diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000..6977c13d4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*targetname
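Review bot: the pattern `*targetname` is an unanchored glob, so it ignores any file whose name merely ends in "targetname" anywhere in the tree; if this is meant for one specific build artefact, use its exact name (or a directory-anchored path) and add a comment saying which tool produces it.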
diff --git a/Shorewall-core/manpages/shorewall.xml b/Shorewall-core/manpages/shorewall.xml
index 9419b5c7f..012d06b55 100644
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -1141,7 +1141,7 @@
setting in shorewall.conf(5)
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
When no verbosity is specified,
each instance of this option causes 1 to be added to the effective
@@ -1162,7 +1162,7 @@
setting in shorewall.conf(5)
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
Each instance of this option causes 1 to be subtracted from
the effective verbosity.
@@ -1199,7 +1199,7 @@
defined in the shorewall-interfaces(5)
(shorewall6-interfaces(5))file.
+ url="/manpages/shorewall-interfaces.html">shorewall6-interfaces(5))file.
A host-list is comma-separated list whose
elements are host or network addresses.The add command is not very robust. If
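Review bot: the new line keeps the missing space in "shorewall6-interfaces(5))file." inherited from the old text; while this line is being rewritten, insert the space so the rendered manpage reads "(5)) file."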
@@ -1214,7 +1214,7 @@
Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall-zones(5),shorewall6-zones(5)) allows a single ipset to
+ url="/manpages/shorewall-zones.html">shorewall6-zones(5)) allows a single ipset to
handle entries for multiple interfaces. When that option is
specified for a zone, the add command has the
alternative syntax in which the zone name
@@ -1332,7 +1332,7 @@
set to Yes in shorewall.conf(5)
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
@@ -1440,7 +1440,7 @@
set to Yes in shorewall.conf(5)
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
@@ -1458,7 +1458,7 @@
defined in the shorewall-interfaces(5)
(shorewall6-interfaces(5)
+ url="/manpages/shorewall-interfaces.html">shorewall6-interfaces(5)
file. A host-list is comma-separated list whose
elements are a host or network address.
@@ -1466,7 +1466,7 @@
role="bold">dynamic_shared zone option (shorewall-zones(5),
shorewall6-zones(5))
+ url="/manpages/shorewall-zones.html">shorewall6-zones(5))
allows a single ipset to handle entries for multiple interfaces.
When that option is specified for a zone, the
delete command has the alternative syntax in
@@ -1493,7 +1493,7 @@
command removes any routes added from shorewall-routes(5)
(shorewall6-routes(5))and
+ url="/manpages/shorewall-routes.html">shorewall6-routes(5))and
any traffic shaping configuration for the interface.
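Review bot: the replacement line still runs the closing parenthesis into the next word, "shorewall6-routes(5))and"; add the space while the line is being touched.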
@@ -1554,7 +1554,7 @@
adds any route specified in shorewall-routes(5)
(shorewall6-routes(5))
+ url="/manpages/shorewall-routes.html">shorewall6-routes(5))
and installs the interface's traffic shaping configuration, if
any.
@@ -1599,7 +1599,7 @@
given then the file specified by RESTOREFILE in shorewall.conf(5)
(shorewall6.conf(5)) is
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)) is
assumed.
@@ -1684,7 +1684,7 @@
specified by the BLACKLIST_LOGLEVEL setting in shorewall.conf (5)
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
This command requires that the firewall be in the started state and
that DYNAMIC_BLACKLIST=Yes in shorewall.conf
@@ -1700,7 +1700,7 @@
Monitors the log file specified by the LOGFILE option in
shorewall.conf(5)
(shorewall6.conf(5))
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5))
and produces an audible alarm when new Shorewall messages are
logged. The -m option causes the
MAC address of each packet source to be displayed if that
@@ -1723,7 +1723,7 @@
specified by the BLACKLIST_LOGLEVEL setting in shorewall.conf (5),
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
This command requires that the firewall be in the started state and
that DYNAMIC_BLACKLIST=Yes in shorewall.conf
@@ -1878,13 +1878,13 @@
INLINE_MATCHES is set to Yes in shorewall.conf(5)
(shorewall6.conf(5))..
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5))..
The option was added in Shorewall
4.6.5 and is only meaningful when AUTOMAKE=Yes in shorewall.conf(5)
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
If an existing firewall script is used and if that script was
the one that generated the current running configuration, then
the running netfilter configuration will be reloaded as is so
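Review bot: the first replacement line in this hunk ends with a double period, "shorewall6.conf(5)).."; drop one of them while the line is being rewritten.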
@@ -2006,7 +2006,7 @@
system is omitted, then the FIREWALL
option setting in shorewall.conf(5) (shorewall6.conf(5)) is
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)) is
assumed. In that case, if you want to specify a
directory, then the
option must be given.
@@ -2071,8 +2071,8 @@
Beginning with Shorewall 5.0.13, if
system is omitted, then the FIREWALL
option setting in shorewall6.conf(5) (shorewall6.conf(5)) is
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5) (shorewall6.conf(5)) is
assumed. In that case, if you want to specify a
directory, then the
option must be given.
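Review bot: the replacement line still reads "shorewall6.conf(5) (shorewall6.conf(5))", naming the IPv6 manpage twice; the first mention should be shorewall.conf(5), as in the otherwise identical paragraph in the @@ -2006 hunk above.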
@@ -2104,7 +2104,7 @@
set to Yes in shorewall.conf(5)
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
@@ -2144,8 +2144,8 @@
Beginning with Shorewall 5.0.13, if
system is omitted, then the FIREWALL
option setting in shorewall6.conf(5) (shorewall6.conf(5)) is
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5) (shorewall6.conf(5)) is
assumed. In that case, if you want to specify a
directory, then the
option must be given.
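Review bot: same duplicated reference as the @@ -2071 hunk: "shorewall6.conf(5) (shorewall6.conf(5))" should read "shorewall.conf(5) (shorewall6.conf(5))", matching the @@ -2006 paragraph.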
@@ -2177,7 +2177,7 @@
set to Yes in shorewall.conf(5)
(shorewall6.conf(5).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5).
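Review bot: the replacement line is missing the closing parenthesis of the parenthetical, "(shorewall6.conf(5)."; every sibling hunk in this file ends the phrase with "(5))." so this one should too.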
@@ -2304,7 +2304,7 @@
restored from the file specified by the RESTOREFILE option in shorewall.conf(5)
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
If your iptables ruleset depends on variables that are
@@ -2460,7 +2460,7 @@
in the file specified by the RESTOREFILE option in shorewall.conf(5)
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
The option, added in Shorewall 4.6.5,
causes the iptables packet and byte counters to be saved along with
@@ -2477,7 +2477,7 @@
the SAVE_IPSETS option in shorewall.conf (5)
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
This command may be used to proactively save your ipset contents in
the event that a system failure occurs prior to issuing a
stop command.
@@ -2645,7 +2645,7 @@
accounting counters (shorewall-accounting
(5), shorewall6-accounting(5)).
+ url="/manpages/shorewall-accounting.html">shorewall6-accounting(5)).
@@ -2669,7 +2669,7 @@
file specified by the LOGFILE option in shorewall.conf(5)
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
The -m option causes the MAC
address of each packet source to be displayed if that
information is available.
@@ -2851,7 +2851,7 @@
in shorewall.conf(5)
(shorewall6.conf(5))
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5))
will be restored if that saved configuration exists and has
been modified more recently than the files in
/etc/shorewall. When -f is
@@ -2862,7 +2862,7 @@
option was added to shorewall.conf(5)
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
When LEGACY_FASTSTART=No, the modification times of files in
/etc/shorewall are compared with that of
/var/lib/shorewall/firewall (the compiled script that last
@@ -2881,7 +2881,7 @@
overriding the AUTOMAKE setting in shorewall.conf(5)
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
When both and are
present, the result is determined by the option that appears
last.
@@ -2897,7 +2897,7 @@
INLINE_MATCHES is set to Yes in shorewall.conf(5)
(shorewall6.conf(5)).
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5)).
The option was added in Shorewall
4.6.5 and is only meaningful when the
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index d5920a482..71c775583 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -536,6 +536,9 @@ our $ipset_rules;
#
use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
+#
+# Chain optimization flags
+#
use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 };
our %dscpmap = ( CS0 => 0x00,
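Review bot: the new comment names these as flags, so `RETURNS_DONT_MOVE => 12` would be clearer written as the combination it is, `RETURNS | DONT_MOVE`, which also keeps it correct if the bit values are ever renumbered; a one-line note that the values are bit flags intended to be OR-ed together would complete the comment.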
@@ -1422,7 +1425,7 @@ sub compatible( $$ ) {
}
}
#
- # Don't combine chains where each specifies
+ # Don't combine rules where each specifies
# -m policy and the policies are different
# or when one specifies
# -m multiport
@@ -4991,10 +4994,10 @@ sub do_proto( $$$;$ )
$invert = $sports =~ s/^!// ? '! ' : '';
- if ( $ports =~ /^\+/ ) {
+ if ( $sports =~ /^\+/ ) {
$output .= $invert;
$output .= '-m set ';
- $output .= get_set_flags( $ports, 'src' );
+ $output .= get_set_flags( $sports, 'src' );
} elsif ( $multiport ) {
if ( port_count( $sports ) > 15 ) {
if ( $restricted ) {
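Review bot: the `$ports` to `$sports` correction is a real bug fix: before it, a rule whose SOURCE PORT(S) column named an ipset (`+setname`) was tested against the DEST PORT(S) value and emitted `-m set` flags for the wrong column. Please add a regression test that compiles a rule with an ipset in the source-port column, both plain and with the `!` inversion, since `$invert` is computed from `$sports` two lines above and has to line up with the set flags.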
@@ -5207,8 +5210,8 @@ sub do_iproto( $$$ )
fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
$invert = $sports =~ s/^!// ? '! ' : '';
- if ( $ports =~ /^\+/ ) {
- push @output, set => ${invert} . get_set_flags( $ports, 'src' );
+ if ( $sports =~ /^\+/ ) {
+ push @output, set => ${invert} . get_set_flags( $sports, 'src' );
} elsif ( $multiport ) {
if ( port_count( $sports ) > 15 ) {
if ( $restricted ) {
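Review bot: this is the same `$ports`/`$sports` mix-up as in do_proto above, duplicated in do_iproto; since the two functions carry identical source-port logic, the regression test for do_proto should be run against do_iproto as well, and a shared helper for the `+set` branch would prevent the two copies from drifting apart again.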
@@ -7667,11 +7670,13 @@ sub isolate_source_interface( $ ) {
) {
$iiface = $1;
$inets = $2;
+ $inets =~ s/\]-\[/-/;
} elsif ( $source =~ /:/ ) {
if ( $source =~ /^\[(?:.+),\[(?:.+)\]$/ ){
$inets = $source;
} elsif ( $source =~ /^\[(.+)\]$/ ) {
$inets = $1;
+ $inets =~ s/\]-\[/-/;
} else {
$inets = $source;
}
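Review bot: `s/\]-\[/-/` has no `/g` flag, so only the first `]-[` in `$inets` is rewritten; if `$inets` can carry a comma-separated list containing more than one bracketed range, the second range is left as `[a]-[b]` and falls through to the later address validation with a less helpful error. Either add `/g` or add a comment stating that a single range is the only supported form here. The same substitution appears in four other places in this patch (the dest-interface branches below, Nat.pm and Rules.pm); a small named helper would keep the accepted syntax in one spot.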
@@ -7789,6 +7794,7 @@ sub isolate_dest_interface( $$$$ ) {
if ( $dest =~ /^(.+?):(\[(?:.+),\[(?:.+)\])$/ ) {
$diface = $1;
$dnets = $2;
+ $dnets =~ s/\]-\[/-/;
} elsif ( $dest =~ /^(.+?):\[(.+)\]\s*$/ ||
$dest =~ /^(.+?):(!?\+.+)$/ ||
$dest =~ /^(.+?):(!?[&%].+)$/ ||
@@ -7801,6 +7807,7 @@ sub isolate_dest_interface( $$$$ ) {
$dnets = $dest;
} elsif ( $dest =~ /^\[(.+)\]$/ ) {
$dnets = $1;
+ $dnets =~ s/\]-\[/-/;
} else {
$dnets = $dest;
}
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 03f0bc9ee..40d8d654a 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -5441,6 +5441,7 @@ sub update_config_file( $ ) {
update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} );
update_default( 'LOGFORMAT', 'Shorewall:%s:%s:' );
update_default( 'LOGLIMIT', '' );
+ update_default( 'AUTOMAKE', 'No' );
if ( $family == F_IPV4 ) {
update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 6cfc1fae8..069897a3d 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -316,9 +316,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
$addr = $1;
+ $addr =~ s/\]-\[/-/;
if ( $addr =~ /^(.+)-(.+)$/ ) {
- fatal_error "Correct address range syntax is '[-]'" if $addr =~ /]-\[/;
validate_range( $1, $2 );
} else {
validate_address $addr, 0;
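Review bot: removing the fatal_error turns the previously rejected `[addr1]-[addr2]` spelling into an accepted one by normalising it to `addr1-addr2` before the range check; that is a user-visible syntax change and should be mentioned in the release notes and in the masq/snat manpages, which currently document only one form. Also confirm that the normalisation runs before, not after, any code that still looks for the old form elsewhere in this function.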
@@ -930,7 +930,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
if ( $server =~ /^\[(.+)\]$/ ) {
$server = $1;
- fatal_error "Correct address range syntax is '[-]'" if $server =~ /]-\[/;
+ $server =~ s/\]-\[/-/;
assert( $server =~ /^(.+)-(.+)$/ );
( $addr1, $addr2 ) = ( $1, $2 );
}
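Review bot: after the normalisation, the only remaining guard is `assert( $server =~ /^(.+)-(.+)$/ )`, so a bracketed server value that is not a range now surfaces as an internal assertion failure instead of the fatal_error (with a syntax hint) that this hunk deletes. Replace the assert with a `fatal_error "Invalid address range ($server)"` so a configuration mistake produces a user-facing message rather than a compiler assertion.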
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 7499b692c..bacb1da63 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -611,8 +611,8 @@ sub process_policy_actions( $$$ ) {
#
# Verify an NFQUEUE specification and return the appropriate ip[6]tables target
#
-sub handle_nfqueue( $$ ) {
- my ($params, $allow_bypass ) = @_;
+sub handle_nfqueue( $ ) {
+ my ($params) = @_;
my ( $action, $bypass, $fanout );
my ( $queue1, $queue2, $queuenum1, $queuenum2 );
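Review bot: tightening the prototype from `($$)` to `($)` makes any remaining two-argument caller a compile-time error under Perl prototype checking; this patch updates the two callers in process_a_policy1 and process_rule, so a grep across the Perl modules for `handle_nfqueue(` should confirm there is no third one.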
@@ -625,7 +625,6 @@ sub handle_nfqueue( $$ ) {
if ( supplied $queue ) {
if ( $queue eq 'bypass' ) {
- fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
return 'NFQUEUE --queue-bypass';
}
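Review bot: dropping the "'bypass' is not allowed in this context" check means `bypass` is now accepted on an NFQUEUE policy, not only on rules. Because `--queue-bypass` makes the rule behave like ACCEPT when no userspace program is listening (as the policy manpage hunk in this patch states), a policy written with `bypass` fails open for every connection the policy covers if the queue handler is not running. That is the intended semantics, but the policy manpage text should say so explicitly, since a policy is the catch-all for traffic no rule matched.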
@@ -653,7 +652,6 @@ sub handle_nfqueue( $$ ) {
if ( supplied $bypass ) {
fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
- fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
$bypass =' --queue-bypass';
} else {
@@ -721,7 +719,13 @@ sub process_a_policy1($$$$$$$) {
require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
- my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+ my ( $policy, $pactions );
+
+ if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
+ ( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
+ } else {
+ ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+ }
fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
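Review bot: in `(?::?(.*))` the colon is optional while the group itself is mandatory, so `NFQUEUE(1)garbage` parses successfully with `$pactions` set to "garbage" instead of being rejected, and an entry with no suffix leaves `$pactions` as an empty string rather than undef, unlike the `split( /:/, ..., 2 )` branch. `(?::(.*))?$` requires the colon, anchors the end, and leaves `$pactions` undefined when absent, so both branches hand process_policy_actions the same shape of value.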
@@ -736,9 +740,7 @@ sub process_a_policy1($$$$$$$) {
my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
if ( defined $queue ) {
- $policy = handle_nfqueue( $queue,
- 0 # Don't allow 'bypass'
- );
+ $policy = handle_nfqueue( $queue );
} elsif ( $policy eq 'NONE' ) {
fatal_error "NONE policy not allowed with \"all\""
if $clientwild || $serverwild;
@@ -1604,8 +1606,8 @@ sub merge_levels ($$) {
return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
- my @supparts = split /:/, $superior;
- my @subparts = split /:/, $subordinate;
+ my @supparts = split_list2( $superior , 'Action' );
+ my @subparts = split_list2( $subordinate , 'Action' );
my $subparts = @subparts;
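Review bot: the switch from `split /:/` to `split_list2( ..., 'Action' )` is presumably so that the colon inside `NFQUEUE(queuenumber1:queuenumber2)` is no longer treated as a level separator; a one-line comment saying so would explain the change to the next reader, and a merge_levels test with such an action on each side would lock the behaviour in.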
@@ -2698,9 +2700,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
$macro_nest_level--;
goto EXIT;
} elsif ( $actiontype & NFQ ) {
- $action = handle_nfqueue( $param,
- 1 # Allow 'bypass'
- );
+ $action = handle_nfqueue( $param );
} elsif ( $actiontype & SET ) {
require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
fatal_error "$action rules require a set name parameter" unless $param;
@@ -5767,9 +5767,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
$addr = $1;
+ $addr =~ s/\]-\[/-/;
if ( $addr =~ /^(.+)-(.+)$/ ) {
- fatal_error "Correct address range syntax is '[-]'" if $addr =~ /]-\[/;
validate_range( $1, $2 );
} else {
validate_address $addr, 0;
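Review bot: this is the third copy of the same `s/\]-\[/-/` plus range-validation sequence in the patch (process_one_masq1 in Nat.pm, handle_nat_rule in Nat.pm, and here in process_snat1), and the fatal_error being removed is identical in each; factoring the normalisation and validation into one helper in Nat.pm or Chains.pm would ensure the accepted range syntax cannot diverge between masq and snat handling.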
diff --git a/Shorewall/manpages/shorewall-files.xml b/Shorewall/manpages/shorewall-files.xml
index 2a8ecb380..9905ab4c2 100644
--- a/Shorewall/manpages/shorewall-files.xml
+++ b/Shorewall/manpages/shorewall-files.xml
@@ -901,7 +901,7 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 } or shorewall restart. This may be
accomplished using the SWITCH column in shorewall-rules (5) or shorewall6-rules (5). Using
+ url="manpages/shorewall-rules.html">shorewall6-rules (5). Using
this column requires that your kernel and iptables include
Condition Match Support and you must be running
Shorewall 4.4.24 or later. See the output of shorewall show
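Review bot: the new link uses a relative `url="manpages/shorewall-rules.html"` while the shorewall.xml hunks in this patch use the absolute `url="/manpages/..."`; pick one convention for the manpage sources, since the relative form only resolves correctly when the rendered page sits in the site root.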
diff --git a/Shorewall/manpages/shorewall-init.xml b/Shorewall/manpages/shorewall-init.xml
index b1ef500d2..5c1139ef0 100644
--- a/Shorewall/manpages/shorewall-init.xml
+++ b/Shorewall/manpages/shorewall-init.xml
@@ -18,7 +18,7 @@
- /etc/init.d/shorewall-init
+ shorewall-initstart|stop
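Review bot: in the replacement synopsis line the command name and its arguments appear to run together as "shorewall-initstart|stop"; check the rendered manpage to confirm the markup separates "shorewall-init" from "start|stop", and that the optional-argument syntax of the old `/etc/init.d/shorewall-init` line is preserved.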
@@ -149,7 +149,7 @@
want to make both interfaces optional and set the REQUIRE_INTERFACE option
to Yes in shorewall.conf
(5) or shorewall6.conf (5). This
+ url="/manpages/shorewall.conf.html">shorewall6.conf (5). This
causes the firewall to remain stopped until at least one of the interfaces
comes up.
diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml
index 729ef53d7..982805de4 100644
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -155,7 +155,7 @@ loc eth2 -
Beginning with Shorewall 4.5.17, if you specify a zone for the
'lo' interface, then that zone must be defined as type
in shorewall6-zones(5).
+ url="/manpages/shorewall-zones.html">shorewall6-zones(5).
diff --git a/Shorewall/manpages/shorewall-logging.xml b/Shorewall/manpages/shorewall-logging.xml
index 576363869..f76dfe6eb 100644
--- a/Shorewall/manpages/shorewall-logging.xml
+++ b/Shorewall/manpages/shorewall-logging.xml
@@ -276,7 +276,7 @@
By setting the LOGTAGONLY option to Yes in shorewall.conf(5) or shorewall6.conf(5), the
+ url="/manpages/shorewall.conf.html">shorewall6.conf(5), the
disposition ('DROP' in the above example) will be omitted. Consider the
following rule:
@@ -373,7 +373,7 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net
Beginning with Shorewall 4.6.4, you can configure the backend using
the LOG_BACKEND option in shorewall.conf(5) and shorewall6.conf(5).
+ url="manpages/shorewall.conf.html">shorewall6.conf(5).
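Review bot: this hunk uses `url="manpages/shorewall.conf.html"` while the @@ -276 hunk in the same file uses `url="/manpages/shorewall.conf.html"`; the two links in one document should use the same path form, or one of them will break depending on where the rendered page is served from.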
diff --git a/Shorewall/manpages/shorewall-nat.xml b/Shorewall/manpages/shorewall-nat.xml
index 9b63a40ab..68fbaf4c2 100644
--- a/Shorewall/manpages/shorewall-nat.xml
+++ b/Shorewall/manpages/shorewall-nat.xml
@@ -35,7 +35,7 @@
in many cases, Proxy ARP (shorewall-proxyarp(5))
or Proxy-NDP(shorewall6-proxyndp(5))
+ url="/manpages/shorewall-proxyndp.html">shorewall6-proxyndp(5))
is a better solution that one-to-one NAT.
diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml
index 6012c4508..cc4e362a4 100644
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -131,7 +131,7 @@
role="bold">BLACKLIST|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2])]|NFQUEUE[([queuenumber1[:queuenumber2[c]][,bypass]]|bypass)]|NONE}[:{[+]policy-action[:level][,...]|None}]
@@ -236,7 +236,18 @@
given queues. This is useful for multicore systems: start
multiple instances of the userspace program on queues x, x+1,
.. x+n and use "x:x+n". Packets belonging to the same
- connection are put into the same nfqueue.
+ connection are put into the same nfqueue. Beginning with
+ Shorewall 5.1.0, queuenumber2 may be followed by the letter
+ 'c' to indicate that the CPU ID will be used as an index to
+ map packets to the queues. The idea is that you can improve
+ performance if there's a queue per CPU. Requires the NFQUEUE
+ CPU Fanout capability in your kernel and iptables.
+
+ Beginning with Shorewall 4.6.10, the keyword bypass can be given. By default, if no
+ userspace program is listening on an NFQUEUE, then all packets
+ that are to be queued are dropped. When this option is used,
+ the NFQUEUE rule behaves like ACCEPT instead.
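Review bot: the new paragraph on `bypass` should spell out the consequence for a policy entry: when the userspace program is absent the policy accepts rather than drops, so the firewall fails open for every zone pair the policy governs. A sentence recommending that `bypass` on a policy be combined with monitoring of the queue handler would make the trade-off clear to administrators reading only this manpage.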
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 9c89a635e..4281e6f66 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -545,7 +545,7 @@
the
ip6tables-target as a
builtin action in shorewall-actions(5).
+ url="/manpages/shorewall-actions.html">shorewall-actions(5).
If you specify REJECT as the
@@ -674,15 +674,15 @@
the keyword bypass can be
given. By default, if no userspace program is listening on an
NFQUEUE, then all packets that are to be queued are dropped.
- When this option is used, the NFQUEUE rule is silently
- bypassed instead. The packet will move on to the next rule.
- Also beginning in Shorewall 4.6.10, a second queue number
- (queuenumber2) may be specified.
- This specifies a range of queues to use. Packets are then
- balanced across the given queues. This is useful for multicore
- systems: start multiple instances of the userspace program on
- queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
- the same connection are put into the same nfqueue.
+ When this option is used, the NFQUEUE rule behaves like ACCEPT
+ instead. Also beginning in Shorewall 4.6.10, a second queue
+ number (queuenumber2) may be
+ specified. This specifies a range of queues to use. Packets
+ are then balanced across the given queues. This is useful for
+ multicore systems: start multiple instances of the userspace
+ program on queues x, x+1, .. x+n and use "x:x+n". Packets
+ belonging to the same connection are put into the same
+ nfqueue.
Beginning with Shorewall 5.1.0, queuenumber2 may be
followed by the letter 'c' to indicate that the CPU ID will be
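Review bot: the rewording from "silently bypassed ... move on to the next rule" to "behaves like ACCEPT instead" is a correction, not just a reflow: it now matches the iptables-extensions description of `--queue-bypass`, under which the packet is accepted in this chain and continues to the next table rather than to the next rule. Worth noting in the commit message that the previous text misdescribed the behaviour.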
diff --git a/docs/Accounting.xml b/docs/Accounting.xml
index 6e3663547..62635fabc 100644
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@@ -54,9 +54,7 @@
tcpflags and maclist.The columns in the accounting file are described in shorewall-accounting (5)
- and shorewall6-accounting
+ url="manpages/shorewall-accounting.html">shorewall-accounting
(5).In all columns except ACTION and CHAIN, the values -,
diff --git a/docs/Actions.xml b/docs/Actions.xml
index c591be9df..6763960ba 100644
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -499,16 +499,12 @@ REDIRECT net - tcp 80 - 1.2.3.4
Mangle ActionsBeginning with Shorewall 5.0.7, actions may be used in shorewall-mangle(5) and
- shorewall6-mangle(5).
+ url="manpages/shorewall-mangle.html">shorewall-mangle(5).
Because the rules and mangle files have different column layouts,
actions can be defined to be used in one file or the other but not in
both. To designate an action to be used in the mangle file, specify the
option in the action's entry in shorewall-actions(5) or
- shorewall6-actions(5).
+ url="manpages/shorewall-actions.html">shorewall-actions(5).To create a mangle action, follow the steps in the preceding
section, but use the
diff --git a/docs/Build.xml b/docs/Build.xml
index d8a6a2fb7..a8019e438 100644
--- a/docs/Build.xml
+++ b/docs/Build.xml
@@ -46,7 +46,7 @@
Git Taxonomy
- The Shorewall Git tree at Sourceforge serves as the master
+ The Shorewall Git tree at Gitlab serves as the master
repository for Shorewall 4.4 and later versions. It is not possible to
simply export a directory from Git and run the
install.sh script in that directory. A build step is
@@ -56,7 +56,7 @@
My local git repositories are:
- trunk (clone of Code)
+ code (clone of Code)The development branch of each product is kept here.
@@ -91,7 +91,7 @@
- trunk/docs
+ code/docsThe stable release XML documents. Depending on the point in the
release cycle, these documents may also apply to the current development
@@ -101,7 +101,7 @@
tools (Clone of Tools)
- This is where the release and build tools are kept. There are two
+ This is where the release and build tools are kept. There are four
subordinate directories:
@@ -113,6 +113,24 @@
+
+
+ tools/files
+
+
+ Files that are used during the release process.
+
+
+
+
+
+ tools/testing
+
+
+ Tools for testing.
+
+
+
tools/web
@@ -167,7 +185,7 @@
build45, build46 and build50These are the scripts that respectively build Shorewall 4.5,
- Shorewall 4.6 and Shorewall 5.0 packages from Git.
+ Shorewall 4.6 and Shorewall 5.[012] packages from Git.The scripts copy content from Git using the git
archive command. They then use that content to build the
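Review bot: "Shorewall 5.[012]" is shell glob notation inside running prose; write it out as "Shorewall 5.0, 5.1 and 5.2" so readers of the rendered document do not have to decode a bracket expression.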
@@ -432,7 +450,7 @@
products
- specifes the products to upload. If not given, all products
+ specifies the products to upload. If not given, all products
are uploaded. This option is generally given only when uploading a
patch release.
@@ -559,12 +577,12 @@
- OPENWRT - OpenWRT (Shorewall-core, Shorewall6-lite ad
- Shorewall6-lite only)
+ OPENWRT - OpenWRT (Shorewall-core, Shorewall-lite,
+ Shorewall6-lite and Shorewall-init only)
- See the installation article for
+ See the installation article for
additional information
diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml
index afc5cc522..e3f2845d3 100644
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -45,11 +45,7 @@
- IPv4 Manpages
-
-
-
- IPv6 Manpages
+ Manpages
diff --git a/docs/FTP.xml b/docs/FTP.xml
index d2c13d953..55b16eb1e 100644
--- a/docs/FTP.xml
+++ b/docs/FTP.xml
@@ -431,7 +431,7 @@ CT:helper:ftp loc - tcp 21/etc/shorewall/rules:#ACTION SOURCE DEST PROTO DPORT
-DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the
+DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }
That entry will accept ftp connections on port 12345 from the net
and forward them to host 192.168.1..2 and port 21 in the loc zone.
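Review bot: the unchanged context line just below the fix still carries the double-dot typo "192.168.1..2"; since the rule itself says 192.168.1.2, correct the prose in the same hunk rather than leaving the example inconsistent with its explanation.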
diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml
index 301c508f5..0d0902483 100644
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -364,6 +364,12 @@ ACCEPT vpn:134.28.54.2 $FW
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
vpn ipsec mode=tunnel mss=1400
+ Note that if you are using ipcomp, you should omit the mode
+ specification:
+
+ #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
+vpn ipsec - mss=1400
+
You should also set FASTACCEPT=No in shorewall.conf to ensure that
both the SYN and SYN,ACK packets have their MSS field adjusted.
diff --git a/docs/IPv6Support.xml b/docs/IPv6Support.xml
index 61a437eca..1bb237d73 100644
--- a/docs/IPv6Support.xml
+++ b/docs/IPv6Support.xml
@@ -178,7 +178,7 @@
Set KEEP_RT_TABLES=No in shorewall.conf(5) and
set KEEP_RT_TABLES=Yes in shorewall6.conf(5).
+ url="manpages/shorewall.conf.html">shorewall6.conf(5).
@@ -469,9 +469,9 @@ ACCEPT net:wlan0:<2002:ce7c:92b4::3> $FW tcp 22
The Linux IPv6 stack does not support balancing (multi-hop)
routes. Thehe and
options in shorewall6-providers(5)
+ url="manpages/shorewall-providers.html">shorewall6-providers(5)
and USE_DEFAULT_RT=Yes in shorewall6.conf(5) are
+ url="manpages/shorewall.conf.html">shorewall6.conf(5) are
supported, but at most one provider can have the
option and at most one provider can have
the option.
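Review bot: the context line "Thehe and options in shorewall6-providers(5)" contains the typo "Thehe"; as this paragraph is already being edited for the link change, fix it here.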
diff --git a/docs/ISO-3661.xml b/docs/ISO-3661.xml
index 5aaad88da..4f7bcfdfd 100644
--- a/docs/ISO-3661.xml
+++ b/docs/ISO-3661.xml
@@ -84,7 +84,7 @@
any future ability to install the database at another location, Shorewall
supports a GEOIPDIR option in shorewall.conf (5) and shorewall6.conf (5). The
+ url="manpages/shorewall.conf.html">shorewall6.conf (5). The
default value of that option is
/usr/share/xt_geoip/LE.
diff --git a/docs/Manpages.xml b/docs/Manpages.xml
index 5667aecc0..695819ea3 100644
--- a/docs/Manpages.xml
+++ b/docs/Manpages.xml
@@ -131,9 +131,8 @@
proxyarp
- Define Proxy ARP (IPv4)
- proxyndp - Define
- Proxy NDP (IPv6)
+ proxyndp
+ - Define Proxy NDP (IPv6)rtrules -
Define routing rules.
@@ -179,7 +178,7 @@
values for global Shorewall options.
shorewall6.conf - Specify
+ url="manpages/shorewall.conf.html">shorewall6.conf - Specify
values for global Shorewall6 options.shorewall -
/sbin/shorewall, /sbin/shorewall6/, /sbin/shorewall-lite and
- /sbin/shorewall6-line command syntax and semantics.
+ /sbin/shorewall6-lite command syntax and semantics.
diff --git a/docs/Manpages6.xml b/docs/Manpages6.xml
deleted file mode 100644
index 8dd027b3d..000000000
--- a/docs/Manpages6.xml
+++ /dev/null
@@ -1,182 +0,0 @@
-
-
-
-
-
-
- Shorewall6 5.0 Manpages
-
-
-
- Tom
-
- Eastep
-
-
-
-
-
-
- 2007-2014
-
- Thomas M. Eastep
-
-
-
- Permission is granted to copy, distribute and/or modify this
- document under the terms of the GNU Free Documentation License, Version
- 1.2 or any later version published by the Free Software Foundation; with
- no Invariant Sections, with no Front-Cover, and with no Back-Cover
- Texts. A copy of the license is included in the section entitled
- GNU Free Documentation
- License.
-
-
-
-
- These manpages are for Shorewall6 5.0 and later only. They describe
- features and options not available on earlier releases.The manpages for
- Shorewall 4.4-4.6 are available here.
-
-
-
- Section 5 — Files and Concepts
-
-
-
- accounting - Define
- IP accounting rules.
-
- actions
- - Declare user-defined actions.
-
- blrules
- - shorewall6 Blacklist file.
-
- conntrack - Specify
- helpers for connections or exempt certain traffic from netfilter
- connection tracking.
-
- exclusion -
- Excluding hosts from a network or zone
-
- hosts -
- Define multiple zones accessed through a single interface
-
- interfaces - Define
- the interfaces on the system and optionally associate them with
- zones.
-
- maclist
- - Define MAC verification.
-
- mangle -
- Supersedes tcrules and describes packet/connection marking.
-
- masq -
- Define Masquerade/SNAT
-
- modules
- - Specify which kernel modules to load.
-
- nat -
- (added in Shorewall 4.6.4) Specify 1:1 NAT
-
- nesting
- - How to define nested zones.
-
- params -
- Assign values to shell variables used in other files.
-
- policy -
- Define high-level policies for connections between zones.
-
- providers - Define
- routing tables, usually for multiple Internet links.
-
- proxyndp - Defines
- Proxy NDP
-
- rtrules
- - Define routing rules.
-
- routes -
- (Added in Shorewall 4.4.15) Add additional routes to provider routing
- tables.
-
- rules -
- Specify exceptions to policies, including DNAT and REDIRECT.
-
- secmarks - Attached
- an SELinux context to a packet.
-
- stoppedrules -
- Specify connections to be permitted when Shorewall6 is in the stopped
- state (Added in Shoreall 4.5.8).
-
- tcclasses - Define
- htb classes for traffic shaping.
-
- tcdevices - Specify
- speed of devices for traffic shaping.
-
- tcinterfaces -
- Specify interfaces for simplified traffic shaping.
-
- tcpri -
- Classify traffic for simplified traffic shaping.
-
- tunnels
- - Define VPN connections with endpoints on the firewall.
-
- shorewall6.conf - Specify
- values for global Shorewall6 options.
-
- shorewall6-lite.conf
- - Specify values for global Shorewall6 Lite options.
-
- vardir -
- Redefine the directory where Shorewall6 keeps its state
- information.
-
- vardir-lite -
- Redefine the directory where Shorewall6 Lite keeps its state
- information.
-
- zones -
- Declare Shorewall6 zones.
-
-
-
-
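Review bot: deleting docs/Manpages6.xml removes the target of every link that pointed at the IPv6 manpage index; the Documentation_Index.xml hunk collapses the two index entries into one "Manpages" link and the SharedConfig.xml hunk updates one `manpages6/` URL, so grep the docs tree and the web site configuration for remaining "Manpages6" and "manpages6/" references before merging, otherwise the deletion leaves dead links.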
diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml
index 6dc1f4366..73e374559 100644
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -63,8 +63,7 @@
ethereal or any other packet sniffing program. They can
be seen in an iptables/ip6tables trace -- see the
iptrace command in shorewall(8) and shorewall6(8).
+ url="manpages/shorewall.html">shorewall(8).
Example (output has been folded for display ):
diff --git a/docs/ProxyARP.xml b/docs/ProxyARP.xml
index 396ba47b1..fe8f6446f 100644
--- a/docs/ProxyARP.xml
+++ b/docs/ProxyARP.xml
@@ -311,7 +311,7 @@ shorewall start
The configuration file is /etc/shorewall6/proxyndp (see shorewall6-proxyndp
+ url="manpages/shorewall-proxyndp.html">shorewall6-proxyndp
(5)).
diff --git a/docs/SharedConfig.xml b/docs/SharedConfig.xml
index 0ec259964..8298dd716 100644
--- a/docs/SharedConfig.xml
+++ b/docs/SharedConfig.xml
@@ -348,7 +348,7 @@ ZONE_BITS=0
# For information about the settings in this file, type "man shorewall6.conf"
#
# Manpage also online at
-# http://www.shorewall.org/manpages6/shorewall6.conf.html
+# http://www.shorewall.org/manpages/shorewall.conf.html
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
diff --git a/docs/images/Network2013.dia b/docs/images/Network2013.dia
old mode 100755
new mode 100644
diff --git a/docs/images/Network2013.png b/docs/images/Network2013.png
old mode 100755
new mode 100644
diff --git a/docs/images/Network2015.dia b/docs/images/Network2015.dia
old mode 100755
new mode 100644
diff --git a/docs/images/Network2015.png b/docs/images/Network2015.png
old mode 100755
new mode 100644
diff --git a/docs/images/Xen4a.png b/docs/images/Xen4a.png
old mode 100755
new mode 100644
diff --git a/docs/images/Xen4a.vdx b/docs/images/Xen4a.vdx
old mode 100755
new mode 100644
diff --git a/docs/images/network4a.png b/docs/images/network4a.png
old mode 100755
new mode 100644
diff --git a/docs/images/network4a.vdx b/docs/images/network4a.vdx
old mode 100755
new mode 100644
diff --git a/docs/ipsets.xml b/docs/ipsets.xml
index 825fd1329..b91be93bf 100644
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -28,6 +28,8 @@
2017
+ 2019
+
Thomas M. Eastep
@@ -182,7 +184,7 @@ ACCEPT net:+sshok $FW tcp 22
together with the ipsets supporting dynamic zones are saved. Shorewall6
support for the SAVE_IPSETS option was also added in 4.6.4. When
SAVE_IPSETS=Yes in shorewall6.conf(5), only ipv6
+ url="manpages/shorewall.conf.html">shorewall6.conf(5), only ipv6
ipsets are saved. For Shorewall, if SAVE_IPSETS=ipv4 in shorewall.conf(5), then only
ipv4 ipsets are saved. Both features require ipset version 5 or
@@ -201,9 +203,9 @@ ACCEPT net:+sshok $FW tcp 22
Ipset support in Shorewall6 was added in Shorewall 4.4.21.Beginning with Shorewall 4.6.4, SAVE_IPSETS is available in shorewall6-conf(5). When set
- to Yes, the ipv6 ipsets will be saved. You can also save selective ipsets
- by setting SAVE_IPSETS to a comma-separated list of ipset names.
+ url="manpages/shorewall.conf.html">shorewall6-conf(5). When set to
+ Yes, the ipv6 ipsets will be saved. You can also save selective ipsets by
+ setting SAVE_IPSETS to a comma-separated list of ipset names.
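Review bot: the replacement line keeps "shorewall6-conf(5)", with a hyphen, whereas every other hunk in this patch and the rest of this file refer to "shorewall6.conf(5)"; correct the name while the line is being rewritten so the manpage reference is consistent.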
Prior to Shorewall 4.6.4, SAVE_IPSETS=Yes in shorewall.conf(5) won't work
@@ -221,7 +223,7 @@ ACCEPT net:+sshok $FW tcp 22If you configure SAVE_IPSETS in shorewall.conf(5) and/or shorewall6.conf(5) then do
- not set SAVE_IPSETS in shorewall-init.
+ url="manpages/shorewall.conf.html">shorewall6.conf(5) then do not
+ set SAVE_IPSETS in shorewall-init.
diff --git a/docs/shorewall_logging.xml b/docs/shorewall_logging.xml
index 7d51de586..833783770 100644
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -431,7 +431,7 @@ sync=1
Beginning with Shorewall 4.6.4, you can configure the backend using
the LOG_BACKEND option in shorewall.conf(5) and shorewall6.conf(5).
+ url="manpages/shorewall.conf.html">shorewall6.conf(5).
@@ -477,7 +477,7 @@ sync=1
By setting the LOGTAGONLY option to Yes in shorewall.conf(5) or shorewall6.conf(5), the
+ url="manpages/shorewall.conf.html">shorewall6.conf(5), the
disposition ('DROP' in the above example) will be omitted. Consider the
following rule:
@@ -511,7 +511,7 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net
shorewall.conf(5) and shorewall6.conf(5) have a
+ url="manpages/shorewall.conf.html">shorewall6.conf(5) have a
number of options whose values are log levels. Beginning with Shorewall
5.0.0, these specifcations may include a log tag as described above.
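Review bot: the trailing context line has the typo "specifcations"; since the paragraph is already being modified for the link change, fix the spelling in the same hunk.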
diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml
index b85e14899..c7579cd4b 100644
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -1049,7 +1049,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
Set TC_ENABLED=Shared in shorewall6.conf
+ url="manpages/shorewall.conf.html">shorewall6.conf
(5).
diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml
index be0a56d57..8889539a5 100644
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -771,7 +771,7 @@
If your /etc/shorewall/params (or
/etc/shorewall6/params)
+ url="manpages/shorewall-params.html">/etc/shorewall6/params)
file sends output to Standard Output, you need to be aware that the
output will be redirected to Standard Error beginning with Shorewall
4.4.16.
@@ -782,7 +782,7 @@
deprecated. With EXPORTPARAMS=No, the variables set by /etc/shorewall/params
(/etc/shorewall6/params)
+ url="manpages/shorewall-params.html">/etc/shorewall6/params)
at compile time are now available in the compiled firewall
script.