Merge Fabio Longerai's LENGTH patch
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3296 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
5083f753c4
commit
9325925aef
@ -1,4 +1,4 @@
|
||||
Changes in 3.1.0
|
||||
Changes in 3.1.x.
|
||||
|
||||
1) Removal of dynamic zones.
|
||||
|
||||
@ -16,3 +16,5 @@ Changes in 3.1.0
|
||||
7) Remove some restrictions on remote compiles.
|
||||
|
||||
8) Add error checking to generated script.
|
||||
|
||||
9) Merge Fabio Longerai's 'length' patch.
|
||||
|
@ -3656,6 +3656,11 @@ process_tc_rule()
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ "x${length:=-}" != "x-" ]; then
|
||||
[ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\""
|
||||
r="${r}-m length --length ${length} "
|
||||
fi
|
||||
|
||||
multiport=
|
||||
|
||||
case $proto in
|
||||
@ -3853,9 +3858,9 @@ setup_tc1() {
|
||||
#
|
||||
strip_file tcrules
|
||||
|
||||
while read mark sources dests proto ports sports user testval; do
|
||||
expandv mark sources dests proto ports sports user testval
|
||||
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval")
|
||||
while read mark sources dests proto ports sports user testval length; do
|
||||
expandv mark sources dests proto ports sports user testval length
|
||||
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length")
|
||||
process_tc_rule
|
||||
done < $TMP_DIR/tcrules
|
||||
#
|
||||
@ -4320,9 +4325,9 @@ refresh_tc() {
|
||||
#
|
||||
strip_file tcrules
|
||||
|
||||
while read mark sources dests proto ports sports user testval; do
|
||||
expandv mark sources dests proto ports sports user testval
|
||||
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval")
|
||||
while read mark sources dests proto ports sports user testval length; do
|
||||
expandv mark sources dests proto ports sports user testval length
|
||||
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length")
|
||||
process_tc_rule
|
||||
done < $TMP_DIR/tcrules
|
||||
else
|
||||
|
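Review bot: `length` is spliced into the iptables rule at `r="${r}-m length --length ${length} "` without any check on its form, so a malformed value in the tcrules file only surfaces when iptables is eventually invoked, and the error then points at the whole rule rather than at the column. Because `length` is now the last variable in the `read` lists of setup_tc1 and refresh_tc, it also absorbs any trailing words on the line, and those would land in the rule string unquoted. A shell-pattern check before the assignment would reject anything other than digits and a range colon: `case $length in *[!0-9:]*|:) fatal_error "Invalid LENGTH ($length) in rule: \"$rule\"";; esac`. process_tc_rule, setup_tc1 and refresh_tc all begin and end outside their hunks.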
@ -970,6 +970,7 @@ determine_capabilities() {
|
||||
CONNMARK_MATCH=
|
||||
RAW_TABLE=
|
||||
IPP2P_MATCH=
|
||||
LENGTH_MATCH=
|
||||
CLASSIFY_TARGET=
|
||||
ENHANCED_REJECT=
|
||||
|
||||
@ -984,6 +985,7 @@ determine_capabilities() {
|
||||
qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
|
||||
|
||||
qt $IPTABLES -t mangle -N fooX1234
|
||||
@ -1032,6 +1034,7 @@ report_capabilities() {
|
||||
report_capability "Packet Type Match" $USEPKTTYPE
|
||||
report_capability "Policy Match" $POLICY_MATCH
|
||||
report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||
report_capability "Packet length Match" $LENGTH_MATCH
|
||||
report_capability "IP range Match" $IPRANGE_MATCH
|
||||
report_capability "Recent Match" $RECENT_MATCH
|
||||
report_capability "Owner Match" $OWNER_MATCH
|
||||
|
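Review bot: The label in `report_capability "Packet length Match" $LENGTH_MATCH` breaks the Title Case used by the neighbouring entries ("Packet Type Match", "Policy Match", "Physdev Match"); suggest `report_capability "Packet Length Match" $LENGTH_MATCH`. The detection probe in determine_capabilities follows the existing pattern of the surrounding lines, so nothing further to raise there. Both enclosing functions start and end outside the hunks.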
@ -1,4 +1,4 @@
|
||||
Shorewall 3.1.2
|
||||
Shorewall 3.1.3
|
||||
|
||||
Note to users upgrading from Shorewall 2.x or 3.0
|
||||
|
||||
@ -26,18 +26,10 @@ Note to users upgrading from Shorewall 2.x or 3.0
|
||||
Please see the "Migration Considerations" below for additional upgrade
|
||||
information.
|
||||
|
||||
Changes in 3.1.2
|
||||
New Features in 3.1.3
|
||||
|
||||
1) With the execption of 'detectnets', the restrictions on remote compilation
|
||||
(compile on one system and execute on nother) have been removed. It is
|
||||
doubtful that the 'detectnets' restriction will ever be lifted.
|
||||
|
||||
2) The compiled script now contains the same error checking as would be done
|
||||
during "shorewall [re]start" -- if an error occurs, a 'restore' or 'stop'
|
||||
is done (requires that Shorewall be installed on the target system).
|
||||
|
||||
3) The '-e' option now follows "compile" or "generate" on the command line
|
||||
(it is specific to those commands).
|
||||
1) A LENGTH column has been added to the /etc/shorewall/tcrules file to allow
|
||||
packet marking by packet length. Patch courtesy of Fabio Longerai.
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
|
@ -162,10 +162,23 @@
|
||||
# omitted, the packet mark's value is
|
||||
# tested.
|
||||
#
|
||||
# If you don't want to define a test but need to specify
|
||||
# anything in the following columns, place a "-" in this
|
||||
# field.
|
||||
#
|
||||
# LENGTH (Optional) Packet Length. This field, if present
|
||||
# allow you to match the length of a packet against
|
||||
# a specific value or range of values. You must have
|
||||
# iptables length support for this to work. If you let
|
||||
# it empy or place an "-" here, no length match will be
|
||||
# done.
|
||||
#
|
||||
# Examples: 1024, 64:1500
|
||||
#
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
# For usage in selecting among multiple ISPs, see
|
||||
# http://shorewall.net/Shorewall_and_Routing.html
|
||||
###############################################################################
|
||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH
|
||||
# PORT(S)
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
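Review bot: The new LENGTH comment block carries several wording slips that will ship to users in the template: `allow you` should read `allows you`, `empy` should read `empty`, and `an "-"` should read `a "-"`. The last sentence could be tightened to `If you leave it empty or place a "-" here, no length match is done.`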