change 'marks' file to 'mangle'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
45f64aefd7
commit
a1222d10cb
@ -165,7 +165,7 @@ sub initialize( $ ) {
|
||||
$divertref = 0;
|
||||
}
|
||||
|
||||
sub process_mark_rule1( $$$$$$$$$$$$$$$$ ) {
|
||||
sub process_mangle_rule1( $$$$$$$$$$$$$$$$ ) {
|
||||
our ( $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
|
||||
|
||||
use constant {
|
||||
@ -1449,16 +1449,16 @@ sub process_tc_rule( ) {
|
||||
}
|
||||
}
|
||||
|
||||
sub process_mark_rule( ) {
|
||||
sub process_mangle_rule( ) {
|
||||
my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) =
|
||||
split_line2( 'marks file',
|
||||
split_line2( 'mangle file',
|
||||
{ mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 },
|
||||
{},
|
||||
16,
|
||||
1 );
|
||||
|
||||
for my $proto (split_list( $protos, 'Protocol' ) ) {
|
||||
process_mark_rule1( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
|
||||
process_mangle_rule1( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
|
||||
}
|
||||
}
|
||||
|
||||
@ -3207,14 +3207,14 @@ sub setup_tc() {
|
||||
|
||||
}
|
||||
|
||||
if ( -f find_file 'marks' ) {
|
||||
if ( -f find_file 'mangle' ) {
|
||||
if ( $have_tcrules ) {
|
||||
warning_message "The 'tcrules' file is non-empty -- 'marks' file ignored";
|
||||
} elsif ( my $fn = open_file( 'marks', 2, 1 ) ) {
|
||||
warning_message "The 'tcrules' file is non-empty -- 'mangle' file ignored";
|
||||
} elsif ( my $fn = open_file( 'mangle', 2, 1 ) ) {
|
||||
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
process_mark_rule while read_a_line( NORMAL_READ );
|
||||
process_mangle_rule while read_a_line( NORMAL_READ );
|
||||
}
|
||||
}
|
||||
|
||||
|
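Review bot: After this rename an existing `/etc/shorewall/marks` file is silently ignored: setup_tc now only tests `-f find_file 'mangle'`, and an administrator who upgrades with a `marks` file in place gets no diagnostic while their packet-marking rules, and any policy routing or shaping that depends on those marks, quietly stop being generated. The neighbouring `tcrules` case already emits a `warning_message` for a file that will not be processed, so the legacy name deserves the same courtesy, e.g. `warning_message "The 'marks' file is no longer processed -- rename it to 'mangle'" if -f find_file 'marks';` placed just before the `mangle` check. If `marks` never shipped outside the 4.6.0 development cycle this is low risk, but a one-line warning costs nothing and avoids a silent security-relevant regression. The enclosing setup_tc sub begins and ends outside the hunk.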
@ -3,7 +3,7 @@
|
||||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||
<refentry>
|
||||
<refmeta>
|
||||
<refentrytitle>shorewall-marks</refentrytitle>
|
||||
<refentrytitle>shorewall-mangle</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
@ -11,12 +11,12 @@
|
||||
<refnamediv>
|
||||
<refname>marks</refname>
|
||||
|
||||
<refpurpose>Shorewall Packet Marking rules file</refpurpose>
|
||||
<refpurpose>Shorewall Packet marking/mangling rules file</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>/etc/shorewall/marks</command>
|
||||
<command>/etc/shorewall/mangle</command>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
@ -24,8 +24,8 @@
|
||||
<title>Description</title>
|
||||
|
||||
<para>This file was introduced in Shorewall 4.6.0 and is intended to
|
||||
replace shorewall-tcrules(5). This file is only processed by the compiler
|
||||
if:</para>
|
||||
replace <ulink url="shorewall-tcrules.html">shorewall-tcrules(5)</ulink>.
|
||||
This file is only processed by the compiler if:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
@ -110,7 +110,7 @@
|
||||
<para>A chain-designator may not be specified if the SOURCE or DEST
|
||||
columns begin with '$FW'. When the SOURCE is $FW, the generated rule
|
||||
is always placed in the OUTPUT chain. If DEST is '$FW', then the
|
||||
rule is placed in the OUTPUT chain.</para>
|
||||
rule is placed in the INPUT chain.</para>
|
||||
|
||||
<para>Where a command takes parameters, those parameters are
|
||||
enclosed in parentheses ("(....)") and separated by commas.</para>
|
||||
@ -1069,8 +1069,8 @@ Normal-Service => 0x00</programlisting>
|
||||
role="bold">INVALID</emphasis>} [,...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.9. The rule will only match if the
|
||||
packet's connection is in one of the listed states.</para>
|
||||
<para>The rule will only match if the packet's connection is in one
|
||||
of the listed states.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
@ -1138,7 +1138,7 @@ Normal-Service => 0x00</programlisting>
|
||||
<refsect1>
|
||||
<title>FILES</title>
|
||||
|
||||
<para>/etc/shorewall/tcrules</para>
|
||||
<para>/etc/shorewall/mangle</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
1148
Shorewall6/manpages/shorewall6-mangle.xml
Normal file
File diff suppressed because it is too large
@ -134,7 +134,9 @@
|
||||
<para><filename>/etc/shorewall/tcrules </filename>- The file has a
|
||||
rather unfortunate name because it is used to define marking of
|
||||
packets for later use by both traffic control/shaping and policy
|
||||
routing.</para>
|
||||
routing. This file is superceded by
|
||||
<filename>/etc/shorewall/mangle</filename> in Shorewall
|
||||
4.6.0.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -275,6 +277,12 @@
|
||||
<para><filename>/usr/share/arprules</filename> — Added in Shorewall
|
||||
4.5.12. Allows specification of arptables rules.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/mangle</filename> -- Added in
|
||||
Shorewall 4.6.0. Supercedes<filename>
|
||||
/etc/shorewall/tcrules</filename>.</para>
|
||||
</listitem>
|
||||
</itemizedlist></para>
|
||||
|
||||
<para><emphasis role="bold">If you need to change a file in
|
||||
@ -356,10 +364,14 @@ ACCEPT net $FW tcp www #This is an end-of-line comment</progra
|
||||
<para>Example: Traffic from zone A to zone B would go through chain A2B
|
||||
(think "A to B") or "A-B".</para>
|
||||
|
||||
<para>The default separator is "2" but you can override that by setting
|
||||
ZONE_SEPARATOR="-" in <ulink
|
||||
<para>In Shorewall 4.6, the default separator is "-" but you can override
|
||||
that by setting ZONE_SEPARATOR="2" in <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
||||
|
||||
<note>
|
||||
<para>Prior to Shorewall 4.6, the default separator was "2".</para>
|
||||
</note>
|
||||
|
||||
<para>Zones themselves have names that begin with a letter and are
|
||||
composed of letters, numerals, and "_". The maximum length of a name is
|
||||
dependent on the setting of LOGFORMAT in <ulink
|
||||
@ -421,36 +433,36 @@ ACCEPT net $FW tcp www #This is an end-of-line comment</progra
|
||||
</itemizedlist>
|
||||
|
||||
<para>To attach a comment to one or more rules, insert a record above the
|
||||
rules that begins with the word COMMENT (must be in all caps). The
|
||||
rules that begins with the word ?COMMENT (must be in all caps). The
|
||||
remainder of the line is treated as a comment -- that comment will appear
|
||||
delimited by "/* ... */" in the output of the <command>shorewall[-lite]
|
||||
show</command> and <command>shorewall[-lite] dump</command> commands. The
|
||||
comment will be attached to each generated rule until another COMMENT line
|
||||
appears. To stop attaching comments to rules, simply insert a line that
|
||||
contains the single word COMMENT.</para>
|
||||
comment will be attached to each generated rule until another ?COMMENT
|
||||
line appears. To stop attaching comments to rules, simply insert a line
|
||||
that contains the single word ?COMMENT.</para>
|
||||
|
||||
<para>Example (<filename>/etc/shorewall/rules</filename>):</para>
|
||||
|
||||
<programlisting>COMMENT Stop NETBIOS noise
|
||||
<programlisting>?COMMENT Stop NETBIOS noise
|
||||
|
||||
REJECT loc net tcp 137,445
|
||||
REJECT loc net udp 137:139
|
||||
|
||||
COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
|
||||
?COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
|
||||
|
||||
DROP loc:!192.168.0.0/22 net
|
||||
|
||||
COMMENT</programlisting>
|
||||
?COMMENT</programlisting>
|
||||
|
||||
<para>Here's the corresponding output from
|
||||
<filename>/sbin/shorewall-lite</filename>:</para>
|
||||
|
||||
<programlisting>gateway:~ # <command>shorewall-lite show loc2net</command>
|
||||
<programlisting>gateway:~ # <command>shorewall-lite show loc-net</command>
|
||||
Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008
|
||||
|
||||
Counters reset Mon Oct 16 14:52:17 PDT 2006
|
||||
|
||||
Chain loc2net (1 references)
|
||||
Chain loc-net (1 references)
|
||||
pkts bytes target prot opt in out source destination
|
||||
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
|
||||
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
|
||||
@ -467,8 +479,8 @@ gateway:~ #
|
||||
|
||||
</programlisting>
|
||||
|
||||
<para>COMMENT lines in macro files work somewhat differently from other
|
||||
files. COMMENT lines in macros are ignored if COMMENT support is not
|
||||
<para>?COMMENT lines in macro files work somewhat differently from other
|
||||
files. ?COMMENT lines in macros are ignored if COMMENT support is not
|
||||
available or if there was a COMMENT in use when the top-level macro was
|
||||
invoked. This allows the following:</para>
|
||||
|
||||
@ -476,12 +488,12 @@ gateway:~ #
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
COMMENT SSH
|
||||
?COMMENT SSH
|
||||
PARAM - - tcp 22 </programlisting>
|
||||
<filename>/etc/shorewall/rules</filename>:<programlisting>COMMENT Allow SSH from home
|
||||
<filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
|
||||
SSH(ACCEPT) net:$MYIP $FW
|
||||
COMMENT</programlisting>The comment line in macro.SSH will not override the
|
||||
COMMENT line in the rules file and the generated rule will show <emphasis
|
||||
?COMMENT</programlisting>The comment line in macro.SSH will not override the
|
||||
?COMMENT line in the rules file and the generated rule will show <emphasis
|
||||
role="bold">/* Allow SSH from home */</emphasis> when displayed through
|
||||
the Shorewall show and dump commands.</para>
|
||||
</section>
|
||||
@ -571,8 +583,8 @@ ACCEPT net:\
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>At any point, you can enter a semicolon (';') followed by one or
|
||||
more specifications of the following forms:</para>
|
||||
<para>At any point, you can enter a left curly bracket ('{') followed
|
||||
by one or more specifications of the following forms:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><replaceable>column-name</replaceable>=<replaceable>value</replaceable></member>
|
||||
@ -582,6 +594,9 @@ ACCEPT net:\
|
||||
<member><replaceable>column-name</replaceable>:<replaceable>value</replaceable></member>
|
||||
</simplelist>
|
||||
|
||||
<para>The pairs must be followed by a right curly bracket
|
||||
("}").</para>
|
||||
|
||||
<para>The value may optionally be enclosed in double quotes.</para>
|
||||
|
||||
<para>The pairs must be separated by white space, but you can add a
|
||||
@ -589,19 +604,23 @@ ACCEPT net:\
|
||||
readability as in:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><emphasis role="bold">; proto=>udp,
|
||||
port=1024</emphasis></member>
|
||||
<member><emphasis role="bold">{ proto=>udp, port=1024
|
||||
}</emphasis></member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You can enclose the pairs in curly brackets ("{...}") rather
|
||||
than separating them from columns by a semicolon:</para>
|
||||
<para>You can also separate the pairs from columns by using a
|
||||
semicolon:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><emphasis role="bold">{ proto:udp, port:1024
|
||||
}</emphasis></member>
|
||||
<member><emphasis role="bold">; proto:udp,
|
||||
port:1024</emphasis></member>
|
||||
</simplelist>
|
||||
|
||||
<para>That usage is deprecated beginning with Shorewall 4.6.0. See the
|
||||
INLINE_MATCHES option in <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@ -673,6 +692,12 @@ ACCEPT net:\
|
||||
<entry>disposition,interface,mac,addresses</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>mangle</entry>
|
||||
|
||||
<entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>masq</entry>
|
||||
|
||||
|