holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Support protocol lists in most files.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-01-07 16:06:54 -08:00
parent 0526863e66
commit 414a74d23c
20 changed files with 230 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
Shorewall/Perl/Shorewall/Accounting.pm
View File

@ -141,22 +141,14 @@ sub process_section ($) {
#
# Accounting
#
sub process_accounting_rule( ) {
sub process_accounting_rule1( $$$$$$$$$$$ ) {
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
$acctable = $config{ACCOUNTING_TABLE};
$jumpchainref = 0;
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 };
fatal_error 'ACTION must be specified' if $action eq '-';
if ( $action eq 'SECTION' ) {
process_section( $chain );
return 0;
}
$asection = LEGACY if $asection < 0;
our $disposition = '';
@ -409,6 +401,28 @@ sub process_accounting_rule( ) {
return 1;
}
sub process_accounting_rule( ) {
my ($action, $chain, $source, $dest, $protos, $ports, $sports, $user, $mark, $ipsec, $headers ) =
split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 };
my $nonempty = 0;
for my $proto ( split_list $protos, 'Protocol' ) {
fatal_error 'ACTION must be specified' if $action eq '-';
if ( $action eq 'SECTION' ) {
process_section( $chain );
} else {
for my $proto ( split_list $protos, 'Protocol' ) {
$nonempty |= process_accounting_rule1( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers );
}
}
}
$nonempty;
}
sub setup_accounting() {
if ( my $fn = open_file 'accounting', 1, 1 ) {

24
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -682,7 +682,7 @@ sub process_stoppedrules() {
$result = 1;
my ( $target, $source, $dest, $proto, $ports, $sports ) =
my ( $target, $source, $dest, $protos, $ports, $sports ) =
split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 };
fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;
@ -730,16 +730,18 @@ sub process_stoppedrules() {
unless ( $restriction == OUTPUT_RESTRICT
&& $target eq 'ACCEPT'
&& $config{ADMINISABSENTMINDED} ) {
expand_rule( $chainref ,
$restriction ,
do_proto( $proto, $ports, $sports ) ,
$source ,
$dest ,
'' ,
$target,
'',
$disposition,
do_proto( $proto, '-', '-' ) );
for my $proto ( split_list $protos, 'Protocol' ) {
expand_rule( $chainref ,
$restriction ,
do_proto( $proto, $ports, $sports ) ,
$source ,
$dest ,
'' ,
$target,
'',
$disposition,
do_proto( $proto, '-', '-' ) );
}
} else {
warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";
}

19
Shorewall/Perl/Shorewall/Nat.pm
View File

@ -56,12 +56,9 @@ sub initialize() {
#
# Process a single rule from the the masq file
#
sub process_one_masq( )
sub process_one_masq1( $$$$$$$$$$ )
{
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) = @_;
my $pre_nat;
my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
@ -272,6 +269,18 @@ sub process_one_masq( )
}
sub process_one_masq( )
{
my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
for my $proto ( split_list $protos, 'Protocol' ) {
process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest );
}
}
#
# Process the masq file
#

56
Shorewall/Perl/Shorewall/Raw.pm
View File

@ -234,44 +234,46 @@ sub setup_conntrack() {
first_entry( "$doing $fn..." );
while ( read_a_line( NORMAL_READ ) ) {
my ( $source, $dest, $proto, $ports, $sports, $user, $switch );
my ( $source, $dest, $protos, $ports, $sports, $user, $switch );
if ( $file_format == 1 ) {
( $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
( $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
$action = 'NOTRACK';
} else {
( $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
}
$empty = 0;
if ( $file_format < 3 ) {
if ( $source =~ /^all(-)?(:(.+))?$/ ) {
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
for my $zone ( $1 ? off_firewall_zones : all_zones ) {
process_conntrack_rule( undef ,
undef,
$action,
$zone . ( $2 || ''),
$dest,
$proto,
$ports,
$sports,
$user ,
$switch );
for my $proto ( split_list $protos, 'Protocol' ) {
if ( $file_format < 3 ) {
if ( $source =~ /^all(-)?(:(.+))?$/ ) {
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
for my $zone ( $1 ? off_firewall_zones : all_zones ) {
process_conntrack_rule( undef ,
undef,
$action,
$zone . ( $2 || ''),
$dest,
$proto,
$ports,
$sports,
$user ,
$switch );
}
} else {
process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
} elsif ( $action =~ s/:O$// ) {
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} else {
process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
$action =~ s/:P//;
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
} elsif ( $action =~ s/:O$// ) {
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} else {
$action =~ s/:P//;
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
}
}
if ( $name eq 'notrack') {

