Implement CHECKSUM action in the tcrules file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-10-22 15:42:13 -07:00
parent f24e194819
commit 0387b16983
5 changed files with 389 additions and 338 deletions


@ -25,7 +25,7 @@
# loaded after this one and replaces some of the functions declared here. # loaded after this one and replaces some of the functions declared here.
# #
SHOREWALL_CAPVERSION=40507 SHOREWALL_CAPVERSION=40509
[ -n "${g_program:=shorewall}" ] [ -n "${g_program:=shorewall}" ]
@ -2103,6 +2103,7 @@ determine_capabilities() {
GEOIP_MATCH= GEOIP_MATCH=
RPFILTER_MATCH= RPFILTER_MATCH=
NFACCT_MATCH= NFACCT_MATCH=
CHECKSUM_TARGET=
AMANDA_HELPER= AMANDA_HELPER=
FTP_HELPER= FTP_HELPER=
FTP0_HELPER= FTP0_HELPER=
@ -2264,6 +2265,7 @@ determine_capabilities() {
qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
qt $g_tool -t mangle -A $chain -j CHECKSUM --checksum-fill && CHECKSUM_TARGET=Yes
qt $g_tool -t mangle -F $chain qt $g_tool -t mangle -F $chain
qt $g_tool -t mangle -X $chain qt $g_tool -t mangle -X $chain
@ -2500,6 +2502,8 @@ report_capabilities() {
report_capability "Geo IP match" $GEOIP_MATCH report_capability "Geo IP match" $GEOIP_MATCH
report_capability "RPFilter match" $RPFILTER_MATCH report_capability "RPFilter match" $RPFILTER_MATCH
report_capability "NFAcct match" $NFACCT_MATCH report_capability "NFAcct match" $NFACCT_MATCH
report_capability "Checksum Target" $CHECKSUM_TARGET
report_capability "Amanda Helper" $AMANDA_HELPER report_capability "Amanda Helper" $AMANDA_HELPER
report_capability "FTP Helper" $FTP_HELPER report_capability "FTP Helper" $FTP_HELPER
report_capability "FTP-0 Helper" $FTP0_HELPER report_capability "FTP-0 Helper" $FTP0_HELPER
@ -2611,6 +2615,8 @@ report_capabilities1() {
report_capability1 GEOIP_MATCH report_capability1 GEOIP_MATCH
report_capability1 RPFILTER_MATCH report_capability1 RPFILTER_MATCH
report_capability1 NFACCT_MATCH report_capability1 NFACCT_MATCH
report_capability1 CHECKSUM_TARGET
report_capability1 AMANDA_HELPER report_capability1 AMANDA_HELPER
report_capability1 FTP_HELPER report_capability1 FTP_HELPER
report_capability1 FTP0_HELPER report_capability1 FTP0_HELPER


@ -339,6 +339,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
GEOIP_MATCH => 'GeoIP Match' , GEOIP_MATCH => 'GeoIP Match' ,
RPFILTER_MATCH => 'RPFilter Match', RPFILTER_MATCH => 'RPFilter Match',
NFACCT_MATCH => 'NFAcct Match', NFACCT_MATCH => 'NFAcct Match',
CHECKSUM_TARGET => 'Checksum Target',
AMANDA_HELPER => 'Amanda Helper', AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper', FTP_HELPER => 'FTP Helper',
FTP0_HELPER => 'FTP-0 Helper', FTP0_HELPER => 'FTP-0 Helper',
@ -607,7 +608,7 @@ sub initialize( $;$$) {
KLUDGEFREE => '', KLUDGEFREE => '',
STATEMATCH => '-m state --state', STATEMATCH => '-m state --state',
VERSION => "4.5.8-Beta2", VERSION => "4.5.8-Beta2",
CAPVERSION => 40507 , CAPVERSION => 40509 ,
); );
# #
# From shorewall.conf file # From shorewall.conf file
@ -848,6 +849,8 @@ sub initialize( $;$$) {
GEOIP_MATCH => undef, GEOIP_MATCH => undef,
RPFILTER_MATCH => undef, RPFILTER_MATCH => undef,
NFACCT_MATCH => undef, NFACCT_MATCH => undef,
CHECKSUM_TARGET => undef,
AMANDA_HELPER => undef, AMANDA_HELPER => undef,
FTP_HELPER => undef, FTP_HELPER => undef,
FTP0_HELPER => undef, FTP0_HELPER => undef,
@ -3492,12 +3495,17 @@ sub GeoIP_Match() {
qt1( "$iptables -A $sillyname -m geoip --src-cc US" ); qt1( "$iptables -A $sillyname -m geoip --src-cc US" );
} }
sub Checksum_Target() {
have_capability 'MANGLE_ENABLED' && qt1( "iptables -m mangle -A $sillyname -j CHECKSUM --checksum-fill" );
}
our %detect_capability = our %detect_capability =
( ACCOUNT_TARGET =>\&Account_Target, ( ACCOUNT_TARGET =>\&Account_Target,
AMANDA_HELPER => \&Amanda_Helper, AMANDA_HELPER => \&Amanda_Helper,
AUDIT_TARGET => \&Audit_Target, AUDIT_TARGET => \&Audit_Target,
ADDRTYPE => \&Addrtype, ADDRTYPE => \&Addrtype,
BASIC_FILTER => \&Basic_Filter, BASIC_FILTER => \&Basic_Filter,
CHECKSUM_TARGET => \&Checksum_Target,
CLASSIFY_TARGET => \&Classify_Target, CLASSIFY_TARGET => \&Classify_Target,
CONDITION_MATCH => \&Condition_Match, CONDITION_MATCH => \&Condition_Match,
COMMENTS => \&Comments, COMMENTS => \&Comments,
@ -3707,6 +3715,7 @@ sub determine_capabilities() {
$capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' ); $capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' );
$capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' ); $capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' );
$capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' ); $capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' );
$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
if ( have_capability 'CT_TARGET' ) { if ( have_capability 'CT_TARGET' ) {
$capabilities{$_} = detect_capability $_ for ( values( %helpers_map ) ); $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ) );
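Review bot: The probe in `Checksum_Target` runs `iptables -m mangle -A $sillyname -j CHECKSUM --checksum-fill`, which selects the table with `-m` instead of `-t` and hard-codes `iptables` where the neighbouring `GeoIP_Match` interpolates `$iptables`; there is no match module named mangle, so the command is expected to fail and the compiler would never detect CHECKSUM_TARGET, even though the shell-side probe in the same commit (`qt $g_tool -t mangle -A $chain -j CHECKSUM --checksum-fill`) gets it right, and the literal binary name bypasses whatever `$iptables` resolves to (IPv6 builds, non-default paths). Suggest `have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j CHECKSUM --checksum-fill" );`. The parentheses also matter if `have_capability` is not declared with a single-scalar prototype: a bare list operator would take `'MANGLE_ENABLED' && qt1(...)` as its argument list, running the probe unconditionally and testing the wrong value — worth confirming against its declaration, which is outside this hunk.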


@ -457,6 +457,10 @@ sub process_tc_rule( ) {
assert( $cmd =~ /^TOS\((.+)\)$/ ); assert( $cmd =~ /^TOS\((.+)\)$/ );
$target .= decode_tos( $1 , 2 ); $target .= decode_tos( $1 , 2 );
}, },
CHECKSUM => sub()
{ require_capability 'CHECKSUM_TARGET', 'The CHECKSUM action', 's';
$target .= ' --checksum-fill';
},
); );
if ( $source ) { if ( $source ) {
@ -2319,6 +2323,12 @@ sub setup_tc() {
mask => '', mask => '',
connmark => 0 connmark => 0
}, },
{ match => sub( $ ) { $_[0] eq 'CHECKSUM' },
target => 'CHECKSUM' ,
mark => NOMARK,
mask => '',
connmark => 0,
}
); );
if ( my $fn = open_file 'tcrules' ) { if ( my $fn = open_file 'tcrules' ) {
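Review bot: The new `CHECKSUM` entry in the action table (`{ match => sub( $ ) { $_[0] eq 'CHECKSUM' }, ... }`) and the dispatch sub that appends ` --checksum-fill` carry no comment, although this target is unusual among tcrules actions in taking no argument and being valid only in the mangle table; suggest `# CHECKSUM: fill in a missing packet checksum (mangle table only, no argument); needs CHECKSUM_TARGET` above the entry. Because the matcher is an exact string compare, a spelling such as `CHECKSUM(x)` falls through to whatever the table's default handling is rather than producing a CHECKSUM-specific error — fine if that default already reports an invalid action, which is not visible here. Minor style: the preceding entry ends `connmark => 0` without a trailing comma whereas the new one has `connmark => 0,`; pick one form for the table. The enclosing `process_tc_rule` and `setup_tc` start and end outside these hunks.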


@ -255,27 +255,27 @@
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis <para><emphasis role="bold">CHECKSUM</emphasis></para>
role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
restore the packet's mark from the connection's mark using the
supplied mask if any. Your kernel and iptables must include
CONNMARK support.</para>
<para>As in 1) above, may be followed by <emphasis <para>Added in Shorewall 4.5.9. Compute and fill in the checksum
role="bold">:P</emphasis> or <emphasis in a packet that lacks a checksum. This is particularly useful,
role="bold">:F</emphasis></para> if you need to work around old applications such as dhcp
clients, that do not work well with check sum offloads, but
don't want to disable checksum offload in your device.</para>
<para>Requires 'Checksum Target' support in your kernel and
iptables.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis <para><emphasis role="bold">COMMENT</emphasis> -- the rest of
role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save the line will be attached as a comment to the Netfilter rule(s)
the packet's mark to the connection's mark using the supplied generated by the following entries. The comment will appear
mask if any. Your kernel and iptables must include CONNMARK delimited by "/* ... */" in the output of <command>shorewall
support.</para> show mangle</command></para>
<para>As in 1) above, may be followed by <emphasis <para>To stop the comment from being attached to further rules,
role="bold">:P</emphasis> or <emphasis simply include COMMENT on a line by itself.</para>
role="bold">:F</emphasis></para>
</listitem> </listitem>
<listitem> <listitem>
@ -291,44 +291,85 @@
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis role="bold">SAME</emphasis> Some websites run <para><emphasis role="bold">DIVERT</emphasis></para>
applications that require multiple connections from a client
browser. Where multiple 'balanced' providers are configured,
this can lead to problems when some of the connections are
routed through one provider and some through another. The SAME
target allows you to work around that problem. SAME may be used
in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
causes matching connections from an individual local system to
all use the same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the
last five minutes then the new connection will use the same
provider as the connection over which that last packet was
sent.</para>
<para>When used in the OUTPUT chain, it causes all matching <para>Added in Shorewall 4.5.4 and only available when FORMAT is
connections to an individual remote system to all use the same 2. Two DIVERT rule should preceed the TPROXY rule and should
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
# PORT(S) (assuming that tcp port 80 is being proxied). DIVERT avoids
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting> sending packets to the TPROXY target once a socket connection to
If the firewall attempts a connection on TCP port 80 or 443 and Squid3 has been established by TPROXY. DIVERT marks the packet
it has sent a packet on either of those ports in the last five with a unique mark and exempts it from any rules that
minutes to the same remote system then the new connection will follow.</para>
use the same provider as the connection over which that last
packet was sent.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis role="bold">COMMENT</emphasis> -- the rest of <para><emphasis
the line will be attached as a comment to the Netfilter rule(s) role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of <command>shorewall
show mangle</command></para>
<para>To stop the comment from being attached to further rules, <para>Added in Shorewall 4.5.1. Sets the
simply include COMMENT on a line by itself.</para> <firstterm>Differentiated Services Code Point</firstterm> field
in the IP header. The <replaceable>dscp</replaceable> value may
be given as an even number (hex or decimal) or as the name of a
DSCP class. Valid class names and their associated hex numeric
values are:</para>
<programlisting> CS0 =&gt; 0x00
CS1 =&gt; 0x08
CS2 =&gt; 0x10
CS3 =&gt; 0x18
CS4 =&gt; 0x20
CS5 =&gt; 0x28
CS6 =&gt; 0x30
CS7 =&gt; 0x38
BE =&gt; 0x00
AF11 =&gt; 0x0a
AF12 =&gt; 0x0c
AF13 =&gt; 0x0e
AF21 =&gt; 0x12
AF22 =&gt; 0x14
AF23 =&gt; 0x16
AF31 =&gt; 0x1a
AF32 =&gt; 0x1c
AF33 =&gt; 0x1e
AF41 =&gt; 0x22
AF42 =&gt; 0x24
AF43 =&gt; 0x26
EF =&gt; 0x2e</programlisting>
<para>To indicate more than one class, add their hex values
together and specify the result.</para>
<para>May be optionally followed by ':' and a capital letter
designating the chain where classification is to occur.</para>
<variablelist>
<varlistentry>
<term>F</term>
<listitem>
<para>FORWARD chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>T</term>
<listitem>
<para>POSTROUTING chain (default).</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
<listitem>
<para><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Specifies that the packet should
be passed to the IMQ identified by
<replaceable>number</replaceable>. Requires IMQ Target support
in your kernel and iptables.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -436,16 +477,110 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis role="bold">DIVERT</emphasis></para> <para><emphasis
role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
restore the packet's mark from the connection's mark using the
supplied mask if any. Your kernel and iptables must include
CONNMARK support.</para>
<para>Added in Shorewall 4.5.4 and only available when FORMAT is <para>As in 1) above, may be followed by <emphasis
2. Two DIVERT rule should preceed the TPROXY rule and should role="bold">:P</emphasis> or <emphasis
select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively role="bold">:F</emphasis></para>
(assuming that tcp port 80 is being proxied). DIVERT avoids </listitem>
sending packets to the TPROXY target once a socket connection to
Squid3 has been established by TPROXY. DIVERT marks the packet <listitem>
with a unique mark and exempts it from any rules that <para><emphasis role="bold">SAME</emphasis> Some websites run
follow.</para> applications that require multiple connections from a client
browser. Where multiple 'balanced' providers are configured,
this can lead to problems when some of the connections are
routed through one provider and some through another. The SAME
target allows you to work around that problem. SAME may be used
in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
causes matching connections from an individual local system to
all use the same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the
last five minutes then the new connection will use the same
provider as the connection over which that last packet was
sent.</para>
<para>When used in the OUTPUT chain, it causes all matching
connections to an individual remote system to all use the same
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
If the firewall attempts a connection on TCP port 80 or 443 and
it has sent a packet on either of those ports in the last five
minutes to the same remote system then the new connection will
use the same provider as the connection over which that last
packet was sent.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
the packet's mark to the connection's mark using the supplied
mask if any. Your kernel and iptables must include CONNMARK
support.</para>
<para>As in 1) above, may be followed by <emphasis
role="bold">:P</emphasis> or <emphasis
role="bold">:F</emphasis></para>
</listitem>
<listitem>
<para><emphasis
role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
<para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
Service</firstterm> field in the IP header. The
<replaceable>tos</replaceable> value may be given as an number
(hex or decimal) or as the name of a TOS type. Valid type names
and their associated hex numeric values are:</para>
<programlisting>Minimize-Delay =&gt; 0x10,
Maximize-Throughput =&gt; 0x08,
Maximize-Reliability =&gt; 0x04,
Minimize-Cost =&gt; 0x02,
Normal-Service =&gt; 0x00</programlisting>
<para>To indicate more than one class, add their hex values
together and specify the result.</para>
<para>When <replaceable>tos</replaceable> is given as a number,
it may be optionally followed by '/' and a
<replaceable>mask</replaceable>. When no
<replaceable>mask</replaceable> is given, the value 0xff is
assumed. When <replaceable>tos</replaceable> is given as a type
name, the <replaceable>mask</replaceable> 0x3f is
assumed.</para>
<para>The action performed is to zero out the bits specified by
the <replaceable>mask</replaceable>, then set the bits specified
by <replaceable>tos</replaceable>.</para>
<para>May be optionally followed by ':' and a capital letter
designating the chain where classification is to occur.</para>
<variablelist>
<varlistentry>
<term>F</term>
<listitem>
<para>FORWARD chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>T</term>
<listitem>
<para>POSTROUTING chain.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem> </listitem>
<listitem> <listitem>
@ -534,128 +669,6 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
is set to <replaceable>number</replaceable>. The valid range of is set to <replaceable>number</replaceable>. The valid range of
values for <replaceable>number</replaceable> is 1-255.</para> values for <replaceable>number</replaceable> is 1-255.</para>
</listitem> </listitem>
<listitem>
<para><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Specifies that the packet should
be passed to the IMQ identified by
<replaceable>number</replaceable>. Requires IMQ Target support
in your kernel and iptables.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Sets the
<firstterm>Differentiated Services Code Point</firstterm> field
in the IP header. The <replaceable>dscp</replaceable> value may
be given as an even number (hex or decimal) or as the name of a
DSCP class. Valid class names and their associated hex numeric
values are:</para>
<programlisting> CS0 =&gt; 0x00
CS1 =&gt; 0x08
CS2 =&gt; 0x10
CS3 =&gt; 0x18
CS4 =&gt; 0x20
CS5 =&gt; 0x28
CS6 =&gt; 0x30
CS7 =&gt; 0x38
BE =&gt; 0x00
AF11 =&gt; 0x0a
AF12 =&gt; 0x0c
AF13 =&gt; 0x0e
AF21 =&gt; 0x12
AF22 =&gt; 0x14
AF23 =&gt; 0x16
AF31 =&gt; 0x1a
AF32 =&gt; 0x1c
AF33 =&gt; 0x1e
AF41 =&gt; 0x22
AF42 =&gt; 0x24
AF43 =&gt; 0x26
EF =&gt; 0x2e</programlisting>
<para>To indicate more than one class, add their hex values
together and specify the result.</para>
<para>May be optionally followed by ':' and a capital letter
designating the chain where classification is to occur.</para>
<variablelist>
<varlistentry>
<term>F</term>
<listitem>
<para>FORWARD chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>T</term>
<listitem>
<para>POSTROUTING chain (default).</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
<listitem>
<para><emphasis
role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
<para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
Service</firstterm> field in the IP header. The
<replaceable>tos</replaceable> value may be given as an number
(hex or decimal) or as the name of a TOS type. Valid type names
and their associated hex numeric values are:</para>
<programlisting>Minimize-Delay =&gt; 0x10,
Maximize-Throughput =&gt; 0x08,
Maximize-Reliability =&gt; 0x04,
Minimize-Cost =&gt; 0x02,
Normal-Service =&gt; 0x00</programlisting>
<para>To indicate more than one class, add their hex values
together and specify the result.</para>
<para>When <replaceable>tos</replaceable> is given as a number,
it may be optionally followed by '/' and a
<replaceable>mask</replaceable>. When no
<replaceable>mask</replaceable> is given, the value 0xff is
assumed. When <replaceable>tos</replaceable> is given as a type
name, the <replaceable>mask</replaceable> 0x3f is
assumed.</para>
<para>The action performed is to zero out the bits specified by
the <replaceable>mask</replaceable>, then set the bits specified
by <replaceable>tos</replaceable>.</para>
<para>May be optionally followed by ':' and a capital letter
designating the chain where classification is to occur.</para>
<variablelist>
<varlistentry>
<term>F</term>
<listitem>
<para>FORWARD chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>T</term>
<listitem>
<para>POSTROUTING chain.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -255,27 +255,27 @@
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis <para><emphasis role="bold">CHECKSUM</emphasis></para>
role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
restore the packet's mark from the connection's mark using the
supplied mask if any. Your kernel and ip6tables must include
CONNMARK support.</para>
<para>As in 1) above, may be followed by <emphasis <para>Added in Shorewall 4.5.9. Compute and fill in the checksum
role="bold">:P</emphasis> or <emphasis in a packet that lacks a checksum. This is particularly useful,
role="bold">:F</emphasis></para> if you need to work around old applications such as dhcp
clients, that do not work well with check sum offloads, but
don't want to disable checksum offload in your device.</para>
<para>Requires 'Checksum Target' support in your kernel and
ip6tables.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis <para><emphasis role="bold">COMMENT</emphasis> -- the rest of
role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save the line will be attached as a comment to the Netfilter rule(s)
the packet's mark to the connection's mark using the supplied generated by the following entries. The comment will appear
mask if any. Your kernel and ip6tables must include CONNMARK delimited by "/* ... */" in the output of <command>shorewall6
support.</para> show mangle</command></para>
<para>As in 1) above, may be followed by <emphasis <para>To stop the comment from being attached to further rules,
role="bold">:P</emphasis> or <emphasis simply include COMMENT on a line by itself.</para>
role="bold">:F</emphasis></para>
</listitem> </listitem>
<listitem> <listitem>
@ -290,48 +290,6 @@
ip6tables/Netfilter provides the necessary support.</para> ip6tables/Netfilter provides the necessary support.</para>
</listitem> </listitem>
<listitem>
<para><emphasis role="bold">SAME</emphasis> (Added in Shorewall
4.3.5) -- Some websites run applications that require multiple
connections from a client browser. Where multiple 'balanced'
providers are configured, this can lead to problems when some of
the connections are routed through one provider and some through
another. The SAME target allows you to work around that problem.
SAME may be used in the PREROUTING and OUTPUT chains. When used
in PREROUTING, it causes matching connections from an individual
local system to all use the same provider. For example:
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the
last five minutes then the new connection will use the same
provider as the connection over which that last packet was
sent.</para>
<para>When used in the OUTPUT chain, it causes all matching
connections to an individual remote system to all use the same
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
If the firewall attempts a connection on TCP port 80 or 443 and
it has sent a packet on either of those ports in the last five
minutes to the same remote system then the new connection will
use the same provider as the connection over which that last
packet was sent.</para>
</listitem>
<listitem>
<para><emphasis role="bold">COMMENT</emphasis> -- the rest of
the line will be attached as a comment to the Netfilter rule(s)
generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of <command>shorewall6
show mangle</command></para>
<para>To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.</para>
</listitem>
<listitem> <listitem>
<para><emphasis role="bold">DIVERT</emphasis></para> <para><emphasis role="bold">DIVERT</emphasis></para>
@ -344,103 +302,6 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
it from any rules that follow.</para> it from any rules that follow.</para>
</listitem> </listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-- FORMAT 1</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first
(mark) is required:</para>
<itemizedlist>
<listitem>
<para><replaceable>mark</replaceable> - the MARK value
corresponding to the local provider in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
</listitem>
<listitem>
<para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original
destination port.</para>
</listitem>
<listitem>
<para><replaceable>address</replaceable> - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-- FORMAT 2</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first
(mark) is required:</para>
<itemizedlist>
<listitem>
<para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original
destination port.</para>
</listitem>
<listitem>
<para><replaceable>address</replaceable> - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><emphasis role="bold">HL</emphasis>([<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.4.24.</para>
<para>Prior to Shorewall 4.5.7.2, may be optionally followed by
<emphasis role="bold">:F</emphasis> but the resulting rule is
always added to the FORWARD chain. Beginning with Shorewall
4.5.7.s, it may be optionally followed by <emphasis
role="bold">:P</emphasis>, in which case the rule is added to
the PREROUTING chain.</para>
<para>If <emphasis role="bold">+</emphasis> is included, packets
matching the rule will have their HL (hop limit) incremented by
<replaceable>number</replaceable>. Similarly, if <emphasis
role="bold">-</emphasis> is included, matching packets have
their HL decremented by <replaceable>number</replaceable>. If
neither <emphasis role="bold">+</emphasis> nor <emphasis
role="bold">-</emphasis> is given, the HL of matching packets is
set to <replaceable>number</replaceable>. The valid range of
values for <replaceable>number</replaceable> is 1-255.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Specifies that the packet should
be passed to the IMQ identified by
<replaceable>number</replaceable>. Requires IMQ Target support
in your kernel and ip6tables.</para>
</listitem>
<listitem> <listitem>
<para><emphasis <para><emphasis
role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para> role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
@ -500,6 +361,96 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</variablelist> </variablelist>
</listitem> </listitem>
<listitem>
<para><emphasis role="bold">HL</emphasis>([<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.4.24.</para>
<para>Prior to Shorewall 4.5.7.2, may be optionally followed by
<emphasis role="bold">:F</emphasis> but the resulting rule is
always added to the FORWARD chain. Beginning with Shorewall
4.5.7.s, it may be optionally followed by <emphasis
role="bold">:P</emphasis>, in which case the rule is added to
the PREROUTING chain.</para>
<para>If <emphasis role="bold">+</emphasis> is included, packets
matching the rule will have their HL (hop limit) incremented by
<replaceable>number</replaceable>. Similarly, if <emphasis
role="bold">-</emphasis> is included, matching packets have
their HL decremented by <replaceable>number</replaceable>. If
neither <emphasis role="bold">+</emphasis> nor <emphasis
role="bold">-</emphasis> is given, the HL of matching packets is
set to <replaceable>number</replaceable>. The valid range of
values for <replaceable>number</replaceable> is 1-255.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Specifies that the packet should
be passed to the IMQ identified by
<replaceable>number</replaceable>. Requires IMQ Target support
in your kernel and ip6tables.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
restore the packet's mark from the connection's mark using the
supplied mask if any. Your kernel and ip6tables must include
CONNMARK support.</para>
<para>As in 1) above, may be followed by <emphasis
role="bold">:P</emphasis> or <emphasis
role="bold">:F</emphasis></para>
</listitem>
<listitem>
<para><emphasis role="bold">SAME</emphasis> (Added in Shorewall
4.3.5) -- Some websites run applications that require multiple
connections from a client browser. Where multiple 'balanced'
providers are configured, this can lead to problems when some of
the connections are routed through one provider and some through
another. The SAME target allows you to work around that problem.
SAME may be used in the PREROUTING and OUTPUT chains. When used
in PREROUTING, it causes matching connections from an individual
local system to all use the same provider. For example:
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the
last five minutes then the new connection will use the same
provider as the connection over which that last packet was
sent.</para>
<para>When used in the OUTPUT chain, it causes all matching
connections to an individual remote system to all use the same
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
If the firewall attempts a connection on TCP port 80 or 443 and
it has sent a packet on either of those ports in the last five
minutes to the same remote system then the new connection will
use the same provider as the connection over which that last
packet was sent.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
the packet's mark to the connection's mark using the supplied
mask if any. Your kernel and ip6tables must include CONNMARK
support.</para>
<para>As in 1) above, may be followed by <emphasis
role="bold">:P</emphasis> or <emphasis
role="bold">:F</emphasis></para>
</listitem>
<listitem> <listitem>
<para><emphasis <para><emphasis
role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para> role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
@ -552,6 +503,68 @@ Normal-Service =&gt; 0x00</programlisting>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</listitem> </listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-- FORMAT 1</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first
(mark) is required:</para>
<itemizedlist>
<listitem>
<para><replaceable>mark</replaceable> - the MARK value
corresponding to the local provider in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
</listitem>
<listitem>
<para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original
destination port.</para>
</listitem>
<listitem>
<para><replaceable>address</replaceable> - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-- FORMAT 2</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first
(mark) is required:</para>
<itemizedlist>
<listitem>
<para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original
destination port.</para>
</listitem>
<listitem>
<para><replaceable>address</replaceable> - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.</para>
</listitem>
</itemizedlist>
</listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>