;
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' ); emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
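Review bot: The preview_netfilter_load hunk tests the wrong shell variable: `print( qq([ "\$g_dockeisostage" ] && echo ":$name - [0:0]" >&3) );` names `g_dockeisostage`, whereas every other new line here (create_netfilter_load, create_stop_load) and the lib.common hunk use `g_dockerisostage`, so that variable is never assigned, the test is always false and the preview never shows the DOCKER-ISOLATION-STAGE-* chain headers; the line also drops the `-n` its siblings use. Change it to `print( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );`. Separately, in the set_rule_option hunk the non-inverted path of the new OLD_CONNTRACK_MATCH branch builds both `$option = join( ' ', $invert , $option );` and `$value = $invert;` from the second token of `$value`, while the existing branch below uses the first token for the option and the second for the value; the stored value format is not visible here, so please confirm that asymmetry is intended. The enclosing subs all start and end outside these hunks.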


@ -270,11 +270,8 @@ sub generate_script_2() {
); );
emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' ); emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' ); emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
emit( 'if chain_exists DOCKER-ISOLATION; then', emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' );
' g_dockernetwork=One', emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' );
'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
' g_dockernetwork=Two',
'fi' );
} }
pop_indent; pop_indent;
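Review bot: `g_dockeriso` and `g_dockerisostage` are now set independently, so when both a DOCKER-ISOLATION and a DOCKER-ISOLATION-STAGE-1 chain exist the generated FORWARD chain gets a jump to each (the two new add_commands lines in the Rules.pm create_docker_rules hunk) and save_docker_rules captures both, whereas the replaced `if`/`elif` made the legacy chain take precedence. If that state can occur (for instance chains left behind across a Docker upgrade), confirm that emitting both jumps is intended; otherwise preserve the precedence with `emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' );` followed by `emit( '[ -z "$g_dockeriso" ] && chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' );`. generate_script_2 starts before this hunk.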


@ -162,6 +162,7 @@ our @EXPORT = qw(
have_capability have_capability
require_capability require_capability
require_mangle_capability
report_used_capabilities report_used_capabilities
kernel_version kernel_version
@ -804,7 +805,7 @@ sub add_variables( \% );
# 2. The compiler can run multiple times in the same process so it has to be # 2. The compiler can run multiple times in the same process so it has to be
# able to re-initialize its dependent modules' state. # able to re-initialize its dependent modules' state.
# #
sub initialize( $;$$$) { sub initialize($;$$$) {
( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_; ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@ -4603,7 +4604,11 @@ sub New_Conntrack_Match() {
} }
sub Old_Conntrack_Match() { sub Old_Conntrack_Match() {
if ( $family == F_IPV4 ) {
! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" ); ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
} else {
! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst ::1" );
}
} }
sub Multiport() { sub Multiport() {
@ -5263,6 +5268,16 @@ sub require_capability( $$$ ) {
fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability, 1; fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability, 1;
} }
sub require_mangle_capability( $$$ ) {
my ( $capability, $description, $singular ) = @_;
if ( $config{MANGLE_ENABLED} ) {
&require_capability( @_ );
} else {
fatal_error "$description " . ( $singular ? 'is' : 'are' ) . " not available when MANGLE_ENABLED=No in $shorewallrc{PRODUCT}.conf";
}
}
# #
# Return Kernel Version # Return Kernel Version
# #
@ -6607,6 +6622,7 @@ sub get_configuration( $$$ ) {
if ( supplied $config{ACCOUNTING_TABLE} ) { if ( supplied $config{ACCOUNTING_TABLE} ) {
my $value = $config{ACCOUNTING_TABLE}; my $value = $config{ACCOUNTING_TABLE};
fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle'; fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle';
fatal_error "ACCOUNTING_TABLE=mangle not allowed with MANGLE_ENABLED=No" if $value eq 'mangle' and ! $config{MANGLE_ENABLED};
} else { } else {
$config{ACCOUNTING_TABLE} = 'filter'; $config{ACCOUNTING_TABLE} = 'filter';
} }
@ -6682,7 +6698,7 @@ sub get_configuration( $$$ ) {
$config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset'; $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK}; require_mangle_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
numeric_option 'TC_BITS' , 8, 0; numeric_option 'TC_BITS' , 8, 0;
numeric_option 'MASK_BITS' , 8, 0; numeric_option 'MASK_BITS' , 8, 0;
@ -6926,7 +6942,7 @@ sub get_configuration( $$$ ) {
if ( $config{TC_ENABLED} ) { if ( $config{TC_ENABLED} ) {
fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED}; fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's'; require_mangle_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
} }
if ( supplied( $val = $config{TC_PRIOMAP} ) ) { if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
@ -6943,9 +6959,7 @@ sub get_configuration( $$$ ) {
} }
default 'RESTOREFILE' , 'restore'; default 'RESTOREFILE' , 'restore';
default 'DROP_DEFAULT' , 'none'; default 'DROP_DEFAULT' , 'none';
default 'REJECT_DEFAULT' , 'none'; default 'REJECT_DEFAULT' , 'none';
default 'BLACKLIST_DEFAULT' , 'none'; default 'BLACKLIST_DEFAULT' , 'none';
default 'QUEUE_DEFAULT' , 'none'; default 'QUEUE_DEFAULT' , 'none';
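Review bot: The new `require_mangle_capability` sub, added right after `require_capability`, has no header comment, while the neighbouring definitions in this file carry a `#` block describing them (`# Return Kernel Version` immediately below it). Suggest adding above it: `# Like require_capability(), but when MANGLE_ENABLED=No report the feature as unavailable rather than as a missing kernel/iptables capability. $singular is true when $description is a singular noun phrase (selects 'is'/'are').` The `&require_capability( @_ )` call form is presumably deliberate so that `@_` is passed through despite the `( $$$ )` prototype; since `&`-style calls are otherwise discouraged, a one-line `# '&' bypasses the ($$$) prototype so @_ passes through unchanged` would save the next reader a detour.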


@ -97,7 +97,7 @@ sub setup_ecn()
if ( my $fn = open_file 'ecn' ) { if ( my $fn = open_file 'ecn' ) {
first_entry( sub { progress_message2 "$doing $fn..."; first_entry( sub { progress_message2 "$doing $fn...";
require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', ''; require_mangle_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD'; warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
} ); } );
@ -679,18 +679,10 @@ sub create_docker_rules() {
my $chainref = $filter_table->{FORWARD}; my $chainref = $filter_table->{FORWARD};
add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', ); add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3' );
add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3', ); add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3' );
add_commands( $chainref , add_commands( $chainref, '[ -n "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
'', add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
'case "$g_dockernetwork" in',
' One)',
' echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
' ;;',
' Two)',
' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
' ;;',
'esac' );
if ( my $dockerref = known_interface('docker0') ) { if ( my $dockerref = known_interface('docker0') ) {
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' ); add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );


@ -594,7 +594,7 @@ sub process_a_provider( $ ) {
unless ( $options eq '-' ) { unless ( $options eq '-' ) {
for my $option ( split_list $options, 'option' ) { for my $option ( split_list $options, 'option' ) {
if ( $option eq 'track' ) { if ( $option eq 'track' ) {
require_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' ); require_mangle_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
$track = 1; $track = 1;
} elsif ( $option eq 'notrack' ) { } elsif ( $option eq 'notrack' ) {
$track = 0; $track = 0;
@ -714,7 +714,7 @@ sub process_a_provider( $ ) {
$mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track; $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
if ( $mark ne '-' ) { if ( $mark ne '-' ) {
require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' ); require_mangle_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
if ( $tproxy && ! $local ) { if ( $tproxy && ! $local ) {
$val = $globals{TPROXY_MARK}; $val = $globals{TPROXY_MARK};
@ -1180,14 +1180,14 @@ CEOF
emit "fi\n"; emit "fi\n";
if ( get_interface_option( $interface, 'used_address_variable' ) ) { if ( get_interface_option( $interface, 'used_address_variable' ) ) {
my $variable = interface_address( $interface ); my $variable = get_interface_address( $interface );
emit( "echo \$$variable > \${VARDIR}/${physical}.address" ); emit( "echo $variable > \${VARDIR}/${physical}.address" );
} }
if ( get_interface_option( $interface, 'used_gateway_variable' ) ) { if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
my $variable = interface_gateway( $interface ); my $variable = get_interface_gateway( $interface );
emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) ); emit( qq(echo "$variable" > \${VARDIR}/${physical}.gateway\n) );
} }
} else { } else {
emit( qq(progress_message "Provider $table ($number) Started") ); emit( qq(progress_message "Provider $table ($number) Started") );
@ -2323,22 +2323,22 @@ sub handle_optional_interfaces() {
emit( 'fi' ); emit( 'fi' );
if ( get_interface_option( $interface, 'used_address_variable' ) ) { if ( get_interface_option( $interface, 'used_address_variable' ) ) {
my $variable = interface_address( $interface ); my $variable = get_interface_address( $interface );
emit( '', emit( '',
"if [ -f \${VARDIR}/${physical}.address ]; then", "if [ -f \${VARDIR}/${physical}.address ]; then",
" if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then", " if [ \$(cat \${VARDIR}/${physical}.address) != $variable ]; then",
' g_forcereload=Yes', ' g_forcereload=Yes',
' fi', ' fi',
'fi' ); 'fi' );
} }
if ( get_interface_option( $interface, 'used_gateway_variable' ) ) { if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
my $variable = interface_gateway( $interface ); my $variable = get_interface_gateway( $interface );
emit( '', emit( '',
"if [ -f \${VARDIR}/${physical}.gateway ]; then", "if [ -f \${VARDIR}/${physical}.gateway ]; then",
" if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then", " if [ \$(cat \${VARDIR}/${physical}.gateway) != \"$variable\" ]; then",
' g_forcereload=Yes', ' g_forcereload=Yes',
' fi', ' fi',
'fi' ); 'fi' );
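Review bot: In the handle_optional_interfaces hunk the rewritten address check leaves the interface value unquoted inside the shell test, `" if [ \$(cat \${VARDIR}/${physical}.address) != $variable ]; then",`, while the gateway check a few lines below quotes it as `\"$variable\"`. If whatever `get_interface_address` returns can expand to an empty string at run time, the unquoted form makes `[` fail with a syntax error instead of comparing, and the same applies to the `\$(cat ...)` side when the saved `.address` file is empty. Suggest `" if [ \"\$(cat \${VARDIR}/${physical}.address)\" != \"$variable\" ]; then",` — the return shape of `get_interface_address` is not visible here, so treat this as something to confirm. handle_optional_interfaces continues outside the hunk.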


@ -2455,7 +2455,7 @@ sub setup_tc( $ ) {
} }
} }
} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) { } elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
warning_message "The tcrules file is no longer supported -- use '$product update' to convert $fn to an equivalent 'mangle' file"; warning_message "The tcrules file is no longer supported -- use '$shorewallrc{product} update' to convert $fn to an equivalent 'mangle' file";
} }
if ( my $fn = open_file( 'mangle', 1, 1 ) ) { if ( my $fn = open_file( 'mangle', 1, 1 ) ) {


@ -148,7 +148,8 @@ g_compiled=
g_file= g_file=
g_docker= g_docker=
g_dockeringress= g_dockeringress=
g_dockernetwork= g_dockeriso=
g_dockerisostage=
g_forcereload= g_forcereload=
g_fallback= g_fallback=


@ -0,0 +1 @@
5.2.3.7


@ -0,0 +1 @@
5.2.3.7


@ -0,0 +1 @@
5.2.3.7


@ -13,6 +13,10 @@
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
<author>
<surname>J Cliff Armstrong</surname>
</author>
</authorgroup> </authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
@ -20,6 +24,8 @@
<copyright> <copyright>
<year>2016</year> <year>2016</year>
<year>2020</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -57,6 +63,35 @@
<command>restart</command> or <command>reload</command> operation and <command>restart</command> or <command>reload</command> operation and
restores those rules along with the Shorewall-generated ruleset.</para> restores those rules along with the Shorewall-generated ruleset.</para>
<important>
<para>Shorewall currently doesn't support Docker Swarm mode.</para>
</important>
<warning>
<para>On Debian and Debian-derived systems, <command>systemctl restart
shorewall</command> will lose Docker rules. You can work around this
issue using a method provided by J Cliff Armstrong:</para>
<para>Type as root:</para>
<programlisting><command>systemctl edit shorewall.service</command></programlisting>
<para>This will open the default terminal editor to a blank file in
which you can paste the following:</para>
<programlisting>[Service]
# reset ExecStop
ExecStop=
# set ExecStop to "stop" instead of "clear"
ExecStop=/sbin/shorewall $OPTIONS stop
</programlisting>
<para> Then type <command>systemctl daemon-reload </command>to activate
the changes. This change will survive future updates of the shorewall
package from apt repositories. The override file itself will be saved to
`/etc/systemd/system/shorewall.service.d/`. </para>
</warning>
<para>This support assumes that the default Docker bridge (docker0) is <para>This support assumes that the default Docker bridge (docker0) is
being used. It is recommended that this bridge be defined to Shorewall in being used. It is recommended that this bridge be defined to Shorewall in
<ulink <ulink


@ -16,7 +16,7 @@
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright> <copyright>
<year>2003-2015</year> <year>2003-2020</year>
<year>2019</year> <year>2019</year>
@ -174,17 +174,21 @@ dmz ipv4</programlisting>
that file as follows:</para> that file as follows:</para>
<programlisting>#ZONE INTERFACE OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net NET_IF dhcp,routefilter net NET_IF tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
loc LOC_IF loc LOC_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
dmz DMZ_IF</programlisting> dmz DMZ_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth2</programlisting>
<para>The above file defines the <emphasis>net</emphasis> zone as all IPv4 <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
hosts interfacing to the firewall through NET_IF, the hosts interfacing to the firewall through NET_IF, the
<emphasis>loc</emphasis> zone as all IPv4 hosts interfacing through LOC_IF <emphasis>loc</emphasis> zone as all IPv4 hosts interfacing through LOC_IF
and the <emphasis>dmz</emphasis> as all IPv4 hosts interfacing through and the <emphasis>dmz</emphasis> as all IPv4 hosts interfacing through
DMZ_IF. It is important to note that the composition of a zone is defined eth2. The interface names shown in the INTERFACE column are <emphasis>
in terms of a combination of addresses <emphasis logical</emphasis> names which are used throughout the configuration to
role="bold">and</emphasis> interfaces. When using the <ulink refer to the individual interfaces. The actual interface names are
specified using the <emphasis role="bold">physical</emphasis> option. It
is important to note that the composition of a zone is defined in terms of
a combination of addresses <emphasis role="bold">and</emphasis>
interfaces. When using the <ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink> url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
file to define a zone, all addresses are included; when you want to define file to define a zone, all addresses are included; when you want to define
a zone that contains a limited subset of the IPv4 address space, you use a zone that contains a limited subset of the IPv4 address space, you use
@ -193,10 +197,12 @@ dmz DMZ_IF</programlisting>
file or you may use the nets= option in file or you may use the nets= option in
<filename>/etc/shorewall/interfaces</filename>:</para> <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net NET_IF detect dhcp,routefilter,nets=(!192.168.0.0/23),physical=eth0 net NET_IF tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
loc LOC_IF detect nets=(192.168.0.0/24),physical=eth1 loc LOC_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth1,<emphasis
dmz DMZ_IF detect nets=(192.168.1.0/24),physical=eth2</programlisting> role="bold">nets=172.20.1.0/24</emphasis>
dmz DMZ_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth2
</programlisting>
<para>The above file defines the <emphasis>net</emphasis> zone as all IPv4 <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
hosts interfacing to the firewall through eth0 <emphasis>except</emphasis> hosts interfacing to the firewall through eth0 <emphasis>except</emphasis>

docs/docs-targetname Normal file

@ -0,0 +1 @@
5.2.3.7

docs/html.css Normal file

@ -0,0 +1,188 @@
/* global styles */
body {
font-family: sans-serif;
}
div {
border: 0;
padding: 0.5em;
}
img {
border: 0;
}
hr {
color: #8b8b8b;
}
h4 {
text-align: center;
font-weight: bold;
padding: 0.25em 0.5em;
margin: 0 0 1px;
}
.quote {
font-style: italic;
text-align: center;
}
.strong {
font-weight: bold;
}
.warning {
font-weight: bold;
color: #ff0000;
}
a {
display: block;
border-width: 0;
text-decoration: none;
color: #0060b5;
background: #ffffff;
}
a:hover {
color: #ffffff;
background: #0060b5;
}
/* header styles */
div#header {
position: absolute;
font-size: small;
top: 0;
left: 0;
height: 100px;
width: 95%;
margin: 10px;
}
div#header p {
text-align: center;
}
div#header div#search-form {
float: left;
margin: 0;
padding: 0;
}
div#header div#search-form input#search-text {
background-color: #ffffff;
color: #0060b5;
font-size: small;
border: 1px solid;
vertical-align: middle;
}
div#header div#search-form input#submit-button {
background-color: #ffffff;
color: #0060b5;
font-size: small;
font-weight: bold;
-moz-border-radius: 5px;
-webkit-border-radius: 5px;
border-radius:6px;
text-decoration: none;
cursor: pointer;
border: 1px solid;
vertical-align: middle;
}
div#header div#search-form input#submit-button:hover {
border: 1px solid;
background-color: #0060b5;
color: #ffffff;
box-shadow: 0px 0px 1px #777;
}
div#header div#ml-search {
float: right;
margin: 0;
padding: 0;
}
div#header div#logo {
margin: 0;
padding: 0;
clear: both;
}
/* sidebar styles */
div#sidebar {
position: fixed;
top: 125px;
left: 0;
width: 15%;
margin: 10px;
font-size: small;
}
div#sidebar:hover {
background-position: 0px 0px;
}
div#sidebar a {
text-align: center;
-moz-border-radius: 5px;
-webkit-border-radius: 5px;
border-radius:6px;
}
/* menu styles */
/* main panel styles */
div#main {
position: absolute;
top: 150px;
left: 16%;
width: 62%;
margin: 10px;
}
div#main a {
display: inline;
padding: 0;
}
div#main a:hover {
color: #0060b5;
background: #ffffff;
text-decoration: underline;
}
/* content styles */
div#content div {
padding: 0;
}
div#content code, pre {
font: 100% monospace;
}
div#content table {
width: 100%;
}
div#content table#changelog {
font-size: x-small;
}
/* footer styles */
div#footer p {
text-align: center;
font-size: small;
}
div#footer table {
margin-left: auto;
margin-right: auto;
}
/* doc panel styles */
div#doc {
float: right;
top: 125px;
left: 80%;
width: 15%;
margin: 125px 10px 10px 10px;
font-size: small;
}
div#doc:hover {
background-position: 0px 0px;
}
div#doc a {
padding: 0 5px 0 5px;
-moz-border-radius: 5px;
-webkit-border-radius: 5px;
border-radius:6px;
}
div#doc p.go-top, div#doc p.go-top a, div#doc p.go-top a:hover {
opacity: 0.75;
filter:alpha(opacity=75); /* For IE8 and earlier */
position: fixed;
bottom: 0.5em;
right: 0.5em;
text-decoration: none;
font-size: small;
padding: 0;
display: block;
}
div#doc p.go-top a:hover {
opacity: 1.0;
filter:alpha(opacity=100); /* For IE8 and earlier */
}


@ -0,0 +1 @@
5.2.3.7