diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index b3b9553ad..0e5a120d7 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -204,7 +204,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 sub process_format( $ ) {
 my $format = shift;
- fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
+ fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/;
 $format;
 }
@@ -252,13 +252,23 @@ sub setup_conntrack() {
 $empty = 0;
- if ( $source =~ /^all(-)?(:(.+))?$/ ) {
- fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
- process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch ) unless $1;
- process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch );
+ if ( $format < 3 ) {
+ if ( $source =~ /^all(-)?(:(.+))?$/ ) {
+ fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
+ process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch ) unless $1;
+ process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch );
+ } else {
+ process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+ }
+ } elsif ( $action =~ s/:0$// ) {
+ process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+ } elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
+ process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+ process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 } else {
- process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
- }
+ $action =~ s/:P//;
+ process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+ }
 }
 clear_comment;
diff --git a/Shorewall/configfiles/conntrack b/Shorewall/configfiles/conntrack
index 0a2084f4d..16ba33b38 100644
--- a/Shorewall/configfiles/conntrack
+++ b/Shorewall/configfiles/conntrack
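Review bot: The OUTPUT-only designator in the new `elsif` is written as `s/:0$//` with a digit zero, while the manpage and the configfile entries use the letter O, so an action such as `CT:helper:ftp:O` matches none of the suffix branches, drops into the `else` where `s/:P//` also fails, and is passed to process_conntrack_rule for PREROUTING with the `:O` still attached instead of being placed in OUTPUT. The `:OP`, `:PO` and `:P` substitutions are also unanchored, unlike `:0$`, so a helper name that happens to begin with P or OP would be rewritten rather than only the trailing designator. Suggested lines: `} elsif ( $action =~ s/:O$// ) {`, `} elsif ( $action =~ s/:(?:OP|PO)$// ) {` and `$action =~ s/:P$//;`. Note also that the format-3 branches skip the `fatal_error 'USER/GROUP is not allowed …'` guard that the format-2 `all` path applies before adding a PREROUTING rule, so a USER/GROUP value on a `:P`/`:PO` entry reaches process_conntrack_rule unchecked unless that function rejects it itself. setup_conntrack starts and ends outside the hunk.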
@@ -4,50 +4,50 @@
 # For information about entries in this file, type "man shorewall-conntrack"
 #
 ##############################################################################################################
-FORMAT 2
+FORMAT 3
 #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
 # PORT(S) PORT(S) GROUP
 ?if $AUTOHELPERS && __CT_TARGET
 ?if __AMANDA_HELPER
-CT:helper:amanda all - udp 10080
+CT:helper:amanda:PO - - udp 10080
 ?endif
 ?if __FTP_HELPER
-CT:helper:ftp all - tcp 21
+CT:helper:ftp:PO - - tcp 21
 ?endif
 ?if __H323_HELPER
-CT:helper:RAS all - udp 1719
-CT:helper:Q.931 all - tcp 1720
+CT:helper:RAS;PO - - udp 1719
+CT:helper:Q.931:PO - - tcp 1720
 ?endif
 ?if __IRC_HELPER
-CT:helper:irc all - tcp 6667
+CT:helper:irc:PO - - tcp 6667
 ?endif
 ?if __NETBIOS_NS_HELPER
-CT:helper:netbios-ns all - udp 137
+CT:helper:netbios-ns:PO - - udp 137
 ?endif
 ?if __PPTP_HELPER
-CT:helper:pptp all - tcp 1723
+CT:helper:pptp:PO - - tcp 1723
 ?endif
 ?if __SANE_HELPER
-CT:helper:sane all - tcp 6566
+CT:helper:sane:PO - - tcp 6566
 ?endif
 ?if __SIP_HELPER
-CT:helper:sip all - udp 5060
+CT:helper:sip:PO - - udp 5060
 ?endif
 ?if __SNMP_HELPER
-CT:helper:snmp all - udp 161
+CT:helper:snmp:PO - - udp 161
 ?endif
 ?if __TFTP_HELPER
-CT:helper:tftp all - udp 69
+CT:helper:tftp:PO - - udp 69
 ?endif
 ?endif
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index bfd50866d..e2e6ae233 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
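Review bot: `CT:helper:RAS;PO` in the __H323_HELPER block uses a semicolon where every other entry uses a colon before the PO designator, so the suffix parsing added to Raw.pm in this commit will not recognise it and the line falls through to the default PREROUTING-only path with `RAS;PO` left in the action, rather than adding the rule to both PREROUTING and OUTPUT as the replaced `all` source did. The line should read `CT:helper:RAS:PO - - udp 1719`. Whether the result is a lost OUTPUT rule or a compile-time rejection depends on how process_conntrack_rule validates the helper name, which is not visible here.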
@@ -32,11 +32,26 @@ role="bold">raw table. In 4.5.7, the file's name was changed to conntrack. - The file supports two different column layouts: FORMAT 1 and FORMAT - 2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an - additional leading ACTION column. When an entry in the file of this form - is encountered, the format of the following entries are assumed to be of - the specified format. + The file supports two different column layouts: FORMAT 1, FORMAT 2, + and FORMAT 3, FORMAT 1 being the default. The three differ as + follows: + + + + in FORMAT 2 and 3, there is an additional leading ACTION + column. + + + + in FORMAT 3, the SOURCE column accepts no zone name; rather the + ACTION column allows a SUFFIX that determines the chain(s) that the + generated rule will be added to. + + + + When an entry in the following form is encountered, the format of + the following entries are assumed to be of the specified + format. FORMAT @@ -44,7 +59,10 @@ where format is either 1 or 2. + role="bold">1,2 or 3. + + Format 3 was introduced in Shorewall 4.5.10. Comments may be attached to Netfilter rules generated from entries in this file through the use of COMMENT lines. These lines begin with the @@ -63,7 +81,7 @@ role="bold">NOTRACK|CT:helper:name[(arg=val[,...])|CT:notrack} + role="bold">CT:notrack}[:chain-designator] This column is only present when FORMAT = 2. Values other than @@ -151,10 +169,10 @@ - + - + 
@@ -232,11 +250,46 @@ When FORMAT = 1, this column is not present and the rule is processed as if NOTRACK had been entered in this column. + + Beginning with Shoreall 4.5.10, when FORMAT = 3, this column + can end with a colon followed by a + chain-designator. The + chain-designator can be one of the + following: + + + + P + + + The rule is added to the raw table PREROUTING chain. + This is the default if no + chain-designator is present. + + + + + O + + + The rule is added to the raw table OUTPUT chain. + + + + + PO or OP + + + The rule is added to the raw table PREROUTING and OUTPUT + chains. + + + - SOURCE ‒ + SOURCE (formats 1 and 2) ‒ {zone[:interface][:address-list]|COMMENT} @@ -267,6 +320,23 @@ + + SOURCE (formats 3) ‒ + {-|[:interface][:address-list} + + + Where interface is an interface to + that zone, and address-list is a + comma-separated list of addresses (may contain exclusion - see + shorewall-exclusion + (5)). + + COMMENT is only allowed in format 1; the remainder of the line + is treated as a comment that will be associated with the generated + rule(s). + + + DEST ‒ [interface|address-list] @@ -393,9 +463,28 @@ EXAMPLE + Example 1: + #ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP # PORT(S) PORT(S) CT:helper:ftp(expevents=new) fw - tcp 21 + + Example 2 (Shorewall 4.5.10 or later): + + Drop traffic to/from all zones to IP address 1.2.3.4 + + FORMAT 2 +#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP +# PORT(S) PORT(S) +DROP all-:1.2.3.4 - +DROP all 1.2.3.4 + + orFORMAT 3 +#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP +# PORT(S) PORT(S) +DROP:P 1.2.3.4 - +DROP:PO - 1.2.3.4 + diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml index 0952ea788..2869d8b92 100644 --- a/Shorewall6/manpages/shorewall6-conntrack.xml +++ b/Shorewall6/manpages/shorewall6-conntrack.xml 
@@ -25,25 +25,44 @@ The original intent of the notrack file was to exempt certain traffic from Netfilter connection tracking. - Traffic matching entries in that file were not to be tracked. + Traffic matching entries in the file were not to be tracked. The role of the file was expanded in Shorewall 4.4.27 to include all rules that can be added in the Netfilter raw table. In 4.5.7, the file's name was changed to conntrack. - The file supports two different column layouts: FORMAT 1 and FORMAT - 2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an - additional leading ACTION column. When an entry in the file of this form - is encountered, the format of the following entries are assumed to be of - the specified format. + The file supports two different column layouts: FORMAT 1, FORMAT 2, + and FORMAT 3, FORMAT 1 being the default. The three differ as + follows: + + + + in FORMAT 2 and 3, there is an additional leading ACTION + column. + + + + in FORMAT 3, the SOURCE column accepts no zone name; rather the + ACTION column allows a SUFFIX that determines the chain(s) that the + generated rule will be added to. + + + + When an entry in the following form is encountered, the format of + the following entries are assumed to be of the specified + format. - FORMAT format + FORMAT + format where format is either 1 or 2. + role="bold">1,2 or 3. + + Format 3 was introduced in Shorewall 4.5.10. Comments may be attached to Netfilter rules generated from entries in this file through the use of COMMENT lines. These lines begin with the @@ -62,7 +81,7 @@ role="bold">NOTRACK|CT:helper:name[(arg=val[,...])|CT:notrack} + role="bold">CT:notrack}[:chain-designator] This column is only present when FORMAT = 2. Values other than 
@@ -127,11 +146,46 @@ When FORMAT = 1, this column is not present and the rule is processed as if NOTRACK had been entered in this column. + + Beginning with Shoreall 4.5.10, when FORMAT = 3, this column + can end with a colon followed by a + chain-designator. The + chain-designator can be one of the + following: + + + + P + + + The rule is added to the raw table PREROUTING chain. + This is the default if no + chain-designator is present. + + + + + O + + + The rule is added to the raw table OUTPUT chain. + + + + + PO or OP + + + The rule is added to the raw table PREROUTING and OUTPUT + chains. + + + - SOURCE ‒ + SOURCE (formats 1 and 2) ‒ zone[:interface][:address-list] @@ -162,6 +216,23 @@ + + SOURCE (formats 3) ‒ + {-|[:interface][:address-list} + + + Where interface is an interface to + that zone, and address-list is a + comma-separated list of addresses (may contain exclusion - see + shorewall-exclusion + (5)). + + COMMENT is only allowed in format 1; the remainder of the line + is treated as a comment that will be associated with the generated + rule(s). + + + DEST ‒ [interface|address-list] @@ -277,11 +348,35 @@ - EXAMPLE + EXAMPLES - #ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP + Example 1: + + Use the FTP helper for TCP port 21 connections from the firewall + itself. + + FORMAT 2 +#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP # PORT(S) PORT(S) CT:helper:ftp(expevents=new) fw - tcp 21 + + Example 2 (Shorewall 4.5.10 or later): + + Drop traffic to/from all zones to IP address 2001:1.2.3::4 + + FORMAT 2 +#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP +# PORT(S) PORT(S) +DROP all-:2001:1.2.3::4 - +DROP all 2001:1.2.3::4 + + + orFORMAT 3 +#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP +# PORT(S) PORT(S) +DROP:P 2001:1.2.3::4 - +DROP:PO - 2001:1.2.3::4 +