holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Implement CHECKSUM action in the tcrules file.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-10-22 15:42:13 -07:00
parent f24e194819
commit 0387b16983
5 changed files with 389 additions and 338 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Shorewall-core/lib.cli
View File

@ -25,7 +25,7 @@
# loaded after this one and replaces some of the functions declared here.
#
SHOREWALL_CAPVERSION=40507
SHOREWALL_CAPVERSION=40509
[ -n "${g_program:=shorewall}" ]
@ -2103,6 +2103,7 @@ determine_capabilities() {
GEOIP_MATCH=
RPFILTER_MATCH=
NFACCT_MATCH=
CHECKSUM_TARGET=
AMANDA_HELPER=
FTP_HELPER=
FTP0_HELPER=
@ -2264,6 +2265,7 @@ determine_capabilities() {
qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
qt $g_tool -t mangle -A $chain -j CHECKSUM --checksum-fill && CHECKSUM_TARGET=Yes
qt $g_tool -t mangle -F $chain
qt $g_tool -t mangle -X $chain
@ -2500,6 +2502,8 @@ report_capabilities() {
report_capability "Geo IP match" $GEOIP_MATCH
report_capability "RPFilter match" $RPFILTER_MATCH
report_capability "NFAcct match" $NFACCT_MATCH
report_capability "Checksum Target" $CHECKSUM_TARGET
report_capability "Amanda Helper" $AMANDA_HELPER
report_capability "FTP Helper" $FTP_HELPER
report_capability "FTP-0 Helper" $FTP0_HELPER
@ -2611,6 +2615,8 @@ report_capabilities1() {
report_capability1 GEOIP_MATCH
report_capability1 RPFILTER_MATCH
report_capability1 NFACCT_MATCH
report_capability1 CHECKSUM_TARGET
report_capability1 AMANDA_HELPER
report_capability1 FTP_HELPER
report_capability1 FTP0_HELPER

11
Shorewall/Perl/Shorewall/Config.pm
View File

@ -339,6 +339,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
GEOIP_MATCH => 'GeoIP Match' ,
RPFILTER_MATCH => 'RPFilter Match',
NFACCT_MATCH => 'NFAcct Match',
CHECKSUM_TARGET => 'Checksum Target',
AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper',
FTP0_HELPER => 'FTP-0 Helper',
@ -607,7 +608,7 @@ sub initialize( $;$$) {
KLUDGEFREE => '',
STATEMATCH => '-m state --state',
VERSION => "4.5.8-Beta2",
CAPVERSION => 40507 ,
CAPVERSION => 40509 ,
);
#
# From shorewall.conf file
@ -848,6 +849,8 @@ sub initialize( $;$$) {
GEOIP_MATCH => undef,
RPFILTER_MATCH => undef,
NFACCT_MATCH => undef,
CHECKSUM_TARGET => undef,
AMANDA_HELPER => undef,
FTP_HELPER => undef,
FTP0_HELPER => undef,
@ -3492,12 +3495,17 @@ sub GeoIP_Match() {
qt1( "$iptables -A $sillyname -m geoip --src-cc US" );
}
sub Checksum_Target() {
have_capability 'MANGLE_ENABLED' && qt1( "iptables -m mangle -A $sillyname -j CHECKSUM --checksum-fill" );
}
our %detect_capability =
( ACCOUNT_TARGET =>\&Account_Target,
AMANDA_HELPER => \&Amanda_Helper,
AUDIT_TARGET => \&Audit_Target,
ADDRTYPE => \&Addrtype,
BASIC_FILTER => \&Basic_Filter,
CHECKSUM_TARGET => \&Checksum_Target,
CLASSIFY_TARGET => \&Classify_Target,
CONDITION_MATCH => \&Condition_Match,
COMMENTS => \&Comments,
@ -3707,6 +3715,7 @@ sub determine_capabilities() {
$capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' );
$capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' );
$capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' );
$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
if ( have_capability 'CT_TARGET' ) {
$capabilities{$_} = detect_capability $_ for ( values( %helpers_map ) );

10
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -457,6 +457,10 @@ sub process_tc_rule( ) {
assert( $cmd =~ /^TOS\((.+)\)$/ );
$target .= decode_tos( $1 , 2 );
},
CHECKSUM => sub()
{ require_capability 'CHECKSUM_TARGET', 'The CHECKSUM action', 's';
$target .= ' --checksum-fill';
},
);
if ( $source ) {
@ -2319,6 +2323,12 @@ sub setup_tc() {
mask => '',
connmark => 0
},
{ match => sub( $ ) { $_[0] eq 'CHECKSUM' },
target => 'CHECKSUM' ,
mark => NOMARK,
mask => '',
connmark => 0,
}
);
if ( my $fn = open_file 'tcrules' ) {

373
Shorewall/manpages/shorewall-tcrules.xml
View File

@ -255,27 +255,27 @@
</listitem>
<listitem>
<para><emphasis
role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
restore the packet's mark from the connection's mark using the
supplied mask if any. Your kernel and iptables must include
CONNMARK support.</para>
<para><emphasis role="bold">CHECKSUM</emphasis></para>
<para>As in 1) above, may be followed by <emphasis
role="bold">:P</emphasis> or <emphasis
role="bold">:F</emphasis></para>
<para>Added in Shorewall 4.5.9. Compute and fill in the checksum