99
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -204,16 +204,8 @@ sub initialize( $ ) {
$divertref = 0;
}
sub process_tc_rule( ) {
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
if ( $family == F_IPV4 ) {
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, {}, 15;
$headers = '-';
} else {
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, {}, 16;
}
sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
our %tccmd;
@ -693,6 +685,22 @@ sub process_tc_rule( ) {
}
sub process_tc_rule( ) {
my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
if ( $family == F_IPV4 ) {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, {}, 15;
$headers = '-';
} else {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, {}, 16;
}
for my $proto (split_list( $protos, 'Protocol' ) ) {
process_tc_rule1( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
}
}
sub rate_to_kbit( $ ) {
my $rate = $_[0];
@ -1539,11 +1547,9 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
#
# Process a record from the tcfilters file
#
sub process_tc_filter() {
sub process_tc_filter1( $$$$$$$$$ ) {
my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };
fatal_error 'CLASS must be specified' if $devclass eq '-';
my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority ) = @_;
my ($device, $class, $rest ) = split /:/, $devclass, 3;
@ -1814,6 +1820,18 @@ sub process_tc_filter() {
}
sub process_tc_filter() {
my ( $devclass, $source, $dest , $protos, $portlist , $sportlist, $tos, $length, $priority )
= split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };
fatal_error 'CLASS must be specified' if $devclass eq '-';
for my $proto ( split_list $protos, 'Protocol' ) {
process_tc_filter1( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority );
}
}
#
# Process the tcfilter file storing the compiled filters in the %tcdevices table
#
@ -1854,16 +1872,8 @@ sub process_tcfilters() {
#
# Process a tcpri record
#
sub process_tc_priority() {
my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
fatal_error 'BAND must be specified' if $band eq '-';
fatal_error "Invalid tcpri entry" if ( $proto eq '-' &&
$ports eq '-' &&
$address eq '-' &&
$interface eq '-' &&
$helper eq '-' );
sub process_tc_priority1( $$$$$$ ) {
my ( $band, $proto, $ports , $address, $interface, $helper ) = @_;
my $val = numeric_value $band;
@ -1911,6 +1921,26 @@ sub process_tc_priority() {
}
}
sub process_tc_priority() {
my ( $band, $protos, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
fatal_error 'BAND must be specified' if $band eq '-';
fatal_error "Invalid tcpri entry" if ( $protos eq '-' &&
$ports eq '-' &&
$address eq '-' &&
$interface eq '-' &&
$helper eq '-' );
my $val = numeric_value $band;
fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
for my $proto ( split_list $protos, 'Protocol' ) {
process_tc_priority1( $band, $proto, $ports , $address, $interface, $helper );
}
}
#
# Process tcinterfaces
#
@ -2267,11 +2297,8 @@ sub setup_traffic_shaping() {
#
# Process a record in the secmarks file
#
sub process_secmark_rule() {
my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) =
split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
fatal_error 'SECMARK must be specified' if $secmark eq '-';
sub process_secmark_rule1( $$$$$$$$$ ) {
my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = @_;
my %chns = ( T => 'tcpost' ,
P => 'tcpre' ,
@ -2331,6 +2358,20 @@ sub process_secmark_rule() {
}
#
# Process a record in the secmarks file
#
sub process_secmark_rule() {
my ( $secmark, $chainin, $source, $dest, $protos, $dport, $sport, $user, $mark ) =
split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
fatal_error 'SECMARK must be specified' if $secmark eq '-';
for my $proto ( split_list( $protos, 'Protocol' ) ) {
process_secmark_rule1( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark );
}
}
#
# Process the tcrules file and setup traffic shaping
#

7
Shorewall/manpages/shorewall-accounting.xml
View File

@ -392,12 +392,12 @@
<varlistentry>
<term><emphasis role="bold">PROTOCOL (proto)</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">any</emphasis>|<emphasis
role="bold">{any</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
role="bold">ipp2p</emphasis>[<emphasis
role="bold">:</emphasis>{<emphasis
role="bold">udp</emphasis>|<emphasis
role="bold">all</emphasis>}]}</term>
role="bold">all</emphasis>}]}[,...]}</term>
<listitem>
<para>A <emphasis>protocol-name</emphasis> (from protocols(5)), a
@ -405,6 +405,9 @@
role="bold">ipp2p</emphasis>, <emphasis
role="bold">ipp2p:udp</emphasis> or <emphasis
role="bold">ipp2p:all</emphasis></para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>

13
Shorewall/manpages/shorewall-conntrack.xml
View File

@ -176,10 +176,10 @@
</varlistentry>
<varlistentry>
<term/>
<term></term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -348,11 +348,18 @@
<varlistentry>
<term>PROTO
<replaceable>protocol-name-or-number</replaceable></term>
<replaceable>protocol-name-or-number</replaceable>[,...]</term>
<listitem>
<para>A protocol name from <filename>/etc/protocols</filename> or a
protocol number.</para>
<para>Beginning with Shorewall 4.5.12, this column is labeled
<emphasis role="bold">PROTOS</emphasis> and can accept a
comma-separated list of protocols. Either <emphasis
role="bold">proto</emphasis> or <emphasis
role="bold">protos</emphasis> is accepted in the alternate input
format.</para>
</listitem>
</varlistentry>

