Merge branch '5.2.5'

This commit is contained in:
Tom Eastep 2020-06-26 15:31:51 -07:00
commit bac493c2c5
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
10 changed files with 70 additions and 46 deletions

View File

@ -937,11 +937,28 @@ show_events() {
fi
}
sort_actions() {
local sep #separates sort keys from the action[.std] record
sep="##"
awk -v sep="$sep" \
'BEGIN { action = ""; ifrec = ""; nr = 0; };\
/^#/ { next; };\
/^\?(if|IF|If)/ { ifrec = $0; nr = NR; next; };\
/^( |\t|\?)/ { if ( action != "" ) print action, NR, sep $0; next; };\
{ action = $1; };\
nr != 0 { print action , nr, sep ifrec; nr = 0; };\
{ print action , NR, sep $0; }' | sort -k 1,2 | sed "s/^.*${sep}//"
}
show_actions() {
if [ -f ${g_confdir}/actions ]; then
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
local actions
actions=$(find_file actions)
if [ -f ${actions} ]; then
cat ${actions} ${g_sharedir}/actions.std | sort_actions
else
grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
sort_actions < ${g_sharedir}/actions.std
fi
}
@ -1108,10 +1125,6 @@ show_blacklists() {
show_bl;
}
show_actions_sorted() {
show_actions | sort -u -k 1,1
}
show_macros() {
for directory in $(split $CONFIG_PATH); do
temp=
@ -1543,7 +1556,7 @@ show_command() {
;;
actions)
[ $# -gt 1 ] && too_many_arguments $2
eval show_actions_sorted $g_pager
eval show_actions $g_pager
return
;;
macro)
@ -4012,7 +4025,7 @@ get_config() {
ensure_config_path
[ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
[ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

View File

@ -5970,9 +5970,9 @@ sub process_snat( )
{
my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
split_line2( 'snat file',
{ action => 0, source => 1, dest => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
{ action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
{}, #Nopad
undef, #Columns
11, #Columns
1 ); #Allow inline matches
fatal_error 'ACTION must be specified' if $action eq '-';

View File

@ -13,7 +13,7 @@
#
# See https://shorewall.org/manpages/shorewall-snat.html for more information
###########################################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
#
# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
#

View File

@ -13,7 +13,7 @@
#
# See https://shorewall.org/manpages/shorewall-snat.html for more information
###########################################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
#
# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
#

View File

@ -1 +1 @@
5.2.5-Beta2
5.2.5.1

View File

@ -6,4 +6,4 @@
# See https://shorewall.org/manpages/shorewall-snat.html for more information
#
###########################################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY

View File

@ -39,8 +39,8 @@
<para>If you have more than one ISP link, adding entries to this file
will <emphasis role="bold">not</emphasis> force connections to go out
through a particular link. You must use entries in <ulink
url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
PREROUTING entries in <ulink
url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
entries in <ulink
url="shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
that.</para>
</warning>
@ -68,10 +68,10 @@
<listitem>
<para>where <replaceable>action</replaceable> is an action
declared in <ulink
url="shorewall-actions.html">shorewall-actions(5)</ulink>
with the <option>nat</option> option. See <ulink
url="../Actions.html">https://shorewall.org/Actions.html</ulink> for
further information.</para>
url="shorewall-actions.html">shorewall-actions(5)</ulink> with
the <option>nat</option> option. See <ulink
url="../Actions.html">https://shorewall.org/Actions.html</ulink>
for further information.</para>
</listitem>
</varlistentry>
@ -165,9 +165,9 @@
<para>If you specify an address here, matching packets will
have their source address set to that address. If
ADD_SNAT_ALIASES is set to Yes or yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
then Shorewall will automatically add this address to the
INTERFACE named in the first column (IPv4 only).</para>
url="shorewall.conf.html">shorewall.conf</ulink>(5) then
Shorewall will automatically add this address to the INTERFACE
named in the first column (IPv4 only).</para>
<para>You may also specify a range of up to 256 IP addresses
if you want the SNAT address to be assigned from that range in
@ -237,10 +237,10 @@
<para>Normally Masq/SNAT rules are evaluated after those for
one-to-one NAT (defined in <ulink
url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you
want the rule to be applied before one-to-one NAT rules, follow the
action name with "+": This feature should only be required if you
need to insert rules in this file that preempt entries in <ulink
url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
rule to be applied before one-to-one NAT rules, follow the action
name with "+": This feature should only be required if you need to
insert rules in this file that preempt entries in <ulink
url="shorewall-nat.html">shorewall-nat</ulink>(5).</para>
</listitem>
</varlistentry>
@ -279,23 +279,23 @@
networks. Multiple interfaces may be listed when the ACTION is
MASQUERADE, but this is usually just your internet interface. If
ADD_SNAT_ALIASES=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5), you
may add ":" and a <emphasis>digit</emphasis> to indicate that you
want the alias added with that name (e.g., eth0:0). This will allow
the alias to be displayed with ifconfig. <emphasis role="bold">That
is the only use for the alias name; it may not appear in any other
place in your Shorewall configuration.</emphasis></para>
url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
and a <emphasis>digit</emphasis> to indicate that you want the alias
added with that name (e.g., eth0:0). This will allow the alias to be
displayed with ifconfig. <emphasis role="bold">That is the only use
for the alias name; it may not appear in any other place in your
Shorewall configuration.</emphasis></para>
<para>Beginning with Shorewall 5.1.12, SNAT may be performed in the
nat table's INPUT chain by specifying $FW rather than one or more
interfaces. </para>
interfaces.</para>
<para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
For example, <filename class="devicefile">ppp0</filename> in this
file will match a <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
@ -315,8 +315,8 @@
addresses to indicate that you only want to change the source IP
address for packets being sent to those particular destinations.
Exclusion is allowed (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
as are ipset names preceded by a plus sign '+';</para>
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
are ipset names preceded by a plus sign '+';</para>
<para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
entry then include the ":" but omit the digit:</para>
@ -341,8 +341,7 @@
<listitem>
<para>If you wish to restrict this entry to a particular protocol
then enter the protocol name (from protocols(5)) or number here. See
<ulink
url="shorewall-rules.html">shorewall-rules(5)</ulink> for
<ulink url="shorewall-rules.html">shorewall-rules(5)</ulink> for
details.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
@ -356,10 +355,14 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PORT</emphasis> (Optional) -
<term><emphasis role="bold">{PORT|DPORT}</emphasis> (Optional) -
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>The column was renamed to DPORT in Shorewall 5.2.5.2.
Beginning with that release, both PORT and DPORT are accepted in the
alternative input format, </para>
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
SCTP (132) or UDPLITE (136) then you may list one or more port
numbers (or names from services(5)) or port ranges separated by

View File

@ -6,4 +6,4 @@
# See https://shorewall.org/manpages/shorewall-snat.html for more information
#
###########################################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY

View File

@ -663,7 +663,7 @@ ACCEPT net:\
<row>
<entry>mangle</entry>
<entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
<entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers,probability,dscp,switch</entry>
</row>
<row>
@ -738,6 +738,14 @@ ACCEPT net:\
<entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
</row>
<row>
<entry>snat</entry>
<entry>action,source,dest,proto,port,ipsec,mark,user,switch,origdest,probability
(Note: 'port' may be specified as 'dport' beginning with Shorewall
5.2.5.2).</entry>
</row>
<row>
<entry>tcclasses</entry>

View File

@ -1 +1 @@
5.2.5-RC1
5.2.5.1