diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli
index 975090a45..d10b600f7 100644
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -749,12 +749,8 @@ show_command() {
echo "dropBcast # Silently Drop Broadcast/multicast"
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
- echo "drop1918src # Drop packets with an RFC 1918 source address"
- echo "drop1918dst # Drop packets with an RFC 1918 original dest address"
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
- echo "rej1918src # Reject packets with an RFC 1918 source address"
- echo "rej1918dst # Reject packets with an RFC 1918 original dest address"
if [ -f ${CONFDIR}/actions ]; then
cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$'
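Review bot: The two lines that follow the shortened builtin list still expand `${CONFDIR}` and `${SHAREDIR}` unquoted in both the `[ -f ... ]` test and the `cat` command, so a configuration directory whose path contains whitespace or glob characters is word-split before it reaches `test` and `cat`. Quoting them is a two-line change: `if [ -f "${CONFDIR}/actions" ]; then` and `cat "${SHAREDIR}/actions.std" "${CONFDIR}/actions" | grep -Ev '^\#|^$'`. The builtin list itself is maintained by hand in these echo lines while the release notes in this same commit direct users to the output of `shorewall show actions` to learn which actions are builtin, so a comment such as `# Builtin actions (lower-case names); keep in step with the builtin action set the compiler accepts` above the first echo would help keep the two from drifting. The hunk header counts twelve old lines but only eleven are visible here, so one line of the hunk appears to have been lost in rendering. show_command starts and ends outside the hunk.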
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 434dfd470..26b6d8369 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -122,13 +122,16 @@ All bug fixes from 4.4.19.1 - 4.4.19.4.
the entryto be audited. 'audit' may not be specified together
with 'accept'.
- g) With the exception of 'Limit', the builtin actions
- (dropBroadcast, rejNonSyn, etc.) now support
+ g) The builtin actions (dropBroadcast, rejNonSyn, etc.) now support
an 'audit' parameter which causes all ACCEPT, DROP and REJECTs
performed by the action to be audited. This allows creation of
audited versions of the Shorewall-provided default actions
(action.Drop and action.Reject).
+ Note: The builtin actions are those actions listed in the
+ output of 'shorewall show actions' whose names begin with a
+ lower-case letter.
+
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------
diff --git a/manpages/shorewall-blacklist.xml b/manpages/shorewall-blacklist.xml
index b455cc00c..b8e9a2b48 100644
--- a/manpages/shorewall-blacklist.xml
+++ b/manpages/shorewall-blacklist.xml
@@ -78,7 +78,7 @@
OPTIONS (Optional - Added in 4.4.12) -
- {-|{dst|src|whitelist}[,...]}
+ {-|{dst|src|whitelist|audit}[,...]}
If specified, indicates whether traffic
@@ -128,6 +128,12 @@
role="bold">whitelist is specified, packets/connections
that match the entry are not matched against the remaining entries
in the file.
+
+ The audit option was also
+ added in 4.4.20 and causes packets matching the entry to be audited.
+ The audit option may not be
+ specified in whitelist entries and require AUDIT_TARGET support in
+ the kernel and iptables.
diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml
index 89323de82..118d8ce51 100644
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -173,6 +173,16 @@
+
+ A_ACCEPT, A_ACCEPT+ and A_ACCEPT!
+
+
+ Added in Shorewall 4.4.20. Audited versions of ACCEPT,
+ ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support
+ in the kernel and iptables.
+
+
+
NONAT
@@ -202,6 +212,16 @@
+
+ A_DROP and A_DROP!
+
+
+ Added in Shorewall 4.4.20. Audited versions of DROP and
+ DROP! respectively. Require AUDIT_TARGET support in the kernel
+ and iptables.
+
+
+
REJECT
@@ -221,6 +241,16 @@
+
+ A_REJECT AND A_REJECT!
+
+
+ Added in Shorewall 4.4.20. Audited versions of REJECT
+ and REJECT! respectively. Require AUDIT_TARGET support in the
+ kernel and iptables.
+
+
+
DNAT
diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml
index a243f6107..17c356c67 100644
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@@ -301,8 +301,8 @@
BLACKLIST_DISPOSITION=[DROP|REJECT]
+ role="bold">DROP|A_DROP|REJECT|A_REJECT]
This parameter determines the disposition of packets from
@@ -310,6 +310,10 @@
be dropped or REJECT if the packets are to be replied with an ICMP
port unreachable reply or a TCP RST (tcp only). If you do not assign
a value or if you assign an empty value then DROP is assumed.
+
+ A_DROP and A_REJECT are audited versions of DROP and REJECT
+ respectively and were added in Shorewall 4.4.20. They require
+ AUDIT_TARGET in the kernel and iptables.
@@ -1071,7 +1075,7 @@ net all DROP infothen the chain name is 'net2all'
MACLIST_DISPOSITION=[ACCEPT|DROP|REJECT]
+ role="bold">REJECT|A_DROP|A_REJECT]
Determines the disposition of connections requests that fail
@@ -1080,6 +1084,10 @@ net all DROP infothen the chain name is 'net2all'
or DROP (ignore the connection request). If not set or if set to the
empty value (e.g., MACLIST_DISPOSITION="") then
MACLIST_DISPOSITION=REJECT is assumed.
+
+ A_DROP and A_REJECT are audited versions of DROP and REJECT
+ respectively and were added in Shorewall 4.4.20. They require
+ AUDIT_TARGET in the kernel and iptables.
@@ -1108,8 +1116,8 @@ net all DROP infothen the chain name is 'net2all'
This problem can be worked around by setting
MACLIST_TABLE=mangle which will cause Mac verification to occur out
of the PREROUTING chain. Because REJECT isn't available in that
- environment, you may not specify MACLIST_DISPOSITION=REJECT with
- MACLIST_TABLE=mangle.
+ environment, you may not specify MACLIST_DISPOSITION=REJECT or
+ MACLIST_DISPOSITION=A_REJECT with MACLIST_TABLE=mangle.
@@ -1600,6 +1608,20 @@ net all DROP infothen the chain name is 'net2all'
+
+ SMURF_DISPOSITION=[DROP|A_DROP]
+
+
+ Added in Shorewall 4.4.20. The default setting is DROP which
+ causes smurf packets (see the nosmurfs option in shorewall-interfaces(5)) to
+ be dropped. A_DROP causes the packets to be audited prior to being
+ dropped and requires AUDIT_TARGET support in the kernel and
+ iptables.
+
+
+
SMURF_LOG_LEVEL=[log-level]
@@ -1744,7 +1766,7 @@ net all DROP infothen the chain name is 'net2all'
role="bold">TCP_FLAGS_DISPOSITION=[ACCEPT|DROP|REJECT]
+ role="bold">REJECT|A_DROP|A_REJECT]
Determines the disposition of TCP packets that fail the checks
@@ -1755,6 +1777,10 @@ net all DROP infothen the chain name is 'net2all'
response) or DROP (ignore the packet). If not set or if set to the
empty value (e.g., TCP_FLAGS_DISPOSITION="") then
TCP_FLAGS_DISPOSITION=DROP is assumed.
+
+ A_DROP and A_REJECT are audited versions of DROP and REJECT
+ respectively and were added in Shorewall 4.4.20. They require
+ AUDIT_TARGET in the kernel and iptables.
diff --git a/manpages6/shorewall6-blacklist.xml b/manpages6/shorewall6-blacklist.xml
index ac8a79ca5..a899b4424 100644
--- a/manpages6/shorewall6-blacklist.xml
+++ b/manpages6/shorewall6-blacklist.xml
@@ -78,7 +78,7 @@
OPTIONS (Optional - Added in 4.4.12) -
- {-|{dst|src|whitelist}[,...]}
+ {-|{dst|src|whitelist|audit}[,...]}
If specified, indicates whether traffic
@@ -128,6 +128,12 @@
role="bold">whitelist is specified, packets/connections
that match the entry are not matched against the remaining entries
in the file.
+
+ The audit option was also
+ added in 4.4.20 and causes packets matching the entry to be audited.
+ The audit option may not be
+ specified in whitelist entries and require AUDIT_TARGET support in
+ the kernel and ip6tables.
diff --git a/manpages6/shorewall6-rules.xml b/manpages6/shorewall6-rules.xml
index 8682588d5..fcf484f00 100644
--- a/manpages6/shorewall6-rules.xml
+++ b/manpages6/shorewall6-rules.xml
@@ -149,6 +149,16 @@
+
+ A_ACCEPT and A_ACCEPT!
+
+
+ Added in Shorewall 4.4.20. Audited versions of ACCEPT
+ and ACCEPT! respectively. Require AUDIT_TARGET support in the
+ kernel and ip6tables.
+
+
+
DROP
@@ -167,6 +177,16 @@
+
+ A_DROP and A_DROP!
+
+
+ Added in Shorewall 4.4.20. Audited versions of DROP and
+ DROP! respectively. Require AUDIT_TARGET support in the kernel
+ and ip6tables.
+
+
+
REJECT
@@ -186,6 +206,16 @@
+
+ A_REJECT AND A_REJECT!
+
+
+ Added in Shorewall 4.4.20. Audited versions of REJECT
+ and REJECT! respectively. Require AUDIT_TARGET support in the
+ kernel and ip6tables.
+
+
+
CONTINUE
diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml
index bc97109e4..1ca083c81 100644
--- a/manpages6/shorewall6.conf.xml
+++ b/manpages6/shorewall6.conf.xml
@@ -240,8 +240,8 @@
BLACKLIST_DISPOSITION=[DROP|REJECT]
+ role="bold">DROP|A_DROP|REJECT|A_REJECT]
This parameter determines the disposition of packets from
@@ -935,7 +935,7 @@
MACLIST_DISPOSITION=[ACCEPT|DROP|REJECT]
+ role="bold">REJECT|A_DROP|A_REJECT]
Determines the disposition of connections requests that fail
@@ -944,6 +944,10 @@
or DROP (ignore the connection request). If not set or if set to the
empty value (e.g., MACLIST_DISPOSITION="") then
MACLIST_DISPOSITION=REJECT is assumed.
+
+ A_DROP and A_REJECT are audited versions of DROP and REJECT
+ respectively and were added in Shorewall 4.4.20. They require
+ AUDIT_TARGET in the kernel and ip6tables.
@@ -1289,6 +1293,20 @@
+
+ SMURF_DISPOSITION=[DROP|A_DROP]
+
+
+ Added in Shorewall 4.4.20. The default setting is DROP which
+ causes smurf packets (see the nosmurfs option in shorewall-interfaces(5)) to
+ be dropped. A_DROP causes the packets to be audited prior to being
+ dropped and requires AUDIT_TARGET support in the kernel and
+ ip6tables.
+
+
+
SMURF_LOG_LEVEL=[log-level]