in a packet that lacks a checksum. This is particularly useful,
if you need to work around old applications such as dhcp
clients, that do not work well with check sum offloads, but
don't want to disable checksum offload in your device.</para>
<para>Requires 'Checksum Target' support in your kernel and
iptables.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
the packet's mark to the connection's mark using the supplied
mask if any. Your kernel and iptables must include CONNMARK
support.</para>
<para><emphasis role="bold">COMMENT</emphasis> -- the rest of
the line will be attached as a comment to the Netfilter rule(s)
generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of <command>shorewall
show mangle</command></para>
<para>As in 1) above, may be followed by <emphasis
role="bold">:P</emphasis> or <emphasis
role="bold">:F</emphasis></para>
<para>To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.</para>
</listitem>
<listitem>
@ -291,44 +291,85 @@
</listitem>
<listitem>
<para><emphasis role="bold">SAME</emphasis> Some websites run
applications that require multiple connections from a client
browser. Where multiple 'balanced' providers are configured,
this can lead to problems when some of the connections are
routed through one provider and some through another. The SAME
target allows you to work around that problem. SAME may be used
in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
causes matching connections from an individual local system to
all use the same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the
last five minutes then the new connection will use the same
provider as the connection over which that last packet was
sent.</para>
<para><emphasis role="bold">DIVERT</emphasis></para>
<para>When used in the OUTPUT chain, it causes all matching
connections to an individual remote system to all use the same
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
If the firewall attempts a connection on TCP port 80 or 443 and
it has sent a packet on either of those ports in the last five
minutes to the same remote system then the new connection will
use the same provider as the connection over which that last
packet was sent.</para>
<para>Added in Shorewall 4.5.4 and only available when FORMAT is
2. Two DIVERT rule should preceed the TPROXY rule and should
select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
(assuming that tcp port 80 is being proxied). DIVERT avoids
sending packets to the TPROXY target once a socket connection to
Squid3 has been established by TPROXY. DIVERT marks the packet
with a unique mark and exempts it from any rules that
follow.</para>
</listitem>
<listitem>
<para><emphasis role="bold">COMMENT</emphasis> -- the rest of
the line will be attached as a comment to the Netfilter rule(s)
generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of <command>shorewall
show mangle</command></para>
<para><emphasis
role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
<para>To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.</para>
<para>Added in Shorewall 4.5.1. Sets the
<firstterm>Differentiated Services Code Point</firstterm> field
in the IP header. The <replaceable>dscp</replaceable> value may
be given as an even number (hex or decimal) or as the name of a
DSCP class. Valid class names and their associated hex numeric
values are:</para>
<programlisting> CS0 =&gt; 0x00
CS1 =&gt; 0x08
CS2 =&gt; 0x10
CS3 =&gt; 0x18
CS4 =&gt; 0x20
CS5 =&gt; 0x28
CS6 =&gt; 0x30
CS7 =&gt; 0x38
BE =&gt; 0x00
AF11 =&gt; 0x0a
AF12 =&gt; 0x0c
AF13 =&gt; 0x0e
AF21 =&gt; 0x12
AF22 =&gt; 0x14
AF23 =&gt; 0x16
AF31 =&gt; 0x1a
AF32 =&gt; 0x1c
AF33 =&gt; 0x1e
AF41 =&gt; 0x22
AF42 =&gt; 0x24
AF43 =&gt; 0x26
EF =&gt; 0x2e</programlisting>
<para>To indicate more than one class, add their hex values
together and specify the result.</para>
<para>May be optionally followed by ':' and a capital letter
designating the chain where classification is to occur.</para>
<variablelist>
<varlistentry>
<term>F</term>
<listitem>
<para>FORWARD chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>T</term>
<listitem>
<para>POSTROUTING chain (default).</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
<listitem>
<para><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Specifies that the packet should
be passed to the IMQ identified by
