Merge branch '5.2.3' into 5.2.4

# Conflicts:
#	docs/SharedConfig.xml

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2020-02-06 14:08:33 -08:00
commit 5f50b70618
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
38 changed files with 155 additions and 303 deletions

1
.gitignore vendored Normal file

@ -0,0 +1 @@
*targetname

@ -1141,7 +1141,7 @@
setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
<para>When no <replaceable>verbosity</replaceable> is specified,
each instance of this option causes 1 to be added to the effective
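Review bot: On the changed `<ulink>` line the label still reads `shorewall6.conf` while the target is now `/manpages/shorewall.conf.html`, the same page as the link just before it. Other hunks in this commit (the accounting and mangle-action paragraphs) drop the second link outright; doing the same here, or keeping one link and naming both files in plain text, avoids a label that does not match where it lands. The same applies to every hunk in this file that follows this pattern.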
@ -1162,7 +1162,7 @@
setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
<para>Each instance of this option causes 1 to be subtracted from
the effective verbosity.</para>
@ -1199,7 +1199,7 @@
defined in the <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
(<ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))file.
url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5))file.
A <emphasis>host-list</emphasis> is comma-separated list whose
elements are host or network addresses.<caution>
<para>The <command>add</command> command is not very robust. If
@ -1214,7 +1214,7 @@
<para>Beginning with Shorewall 4.5.9, the <emphasis
role="bold">dynamic_shared</emphasis> zone option (<ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),<ulink
url="???">shorewall6-zones</ulink>(5)) allows a single ipset to
url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5)) allows a single ipset to
handle entries for multiple interfaces. When that option is
specified for a zone, the <command>add</command> command has the
alternative syntax in which the <replaceable>zone</replaceable> name
@ -1332,7 +1332,7 @@
set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
</listitem>
</varlistentry>
@ -1440,7 +1440,7 @@
set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
</listitem>
</varlistentry>
@ -1458,7 +1458,7 @@
defined in the <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
(<ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
file. A <emphasis>host-list</emphasis> is comma-separated list whose
elements are a host or network address.</para>
@ -1466,7 +1466,7 @@
role="bold">dynamic_shared</emphasis> zone option (<ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
<ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5))
allows a single ipset to handle entries for multiple interfaces.
When that option is specified for a zone, the
<command>delete</command> command has the alternative syntax in
@ -1493,7 +1493,7 @@
command removes any routes added from <ulink
url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
(<ulink
url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))and
url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))and
any traffic shaping configuration for the interface.</para>
</listitem>
</varlistentry>
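Review bot: The changed line still ends in `(5))and` with no space before "and", so the rendered text runs the reference into the next word; add the space while this line is being edited.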
@ -1554,7 +1554,7 @@
adds any route specified in <ulink
url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
(<ulink
url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))
url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))
and installs the interface's traffic shaping configuration, if
any.</para>
</listitem>
@ -1599,7 +1599,7 @@
given then the file specified by RESTOREFILE in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
assumed.</para>
</listitem>
</varlistentry>
@ -1684,7 +1684,7 @@
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
This command requires that the firewall be in the started state and
that DYNAMIC_BLACKLIST=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf
@ -1700,7 +1700,7 @@
<para>Monitors the log file specified by the LOGFILE option in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))
and produces an audible alarm when new Shorewall messages are
logged. The <emphasis role="bold">-m</emphasis> option causes the
MAC address of each packet source to be displayed if that
@ -1723,7 +1723,7 @@
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
This command requires that the firewall be in the started state and
that DYNAMIC_BLACKLIST=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf
@ -1878,13 +1878,13 @@
INLINE_MATCHES is set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))..</para>
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))..</para>
<para>The <option>-C</option> option was added in Shorewall
4.6.5 and is only meaningful when AUTOMAKE=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
If an existing firewall script is used and if that script was
the one that generated the current running configuration, then
the running netfilter configuration will be reloaded as is so
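Review bot: The first changed line in this hunk keeps the doubled full stop in `(5))..</para>`; drop one of the two periods in the same edit.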
@ -2006,7 +2006,7 @@
<replaceable>system</replaceable> is omitted, then the FIREWALL
option setting in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) (<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>) is
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>) is
assumed. In that case, if you want to specify a
<replaceable>directory</replaceable>, then the <option>-D</option>
option must be given.</para>
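Review bot: The first link in this sentence keeps the bare relative `url="shorewall.conf.html"` while the line changed here uses `/manpages/shorewall.conf.html`; both are meant to reach the same page, so make the first one absolute as well. The changed link also places `(5)` inside the `<ulink>` label, unlike the neighbouring hunks where it follows the closing tag.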
@ -2071,8 +2071,8 @@
Beginning with Shorewall 5.0.13, if
<replaceable>system</replaceable> is omitted, then the FIREWALL
option setting in <ulink
url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> (<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
assumed. In that case, if you want to specify a
<replaceable>directory</replaceable>, then the <option>-D</option>
option must be given.</para>
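Review bot: After this change both `<ulink>` elements carry the label `shorewall6.conf` and the target `/manpages/shorewall.conf.html`, so the parenthesised second link simply repeats the first. Drop the parenthetical or make the first link read `shorewall.conf`; the hunk at -2144 has the same duplicate.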
@ -2104,7 +2104,7 @@
set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
</listitem>
</varlistentry>
@ -2144,8 +2144,8 @@
Beginning with Shorewall 5.0.13, if
<replaceable>system</replaceable> is omitted, then the FIREWALL
option setting in <ulink
url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> (<ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
assumed. In that case, if you want to specify a
<replaceable>directory</replaceable>, then the <option>-D</option>
option must be given.</para>
@ -2177,7 +2177,7 @@
set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
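Review bot: The changed line ends `(5).</para>`, so the parenthesis opened by `(<ulink` on the line before it is never closed; the sibling hunks end `(5)).</para>`.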
@ -2304,7 +2304,7 @@
restored from the file specified by the RESTOREFILE option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
<caution>
<para>If your iptables ruleset depends on variables that are
@ -2460,7 +2460,7 @@
in the file specified by the RESTOREFILE option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
<para>The <option>-C</option> option, added in Shorewall 4.6.5,
causes the iptables packet and byte counters to be saved along with
@ -2477,7 +2477,7 @@
the SAVE_IPSETS option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
This command may be used to proactively save your ipset contents in
the event that a system failure occurs prior to issuing a
<command>stop</command> command.</para>
@ -2645,7 +2645,7 @@
accounting counters (<ulink
url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>
(5), <ulink
url="/manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).</para>
url="/manpages/shorewall-accounting.html">shorewall6-accounting</ulink>(5)).</para>
</listitem>
</varlistentry>
@ -2669,7 +2669,7 @@
file specified by the LOGFILE option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
The <emphasis role="bold">-m</emphasis> option causes the MAC
address of each packet source to be displayed if that
information is available.</para>
@ -2851,7 +2851,7 @@
in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))
will be restored if that saved configuration exists and has
been modified more recently than the files in
/etc/shorewall. When <emphasis role="bold">-f</emphasis> is
@ -2862,7 +2862,7 @@
option was added to <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
When LEGACY_FASTSTART=No, the modification times of files in
/etc/shorewall are compared with that of
/var/lib/shorewall/firewall (the compiled script that last
@ -2881,7 +2881,7 @@
overriding the AUTOMAKE setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
When both <option>-f</option> and <option>-c</option>are
present, the result is determined by the option that appears
last.</para>
@ -2897,7 +2897,7 @@
INLINE_MATCHES is set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
(<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
<para>The <option>-C</option> option was added in Shorewall
4.6.5 and is only meaningful when the <option>-f</option>

@ -536,6 +536,9 @@ our $ipset_rules;
#
use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
#
# Chain optimization flags
#
use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 };
our %dscpmap = ( CS0 => 0x00,
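Review bot: The "Chain optimization flags" comment does not say that these constants are bit flags, and `RETURNS_DONT_MOVE => 12` is only correct as the OR of `RETURNS => 8` and `DONT_MOVE => 4`. Saying so in the comment would keep a later edit to either value from silently breaking the combined one. The spacing in `1 , DONT_DELETE` is also inconsistent with the rest of the list.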
@ -1422,7 +1425,7 @@ sub compatible( $$ ) {
}
}
#
# Don't combine chains where each specifies
# Don't combine rules where each specifies
# -m policy and the policies are different
# or when one specifies
# -m multiport
@ -4991,10 +4994,10 @@ sub do_proto( $$$;$ )
$invert = $sports =~ s/^!// ? '! ' : '';
if ( $ports =~ /^\+/ ) {
if ( $sports =~ /^\+/ ) {
$output .= $invert;
$output .= '-m set ';
$output .= get_set_flags( $ports, 'src' );
$output .= get_set_flags( $sports, 'src' );
} elsif ( $multiport ) {
if ( port_count( $sports ) > 15 ) {
if ( $restricted ) {
@ -5207,8 +5210,8 @@ sub do_iproto( $$$ )
fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
$invert = $sports =~ s/^!// ? '! ' : '';
if ( $ports =~ /^\+/ ) {
push @output, set => ${invert} . get_set_flags( $ports, 'src' );
if ( $sports =~ /^\+/ ) {
push @output, set => ${invert} . get_set_flags( $sports, 'src' );
} elsif ( $multiport ) {
if ( port_count( $sports ) > 15 ) {
if ( $restricted ) {
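Review bot: This source-port ipset branch exists twice, here and in `do_proto`, and both copies tested `$ports` where `$sports` was meant. A regression case with `+setname` in the SOURCE PORT(S) column and a plain port list in DEST PORT(S) would pin the corrected behaviour for both functions, and a shared helper for the branch would stop the two copies from diverging again.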
@ -7667,11 +7670,13 @@ sub isolate_source_interface( $ ) {
) {
$iiface = $1;
$inets = $2;
$inets =~ s/\]-\[/-/;
} elsif ( $source =~ /:/ ) {
if ( $source =~ /^\[(?:.+),\[(?:.+)\]$/ ){
$inets = $source;
} elsif ( $source =~ /^\[(.+)\]$/ ) {
$inets = $1;
$inets =~ s/\]-\[/-/;
} else {
$inets = $source;
}
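Review bot: In the `elsif ( $source =~ /:/ )` arm, the list form matched by `/^\[(?:.+),\[(?:.+)\]$/` still assigns `$inets = $source` without the `s/\]-\[/-/` rewrite that the other two arms now get, so a range written `[a]-[b]` inside a list is passed on unnormalized. Either apply the rewrite there too or note in a comment why list elements are exempt.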
@ -7789,6 +7794,7 @@ sub isolate_dest_interface( $$$$ ) {
if ( $dest =~ /^(.+?):(\[(?:.+),\[(?:.+)\])$/ ) {
$diface = $1;
$dnets = $2;
$dnets =~ s/\]-\[/-/;
} elsif ( $dest =~ /^(.+?):\[(.+)\]\s*$/ ||
$dest =~ /^(.+?):(!?\+.+)$/ ||
$dest =~ /^(.+?):(!?[&%].+)$/ ||
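Review bot: `$dnets =~ s/\]-\[/-/;` is applied to `$2` from a pattern that captures a comma-separated list (`\[(?:.+),\[(?:.+)\]`), but without `/g` it rewrites only the first `]-[`. A list holding two ranges written as `[a]-[b]` leaves the second one untouched; use `s/\]-\[/-/g` if every element is meant to be normalized.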
@ -7801,6 +7807,7 @@ sub isolate_dest_interface( $$$$ ) {
$dnets = $dest;
} elsif ( $dest =~ /^\[(.+)\]$/ ) {
$dnets = $1;
$dnets =~ s/\]-\[/-/;
} else {
$dnets = $dest;
}

@ -5441,6 +5441,7 @@ sub update_config_file( $ ) {
update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} );
update_default( 'LOGFORMAT', 'Shorewall:%s:%s:' );
update_default( 'LOGLIMIT', '' );
update_default( 'AUTOMAKE', 'No' );
if ( $family == F_IPV4 ) {
update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );

@ -316,9 +316,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
$addr = $1;
$addr =~ s/\]-\[/-/;
if ( $addr =~ /^(.+)-(.+)$/ ) {
fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
validate_range( $1, $2 );
} else {
validate_address $addr, 0;
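Review bot: With `$addr =~ s/\]-\[/-/;` applied right after the outer brackets are stripped, `[<addr1>]-[<addr2>]` is accepted without any message, where the `fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'"` line named the canonical form. If both spellings are now valid input, the manpage for this file should list both; if the bracketed-pair form is only tolerated, a `warning_message` naming the preferred syntax would keep configurations converging on one form.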
@ -930,7 +930,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
if ( $server =~ /^\[(.+)\]$/ ) {
$server = $1;
fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $server =~ /]-\[/;
$server =~ s/\]-\[/-/;
assert( $server =~ /^(.+)-(.+)$/ );
( $addr1, $addr2 ) = ( $1, $2 );
}
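Review bot: `assert( $server =~ /^(.+)-(.+)$/ )` directly follows the substitution and is the only check on the bracketed value visible in this branch, so a bracketed `$server` that contains no '-' ends in an internal assertion instead of a `fatal_error` the user can act on. If the enclosing condition, which is outside this hunk, does not already guarantee a range, replace the assert with a `fatal_error` that quotes the offending value.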

@ -611,8 +611,8 @@ sub process_policy_actions( $$$ ) {
#
# Verify an NFQUEUE specification and return the appropriate ip[6]tables target
#
sub handle_nfqueue( $$ ) {
my ($params, $allow_bypass ) = @_;
sub handle_nfqueue( $ ) {
my ($params) = @_;
my ( $action, $bypass, $fanout );
my ( $queue1, $queue2, $queuenum1, $queuenum2 );
@ -625,7 +625,6 @@ sub handle_nfqueue( $$ ) {
if ( supplied $queue ) {
if ( $queue eq 'bypass' ) {
fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
return 'NFQUEUE --queue-bypass';
}
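Review bot: With the `unless $allow_bypass` guard gone, `NFQUEUE(bypass)` is accepted wherever `handle_nfqueue` is called, including from `process_a_policy1`, whose call previously passed `0 # Don't allow 'bypass'`. The manpage text in this commit says a bypassed NFQUEUE "behaves like ACCEPT" when no userspace program is listening, so a policy written this way fails open if the inspecting program exits. That deserves an explicit caution in the policy documentation, not only the neutral description.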
@ -653,7 +652,6 @@ sub handle_nfqueue( $$ ) {
if ( supplied $bypass ) {
fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
$bypass =' --queue-bypass';
} else {
@ -721,7 +719,13 @@ sub process_a_policy1($$$$$$$) {
require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
my ( $policy, $pactions );
if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
} else {
( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
}
fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
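Review bot: In `/^NFQUEUE\((.*?)\)(?::?(.*))/` the colon is optional and the trailing group is mandatory, so `NFQUEUE(1)foo` parses as policy `NFQUEUE(1)` with `$pactions` set to `foo`, and a bare `NFQUEUE(1)` yields an empty string for `$pactions` where the `split` path yields undef. `/^NFQUEUE\((.*?)\)(?::(.*))?$/` would require the separator, reject trailing text and keep the undefined case consistent between the two branches.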
@ -736,9 +740,7 @@ sub process_a_policy1($$$$$$$) {
my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
if ( defined $queue ) {
$policy = handle_nfqueue( $queue,
0 # Don't allow 'bypass'
);
$policy = handle_nfqueue( $queue );
} elsif ( $policy eq 'NONE' ) {
fatal_error "NONE policy not allowed with \"all\""
if $clientwild || $serverwild;
@ -1604,8 +1606,8 @@ sub merge_levels ($$) {
return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
my @supparts = split /:/, $superior;
my @subparts = split /:/, $subordinate;
my @supparts = split_list2( $superior , 'Action' );
my @subparts = split_list2( $subordinate , 'Action' );
my $subparts = @subparts;
@ -2698,9 +2700,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
$macro_nest_level--;
goto EXIT;
} elsif ( $actiontype & NFQ ) {
$action = handle_nfqueue( $param,
1 # Allow 'bypass'
);
$action = handle_nfqueue( $param );
} elsif ( $actiontype & SET ) {
require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
fatal_error "$action rules require a set name parameter" unless $param;
@ -5767,9 +5767,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
$addr = $1;
$addr =~ s/\]-\[/-/;
if ( $addr =~ /^(.+)-(.+)$/ ) {
fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
validate_range( $1, $2 );
} else {
validate_address $addr, 0;
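Review bot: These lines repeat the bracket strip, the `s/\]-\[/-/` rewrite and the `validate_range` / `validate_address` dispatch from `process_one_masq1` verbatim. A shared helper would keep the two IPv6 range parsers from drifting apart the next time the accepted syntax changes.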

@ -901,7 +901,7 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
reload</command> or <command>shorewall restart</command>. This may be
accomplished using the SWITCH column in <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) or <ulink
url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). Using
url="manpages/shorewall-rules.html">shorewall6-rules</ulink> (5). Using
this column requires that your kernel and iptables include
<firstterm>Condition Match Support</firstterm> and you must be running
Shorewall 4.4.24 or later. See the output of <command>shorewall show

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/init.d/shorewall-init</command>
<command>shorewall-init</command>
<arg>start|stop</arg>
</cmdsynopsis>
@ -149,7 +149,7 @@
want to make both interfaces optional and set the REQUIRE_INTERFACE option
to Yes in <ulink url="/manpages/shorewall.conf.html">shorewall.conf
</ulink>(5) or <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5). This
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink> (5). This
causes the firewall to remain stopped until at least one of the interfaces
comes up.</para>
</refsect1>

@ -155,7 +155,7 @@ loc eth2 -</programlisting>
<para>Beginning with Shorewall 4.5.17, if you specify a zone for the
'lo' interface, then that zone must be defined as type
<option>local</option> in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5).</para>
</listitem>
</varlistentry>

@ -276,7 +276,7 @@
<para>By setting the LOGTAGONLY option to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>, the
disposition ('DROP' in the above example) will be omitted. Consider the
following rule:</para>
@ -373,7 +373,7 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net
<para>Beginning with Shorewall 4.6.4, you can configure the backend using
the LOG_BACKEND option in <ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>.</para>
</refsect1>
<refsect1>

@ -35,7 +35,7 @@
in many cases, Proxy ARP (<ulink
url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
or Proxy-NDP(<ulink
url="/manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp</ulink>(5))
url="/manpages/shorewall-proxyndp.html">shorewall6-proxyndp</ulink>(5))
is a better solution that one-to-one NAT.</para>
</warning>
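Review bot: The sentence closed by the changed link still reads "is a better solution that one-to-one NAT"; "that" should be "than", and `Proxy-NDP(<ulink` is missing the space that `Proxy ARP (<ulink` has.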

@ -131,7 +131,7 @@
role="bold">BLACKLIST</emphasis>|<emphasis
role="bold">CONTINUE</emphasis>|<emphasis
role="bold">QUEUE</emphasis>|<emphasis
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]|<emphasis
role="bold">NONE</emphasis>}[<emphasis
role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
role="bold">None</emphasis>}]</term>
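Review bot: In the new syntax line the digit of the first queue number sits outside the markup, `<replaceable>queuenumber</replaceable>1`, while the second is written `<replaceable>queuenumber2</replaceable>`. Move the `1` inside the tag so both placeholders render the same way.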
@ -236,7 +236,18 @@
given queues. This is useful for multicore systems: start
multiple instances of the userspace program on queues x, x+1,
.. x+n and use "x:x+n". Packets belonging to the same
connection are put into the same nfqueue.</para>
connection are put into the same nfqueue. Beginning with
Shorewall 5.1.0, queuenumber2 may be followed by the letter
'c' to indicate that the CPU ID will be used as an index to
map packets to the queues. The idea is that you can improve
performance if there's a queue per CPU. Requires the NFQUEUE
CPU Fanout capability in your kernel and iptables.</para>
<para>Beginning with Shorewall 4.6.10, the keyword <emphasis
role="bold">bypass</emphasis> can be given. By default, if no
userspace program is listening on an NFQUEUE, then all packets
that are to be queued are dropped. When this option is used,
the NFQUEUE rule behaves like ACCEPT instead.</para>
</listitem>
</varlistentry>
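Review bot: "Beginning with Shorewall 4.6.10, the keyword bypass can be given" does not hold for the POLICY column described here: the `process_a_policy1` call to `handle_nfqueue` in this same commit drops the argument commented `Don't allow 'bypass'`, so policies rejected the keyword until this change. State the release that carries the change instead. In the added sentence `queuenumber2` is also plain text where the term above marks it up with `<replaceable>`.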

@ -545,7 +545,7 @@
the<replaceable>
ip6tables-</replaceable><replaceable>target</replaceable> as a
builtin action in <ulink
url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
<important>
<para>If you specify REJECT as the
@ -674,15 +674,15 @@
the keyword <emphasis role="bold">bypass</emphasis> can be
given. By default, if no userspace program is listening on an
NFQUEUE, then all packets that are to be queued are dropped.
When this option is used, the NFQUEUE rule is silently
bypassed instead. The packet will move on to the next rule.
Also beginning in Shorewall 4.6.10, a second queue number
(<replaceable>queuenumber2</replaceable>) may be specified.
This specifies a range of queues to use. Packets are then
balanced across the given queues. This is useful for multicore
systems: start multiple instances of the userspace program on
queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
the same connection are put into the same nfqueue.</para>
When this option is used, the NFQUEUE rule behaves like ACCEPT
instead. Also beginning in Shorewall 4.6.10, a second queue
number (<replaceable>queuenumber2</replaceable>) may be
specified. This specifies a range of queues to use. Packets
are then balanced across the given queues. This is useful for
multicore systems: start multiple instances of the userspace
program on queues x, x+1, .. x+n and use "x:x+n". Packets
belonging to the same connection are put into the same
nfqueue.</para>
<para>Beginning with Shorewall 5.1.0, queuenumber2 may be
followed by the letter 'c' to indicate that the CPU ID will be

@ -54,9 +54,7 @@
<quote>tcpflags</quote> and <quote>maclist</quote>.</para>
<para>The columns in the accounting file are described in <ulink
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink> (5)
and <ulink
url="manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
(5).</para>
<para>In all columns except ACTION and CHAIN, the values <quote>-</quote>,

@ -499,16 +499,12 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
<title>Mangle Actions</title>
<para>Beginning with Shorewall 5.0.7, actions may be used in <ulink
url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> and
<ulink
url="manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.
url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>.
Because the rules and mangle files have different column layouts,
actions can be defined to be used in one file or the other but not in
both. To designate an action to be used in the mangle file, specify the
<option>mangle</option> option in the action's entry in <ulink
url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
<ulink
url="manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
<para>To create a mangle action, follow the steps in the preceding
section, but use the

@ -46,7 +46,7 @@
<section>
<title>Git Taxonomy</title>
<para>The Shorewall Git tree at Sourceforge serves as the master
<para>The Shorewall Git tree at Gitlab serves as the master
repository for Shorewall 4.4 and later versions. It is not possible to
simply export a directory from Git and run the
<command>install.sh</command> script in that directory. A build step is
@ -56,7 +56,7 @@
<para>My local git repositories are:</para>
<section>
<title>trunk (clone of Code)</title>
<title>code (clone of Code)</title>
<para>The development branch of each product is kept here.</para>
@ -91,7 +91,7 @@
</section>
<section>
<title>trunk/docs</title>
<title>code/docs</title>
<para>The stable release XML documents. Depending on the point in the
release cycle, these documents may also apply to the current development
@ -101,7 +101,7 @@
<section>
<title>tools (Clone of Tools)</title>
<para>This is where the release and build tools are kept. There are two
<para>This is where the release and build tools are kept. There are four
subordinate directories:</para>
<variablelist>
@ -113,6 +113,24 @@
</listitem>
</varlistentry>
<variablelist>
<varlistentry>
<term>tools/files</term>
<listitem>
<para>Files that are used during the release process.</para>
</listitem>
</varlistentry>
<variablelist>
<varlistentry>
<term>tools/testing</term>
<listitem>
<para>Tools for testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>tools/web</term>
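Review bot: The two `<variablelist>` opening tags added before the `tools/files` and `tools/testing` entries have no closing tag anywhere in the hunk and sit between sibling `<varlistentry>` elements of a list that is already open. A `<variablelist>` cannot be a direct child of another, so these look like paste leftovers; remove both so the new entries are plain `<varlistentry>` children.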
@ -167,7 +185,7 @@
<title>build45, build46 and build50</title>
<para>These are the scripts that respectively build Shorewall 4.5,
Shorewall 4.6 and Shorewall 5.0 packages from Git.</para>
Shorewall 4.6 and Shorewall 5.[012] packages from Git.</para>
<para>The scripts copy content from Git using the <command>git
archive</command> command. They then use that content to build the
@ -432,7 +450,7 @@
<term><emphasis>products</emphasis></term>
<listitem>
<para>specifes the products to upload. If not given, all products
<para>specifies the products to upload. If not given, all products
are uploaded. This option is generally given only when uploading a
patch release.</para>
@ -559,12 +577,12 @@
</listitem>
<listitem>
<para>OPENWRT - OpenWRT (Shorewall-core, Shorewall6-lite ad
Shorewall6-lite only)</para>
<para>OPENWRT - OpenWRT (Shorewall-core, Shorewall-lite,
Shorewall6-lite and Shorewall-init only)</para>
</listitem>
</itemizedlist>
<para>See the <ulink url="Insall.htm">installation article</ulink> for
<para>See the <ulink url="Install.htm">installation article</ulink> for
additional information</para>
</section>
</section>

@ -45,11 +45,7 @@
</row>
<row>
<entry><ulink url="Manpages.html">IPv4 Manpages</ulink></entry>
</row>
<row>
<entry><ulink url="Manpages6.html">IPv6 Manpages</ulink></entry>
<entry><ulink url="Manpages.html">Manpages</ulink></entry>
</row>
<row>

@ -431,7 +431,7 @@ CT:helper:ftp loc - tcp 21</programlisti
<para><filename>/etc/shorewall/rules:</filename></para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting>
DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }</programlisting>
<para>That entry will accept ftp connections on port 12345 from the net
and forward them to host 192.168.1..2 and port 21 in the loc zone.</para>
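Review bot: The paragraph right after the corrected `<programlisting>` still says "host 192.168.1..2" where the rule uses `192.168.1.2`; fix the doubled dot in the same pass.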

@ -364,6 +364,12 @@ ACCEPT vpn:134.28.54.2 $FW</programlisting>
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
vpn ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting>
<para>Note that if you are using ipcomp, you should omit the mode
specification:</para>
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
vpn ipsec - <emphasis role="bold">mss=1400</emphasis></programlisting>
<para>You should also set FASTACCEPT=No in shorewall.conf to ensure that
both the SYN and SYN,ACK packets have their MSS field adjusted.</para>

@ -178,7 +178,7 @@
<para>Set KEEP_RT_TABLES=No in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and
set KEEP_RT_TABLES=Yes in <ulink
url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</itemizedlist>
@ -469,9 +469,9 @@ ACCEPT net:wlan0:&lt;2002:ce7c:92b4::3&gt; $FW tcp 22
<para>The Linux IPv6 stack does not support balancing (multi-hop)
routes. Thehe <option>balance</option> and <option>fallback</option>
options in <ulink
url="manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5)
url="manpages/shorewall-providers.html">shorewall6-providers</ulink>(5)
and USE_DEFAULT_RT=Yes in <ulink
url="manpages6/shorewall.conf.html">shorewall6.conf</ulink>(5) are
url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5) are
supported, but at most one provider can have the
<option>balance</option> option and at most one provider can have
the <option>fallback</option> option.</para>
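Review bot: "Thehe <option>balance</option>" on the line above the changed links is a typo for "The" and is left in place by this hunk; correct it while the paragraph is open.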

@ -84,7 +84,7 @@
any future ability to install the database at another location, Shorewall
supports a GEOIPDIR option in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5). The
url="manpages/shorewall.conf.html">shorewall6.conf</ulink> (5). The
default value of that option is
<filename>/usr/share/xt_geoip/LE</filename>.</para>

@ -131,9 +131,8 @@
<member><ulink url="manpages/shorewall-proxyarp.html">proxyarp</ulink>
- Define Proxy ARP (IPv4)</member>
<member><ulink
url="manpages6/shorewall-proxyndp.html">proxyndp</ulink> - Define
Proxy NDP (IPv6)</member>
<member><ulink url="manpages/shorewall-proxyndp.html">proxyndp</ulink>
- Define Proxy NDP (IPv6)</member>
<member><ulink url="manpages/shorewall-rtrules.html">rtrules</ulink> -
Define routing rules.</member>
@ -179,7 +178,7 @@
values for global Shorewall options.</member>
<member><ulink
url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink> - Specify
url="manpages/shorewall.conf.html">shorewall6.conf</ulink> - Specify
values for global Shorewall6 options.</member>
<member><ulink
@ -212,7 +211,7 @@
<simplelist>
<member><ulink url="manpages/shorewall.html">shorewall</ulink> -
/sbin/shorewall, /sbin/shorewall6/, /sbin/shorewall-lite and
/sbin/shorewall6-line command syntax and semantics.</member>
/sbin/shorewall6-lite command syntax and semantics.</member>
</simplelist>
</blockquote>
</section>
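Review bot: The corrected line fixes shorewall6-line to shorewall6-lite, but the unchanged line just above it still lists "/sbin/shorewall6/," with a stray trailing slash, which reads as a directory rather than the command. Drop the slash in the same change so the four command paths are consistent.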

View File

@ -1,182 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
<articleinfo>
<title>Shorewall6 5.0 Manpages</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2007-2014</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<warning>
<para>These manpages are for Shorewall6 5.0 and later only. They describe
features and options not available on earlier releases.The manpages for
Shorewall 4.4-4.6 are available <ulink
url="/manpages4/Manpages.html">here</ulink>.</para>
</warning>
<section id="Section5">
<title>Section 5 — Files and Concepts</title>
<blockquote>
<simplelist>
<member><ulink
url="manpages6/shorewall6-accounting.html">accounting</ulink> - Define
IP accounting rules.</member>
<member><ulink url="manpages6/shorewall6-actions.html">actions</ulink>
- Declare user-defined actions.</member>
<member><ulink url="manpages6/shorewall6-blrules.html">blrules</ulink>
- shorewall6 Blacklist file.</member>
<member><ulink
url="manpages6/shorewall6-conntrack.html">conntrack</ulink> - Specify
helpers for connections or exempt certain traffic from netfilter
connection tracking.</member>
<member><ulink
url="manpages6/shorewall6-exclusion.html">exclusion</ulink> -
Excluding hosts from a network or zone</member>
<member><ulink url="manpages6/shorewall6-hosts.html">hosts</ulink> -
Define multiple zones accessed through a single interface</member>
<member><ulink
url="manpages6/shorewall6-interfaces.html">interfaces</ulink> - Define
the interfaces on the system and optionally associate them with
zones.</member>
<member><ulink url="manpages6/shorewall6-maclist.html">maclist</ulink>
- Define MAC verification.</member>
<member><ulink url="manpages6/shorewall6-mangle.html">mangle</ulink> -
Supersedes tcrules and describes packet/connection marking.</member>
<member><ulink url="manpages6/shorewall6-masq.html">masq</ulink> -
Define Masquerade/SNAT</member>
<member><ulink url="manpages6/shorewall6-modules.html">modules</ulink>
- Specify which kernel modules to load.</member>
<member><ulink url="manpages6/shorewall6-nat.html">nat</ulink> -
(added in Shorewall 4.6.4) Specify 1:1 NAT</member>
<member><ulink url="manpages6/shorewall6-nesting.html">nesting</ulink>
- How to define nested zones.</member>
<member><ulink url="manpages6/shorewall6-params.html">params</ulink> -
Assign values to shell variables used in other files.</member>
<member><ulink url="manpages6/shorewall6-policy.html">policy</ulink> -
Define high-level policies for connections between zones.</member>
<member><ulink
url="manpages6/shorewall6-providers.html">providers</ulink> - Define
routing tables, usually for multiple Internet links.</member>
<member><ulink
url="manpages6/shorewall6-proxyndp.html">proxyndp</ulink> - Defines
Proxy NDP</member>
<member><ulink url="manpages6/shorewall6-rtrules.html">rtrules</ulink>
- Define routing rules.</member>
<member><ulink url="manpages6/shorewall6-routes.html">routes</ulink> -
(Added in Shorewall 4.4.15) Add additional routes to provider routing
tables.</member>
<member><ulink url="manpages6/shorewall6-rules.html">rules</ulink> -
Specify exceptions to policies, including DNAT and REDIRECT.</member>
<member><ulink
url="manpages6/shorewall6-secmarks.html">secmarks</ulink> - Attached
an SELinux context to a packet.</member>
<member><ulink
url="manpages6/shorewall6-stoppedrules.html">stoppedrules</ulink> -
Specify connections to be permitted when Shorewall6 is in the stopped
state (Added in Shoreall 4.5.8).</member>
<member><ulink
url="manpages6/shorewall6-tcclasses.html">tcclasses</ulink> - Define
htb classes for traffic shaping.</member>
<member><ulink
url="manpages6/shorewall6-tcdevices.html">tcdevices</ulink> - Specify
speed of devices for traffic shaping.</member>
<member><ulink
url="manpages6/shorewall6-tcinterfaces.html">tcinterfaces</ulink> -
Specify interfaces for simplified traffic shaping.</member>
<member><ulink url="manpages6/shorewall6-tcpri.html">tcpri</ulink> -
Classify traffic for simplified traffic shaping.</member>
<member><ulink url="manpages6/shorewall6-tunnels.html">tunnels</ulink>
- Define VPN connections with endpoints on the firewall.</member>
<member><ulink
url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink> - Specify
values for global Shorewall6 options.</member>
<member><ulink
url="manpages6/shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>
- Specify values for global Shorewall6 Lite options.</member>
<member><ulink url="manpages6/shorewall6-vardir.html">vardir</ulink> -
Redefine the directory where Shorewall6 keeps its state
information.</member>
<member><ulink
url="manpages6/shorewall6-lite-vardir.html">vardir-lite</ulink> -
Redefine the directory where Shorewall6 Lite keeps its state
information.</member>
<member><ulink url="manpages6/shorewall6-zones.html">zones</ulink> -
Declare Shorewall6 zones.</member>
</simplelist>
</blockquote>
</section>
<section id="Section8">
<title>Section 8 — Administrative Commands</title>
<blockquote>
<simplelist>
<member><ulink url="manpages6/shorewall6.html">shorewall6</ulink> -
/sbin/shorewall6 command syntax and semantics.</member>
<member><ulink
url="manpages6/shorewall6-lite.html">shorewall6-lite</ulink> -
/sbin/shorewall6-lite command syntax and semantics.</member>
</simplelist>
</blockquote>
</section>
</article>
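Review bot: Removing this index drops the only page listing the manpages6/ URLs, and the other hunks in this commit show how widely those URLs were referenced, including from a comment in a shipped shorewall6.conf. Configuration files already deployed and external pages will keep pointing at manpages6/, so either keep a stub here that forwards to the unified index or confirm that the web server redirects manpages6/* before the file is removed.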

View File

@ -63,8 +63,7 @@
<command>ethereal</command> or any other packet sniffing program. They can
be seen in an iptables/ip6tables trace -- see the
<command>iptrace</command> command in <ulink
url="manpages/shorewall.html">shorewall</ulink>(8) and <ulink
url="manpages6/shorewall6.html">shorewall6</ulink>(8).</para>
url="manpages/shorewall.html">shorewall</ulink>(8).</para>
<para>Example (output has been folded for display ):</para>
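Review bot: Dropping the shorewall6(8) reference in this sentence is inconsistent with the rest of the merge, where the shorewall6 link text is kept and only its url is repointed to the unified page. The sentence still mentions an ip6tables trace, so an IPv6 reader is no longer told where iptrace is documented. Either keep "and shorewall6(8)" linked to manpages/shorewall.html or state that shorewall(8) covers both products.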

View File

@ -311,7 +311,7 @@ shorewall start</programlisting>
<itemizedlist>
<listitem>
<para>The configuration file is /etc/shorewall6/proxyndp (see <ulink
url="manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp
url="manpages/shorewall-proxyndp.html">shorewall6-proxyndp
</ulink>(5)).</para>
</listitem>

View File

@ -348,7 +348,7 @@ ZONE_BITS=0
# For information about the settings in this file, type "man shorewall6.conf"
#
# Manpage also online at
# http://www.shorewall.org/manpages6/shorewall6.conf.html
# http://www.shorewall.org/manpages/shorewall.conf.html
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
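Review bot: The comment two lines above the changed URL still says to type "man shorewall6.conf", while the URL now names shorewall.conf.html. If the shorewall6.conf manpage was folded into shorewall.conf(5), as the URL change implies, update the man hint in the same hunk; if it is still installed under the old name, note that in the commit message so the mismatch reads as intentional.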

0
docs/images/Network2013.dia Executable file → Normal file
View File

0
docs/images/Network2013.png Executable file → Normal file
View File

0
docs/images/Network2015.dia Executable file → Normal file
View File

0
docs/images/Network2015.png Executable file → Normal file
View File

0
docs/images/Xen4a.png Executable file → Normal file
View File

0
docs/images/Xen4a.vdx Executable file → Normal file
View File

0
docs/images/network4a.png Executable file → Normal file
View File

0
docs/images/network4a.vdx Executable file → Normal file
View File

View File

@ -28,6 +28,8 @@
<year>2017</year>
<year>2019</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -182,7 +184,7 @@ ACCEPT net:+sshok $FW tcp 22</programlisting></para>
together with the ipsets supporting dynamic zones are saved. Shorewall6
support for the SAVE_IPSETS option was also added in 4.6.4. When
SAVE_IPSETS=Yes in <ulink
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, only ipv6
url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>, only ipv6
ipsets are saved. For Shorewall, if SAVE_IPSETS=ipv4 in <ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then only
ipv4 ipsets are saved. Both features require ipset version 5 or
@ -201,9 +203,9 @@ ACCEPT net:+sshok $FW tcp 22</programlisting></para>
<para>Ipset support in Shorewall6 was added in Shorewall 4.4.21.</para>
<para>Beginning with Shorewall 4.6.4, SAVE_IPSETS is available in <ulink
url="manpages6/shorewall6.conf.html">shorewall6-conf(5)</ulink>. When set
to Yes, the ipv6 ipsets will be saved. You can also save selective ipsets
by setting SAVE_IPSETS to a comma-separated list of ipset names.</para>
url="manpages/shorewall.conf.html">shorewall6-conf(5)</ulink>. When set to
Yes, the ipv6 ipsets will be saved. You can also save selective ipsets by
setting SAVE_IPSETS to a comma-separated list of ipset names.</para>
<para>Prior to Shorewall 4.6.4, SAVE_IPSETS=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> won't work
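Review bot: The repointed link keeps the text "shorewall6-conf(5)", with a hyphen where the other references in this file use shorewall6.conf(5); fix the link text while the line is being rewritten. The re-wrapping of the two lines that follow adds diff noise without changing the wording, so keeping the original line breaks would make the url change easier to review.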
@ -221,7 +223,7 @@ ACCEPT net:+sshok $FW tcp 22</programlisting></para>
<para>If you configure SAVE_IPSETS in <ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and/or <ulink
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> then do
not set SAVE_IPSETS in shorewall-init.</para>
url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> then do not
set SAVE_IPSETS in shorewall-init.</para>
</section>
</article>

View File

@ -431,7 +431,7 @@ sync=1</programlisting>
<para>Beginning with Shorewall 4.6.4, you can configure the backend using
the LOG_BACKEND option in <ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>.</para>
</section>
<section id="Syslog-ng">
@ -477,7 +477,7 @@ sync=1</programlisting>
<para>By setting the LOGTAGONLY option to Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>, the
disposition ('DROP' in the above example) will be omitted. Consider the
following rule:</para>
@ -511,7 +511,7 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net
<para><ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> have a
url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> have a
number of options whose values are log levels. Beginning with Shorewall
5.0.0, these specifcations may include a log tag as described <link
linkend="LogTags">above</link>.</para>
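Review bot: The context line after the changed url still contains "specifcations"; correct it to "specifications", since this paragraph is already being edited.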

View File

@ -1049,7 +1049,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
<listitem>
<para>Set TC_ENABLED=Shared in <ulink
url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
url="manpages/shorewall.conf.html">shorewall6.conf</ulink>
(5).</para>
</listitem>

View File

@ -771,7 +771,7 @@
<para>If your <ulink
url="manpages/shorewall-params.html">/etc/shorewall/params</ulink> (or
<ulink
url="manpages6/shorewall6-params.html">/etc/shorewall6/params</ulink>)
url="manpages/shorewall-params.html">/etc/shorewall6/params</ulink>)
file sends output to Standard Output, you need to be aware that the
output will be redirected to Standard Error beginning with Shorewall
4.4.16.</para>
@ -782,7 +782,7 @@
deprecated. With EXPORTPARAMS=No, the variables set by <ulink
url="manpages/shorewall-params.html">/etc/shorewall/params</ulink>
(<ulink
url="manpages6/shorewall6-params.html">/etc/shorewall6/params</ulink>)
url="manpages/shorewall-params.html">/etc/shorewall6/params</ulink>)
at compile time are now available in the compiled firewall
script.</para>
</listitem>