forked from extern/shorewall_code
Merge branch 'master' into 4.5.2
This commit is contained in:
Tom Eastep
commit
25bca70ff2
@ -1548,6 +1548,8 @@ sub close_file() {
|
|||||||
#
|
#
|
||||||
# Process an ?IF, ?ELSE or ?END directive
|
# Process an ?IF, ?ELSE or ?END directive
|
||||||
#
|
#
|
||||||
|
sub have_capability( $ );
|
||||||
|
|
||||||
sub process_conditional( $$$ ) {
|
sub process_conditional( $$$ ) {
|
||||||
my ( $omitting, $line, $linenumber ) = @_;
|
my ( $omitting, $line, $linenumber ) = @_;
|
||||||
|
|
||||||
@ -1582,7 +1584,7 @@ sub process_conditional( $$$ ) {
|
|||||||
$omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} :
|
$omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} :
|
||||||
exists $params{$rest} ? $params{$rest} :
|
exists $params{$rest} ? $params{$rest} :
|
||||||
exists $config{$rest} ? $config{$rest} :
|
exists $config{$rest} ? $config{$rest} :
|
||||||
exists $capdesc{$cap} ? have_capability $cap : 0 );
|
exists $capdesc{$cap} ? have_capability( $cap ) : 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
$omitting = ! $omitting if $invert;
|
$omitting = ! $omitting if $invert;
|
||||||
@ -1953,12 +1955,12 @@ sub embedded_shell( $ ) {
|
|||||||
my $last = 0;
|
my $last = 0;
|
||||||
|
|
||||||
while ( read_a_line( 0, 0, 1 ) ) {
|
while ( read_a_line( 0, 0, 1 ) ) {
|
||||||
last if $last = $currentline =~ s/^\s*\??END(\s+SHELL)?\s*;?//;
|
last if $last = $currentline =~ s/^\s*END(\s+SHELL)?\s*;?//;
|
||||||
$command .= $currentline;
|
$command .= $currentline;
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error ( "Missing END SHELL" ) unless $last;
|
fatal_error ( "Missing END SHELL" ) unless $last;
|
||||||
fatal_error ( "Invalid END SHELL directive" ) unless /^\s*$/;
|
fatal_error ( "Invalid END SHELL directive" ) unless $currentline =~ /^\s*$/;
|
||||||
}
|
}
|
||||||
|
|
||||||
$command .= q(');
|
$command .= q(');
|
||||||
@ -1989,12 +1991,12 @@ sub embedded_perl( $ ) {
|
|||||||
my $last = 0;
|
my $last = 0;
|
||||||
|
|
||||||
while ( read_a_line( 0, 0, 1 ) ) {
|
while ( read_a_line( 0, 0, 1 ) ) {
|
||||||
last if $last = $currentline =~ s/^\s*\??END(\s+PERL)?\s*;?//;
|
last if $last = $currentline =~ s/^\s*END(\s+PERL)?\s*;?//;
|
||||||
$command .= $currentline;
|
$command .= $currentline;
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error ( "Missing END PERL" ) unless $last;
|
fatal_error ( "Missing END PERL" ) unless $last;
|
||||||
fatal_error ( "Invalid END PERL directive" ) unless /^\s*$/;
|
fatal_error ( "Invalid END PERL directive" ) unless $currentline =~ /^\s*$/;
|
||||||
}
|
}
|
||||||
|
|
||||||
unless (my $return = eval $command ) {
|
unless (my $return = eval $command ) {
|
||||||
@ -2208,12 +2210,12 @@ sub read_a_line(;$$$) {
|
|||||||
# Must check for shell/perl before doing variable expansion
|
# Must check for shell/perl before doing variable expansion
|
||||||
#
|
#
|
||||||
if ( $embedded_enabled ) {
|
if ( $embedded_enabled ) {
|
||||||
if ( $currentline =~ s/^\s*\??(BEGIN\s+)?SHELL\s*;?// ) {
|
if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
|
||||||
embedded_shell( $1 );
|
embedded_shell( $1 );
|
||||||
next;
|
next;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $currentline =~ s/^\s*\??(BEGIN\s+)?PERL\s*\;?// ) {
|
if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
|
||||||
embedded_perl( $1 );
|
embedded_perl( $1 );
|
||||||
next;
|
next;