<replaceable>number</replaceable>. Requires IMQ Target support
in your kernel and iptables.</para>
</listitem>
<listitem>
@ -436,16 +477,110 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</listitem>
<listitem>
<para><emphasis role="bold">DIVERT</emphasis></para>
<para><emphasis
role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
restore the packet's mark from the connection's mark using the
supplied mask if any. Your kernel and iptables must include
CONNMARK support.</para>
<para>Added in Shorewall 4.5.4 and only available when FORMAT is
2. Two DIVERT rule should preceed the TPROXY rule and should
select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
(assuming that tcp port 80 is being proxied). DIVERT avoids
sending packets to the TPROXY target once a socket connection to
Squid3 has been established by TPROXY. DIVERT marks the packet
with a unique mark and exempts it from any rules that
follow.</para>
<para>As in 1) above, may be followed by <emphasis
role="bold">:P</emphasis> or <emphasis
role="bold">:F</emphasis></para>
</listitem>
<listitem>
<para><emphasis role="bold">SAME</emphasis> Some websites run
applications that require multiple connections from a client
browser. Where multiple 'balanced' providers are configured,
this can lead to problems when some of the connections are
routed through one provider and some through another. The SAME
target allows you to work around that problem. SAME may be used
in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
causes matching connections from an individual local system to
all use the same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the
last five minutes then the new connection will use the same
provider as the connection over which that last packet was
sent.</para>
<para>When used in the OUTPUT chain, it causes all matching
connections to an individual remote system to all use the same
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
If the firewall attempts a connection on TCP port 80 or 443 and
it has sent a packet on either of those ports in the last five
minutes to the same remote system then the new connection will
use the same provider as the connection over which that last
packet was sent.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
the packet's mark to the connection's mark using the supplied
mask if any. Your kernel and iptables must include CONNMARK
support.</para>
<para>As in 1) above, may be followed by <emphasis
role="bold">:P</emphasis> or <emphasis
role="bold">:F</emphasis></para>
</listitem>
<listitem>
<para><emphasis
role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
<para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
Service</firstterm> field in the IP header. The
<replaceable>tos</replaceable> value may be given as an number
(hex or decimal) or as the name of a TOS type. Valid type names
and their associated hex numeric values are:</para>
<programlisting>Minimize-Delay =&gt; 0x10,
Maximize-Throughput =&gt; 0x08,
Maximize-Reliability =&gt; 0x04,
Minimize-Cost =&gt; 0x02,
Normal-Service =&gt; 0x00</programlisting>
<para>To indicate more than one class, add their hex values
together and specify the result.</para>
<para>When <replaceable>tos</replaceable> is given as a number,
it may be optionally followed by '/' and a
<replaceable>mask</replaceable>. When no
<replaceable>mask</replaceable> is given, the value 0xff is
assumed. When <replaceable>tos</replaceable> is given as a type
name, the <replaceable>mask</replaceable> 0x3f is
assumed.</para>
<para>The action performed is to zero out the bits specified by
the <replaceable>mask</replaceable>, then set the bits specified
by <replaceable>tos</replaceable>.</para>
<para>May be optionally followed by ':' and a capital letter
designating the chain where classification is to occur.</para>
<variablelist>
<varlistentry>
<term>F</term>
<listitem>
<para>FORWARD chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>T</term>
<listitem>
<para>POSTROUTING chain.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
<listitem>
@ -534,128 +669,6 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
is set to <replaceable>number</replaceable>. The valid range of
values for <replaceable>number</replaceable> is 1-255.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Specifies that the packet should
be passed to the IMQ identified by
