From 6da498510ca4a1074002241efe90791ed2df7d4c Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 16 Oct 2019 11:41:21 -0700 Subject: [PATCH 1/7] Correct mss specification when using ipcomp Signed-off-by: Tom Eastep --- docs/IPSEC-2.6.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml index 301c508f5..0d0902483 100644 --- a/docs/IPSEC-2.6.xml +++ b/docs/IPSEC-2.6.xml @@ -364,6 +364,12 @@ ACCEPT vpn:134.28.54.2 $FW #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS vpn ipsec mode=tunnel mss=1400 + Note that if you are using ipcomp, you should omit the mode + specification: + + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS +vpn ipsec - mss=1400 + You should also set FASTACCEPT=No in shorewall.conf to ensure that both the SYN and SYN,ACK packets have their MSS field adjusted. From 157abcbd37436864549550300edb2f012108427c Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 21 Oct 2019 14:34:37 -0700 Subject: [PATCH 2/7] Allow NFQUEUE 'bypass' in the policy file Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Rules.pm | 14 ++++---------- Shorewall/manpages/shorewall-policy.xml | 15 +++++++++++++-- 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 6470bca79..32049fabd 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -611,8 +611,8 @@ sub process_policy_actions( $$$ ) { # # Verify an NFQUEUE specification and return the appropriate ip[6]tables target # -sub handle_nfqueue( $$ ) { - my ($params, $allow_bypass ) = @_; +sub handle_nfqueue( $ ) { + my ($params) = @_; my ( $action, $bypass, $fanout ); my ( $queue1, $queue2, $queuenum1, $queuenum2 ); 
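Review bot: Dropping the `$allow_bypass` guard from `handle_nfqueue` means a zone-to-zone policy may now be `NFQUEUE(…,bypass)`, and the shorewall-policy manpage hunk in this same commit states that with bypass an NFQUEUE with no listening userspace program behaves like ACCEPT instead of dropping — so a policy written this way fails open whenever the queue consumer is not running. Neither the code nor the header comment records that this is intended; the comment above `sub handle_nfqueue( $ )` could add `# 'bypass' is accepted for both rules and policies; --queue-bypass ACCEPTs when no program is bound to the queue, so a bypass policy fails open if the consumer is down`. The same consideration applies to the two call-site hunks (`process_a_policy1` at -742 and `process_rule` at -2704) that remove the old `# Don't allow 'bypass'` / `# Allow 'bypass'` arguments without any replacement note. handle_nfqueue's body continues beyond this hunk.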
@@ -625,7 +625,6 @@ sub handle_nfqueue( $$ ) { if ( supplied $queue ) { if ( $queue eq 'bypass' ) { - fatal_error "'bypass' is not allowed in this context" unless $allow_bypass; fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass; return 'NFQUEUE --queue-bypass'; } @@ -653,7 +652,6 @@ sub handle_nfqueue( $$ ) { if ( supplied $bypass ) { fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass'; - fatal_error "'bypass' is not allowed in this context" unless $allow_bypass; $bypass =' --queue-bypass'; } else { @@ -742,9 +740,7 @@ sub process_a_policy1($$$$$$$) { my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions ); if ( defined $queue ) { - $policy = handle_nfqueue( $queue, - 0 # Don't allow 'bypass' - ); + $policy = handle_nfqueue( $queue ); } elsif ( $policy eq 'NONE' ) { fatal_error "NONE policy not allowed with \"all\"" if $clientwild || $serverwild; @@ -2704,9 +2700,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) { $macro_nest_level--; goto EXIT; } elsif ( $actiontype & NFQ ) { - $action = handle_nfqueue( $param, - 1 # Allow 'bypass' - ); + $action = handle_nfqueue( $param ); } elsif ( $actiontype & SET ) { require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' ); fatal_error "$action rules require a set name parameter" unless $param; diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml index 1f7d7cfac..e97d38a06 100644 --- a/Shorewall/manpages/shorewall-policy.xml +++ b/Shorewall/manpages/shorewall-policy.xml @@ -131,7 +131,7 @@ role="bold">BLACKLIST|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2])]|NFQUEUE[([queuenumber1[:queuenumber2[c]][,bypass]]|bypass)]|NONE}[:{[+]policy-action[:level][,...]|None}] 
@@ -236,7 +236,18 @@ given queues. This is useful for multicore systems: start multiple instances of the userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets belonging to the same - connection are put into the same nfqueue. + connection are put into the same nfqueue. Beginning with + Shorewall 5.1.0, queuenumber2 may be followed by the letter + 'c' to indicate that the CPU ID will be used as an index to + map packets to the queues. The idea is that you can improve + performance if there's a queue per CPU. Requires the NFQUEUE + CPU Fanout capability in your kernel and iptables. + + Beginning with Shorewall 4.6.10, the keyword bypass can be given. By default, if no + userspace program is listening on an NFQUEUE, then all packets + that are to be queued are dropped. When this option is used, + the NFQUEUE rule behaves like ACCEPT instead. From 9213d7e707d2421eb85254e91de8d6b83b63e222 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 27 Nov 2019 15:46:57 -0800 Subject: [PATCH 3/7] Clean up Shorewall6[-lite] manpage links - there were many links pointing to /manpages6/shorewall6... that should have been updated to point to /manpages/shorewall... - this commit corrects those links 
Signed-off-by: Tom Eastep --- Shorewall-core/manpages/shorewall.xml | 64 +++---- Shorewall/manpages/shorewall-files.xml | 2 +- Shorewall/manpages/shorewall-init.xml | 4 +- Shorewall/manpages/shorewall-interfaces.xml | 2 +- Shorewall/manpages/shorewall-logging.xml | 4 +- Shorewall/manpages/shorewall-nat.xml | 2 +- Shorewall/manpages/shorewall-rules.xml | 2 +- docs/Accounting.xml | 4 +- docs/Actions.xml | 8 +- docs/Documentation_Index.xml | 6 +- docs/IPv6Support.xml | 6 +- docs/ISO-3661.xml | 2 +- docs/Manpages.xml | 9 +- docs/Manpages6.xml | 182 -------------------- docs/PacketMarking.xml | 3 +- docs/ProxyARP.xml | 2 +- docs/SharedConfig.xml | 2 +- docs/ipsets.xml | 14 +- docs/shorewall_logging.xml | 6 +- docs/traffic_shaping.xml | 2 +- docs/upgrade_issues.xml | 4 +- 21 files changed, 69 insertions(+), 261 deletions(-) delete mode 100644 docs/Manpages6.xml diff --git a/Shorewall-core/manpages/shorewall.xml b/Shorewall-core/manpages/shorewall.xml index d3f90505d..d776b43a1 100644 --- a/Shorewall-core/manpages/shorewall.xml +++ b/Shorewall-core/manpages/shorewall.xml @@ -1141,7 +1141,7 @@ setting in shorewall.conf(5) (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). When no verbosity is specified, each instance of this option causes 1 to be added to the effective @@ -1162,7 +1162,7 @@ setting in shorewall.conf(5) (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). Each instance of this option causes 1 to be subtracted from the effective verbosity. @@ -1199,7 +1199,7 @@ defined in the shorewall-interfaces(5) (shorewall6-interfaces(5))file. + url="/manpages/shorewall-interfaces.html">shorewall6-interfaces(5))file. A host-list is comma-separated list whose elements are host or network addresses. The add command is not very robust. If 
@@ -1214,7 +1214,7 @@ Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall-zones(5),shorewall6-zones(5)) allows a single ipset to + url="/manpages/shorewall-zones.html">shorewall6-zones(5)) allows a single ipset to handle entries for multiple interfaces. When that option is specified for a zone, the add command has the alternative syntax in which the zone name @@ -1332,7 +1332,7 @@ set to Yes in shorewall.conf(5) (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). @@ -1440,7 +1440,7 @@ set to Yes in shorewall.conf(5) (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). @@ -1458,7 +1458,7 @@ defined in the shorewall-interfaces(5) (shorewall6-interfaces(5) + url="/manpages/shorewall-interfaces.html">shorewall6-interfaces(5) file. A host-list is comma-separated list whose elements are a host or network address. @@ -1466,7 +1466,7 @@ role="bold">dynamic_shared zone option (shorewall-zones(5), shorewall6-zones(5)) + url="/manpages/shorewall-zones.html">shorewall6-zones(5)) allows a single ipset to handle entries for multiple interfaces. When that option is specified for a zone, the delete command has the alternative syntax in @@ -1493,7 +1493,7 @@ command removes any routes added from shorewall-routes(5) (shorewall6-routes(5))and + url="/manpages/shorewall-routes.html">shorewall6-routes(5))and any traffic shaping configuration for the interface. @@ -1554,7 +1554,7 @@ adds any route specified in shorewall-routes(5) (shorewall6-routes(5)) + url="/manpages/shorewall-routes.html">shorewall6-routes(5)) and installs the interface's traffic shaping configuration, if any. @@ -1599,7 +1599,7 @@ given then the file specified by RESTOREFILE in shorewall.conf(5) (shorewall6.conf(5)) is + url="/manpages/shorewall.conf.html">shorewall6.conf(5)) is assumed. 
@@ -1684,7 +1684,7 @@ specified by the BLACKLIST_LOGLEVEL setting in shorewall.conf (5) (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). This command requires that the firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in shorewall.conf @@ -1700,7 +1700,7 @@ Monitors the log file specified by the LOGFILE option in shorewall.conf(5) (shorewall6.conf(5)) + url="/manpages/shorewall.conf.html">shorewall6.conf(5)) and produces an audible alarm when new Shorewall messages are logged. The -m option causes the MAC address of each packet source to be displayed if that @@ -1723,7 +1723,7 @@ specified by the BLACKLIST_LOGLEVEL setting in shorewall.conf (5), (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). This command requires that the firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in shorewall.conf @@ -1878,13 +1878,13 @@ INLINE_MATCHES is set to Yes in shorewall.conf(5) (shorewall6.conf(5)).. + url="/manpages/shorewall.conf.html">shorewall6.conf(5)).. The option was added in Shorewall 4.6.5 and is only meaningful when AUTOMAKE=Yes in shorewall.conf(5) (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). If an existing firewall script is used and if that script was the one that generated the current running configuration, then the running netfilter configuration will be reloaded as is so @@ -2006,7 +2006,7 @@ system is omitted, then the FIREWALL option setting in shorewall.conf(5) (shorewall6.conf(5)) is + url="/manpages/shorewall.conf.html">shorewall6.conf(5)) is assumed. In that case, if you want to specify a directory, then the option must be given. 
@@ -2071,8 +2071,8 @@ Beginning with Shorewall 5.0.13, if system is omitted, then the FIREWALL option setting in shorewall6.conf(5) (shorewall6.conf(5)) is + url="/manpages/shorewall.conf.html">shorewall6.conf(5) (shorewall6.conf(5)) is assumed. In that case, if you want to specify a directory, then the option must be given. @@ -2104,7 +2104,7 @@ set to Yes in shorewall.conf(5) (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). @@ -2144,8 +2144,8 @@ Beginning with Shorewall 5.0.13, if system is omitted, then the FIREWALL option setting in shorewall6.conf(5) (shorewall6.conf(5)) is + url="/manpages/shorewall.conf.html">shorewall6.conf(5) (shorewall6.conf(5)) is assumed. In that case, if you want to specify a directory, then the option must be given. @@ -2177,7 +2177,7 @@ set to Yes in shorewall.conf(5) (shorewall6.conf(5). + url="/manpages/shorewall.conf.html">shorewall6.conf(5). @@ -2304,7 +2304,7 @@ restored from the file specified by the RESTOREFILE option in shorewall.conf(5) (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). If your iptables ruleset depends on variables that are @@ -2460,7 +2460,7 @@ in the file specified by the RESTOREFILE option in shorewall.conf(5) (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). The option, added in Shorewall 4.6.5, causes the iptables packet and byte counters to be saved along with @@ -2477,7 +2477,7 @@ the SAVE_IPSETS option in shorewall.conf (5) (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). This command may be used to proactively save your ipset contents in the event that a system failure occurs prior to issuing a stop command. @@ -2645,7 +2645,7 @@ accounting counters (shorewall-accounting (5), shorewall6-accounting(5)). + url="/manpages/shorewall-accounting.html">shorewall6-accounting(5)). 
@@ -2669,7 +2669,7 @@ file specified by the LOGFILE option in shorewall.conf(5) (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). The -m option causes the MAC address of each packet source to be displayed if that information is available. @@ -2851,7 +2851,7 @@ in shorewall.conf(5) (shorewall6.conf(5)) + url="/manpages/shorewall.conf.html">shorewall6.conf(5)) will be restored if that saved configuration exists and has been modified more recently than the files in /etc/shorewall. When -f is @@ -2862,7 +2862,7 @@ option was added to shorewall.conf(5) (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). When LEGACY_FASTSTART=No, the modification times of files in /etc/shorewall are compared with that of /var/lib/shorewall/firewall (the compiled script that last @@ -2881,7 +2881,7 @@ overriding the AUTOMAKE setting in shorewall.conf(5) (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). When both and are present, the result is determined by the option that appears last. @@ -2897,7 +2897,7 @@ INLINE_MATCHES is set to Yes in shorewall.conf(5) (shorewall6.conf(5)). + url="/manpages/shorewall.conf.html">shorewall6.conf(5)). The option was added in Shorewall 4.6.5 and is only meaningful when the diff --git a/Shorewall/manpages/shorewall-files.xml b/Shorewall/manpages/shorewall-files.xml index 2a8ecb380..9905ab4c2 100644 --- a/Shorewall/manpages/shorewall-files.xml +++ b/Shorewall/manpages/shorewall-files.xml @@ -901,7 +901,7 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 } or shorewall restart. This may be accomplished using the SWITCH column in shorewall-rules (5) or shorewall6-rules (5). Using + url="manpages/shorewall-rules.html">shorewall6-rules (5). Using this column requires that your kernel and iptables include Condition Match Support and you must be running Shorewall 4.4.24 or later. See the output of shorewall show 
diff --git a/Shorewall/manpages/shorewall-init.xml b/Shorewall/manpages/shorewall-init.xml index b1ef500d2..5c1139ef0 100644 --- a/Shorewall/manpages/shorewall-init.xml +++ b/Shorewall/manpages/shorewall-init.xml @@ -18,7 +18,7 @@ - /etc/init.d/shorewall-init + shorewall-init start|stop @@ -149,7 +149,7 @@ want to make both interfaces optional and set the REQUIRE_INTERFACE option to Yes in shorewall.conf (5) or shorewall6.conf (5). This + url="/manpages/shorewall.conf.html">shorewall6.conf (5). This causes the firewall to remain stopped until at least one of the interfaces comes up. diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml index 52acc7a7f..7e5a43c61 100644 --- a/Shorewall/manpages/shorewall-interfaces.xml +++ b/Shorewall/manpages/shorewall-interfaces.xml @@ -155,7 +155,7 @@ loc eth2 - Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo' interface, then that zone must be defined as type in shorewall6-zones(5). + url="/manpages/shorewall-zones.html">shorewall6-zones(5). diff --git a/Shorewall/manpages/shorewall-logging.xml b/Shorewall/manpages/shorewall-logging.xml index bbd0e3e23..e1e04055a 100644 --- a/Shorewall/manpages/shorewall-logging.xml +++ b/Shorewall/manpages/shorewall-logging.xml @@ -276,7 +276,7 @@ By setting the LOGTAGONLY option to Yes in shorewall.conf(5) or shorewall6.conf(5), the + url="/manpages/shorewall.conf.html">shorewall6.conf(5), the disposition ('DROP' in the above example) will be omitted. Consider the following rule: @@ -373,7 +373,7 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net Beginning with Shorewall 4.6.4, you can configure the backend using the LOG_BACKEND option in shorewall.conf(5) and shorewall6.conf(5). + url="manpages/shorewall.conf.html">shorewall6.conf(5). diff --git a/Shorewall/manpages/shorewall-nat.xml b/Shorewall/manpages/shorewall-nat.xml index c57e1d94a..341056318 100644 --- a/Shorewall/manpages/shorewall-nat.xml 
+++ b/Shorewall/manpages/shorewall-nat.xml @@ -35,7 +35,7 @@ in many cases, Proxy ARP (shorewall-proxyarp(5)) or Proxy-NDP(shorewall6-proxyndp(5)) + url="/manpages/shorewall-proxyndp.html">shorewall6-proxyndp(5)) is a better solution that one-to-one NAT. diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index ff7fffd46..3e7202c8a 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml @@ -545,7 +545,7 @@ the ip6tables-target as a builtin action in shorewall-actions(5). + url="/manpages/shorewall-actions.html">shorewall-actions(5). If you specify REJECT as the diff --git a/docs/Accounting.xml b/docs/Accounting.xml index 6e3663547..62635fabc 100644 --- a/docs/Accounting.xml +++ b/docs/Accounting.xml @@ -54,9 +54,7 @@ tcpflags and maclist. The columns in the accounting file are described in shorewall-accounting (5) - and shorewall6-accounting + url="manpages/shorewall-accounting.html">shorewall-accounting (5). In all columns except ACTION and CHAIN, the values -, diff --git a/docs/Actions.xml b/docs/Actions.xml index c591be9df..6763960ba 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -499,16 +499,12 @@ REDIRECT net - tcp 80 - 1.2.3.4 Mangle Actions Beginning with Shorewall 5.0.7, actions may be used in shorewall-mangle(5) and - shorewall6-mangle(5). + url="manpages/shorewall-mangle.html">shorewall-mangle(5). Because the rules and mangle files have different column layouts, actions can be defined to be used in one file or the other but not in both. To designate an action to be used in the mangle file, specify the option in the action's entry in shorewall-actions(5) or - shorewall6-actions(5). + url="manpages/shorewall-actions.html">shorewall-actions(5). To create a mangle action, follow the steps in the preceding section, but use the diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index afc5cc522..e3f2845d3 100644 --- a/docs/Documentation_Index.xml 
+++ b/docs/Documentation_Index.xml @@ -45,11 +45,7 @@ - IPv4 Manpages - - - - IPv6 Manpages + Manpages diff --git a/docs/IPv6Support.xml b/docs/IPv6Support.xml index 61a437eca..1bb237d73 100644 --- a/docs/IPv6Support.xml +++ b/docs/IPv6Support.xml @@ -178,7 +178,7 @@ Set KEEP_RT_TABLES=No in shorewall.conf(5) and set KEEP_RT_TABLES=Yes in shorewall6.conf(5). + url="manpages/shorewall.conf.html">shorewall6.conf(5). @@ -469,9 +469,9 @@ ACCEPT net:wlan0:<2002:ce7c:92b4::3> $FW tcp 22 The Linux IPv6 stack does not support balancing (multi-hop) routes. Thehe and options in shorewall6-providers(5) + url="manpages/shorewall-providers.html">shorewall6-providers(5) and USE_DEFAULT_RT=Yes in shorewall6.conf(5) are + url="manpages/shorewall.conf.html">shorewall6.conf(5) are supported, but at most one provider can have the option and at most one provider can have the option. diff --git a/docs/ISO-3661.xml b/docs/ISO-3661.xml index 5aaad88da..4f7bcfdfd 100644 --- a/docs/ISO-3661.xml +++ b/docs/ISO-3661.xml @@ -84,7 +84,7 @@ any future ability to install the database at another location, Shorewall supports a GEOIPDIR option in shorewall.conf (5) and shorewall6.conf (5). The + url="manpages/shorewall.conf.html">shorewall6.conf (5). The default value of that option is /usr/share/xt_geoip/LE. diff --git a/docs/Manpages.xml b/docs/Manpages.xml index 5667aecc0..695819ea3 100644 --- a/docs/Manpages.xml +++ b/docs/Manpages.xml @@ -131,9 +131,8 @@ proxyarp - Define Proxy ARP (IPv4) - proxyndp - Define - Proxy NDP (IPv6) + proxyndp + - Define Proxy NDP (IPv6) rtrules - Define routing rules. @@ -179,7 +178,7 @@ values for global Shorewall options. shorewall6.conf - Specify + url="manpages/shorewall.conf.html">shorewall6.conf - Specify values for global Shorewall6 options. shorewall - /sbin/shorewall, /sbin/shorewall6/, /sbin/shorewall-lite and - /sbin/shorewall6-line command syntax and semantics. + /sbin/shorewall6-lite command syntax and semantics. 
diff --git a/docs/Manpages6.xml b/docs/Manpages6.xml deleted file mode 100644 index 8dd027b3d..000000000 --- a/docs/Manpages6.xml +++ /dev/null @@ -1,182 +0,0 @@ - - -
- - - - Shorewall6 5.0 Manpages - - - - Tom - - Eastep - - - - - - - 2007-2014 - - Thomas M. Eastep - - - - Permission is granted to copy, distribute and/or modify this - document under the terms of the GNU Free Documentation License, Version - 1.2 or any later version published by the Free Software Foundation; with - no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled - GNU Free Documentation - License. - - - - - These manpages are for Shorewall6 5.0 and later only. They describe - features and options not available on earlier releases.The manpages for - Shorewall 4.4-4.6 are available here. - - -
- Section 5 — Files and Concepts - -
- - accounting - Define - IP accounting rules. - - actions - - Declare user-defined actions. - - blrules - - shorewall6 Blacklist file. - - conntrack - Specify - helpers for connections or exempt certain traffic from netfilter - connection tracking. - - exclusion - - Excluding hosts from a network or zone - - hosts - - Define multiple zones accessed through a single interface - - interfaces - Define - the interfaces on the system and optionally associate them with - zones. - - maclist - - Define MAC verification. - - mangle - - Supersedes tcrules and describes packet/connection marking. - - masq - - Define Masquerade/SNAT - - modules - - Specify which kernel modules to load. - - nat - - (added in Shorewall 4.6.4) Specify 1:1 NAT - - nesting - - How to define nested zones. - - params - - Assign values to shell variables used in other files. - - policy - - Define high-level policies for connections between zones. - - providers - Define - routing tables, usually for multiple Internet links. - - proxyndp - Defines - Proxy NDP - - rtrules - - Define routing rules. - - routes - - (Added in Shorewall 4.4.15) Add additional routes to provider routing - tables. - - rules - - Specify exceptions to policies, including DNAT and REDIRECT. - - secmarks - Attached - an SELinux context to a packet. - - stoppedrules - - Specify connections to be permitted when Shorewall6 is in the stopped - state (Added in Shoreall 4.5.8). - - tcclasses - Define - htb classes for traffic shaping. - - tcdevices - Specify - speed of devices for traffic shaping. - - tcinterfaces - - Specify interfaces for simplified traffic shaping. - - tcpri - - Classify traffic for simplified traffic shaping. - - tunnels - - Define VPN connections with endpoints on the firewall. - - shorewall6.conf - Specify - values for global Shorewall6 options. - - shorewall6-lite.conf - - Specify values for global Shorewall6 Lite options. - - vardir - - Redefine the directory where Shorewall6 keeps its state - information. 
- - vardir-lite - - Redefine the directory where Shorewall6 Lite keeps its state - information. - - zones - - Declare Shorewall6 zones. - -
-
- -
- Section 8 — Administrative Commands - -
- - shorewall6 - - /sbin/shorewall6 command syntax and semantics. - - shorewall6-lite - - /sbin/shorewall6-lite command syntax and semantics. - -
-
-
diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml index 6dc1f4366..73e374559 100644 --- a/docs/PacketMarking.xml +++ b/docs/PacketMarking.xml @@ -63,8 +63,7 @@ ethereal or any other packet sniffing program. They can be seen in an iptables/ip6tables trace -- see the iptrace command in shorewall(8) and shorewall6(8). + url="manpages/shorewall.html">shorewall(8). Example (output has been folded for display ): diff --git a/docs/ProxyARP.xml b/docs/ProxyARP.xml index 396ba47b1..fe8f6446f 100644 --- a/docs/ProxyARP.xml +++ b/docs/ProxyARP.xml @@ -311,7 +311,7 @@ shorewall start The configuration file is /etc/shorewall6/proxyndp (see shorewall6-proxyndp + url="manpages/shorewall-proxyndp.html">shorewall6-proxyndp (5)). diff --git a/docs/SharedConfig.xml b/docs/SharedConfig.xml index 597322687..41a05e337 100644 --- a/docs/SharedConfig.xml +++ b/docs/SharedConfig.xml @@ -348,7 +348,7 @@ ZONE_BITS=0 # For information about the settings in this file, type "man shorewall6.conf" # # Manpage also online at -# http://www.shorewall.net/manpages6/shorewall6.conf.html +# http://www.shorewall.net/manpages/shorewall.conf.html ############################################################################### # S T A R T U P E N A B L E D ############################################################################### diff --git a/docs/ipsets.xml b/docs/ipsets.xml index 825fd1329..b91be93bf 100644 --- a/docs/ipsets.xml +++ b/docs/ipsets.xml @@ -28,6 +28,8 @@ 2017 + 2019 + Thomas M. Eastep @@ -182,7 +184,7 @@ ACCEPT net:+sshok $FW tcp 22 together with the ipsets supporting dynamic zones are saved. Shorewall6 support for the SAVE_IPSETS option was also added in 4.6.4. When SAVE_IPSETS=Yes in shorewall6.conf(5), only ipv6 + url="manpages/shorewall.conf.html">shorewall6.conf(5), only ipv6 ipsets are saved. For Shorewall, if SAVE_IPSETS=ipv4 in shorewall.conf(5), then only ipv4 ipsets are saved. Both features require ipset version 5 or 
@@ -201,9 +203,9 @@ ACCEPT net:+sshok $FW tcp 22 Ipset support in Shorewall6 was added in Shorewall 4.4.21. Beginning with Shorewall 4.6.4, SAVE_IPSETS is available in shorewall6-conf(5). When set - to Yes, the ipv6 ipsets will be saved. You can also save selective ipsets - by setting SAVE_IPSETS to a comma-separated list of ipset names. + url="manpages/shorewall.conf.html">shorewall6-conf(5). When set to + Yes, the ipv6 ipsets will be saved. You can also save selective ipsets by + setting SAVE_IPSETS to a comma-separated list of ipset names. Prior to Shorewall 4.6.4, SAVE_IPSETS=Yes in shorewall.conf(5) won't work @@ -221,7 +223,7 @@ ACCEPT net:+sshok $FW tcp 22 If you configure SAVE_IPSETS in shorewall.conf(5) and/or shorewall6.conf(5) then do - not set SAVE_IPSETS in shorewall-init. + url="manpages/shorewall.conf.html">shorewall6.conf(5) then do not + set SAVE_IPSETS in shorewall-init. diff --git a/docs/shorewall_logging.xml b/docs/shorewall_logging.xml index 7d51de586..833783770 100644 --- a/docs/shorewall_logging.xml +++ b/docs/shorewall_logging.xml @@ -431,7 +431,7 @@ sync=1 Beginning with Shorewall 4.6.4, you can configure the backend using the LOG_BACKEND option in shorewall.conf(5) and shorewall6.conf(5). + url="manpages/shorewall.conf.html">shorewall6.conf(5).
@@ -477,7 +477,7 @@ sync=1 By setting the LOGTAGONLY option to Yes in shorewall.conf(5) or shorewall6.conf(5), the + url="manpages/shorewall.conf.html">shorewall6.conf(5), the disposition ('DROP' in the above example) will be omitted. Consider the following rule: @@ -511,7 +511,7 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net shorewall.conf(5) and shorewall6.conf(5) have a + url="manpages/shorewall.conf.html">shorewall6.conf(5) have a number of options whose values are log levels. Beginning with Shorewall 5.0.0, these specifcations may include a log tag as described above. diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml index b85e14899..c7579cd4b 100644 --- a/docs/traffic_shaping.xml +++ b/docs/traffic_shaping.xml @@ -1049,7 +1049,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - Set TC_ENABLED=Shared in shorewall6.conf + url="manpages/shorewall.conf.html">shorewall6.conf (5). diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml index d5ffa2f74..6070cdcba 100644 --- a/docs/upgrade_issues.xml +++ b/docs/upgrade_issues.xml @@ -771,7 +771,7 @@ If your /etc/shorewall/params (or /etc/shorewall6/params) + url="manpages/shorewall-params.html">/etc/shorewall6/params) file sends output to Standard Output, you need to be aware that the output will be redirected to Standard Error beginning with Shorewall 4.4.16. @@ -782,7 +782,7 @@ deprecated. With EXPORTPARAMS=No, the variables set by /etc/shorewall/params (/etc/shorewall6/params) + url="manpages/shorewall-params.html">/etc/shorewall6/params) at compile time are now available in the compiled firewall script. From 77cad81ba7ec1c93fa76f611fb1baaf21a54296b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 20 Dec 2019 13:33:39 -0800 Subject: [PATCH 4/7] Clean up comments Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index eb8af9dcb..1886b3088 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -536,6 +536,9 @@ our $ipset_rules; # use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 }; +# +# Chain optimization flags +# use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 }; our %dscpmap = ( CS0 => 0x00, @@ -1422,7 +1425,7 @@ sub compatible( $$ ) { } } # - # Don't combine chains where each specifies + # Don't combine rules where each specifies # -m policy and the policies are different # or when one specifies # -m multiport From 08da235896817645f5fdb5557440d7aad2c0f59a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 23 Dec 2019 10:02:48 -0800 Subject: [PATCH 5/7] Correct IPv6 Address Range parsing Previously, such ranges were required to be of the form [-] rather than the more standard form []-[]. In the snat file (and in nat actions), the latter form was actually flagged as an error while in other contexts, it resulted in a less obvious error being raised. With this change, both forms are accepted. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 4 ++++ Shorewall/Perl/Shorewall/Nat.pm | 4 ++-- Shorewall/Perl/Shorewall/Rules.pm | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 1886b3088..52864485f 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -7655,11 +7655,13 @@ sub isolate_source_interface( $ ) { ) { $iiface = $1; $inets = $2; + $inets =~ s/\]-\[/-/; } elsif ( $source =~ /:/ ) { if ( $source =~ /^\[(?:.+),\[(?:.+)\]$/ ){ $inets = $source; } elsif ( $source =~ /^\[(.+)\]$/ ) { $inets = $1; + $inets =~ s/\]-\[/-/; } else { $inets = $source; } 
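Review bot: The new `$inets =~ s/\]-\[/-/;` normalisation is unanchored and non-global, so a value such as `a]-[b]-[c` (what `[a]-[b]-[c]` becomes after the outer brackets are stripped) is only partly rewritten and the leftover brackets are passed on to the range split `^(.+)-(.+)$`; in `process_one_masq1` and `process_snat1` that still reaches `validate_range`, but in `handle_nat_rule` the pieces go straight into `$addr1`/`$addr2` and whatever checks follow are outside the hunk. A one-line guard after the substitution at the Nat.pm and Rules.pm sites would make the rejection explicit and reuse the existing message, `fatal_error "Invalid IPv6 Address ($addr)" if $addr =~ /[\[\]]/;`, rather than relying on a later, less specific failure. The same substitution is repeated verbatim in six places (this hunk, the two `isolate_dest_interface` hunks at -7777 and -7792, Nat.pm -316 and -930, Rules.pm -5767), so a small shared helper carrying the comment `# Accept both '[a-b]' and '[a]-[b]' IPv6 range forms by rewriting the latter to the former` would keep them consistent and document why the rewrite exists. The `if` whose condition begins before this hunk is only partly visible, and isolate_source_interface continues past it.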
@@ -7777,6 +7779,7 @@ sub isolate_dest_interface( $$$$ ) { if ( $dest =~ /^(.+?):(\[(?:.+),\[(?:.+)\])$/ ) { $diface = $1; $dnets = $2; + $dnets =~ s/\]-\[/-/; } elsif ( $dest =~ /^(.+?):\[(.+)\]\s*$/ || $dest =~ /^(.+?):(!?\+.+)$/ || $dest =~ /^(.+?):(!?[&%].+)$/ || @@ -7789,6 +7792,7 @@ sub isolate_dest_interface( $$$$ ) { $dnets = $dest; } elsif ( $dest =~ /^\[(.+)\]$/ ) { $dnets = $1; + $dnets =~ s/\]-\[/-/; } else { $dnets = $dest; } diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index ea8221d85..639617f51 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm @@ -316,9 +316,9 @@ sub process_one_masq1( $$$$$$$$$$$ ) fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/; $addr = $1; + $addr =~ s/\]-\[/-/; if ( $addr =~ /^(.+)-(.+)$/ ) { - fatal_error "Correct address range syntax is '[-]'" if $addr =~ /]-\[/; validate_range( $1, $2 ); } else { validate_address $addr, 0; @@ -930,7 +930,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) { if ( $server =~ /^\[(.+)\]$/ ) { $server = $1; - fatal_error "Correct address range syntax is '[-]'" if $server =~ /]-\[/; + $server =~ s/\]-\[/-/; assert( $server =~ /^(.+)-(.+)$/ ); ( $addr1, $addr2 ) = ( $1, $2 ); } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 32049fabd..1382f86ee 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -5767,9 +5767,9 @@ sub process_snat1( $$$$$$$$$$$$ ) { fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/; $addr = $1; + $addr =~ s/\]-\[/-/; if ( $addr =~ /^(.+)-(.+)$/ ) { - fatal_error "Correct address range syntax is '[-]'" if $addr =~ /]-\[/; validate_range( $1, $2 ); } else { validate_address $addr, 0; From c9eb4435747b4aa0d3dc1b4aff7d967841a2f20f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 29 Jan 2020 10:41:55 -0800 Subject: [PATCH 6/7] Add targetname files 
Signed-off-by: Tom Eastep --- Shorewall-lite/Shorewall-lite-targetname | 0 Shorewall/Shorewall-targetname | 0 Shorewall6-lite/Shorewall-lite6-lite-targetname | 0 Shorewall6/Shorewall6-targetname | 0 docs/docs-targetname | 0 docs/images/docs-images-targetname | 0 6 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 Shorewall-lite/Shorewall-lite-targetname create mode 100644 Shorewall/Shorewall-targetname create mode 100644 Shorewall6-lite/Shorewall-lite6-lite-targetname create mode 100644 Shorewall6/Shorewall6-targetname create mode 100644 docs/docs-targetname create mode 100644 docs/images/docs-images-targetname diff --git a/Shorewall-lite/Shorewall-lite-targetname b/Shorewall-lite/Shorewall-lite-targetname new file mode 100644 index 000000000..e69de29bb diff --git a/Shorewall/Shorewall-targetname b/Shorewall/Shorewall-targetname new file mode 100644 index 000000000..e69de29bb diff --git a/Shorewall6-lite/Shorewall-lite6-lite-targetname b/Shorewall6-lite/Shorewall-lite6-lite-targetname new file mode 100644 index 000000000..e69de29bb diff --git a/Shorewall6/Shorewall6-targetname b/Shorewall6/Shorewall6-targetname new file mode 100644 index 000000000..e69de29bb diff --git a/docs/docs-targetname b/docs/docs-targetname new file mode 100644 index 000000000..e69de29bb diff --git a/docs/images/docs-images-targetname b/docs/images/docs-images-targetname new file mode 100644 index 000000000..e69de29bb From 093e55083c44ade739ed73372d620253df59ad65 Mon Sep 17 00:00:00 2001 From: Matt Darfeuille Date: Thu, 14 Nov 2019 11:35:02 +0100 Subject: [PATCH 7/7] Ignore empty target files Signed-off-by: Matt Darfeuille Signed-off-by: Tom Eastep --- .gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 000000000..6977c13d4 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +*targetname