Finish up ipset extensions.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-01-03 09:23:14 -08:00
parent 1771bb75cf
commit 78ecf9bdc8
9 changed files with 116 additions and 56 deletions


@ -5474,18 +5474,15 @@ sub get_set_flags( $$ ) {
my %typemap = ( src => 'Source', dst => 'Destination' ); my %typemap = ( src => 'Source', dst => 'Destination' );
if ( $config{IPSET_WARNINGS} ) { if ( $config{IPSET_WARNINGS} ) {
for ( @options ) { warning_message( "The '$options[0]' ipset flag is used in a $option column" ), unless $options[0] eq $option;
warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
} }
} }
}
if ( $rest ) { if ( $rest ) {
my @extensions = split_list($rest, 'ipset option'); my @extensions = split_list($rest, 'ipset option');
for ( @extensions ) { for ( @extensions ) {
my ($extension, $relop, $value) = split /(!=|=|<|>)/, $_; my ($extension, $relop, $value) = split /(<>|=|<|>)/, $_;
my $match = $ipset_extensions{$extension}; my $match = $ipset_extensions{$extension};
@ -5505,15 +5502,14 @@ sub get_set_flags( $$ ) {
fatal_error "Invalid number ($value)" unless defined ( $val = numeric_value($value) ); fatal_error "Invalid number ($value)" unless defined ( $val = numeric_value($value) );
$extension = "--$extension"; $extension = "--$extension";
if ( $relop =~ s/!// ) {
$extension = join( ' ', '!', $extension );
}
if ( $relop eq '<' ) { if ( $relop eq '<' ) {
$extension .= '-lt'; $extension .= '-lt';
} elsif ( $relop eq '>' ) { } elsif ( $relop eq '>' ) {
$extension .= '-gt'; $extension .= '-gt';
} elsif ( $relop eq '=' ) {
$extension .= '-eq';
} else { } else {
$extension = join( ' ', '!', $extension );
$extension .= '-eq'; $extension .= '-eq';
} }
@ -5678,7 +5674,7 @@ sub match_source_net( $;$\$ ) {
fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE}; fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
for $net ( @sets ) { for $net ( @sets ) {
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/; fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
$result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ); $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'src' ) );
if ( $3 ) { if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's'; require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@ -5747,7 +5743,7 @@ sub imatch_source_net( $;$\$ ) {
return do_imac $net; return do_imac $net;
} }
if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/ ) { if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/ ) {
my @result = ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ) ); my @result = ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ) );
if ( $3 ) { if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's'; require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@ -5767,7 +5763,7 @@ sub imatch_source_net( $;$\$ ) {
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE}; fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
for $net ( @sets ) { for $net ( @sets ) {
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/; fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ) ); push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ) );
if ( $3 ) { if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's'; require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@ -5832,7 +5828,7 @@ sub match_dest_net( $;$ ) {
return iprange_match . "${invert}--dst-range $net "; return iprange_match . "${invert}--dst-range $net ";
} }
if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/ ) { if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/ ) {
my $result = join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) ); my $result = join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) );
if ( $3 ) { if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's'; require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@ -5852,9 +5848,8 @@ sub match_dest_net( $;$ ) {
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE}; fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
for $net ( @sets ) { for $net ( @sets ) {
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/; fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
$result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) ); $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) );
}
if ( $3 ) { if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's'; require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@ -5863,6 +5858,7 @@ sub match_dest_net( $;$ ) {
$result .= do_nfacct( $_ ); $result .= do_nfacct( $_ );
} }
} }
}
return $result; return $result;
} }
@ -5916,7 +5912,7 @@ sub imatch_dest_net( $;$ ) {
return ( iprange => "${invert}--dst-range $net" ); return ( iprange => "${invert}--dst-range $net" );
} }
if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/ ) { if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/ ) {
my @result = ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) ) ); my @result = ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) ) );
if ( $3 ) { if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's'; require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
@ -5936,7 +5932,7 @@ sub imatch_dest_net( $;$ ) {
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE}; fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
for $net ( @sets ) { for $net ( @sets ) {
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\]))?(?:\((.+)\))?$/; fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) ) ); push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) ) );
if ( $3 ) { if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's'; require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
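Review bot: In the IPSET_WARNINGS hunk of get_set_flags the new warning interpolates `$option` directly, so `%typemap` declared on the unchanged line just above becomes dead code and the message degrades from "a Source column" to "a src column"; restoring it as `warning_message( "The '$options[0]' ipset flag is used in a $typemap{$option} column" ) unless $options[0] eq $option;` also drops the stray comma left behind when `, last` was removed. The new check also inspects only `$options[0]`, whereas the old loop warned on the first flag that differed from `$option`; since `@options` is built above the hunk I cannot tell whether allowing `[src,dst]` in a SOURCE column is intended, so a one-line comment stating that would help. In the extension loop an entry with no relop leaves `$relop` undef, and the trailing `else` then emits a negated `-eq` unless `numeric_value` already rejects the missing value; making that branch `elsif ( $relop eq '<>' )` and adding a final `else { fatal_error "Invalid ipset extension ($_)" }` fails closed. The body of get_set_flags begins before this hunk and the portion between the two hunks is not visible.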


@ -55,7 +55,8 @@
<option>dst</option>. Example: myset[src,dst].</member> <option>dst</option>. Example: myset[src,dst].</member>
</simplelist> </simplelist>
<para>In a SOURCE column, the following pairs are equivalent:</para> <para>In a SOURCE or SOURCE PORT(S) column, the following pairs are
equivalent:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -63,7 +64,8 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>In a DEST column, the following pairs are equivalent:</para> <para>In a DEST or DEST PORT(S) column, the following pairs are
equivalent:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -137,7 +139,7 @@
<listitem> <listitem>
<para>If the packet is matched an element in the set, match only if <para>If the packet is matched an element in the set, match only if
the packet counter of the element matches the given the packet counter of the element matches the given
<replaceable>value</replaceable> too.</para> <replaceable>value</replaceable> also.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -167,7 +169,7 @@
<listitem> <listitem>
<para>If the packet is matched an element in the set, match only if <para>If the packet is matched an element in the set, match only if
the packet counter of the element does not match the given the packet counter of the element does not match the given
<replaceable>value</replaceable> too.</para> <replaceable>value</replaceable> also.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -177,7 +179,7 @@
<listitem> <listitem>
<para>If the packet is matched an element in the set, match only if <para>If the packet is matched an element in the set, match only if
the byte counter of the element matches the given the byte counter of the element matches the given
<replaceable>value</replaceable> too.</para> <replaceable>value</replaceable> also.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -202,12 +204,12 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>bytes!=<replaceable>value</replaceable></term> <term>bytes&lt;&gt;<replaceable>value</replaceable></term>
<listitem> <listitem>
<para>If the packet is matched an element in the set, match only if <para>If the packet is matched an element in the set, match only if
the byte counter of the element does not match the given the byte counter of the element does not match the given
<replaceable>value</replaceable> too.</para> <replaceable>value</replaceable> also.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -240,7 +242,7 @@
<para>/etc/shorewall/accounting</para> <para>/etc/shorewall/accounting</para>
<para>/etc/shorewall/blacklist</para> <para>/etc/shorewall/blrules</para>
<para>/etc/shorewall/hosts -- <emphasis role="bold">Note:</emphasis> <para>/etc/shorewall/hosts -- <emphasis role="bold">Note:</emphasis>
Multiple matches enclosed in +[...] may not be used in this file.</para> Multiple matches enclosed in +[...] may not be used in this file.</para>


@ -772,9 +772,9 @@ Normal-Service =&gt; 0x00</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis <term><emphasis role="bold">PORT(S)</emphasis> (dport) - {<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term> role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>Optional destination Ports. A comma-separated list of Port <para>Optional destination Ports. A comma-separated list of Port
@ -795,14 +795,19 @@ Normal-Service =&gt; 0x00</programlisting>
<para>An entry in this field requires that the PROTO column specify <para>An entry in this field requires that the PROTO column specify
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
any of the following field is supplied.</para> any of the following field is supplied.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) - <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
[<emphasis {<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term> role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>Optional source port(s). If omitted, any source port is <para>Optional source port(s). If omitted, any source port is
@ -819,6 +824,11 @@ Normal-Service =&gt; 0x00</programlisting>
destination port in a packet matches one of the ports specified in destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multi-port match in your iptables DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.</para> and kernel.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -233,7 +233,7 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]}</term> role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>If you wish to restrict this entry to a particular protocol <para>If you wish to restrict this entry to a particular protocol
@ -242,12 +242,17 @@
<para>Beginning with Shorewall 4.5.12, this column can accept a <para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para> comma-separated list of protocols.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) - <term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
[[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...]</term> {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33), <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
@ -257,6 +262,11 @@
<para>Port ranges are of the form <para>Port ranges are of the form
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para> <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -1070,7 +1070,7 @@
<term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> - <term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
{<emphasis {<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term> role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>Optional destination Ports. A comma-separated list of Port <para>Optional destination Ports. A comma-separated list of Port
@ -1106,6 +1106,11 @@
<para>2. No port ranges are included or your kernel and iptables <para>2. No port ranges are included or your kernel and iptables
contain extended multi-port match support.</para> contain extended multi-port match support.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1113,7 +1118,7 @@
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) - <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
{<emphasis {<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term> role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>Optional port(s) used by the client. If omitted, any source <para>Optional port(s) used by the client. If omitted, any source
@ -1146,6 +1151,11 @@
<para>2. No port ranges are included or your kernel and iptables <para>2. No port ranges are included or your kernel and iptables
contain extended multi-port match support.</para> contain extended multi-port match support.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -392,7 +392,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>DEST PORT(S) (dport) - port-number/service-name-list</term> <term>DEST PORT(S) (dport) -
{-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>A comma-separated list of port numbers and/or service names <para>A comma-separated list of port numbers and/or service names
@ -400,11 +401,16 @@
ranges of the form ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable> <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para> if your kernel and iptables include port range support.</para>
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
in this column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>SOURCE PORT(S) (sport) - port-number/service-name-list</term> <term>SOURCE PORT(S) (sport) -
{-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>A comma-separated list of port numbers and/or service names <para>A comma-separated list of port numbers and/or service names
@ -418,6 +424,10 @@
causes the rule to match when either the source port or the causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in destination port in a packet matches one of the ports specified in
DEST PORTS(S).</para> DEST PORTS(S).</para>
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
in this column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -54,7 +54,8 @@
<option>dst</option>. Example: myset[src,dst].</member> <option>dst</option>. Example: myset[src,dst].</member>
</simplelist> </simplelist>
<para>In a SOURCE column, the following pairs are equivalent:</para> <para>In a SOURCE or SOURCE PORT(S) column, the following pairs are
equivalent:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -62,7 +63,8 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>In a DEST column, the following pairs are equivalent:</para> <para>In a DEST or DEST PORT(S) column, the following pairs are
equivalent:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -136,7 +138,7 @@
<listitem> <listitem>
<para>If the packet is matched an element in the set, match only if <para>If the packet is matched an element in the set, match only if
the packet counter of the element matches the given the packet counter of the element matches the given
<replaceable>value</replaceable> too.</para> <replaceable>value</replaceable> also.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -166,7 +168,7 @@
<listitem> <listitem>
<para>If the packet is matched an element in the set, match only if <para>If the packet is matched an element in the set, match only if
the packet counter of the element does not match the given the packet counter of the element does not match the given
<replaceable>value</replaceable> too.</para> <replaceable>value</replaceable> also.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -176,7 +178,7 @@
<listitem> <listitem>
<para>If the packet is matched an element in the set, match only if <para>If the packet is matched an element in the set, match only if
the byte counter of the element matches the given the byte counter of the element matches the given
<replaceable>value</replaceable> too.</para> <replaceable>value</replaceable> also.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -201,12 +203,12 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>bytes!=<replaceable>value</replaceable></term> <term>bytes&lt;&gt;<replaceable>value</replaceable></term>
<listitem> <listitem>
<para>If the packet is matched an element in the set, match only if <para>If the packet is matched an element in the set, match only if
the byte counter of the element does not match the given the byte counter of the element does not match the given
<replaceable>value</replaceable> too.</para> <replaceable>value</replaceable> also.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -233,7 +235,7 @@
<para>/etc/shorewall6/accounting</para> <para>/etc/shorewall6/accounting</para>
<para>/etc/shorewall6/blacklist</para> <para>/etc/shorewall6/blrules</para>
<para>/etc/shorewall6/hosts -- <emphasis role="bold">Note:</emphasis> <para>/etc/shorewall6/hosts -- <emphasis role="bold">Note:</emphasis>
Multiple matches enclosed in +[...] may not be used in this file.</para> Multiple matches enclosed in +[...] may not be used in this file.</para>
@ -245,7 +247,7 @@
<para>/etc/shorewall6/secmarks</para> <para>/etc/shorewall6/secmarks</para>
<para>/etc/shorewall6/tcrules</para> <para>/etc/shorewall6/mangle</para>
</refsect1> </refsect1>
<refsect1> <refsect1>


@ -185,7 +185,7 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]}</term> role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>If you wish to restrict this entry to a particular protocol <para>If you wish to restrict this entry to a particular protocol
@ -194,12 +194,17 @@
<para>Beginning with Shorewall 4.5.12, this column can accept a <para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para> comma-separated list of protocols.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) - <term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
[[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...]</term> {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33), <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
@ -209,6 +214,11 @@
<para>Port ranges are of the form <para>Port ranges are of the form
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para> <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -1015,7 +1015,7 @@
<term><emphasis role="bold">DEST PORT(S) </emphasis>(dport) - <term><emphasis role="bold">DEST PORT(S) </emphasis>(dport) -
{<emphasis {<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term> role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>Optional destination Ports. A comma-separated list of Port <para>Optional destination Ports. A comma-separated list of Port
@ -1044,13 +1044,19 @@
role="bold">-</emphasis>).</para> role="bold">-</emphasis>).</para>
<para>If your kernel contains multi-port match support, then only a <para>If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and the single Netfilter rule will be generated in this list and the
<emphasis role="bold">CLIENT PORT(S)</emphasis> list below:</para> <emphasis role="bold">CLIENT PORT(S)</emphasis> list below
if:</para>
<para>1. There are 15 or less ports listed.</para> <para>1. There are 15 or less ports listed.</para>
<para>2. No port ranges are included or your kernel and ip6tables <para>2. No port ranges are included or your kernel and ip6tables
contain extended multi-port match support.</para> contain extended multi-port match support.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1058,7 +1064,7 @@
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) - <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
{<emphasis {<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term> role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>Optional source port(s). If omitted, any source port is <para>Optional source port(s). If omitted, any source port is
@ -1090,6 +1096,10 @@
<para>2. No port ranges are included or your kernel and ip6tables <para>2. No port ranges are included or your kernel and ip6tables
contain extended multi-port match support.</para> contain extended multi-port match support.</para>
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
in this column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>