forked from extern/shorewall_code
Merge branch '5.2.5'
This commit is contained in:
commit
bac493c2c5
@ -937,11 +937,28 @@ show_events() {
|
||||
fi
|
||||
}
|
||||
|
||||
sort_actions() {
|
||||
local sep #separates sort keys from the action[.std] record
|
||||
sep="##"
|
||||
|
||||
awk -v sep="$sep" \
|
||||
'BEGIN { action = ""; ifrec = ""; nr = 0; };\
|
||||
/^#/ { next; };\
|
||||
/^\?(if|IF|If)/ { ifrec = $0; nr = NR; next; };\
|
||||
/^( |\t|\?)/ { if ( action != "" ) print action, NR, sep $0; next; };\
|
||||
{ action = $1; };\
|
||||
nr != 0 { print action , nr, sep ifrec; nr = 0; };\
|
||||
{ print action , NR, sep $0; }' | sort -k 1,2 | sed "s/^.*${sep}//"
|
||||
}
|
||||
|
||||
show_actions() {
|
||||
if [ -f ${g_confdir}/actions ]; then
|
||||
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
|
||||
local actions
|
||||
actions=$(find_file actions)
|
||||
|
||||
if [ -f ${actions} ]; then
|
||||
cat ${actions} ${g_sharedir}/actions.std | sort_actions
|
||||
else
|
||||
grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
|
||||
sort_actions < ${g_sharedir}/actions.std
|
||||
fi
|
||||
}
|
||||
|
||||
@ -1108,10 +1125,6 @@ show_blacklists() {
|
||||
show_bl;
|
||||
}
|
||||
|
||||
show_actions_sorted() {
|
||||
show_actions | sort -u -k 1,1
|
||||
}
|
||||
|
||||
show_macros() {
|
||||
for directory in $(split $CONFIG_PATH); do
|
||||
temp=
|
||||
@ -1543,7 +1556,7 @@ show_command() {
|
||||
;;
|
||||
actions)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_actions_sorted $g_pager
|
||||
eval show_actions $g_pager
|
||||
return
|
||||
;;
|
||||
macro)
|
||||
@ -4012,7 +4025,7 @@ get_config() {
|
||||
|
||||
ensure_config_path
|
||||
|
||||
[ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
|
||||
[ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
|
||||
|
||||
[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
|
@ -5970,9 +5970,9 @@ sub process_snat( )
|
||||
{
|
||||
my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
|
||||
split_line2( 'snat file',
|
||||
{ action => 0, source => 1, dest => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
|
||||
{ action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
|
||||
{}, #Nopad
|
||||
undef, #Columns
|
||||
11, #Columns
|
||||
1 ); #Allow inline matches
|
||||
|
||||
fatal_error 'ACTION must be specified' if $action eq '-';
|
||||
|
@ -13,7 +13,7 @@
|
||||
#
|
||||
# See https://shorewall.org/manpages/shorewall-snat.html for more information
|
||||
###########################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
|
||||
#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
|
||||
#
|
||||
# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
|
||||
#
|
||||
|
@ -13,7 +13,7 @@
|
||||
#
|
||||
# See https://shorewall.org/manpages/shorewall-snat.html for more information
|
||||
###########################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
|
||||
#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
|
||||
#
|
||||
# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
|
||||
#
|
||||
|
@ -1 +1 @@
|
||||
5.2.5-Beta2
|
||||
5.2.5.1
|
||||
|
@ -6,4 +6,4 @@
|
||||
# See https://shorewall.org/manpages/shorewall-snat.html for more information
|
||||
#
|
||||
###########################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
|
||||
#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
|
||||
|
@ -39,8 +39,8 @@
|
||||
<para>If you have more than one ISP link, adding entries to this file
|
||||
will <emphasis role="bold">not</emphasis> force connections to go out
|
||||
through a particular link. You must use entries in <ulink
|
||||
url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
|
||||
PREROUTING entries in <ulink
|
||||
url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
|
||||
entries in <ulink
|
||||
url="shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
|
||||
that.</para>
|
||||
</warning>
|
||||
@ -68,10 +68,10 @@
|
||||
<listitem>
|
||||
<para>where <replaceable>action</replaceable> is an action
|
||||
declared in <ulink
|
||||
url="shorewall-actions.html">shorewall-actions(5)</ulink>
|
||||
with the <option>nat</option> option. See <ulink
|
||||
url="../Actions.html">https://shorewall.org/Actions.html</ulink> for
|
||||
further information.</para>
|
||||
url="shorewall-actions.html">shorewall-actions(5)</ulink> with
|
||||
the <option>nat</option> option. See <ulink
|
||||
url="../Actions.html">https://shorewall.org/Actions.html</ulink>
|
||||
for further information.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -165,9 +165,9 @@
|
||||
<para>If you specify an address here, matching packets will
|
||||
have their source address set to that address. If
|
||||
ADD_SNAT_ALIASES is set to Yes or yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||
then Shorewall will automatically add this address to the
|
||||
INTERFACE named in the first column (IPv4 only).</para>
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) then
|
||||
Shorewall will automatically add this address to the INTERFACE
|
||||
named in the first column (IPv4 only).</para>
|
||||
|
||||
<para>You may also specify a range of up to 256 IP addresses
|
||||
if you want the SNAT address to be assigned from that range in
