Apply 4.2 changes to Trunk

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9476 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-02-22 15:11:11 +00:00
parent f4b2f68ea0
commit 45c6c2ad1f
9 changed files with 280 additions and 1305 deletions


@ -1,5 +1,5 @@
%define name shorewall-common
%define version 4.2.6
%define version 4.2.7
%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -114,6 +114,7 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcclasses
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcdevices
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcfilters
%attr(0600,root,root) %config(noreplace) /etc/shorewall/notrack
%attr(0600,root,root) /etc/shorewall/Makefile
%attr(0755,root,root) /sbin/shorewall
@ -169,6 +170,7 @@ fi
%attr(0644,root,root) /usr/share/shorewall/configfiles/tcclasses
%attr(0644,root,root) /usr/share/shorewall/configfiles/tcdevices
%attr(0644,root,root) /usr/share/shorewall/configfiles/tcfilters
%attr(0644,root,root) /usr/share/shorewall/configfiles/notrack
%attr(0644,root,root) /usr/share/shorewall/configfiles/Makefile
%attr(0644,root,root) %{_mandir}/man5/*
@ -177,6 +179,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples swping swping.init isusable
%changelog
* Sat Feb 21 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.7-0base
* Thu Feb 05 2009 Tom Eastep tom@shorewall.net
- Add 'restored' script
* Wed Feb 04 2009 Tom Eastep tom@shorewall.net


@ -53,10 +53,6 @@ our $reused = 0;
our $family = F_IPV4;
our $rtc;
use constant { NORTC => 1, RTCONLY => 2 };
#
# Reinitilize the package-globals in the other modules
#
@ -574,74 +570,6 @@ EOF
}
#
# Compile stop_rtc()
#
sub compile_stop_rtc() {
emit <<'EOF';
#
# Stop/restore RTC after an error or because of a 'stop' or 'clear' command
#
stop_rtc() {
case $COMMAND in
stop|clear|restore)
;;
*)
set +x
case $COMMAND in
start)
logger -p kern.err "ERROR:$PRODUCT start failed"
;;
restart)
logger -p kern.err "ERROR:$PRODUCT restart failed"
;;
restore)
logger -p kern.err "ERROR:$PRODUCT restore failed"
;;
esac
;;
esac
STOPPING="Yes"
TERMINATOR=
run_stop_exit
EOF
push_indent;
emit 'delete_tc1';
emit( 'undo_routing',
'restore_default_route'
);
emit 'run_stopped_exit';
pop_indent;
emit '
logger -p kern.info "$PRODUCT Stopped"
case $COMMAND in
stop|clear)
;;
*)
#
# RTC is being stopped when we were trying to do something
# else. Kill the shell in case we\'re running in a subshell
#
kill $$
;;
esac
}
';
}
#
# Final stage of script generation.
#
@ -656,24 +584,18 @@ EOF
#
sub generate_script_2($) {
unless ( $rtc == RTCONLY ) {
if ( $family == F_IPV4 ) {
progress_message2 "Creating iptables-restore input...";
} else {
progress_message2 "Creating ip6tables-restore input...";
}
create_netfilter_load( $test );
create_chainlist_reload( $_[0] );
if ( $family == F_IPV4 ) {
progress_message2 "Creating iptables-restore input...";
} else {
progress_message2 "Creating ip6tables-restore input...";
}
create_netfilter_load( $test );
create_chainlist_reload( $_[0] );
emit "#\n# Start/Restart the Firewall\n#";
if ( $rtc == RTCONLY ) {
emit 'define_rtc() {';
} else {
emit 'define_firewall() {';
}
emit 'define_firewall() {';
push_indent;
@ -698,134 +620,129 @@ sub generate_script_2($) {
emit 'load_kernel_modules Yes';
}
unless ( $rtc == RTCONLY ) {
if ( $family == F_IPV4 ) {
emit ( '#',
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
'#',
'qt1 $IPTABLES -N foox1234',
'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
'result=$?',
'qt1 $IPTABLES -F foox1234',
'qt1 $IPTABLES -X foox1234',
'[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"',
'' );
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
'if [ -n "$addr" ]; then',
' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
' if in_network $addr $network; then',
" error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"",
' fi',
' done',
"fi\n" );
}
if ( $family == F_IPV4 ) {
emit ( '#',
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
'#',
'qt1 $IPTABLES -N foox1234',
'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
'result=$?',
'qt1 $IPTABLES -F foox1234',
'qt1 $IPTABLES -X foox1234',
'[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"',
'' );
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
'',
'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall',
'',
'delete_proxyarp',
''
);
if ( $capabilities{NAT_ENABLED} ) {
emit( 'if [ -f ${VARDIR}/nat ]; then',
' while read external interface; do',
' del_ip_addr $external $interface',
' done < ${VARDIR}/nat',
'',
' rm -f ${VARDIR}/nat',
"fi\n" );
}
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
} else {
emit ( '#',
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
'#',
'qt1 $IP6TABLES -N foox1234',
'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
'result=$?',
'qt1 $IP6TABLES -F foox1234',
'qt1 $IP6TABLES -X foox1234',
'[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
'' );
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
'',
'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
''
);
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
'if [ -n "$addr" ]; then',
' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
' if in_network $addr $network; then',
" error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"",
' fi',
' done',
"fi\n" );
}
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
'',
'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall',
'',
'delete_proxyarp',
''
);
if ( $capabilities{NAT_ENABLED} ) {
emit( 'if [ -f ${VARDIR}/nat ]; then',
' while read external interface; do',
' del_ip_addr $external $interface',
' done < ${VARDIR}/nat',
'',
' rm -f ${VARDIR}/nat',
"fi\n" );
}
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
} else {
emit ( '#',
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
'#',
'qt1 $IP6TABLES -N foox1234',
'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
'result=$?',
'qt1 $IP6TABLES -F foox1234',
'qt1 $IP6TABLES -X foox1234',
'[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
'' );
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
'',
'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
''
);
}
unless ( $rtc == NORTC ) {
emit qq(delete_tc1\n) if $config{CLEAR_TC};
}
emit qq(delete_tc1\n) if $config{CLEAR_TC};
set_global_variables;
emit '';
emit( 'setup_common_rules', '' ) unless $rtc == RTCONLY;
emit( 'setup_common_rules', '' );
emit( 'setup_routing_and_traffic_shaping', '' ) unless $rtc == NORTC;
emit( 'setup_routing_and_traffic_shaping', '' );
unless ( $rtc == RTCONLY ) {
emit 'cat > ${VARDIR}/proxyarp << __EOF__';
dump_proxy_arp;
emit_unindented '__EOF__';
emit( '',
'if [ "$COMMAND" != refresh ]; then' );
push_indent;
emit 'cat > ${VARDIR}/zones << __EOF__';
dump_zone_contents;
emit_unindented '__EOF__';
emit 'cat > ${VARDIR}/proxyarp << __EOF__';
dump_proxy_arp;
emit_unindented '__EOF__';
pop_indent;
emit( '',
'if [ "$COMMAND" != refresh ]; then' );
emit "fi\n";
push_indent;
emit '> ${VARDIR}/nat';
emit 'cat > ${VARDIR}/zones << __EOF__';
dump_zone_contents;
emit_unindented '__EOF__';
add_addresses;
pop_indent;
emit "fi\n";
emit '> ${VARDIR}/nat';
add_addresses;
emit( '',
'if [ $COMMAND = restore ]; then',
' iptables_save_file=${VARDIR}/$(basename $0)-iptables',
' if [ -f $iptables_save_file ]; then' );
emit( '',
'if [ $COMMAND = restore ]; then',
' iptables_save_file=${VARDIR}/$(basename $0)-iptables',
' if [ -f $iptables_save_file ]; then' );
if ( $family == F_IPV4 ) {
emit ' cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux'
} else {
emit ' cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
}
if ( $family == F_IPV4 ) {
emit ' cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux'
} else {
emit ' cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
}
emit<<'EOF';
emit<<'EOF';
else
fatal_error "$iptables_save_file does not exist"
fi
EOF
pop_indent;
setup_forwarding( $family );
push_indent;
emit<<'EOF';
pop_indent;
setup_forwarding( $family );
push_indent;
emit<<'EOF';
set_state "Started"
run_restored_exit
else
if [ $COMMAND = refresh ]; then
chainlist_reload
EOF
setup_forwarding( $family );
emit<<'EOF';
setup_forwarding( $family );
emit<<'EOF';
run_refreshed_exit
do_iptables -N shorewall
set_state "Started"
@ -834,8 +751,8 @@ EOF
restore_dynamic_rules
conditionally_flush_conntrack
EOF
setup_forwarding( $family );
emit<<'EOF';
setup_forwarding( $family );
emit<<'EOF';
run_start_exit
do_iptables -N shorewall
set_state "Started"
@ -844,12 +761,8 @@ EOF
[ $0 = ${VARDIR}/.restore ] || cp -f $(my_pathname) ${VARDIR}/.restore
fi
EOF
}
emit<<'EOF';
date > ${VARDIR}/restarted
date > ${VARDIR}/restarted
case $COMMAND in
start)
@ -892,7 +805,6 @@ sub compiler {
$export = 0;
$test = 0;
$rtc = 1;
sub edit_boolean( $ ) {
my $val = numeric_value( shift );
@ -909,11 +821,6 @@ sub compiler {
defined($val) && ($val == F_IPV4 || $val == F_IPV6);
}
sub edit_rtc( $ ) {
my $val = numberic_value( shift );
defined($val) && ($val == 0 || $val == NORTC || $val == RTCONLY);
}
my %parms = ( object => { store => \$objectfile },
directory => { store => \$directory },
family => { store => \$family , edit => \&edit_family } ,
@ -925,7 +832,6 @@ sub compiler {
log => { store => \$log },
log_verbosity => { store => \$log_verbosity, edit => \&edit_verbosity } ,
test => { store => \$test },
rtc => { store => \$rtc , edit => \&edit_rtc } ,
);
#
# P A R A M E T E R P R O C E S S I N G
@ -977,33 +883,36 @@ sub compiler {
#
run_user_exit1 'compile';
#
# Z O N E D E F I N I T I O N
# (Produces no output to the compiled script)
# Z O N E D E F I N I T I O N
# (Produces no output to the compiled script)
#
unless ( $rtc == RTCONLY ) {
determine_zones;
#
# Process the interfaces file.
#
validate_interfaces_file ( $export );
#
# Process the hosts file.
#
validate_hosts_file;
#
# Report zone contents
#
zone_report;
#
# Do action pre-processing.
#
process_actions1;
#
# P O L I C Y
# (Produces no output to the compiled script)
#
validate_policy;
}
determine_zones;
#
# Process the interfaces file.
#
validate_interfaces_file ( $export );
#
# Process the hosts file.
#
validate_hosts_file;
#
# Report zone contents
#
zone_report;
#
# Do action pre-processing.
#
process_actions1;
#
# P O L I C Y
# (Produces no output to the compiled script)
#
validate_policy;
#
# N O T R A C K
# (Produces no output to the compiled script)
#
setup_notrack;
#
# I N I T I A L I Z E
# (Writes the initialize() function to the compiled script)
@ -1019,166 +928,154 @@ sub compiler {
#
unless ( $command eq 'check' ) {
enable_object;
if ( $rtc == RTCONLY ) {
compile_stop_rtc;
} else {
compile_stop_firewall;
}
compile_stop_firewall;
disable_object;
}
#
# C O M M O N _ R U L E S
# (Writes the setup_common_rules() function to the compiled script)
#
if ( $rtc != RTCONLY ) {
enable_object;
enable_object;
unless ( $command eq 'check' ) {
unless ( $test ) {
if ( $family == F_IPV4 ) {
copy $globals{SHAREDIRPL} . 'prog.functions';
} else {
copy $globals{SHAREDIRPL} . 'prog.functions6';
}
unless ( $command eq 'check' ) {
unless ( $test ) {
if ( $family == F_IPV4 ) {
copy $globals{SHAREDIRPL} . 'prog.functions';
} else {
copy $globals{SHAREDIRPL} . 'prog.functions6';
}
emit( "\n#",
'# Setup Common Rules (/proc)',
'#',
'setup_common_rules() {'
);
push_indent;
}
#
# Do all of the zone-independent stuff
#
add_common_rules;
#
# /proc stuff
#
if ( $family == F_IPV4 ) {
setup_arp_filtering;
setup_route_filtering;
setup_martian_logging;
}
emit( "\n#",
'# Setup Common Rules (/proc)',
'#',
'setup_common_rules() {'
);
setup_source_routing($family);
#
# Proxy Arp/Ndp
#
setup_proxy_arp;
#
# Handle MSS setings in the zones file
#
setup_zone_mss;
unless ( $command eq 'check' ) {
pop_indent;
emit '}';
}
disable_object;
push_indent;
}
#
# Do all of the zone-independent stuff
#
add_common_rules;
#
# /proc stuff
#
if ( $family == F_IPV4 ) {
setup_arp_filtering;
setup_route_filtering;
setup_martian_logging;
}
setup_source_routing($family);
#
# Proxy Arp/Ndp
#
setup_proxy_arp;
#
# Handle MSS setings in the zones file
#
setup_zone_mss;
unless ( $command eq 'check' ) {
pop_indent;
emit '}';
}
disable_object;
#
# R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
# (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
#
unless ( $rtc == NORTC ) {
enable_object;
enable_object;
unless ( $command eq 'check' ) {
emit( "\n#",
'# Setup routing and traffic shaping',
'#',
'setup_routing_and_traffic_shaping() {'
);
push_indent;
}
#
# [Re-]establish Routing
#
setup_providers;
#
# TCRules and Traffic Shaping
#
setup_tc;
unless ( $command eq 'check' ) {
pop_indent;
emit "}\n";
}
disable_object;
unless ( $command eq 'check' ) {
emit( "\n#",
'# Setup routing and traffic shaping',
'#',
'setup_routing_and_traffic_shaping() {'
);
push_indent;
}
#
# [Re-]establish Routing
#
setup_providers;
#
# TCRules and Traffic Shaping
#
setup_tc;
unless ( $command eq 'check' ) {
pop_indent;
emit "}\n";
}
disable_object;
#
# N E T F I L T E R
# (Produces no output to the compiled script)
#
unless ( $rtc == RTCONLY ) {
process_tos;
if ( $family == F_IPV4 ) {
#
# ECN
#
setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
#
# Setup Masquerading/SNAT
#
setup_masq;
}
process_tos;
if ( $family == F_IPV4 ) {
#
# MACLIST Filtration
# ECN
#
setup_mac_lists 1;
setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
#
# Process the rules file.
# Setup Masquerading/SNAT
#
process_rules;
#
# Add Tunnel rules.
#
setup_tunnels;
#
# Post-rules action processing.
#
process_actions2;
process_actions3;
#
# MACLIST Filtration again
#
setup_mac_lists 2;
#
# Apply Policies
#
apply_policy_rules;
if ( $family == F_IPV4 ) {
#
# Setup Nat
#
setup_nat;
#
# Setup NETMAP
#
setup_netmap;
}
#
# Accounting.
#
setup_accounting;
#
# We generate the matrix even though we don't write out the rules. That way, we insure that
# a compile of the script won't blow up during that step.
#
generate_matrix;
setup_masq;
}
#
# MACLIST Filtration
#
setup_mac_lists 1;
#
# Process the rules file.
#
process_rules;
#
# Add Tunnel rules.
#
setup_tunnels;
#
# Post-rules action processing.
#
process_actions2;
process_actions3;
#
# MACLIST Filtration again
#
setup_mac_lists 2;
#
# Apply Policies
#
apply_policy_rules;
if ( $family == F_IPV4 ) {
#
# Setup Nat
#
setup_nat;
#
# Setup NETMAP
#
setup_netmap;
}
#
# Accounting.
#
setup_accounting;
#
# We generate the matrix even though we don't write out the rules. That way, we insure that
# a compile of the script won't blow up during that step.
#
generate_matrix;
if ( $command eq 'check' ) {
if ( $family == F_IPV4 ) {
progress_message3 "Shorewall configuration verified";
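Review bot: The RFC 1918 check that generate_script_2 emits for `norfc1918` interfaces (new side of the `@ -698,134 +620,129 @@` hunk, the line `' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',`) tests `176.16.0.0/12`, whereas RFC 1918 reserves `172.16.0.0/12`; the line is carried over unchanged from the old side, but it is still the code under review. As written, the generated script never warns when an interface with `norfc1918` holds a 172.16/12 address, and would instead warn for the public 176.16.0.0–176.31.255.255 range. The fix is the one-token change to `' for network in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do',`. The enclosing `generate_script_2` starts in the preceding hunk and its body continues past this one.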


@ -36,9 +36,6 @@
# --log=<filename> # Log file
# --log_verbosity=<number> # Log Verbosity range -1 to 2
# --family=<number> # IP family; 4 = IPv4 (default), 6 = IPv6
# --rtc # 0 = Generate Routing and Traffic shaping + Normal Netfilter logic (default)
# # 1 = Do not Generate Routing and Traffic shaping
# # 2 = Generate only the Routing and Traffic shaping part
#
use strict;
use FindBin;
@ -78,7 +75,6 @@ my $log_verbose = 0;
my $help = 0;
my $test = 0;
my $family = 4; # F_IPV4
my $rtc = 0;
Getopt::Long::Configure ('bundling');
@ -101,7 +97,6 @@ my $result = GetOptions('h' => \$help,
'test' => \$test,
'f=i' => \$family,
'family=i' => \$family,
'rtc=i' => \$rtc,
);
usage(1) unless $result && @ARGV < 2;
@ -117,5 +112,4 @@ compiler( object => defined $ARGV[0] ? $ARGV[0] : '',
log => $log,
log_verbosity => $log_verbose,
test => $test,
family => $family ,
rtc => $rtc );
family => $family );


@ -1,836 +0,0 @@
--- ../../3.4/Shorewall/compiler 2007-10-26 19:10:45.000000000 -0400
+++ compiler 2008-03-09 16:00:16.000000000 -0400
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V3.4
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V4.0
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
@@ -35,6 +35,11 @@
# SHOREWALL_DIR A directory name was passed to /sbin/shorewall
# VERBOSE Standard Shorewall verbosity control.
+BASE_VERSION=40000
+BASE_VERSION_PRINTABLE=4.0.0
+CONFIG_VERSION=40000
+CONFIG_VERSION_PRINTABLE=4.0.0
+
#
# Fatal error -- stops the compiler after issuing the error message
#
@@ -128,7 +133,8 @@
#
append_file() # $1 = File Name
{
- local user_exit=$(find_file $1)
+ local user_exit
+ user_exit=$(find_file $1)
case $user_exit in
$SHAREDIR/*)
@@ -210,7 +216,8 @@
#
finish_chain_section() # $1 = canonical chain $2 = state list
{
- local policy policychain
+ local policy
+ local policychain
[ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
@@ -241,7 +248,9 @@
finish_section() # $1 = Section(s)
{
- local zone zone1 chain
+ local zone
+ local zone1
+ local chain
for zone in $ZONES $FW; do
for zone1 in $ZONES $FW; do
@@ -263,7 +272,8 @@
#
createchain() # $1 = chain name, $2 = If "yes", do section-end processing
{
- local c=$(chain_base $1)
+ local c
+ c=$(chain_base $1)
run_iptables -N $1
@@ -286,7 +296,8 @@
#
createchain2() # $1 = chain name, $2 = If "yes", create default rules
{
- local c=$(chain_base $1)
+ local c
+ c=$(chain_base $1)
ensurechain $1
@@ -313,7 +324,8 @@
#
havechain() # $1 = name of chain
{
- local c=$(chain_base $1)
+ local c
+ c=$(chain_base $1)
eval test \"\$exists_${c}\" = Yes
}
@@ -675,11 +687,11 @@
progress_message2 "Compiling IP Forwarding..."
case "$IP_FORWARDING" in
- On|on)
+ On|on|ON|Yes|yes|YES)
save_progress_message "IP Forwarding Enabled"
save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
;;
- Off|off)
+ Off|off|OFF|No|no|NO)
save_progress_message "IP Forwarding Disabled!"
save_command "echo 0 > /proc/sys/net/ipv4/ip_forward"
;;
@@ -719,16 +731,25 @@
#
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
{
- local level=$1
- local chain=$2
- local displayChain=$3
- local disposition=$4
- local rulenum=
- local limit=
- local tag=$6
- local command=${7:--A}
+ local level
+ level=$1
+ local chain
+ chain=$2
+ local displayChain
+ displayChain=$3
+ local disposition
+ disposition=$4
+ local rulenum
+ rulenum=
+ local limit
+ limit=
+ local tag
+ tag=$6
+ local command
+ command=${7:--A}
local prefix
- local base=$(chain_base $displayChain)
+ local base
+ base=$(chain_base $displayChain)
limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
@@ -739,9 +760,12 @@
log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
{
- local level=$1
- local chain=$2
- local disposition=$3
+ local level
+ level=$1
+ local chain
+ chain=$2
+ local disposition
+ disposition=$3
shift 3
@@ -756,9 +780,12 @@
# $2 = synparams
# $3 = loglevel
{
- local chain=@$1
- local limit=$2
- local limit_burst=
+ local chain
+ chain=@$1
+ local limit
+ limit=$2
+ local limit_burst
+ limit_burst=
case $limit in
*:*)
@@ -837,8 +864,10 @@
#
setup_ecn() # $1 = file name
{
- local interfaces=""
- local hosts=
+ local interfaces
+ interfaces=""
+ local hosts
+ hosts=
local h
if [ -s ${TMP_DIR}/ecn ]; then
@@ -886,7 +915,8 @@
#
build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
{
- local c=excl_${EXCLUSION_SEQ} net
+ local c
+ c=excl_${EXCLUSION_SEQ} net
EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 ))
@@ -916,7 +946,10 @@
# Setup queuing and classes
#
setup_tc1() {
- local mark_part= comment=
+ local mark_part
+ mark_part=
+ local comment
+ comment=
#
# Create the TC mangle chains
#
@@ -1025,7 +1058,8 @@
#
refresh_tc() {
- local comment=
+ local comment
+ comment=
if [ -n "$CLEAR_TC" ]; then
delete_tc
@@ -1089,9 +1123,12 @@
#
compile_refresh_firewall()
{
- local INDENT=""
- local DOING="Compiling Refresh of"
- local DONE="Compiled"
+ local INDENT
+ INDENT=""
+ local DOING
+ DOING="Compiling Refresh of"
+ local DONE
+ DONE="Compiled"
local indent
save_command "refresh_firewall()"
@@ -1142,7 +1179,8 @@
process_action_file() # $1 = File Name
{
if ! list_search $1 $BUILTIN_ACTIONS; then
- local user_exit=$(find_file $1)
+ local user_exit
+ user_exit=$(find_file $1)
if [ -f $user_exit ]; then
progress_message "Processing $user_exit ..."
@@ -1173,7 +1211,12 @@
createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
{
- local actchain= action=$1 level=$2
+ local actchain
+ actchain=
+ local action
+ action=$1
+ local level
+ level=$2
eval actchain=\${${action}_actchain}
@@ -1259,7 +1302,14 @@
#
find_logactionchain() # $1 = Action, including log level and tag if any
{
- local fullaction=$1 action=${1%%:*} level= chains=
+ local fullaction
+ fullaction=$1
+ local action
+ action=${1%%:*}
+ local level
+ level=
+ local chains
+ chains=
find_simpleaction() {
havechain $action || fatal_error "Fatal error in find_logactionchain"
@@ -1302,7 +1352,10 @@
#
merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
{
- local superior=$1 subordinate=$2
+ local superior
+ superior=$1
+ local subordinate
+ subordinate=$2
set -- $(split $1)
@@ -1379,7 +1432,9 @@
#
map_old_action() # $1 = Potential Old Action
{
- local macro= aktion
+ local macro
+ macro=
+ local aktion
if [ -n "$MAPOLDACTIONS" ]; then
case $1 in
@@ -1432,7 +1487,8 @@
#
substitute_action() # $1 = parameter, $2 = action
{
- local logpart=${2#*:}
+ local logpart
+ logpart=${2#*:}
case $2 in
*:*)
@@ -1630,7 +1686,8 @@
# policy = Applicable Policy
#
add_a_rule() {
- local natrule=
+ local natrule
+ natrule=
do_ports() {
if [ -n "$port" ]; then
@@ -2118,19 +2175,32 @@
# $9 = userspec
# $10= mark
{
- local target="$1"
- local clients="$2"
- local servers="$3"
- local protocol="$4"
- local ports="$5"
- local cports="$6"
- local address="$7"
- local ratelimit="$8"
- local userspec="$9"
- local mark="${10}"
- local userandgroup=
- local logtag=
- local nonat=
+ local target
+ target="$1"
+ local clients
+ clients="$2"
+ local servers
+ servers="$3"
+ local protocol
+ protocol="$4"
+ local ports
+ ports="$5"
+ local cports
+ cports="$6"
+ local address
+ address="$7"
+ local ratelimit
+ ratelimit="$8"
+ local userspec
+ userspec="$9"
+ local mark
+ mark="${10}"
+ local userandgroup
+ userandgroup=
+ local logtag
+ logtag=
+ local nonat
+ nonat=
# # # # # F u n c t i o n B o d y # # # # #
@@ -2483,21 +2553,35 @@
# $9 = userspec
# $10= mark
{
- local itarget="$1"
- local param="$2"
- local iclients="$3"
- local iservers="$4"
- local iprotocol="$5"
- local iports="$6"
- local icports="$7"
- local iaddress="$8"
- local iratelimit="$9"
- local iuserspec="${10}"
- local imark="${11}"
+ local itarget
+ itarget="$1"
+ local param
+ param="$2"
+ local iclients
+ iclients="$3"
+ local iservers
+ iservers="$4"
+ local iprotocol
+ iprotocol="$5"
+ local iports
+ iports="$6"
+ local icports
+ icports="$7"
+ local iaddress
+ iaddress="$8"
+ local iratelimit
+ iratelimit="$9"
+ local iuserspec
+ iuserspec="${10}"
+ local imark
+ imark="${11}"
progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
+
+ [ $mtarget = COMMENT ] && continue
+
mtarget=$(merge_levels $itarget $mtarget)
case $mtarget in
@@ -2575,13 +2659,19 @@
#
process_rules()
{
- local comment= optimize
+ local comment
+ comment=
+ local optimize
#
# Process a rule where the source or destination is "all"
#
process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic
{
- local yclients yservers ysourcezone ydestzone ypolicy
+ local yclients
+ local yservers
+ local ysourcezone
+ local ydestzone
+ local ypolicy
for yclients in $xclients; do
for yservers in $xservers; do
@@ -2614,7 +2704,8 @@
do_it() # $1 = "Yes" if the target is a macro.
{
- local intrazone=
+ local intrazone
+ intrazone=
if [ -z "$SECTIONS" ]; then
finish_section ESTABLISHED,RELATED
@@ -2794,17 +2885,35 @@
#
process_default_macro() # $1 = macro name
{
- local macro=$1
- local address=
- local multioption=
- local servport=
- local chain=$1
- local logchain=$1
- local userandgroup=
- local logtag=
- local excludesource=
- local target client server protocol port cport ratelimit userspec rule
- local f=$(find_file macro.${macro})
+ local macro
+ macro=$1
+ local address
+ address=
+ local multioption
+ multioption=
+ local servport
+ servport=
+ local chain
+ chain=$1
+ local logchain
+ logchain=$1
+ local userandgroup
+ userandgroup=
+ local logtag
+ logtag=
+ local excludesource
+ excludesource=
+ local target
+ local client
+ local server
+ local protocol
+ local port
+ local cport
+ local ratelimit
+ local userspec
+ local rule
+ local f
+ f=$(find_file macro.${macro})
havechain $macro && fatal_error "Illegal duplicate default macro name: $macro"
@@ -3062,7 +3171,10 @@
#
process_tos() # $1 = name of tos file
{
- local chain=pretos stdchain=PREROUTING
+ local chain
+ chain=pretos
+ local stdchain
+ stdchain=PREROUTING
if [ -n "$MANGLE_FORWARD" ]; then
chain=fortos
@@ -3093,8 +3205,10 @@
# $3 = loglevel
# $4 = Default Action/Macro
{
- local target="$2"
- local default="$4"
+ local target
+ target="$2"
+ local default
+ default="$4"
if [ -n "$default" ]; then
[ "$default" = none ] || run_iptables -A $1 -j $default
@@ -3131,9 +3245,12 @@
#
default_policy() # $1 = client $2 = server
{
- local chain="${1}2${2}"
- local policy=
- local loglevel=
+ local chain
+ chain="${1}2${2}"
+ local policy
+ policy=
+ local loglevel
+ loglevel=
local chain1
jump_to_policy_chain() {
@@ -3235,14 +3352,18 @@
#
complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
{
- local policy=
- local loglevel=
- local policychain=
- local default=
+ local policy
+ policy=
+ local loglevel
+ loglevel=
+ local policychain
+ policychain=
+ local default
+ default=
run_user_exit $1
- run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
eval policychain=\$${2}2${3}_policychain
@@ -3267,7 +3388,8 @@
#
rules_chain() # $1 = source zone, $2 = destination zone
{
- local chain=${1}2${2} local policy
+ local chain
+ chain=${1}2${2} local policy
havechain $chain && { echo $chain; return; }
@@ -3376,8 +3498,10 @@
process_blacklist()
{
- local disposition=$BLACKLIST_DISPOSITION
- local f=$(find_file blacklist)
+ local disposition
+ disposition=$BLACKLIST_DISPOSITION
+ local f
+ f=$(find_file blacklist)
local target
if [ -s $TMP_DIR/blacklist ]; then
@@ -3411,8 +3535,10 @@
# Setup the Black List
#
setup_blacklist() {
- local hosts="$(find_hosts_by_option blacklist)"
- local ipsec policy
+ local hosts
+ hosts="$(find_hosts_by_option blacklist)"
+ local ipsec
+ local policy
if [ -n "$hosts" -a -s ${TMP_DIR}/blacklist ]; then
progress_message2 "$DOING Blacklisting..."
@@ -3457,8 +3583,10 @@
# Construct zone-independent rules
#
add_common_rules() {
- local savelogparms="$LOGPARMS"
- local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
+ local savelogparms
+ savelogparms="$LOGPARMS"
+ local broadcasts
+ broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
#
# Populate the smurf chain
#
@@ -3788,7 +3916,7 @@
save_progress_message "Setting up Route Filtering..."
- if [ -z "$ROUTE_FILTER" ]; then
+ if [ "$ROUTE_FILTER" = no ]; then
indent >&3 << __EOF__
for f in /proc/sys/net/ipv4/conf/*; do
@@ -3812,8 +3940,10 @@
save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"
- if [ -n "$ROUTE_FILTER" ]; then
+ if [ "$ROUTE_FILTER" = yes ]; then
save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter"
+ elif [ "$ROUTE_FILTER" = no ]; then
+ save_command "echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter"
fi
save_command "[ -n \"\$NOROUTES\" ] || ip route flush cache"
@@ -3829,7 +3959,7 @@
save_progress_message "Setting up Martian Logging..."
- if [ -z "$LOG_MARTIANS" ]; then
+ if [ "$LOG_MARTIANS" = no ]; then
indent >&3 << __EOF__
for f in /proc/sys/net/ipv4/conf/*; do
@@ -3852,9 +3982,12 @@
__EOF__
done
- if [ -n "$LOG_MARTIANS" ]; then
+ if [ "$LOG_MARTIANS" = yes ]; then
save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
save_command "echo 1 > /proc/sys/net/ipv4/conf/default/log_martians"
+ elif [ "$LOG_MARTIANS" = no ]; then
+ save_command "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians"
+ save_command "echo 0 > /proc/sys/net/ipv4/conf/default/log_martians"
fi
fi
@@ -3984,14 +4117,19 @@
#
activate_rules()
{
- local PREROUTING_rule=1
- local POSTROUTING_rule=1
+ local PREROUTING_rule
+ PREROUTING_rule=1
+ local POSTROUTING_rule
+ POSTROUTING_rule=1
#
# Jump to a NAT chain from one of the builtin nat chains
#
addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
{
- local sourcechain=$1 destchain=$2
+ local sourcechain
+ sourcechain=$1
+ local destchain
+ destchain=$2
shift
shift
@@ -4009,7 +4147,10 @@
#
addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
{
- local sourcechain=$1 destchain=$2
+ local sourcechain
+ sourcechain=$1
+ local destchain
+ destchain=$2
shift
shift
@@ -4037,7 +4178,15 @@
#
insert_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
{
- local t=$1 c=$2 num=0 host1 interface1 networks1
+ local t
+ t=$1
+ local c
+ c=$2
+ local num
+ num=0
+ local host1
+ local interface1
+ local networks1
shift 2
@@ -4053,7 +4202,13 @@
#
add_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
{
- local t=$1 c=$2 host1 interface1 networks1
+ local t
+ t=$1
+ local c
+ c=$2
+ local host1
+ local interface1
+ local networks1
shift 2
@@ -4101,7 +4256,8 @@
eval exclusions=\"\$${zone}_exclusions\"
if [ -n "$exclusions" ]; then
- local num=1
+ local num
+ num=1
in_chain=${zone}_input
out_chain=${zone}_output
createchain $in_chain No
@@ -4549,8 +4705,10 @@
# from that script are available here
#
compile_stop_firewall() {
- local IPTABLES_COMMAND="\$IPTABLES"
- local INDENT=" "
+ local IPTABLES_COMMAND
+ IPTABLES_COMMAND="\$IPTABLES"
+ local INDENT
+ INDENT=" "
cat >&3 << __EOF__
@@ -4894,10 +5052,18 @@
#
compile_firewall() # $1 = File Name
{
- local IPTABLES_COMMAND=run_iptables
- local INDENT=""
- local checking= outfile=$1 dir=
- local match=
+ local IPTABLES_COMMAND
+ IPTABLES_COMMAND=run_iptables
+ local INDENT
+ INDENT=""
+ local checking
+ checking=
+ local outfile
+ outfile=$1
+ local dir
+ dir=
+ local match
+ match=
setup_mss()
{
@@ -4951,7 +5117,7 @@
cat >&3 << __EOF__
#
-# Compiled firewall script generated by Shorewall $VERSION - $(date)"
+# Compiled firewall script generated by Shorewall-shell $VERSION - $(date)"
#
__EOF__
@@ -4959,7 +5125,10 @@
cat >&3 << __EOF__
SHAREDIR=/usr/share/shorewall-lite
CONFDIR=/etc/shorewall-lite
-VARDIR=/var/lib/shorewall-lite
+
+[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir
+
+[ -n "\${VARDIR:=/var/lib/shorewall-lite}" ]
__EOF__
@@ -4976,7 +5145,10 @@
cat >&3 << __EOF__
SHAREDIR=/usr/share/shorewall
CONFDIR=/etc/shorewall
-VARDIR=/var/lib/shorewall
+
+[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir
+
+[ -n "\${VARDIR:=/var/lib/shorewall}" ]
. \${SHAREDIR}/lib.base
__EOF__
@@ -5139,7 +5311,8 @@
fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget "-e" when you compiled?)"
fi
- local version=\$(cat \${SHAREDIR}/version)
+ local version
+ version=\$(cat \${SHAREDIR}/version)
if [ \${SHOREWALL_LIBVERSION:-0} -lt 30203 ]; then
fatal_error "This script requires Shorewall version 3.3.3 or later; current version is \$version"
@@ -5178,6 +5351,7 @@
LOCKFILE="$LOCKFILE"
PATH="$PATH"
TERMINATOR=fatal_error
+ DONT_LOAD="$DONT_LOAD"
__EOF__
if [ -n "$IPTABLES" ]; then
@@ -5278,7 +5452,8 @@
# Start/Restart/Reload the firewall
#
define_firewall() {
- local restore_file=\$1
+ local restore_file
+ restore_file=\$1
__EOF__
INDENT=" "
@@ -5727,9 +5902,9 @@
# E X E C U T I O N B E G I N S H E R E
#
#
-# Start trace if first arg is "debug"
+# Start trace if first arg is "debug" or "trace"
#
-[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
+[ $# -gt 1 ] && [ "x$1" = xdebug -o "x$1" = xtrace ] && { set -x ; shift ; }
NOLOCK=
@@ -5754,6 +5929,11 @@
fi
done
+VERSION=$(cat $SHELLSHAREDIR/version)
+
+[ "$SHOREWALL_LIBVERSION" -eq $BASE_VERSION ] || fatal_error "Shorewall-shell $VERSION requires Shorewall-common lib.base version $BASE_VERSION_PRINTABLE"
+[ "$SHOREWALL_CONFIGVERSION" -eq $CONFIG_VERSION ] || fatal_error "Shorewall-shell $VERSION requires Shorewall-common lib.config version $CONFIG_VERSION_PRINTABLE"
+
PROGRAM=compiler
COMMAND="$1"


@ -1,94 +0,0 @@
--- ../../3.4/Shorewall/lib.tunnels 2007-10-26 19:10:45.000000000 -0400
+++ lib.tunnels 2008-03-09 15:55:46.000000000 -0400
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Shorewall 3.4 -- /usr/share/shorewall/lib.tunnels
+# Shorewall 4.1 -- /usr/share/shorewall/lib.tunnels
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
@@ -37,19 +37,31 @@
setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
{
- local kind=$1 noah=
+ local kind
+ kind=$1
+ local noah
+ noah=noah
case $kind in
*:*)
noah=${kind#*:}
- [ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
+ case $noah in
+ ah|AH)
+ noah=
+ ;;
+ noah|NOAH)
+ ;;
+ *)
+ fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
+ ;;
+ esac
kind=${kind%:*}
;;
esac
[ $kind = IPSEC ] && kind=ipsec
- [ $kind = ipsec ] || noah=noah
+ [ $kind = ipsec ] || [ "$noah" = noah ] || fatal_error ":ah not allowed on ipsecnat tunnels"
options="-m state --state NEW -j ACCEPT"
addrule2 $inchain -p 50 $source -j ACCEPT
@@ -125,8 +137,10 @@
setup_one_openvpn() # $1 = kind[:port]
{
- local protocol=udp
- local p=1194
+ local protocol
+ protocol=udp
+ local p
+ p=1194
case $1 in
*:*:*)
@@ -150,8 +164,10 @@
setup_one_openvpn_server() # $1 = kind[:port]
{
- local protocol=udp
- local p=1194
+ local protocol
+ protocol=udp
+ local p
+ p=1194
case $1 in
*:*:*)
@@ -175,8 +191,10 @@
setup_one_openvpn_client() # $1 = kind[:port]
{
- local protocol=udp
- local p=1194
+ local protocol
+ protocol=udp
+ local p
+ p=1194
case $1 in
*:*:*)
@@ -201,7 +219,8 @@
setup_one_generic() # $1 = kind:protocol[:port]
{
local protocol
- local p=
+ local p
+ p=
case $1 in
*:*:*)


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.2.6
VERSION=4.2.7
usage() # $1 = exit status
{
@ -478,7 +478,7 @@ fi
#
# Install the Notrack file
#
run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewal6/configfiles/notrack
run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewall6/configfiles/notrack
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/notrack ]; then
run_install $OWNERSHIP -m 0600 notrack ${PREFIX}/etc/shorewall6/notrack
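Review bot: The corrected destination on the `run_install` line leaves `${PREFIX}` unquoted, so an install prefix containing whitespace or glob characters is word-split before `run_install` sees it; write it as `run_install $OWNERSHIP -m 0644 notrack "${PREFIX}/usr/share/shorewall6/configfiles/notrack"`. The test on the following line has the same unquoted expansion and relies on the binary `-a` operator, which POSIX marks obsolescent; `[ -z "$CYGWIN" ] && [ ! -f "${PREFIX}/etc/shorewall6/notrack" ]` is the portable form. Nothing in this hunk removes the mis-spelled `shorewal6` tree that the old line may have created on systems installed from an earlier release (whether it was created depends on whether `run_install` makes missing directories, which is not visible here); a short comment or a cleanup step would keep a stale copy of notrack from lingering there.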


@ -1,5 +1,5 @@
%define name shorewall6
%define version 4.2.6
%define version 4.2.7
%define release 0base
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@ -91,6 +91,7 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall6/route_rules
%attr(0600,root,root) %config(noreplace) /etc/shorewall6/tcclasses
%attr(0600,root,root) %config(noreplace) /etc/shorewall6/tcdevices
%attr(0600,root,root) %config(noreplace) /etc/shorewall6/notrack
%attr(0600,root,root) /etc/shorewall6/Makefile
%attr(0755,root,root) /sbin/shorewall6
@ -134,6 +135,7 @@ fi
%attr(0644,root,root) /usr/share/shorewall6/configfiles/route_rules
%attr(0644,root,root) /usr/share/shorewall6/configfiles/tcclasses
%attr(0644,root,root) /usr/share/shorewall6/configfiles/tcdevices
%attr(0644,root,root) /usr/share/shorewall6/configfiles/notrack
%attr(0644,root,root) /usr/share/shorewall6/configfiles/Makefile
%attr(0644,root,root) %{_mandir}/man5/*
@ -142,6 +144,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog
* Sat Feb 21 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.7-0base
* Wed Feb 05 2009 Tom Eastep tom@shorewall.net
- Added 'restored' script
* Wed Feb 04 2009 Tom Eastep tom@shorewall.net


@ -72,7 +72,7 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> -
<term><emphasis role="bold">MARK</emphasis> (Optional) -
<emphasis>value</emphasis></term>
<listitem>
@ -85,7 +85,10 @@
must be a multiple of 256 between 256 and 65280 or their hexadecimal
equivalents (0x0100 and 0xff00 with the low-order byte of the value
being zero). Otherwise, the value must be between 1 and 255. Each
provider must be assigned a unique mark value.</para>
provider must be assigned a unique mark value. This column may be
omitted if you don't use packet marking to direct connections to a
particular provider and you don't specify <option>track</option> in
the OPTIONS column.</para>
</listitem>
</varlistentry>


@ -72,7 +72,7 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> -
<term><emphasis role="bold">MARK</emphasis> (Optional) -
<emphasis>value</emphasis></term>
<listitem>
@ -85,7 +85,10 @@
value must be a multiple of 256 between 256 and 65280 or their
hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
of the value being zero). Otherwise, the value must be between 1 and
255. Each provider must be assigned a unique mark value.</para>
255. Each provider must be assigned a unique mark value. This column
may be omitted if you don't use packet marking to direct connections
to a particular provider and you don't specify
<option>track</option> in the OPTIONS column.</para>
</listitem>
</varlistentry>