From 8fdebf0c38b3836680b624e442d4aa308fc901fd Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 13 Sep 2009 08:09:40 -0700
Subject: [PATCH] Add new columns to macros
---
 Shorewall/Macros/macro.template | 96 +++++++++++++++++++-
 Shorewall/Perl/Shorewall/Rules.pm | 27 +++---
 Shorewall/changelog.txt | 2 +
 Shorewall/releasenotes.txt | 10 +++
 docs/Macros.xml | 145 ++++++++++++++++++++++++++++++
 5 files changed, 265 insertions(+), 15 deletions(-)
diff --git a/Shorewall/Macros/macro.template b/Shorewall/Macros/macro.template
index 130517212..215405306 100644
--- a/Shorewall/Macros/macro.template
+++ b/Shorewall/Macros/macro.template
@@ -269,7 +269,7 @@
 # an action. See 'man shorewall-rules'.
 #
 # RATE LIMIT You may rate-limit the rule by placing a value in
-# this colume:
+# this column:
 #
 # /[:]
 #
@@ -304,6 +304,100 @@
 # #removed from Netfilter in kernel
 # #version 2.6.14).
 #
+# MARK Specifies a MARK value to match. Must be empty or
+# '-' if the macro is to be used within an action.
+#
+# [!]value[/mask][:C]
+#
+# Defines a test on the existing packet or connection
+# mark. The rule will match only if the test returns
+# true.
+#
+# If you don't want to define a test but need to
+# specify anything in the following columns,
+# place a "-" in this field.
+#
+# !
+#
+# Inverts the test (not equal)
+#
+# value
+#
+# Value of the packet or connection mark.
+#
+# mask
+#
+# A mask to be applied to the mark before
+# testing.
+#
+# :C
+#
+# Designates a connection mark. If omitted, the
+# packet mark's value is tested.
+#
+# CONNLIMIT Must be empty or '-' if the macro is to be used within
+# an action.
+#
+# [!]limit[:mask]
+#
+# May be used to limit the number of simultaneous
+# connections from each individual host to limit
+# connections. Requires connlimit match in your kernel
+# and iptables. While the limit is only checked on rules
+# specifying CONNLIMIT, the number of current connections
+# is calculated over all current connections from the
+# SOURCE host. By default, the limit is applied to each
+# host but can be made to apply to networks of hosts by
+# specifying a mask. The mask specifies the width of a
+# VLSM mask to be applied to the source address; the
+# number of current connections is then taken over all
+# hosts in the subnet source-address/mask. When ! is
+# specified, the rule matches when the number of
+# connection exceeds the limit.
+#
+# TIME Must be empty or '-' if the macro is to be used within
+# an action.
+#
+#
+# [&...]
+#
+# timeelement may be:
+#
+# timestart=hh:mm[:ss]
+#
+# Defines the starting time of day.
+#
+# timestop=hh:mm[:ss]
+#
+# Defines the ending time of day.
+#
+# utc
+#
+# Times are expressed in Greenwich Mean
+# Time.
+#
+# localtz
+#
+# Times are expressed in Local Civil Time
+# (default).
+#
+# weekdays=ddd[,ddd]...
+#
+# where ddd is one of Mon, Tue, Wed, Thu,
+# Fri, Sat or Sun
+#
+# monthdays=dd[,dd],...
+#
+# where dd is an ordinal day of the month#
+#
+# datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+# Defines the starting date and time.
+#
+# datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+# Defines the ending date and time.
+#
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index cb3187d75..b06acedba 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -852,12 +852,13 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 while ( read_a_line ) {
- my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
+ my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime);
 if ( $format == 1 ) {
- ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
+ ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
+ ( $morigdest, $mmark, $mconnlimit, $mtime ) = qw/- - - -/;
 } else {
- ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+ ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime ) = split_line1 1, 12, 'macro file', $macro_commands;
 }
 if ( $mtarget eq 'COMMENT' ) {
@@ -871,8 +872,6 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 next;
 }
- fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
-
 $mtarget = merge_levels $target, $mtarget;
 if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
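Review bot: The `datestart`/`datestop` syntax added here, `datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]`, does not agree with the docs/Macros.xml hunk in this same commit, which gives `yyyy[-mm[-dd[hh[:mm[:ss]]]]]` without the `T` date/time separator, so one of the two will mislead anyone writing a TIME entry; the form with `T` is what the iptables time match expects, so the XML is the one to correct. Two smaller slips in the added text: `where dd is an ordinal day of the month#` carries a stray trailing `#`, and `when the number of connection exceeds the limit` should read `connections`. The release notes in this commit say the three columns exist only in FORMAT-2 macro bodies, and the Rules.pm change reads them only on the non-format-1 path, so the template should say so once, e.g. under the MARK heading: `Available only in FORMAT-2 macro files.`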
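Review bot: Dropping `fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;` leaves the format-1 branch with no visible rejection of a ninth column; `split_line1 1, 8, 'macro file', $macro_commands` now carries that duty, which is only adequate if split_line1 raises when a line has more than its maximum column count rather than discarding the surplus (its body is not in the hunk, so I cannot confirm). If it merely pads or truncates, a mis-aligned legacy macro line is now accepted silently with its extra field dropped, i.e. the generated firewall rule quietly differs from what the macro author wrote. Separately, the template, release notes and docs in this commit all say MARK, CONNLIMIT and TIME `must be empty or '-' if the macro is to be used within an action`, yet neither Rules.pm hunk enforces it; if process_macro can tell it is expanding inside an action (its fifteen parameters are outside the hunk, so I cannot see), a `fatal_error` on a non-`-` value in `$mmark`, `$mconnlimit` or `$mtime` there would turn the documented misuse into a configuration-compile error instead of an unexpectedly scoped rule. process_macro begins before this hunk.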
@@ -918,15 +917,15 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 $mtarget,
 $msource,
 $mdest,
- merge_macro_column( $mproto, $proto ) ,
- merge_macro_column( $mports, $ports ) ,
- merge_macro_column( $msports, $sports ) ,
- merge_macro_column( $morigdest, $origdest ) ,
- merge_macro_column( $mrate, $rate ) ,
- merge_macro_column( $muser, $user ) ,
- $mark,
- $connlimit,
- $time,
+ merge_macro_column( $mproto, $proto ) ,
+ merge_macro_column( $mports, $ports ) ,
+ merge_macro_column( $msports, $sports ) ,
+ merge_macro_column( $morigdest, $origdest ) ,
+ merge_macro_column( $mrate, $rate ) ,
+ merge_macro_column( $muser, $user ) ,
+ merge_macro_column( $mmark, $mark ) ,
+ merge_macro_column( $mconnlimit, $connlimit) ,
+ merge_macro_column( $mtime, $time ),
 $wildcard
 );
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index ccc9c1858..d9d699524 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -22,6 +22,8 @@ Changes in Shorewall 4.4.2
 10) Add - to 'ip route del default' command.
+11) Add three new columns to macro body.
+
 Changes in Shorewall 4.4.1
 1) Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 13b9756f7..d5d75138f 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -233,6 +233,16 @@ None.
 off (including any white-space preceding the '#'). Then if the line
 ends with '\', it is treated as a continuation line as normal.
+2) Three new columns have been added to FORMAT-2 macro bodies.
+
+ MARK
+ CONNLIMIT
+ TIME
+
+ These three columns correspond to the similar columns in
+ /etc/shorewall/rules and must be empty in macros invoked from an
+ action.
+
 ----------------------------------------------------------------------------
 N E W F E A T U R E S I N 4 . 4 . 0
 ----------------------------------------------------------------------------
diff --git a/docs/Macros.xml b/docs/Macros.xml
index f32323fa8..755057fe7 100644
--- a/docs/Macros.xml
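Review bot: `merge_macro_column( $mmark, $mark )`, and likewise the CONNLIMIT and TIME lines, now merge a match that was previously passed through from the invocation untouched; if merge_macro_column lets one side silently win when both the macro body and the invoking rule supply a value (its body is outside this hunk, so I am inferring), a mark, connection-limit or time test written by the macro author can be dropped or replaced with no diagnostic, and the generated rule then matches a different set of packets than either file states. Unless merge_macro_column already reports that conflict, these three columns should raise a `fatal_error` when both sides are non-`-`, since a silently altered match on a firewall rule is a policy change rather than a cosmetic one. On style, six of the nine replaced lines appear identical to the lines they replace apart from whitespace (indentation is collapsed in this view), which buries the three real changes in the diff, and the spacing differs between `merge_macro_column( $mconnlimit, $connlimit) ,` and `merge_macro_column( $mtime, $time ),`. The call this argument list belongs to starts and ends outside the hunk.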
+++ b/docs/Macros.xml 
@@ -554,6 +554,151 @@ ACCEPT fw loc tcp 135,139,445 2.6.14). + + + MARK - (Added in Shorewall-4.4.2) Defines a test on the existing + packet or connection mark. The rule will match only if the test + returns true. Must be empty or '-' if the macro is to be used within + an action. + + [!]value[/mask][:C] + + + + ! + + + Inverts the test (not equal) + + + + + value + + + Value of the packet or connection mark. + + + + + mask + + + A mask to be applied to the mark before testing. + + + + + :C + + + Designates a connection mark. If omitted, the # packet + mark's value is tested. + + + + + + + CONNLIMIT - (Added in Shorewall-4.4.2) Must be empty or '-' if + the macro is to be used within an action. + + [!]limit[:mask] + + May be used to limit the number of simultaneous connections from + each individual host to limit connections. Requires connlimit match in + your kernel and iptables. While the limit is only checked on rules + specifying CONNLIMIT, the number of current connections is calculated + over all current connections from the SOURCE host. By default, the + limit is applied to each host but can be + made to apply to networks of hosts by specifying a + mask. The mask specifies the width of a + VLSM mask to be applied to the source address; the number of current + connections is then taken over all hosts in the subnet + source-address/mask. + When ! is specified, the rule matches when the number of connection + exceeds the limit. + + + + TIME - (Added in Shorewall-4.4.2) Must be empty or '-' if the + macro is to be used within an action. + + <timeelement>[&...] + + timeelement may be: + + + + timestart=hh:mm[:ss] + + + Defines the starting time of day. + + + + + timestop=hh:mm[:ss] + + + Defines the ending time of day. + + + + + utc + + + Times are expressed in Greenwich Mean Time. + + + + + localtz + + + Times are expressed in Local Civil Time (default). + + + + + weekdays=ddd[,ddd]... 
+ + + where ddd is one of + , , + , , + , or + + + + + + monthdays=dd[,dd],... + + + where dd is an ordinal day of + the month + + + + + datestart=yyyy[-mm[-dd[hh[:mm[:ss]]]]] + + + Defines the starting date and time. + + + + + datestop=yyyy[-mm[-dd[hh[:mm[:ss]]]]] + + + Defines the ending date and time. + + + + Omitted column entries should be entered using a dash ("-:).