|
||||
@ -237,10 +237,10 @@
|
||||
|
||||
<para>Normally Masq/SNAT rules are evaluated after those for
|
||||
one-to-one NAT (defined in <ulink
|
||||
url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you
|
||||
want the rule to be applied before one-to-one NAT rules, follow the
|
||||
action name with "+": This feature should only be required if you
|
||||
need to insert rules in this file that preempt entries in <ulink
|
||||
url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
|
||||
rule to be applied before one-to-one NAT rules, follow the action
|
||||
name with "+": This feature should only be required if you need to
|
||||
insert rules in this file that preempt entries in <ulink
|
||||
url="shorewall-nat.html">shorewall-nat</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -279,23 +279,23 @@
|
||||
networks. Multiple interfaces may be listed when the ACTION is
|
||||
MASQUERADE, but this is usually just your internet interface. If
|
||||
ADD_SNAT_ALIASES=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), you
|
||||
may add ":" and a <emphasis>digit</emphasis> to indicate that you
|
||||
want the alias added with that name (e.g., eth0:0). This will allow
|
||||
the alias to be displayed with ifconfig. <emphasis role="bold">That
|
||||
is the only use for the alias name; it may not appear in any other
|
||||
place in your Shorewall configuration.</emphasis></para>
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
|
||||
and a <emphasis>digit</emphasis> to indicate that you want the alias
|
||||
added with that name (e.g., eth0:0). This will allow the alias to be
|
||||
displayed with ifconfig. <emphasis role="bold">That is the only use
|
||||
for the alias name; it may not appear in any other place in your
|
||||
Shorewall configuration.</emphasis></para>
|
||||
|
||||
<para>Beginning with Shorewall 5.1.12, SNAT may be performed in the
|
||||
nat table's INPUT chain by specifying $FW rather than one or more
|
||||
interfaces. </para>
|
||||
interfaces.</para>
|
||||
|
||||
<para>Each interface must match an entry in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
Shorewall allows loose matches to wildcard entries in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
For example, <filename class="devicefile">ppp0</filename> in this
|
||||
file will match a <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
|
||||
example, <filename class="devicefile">ppp0</filename> in this file
|
||||
will match a <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||
entry that defines <filename
|
||||
class="devicefile">ppp+</filename>.</para>
|
||||
@ -315,8 +315,8 @@
|
||||
addresses to indicate that you only want to change the source IP
|
||||
address for packets being sent to those particular destinations.
|
||||
Exclusion is allowed (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
|
||||
as are ipset names preceded by a plus sign '+';</para>
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
|
||||
are ipset names preceded by a plus sign '+';</para>
|
||||
|
||||
<para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
|
||||
entry then include the ":" but omit the digit:</para>
|
||||
@ -341,8 +341,7 @@
|
||||
<listitem>
|
||||
<para>If you wish to restrict this entry to a particular protocol
|
||||
then enter the protocol name (from protocols(5)) or number here. See
|
||||
<ulink
|
||||
url="shorewall-rules.html">shorewall-rules(5)</ulink> for
|
||||
<ulink url="shorewall-rules.html">shorewall-rules(5)</ulink> for
|
||||
details.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
||||
@ -356,10 +355,14 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORT</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">{PORT|DPORT}</emphasis> (Optional) -
|
||||
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>The column was renamed to DPORT in Shorewall 5.2.5.2.
|
||||
Beginning with that release, both PORT and DPORT are accepted in the
|
||||
alternative input format, </para>
|
||||
|
||||
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
|
||||
SCTP (132) or UDPLITE (136) then you may list one or more port
|
||||
numbers (or names from services(5)) or port ranges separated by
|
||||
|
@ -6,4 +6,4 @@
|
||||
# See https://shorewall.org/manpages/shorewall-snat.html for more information
|
||||
#
|
||||
###########################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
|
||||
#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
|
||||
|
@ -663,7 +663,7 @@ ACCEPT net:\
|
||||
<row>
|
||||
<entry>mangle</entry>
|
||||
|
||||
<entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
|
||||
<entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers,probability,dscp,switch</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -738,6 +738,14 @@ ACCEPT net:\
|
||||
<entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>snat</entry>
|
||||
|
||||
<entry>action,source,dest,proto,port,ipsec,mark,user,switch,origdest,probability
|
||||
(Note: 'port' may be specified as 'dport' beginning with Shorewall
|
||||
5.2.5.2).</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>tcclasses</entry>
|
||||
|
||||
|
@ -1 +1 @@
|
||||
5.2.5-RC1
|
||||
5.2.5.1
|
||||
|
Loading…
Reference in New Issue
Block a user