5
Shorewall/manpages/shorewall-masq.xml
View File

@ -219,12 +219,15 @@
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|[!]<emphasis>protocol-name</emphasis>|[!]<emphasis>protocol-number</emphasis>}</term>
role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]}</term>
<listitem>
<para>If you wish to restrict this entry to a particular protocol
then enter the protocol name (from protocols(5)) or number
here.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>

5
Shorewall/manpages/shorewall-secmarks.xml
View File

@ -227,11 +227,14 @@
role="bold">ipp2p</emphasis>|<emphasis
role="bold">ipp2p:udp</emphasis>|<emphasis
role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
role="bold">all}</emphasis></term>
role="bold">all}[,...]</emphasis></term>
<listitem>
<para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
ipp2p match support in your kernel and iptables.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>

5
Shorewall/manpages/shorewall-stoppedrules.xml
View File

@ -92,10 +92,13 @@
<varlistentry>
<term>PROTO (Optional)
<replaceable>protocol-name-or-number</replaceable></term>
<replaceable>protocol-name-or-number</replaceable>[,...]</term>
<listitem>
<para>Protocol.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>

7
Shorewall/manpages/shorewall-tcfilters.xml
View File

@ -105,11 +105,14 @@
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
role="bold">all}</emphasis></term>
role="bold">-</emphasis>|{<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
role="bold">all}[,...]}</emphasis></term>
<listitem>
<para>Protocol.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>

14
Shorewall/manpages/shorewall-tcpri.xml
View File

@ -72,11 +72,14 @@
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> -
<replaceable>protocol</replaceable></term>
<replaceable>protocol</replaceable>[,...]</term>
<listitem>
<para>Optional. The name or number of an IPv4
<replaceable>protocol</replaceable>.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>
@ -155,10 +158,9 @@
shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

7
Shorewall/manpages/shorewall-tcrules.xml
View File

@ -877,15 +877,18 @@ Normal-Service =&gt; 0x00</programlisting>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">tcp:syn</emphasis>|<emphasis
role="bold">{tcp:syn</emphasis>|<emphasis
role="bold">ipp2p</emphasis>|<emphasis
role="bold">ipp2p:udp</emphasis>|<emphasis
role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
role="bold">all}</emphasis></term>
role="bold">all}[,...]}</emphasis></term>
<listitem>
<para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
ipp2p match support in your kernel and iptables.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>

3
Shorewall6/manpages/shorewall6-accounting.xml
View File

@ -346,6 +346,9 @@
role="bold">ipp2p</emphasis>, <emphasis
role="bold">ipp2p:udp</emphasis> or <emphasis
role="bold">ipp2p:all</emphasis></para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>

5
Shorewall6/manpages/shorewall6-conntrack.xml
View File

@ -244,11 +244,14 @@
<varlistentry>
<term>PROTO
<replaceable>protocol-name-or-number</replaceable></term>
<replaceable>protocol-name-or-number</replaceable>[,...]</term>
<listitem>
<para>A protocol name from <filename>/etc/protocols</filename> or a
protocol number.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>

3
Shorewall6/manpages/shorewall6-secmarks.xml
View File

@ -226,6 +226,9 @@
<listitem>
<para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
ipp2p match support in your kernel and iptables.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>

5
Shorewall6/manpages/shorewall6-stoppedrules.xml
View File

@ -92,10 +92,13 @@
<varlistentry>
<term>PROTO (Optional)
<replaceable>protocol-name-or-number</replaceable></term>
<replaceable>protocol-name-or-number</replaceable>[,...]</term>
<listitem>
<para>Protocol.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>

9
Shorewall6/manpages/shorewall6-tcfilters.xml
View File

@ -101,11 +101,14 @@
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
role="bold">all}</emphasis></term>
role="bold">-</emphasis>|{<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
role="bold">all}</emphasis>[,...]}</term>
<listitem>
<para>Protocol.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>
@ -317,6 +320,6 @@
<para><ulink
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
<para/>
<para></para>
</refsect1>
</refentry>

15
Shorewall6/manpages/shorewall6-tcpri.xml
View File

@ -72,11 +72,14 @@
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> -
<replaceable>protocol</replaceable></term>
<replaceable>protocol</replaceable>[,...]</term>
<listitem>
<para>Optional. The name or number of an IPv4
<replaceable>protocol</replaceable>.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>
@ -149,10 +152,10 @@
<para>PRIO(8), shorewall6(8), shorewall6-accounting(5),
shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcinterfaces(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcinterfaces(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

7
Shorewall6/manpages/shorewall6-tcrules.xml
View File

@ -753,15 +753,18 @@ Normal-Service =&gt; 0x00</programlisting>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">tcp:syn</emphasis>|<emphasis
role="bold">{tcp:syn</emphasis>|<emphasis
role="bold">ipp2p</emphasis>|<emphasis
role="bold">ipp2p:udp</emphasis>|<emphasis
role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
role="bold">all}</emphasis></term>
role="bold">all}[,...]}</emphasis></term>
<listitem>
<para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
ipp2p match support in your kernel and ip6tables.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>