<replaceable>number</replaceable>. Requires IMQ Target support
in your kernel and iptables.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Sets the
<firstterm>Differentiated Services Code Point</firstterm> field
in the IP header. The <replaceable>dscp</replaceable> value may
be given as an even number (hex or decimal) or as the name of a
DSCP class. Valid class names and their associated hex numeric
values are:</para>
<programlisting> CS0 =&gt; 0x00
CS1 =&gt; 0x08
CS2 =&gt; 0x10
CS3 =&gt; 0x18
CS4 =&gt; 0x20
CS5 =&gt; 0x28
CS6 =&gt; 0x30
CS7 =&gt; 0x38
BE =&gt; 0x00
AF11 =&gt; 0x0a
AF12 =&gt; 0x0c
AF13 =&gt; 0x0e
AF21 =&gt; 0x12
AF22 =&gt; 0x14
AF23 =&gt; 0x16
AF31 =&gt; 0x1a
AF32 =&gt; 0x1c
AF33 =&gt; 0x1e
AF41 =&gt; 0x22
AF42 =&gt; 0x24
AF43 =&gt; 0x26
EF =&gt; 0x2e</programlisting>
<para>To indicate more than one class, add their hex values
together and specify the result.</para>
<para>May be optionally followed by ':' and a capital letter
designating the chain where classification is to occur.</para>
<variablelist>
<varlistentry>
<term>F</term>
<listitem>
<para>FORWARD chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>T</term>
<listitem>
<para>POSTROUTING chain (default).</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
<listitem>
<para><emphasis
role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
<para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
Service</firstterm> field in the IP header. The
<replaceable>tos</replaceable> value may be given as an number
(hex or decimal) or as the name of a TOS type. Valid type names
and their associated hex numeric values are:</para>
<programlisting>Minimize-Delay =&gt; 0x10,
Maximize-Throughput =&gt; 0x08,
Maximize-Reliability =&gt; 0x04,
Minimize-Cost =&gt; 0x02,
Normal-Service =&gt; 0x00</programlisting>
<para>To indicate more than one class, add their hex values
together and specify the result.</para>
<para>When <replaceable>tos</replaceable> is given as a number,
it may be optionally followed by '/' and a
<replaceable>mask</replaceable>. When no
<replaceable>mask</replaceable> is given, the value 0xff is
assumed. When <replaceable>tos</replaceable> is given as a type
name, the <replaceable>mask</replaceable> 0x3f is
assumed.</para>
<para>The action performed is to zero out the bits specified by
the <replaceable>mask</replaceable>, then set the bits specified
by <replaceable>tos</replaceable>.</para>
<para>May be optionally followed by ':' and a capital letter
designating the chain where classification is to occur.</para>
<variablelist>
<varlistentry>
<term>F</term>
<listitem>
<para>FORWARD chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>T</term>
<listitem>
<para>POSTROUTING chain.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</orderedlist>
</listitem>
</varlistentry>

325
Shorewall6/manpages/shorewall6-tcrules.xml
View File

@ -255,27 +255,27 @@
</listitem>
<listitem>
<para><emphasis
role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
restore the packet's mark from the connection's mark using the
supplied mask if any. Your kernel and ip6tables must include
CONNMARK support.</para>
<para><emphasis role="bold">CHECKSUM</emphasis></para>
<para>As in 1) above, may be followed by <emphasis
role="bold">:P</emphasis> or <emphasis
role="bold">:F</emphasis></para>
<para>Added in Shorewall 4.5.9. Compute and fill in the checksum
in a packet that lacks a checksum. This is particularly useful,
if you need to work around old applications such as dhcp
clients, that do not work well with check sum offloads, but
don't want to disable checksum offload in your device.</para>
<para>Requires 'Checksum Target' support in your kernel and
ip6tables.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
the packet's mark to the connection's mark using the supplied
mask if any. Your kernel and ip6tables must include CONNMARK
support.</para>
<para><emphasis role="bold">COMMENT</emphasis> -- the rest of
the line will be attached as a comment to the Netfilter rule(s)
generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of <command>shorewall6
show mangle</command></para>
<para>As in 1) above, may be followed by <emphasis
role="bold">:P</emphasis> or <emphasis
role="bold">:F</emphasis></para>
<para>To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.</para>
</listitem>
<listitem>
@ -290,48 +290,6 @@
