Implement header matching
parent
5e48faad9e
commit
2702d7f208
@ -52,7 +52,7 @@ sub process_accounting_rule( ) {
|
||||
|
||||
our $jumpchainref;
|
||||
|
||||
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
|
||||
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File';
|
||||
|
||||
if ( $action eq 'COMMENT' ) {
|
||||
process_comment;
|
||||
@ -95,7 +95,7 @@ sub process_accounting_rule( ) {
|
||||
$ports = '' if $ports eq 'any' || $ports eq 'all';
|
||||
$sports = '' if $sports eq 'any' || $sports eq 'all';
|
||||
|
||||
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
|
||||
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
|
||||
my $rule2 = 0;
|
||||
my $jump = 0;
|
||||
|
||||
|
@ -143,6 +143,7 @@ our %EXPORT_TAGS = (
|
||||
do_tos
|
||||
do_connbytes
|
||||
do_helper
|
||||
do_headers
|
||||
have_ipset_rules
|
||||
match_source_dev
|
||||
match_dest_dev
|
||||
@ -2522,7 +2523,7 @@ sub do_connbytes( $ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Create a "-m helper" match for the passed argument
|
||||
# Create a soft "-m helper" match for the passed argument
|
||||
#
|
||||
sub do_helper( $ ) {
|
||||
my $helper = shift;
|
||||
@ -2542,6 +2543,60 @@ sub do_length( $ ) {
|
||||
$length ne '-' ? "-m length --length $length " : '';
|
||||
}
|
||||
|
||||
#
|
||||
# Create a "-m -ipv6header" match for the passed argument
|
||||
#
|
||||
my %headers = ( hop => 1,
|
||||
dst => 1,
|
||||
route => 1,
|
||||
frag => 1,
|
||||
auth => 1,
|
||||
esp => 1,
|
||||
none => 1,
|
||||
'hop-by-hop' => 1,
|
||||
'ipv6-opts' => 1,
|
||||
'ipv6-route' => 1,
|
||||
'ipv6-frag' => 1,
|
||||
ah => 1,
|
||||
'ipv6-nonxt' => 1,
|
||||
'protocol' => 1,
|
||||
0 => 1,
|
||||
43 => 1,
|
||||
44 => 1,
|
||||
50 => 1,
|
||||
51 => 1,
|
||||
59 => 1,
|
||||
60 => 1,
|
||||
255 => 1 );
|
||||
|
||||
sub do_headers( $ ) {
|
||||
my $headers = shift;
|
||||
|
||||
return '' if $headers eq '-';
|
||||
|
||||
require_capability 'HEADER_MATCH', 'A non-empty HEADER column', 's';
|
||||
|
||||
my $invert = $headers =~ s/^!// ? '! ' : "";
|
||||
|
||||
my $soft = '--soft ';
|
||||
|
||||
if ( $headers =~ s/^exactly:// ) {
|
||||
$soft = '';
|
||||
} else {
|
||||
$headers =~ s/^any://;
|
||||
}
|
||||
|
||||
for ( split_list $headers, "Header" ) {
|
||||
if ( $_ eq 'proto' ) {
|
||||
$_ = 'protocol';
|
||||
} else {
|
||||
fatal_error "Unknown IPv6 Header ($_)" unless $headers{$_};
|
||||
}
|
||||
}
|
||||
|
||||
"-m ipv6header ${invert}--header ${headers} ${soft}";
|
||||
}
|
||||
|
||||
#
|
||||
# Match Source Interface
|
||||
#
|
||||
|
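Review bot: The `%headers` table accepts 43 for the routing header and not 41, and the numbers it lists (51 for AH, 50 for ESP, 43 for routing) are the IANA values ip6tables uses, yet the release-notes and manpage hunks in this same commit document route as 41, auth/ah as 50 and esp as 51, so a user who copies those numbers either gets `Unknown IPv6 Header (41)` or matches the other of AH/ESP; the documentation, not the table, should be corrected. Separately, `$_ = 'protocol'` inside the loop writes into the temporary list returned by `split_list`, not into `$headers`, so the emitted `--header` argument still says `proto`; if ip6tables accepts `proto` as an alias the branch can simply go, otherwise collect the list first with `my @list = split_list $headers, "Header";` and finish with `$headers = join ',', @list;`. The comment above the table should read `# Create a "-m ipv6header" match for the passed argument`. The `require_capability` message says `HEADER column` while the file column is named HEADERS.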
@ -254,6 +254,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
FLOW_FILTER => 'Flow Classifier',
|
||||
FWMARK_RT_MASK => 'fwmark route mask',
|
||||
MARK_ANYWHERE => 'Mark in any table',
|
||||
HEADER_MATCH => 'Header Match',
|
||||
CAPVERSION => 'Capability Version',
|
||||
KERNELVERSION => 'Kernel Version',
|
||||
);
|
||||
@ -353,7 +354,7 @@ sub initialize( $ ) {
|
||||
STATEMATCH => '-m state --state',
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.4.15-RC1",
|
||||
CAPVERSION => 40413 ,
|
||||
CAPVERSION => 40415 ,
|
||||
);
|
||||
|
||||
#
|
||||
@ -2503,6 +2504,10 @@ sub Mark_Anywhere() {
|
||||
qt1( "$iptables -A $sillyname -j MARK --set-mark 5" );
|
||||
}
|
||||
|
||||
sub Header_Match() {
|
||||
qt1( "$iptables -A $sillyname -m ipv6header --header 255 -j ACCEPT" );
|
||||
}
|
||||
|
||||
our %detect_capability =
|
||||
( ADDRTYPE => \&Addrtype,
|
||||
CLASSIFY_TARGET => \&Classify_Target,
|
||||
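Review bot: `Header_Match` runs an ip6tables-only match through `$iptables` with no address-family gate, so under IPv4 the capability outcome is decided by that invocation failing rather than by an explicit decision; the IPv4 shell-library hunks later in this commit (HEADER_MATCH= initialised and reported, never probed) take the explicit route. If the Perl side is meant to mirror that, a comment such as `# -m ipv6header exists only in ip6tables; expected to fail (capability absent) under IPv4` would record it, or the probe could be skipped for IPv4 if this file gates other IPv6-only probes that way (not visible in the hunk).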
@ -2517,6 +2522,7 @@ our %detect_capability =
|
||||
FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
|
||||
GOTO_TARGET => \&Goto_Target,
|
||||
HASHLIMIT_MATCH => \&Hashlimit_Match,
|
||||
HEADER_MATCH => \&Header_Match,
|
||||
HELPER_MATCH => \&Helper_Match,
|
||||
IPMARK_TARGET => \&IPMark_Target,
|
||||
IPP2P_MATCH => \&Ipp2p_Match,
|
||||
|
@ -888,13 +888,13 @@ sub setup_mac_lists( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
sub process_rule1 ( $$$$$$$$$$$$$ );
|
||||
sub process_rule1 ( $$$$$$$$$$$$$$ );
|
||||
|
||||
#
|
||||
# Expand a macro rule from the rules file
|
||||
#
|
||||
sub process_macro ( $$$$$$$$$$$$$$$ ) {
|
||||
my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $wildcard ) = @_;
|
||||
sub process_macro ( $$$$$$$$$$$$$$$$ ) {
|
||||
my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_;
|
||||
|
||||
my $nocomment = no_comment;
|
||||
|
||||
@ -912,13 +912,13 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime);
|
||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders );
|
||||
|
||||
if ( $format == 1 ) {
|
||||
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
|
||||
( $morigdest, $mmark, $mconnlimit, $mtime ) = qw/- - - -/;
|
||||
( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders ) = qw/- - - - -/;
|
||||
} else {
|
||||
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime ) = split_line1 1, 12, 'macro file', $macro_commands;
|
||||
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders ) = split_line1 1, 13, 'macro file', $macro_commands;
|
||||
}
|
||||
|
||||
if ( $mtarget eq 'COMMENT' ) {
|
||||
@ -986,6 +986,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
|
||||
merge_macro_column( $mmark, $mark ) ,
|
||||
merge_macro_column( $mconnlimit, $connlimit) ,
|
||||
merge_macro_column( $mtime, $time ),
|
||||
merge_macro_column( $mheaders, $headers ),
|
||||
$wildcard
|
||||
);
|
||||
|
||||
@ -1005,8 +1006,8 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
|
||||
# Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
|
||||
# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
|
||||
#
|
||||
sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wildcard ) = @_;
|
||||
sub process_rule1 ( $$$$$$$$$$$$$$ ) {
|
||||
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_;
|
||||
my ( $action, $loglevel) = split_action $target;
|
||||
my ( $basictarget, $param ) = get_target_param $action;
|
||||
my $rule = '';
|
||||
@ -1051,6 +1052,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
$mark,
|
||||
$connlimit,
|
||||
$time,
|
||||
$headers,
|
||||
$wildcard );
|
||||
|
||||
$macro_nest_level--;
|
||||
@ -1244,7 +1246,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
do_user( $user ) ,
|
||||
do_test( $mark , $globals{TC_MASK} ) ,
|
||||
do_connlimit( $connlimit ),
|
||||
do_time( $time ) );
|
||||
do_time( $time ) ,
|
||||
do_headers( $headers )
|
||||
);
|
||||
}
|
||||
|
||||
unless ( $section eq 'NEW' ) {
|
||||
@ -1606,7 +1610,7 @@ sub build_zone_list( $$$\$\$ ) {
|
||||
# Process a Record in the rules file
|
||||
#
|
||||
sub process_rule ( ) {
|
||||
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time ) = split_line1 1, 12, 'rules file', \%rules_commands;
|
||||
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'rules file', \%rules_commands;
|
||||
|
||||
process_comment, return 1 if $target eq 'COMMENT';
|
||||
process_section( $source ), return 1 if $target eq 'SECTION';
|
||||
@ -1638,7 +1642,7 @@ sub process_rule ( ) {
|
||||
my $destzone = (split( /:/, $dest, 2 ) )[0];
|
||||
$destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
|
||||
if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
|
||||
$generated |= process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild;
|
||||
$generated |= process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $wild;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -195,7 +195,7 @@ sub initialize( $ ) {
|
||||
}
|
||||
|
||||
sub process_tc_rule( ) {
|
||||
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
|
||||
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = split_line1 2, 13, 'tcrules file';
|
||||
|
||||
our @tccmd;
|
||||
|
||||
@ -412,7 +412,8 @@ sub process_tc_rule( ) {
|
||||
do_length( $length ) .
|
||||
do_tos( $tos ) .
|
||||
do_connbytes( $connbytes ) .
|
||||
do_helper( $helper ),
|
||||
do_helper( $helper ) .
|
||||
do_headers( $headers ) ,
|
||||
$source ,
|
||||
$dest ,
|
||||
'' ,
|
||||
|
@ -1,10 +1,12 @@
|
||||
Changes in Shorewall 4.4.15
|
||||
|
||||
Beta 3
|
||||
RC 1
|
||||
|
||||
1) Another Perl 5.12 warning.
|
||||
|
||||
2) Avoid anomalous behavior regarding syn flood chains.
|
||||
2) Avoid anomalous behavior regarding syn flood chains.
|
||||
|
||||
3) Add HEADERS column for IPv6
|
||||
|
||||
Beta 2
|
||||
|
||||
|
@ -6,6 +6,6 @@
|
||||
# Please see http://shorewall.net/Accounting.html for examples and
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
#####################################################################################################
|
||||
#################################################################################################################
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
|
||||
# PORT(S) PORT(S) GROUP
|
||||
|
@ -29,7 +29,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40407
|
||||
SHOREWALL_CAPVERSION=40413
|
||||
SHOREWALL_CAPVERSION=40415
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||
|
@ -1659,6 +1659,7 @@ determine_capabilities() {
|
||||
FLOW_FILTER=
|
||||
FWMARK_RT_MASK=
|
||||
MARK_ANYWHERE=
|
||||
HEADER_MATCH=
|
||||
|
||||
chain=fooX$$
|
||||
|
||||
@ -1877,6 +1878,7 @@ report_capabilities() {
|
||||
report_capability "FLOW Classifier" $FLOW_FILTER
|
||||
report_capability "fwmark route mask" $FWMARK_RT_MASK
|
||||
report_capability "Mark in any table" $MARK_ANYWHERE
|
||||
report_capability "Header Match" $HEADER_MATCH
|
||||
fi
|
||||
|
||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||
@ -1942,6 +1944,7 @@ report_capabilities1() {
|
||||
report_capability1 FLOW_FILTER
|
||||
report_capability1 FWMARK_RT_MASK
|
||||
report_capability1 MARK_ANYWHERE
|
||||
report_capability1 HEADER_MATCH
|
||||
|
||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||
echo KERNELVERSION=$KERNELVERSION
|
||||
|
@ -85,7 +85,36 @@ Beta 1.
|
||||
|
||||
RC 1
|
||||
|
||||
A Munin macro has been contributed by Tuomo Soini.
|
||||
1) A Munin macro has been contributed by Tuomo Soini.
|
||||
|
||||
2) The Shorewall6 accounting, tcrules and rules files now include a
|
||||
HEADERS column which allows matching based on the IPv6 extension and
|
||||
protocol headers included in a packet.
|
||||
|
||||
The contents of the column are:
|
||||
|
||||
[any:|exactly:]<header list>
|
||||
|
||||
where <header list> is a comma-separated list of headers from the
|
||||
following:
|
||||
|
||||
Long Name Short Name Number
|
||||
--------------------------------------
|
||||
auth ah 50
|
||||
esp esp 51
|
||||
hop-by-hop hop 0
|
||||
route ipv6-route 41
|
||||
frag ipv6-frag 44
|
||||
none ipv6-nonxt 59
|
||||
protocol proto 255
|
||||
|
||||
If 'any:' is specified, the rule will match if any of the listed
|
||||
headers are present. If 'exactly:' is specified, the will match
|
||||
packets that exactly include all specified headers. If neither is
|
||||
given, 'any:' is assumed.
|
||||
|
||||
This change adds a new capability (Header Match) so if you use a
|
||||
capabilities file, you will need to regenerate using this release.
|
||||
|
||||
Beta 2
|
||||
|
||||
|
@ -6,6 +6,6 @@
|
||||
# Please see http://shorewall.net/Accounting.html for examples and
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
#####################################################################################
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK
|
||||
###############################################################################################################
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC HEADERS
|
||||
# PORT(S) PORT(S) GROUP
|
||||
|
@ -33,7 +33,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40407
|
||||
SHOREWALL_CAPVERSION=40413
|
||||
SHOREWALL_CAPVERSION=40415
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
||||
|
@ -1334,6 +1334,7 @@ determine_capabilities() {
|
||||
FLOW_FILTER=
|
||||
FWMARK_RT_MASK=
|
||||
MARK_ANYWHERE=
|
||||
HEADER_MATCH=
|
||||
|
||||
chain=fooX$$
|
||||
|
||||
@ -1476,6 +1477,7 @@ determine_capabilities() {
|
||||
qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
|
||||
qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
|
||||
qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
|
||||
qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
|
||||
|
||||
qt $IP6TABLES -F $chain
|
||||
qt $IP6TABLES -X $chain
|
||||
@ -1553,6 +1555,7 @@ report_capabilities() {
|
||||
report_capability "FLOW Classifier" $FLOW_FILTER
|
||||
report_capability "fwmark route mask" $FWMARK_RT_MASK
|
||||
report_capability "Mark in any table" $MARK_ANYWHERE
|
||||
report_capability "Header Match" $HEADER_MATCH
|
||||
fi
|
||||
|
||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||
@ -1615,6 +1618,7 @@ report_capabilities1() {
|
||||
report_capability1 FLOW_FILTER
|
||||
report_capability1 FWMARK_RT_MASK
|
||||
report_capability1 MARK_ANYWHERE
|
||||
report_capability1 HEADER_MATCH
|
||||
|
||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||
echo KERNELVERSION=$KERNELVERSION
|
||||
|
@ -6,8 +6,8 @@
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages6/shorewall6-rules.html
|
||||
#
|
||||
####################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||
#######################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
|
@ -9,6 +9,6 @@
|
||||
#
|
||||
# See http://shorewall.net/PacketMarking.html for a detailed description of
|
||||
# the Netfilter/Shorewall packet marking mechanism.
|
||||
######################################################################################################################
|
||||
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
##################################################################################################################################
|
||||
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS
|
||||
# PORT(S) PORT(S)
|
||||
|
@ -53,141 +53,11 @@
|
||||
including traffic that will later be rejected by interface options such as
|
||||
<quote>tcpflags</quote> and <quote>maclist</quote>.</para>
|
||||
|
||||
<para>The columns in the accounting file are as follows:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">ACTION </emphasis>- What to do when a
|
||||
match is found. Possible values are:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>COUNT- Simply count the match and continue trying to match
|
||||
the packet with the following accounting rules</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>DONE- Count the match and don't attempt to match any
|
||||
following accounting rules.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis><chain></emphasis> - The name of a chain;
|
||||
Shorewall will create the chain automatically if it doesn't
|
||||
already exist. A jump to this chain will be generated from the
|
||||
chain specified by the CHAIN column. If the name of the chain is
|
||||
followed by <quote>:COUNT</quote> then a COUNT rule matching this
|
||||
entry will automatically be added to <chain>. Chain names
|
||||
must start with a letter, must be composed of letters and digits,
|
||||
and may contain underscores (<quote>_</quote>) and periods
|
||||
(<quote>.</quote>). Beginning with Shorewall version 1.4.8, chain
|
||||
names may also contain embedded dashes (<quote>-</quote>) and are
|
||||
not required to start with a letter.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>COMMENT - (Shorewall-perl only) - The remainder of the line
|
||||
is treated as a comment which is <ulink
|
||||
url="configuration_file_basics.htm#COMMENT">attached to subsequent
|
||||
rules</ulink> until another COMMENT line is found or until the end
|
||||
of the file is reached. To stop adding comments to rules, use a
|
||||
line with only the word COMMENT.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">CHAIN</emphasis> - The name of the chain
|
||||
where the accounting rule is to be added. If empty or <quote>-</quote>
|
||||
then the <quote>accounting</quote> chain is assumed (see <link
|
||||
linkend="Bridge">below</link> for exceptions).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">SOURCE</emphasis> - Packet Source. The
|
||||
name of an interface, an address (host or net), or an interface name
|
||||
followed by <quote>:</quote> and a host or net address.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">DESTINATION</emphasis> - Packet
|
||||
Destination. Format the same as the SOURCE column.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name
|
||||
(from <filename>/etc/protocols</filename>), a protocol number or
|
||||
<quote>ipp2p</quote>. For <quote>ipp2p</quote>, your kernel and
|
||||
iptables must have ipp2p match support from <ulink
|
||||
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
|
||||
number. Service name from <filename>/etc/services</filename> or port
|
||||
number. May only be specified if the protocol is TCP (6), UDP (17),
|
||||
DCCP (33), SCTP (132) or UDPLITE (136). If the PROTOCOL is
|
||||
<quote>ipp2p</quote>, then this column is interpreted as an ipp2p
|
||||
option without the leading <quote>--</quote> (default
|
||||
<quote>ipp2p</quote>). For a list of value ipp2p options, as root type
|
||||
<command>iptables -m ipp2p --help</command>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">SOURCE PORT</emphasis>- Source Port
|
||||
number. Service name from /etc/services or port number. May only be
|
||||
specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132)
|
||||
or UDPLITE (136).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">USER/GROUP</emphasis> - This column may
|
||||
only be non-empty if the CHAIN is OUTPUT. The column may
|
||||
contain:</para>
|
||||
|
||||
<programlisting>[!][<user name or number>][:<group name or number>]</programlisting>
|
||||
|
||||
<para>When this column is non-empty, the rule applies only if the
|
||||
program generating the output is running under the effective
|
||||
<user> and/or <group> specified (or is NOT running under
|
||||
that id if <quote>!</quote> is given).</para>
|
||||
|
||||
<para>Examples:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>joe #program must be run by joe</member>
|
||||
|
||||
<member>:kids #program must be run by a member of the
|
||||
<quote>kids</quote> group.</member>
|
||||
|
||||
<member>!:kids #program must not be run by a member of the
|
||||
<quote>kids</quote> group</member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">MARK</emphasis> - Only count packets with
|
||||
particular mark values. <programlisting>[!]<value>[/<mask>][:C]</programlisting>
|
||||
Defines a test on the existing packet or connection mark. The rule
|
||||
will match only if the test returns true.</para>
|
||||
|
||||
<para>If you don’t want to define a test but need to specify anything
|
||||
in the following columns, place a <quote>-</quote> in this
|
||||
field.<simplelist>
|
||||
<member>! — Inverts the test (not equal)</member>
|
||||
|
||||
<member><value> — Value of the packet or connection
|
||||
mark.</member>
|
||||
|
||||
<member><mask> — A mask to be applied to the mark before
|
||||
testing.</member>
|
||||
|
||||
<member>:C — Designates a connection mark. If omitted, the packet
|
||||
mark’s value is tested. This option is only supported by
|
||||
Shorewall-perl.</member>
|
||||
</simplelist></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<para>The columns in the accounting file are described in <ulink
|
||||
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink> (5)
|
||||
and <ulink
|
||||
url="manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>In all columns except ACTION and CHAIN, the values <quote>-</quote>,
|
||||
<quote>any</quote> and <quote>all</quote> are treated as
|
||||
|
@ -1161,6 +1161,13 @@ ppp0 6000kbit 500kbit</programlisting>
|
||||
modules such as <emphasis>ftp</emphasis>, <emphasis>sip</emphasis>,
|
||||
<emphasis>amanda</emphasis>, etc.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>HEADERS (Optioinal, Shorewall6 only, added in Shorewall
|
||||
4.4.15). List of IPv6 headers that may appear in packets. See <ulink
|
||||
url="manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>
|
||||
(5) for details.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<example id="Example1">
|
||||
|
@ -455,6 +455,100 @@
|
||||
role="bold">accounting</emphasis> chain.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">HEADERS -
|
||||
[!][any:|exactly:]</emphasis><replaceable>header-list
|
||||
</replaceable>(Optional - Added in Shorewall 4.4.15)</term>
|
||||
|
||||
<listitem>
|
||||
<para>The <replaceable>header-list</replaceable> consists of a
|
||||
comma-separated list of headers from the following list. </para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">auth</emphasis>, <emphasis
|
||||
role="bold">ah</emphasis>, or <emphasis
|
||||
role="bold">50</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para><firstterm>Authentication Headers</firstterm> extension
|
||||
header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">esp</emphasis>, or <emphasis
|
||||
role="bold">51</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para><firstterm>Encrypted Security Payload</firstterm>
|
||||
extension header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">hop</emphasis>, <emphasis
|
||||
role="bold">hop-by-hop</emphasis> or <emphasis
|
||||
role="bold">0</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Hop-by-hop options extension header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">route</emphasis>, <emphasis
|
||||
role="bold">ipv6-route</emphasis> or <emphasis
|
||||
role="bold">41</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>IPv6 Route extension header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">frag</emphasis>, <emphasis
|
||||
role="bold">ipv6-frag</emphasis> or <emphasis
|
||||
role="bold">44</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>IPv6 fragmentation extension header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">none</emphasis>, <emphasis
|
||||
role="bold">ipv6-nonxt</emphasis> or <emphasis
|
||||
role="bold">59</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>No next header</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">proto</emphasis>, <emphasis
|
||||
role="bold">protocol</emphasis> or <emphasis
|
||||
role="bold">255</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Any protocol header. </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>If <emphasis role="bold">any:</emphasis> is specified, the
|
||||
rule will match if any of the listed headers are present. If
|
||||
<emphasis role="bold">exactly:</emphasis> is specified, the will
|
||||
match packets that exactly include all specified headers. If neither
|
||||
is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
|
||||
|
||||
<para>If <emphasis role="bold">!</emphasis> is entered, the rule
|
||||
will match those packets which would not be matched when <emphasis
|
||||
role="bold">!</emphasis> is omitted.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>In all of the above columns except <emphasis
|
||||
|
@ -930,6 +930,100 @@
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">HEADERS -
|
||||
[!][any:|exactly:]</emphasis><replaceable>header-list
|
||||
</replaceable>(Optional - Added in Shorewall 4.4.15)</term>
|
||||
|
||||
<listitem>
|
||||
<para>The <replaceable>header-list</replaceable> consists of a
|
||||
comma-separated list of headers from the following list.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">auth</emphasis>, <emphasis
|
||||
role="bold">ah</emphasis>, or <emphasis
|
||||
role="bold">50</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para><firstterm>Authentication Headers</firstterm> extension
|
||||
header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">esp</emphasis>, or <emphasis
|
||||
role="bold">51</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para><firstterm>Encrypted Security Payload</firstterm>
|
||||
extension header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">hop</emphasis>, <emphasis
|
||||
role="bold">hop-by-hop</emphasis> or <emphasis
|
||||
role="bold">0</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Hop-by-hop options extension header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">route</emphasis>, <emphasis
|
||||
role="bold">ipv6-route</emphasis> or <emphasis
|
||||
role="bold">41</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>IPv6 Route extension header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">frag</emphasis>, <emphasis
|
||||
role="bold">ipv6-frag</emphasis> or <emphasis
|
||||
role="bold">44</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>IPv6 fragmentation extension header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">none</emphasis>, <emphasis
|
||||
role="bold">ipv6-nonxt</emphasis> or <emphasis
|
||||
role="bold">59</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>No next header</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">proto</emphasis>, <emphasis
|
||||
role="bold">protocol</emphasis> or <emphasis
|
||||
role="bold">255</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Any protocol header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>If <emphasis role="bold">any:</emphasis> is specified, the
|
||||
rule will match if any of the listed headers are present. If
|
||||
<emphasis role="bold">exactly:</emphasis> is specified, the will
|
||||
match packets that exactly include all specified headers. If neither
|
||||
is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
|
||||
|
||||
<para>If <emphasis role="bold">!</emphasis> is entered, the rule
|
||||
will match those packets which would not be matched when <emphasis
|
||||
role="bold">!</emphasis> is omitted.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
@ -1004,8 +1098,8 @@
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
|
||||
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
|
||||
shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
||||
shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
@ -600,6 +600,100 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
4 ::/0 ::/0 TCP - - - - - - - ftp</programlisting></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">HEADERS -
|
||||
[!][any:|exactly:]</emphasis><replaceable>header-list
|
||||
</replaceable>(Optional - Added in Shorewall 4.4.15)</term>
|
||||
|
||||
<listitem>
|
||||
<para>The <replaceable>header-list</replaceable> consists of a
|
||||
comma-separated list of headers from the following list.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">auth</emphasis>, <emphasis
|
||||
role="bold">ah</emphasis>, or <emphasis
|
||||
role="bold">50</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para><firstterm>Authentication Headers</firstterm> extension
|
||||
header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">esp</emphasis>, or <emphasis
|
||||
role="bold">51</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para><firstterm>Encrypted Security Payload</firstterm>
|
||||
extension header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">hop</emphasis>, <emphasis
|
||||
role="bold">hop-by-hop</emphasis> or <emphasis
|
||||
role="bold">0</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Hop-by-hop options extension header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">route</emphasis>, <emphasis
|
||||
role="bold">ipv6-route</emphasis> or <emphasis
|
||||
role="bold">41</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>IPv6 Route extension header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">frag</emphasis>, <emphasis
|
||||
role="bold">ipv6-frag</emphasis> or <emphasis
|
||||
role="bold">44</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>IPv6 fragmentation extension header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">none</emphasis>, <emphasis
|
||||
role="bold">ipv6-nonxt</emphasis> or <emphasis
|
||||
role="bold">59</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>No next header</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">proto</emphasis>, <emphasis
|
||||
role="bold">protocol</emphasis> or <emphasis
|
||||
role="bold">255</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Any protocol header.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>If <emphasis role="bold">any:</emphasis> is specified, the
|
||||
rule will match if any of the listed headers are present. If
|
||||
<emphasis role="bold">exactly:</emphasis> is specified, the will
|
||||
match packets that exactly include all specified headers. If neither
|
||||
is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
|
||||
|
||||
<para>If <emphasis role="bold">!</emphasis> is entered, the rule
|
||||
will match those packets which would not be matched when <emphasis
|
||||
role="bold">!</emphasis> is omitted.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|