diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 121bf76b6..1e1394283 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,4 +1,4 @@ -Changes in 3.1.0 +Changes in 3.1.x. 1) Removal of dynamic zones. @@ -16,3 +16,5 @@ Changes in 3.1.0 7) Remove some restrictions on remote compiles. 8) Add error checking to generated script. + +9) Merge Fabio Longerai's 'length' patch. diff --git a/Shorewall/firewall b/Shorewall/firewall index 34dc65357..be60c98f2 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -3656,6 +3656,11 @@ process_tc_rule() esac fi + if [ "x${length:=-}" != "x-" ]; then + [ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\"" + r="${r}-m length --length ${length} " + fi + multiport= case $proto in @@ -3853,9 +3858,9 @@ setup_tc1() { # strip_file tcrules - while read mark sources dests proto ports sports user testval; do - expandv mark sources dests proto ports sports user testval - rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval") + while read mark sources dests proto ports sports user testval length; do + expandv mark sources dests proto ports sports user testval length + rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length") process_tc_rule done < $TMP_DIR/tcrules # @@ -4320,9 +4325,9 @@ refresh_tc() { # strip_file tcrules - while read mark sources dests proto ports sports user testval; do - expandv mark sources dests proto ports sports user testval - rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval") + while read mark sources dests proto ports sports user testval length; do + expandv mark sources dests proto ports sports user testval length + rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length") process_tc_rule done < $TMP_DIR/tcrules else diff --git a/Shorewall/functions b/Shorewall/functions index 72d7d8b35..6cba9e79a 100755 
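Review bot: In the process_tc_rule hunk, `$length` is appended to the iptables argument string with no shape check, so a malformed LENGTH column (non-numeric text, a stray extra field) only fails later as an iptables parse error at run time instead of as a compile-time configuration error naming the field. The surrounding code already uses fatal_error for this column, so a POSIX `case` pattern check inside the new `if` would close that gap: `case $length in *[!0-9:]*|:*|*:|*:*:*) fatal_error "Invalid LENGTH ($length) in rule: \"$rule\"" ;; esac`. Separately, `${length:=-}` assigns "-" back into `length` as a side effect of the test; `${length:--}` would test without mutating, unless the variable is deliberately reused later in the function, which is not visible here. process_tc_rule begins and ends outside the hunk.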
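Review bot: The tcrules read loop in the setup_tc1 hunk is byte-for-byte the same as the one in the refresh_tc hunk, and this commit had to change both in lockstep to add `length`; moving the `while read ... done < $TMP_DIR/tcrules` loop into one helper that the two callers share would keep the column list in a single place the next time a column is added. Also worth a comment on the `read` line: because `length` is now the last variable, any trailing extra fields on a tcrules line are folded into it by `read` rather than rejected, so the validation of that value has to happen downstream, e.g. `# NOTE: trailing fields land in $length; process_tc_rule is responsible for rejecting anything that is not a length spec`. Both setup_tc1 and refresh_tc start outside their hunks.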
--- a/Shorewall/functions +++ b/Shorewall/functions @@ -970,6 +970,7 @@ determine_capabilities() { CONNMARK_MATCH= RAW_TABLE= IPP2P_MATCH= + LENGTH_MATCH= CLASSIFY_TARGET= ENHANCED_REJECT= @@ -984,6 +985,7 @@ determine_capabilities() { qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes + qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes qt $IPTABLES -t mangle -N fooX1234 @@ -1032,6 +1034,7 @@ report_capabilities() { report_capability "Packet Type Match" $USEPKTTYPE report_capability "Policy Match" $POLICY_MATCH report_capability "Physdev Match" $PHYSDEV_MATCH + report_capability "Packet length Match" $LENGTH_MATCH report_capability "IP range Match" $IPRANGE_MATCH report_capability "Recent Match" $RECENT_MATCH report_capability "Owner Match" $OWNER_MATCH diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 571ef3db9..cb87ab496 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 3.1.2 +Shorewall 3.1.3 Note to users upgrading from Shorewall 2.x or 3.0 
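Review bot: In the report_capabilities hunk the new label `"Packet length Match"` is cased differently from most of its neighbours ("Packet Type Match", "Policy Match", "Physdev Match"); `report_capability "Packet Length Match" $LENGTH_MATCH` follows the dominant convention. The probe added to determine_capabilities uses the range form (`--length 10:20`) in the filter-table test chain, which is sufficient because the same match module serves the single-value and range forms used from the mangle table by tcrules; a short comment saying so next to the probe, e.g. `# length match is table-independent; the tcrules (mangle) path relies on this result`, would save the next reader from wondering. If the capability set is also persisted or exported for remote compilation (not visible in this diff), LENGTH_MATCH needs adding there too, otherwise remotely compiled scripts will never see it set. determine_capabilities and report_capabilities both extend beyond their hunks.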
@@ -26,18 +26,10 @@ Note to users upgrading from Shorewall 2.x or 3.0 Please see the "Migration Considerations" below for additional upgrade information. -Changes in 3.1.2 +New Features in 3.1.3 -1) With the execption of 'detectnets', the restrictions on remote compilation - (compile on one system and execute on nother) have been removed. It is - doubtful that the 'detectnets' restriction will ever be lifted. - -2) The compiled script now contains the same error checking as would be done - during "shorewall [re]start" -- if an error occurs, a 'restore' or 'stop' - is done (requires that Shorewall be installed on the target system). - -3) The '-e' option now follows "compile" or "generate" on the command line - (it is specific to those commands). +1) A LENGTH column has been added to the /etc/shorewall/tcrules file to allow + packet marking by packet length. Patch courtesy of Fabio Longerai. Migration Considerations: diff --git a/Shorewall/tcrules b/Shorewall/tcrules index f0aaa1840..899010bc7 100755 --- a/Shorewall/tcrules +++ b/Shorewall/tcrules 
@@ -162,10 +162,23 @@ # omitted, the packet mark's value is # tested. # +# If you don't want to define a test but need to specify +# anything in the following columns, place a "-" in this +# field. +# +# LENGTH (Optional) Packet Length. This field, if present +# allow you to match the length of a packet against +# a specific value or range of values. You must have +# iptables length support for this to work. If you let +# it empy or place an "-" here, no length match will be +# done. +# +# Examples: 1024, 64:1500 +# # See http://shorewall.net/traffic_shaping.htm for additional information. # For usage in selecting among multiple ISPs, see # http://shorewall.net/Shorewall_and_Routing.html ############################################################################### -#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST +#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH # PORT(S) #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
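Review bot: The new LENGTH comment block in the tcrules hunk carries several wording slips that will be copied into every installed configuration: `allow you to match` should read `allows you to match`, `If you let it empy or place an "-" here` should read `If you leave it empty or place a "-" here`, and `This field, if present` wants a comma after `present`. It would also help to state the accepted forms in one sentence next to the examples rather than leaving the reader to infer them, e.g. `# A single packet length (1024) or a min:max range (64:1500).`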