From a01fa345b7bdbb684bcfd8640afa0f1c5d0a68be Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 16 Mar 2010 09:42:50 -0700 Subject: [PATCH] Add support for UDP Lite Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 4 ++-- Shorewall/Perl/Shorewall/IPAddrs.pm | 4 +++- Shorewall/changelog.txt | 2 ++ Shorewall/lib.common | 2 +- Shorewall/releasenotes.txt | 3 +++ docs/Accounting.xml | 14 ++++++++------ manpages/shorewall-accounting.xml | 8 ++++---- manpages/shorewall-masq.xml | 8 ++++---- manpages/shorewall-tcpri.xml | 7 ++++--- manpages6/shorewall6-accounting.xml | 8 ++++---- manpages6/shorewall6-blacklist.xml | 11 ++++++----- manpages6/shorewall6-tcpri.xml | 9 +++++---- 12 files changed, 46 insertions(+), 34 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index baef8d69c..d59a6f0dc 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -1846,12 +1846,12 @@ sub do_proto( $$$;$ ) PROTO: { - if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP ) { + if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) { my $multiport = 0; if ( $ports ne '' ) { $invert = $ports =~ s/^!// ? '! ' : ''; - if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) { + if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) { fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' ); fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $ports ) > 15; diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm index 7356c9ca4..084170d9d 100644 --- a/Shorewall/Perl/Shorewall/IPAddrs.pm +++ b/Shorewall/Perl/Shorewall/IPAddrs.pm @@ -47,6 +47,7 @@ our @EXPORT = qw( ALLIPv4 ALL TCP UDP + UDPLITE ICMP DCCP IPv6_ICMP 
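Review bot: A single UDPLITE port on a system without multiport support now fails with `Port lists require Multiport support in your kernel/iptables`, because the added `|| $proto == UDPLITE` sends every UDPLITE port specification down the multiport branch whether or not a list was given, so the message names a port list the user never wrote. A dedicated check ahead of the generic one, `fatal_error "UDPLITE ports require Multiport support in your kernel/iptables" if $proto == UDPLITE && ! have_capability( 'MULTIPORT' );`, would keep the diagnostic accurate. The reason UDPLITE is forced through multiport is not recorded in the code; a why-comment such as `# UDPLITE ports are always matched with multiport (presumably no plain --dport match exists for this protocol) — confirm` would help the next maintainer. The `if ( $ports ne '' )` guard means a rule giving only source ports for UDPLITE takes a path outside this hunk, which may need the same treatment; do_proto begins and ends outside the hunk.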
@@ -103,7 +104,8 @@ use constant { ALLIPv4 => '0.0.0.0/0' , UDP => 17, DCCP => 33, IPv6_ICMP => 58, - SCTP => 132 }; + SCTP => 132, + UDPLITE => 136 }; our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ); diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 9c87e4b4a..dd9d07a69 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -29,6 +29,8 @@ Changes in Shorewall 4.4.8 14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES default optimizations. +15) Add support for UDPLITE + Changes in Shorewall 4.4.7 1) Backport optimization changes from 4.5. diff --git a/Shorewall/lib.common b/Shorewall/lib.common index 1fa773069..1c3d304c4 100644 --- a/Shorewall/lib.common +++ b/Shorewall/lib.common @@ -55,7 +55,7 @@ get_script_version() { # $1 = script echo $version } - + # # Do required exports or create the required option string and run the passed script using # $SHOREWALL_SHELL diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 3a70a159c..43209f512 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -345,6 +345,9 @@ None. ERROR: The separator for a port range is ':', not '-' (21-22) : /etc/shorewall/rules (line 3) + +5) Support has been added for UDPLITE (proto 136) in that DEST PORT(S) + and SOURCE PORT(S) may be specified for that protocol. ---------------------------------------------------------------------------- V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S diff --git a/docs/Accounting.xml b/docs/Accounting.xml index 0d8172cf4..d58e82a6e 100644 --- a/docs/Accounting.xml +++ b/docs/Accounting.xml 
@@ -126,17 +126,19 @@ DEST PORT - Destination Port number. Service name from /etc/services or port - number. May only be specified if the protocol is TCP or UDP (6 or 17). - If the PROTOCOL is ipp2p, then this column is - interpreted as an ipp2p option without the leading -- - (default ipp2p). For a list of value ipp2p options, as - root type iptables -m ipp2p --help. + number. May only be specified if the protocol is TCP (6), UDP (17), + DCCP (33), SCTP (132) or UDPLITE (136). If the PROTOCOL is + ipp2p, then this column is interpreted as an ipp2p + option without the leading -- (default + ipp2p). For a list of value ipp2p options, as root type + iptables -m ipp2p --help. SOURCE PORT- Source Port number. Service name from /etc/services or port number. May only be - specified if the protocol is TCP or UDP (6 or 17). + specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) + or UDPLITE (136). diff --git a/manpages/shorewall-accounting.xml b/manpages/shorewall-accounting.xml index d6c9ccaf9..f4870c01f 100644 --- a/manpages/shorewall-accounting.xml +++ b/manpages/shorewall-accounting.xml @@ -165,8 +165,8 @@ Destination Port number. Service name from services(5) or port number. May only be specified if the - protocol is tcp or udp (6 or 17). + protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE + (136). You may place a comma-separated list of port names or numbers in this column if your kernel and iptables include multiport match @@ -188,8 +188,8 @@ Service name from services(5) or port - number. May only be specified if the protocol is TCP or - UDP (6 or 17). + number. May only be specified if the protocol is TCP (6), + UDP (17), DCCP (33), SCTP (132) or UDPLITE (136). You may place a comma-separated list of port numbers in this column if your kernel and iptables include multiport match diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml index d49ec61b6..d449c45c6 100644 --- a/manpages/shorewall-masq.xml 
+++ b/manpages/shorewall-masq.xml @@ -237,10 +237,10 @@ [[!]port-name-or-number[,port-name-or-number]...] - If the PROTO column specifies TCP (protocol 6) or UDP - (protocol 17) then you may list one or more port numbers (or names - from services(5)) separated by commas or you may list a single port - range + If the PROTO column specifies TCP (6), UDP (17), DCCP (33), + SCTP (132) or UDPLITE (136) then you may list one or more port + numbers (or names from services(5)) separated by commas or you may + list a single port range (lowport:highport). Where a comma-separated list is given, your kernel and diff --git a/manpages/shorewall-tcpri.xml b/manpages/shorewall-tcpri.xml index 2c730f0dc..6b9a335d2 100644 --- a/manpages/shorewall-tcpri.xml +++ b/manpages/shorewall-tcpri.xml @@ -84,9 +84,10 @@ PORT(S) - port [,...] - Optional. May only be given if the the PROTO is tcp (6) or udp - (17). A list of one or more port numbers or service names from - /etc/services. Port ranges of the form + Optional. May only be given if the the PROTO is TCP (6), UDP + (17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more + port numbers or service names from /etc/services. Port ranges of the + form lowport:highport may also be included. diff --git a/manpages6/shorewall6-accounting.xml b/manpages6/shorewall6-accounting.xml index 7032c3deb..b0518efd8 100644 --- a/manpages6/shorewall6-accounting.xml +++ b/manpages6/shorewall6-accounting.xml @@ -164,8 +164,8 @@ Destination Port number. Service name from services(5) or port number. May only be specified if the - protocol is tcp or udp (6 or 17). + protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE + (136). You may place a comma-separated list of port names or numbers in this column if your kernel and ip6tables include multiport match 
@@ -187,8 +187,8 @@ Service name from services(5) or port - number. May only be specified if the protocol is TCP or - UDP (6 or 17). + number. May only be specified if the protocol is TCP (6), + UDP (17), DCCP (33), SCTP (132) or UDPLITE (136). You may place a comma-separated list of port numbers in this column if your kernel and ip6tables include multiport match diff --git a/manpages6/shorewall6-blacklist.xml b/manpages6/shorewall6-blacklist.xml index 7078c6360..fa3f48a5b 100644 --- a/manpages6/shorewall6-blacklist.xml +++ b/manpages6/shorewall6-blacklist.xml @@ -37,8 +37,9 @@ Host address, network address, MAC address, IP address range - (if your kernel and ip6tables contain iprange match support) or ipset - name prefaced by "+" (if your kernel supports ipset match). + (if your kernel and ip6tables contain iprange match support) or + ipset name prefaced by "+" (if your kernel supports ipset + match). MAC addresses must be prefixed with "~" and use "-" as a separator. @@ -67,9 +68,9 @@ role="bold">-|port-name-or-number[,port-name-or-number]...} - May only be specified if the protocol is TCP (6) or UDP (17). - A comma-separated list of destination port numbers or service names - from services(5). + May only be specified if the protocol is TCP (6), UDP (17), + DCCP (33), SCTP (132) or UDPLITE (136). A comma-separated list of + destination port numbers or service names from services(5). diff --git a/manpages6/shorewall6-tcpri.xml b/manpages6/shorewall6-tcpri.xml index 2392f5324..c875e2d69 100644 --- a/manpages6/shorewall6-tcpri.xml +++ b/manpages6/shorewall6-tcpri.xml 
@@ -84,9 +84,10 @@ PORT(S) - port [,...] - Optional. May only be given if the the PROTO is tcp (6) or udp - (17). A list of one or more port numbers or service names from - /etc/services. Port ranges of the form + Optional. May only be given if the the PROTO is TCP (6), UDP + (17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more + port numbers or service names from /etc/services. Port ranges of the + form lowport:highport may also be included. @@ -152,6 +153,6 @@ shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcinterfaces(5), shorewall6-tos(5), shorewall6-tunnels(5), - shorewall6-zones(5) + shorewall6-zones(5)