ip6tables/Netfilter provides the necessary support.</para>
</listitem>
<listitem>
<para><emphasis role="bold">SAME</emphasis> (Added in Shorewall
4.3.5) -- Some websites run applications that require multiple
connections from a client browser. Where multiple 'balanced'
providers are configured, this can lead to problems when some of
the connections are routed through one provider and some through
another. The SAME target allows you to work around that problem.
SAME may be used in the PREROUTING and OUTPUT chains. When used
in PREROUTING, it causes matching connections from an individual
local system to all use the same provider. For example:
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the
last five minutes then the new connection will use the same
provider as the connection over which that last packet was
sent.</para>
<para>When used in the OUTPUT chain, it causes all matching
connections to an individual remote system to all use the same
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
If the firewall attempts a connection on TCP port 80 or 443 and
it has sent a packet on either of those ports in the last five
minutes to the same remote system then the new connection will
use the same provider as the connection over which that last
packet was sent.</para>
</listitem>
<listitem>
<para><emphasis role="bold">COMMENT</emphasis> -- the rest of
the line will be attached as a comment to the Netfilter rule(s)
generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of <command>shorewall6
show mangle</command></para>
<para>To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.</para>
</listitem>
<listitem>
<para><emphasis role="bold">DIVERT</emphasis></para>
@ -344,103 +302,6 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
it from any rules that follow.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-- FORMAT 1</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first
(mark) is required:</para>
<itemizedlist>
<listitem>
<para><replaceable>mark</replaceable> - the MARK value
corresponding to the local provider in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
</listitem>
<listitem>
<para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original
destination port.</para>
</listitem>
<listitem>
<para><replaceable>address</replaceable> - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-- FORMAT 2</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first
(mark) is required:</para>
<itemizedlist>
<listitem>
<para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original
destination port.</para>
</listitem>
<listitem>
<para><replaceable>address</replaceable> - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><emphasis role="bold">HL</emphasis>([<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.4.24.</para>
<para>Prior to Shorewall 4.5.7.2, may be optionally followed by
<emphasis role="bold">:F</emphasis> but the resulting rule is
always added to the FORWARD chain. Beginning with Shorewall
4.5.7.s, it may be optionally followed by <emphasis
role="bold">:P</emphasis>, in which case the rule is added to
the PREROUTING chain.</para>
<para>If <emphasis role="bold">+</emphasis> is included, packets
matching the rule will have their HL (hop limit) incremented by
<replaceable>number</replaceable>. Similarly, if <emphasis
role="bold">-</emphasis> is included, matching packets have
their HL decremented by <replaceable>number</replaceable>. If
neither <emphasis role="bold">+</emphasis> nor <emphasis
role="bold">-</emphasis> is given, the HL of matching packets is
set to <replaceable>number</replaceable>. The valid range of
values for <replaceable>number</replaceable> is 1-255.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Specifies that the packet should
be passed to the IMQ identified by
<replaceable>number</replaceable>. Requires IMQ Target support
in your kernel and ip6tables.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
@ -500,6 +361,96 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</variablelist>
</listitem>
<listitem>
<para><emphasis role="bold">HL</emphasis>([<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.4.24.</para>
<para>Prior to Shorewall 4.5.7.2, may be optionally followed by
<emphasis role="bold">:F</emphasis> but the resulting rule is
always added to the FORWARD chain. Beginning with Shorewall
4.5.7.s, it may be optionally followed by <emphasis
