From 5e48faad9ed61414692c745a3ff502cc133882ba Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 23 Nov 2010 15:01:20 -0800 Subject: [PATCH 1/2] Update manpages --- manpages/shorewall-actions.xml | 25 ++++++++++++------------- manpages/shorewall-blacklist.xml | 12 ++++++------ manpages/shorewall-hosts.xml | 23 ++++++++++++----------- manpages6/shorewall6-actions.xml | 16 +++++++--------- manpages6/shorewall6-blacklist.xml | 4 ++-- 5 files changed, 39 insertions(+), 41 deletions(-) diff --git a/manpages/shorewall-actions.xml b/manpages/shorewall-actions.xml index a8853b65b..a5dd0db2a 100644 --- a/manpages/shorewall-actions.xml +++ b/manpages/shorewall-actions.xml @@ -29,12 +29,10 @@ /etc/shorewall/action.action-name. ACTION names should begin with an upper-case letter to distinguish - them from Shorewall-generated chain names and they must meet the - requirements of a Netfilter chain. If you intend to log from the action - then the name must be no longer than 11 characters in length. Names must - also meet the requirements for a Bourne Shell identifier (must begin with - a letter and be composed of letters, digits and underscore - characters). + them from Shorewall-generated chain names and be composed of letters, + digits or numbers. If you intend to log from the action then the name must + be no longer than 11 characters in length if you use the standard + LOGFORMAT. 
@@ -50,12 +48,13 @@ url="http://shorewall.net/Actions.html">http://shorewall.net/Actions.html shorewall(8), shorewall-accounting(5), shorewall-blacklist(5), - shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), - shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), - shorewall-params(5), shorewall-policy(5), shorewall-providers(5), - shorewall-proxyarp(5), shorewall-route_rules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), - shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), + shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), + shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), + shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), + shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), + shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), + shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), + shorewall-zones(5) diff --git a/manpages/shorewall-blacklist.xml b/manpages/shorewall-blacklist.xml index 09fe6bbfc..e7b83800a 100644 --- a/manpages/shorewall-blacklist.xml +++ b/manpages/shorewall-blacklist.xml @@ -113,8 +113,8 @@ 'blacklist' in the OPTIONS or OUT_OPTIONS column. - Trafficto this zone is passed against the entries in this file - that have the dst + Traffic to this zone is passed against the entries in this + file that have the dst option. 
@@ -168,10 +168,10 @@ url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), - shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), - shorewall-params(5), shorewall-policy(5), shorewall-providers(5), - shorewall-proxyarp(5), shorewall-route_rules(5), + shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), + shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), + shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), + shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), diff --git a/manpages/shorewall-hosts.xml b/manpages/shorewall-hosts.xml index e203f2d72..82ae3a397 100644 --- a/manpages/shorewall-hosts.xml +++ b/manpages/shorewall-hosts.xml @@ -100,7 +100,8 @@ - OPTIONS (Optional) - [option[OPTIONS (Optional) - + [option[,option]...] @@ -140,8 +141,8 @@ This option only makes sense for ports on a bridge. As - of Shoreawall 4.4.13, ithe option is no longer supported and - is ignored with a warning: + of Shoreawall 4.4.13, the option is no longer supported and is + ignored with a warning:
WARNING: The "blacklist" host @@ -263,13 +264,13 @@ vpn ppp+:192.168.3.0/24 See ALSO shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), - shorewall-masq(5), shorewall-nat(5), shorewall-nesting(5), - shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), - shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), - shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), - shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), - shorewall-zones(5) + shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5), + shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), + shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5), + shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), + shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), + shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), + shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), + shorewall-tunnels(5), shorewall-zones(5) diff --git a/manpages6/shorewall6-actions.xml b/manpages6/shorewall6-actions.xml index f7ff772dd..789f9c351 100644 --- a/manpages6/shorewall6-actions.xml +++ b/manpages6/shorewall6-actions.xml 
@@ -29,12 +29,10 @@ /etc/shorewall6/action.action-name. ACTION names should begin with an upper-case letter to distinguish - them from shorewall6-generated chain names and they must meet the - requirements of a Netfilter chain. If you intend to log from the action - then the name must be no longer than 11 characters in length. Names must - also meet the requirements for a Bourne Shell identifier (must begin with - a letter and be composed of letters, digits and underscore - characters). + them from Shorewall-generated chain names and be composed of letters, + digits or numbers. If you intend to log from the action then the name must + be no longer than 11 characters in length if you use the standard + LOGFORMAT. @@ -53,8 +51,8 @@ shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), - shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), - shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), - shorewall6-tunnels(5), shorewall-zones(5) + shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), + shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), + shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5) diff --git a/manpages6/shorewall6-blacklist.xml b/manpages6/shorewall6-blacklist.xml index ec81ee78a..568af05b1 100644 --- a/manpages6/shorewall6-blacklist.xml +++ b/manpages6/shorewall6-blacklist.xml @@ -114,8 +114,8 @@ 'blacklist' in the OPTIONS or OUT_OPTIONS column. - Trafficto this zone is passed against the entries in this file - that have the dst + Traffic to this zone is passed against the entries in this + file that have the dst option. From 2702d7f2086f305e4527a1b2b42524c2028eb51c Mon Sep 17 00:00:00 2001 
From: Tom Eastep Date: Wed, 24 Nov 2010 10:46:06 -0800 Subject: [PATCH 2/2] Implement header matching --- Shorewall/Perl/Shorewall/Accounting.pm | 4 +- Shorewall/Perl/Shorewall/Chains.pm | 57 +++++++++- Shorewall/Perl/Shorewall/Config.pm | 8 +- Shorewall/Perl/Shorewall/Rules.pm | 26 +++-- Shorewall/Perl/Shorewall/Tc.pm | 5 +- Shorewall/changelog.txt | 6 +- Shorewall/configfiles/accounting | 2 +- Shorewall/lib.base | 2 +- Shorewall/lib.cli | 3 + Shorewall/releasenotes.txt | 31 +++++- Shorewall6/accounting | 4 +- Shorewall6/lib.base | 2 +- Shorewall6/lib.cli | 4 + Shorewall6/rules | 4 +- Shorewall6/tcrules | 4 +- docs/Accounting.xml | 140 +------------------------ docs/traffic_shaping.xml | 7 ++ manpages6/shorewall6-accounting.xml | 94 +++++++++++++++++ manpages6/shorewall6-rules.xml | 100 +++++++++++++++++- manpages6/shorewall6-tcrules.xml | 94 +++++++++++++++++ 20 files changed, 430 insertions(+), 167 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm index 090b1e3e2..e0ba0c52e 100644 --- a/Shorewall/Perl/Shorewall/Accounting.pm +++ b/Shorewall/Perl/Shorewall/Accounting.pm @@ -52,7 +52,7 @@ sub process_accounting_rule( ) { our $jumpchainref; - my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File'; + my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File'; if ( $action eq 'COMMENT' ) { process_comment; @@ -95,7 +95,7 @@ sub process_accounting_rule( ) { $ports = '' if $ports eq 'any' || $ports eq 'all'; $sports = '' if $sports eq 'any' || $sports eq 'all'; - my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ); + my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers ); my $rule2 = 0; my $jump = 0; 
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index f16cd5003..71361a3b4 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -143,6 +143,7 @@ our %EXPORT_TAGS = (
 		       do_tos
 		       do_connbytes
 		       do_helper
+		       do_headers
 		       have_ipset_rules
 		       match_source_dev
 		       match_dest_dev
@@ -2522,7 +2523,7 @@ sub do_connbytes( $ ) {
 }
 
 #
-# Create a "-m helper" match for the passed argument
+# Create a soft "-m helper" match for the passed argument
 #
 sub do_helper( $ ) {
     my $helper = shift;
@@ -2542,6 +2543,60 @@ sub do_length( $ ) {
     $length ne '-' ? "-m length --length $length " : '';
 }
 
+#
+# Create a "-m -ipv6header" match for the passed argument
+#
+my %headers = ( hop          => 1,
+		dst          => 1,
+		route        => 1,
+		frag         => 1,
+		auth         => 1,
+		esp          => 1,
+		none         => 1,
+		'hop-by-hop' => 1,
+		'ipv6-opts'  => 1,
+		'ipv6-route' => 1,
+		'ipv6-frag'  => 1,
+		ah           => 1,
+		'ipv6-nonxt' => 1,
+		'protocol'   => 1,
+		0            => 1,
+		43           => 1,
+		44           => 1,
+		50           => 1,
+		51           => 1,
+		59           => 1,
+		60           => 1,
+		255          => 1 );
+
+sub do_headers( $ ) {
+    my $headers = shift;
+
+    return '' if $headers eq '-';
+
+    require_capability 'HEADER_MATCH', 'A non-empty HEADER column', 's';
+
+    my $invert = $headers =~ s/^!// ? '! ' : "";
+
+    my $soft = '--soft ';
+
+    if ( $headers =~ s/^exactly:// ) {
+	$soft = '';
+    } else {
+	$headers =~ s/^any://;
+    }
+
+    for ( split_list $headers, "Header" ) {
+	if ( $_ eq 'proto' ) {
+	    $_ = 'protocol';
+	} else {
+	    fatal_error "Unknown IPv6 Header ($_)" unless $headers{$_};
+	}
+    }
+
+    "-m ipv6header ${invert}--header ${headers} ${soft}";
+}
+
 #
 # Match Source Interface
 #
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 89c3c78a7..cabbb24e6 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
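Review bot: The `proto` → `protocol` rewrite in do_headers never reaches the generated rule: the `for` loop aliases `$_` to the temporary list returned by split_list, so the scalar `$headers` still contains `proto` when it is interpolated into `--header ${headers}`, and since the ipv6header extension knows this header as `protocol`/`prot` rather than `proto` the rule is likely to be rejected by ip6tables at load time instead of at compile time. Collect the validated names and rebuild `$headers` from them, as in the excerpt below. Two related points: the `%headers` hash accepts 43 for the Routing header (its IANA protocol number) while the release notes and manpages in this same commit document `route`/`ipv6-route` as 41, so a user who types the documented number gets `Unknown IPv6 Header (41)`, and `dst`/`ipv6-opts`/60 is accepted but undocumented. Finally, the diagnostic `'A non-empty HEADER column'` names the column HEADER although the files call it HEADERS, and because the column is IPv6-only an IPv4 user will be told the kernel lacks "Header Match" rather than that the column is Shorewall6-only; consider `fatal_error "The HEADERS column is only supported by Shorewall6" if $family == F_IPV4;` before the capability check (assuming `$family` is in scope here as it is elsewhere in the compiler).
```perl
sub do_headers( $ ) {
    my $headers = shift;

    # … unchanged: '-' short-circuit, capability check, '!' / 'exactly:' / 'any:' handling …

    my @list = split_list $headers, "Header";

    for ( @list ) {
	$_ = 'protocol' if $_ eq 'proto';
	fatal_error "Unknown IPv6 Header ($_)" unless $headers{$_};
    }

    $headers = join ',', @list;

    "-m ipv6header ${invert}--header ${headers} ${soft}";
}
```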
@@ -254,6 +254,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT', FLOW_FILTER => 'Flow Classifier', FWMARK_RT_MASK => 'fwmark route mask', MARK_ANYWHERE => 'Mark in any table', + HEADER_MATCH => 'Header Match', CAPVERSION => 'Capability Version', KERNELVERSION => 'Kernel Version', ); @@ -353,7 +354,7 @@ sub initialize( $ ) { STATEMATCH => '-m state --state', UNTRACKED => 0, VERSION => "4.4.15-RC1", - CAPVERSION => 40413 , + CAPVERSION => 40415 , ); # @@ -2503,6 +2504,10 @@ sub Mark_Anywhere() { qt1( "$iptables -A $sillyname -j MARK --set-mark 5" ); } +sub Header_Match() { + qt1( "$iptables -A $sillyname -m ipv6header --header 255 -j ACCEPT" ); +} + our %detect_capability = ( ADDRTYPE => \&Addrtype, CLASSIFY_TARGET => \&Classify_Target, @@ -2517,6 +2522,7 @@ our %detect_capability = FWMARK_RT_MASK => \&Fwmark_Rt_Mask, GOTO_TARGET => \&Goto_Target, HASHLIMIT_MATCH => \&Hashlimit_Match, + HEADER_MATCH => \&Header_Match, HELPER_MATCH => \&Helper_Match, IPMARK_TARGET => \&IPMark_Target, IPP2P_MATCH => \&Ipp2p_Match, diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 2e8c87fcb..d4939495c 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -888,13 +888,13 @@ sub setup_mac_lists( $ ) { } } -sub process_rule1 ( $$$$$$$$$$$$$ ); +sub process_rule1 ( $$$$$$$$$$$$$$ ); # # Expand a macro rule from the rules file # -sub process_macro ( $$$$$$$$$$$$$$$ ) { - my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $wildcard ) = @_; +sub process_macro ( $$$$$$$$$$$$$$$$ ) { + my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_; my $nocomment = no_comment; 
@@ -912,13 +912,13 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) { while ( read_a_line ) { - my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime); + my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders ); if ( $format == 1 ) { ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands; - ( $morigdest, $mmark, $mconnlimit, $mtime ) = qw/- - - -/; + ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders ) = qw/- - - - -/; } else { - ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime ) = split_line1 1, 12, 'macro file', $macro_commands; + ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders ) = split_line1 1, 13, 'macro file', $macro_commands; } if ( $mtarget eq 'COMMENT' ) { @@ -986,6 +986,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) { merge_macro_column( $mmark, $mark ) , merge_macro_column( $mconnlimit, $connlimit) , merge_macro_column( $mtime, $time ), + merge_macro_column( $mheaders, $headers ), $wildcard ); 
@@ -1005,8 +1006,8 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) { # Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion. # -sub process_rule1 ( $$$$$$$$$$$$$ ) { - my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wildcard ) = @_; +sub process_rule1 ( $$$$$$$$$$$$$$ ) { + my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_; my ( $action, $loglevel) = split_action $target; my ( $basictarget, $param ) = get_target_param $action; my $rule = ''; @@ -1051,6 +1052,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { $mark, $connlimit, $time, + $headers, $wildcard ); $macro_nest_level--; @@ -1244,7 +1246,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { do_user( $user ) , do_test( $mark , $globals{TC_MASK} ) , do_connlimit( $connlimit ), - do_time( $time ) ); + do_time( $time ) , + do_headers( $headers ) + ); } unless ( $section eq 'NEW' ) { @@ -1606,7 +1610,7 @@ sub build_zone_list( $$$\$\$ ) { # Process a Record in the rules file # sub process_rule ( ) { - my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time ) = split_line1 1, 12, 'rules file', \%rules_commands; + my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'rules file', \%rules_commands; process_comment, return 1 if $target eq 'COMMENT'; process_section( $source ), return 1 if $target eq 'SECTION'; 
@@ -1638,7 +1642,7 @@ sub process_rule ( ) { my $destzone = (split( /:/, $dest, 2 ) )[0]; $destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone; if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) { - $generated |= process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild; + $generated |= process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $wild; } } } diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 0ca832fd8..1d4f5c95c 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -195,7 +195,7 @@ sub initialize( $ ) { } sub process_tc_rule( ) { - my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file'; + my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = split_line1 2, 13, 'tcrules file'; our @tccmd; @@ -412,7 +412,8 @@ sub process_tc_rule( ) { do_length( $length ) . do_tos( $tos ) . do_connbytes( $connbytes ) . - do_helper( $helper ), + do_helper( $helper ) . + do_headers( $headers ) , $source , $dest , '' , diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 5e87482eb..bec4ce612 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,10 +1,12 @@ Changes in Shorewall 4.4.15 -Beta 3 +RC 1 1) Another Perl 5.12 warning. -2) Avoid anomalous behavior regarding syn flood chains. +2) Avoid anomalous behavior regarding syn flood chains. + +3) Add HEADERS column for IPv6 Beta 2 diff --git a/Shorewall/configfiles/accounting b/Shorewall/configfiles/accounting index 72f6f7862..f31059fc0 100644 --- a/Shorewall/configfiles/accounting +++ b/Shorewall/configfiles/accounting 
@@ -6,6 +6,6 @@ # Please see http://shorewall.net/Accounting.html for examples and # additional information about how to use this file. # -##################################################################################################### +################################################################################################################# #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC # PORT(S) PORT(S) GROUP diff --git a/Shorewall/lib.base b/Shorewall/lib.base index 60db03a80..d3ba701fc 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base @@ -29,7 +29,7 @@ # SHOREWALL_LIBVERSION=40407 -SHOREWALL_CAPVERSION=40413 +SHOREWALL_CAPVERSION=40415 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ] diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index 5b1275cac..d928cfa74 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -1659,6 +1659,7 @@ determine_capabilities() { FLOW_FILTER= FWMARK_RT_MASK= MARK_ANYWHERE= + HEADER_MATCH= chain=fooX$$ @@ -1877,6 +1878,7 @@ report_capabilities() { report_capability "FLOW Classifier" $FLOW_FILTER report_capability "fwmark route mask" $FWMARK_RT_MASK report_capability "Mark in any table" $MARK_ANYWHERE + report_capability "Header Match" $HEADER_MATCH fi [ -n "$PKTTYPE" ] || USEPKTTYPE= @@ -1942,6 +1944,7 @@ report_capabilities1() { report_capability1 FLOW_FILTER report_capability1 FWMARK_RT_MASK report_capability1 MARK_ANYWHERE + report_capability1 HEADER_MATCH echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index c7f1adc66..f72e6cd9b 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
@@ -85,7 +85,36 @@ Beta 1. RC 1 - A Munin macro has been contributed by Tuomo Soini. +1) A Munin macro has been contributed by Tuomo Soini. + +2) The Shorewall6 accounting, tcrules and rules files now include a + HEADERS column which allows matching based on the IPv6 extension and + protocol headers included in a packet. + + The contents of the column are: + + [any:|exactly:]
+ + where
is a comma-separated list of headers from the + following: + + Long Name Short Name Number + -------------------------------------- + auth ah 50 + esp esp 51 + hop-by-hop hop 0 + route ipv6-route 41 + frag ipv6-frag 44 + none ipv6-nonxt 59 + protocol proto 255 + + If 'any:' is specified, the rule will match if any of the listed + headers are present. If 'exactly:' is specified, the will match + packets that exactly include all specified headers. If neither is + given, 'any:' is assumed. + + This change adds a new capability (Header Match) so if you use a + capabilities file, you will need to regenerate using this release. Beta 2 diff --git a/Shorewall6/accounting b/Shorewall6/accounting index 5c931fda0..176b90b47 100644 --- a/Shorewall6/accounting +++ b/Shorewall6/accounting @@ -6,6 +6,6 @@ # Please see http://shorewall.net/Accounting.html for examples and # additional information about how to use this file. # -##################################################################################### -#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK +############################################################################################################### +#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC HEADERS # PORT(S) PORT(S) GROUP diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base index 709fe24ec..30698be6c 100644 --- a/Shorewall6/lib.base +++ b/Shorewall6/lib.base @@ -33,7 +33,7 @@ # SHOREWALL_LIBVERSION=40407 -SHOREWALL_CAPVERSION=40413 +SHOREWALL_CAPVERSION=40415 [ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ] diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli index 1da8b49bf..8745951d4 100644 --- a/Shorewall6/lib.cli +++ b/Shorewall6/lib.cli @@ -1334,6 +1334,7 @@ determine_capabilities() { FLOW_FILTER= FWMARK_RT_MASK= MARK_ANYWHERE= + HEADER_MATCH= chain=fooX$$ 
@@ -1476,6 +1477,7 @@ determine_capabilities() { qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes qt $IP6TABLES -A $chain -j LOG || LOG_TARGET= qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes + qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes qt $IP6TABLES -F $chain qt $IP6TABLES -X $chain @@ -1553,6 +1555,7 @@ report_capabilities() { report_capability "FLOW Classifier" $FLOW_FILTER report_capability "fwmark route mask" $FWMARK_RT_MASK report_capability "Mark in any table" $MARK_ANYWHERE + report_capability "Header Match" $HEADER_MATCH fi [ -n "$PKTTYPE" ] || USEPKTTYPE= @@ -1615,6 +1618,7 @@ report_capabilities1() { report_capability1 FLOW_FILTER report_capability1 FWMARK_RT_MASK report_capability1 MARK_ANYWHERE + report_capability1 HEADER_MATCH echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION diff --git a/Shorewall6/rules b/Shorewall6/rules index 5dd65cedf..a4ae986f9 100644 --- a/Shorewall6/rules +++ b/Shorewall6/rules @@ -6,8 +6,8 @@ # The manpage is also online at # http://www.shorewall.net/manpages6/shorewall6-rules.html # -#################################################################################################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME +####################################################################################################################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS # PORT PORT(S) DEST LIMIT GROUP #SECTION ESTABLISHED #SECTION RELATED diff --git a/Shorewall6/tcrules b/Shorewall6/tcrules index e709d1534..1c5b86025 100644 --- a/Shorewall6/tcrules +++ b/Shorewall6/tcrules 
@@ -9,6 +9,6 @@ # # See http://shorewall.net/PacketMarking.html for a detailed description of # the Netfilter/Shorewall packet marking mechanism. -###################################################################################################################### -#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER +################################################################################################################################## +#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS # PORT(S) PORT(S) diff --git a/docs/Accounting.xml b/docs/Accounting.xml index cd6e92d85..950cdd691 100644 --- a/docs/Accounting.xml +++ b/docs/Accounting.xml 
@@ -53,141 +53,11 @@ including traffic that will later be rejected by interface options such as tcpflags and maclist. - The columns in the accounting file are as follows: - - - - ACTION - What to do when a - match is found. Possible values are: - - - - COUNT- Simply count the match and continue trying to match - the packet with the following accounting rules - - - - DONE- Count the match and don't attempt to match any - following accounting rules. - - - - <chain> - The name of a chain; - Shorewall will create the chain automatically if it doesn't - already exist. A jump to this chain will be generated from the - chain specified by the CHAIN column. If the name of the chain is - followed by :COUNT then a COUNT rule matching this - entry will automatically be added to <chain>. Chain names - must start with a letter, must be composed of letters and digits, - and may contain underscores (_) and periods - (.). Beginning with Shorewall version 1.4.8, chain - names may also contain embedded dashes (-) and are - not required to start with a letter. - - - - COMMENT - (Shorewall-perl only) - The remainder of the line - is treated as a comment which is attached to subsequent - rules until another COMMENT line is found or until the end - of the file is reached. To stop adding comments to rules, use a - line with only the word COMMENT. - - - - - - CHAIN - The name of the chain - where the accounting rule is to be added. If empty or - - then the accounting chain is assumed (see below for exceptions). - - - - SOURCE - Packet Source. The - name of an interface, an address (host or net), or an interface name - followed by : and a host or net address. - - - - DESTINATION - Packet - Destination. Format the same as the SOURCE column. - - - - PROTOCOL - A protocol name - (from /etc/protocols), a protocol number or - ipp2p. For ipp2p, your kernel and - iptables must have ipp2p match support from xtables-addons. - - - - DEST PORT - Destination Port - number. 
Service name from /etc/services or port - number. May only be specified if the protocol is TCP (6), UDP (17), - DCCP (33), SCTP (132) or UDPLITE (136). If the PROTOCOL is - ipp2p, then this column is interpreted as an ipp2p - option without the leading -- (default - ipp2p). For a list of value ipp2p options, as root type - iptables -m ipp2p --help. - - - - SOURCE PORT- Source Port - number. Service name from /etc/services or port number. May only be - specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) - or UDPLITE (136). - - - - USER/GROUP - This column may - only be non-empty if the CHAIN is OUTPUT. The column may - contain: - - [!][<user name or number>][:<group name or number>] - - When this column is non-empty, the rule applies only if the - program generating the output is running under the effective - <user> and/or <group> specified (or is NOT running under - that id if ! is given). - - Examples: - - - joe #program must be run by joe - - :kids #program must be run by a member of the - kids group. - - !:kids #program must not be run by a member of the - kids group - - - - - MARK - Only count packets with - particular mark values. [!]<value>[/<mask>][:C] - Defines a test on the existing packet or connection mark. The rule - will match only if the test returns true. - - If you don’t want to define a test but need to specify anything - in the following columns, place a - in this - field. - ! — Inverts the test (not equal) - - <value> — Value of the packet or connection - mark. - - <mask> — A mask to be applied to the mark before - testing. - - :C — Designates a connection mark. If omitted, the packet - mark’s value is tested. This option is only supported by - Shorewall-perl. - - - + The columns in the accounting file are described in shorewall-accounting (5) + and shorewall6-accounting + (5). In all columns except ACTION and CHAIN, the values -, any and all are treated as 
diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml index ef3672ce8..36f6aa51c 100644 --- a/docs/traffic_shaping.xml +++ b/docs/traffic_shaping.xml @@ -1161,6 +1161,13 @@ ppp0 6000kbit 500kbit modules such as ftp, sip, amanda, etc. + + + HEADERS (Optioinal, Shorewall6 only, added in Shorewall + 4.4.15). List of IPv6 headers that may appear in packets. See shorewall6-tcrules + (5) for details. + diff --git a/manpages6/shorewall6-accounting.xml b/manpages6/shorewall6-accounting.xml index e106594cc..47baef7fa 100644 --- a/manpages6/shorewall6-accounting.xml +++ b/manpages6/shorewall6-accounting.xml 
@@ -455,6 +455,100 @@ role="bold">accounting chain. + + + HEADERS - + [!][any:|exactly:]header-list + (Optional - Added in Shorewall 4.4.15) + + + The header-list consists of a + comma-separated list of headers from the following list. + + + + auth, ah, or 50 + + + Authentication Headers extension + header. + + + + + esp, or 51 + + + Encrypted Security Payload + extension header. + + + + + hop, hop-by-hop or 0 + + + Hop-by-hop options extension header. + + + + + route, ipv6-route or 41 + + + IPv6 Route extension header. + + + + + frag, ipv6-frag or 44 + + + IPv6 fragmentation extension header. + + + + + none, ipv6-nonxt or 59 + + + No next header + + + + + proto, protocol or 255 + + + Any protocol header. + + + + + If any: is specified, the + rule will match if any of the listed headers are present. If + exactly: is specified, the will + match packets that exactly include all specified headers. If neither + is given, any: is assumed. + + If ! is entered, the rule + will match those packets which would not be matched when ! is omitted. + + In all of the above columns except + + + HEADERS - + [!][any:|exactly:]header-list + (Optional - Added in Shorewall 4.4.15) + + + The header-list consists of a + comma-separated list of headers from the following list. + + + + auth, ah, or 50 + + + Authentication Headers extension + header. + + + + + esp, or 51 + + + Encrypted Security Payload + extension header. + + + + + hop, hop-by-hop or 0 + + + Hop-by-hop options extension header. + + + + + route, ipv6-route or 41 + + + IPv6 Route extension header. + + + + + frag, ipv6-frag or 44 + + + IPv6 fragmentation extension header. + + + + + none, ipv6-nonxt or 59 + + + No next header + + + + + proto, protocol or 255 + + + Any protocol header. + + + + + If any: is specified, the + rule will match if any of the listed headers are present. If + exactly: is specified, the will + match packets that exactly include all specified headers. If neither + is given, any: is assumed. + + If ! 
is entered, the rule + will match those packets which would not be matched when ! is omitted. + + @@ -1004,8 +1098,8 @@ shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), - shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), - shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), - shorewall6-tunnels(5), shorewall6-zones(5) + shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5), + shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), + shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5) diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml index e6985ad36..639e78d31 100644 --- a/manpages6/shorewall6-tcrules.xml +++ b/manpages6/shorewall6-tcrules.xml 
@@ -600,6 +600,100 @@ SAME $FW 0.0.0.0/0 tcp 80,443 4 ::/0 ::/0 TCP - - - - - - - ftp + + + HEADERS - + [!][any:|exactly:]header-list + (Optional - Added in Shorewall 4.4.15) + + + The header-list consists of a + comma-separated list of headers from the following list. + + + + auth, ah, or 50 + + + Authentication Headers extension + header. + + + + + esp, or 51 + + + Encrypted Security Payload + extension header. + + + + + hop, hop-by-hop or 0 + + + Hop-by-hop options extension header. + + + + + route, ipv6-route or 41 + + + IPv6 Route extension header. + + + + + frag, ipv6-frag or 44 + + + IPv6 fragmentation extension header. + + + + + none, ipv6-nonxt or 59 + + + No next header + + + + + proto, protocol or 255 + + + Any protocol header. + + + + + If any: is specified, the + rule will match if any of the listed headers are present. If + exactly: is specified, the will + match packets that exactly include all specified headers. If neither + is given, any: is assumed. + + If ! is entered, the rule + will match those packets which would not be matched when ! is omitted. + +