Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code

Tom Eastep 2014-01-16 07:47:26 -08:00
commit a5906ece44
3 changed files with 91 additions and 63 deletions

View File

@ -1546,7 +1546,7 @@ do_dump_command() {
} }
dump_command() { dump_command() {
do_dump_command | dump_filter do_dump_command $@ | dump_filter
} }
# #
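Review bot: In dump_command(), the new `$@` is unquoted, so any argument containing whitespace or glob characters is split or expanded before do_dump_command sees it. Use `do_dump_command "$@" | dump_filter` so the options are forwarded exactly as they were passed.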
@ -3423,7 +3423,7 @@ usage() # $1 = exit status
echo " delete <interface>[:<host-list>] ... <zone>" echo " delete <interface>[:<host-list>] ... <zone>"
echo " disable <interface>" echo " disable <interface>"
echo " drop <address> ..." echo " drop <address> ..."
echo " dump [ -x ]" echo " dump [ -x ] [ -l ] [ -m ]"
echo " enable <interface>" echo " enable <interface>"
echo " forget [ <file name> ]" echo " forget [ <file name> ]"
echo " help" echo " help"
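Review bot: The usage line for dump now advertises `[ -l ] [ -m ]`, but none of the manpage hunks shown in this commit describes those options for dump. Add the matching text to the dump entry in the manpage, and say whether `-m` means the same MAC-address display it does for logwatch and show log.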

View File

@ -6,6 +6,8 @@
<refentrytitle>shorewall</refentrytitle> <refentrytitle>shorewall</refentrytitle>
<manvolnum>8</manvolnum> <manvolnum>8</manvolnum>
<refmiscinfo>Administrative Commands</refmiscinfo>
</refmeta> </refmeta>
<refnamediv> <refnamediv>
@ -742,9 +744,9 @@
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
options are omitted, the amount of output is determined by the setting of options are omitted, the amount of output is determined by the setting of
the VERBOSITY parameter in <ulink the VERBOSITY parameter in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). Each
role="bold">v</emphasis> adds one to the effective verbosity and each <emphasis role="bold">v</emphasis> adds one to the effective verbosity and
<emphasis role="bold">q</emphasis> subtracts one from the effective each <emphasis role="bold">q</emphasis> subtracts one from the effective
VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY. followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY.
There may be no white-space between <emphasis role="bold">v</emphasis> and There may be no white-space between <emphasis role="bold">v</emphasis> and
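Review bot: The paragraph re-wrapped here still carries the duplicated wording "to specify a specify VERBOSITY" in its context line. Since the paragraph is being touched anyway, correct that sentence in the same pass rather than only moving the line breaks.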
@ -784,10 +786,10 @@
<para>Beginning with Shorewall 4.5.9, the <emphasis <para>Beginning with Shorewall 4.5.9, the <emphasis
role="bold">dynamic_shared</emphasis> zone option (<ulink role="bold">dynamic_shared</emphasis> zone option (<ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)) allows a url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5))
single ipset to handle entries for multiple interfaces. When that allows a single ipset to handle entries for multiple interfaces.
option is specified for a zone, the <command>add</command> command When that option is specified for a zone, the <command>add</command>
has the alternative syntax in which the command has the alternative syntax in which the
<replaceable>zone</replaceable> name precedes the <replaceable>zone</replaceable> name precedes the
<replaceable>host-list</replaceable>.</para> <replaceable>host-list</replaceable>.</para>
</listitem> </listitem>
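Review bot: This hunk only moves line breaks in the dynamic_shared paragraph; no wording changes. Whitespace-only reflows like this one make the functional change to dump hard to find in the same commit, so consider landing the reflow separately.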
@ -839,7 +841,8 @@
warning message to be issued if the line current line contains warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para> <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
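Review bot: The context line "if the line current line contains" has a stray "line" and reads as a typo for "if the current line contains". The same sentence recurs in the other INLINE_MATCHES hunks of this file, so fix it in each place while the closing `<ulink>` is being re-wrapped.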
@ -912,7 +915,8 @@
warning message to be issued if the line current line contains warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para> <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -931,11 +935,11 @@
<para>Beginning with Shorewall 4.5.9, the <emphasis <para>Beginning with Shorewall 4.5.9, the <emphasis
role="bold">dynamic_shared</emphasis> zone option (<ulink role="bold">dynamic_shared</emphasis> zone option (<ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5)) allows a url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5))
single ipset to handle entries for multiple interfaces. When that allows a single ipset to handle entries for multiple interfaces.
option is specified for a zone, the <command>delete</command> When that option is specified for a zone, the
command has the alternative syntax in which the <command>delete</command> command has the alternative syntax in
<replaceable>zone</replaceable> name precedes the which the <replaceable>zone</replaceable> name precedes the
<replaceable>host-list</replaceable>.</para> <replaceable>host-list</replaceable>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -954,8 +958,8 @@
any optional network interface. <replaceable>interface</replaceable> any optional network interface. <replaceable>interface</replaceable>
may be either the logical or physical name of the interface. The may be either the logical or physical name of the interface. The
command removes any routes added from <ulink command removes any routes added from <ulink
url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5) and any url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
traffic shaping configuration for the interface.</para> and any traffic shaping configuration for the interface.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1001,8 +1005,9 @@
may be either the logical or physical name of the interface. The may be either the logical or physical name of the interface. The
command sets <filename>/proc</filename> entries for the interface, command sets <filename>/proc</filename> entries for the interface,
adds any route specified in <ulink adds any route specified in <ulink
url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5) and installs url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
the interface's traffic shaping configuration, if any.</para> and installs the interface's traffic shaping configuration, if
any.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1148,7 +1153,8 @@
warning message to be issued if the line current line contains warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para> <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1159,7 +1165,8 @@
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then discarded. Logging occurs at the log level to be logged then discarded. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para> url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
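Review bot: The re-wrap keeps the space between `shorewall.conf</ulink>` and `(5)` and now puts `(5).` on a line of its own, whereas the other references in this file are written `</ulink>(5)` with no space. Drop the space so the section number stays attached to the link text and the references are consistent.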
@ -1168,16 +1175,16 @@
<listitem> <listitem>
<para>Monitors the log file specified by the LOGFILE option in <para>Monitors the log file specified by the LOGFILE option in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
produces an audible alarm when new Shorewall messages are logged. and produces an audible alarm when new Shorewall messages are
The <emphasis role="bold">-m</emphasis> option causes the MAC logged. The <emphasis role="bold">-m</emphasis> option causes the
address of each packet source to be displayed if that information is MAC address of each packet source to be displayed if that
available. The <replaceable>refresh-interval</replaceable> specifies information is available. The
the time in seconds between screen refreshes. You can enter a <replaceable>refresh-interval</replaceable> specifies the time in
negative number by preceding the number with "--" (e.g., seconds between screen refreshes. You can enter a negative number by
<command>shorewall logwatch -- -30</command>). In this case, when a preceding the number with "--" (e.g., <command>shorewall logwatch --
packet count changes, you will be prompted to hit any key to resume -30</command>). In this case, when a packet count changes, you will
screen refreshes.</para> be prompted to hit any key to resume screen refreshes.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
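Review bot: The reflow splits the example inside `<command>` across two lines, between `shorewall logwatch --` and `-30</command>`. Keep the whole command on one source line so the example is readable and cannot pick up odd whitespace when rendered or copied.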
@ -1188,7 +1195,8 @@
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then rejected. Logging occurs at the log level to be logged then rejected. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para> url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1238,7 +1246,8 @@
warning message to be issued if the line current line contains warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para> <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>The -<option>D</option> option was added in Shorewall 4.5.3 <para>The -<option>D</option> option was added in Shorewall 4.5.3
and causes Shorewall to look in the given and causes Shorewall to look in the given
@ -1306,7 +1315,8 @@
warning message to be issued if the line current line contains warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para> <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1348,9 +1358,9 @@
<para>The <option>-c</option> option was added in Shorewall 4.4.20 <para>The <option>-c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink AUTOMAKE setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When both url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
<option>-f</option> and <option>-c</option>are present, the result both <option>-f</option> and <option>-c</option>are present, the
is determined by the option that appears last.</para> result is determined by the option that appears last.</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3 <para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each and causes a Perl stack trace to be included with each
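Review bot: In the `-c` paragraph, `<option>-c</option>are present` is missing a space before "are", and the re-wrapped version keeps the defect. Insert the space here and in the identical `-c` paragraph further down the file.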
@ -1360,7 +1370,8 @@
warning message to be issued if the line current line contains warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para> <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1575,8 +1586,8 @@
<listitem> <listitem>
<para>Displays the last 20 Shorewall messages from the log <para>Displays the last 20 Shorewall messages from the log
file specified by the LOGFILE option in <ulink file specified by the LOGFILE option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
<emphasis role="bold">-m</emphasis> option causes the MAC The <emphasis role="bold">-m</emphasis> option causes the MAC
address of each packet source to be displayed if that address of each packet source to be displayed if that
information is available.</para> information is available.</para>
</listitem> </listitem>
@ -1690,15 +1701,17 @@
Shorewall will look in that <emphasis>directory</emphasis> first for Shorewall will look in that <emphasis>directory</emphasis> first for
configuration files. If <emphasis role="bold">-f</emphasis> is configuration files. If <emphasis role="bold">-f</emphasis> is
specified, the saved configuration specified by the RESTOREFILE specified, the saved configuration specified by the RESTOREFILE
option in <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) option in <ulink
will be restored if that saved configuration exists and has been url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) will
modified more recently than the files in /etc/shorewall. When be restored if that saved configuration exists and has been modified
<emphasis role="bold">-f</emphasis> is given, a more recently than the files in /etc/shorewall. When <emphasis
role="bold">-f</emphasis> is given, a
<replaceable>directory</replaceable> may not be specified.</para> <replaceable>directory</replaceable> may not be specified.</para>
<para>Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was <para>Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
added to <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). added to <ulink
When LEGACY_FASTSTART=No, the modification times of files in url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
LEGACY_FASTSTART=No, the modification times of files in
/etc/shorewall are compared with that of /var/lib/shorewall/firewall /etc/shorewall are compared with that of /var/lib/shorewall/firewall
(the compiled script that last started/restarted the (the compiled script that last started/restarted the
firewall).</para> firewall).</para>
@ -1713,9 +1726,9 @@
<para>The <option>-c</option> option was added in Shorewall 4.4.20 <para>The <option>-c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink AUTOMAKE setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When both url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
<option>-f</option> and <option>-c</option>are present, the result both <option>-f</option> and <option>-c</option>are present, the
is determined by the option that appears last.</para> result is determined by the option that appears last.</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3 <para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each and causes a Perl stack trace to be included with each
@ -1725,7 +1738,8 @@
warning message to be issued if the line current line contains warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para> <ulink
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
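Review bot: In this hunk the section number is inside the link, `shorewall.conf(5)</ulink>`, while every other reference in the file places it after the closing tag as `shorewall.conf</ulink>(5)`. Move the `(5)` outside the `<ulink>` to match.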
@ -1737,9 +1751,9 @@
listed in <ulink listed in <ulink
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5) url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or permitted by the ADMINISABSENTMINDED option in <ulink or permitted by the ADMINISABSENTMINDED option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), are taken down. url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), are
The only new traffic permitted through the firewall is from systems taken down. The only new traffic permitted through the firewall is
listed in <ulink from systems listed in <ulink
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5) url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para> or by ADMINISABSENTMINDED.</para>
@ -1814,14 +1828,16 @@
<para>The <option>-b</option> option was added in Shorewall 4.4.26 <para>The <option>-b</option> option was added in Shorewall 4.4.26
and causes legacy blacklisting rules (<ulink and causes legacy blacklisting rules (<ulink
url="/manpages/shorewall-blacklist.html">shorewall-blacklist</ulink> (5) ) to url="/manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>
be converted to entries in the blrules file (<ulink (5) ) to be converted to entries in the blrules file (<ulink
url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5) ). The url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)
blacklist keyword is removed from <ulink ). The blacklist keyword is removed from <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5), <ulink url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5),
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5) and <ulink
<ulink url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink> (5). The url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
unmodified files are saved with a .bak suffix.</para> (5) and <ulink
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink> (5).
The unmodified files are saved with a .bak suffix.</para>
<para>The <option>-D</option> option was added in Shorewall 4.5.11. <para>The <option>-D</option> option was added in Shorewall 4.5.11.
When this option is specified, the compiler will walk through the When this option is specified, the compiler will walk through the
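Review bot: In the `-b` paragraph the re-wrap leaves the spaced form `</ulink> (5) )` and now breaks it so that a line begins with `). The blacklist keyword`. Tighten these to `</ulink>(5))` and `</ulink>(5)` as used elsewhere in the file, which also avoids the orphaned closing parenthesis.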
@ -1834,7 +1850,8 @@
warning message to be issued if the line current line contains warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para> <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>For a description of the other options, see the <emphasis <para>For a description of the other options, see the <emphasis
role="bold">check</emphasis> command above.</para> role="bold">check</emphasis> command above.</para>

View File

@ -3168,5 +3168,16 @@ EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
<section>
<title id="faq102">(FAQ 102) What is 'qt'? I see it in some of the older
documentation.</title>
<para><emphasis role="bold">Answer</emphasis>: 'qt' stands for 'quiet';
qt() is a shell function that accepts a command with arguments as
parameters. It redirects both standard out and standard error to
/dev/null. It is defined in the Shorewall-core shell library
lib.common.</para>
</section>
</section> </section>
</article> </article>
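Review bot: The FAQ 102 answer says qt() "accepts a command with arguments as parameters" but never states that it runs that command, which is the point a reader of older documentation needs. Say so explicitly, and write "standard output" rather than "standard out" to match "standard error".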