role="bold">:P</emphasis>, in which case the rule is added to
the PREROUTING chain.</para>
<para>If <emphasis role="bold">+</emphasis> is included, packets
matching the rule will have their HL (hop limit) incremented by
<replaceable>number</replaceable>. Similarly, if <emphasis
role="bold">-</emphasis> is included, matching packets have
their HL decremented by <replaceable>number</replaceable>. If
neither <emphasis role="bold">+</emphasis> nor <emphasis
role="bold">-</emphasis> is given, the HL of matching packets is
set to <replaceable>number</replaceable>. The valid range of
values for <replaceable>number</replaceable> is 1-255.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Specifies that the packet should
be passed to the IMQ identified by
<replaceable>number</replaceable>. Requires IMQ Target support
in your kernel and ip6tables.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
restore the packet's mark from the connection's mark using the
supplied mask if any. Your kernel and ip6tables must include
CONNMARK support.</para>
<para>As in 1) above, may be followed by <emphasis
role="bold">:P</emphasis> or <emphasis
role="bold">:F</emphasis></para>
</listitem>
<listitem>
<para><emphasis role="bold">SAME</emphasis> (Added in Shorewall
4.3.5) -- Some websites run applications that require multiple
connections from a client browser. Where multiple 'balanced'
providers are configured, this can lead to problems when some of
the connections are routed through one provider and some through
another. The SAME target allows you to work around that problem.
SAME may be used in the PREROUTING and OUTPUT chains. When used
in PREROUTING, it causes matching connections from an individual
local system to all use the same provider. For example:
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the
last five minutes then the new connection will use the same
provider as the connection over which that last packet was
sent.</para>
<para>When used in the OUTPUT chain, it causes all matching
connections to an individual remote system to all use the same
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
If the firewall attempts a connection on TCP port 80 or 443 and
it has sent a packet on either of those ports in the last five
minutes to the same remote system then the new connection will
use the same provider as the connection over which that last
packet was sent.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
the packet's mark to the connection's mark using the supplied
mask if any. Your kernel and ip6tables must include CONNMARK
support.</para>
<para>As in 1) above, may be followed by <emphasis
role="bold">:P</emphasis> or <emphasis
role="bold">:F</emphasis></para>
</listitem>
<listitem>
<para><emphasis
role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
@ -552,6 +503,68 @@ Normal-Service =&gt; 0x00</programlisting>
</varlistentry>
</variablelist>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-- FORMAT 1</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first
(mark) is required:</para>
<itemizedlist>
<listitem>
<para><replaceable>mark</replaceable> - the MARK value
corresponding to the local provider in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
</listitem>
<listitem>
<para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original
destination port.</para>
</listitem>
<listitem>
<para><replaceable>address</replaceable> - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-- FORMAT 2</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first
(mark) is required:</para>
<itemizedlist>
<listitem>
<para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original
destination port.</para>
</listitem>
<listitem>
<para><replaceable>address</replaceable> - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.</para>
</listitem>
</itemizedlist>
</listitem>
</orderedlist>
</listitem>
</varlistentry>
@ -870,7 +883,7 @@ Normal-Service =&gt; 0x00</programlisting>
<para>Optional. Names a Netfiler protocol
<firstterm>helper</firstterm> module such as <option>ftp</option>,
<option>sip</option>, <option>amanda</option>, etc. A packet will
match if it was accepted by the named helper module. </para>
match if it was accepted by the named helper module.</para>
<para>Example: Mark all FTP data connections with mark
4:<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER