forked from extern/shorewall_code
Add IPP2P UDP support
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2793 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
340053a6bc
commit
7277150a46
@ -47,9 +47,9 @@
|
||||
# Format the same as the SOURCE column.
|
||||
#
|
||||
# PROTOCOL A protocol name (from /etc/protocols), a protocol
|
||||
# number, or "ipp2p"
|
||||
# number, "ipp2p", "ipp2p-udp" or "ipp2p-all"
|
||||
#
|
||||
# DEST PORT(S) Destination Port number. If the PROTOCOL is "ipp2p"
|
||||
# DEST PORT(S) Destination Port number. If the PROTOCOL is "ipp2p*"
|
||||
# then this column must contain an ipp2p option
|
||||
# ("iptables -m ipp2p --help") without the leading
|
||||
# "--". If no option is given in this column, "ipp2p"
|
||||
@ -60,7 +60,7 @@
|
||||
# or 17).
|
||||
#
|
||||
# You may place a comma-separated list of port numbers in
|
||||
# this column if your kernel and iptables include
|
||||
# this column if your kernel and iptables include
|
||||
# multiport match support.
|
||||
#
|
||||
# SOURCE PORT(S) Source Port number
|
||||
@ -70,12 +70,12 @@
|
||||
# or 17).
|
||||
#
|
||||
# You may place a comma-separated list of port numbers in
|
||||
# this column if your kernel and iptables include
|
||||
# this column if your kernel and iptables include
|
||||
# multiport match support.
|
||||
#
|
||||
# USER/GROUP This column may only be non-empty if the CHAIN is
|
||||
# OUTPUT.
|
||||
#
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>][+<program name>]
|
||||
|
||||
@ -3213,11 +3213,21 @@ process_tc_rule()
|
||||
multiport=
|
||||
|
||||
case $proto in
|
||||
ipp2p|IPP2P)
|
||||
ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP)
|
||||
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
|
||||
[ "x$port" = "x-" ] && port="ipp2p"
|
||||
r="${r}-p tcp -m ipp2p --${port} "
|
||||
;;
|
||||
ipp2p-udp|IPP2P-UDP)
|
||||
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
|
||||
[ "x$port" = "x-" ] && port="ipp2p"
|
||||
r="${r}-p udp -m ipp2p --${port} "
|
||||
;;
|
||||
ipp2p-both|IPP2P-both)
|
||||
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
|
||||
[ "x$port" = "x-" ] && port="ipp2p"
|
||||
r="${r}-m ipp2p --${port} "
|
||||
;;
|
||||
icmp|ICMP|1)
|
||||
r="${r}-p icmp "
|
||||
[ "x$port" = "x-" ] || r="${r}--icmp-type $port"
|
||||
@ -3566,11 +3576,21 @@ process_accounting_rule() {
|
||||
[ -n "$proto" ] && case $proto in
|
||||
-|any|all)
|
||||
;;
|
||||
ipp2p)
|
||||
ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP)
|
||||
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support"
|
||||
rule="$rule -p tcp -m ipp2p --${port:-ipp2p}"
|
||||
port=
|
||||
;;
|
||||
ipp2p-udp|IPP2P-udp)
|
||||
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support"
|
||||
rule="$rule -p udp -m ipp2p --${port:-ipp2p}"
|
||||
port=
|
||||
;;
|
||||
ipp2p-all|IPP2P-all)
|
||||
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support"
|
||||
rule="$rule -m ipp2p --${port:-ipp2p}"
|
||||
port=
|
||||
;;
|
||||
*)
|
||||
rule="$rule -p $proto"
|
||||
;;
|
||||
@ -3988,12 +4008,25 @@ add_an_action()
|
||||
icmp|ICMP|1)
|
||||
[ -n "$port" ] && dports="--icmp-type $port"
|
||||
;;
|
||||
ipp2p)
|
||||
ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP)
|
||||
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
|
||||
dports="-m ipp2p --${port:-ipp2p}"
|
||||
port=
|
||||
proto=tcp
|
||||
do_ports
|
||||
ipp2p-udpIPP2P-udp)
|
||||
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
|
||||
dports="-m ipp2p --${port:-ipp2p}"
|
||||
port=
|
||||
proto=udp
|
||||
do_ports
|
||||
ipp2p-all|IPP2P-all)
|
||||
[ -n "$port" ] && \
|
||||
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
|
||||
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
|
||||
dports="-m ipp2p --${port:-ipp2p}"
|
||||
port=
|
||||
proto=all
|
||||
;;
|
||||
*)
|
||||
[ -n "$port" ] && \
|
||||
@ -5314,13 +5347,28 @@ process_rule() # $1 = target
|
||||
fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
|
||||
proto=
|
||||
;;
|
||||
ipp2p)
|
||||
ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP)
|
||||
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
|
||||
dports="-m ipp2p --${port:-ipp2p}"
|
||||
port=
|
||||
proto=tcp
|
||||
do_ports
|
||||
;;
|
||||
ipp2p-udp|IPP2P-UDP)
|
||||
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
|
||||
dports="-m ipp2p --${port:-ipp2p}"
|
||||
port=
|
||||
proto=udp
|
||||
do_ports
|
||||
;;
|
||||
ipp2p-all|IPP2P-ALL)
|
||||
[ -n "$port" ] && \
|
||||
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
|
||||
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
|
||||
dports="-m ipp2p --${port:-ipp2p}"
|
||||
port=
|
||||
proto=all
|
||||
;;
|
||||
*)
|
||||
[ -n "$port" ] && \
|
||||
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
|
||||
|
||||
@ -214,16 +214,17 @@
|
||||
# contain the port number on the firewall that the
|
||||
# request should be redirected to.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# a number, or "all". "ipp2p" requires ipp2p match
|
||||
# support in your kernel and iptables.
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# "ipp2p-udp", "ipp2p-all" a number, or "all".
|
||||
# "ipp2p*" requires ipp2p match support in your kernel
|
||||
# and iptables.
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# If the protocol is ipp2p, this column is interpreted
|
||||
# If the protocol is ipp2p*, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example
|
||||
# "bit" for bit-torrent). If no port is given, "ipp2p" is
|
||||
# assumed.
|
||||
@ -275,7 +276,7 @@
|
||||
#
|
||||
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>][+<program name>]
|
||||
@ -312,7 +313,7 @@
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# # PORT PORT(S) DEST LIMIT GROUP
|
||||
# DNAT net loc:192.168.1.5 tcp 21
|
||||
# DNAT net loc:192.168.1.5 tcp 21
|
||||
#
|
||||
# The substitution rules are as follows:
|
||||
#
|
||||
@ -328,8 +329,8 @@
|
||||
# contains PARAM. PARAM may be optionally
|
||||
# followed by a colon and a log level.
|
||||
#
|
||||
# You may also follow the
|
||||
#
|
||||
# You may also follow the
|
||||
#
|
||||
# Any logging specified when the macro is
|
||||
# invoked is applied to each entry in the macros.
|
||||
#
|
||||
@ -346,11 +347,11 @@
|
||||
# macro.FTP File PARAM net loc tcp 21
|
||||
# rules File FTP/DNAT - 192.168.1.5
|
||||
# Result DNAT net loc:192.168.1.5 tcp 21
|
||||
#
|
||||
#
|
||||
# Remaining Any value in the rules file REPLACES the value
|
||||
# columns given in the macro file.
|
||||
#
|
||||
#
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
|
||||
@ -47,17 +47,17 @@
|
||||
# NEW Packets in the NEW and INVALID states are
|
||||
# processed by rules in this section.
|
||||
#
|
||||
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
|
||||
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
|
||||
# ESTABLISHED and RELATED sections must be empty.
|
||||
#
|
||||
# Note: If you are not familiar with Netfilter to the point where you are
|
||||
# comfortable with the differences between the various connection
|
||||
# Note: If you are not familiar with Netfilter to the point where you are
|
||||
# comfortable with the differences between the various connection
|
||||
# tracking states, then I suggest that you omit the ESTABLISHED and
|
||||
# RELATED sections and place all of your rules in the NEW section.
|
||||
#
|
||||
# You may omit any section that you don't need. If no Section Headers appear
|
||||
# in the file then all rules are assumed to be in the NEW section.
|
||||
#
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
||||
@ -268,16 +268,17 @@
|
||||
# contain the port number on the firewall that the
|
||||
# request should be redirected to.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# a number, or "all". "ipp2p" requires ipp2p match
|
||||
# support in your kernel and iptables.
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# "ipp2p-udp", "ipp2p-all" a number, or "all".
|
||||
# "ipp2p*" requires ipp2p match support in your kernel
|
||||
# and iptables.
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# If the protocol is ipp2p, this column is interpreted
|
||||
# If the protocol is ipp2p*, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example
|
||||
# "bit" for bit-torrent). If no port is given, "ipp2p" is
|
||||
# assumed.
|
||||
@ -343,7 +344,7 @@
|
||||
#
|
||||
# See http://shorewall.net/PortKnocking.html for an
|
||||
# example of using an entry in this column with a
|
||||
# user-defined action rule.
|
||||
# user-defined action rule.
|
||||
#
|
||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||
# this colume:
|
||||
@ -360,7 +361,7 @@
|
||||
#
|
||||
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>][+<program name>]
|
||||
|
||||
@ -109,15 +109,16 @@
|
||||
# contain an interface name.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# a number, or "all". "ipp2p" requires ipp2p match
|
||||
# support in your kernel and iptables.
|
||||
# "ipp2p-udp", "ipp2p-all" a number, or "all".
|
||||
# "ipp2p" requires ipp2p match support in your kernel
|
||||
# and iptables.
|
||||
#
|
||||
# PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# If the protocol is ipp2p, this column is interpreted
|
||||
# If the protocol is ipp2p*, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example
|
||||
# "bit" for bit-torrent). If no PORT is given, "ipp2p" is
|
||||
# assumed.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user