Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code

Tom Eastep 2014-01-16 07:47:26 -08:00
commit a5906ece44
3 changed files with 91 additions and 63 deletions

@ -1546,7 +1546,7 @@ do_dump_command() {
}
dump_command() {
do_dump_command | dump_filter
do_dump_command $@ | dump_filter
}
#
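Review bot: $@ is unquoted in the new dump_command body (do_dump_command $@ | dump_filter), so the arguments are split again on whitespace and undergo pathname expansion before do_dump_command sees them. Use do_dump_command "$@" | dump_filter so each option is passed through exactly as dump_command received it.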
@ -3423,7 +3423,7 @@ usage() # $1 = exit status
echo " delete <interface>[:<host-list>] ... <zone>"
echo " disable <interface>"
echo " drop <address> ..."
echo " dump [ -x ]"
echo " dump [ -x ] [ -l ] [ -m ]"
echo " enable <interface>"
echo " forget [ <file name> ]"
echo " help"
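Review bot: the usage line for dump now advertises -l and -m, but none of the shorewall(8) hunks shown in this commit describes them; the manpage changes visible here only re-wrap existing paragraphs. Add a sentence for each new option to the dump entry in the manpage, or say in the commit message where they are documented.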

@ -6,6 +6,8 @@
<refentrytitle>shorewall</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>Administrative Commands</refmiscinfo>
</refmeta>
<refnamediv>
@ -742,9 +744,9 @@
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
options are omitted, the amount of output is determined by the setting of
the VERBOSITY parameter in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
role="bold">v</emphasis> adds one to the effective verbosity and each
<emphasis role="bold">q</emphasis> subtracts one from the effective
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). Each
<emphasis role="bold">v</emphasis> adds one to the effective verbosity and
each <emphasis role="bold">q</emphasis> subtracts one from the effective
VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY.
There may be no white-space between <emphasis role="bold">v</emphasis> and
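Review bot: the unchanged line "followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY" in this paragraph has a doubled word (probably meant "a specific VERBOSITY"). The hunk only re-wraps the two sentences above it, so this is a good moment to correct the wording in the same paragraph.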
@ -784,10 +786,10 @@
<para>Beginning with Shorewall 4.5.9, the <emphasis
role="bold">dynamic_shared</emphasis> zone option (<ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)) allows a
single ipset to handle entries for multiple interfaces. When that
option is specified for a zone, the <command>add</command> command
has the alternative syntax in which the
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5))
allows a single ipset to handle entries for multiple interfaces.
When that option is specified for a zone, the <command>add</command>
command has the alternative syntax in which the
<replaceable>zone</replaceable> name precedes the
<replaceable>host-list</replaceable>.</para>
</listitem>
@ -839,7 +841,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
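Review bot: the context line "warning message to be issued if the line current line contains" is garbled ("the line current line"), and the same sentence recurs in every copy of this INLINE_MATCHES paragraph touched further down. Since the only change in these hunks is moving <ulink onto its own line, fix the wording to "if the current line contains" in the same pass.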
@ -912,7 +915,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -931,11 +935,11 @@
<para>Beginning with Shorewall 4.5.9, the <emphasis
role="bold">dynamic_shared</emphasis> zone option (<ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)) allows a
single ipset to handle entries for multiple interfaces. When that
option is specified for a zone, the <command>delete</command>
command has the alternative syntax in which the
<replaceable>zone</replaceable> name precedes the
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5))
allows a single ipset to handle entries for multiple interfaces.
When that option is specified for a zone, the
<command>delete</command> command has the alternative syntax in
which the <replaceable>zone</replaceable> name precedes the
<replaceable>host-list</replaceable>.</para>
</listitem>
</varlistentry>
@ -954,8 +958,8 @@
any optional network interface. <replaceable>interface</replaceable>
may be either the logical or physical name of the interface. The
command removes any routes added from <ulink
url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5) and any
traffic shaping configuration for the interface.</para>
url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
and any traffic shaping configuration for the interface.</para>
</listitem>
</varlistentry>
@ -1001,8 +1005,9 @@
may be either the logical or physical name of the interface. The
command sets <filename>/proc</filename> entries for the interface,
adds any route specified in <ulink
url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5) and installs
the interface's traffic shaping configuration, if any.</para>
url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
and installs the interface's traffic shaping configuration, if
any.</para>
</listitem>
</varlistentry>
@ -1148,7 +1153,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -1159,7 +1165,8 @@
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then discarded. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
(5).</para>
</listitem>
</varlistentry>
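Review bot: the re-wrapped reference leaves "(5)." on a line of its own after </ulink>, keeping the space between the link and the section number, while most other references in this diff are written shorewall.conf</ulink>(5) with no space. Join it as </ulink>(5) here and in the matching hunk for the "logged then rejected" entry so the rendered text is consistent.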
@ -1168,16 +1175,16 @@
<listitem>
<para>Monitors the log file specified by the LOGFILE option in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and
produces an audible alarm when new Shorewall messages are logged.
The <emphasis role="bold">-m</emphasis> option causes the MAC
address of each packet source to be displayed if that information is
available. The <replaceable>refresh-interval</replaceable> specifies
the time in seconds between screen refreshes. You can enter a
negative number by preceding the number with "--" (e.g.,
<command>shorewall logwatch -- -30</command>). In this case, when a
packet count changes, you will be prompted to hit any key to resume
screen refreshes.</para>
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
and produces an audible alarm when new Shorewall messages are
logged. The <emphasis role="bold">-m</emphasis> option causes the
MAC address of each packet source to be displayed if that
information is available. The
<replaceable>refresh-interval</replaceable> specifies the time in
seconds between screen refreshes. You can enter a negative number by
preceding the number with "--" (e.g., <command>shorewall logwatch --
-30</command>). In this case, when a packet count changes, you will
be prompted to hit any key to resume screen refreshes.</para>
</listitem>
</varlistentry>
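Review bot: the new wrapping splits the example inside <command>shorewall logwatch -- -30</command> across two lines ("logwatch --" then "-30"), which makes the literal command harder to read and to search for in the XML source. Keep the whole <command> element on one line, as the removed version did.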
@ -1188,7 +1195,8 @@
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then rejected. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
(5).</para>
</listitem>
</varlistentry>
@ -1238,7 +1246,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>The -<option>D</option> option was added in Shorewall 4.5.3
and causes Shorewall to look in the given
@ -1306,7 +1315,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -1348,9 +1358,9 @@
<para>The <option>-c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When both
<option>-f</option> and <option>-c</option>are present, the result
is determined by the option that appears last.</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
both <option>-f</option> and <option>-c</option>are present, the
result is determined by the option that appears last.</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
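Review bot: "<option>-c</option>are present" is missing a space after the closing tag, and the re-wrapped line carries the defect over, so the options run into the following word when rendered. Change it to "<option>-c</option> are present"; the later copy of this paragraph has the same problem.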
@ -1360,7 +1370,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
@ -1575,8 +1586,8 @@
<listitem>
<para>Displays the last 20 Shorewall messages from the log
file specified by the LOGFILE option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
<emphasis role="bold">-m</emphasis> option causes the MAC
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
The <emphasis role="bold">-m</emphasis> option causes the MAC
address of each packet source to be displayed if that
information is available.</para>
</listitem>
@ -1690,15 +1701,17 @@
Shorewall will look in that <emphasis>directory</emphasis> first for
configuration files. If <emphasis role="bold">-f</emphasis> is
specified, the saved configuration specified by the RESTOREFILE
option in <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
will be restored if that saved configuration exists and has been
modified more recently than the files in /etc/shorewall. When
<emphasis role="bold">-f</emphasis> is given, a
option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) will
be restored if that saved configuration exists and has been modified
more recently than the files in /etc/shorewall. When <emphasis
role="bold">-f</emphasis> is given, a
<replaceable>directory</replaceable> may not be specified.</para>
<para>Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
added to <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
When LEGACY_FASTSTART=No, the modification times of files in
added to <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
LEGACY_FASTSTART=No, the modification times of files in
/etc/shorewall are compared with that of /var/lib/shorewall/firewall
(the compiled script that last started/restarted the
firewall).</para>
@ -1713,9 +1726,9 @@
<para>The <option>-c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When both
<option>-f</option> and <option>-c</option>are present, the result
is determined by the option that appears last.</para>
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
both <option>-f</option> and <option>-c</option>are present, the
result is determined by the option that appears last.</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
@ -1725,7 +1738,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
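Review bot: in this copy the section number sits inside the link text, shorewall.conf(5)</ulink>, whereas the other copies of this paragraph in the diff write shorewall.conf</ulink>(5). Move "(5)" outside </ulink> so all references are marked up the same way.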
@ -1737,9 +1751,9 @@
listed in <ulink
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or permitted by the ADMINISABSENTMINDED option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
The only new traffic permitted through the firewall is from systems
listed in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), are
taken down. The only new traffic permitted through the firewall is
from systems listed in <ulink
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para>
@ -1814,14 +1828,16 @@
<para>The <option>-b</option> option was added in Shorewall 4.4.26
and causes legacy blacklisting rules (<ulink
url="/manpages/shorewall-blacklist.html">shorewall-blacklist</ulink> (5) ) to
be converted to entries in the blrules file (<ulink
url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5) ). The
blacklist keyword is removed from <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5), <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5) and
<ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink> (5). The
unmodified files are saved with a .bak suffix.</para>
url="/manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>
(5) ) to be converted to entries in the blrules file (<ulink
url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)
). The blacklist keyword is removed from <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5),
<ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
(5) and <ulink
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink> (5).
The unmodified files are saved with a .bak suffix.</para>
<para>The <option>-D</option> option was added in Shorewall 4.5.11.
When this option is specified, the compiler will walk through the
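Review bot: the manpage references in the -b paragraph are written as "</ulink> (5) )" and "</ulink> (5),", and the re-wrap now leaves "(5) )" and ")." stranded at the start of lines. Tighten them to </ulink>(5)) and </ulink>(5), matching the shorewall.conf references elsewhere in this diff.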
@ -1834,7 +1850,8 @@
warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>For a description of the other options, see the <emphasis
role="bold">check</emphasis> command above.</para>

@ -3168,5 +3168,16 @@ EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
</listitem>
</orderedlist>
</section>
<section>
<title id="faq102">(FAQ 102) What is 'qt'? I see it in some of the older
documentation.</title>
<para><emphasis role="bold">Answer</emphasis>: 'qt' stands for 'quiet';
qt() is a shell function that accepts a command with arguments as
parameters. It redirects both standard out and standard error to
/dev/null. It is defined in the Shorewall-core shell library
lib.common.</para>
</section>
</section>
</article>
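Review bot: in the new FAQ 102 answer, /dev/null and lib.common are plain text and qt() carries no markup, while the manpage in this same commit uses <filename>/proc</filename> for paths. Wrap the two paths in <filename> and the function name in <function> (or <command>), and consider "standard output" in place of "standard out".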