|
||||||
}
|
}
|
||||||
@ -2626,8 +2628,6 @@ sub determine_kernelversion() {
|
|||||||
#
|
#
|
||||||
# Capability Reporting and detection.
|
# Capability Reporting and detection.
|
||||||
#
|
#
|
||||||
sub have_capability( $ );
|
|
||||||
|
|
||||||
sub Nat_Enabled() {
|
sub Nat_Enabled() {
|
||||||
$family == F_IPV4 ? qt1( "$iptables -t nat -L -n" ) : '';
|
$family == F_IPV4 ? qt1( "$iptables -t nat -L -n" ) : '';
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1601,19 +1601,16 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true</programlisting
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis role="bold">[?]PERL</emphasis> <<emphasis>perl
|
<para><emphasis role="bold">PERL</emphasis> <<emphasis>perl
|
||||||
script</emphasis>></para>
|
script</emphasis>></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis role="bold">[?]SHELL</emphasis> <<emphasis>shell
|
<para><emphasis role="bold">SHELL</emphasis> <<emphasis>shell
|
||||||
script</emphasis>></para>
|
script</emphasis>></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>The optional '?' is allowed in Shorewall versions 4.5.2 and
|
|
||||||
later.</para>
|
|
||||||
|
|
||||||
<para>Shell scripts run in a child shell process and their output is piped
|
<para>Shell scripts run in a child shell process and their output is piped
|
||||||
back to the compiler which processes that output as if it were embedded at
|
back to the compiler which processes that output as if it were embedded at
|
||||||
the point of the script.</para>
|
the point of the script.</para>
|
||||||
@ -1658,14 +1655,13 @@ use Shorewall::Config ( qw/shorewall/ );</programlisting>
|
|||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>Multi-line scripts use one of the following forms:<programlisting><emphasis
|
<para>Multi-line scripts use one of the following forms:<programlisting><emphasis
|
||||||
role="bold">[?]BEGIN SHELL</emphasis>
|
role="bold">BEGIN SHELL</emphasis>
|
||||||
<<emphasis>shell script</emphasis>>
|
<<emphasis>shell script</emphasis>>
|
||||||
<emphasis role="bold">[?]END</emphasis> [ <emphasis role="bold">SHELL</emphasis> ]</programlisting><programlisting><emphasis
|
<emphasis role="bold">END</emphasis> [ <emphasis role="bold">SHELL</emphasis> ]</programlisting><programlisting><emphasis
|
||||||
role="bold">[?]BEGIN PERL</emphasis> [;]
|
role="bold">BEGIN PERL</emphasis> [;]
|
||||||
<<emphasis>perl script</emphasis>>
|
<<emphasis>perl script</emphasis>>
|
||||||
<emphasis role="bold">[?]END</emphasis> [ <emphasis role="bold">PERL</emphasis> ] [<emphasis
|
<emphasis role="bold">END</emphasis> [ <emphasis role="bold">PERL</emphasis> ] [<emphasis
|
||||||
role="bold">;</emphasis>]</programlisting>As above, the optional
|
role="bold">;</emphasis>]</programlisting></para>
|
||||||
leading '?' is allowed in Shorewall versions 4.5.2 and later.</para>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="dnsnames">
|
<section id="dnsnames">
|
||||||
@ -2004,7 +2000,7 @@ redirect => 137</programlisting>
|
|||||||
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORTS(S)
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORTS(S)
|
||||||
DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
|
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting>
|
||||||
|
|
||||||
<para>If you omit the low port number, a value of zero is assumed; if you
|
<para>If you omit the low port number, a value of zero is assumed; if you
|
||||||
omit the high port number, a value of 65535 is assumed.</para>
|
omit the high port number, a value of 65535 is assumed.</para>
|
||||||
@ -2140,9 +2136,9 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
|
|||||||
Support requires that you install xtables-addons.</para>
|
Support requires that you install xtables-addons.</para>
|
||||||
|
|
||||||
<para>The SWITCH column contains the name of a
|
<para>The SWITCH column contains the name of a
|
||||||
<firstterm>switch.</firstterm> Each switch that is initially in the
|
<firstterm>switch.</firstterm> Each switch is initially in the <emphasis
|
||||||
<emphasis role="bold">off</emphasis> position. You can turn on the switch
|
role="bold">off</emphasis> position. You can turn on the switch named
|
||||||
named <emphasis>switch1</emphasis> by:</para>
|
<emphasis>switch1</emphasis> by:</para>
|
||||||
|
|
||||||
<simplelist>
|
<simplelist>
|
||||||
<member><command>echo 1 >
|
<member><command>echo 1 >
|
||||||
@ -2186,7 +2182,8 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
|
|||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||||
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down </programlisting>
|
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - <emphasis
|
||||||
|
role="bold">primary_down</emphasis> </programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -2216,11 +2213,16 @@ DNAT net dmz:$BACKUP tcp 80 - -
|
|||||||
<para>Here is an example:</para>
|
<para>Here is an example:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
net COM_IF detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,physical=eth0
|
net <emphasis role="bold">COM_IF </emphasis> detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
|
||||||
net EXT_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,physical=eth2
|
role="bold">physical=eth0</emphasis>
|
||||||
loc INT_IF detect dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,physical=eth1
|
net <emphasis role="bold">EXT_IF</emphasis> detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
|
||||||
dmz VPS_IF detect logmartians=1,routefilter=0,routeback,physical=venet0
|
role="bold">physical=eth2</emphasis>
|
||||||
loc TUN_IF detect physical=tun+</programlisting>
|
loc <emphasis role="bold">INT_IF </emphasis> detect dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
|
||||||
|
role="bold">physical=eth1</emphasis>
|
||||||
|
dmz <emphasis role="bold">VPS_IF </emphasis> detect logmartians=1,routefilter=0,routeback,<emphasis
|
||||||
|
role="bold">physical=venet0</emphasis>
|
||||||
|
loc <emphasis role="bold">TUN_IF</emphasis> detect <emphasis
|
||||||
|
role="bold">physical=tun+</emphasis></programlisting>
|
||||||
|
|
||||||
<para>In this example, COM_IF is a logical interface name that refers to
|
<para>In this example, COM_IF is a logical interface name that refers to
|
||||||
Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is
|
Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is
|
||||||
@ -2235,16 +2237,18 @@ loc TUN_IF detect physical=tun+</programlisting>
|
|||||||
<programlisting>#INTERFACE SOURCE ADDRESS
|
<programlisting>#INTERFACE SOURCE ADDRESS
|
||||||
|
|
||||||
COMMENT Masquerade Local Network
|
COMMENT Masquerade Local Network
|
||||||
COM_IF 0.0.0.0/0
|
<emphasis role="bold">COM_IF</emphasis> 0.0.0.0/0
|
||||||
EXT_IF !206.124.146.0/24 206.124.146.179:persistent</programlisting>
|
<emphasis role="bold">EXT_IF </emphasis> !206.124.146.0/24 206.124.146.179:persistent</programlisting>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="manpages/shorewall-providers.html">shorewall-providers</ulink>
|
url="manpages/shorewall-providers.html">shorewall-providers</ulink>
|
||||||
(5)</para>
|
(5)</para>
|
||||||
|
|
||||||
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
|
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
|
||||||
Avvanta 1 0x10000 main EXT_IF 206.124.146.254 loose,fallback INT_IF,VPS_IF,TUN_IF
|
Avvanta 1 0x10000 main <emphasis role="bold">EXT_IF </emphasis> 206.124.146.254 loose,fallback <emphasis
|
||||||
Comcast 2 0x20000 main COM_IF detect balance INT_IF,VPS_IF,TUN_IF</programlisting>
|
role="bold">INT_IF,VPS_IF,TUN_IF</emphasis>
|
||||||
|
Comcast 2 0x20000 main <emphasis role="bold">COM_IF</emphasis> detect balance <emphasis
|
||||||
|
role="bold">INT_IF,VPS_IF,TUN_IF</emphasis></programlisting>
|
||||||
|
|
||||||
<para>Note in particular that Shorewall translates TUN_IF to <filename
|
<para>Note in particular that Shorewall translates TUN_IF to <filename
|
||||||
class="devicefile">tun*</filename> in the COPY column.</para>
|
class="devicefile">tun*</filename> in the COPY column.</para>
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user