Merge branch '5.2.5'

Tom Eastep 2020-06-26 15:31:51 -07:00
commit bac493c2c5
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
10 changed files with 70 additions and 46 deletions


@ -937,11 +937,28 @@ show_events() {
fi fi
} }
sort_actions() {
local sep #separates sort keys from the action[.std] record
sep="##"
awk -v sep="$sep" \
'BEGIN { action = ""; ifrec = ""; nr = 0; };\
/^#/ { next; };\
/^\?(if|IF|If)/ { ifrec = $0; nr = NR; next; };\
/^( |\t|\?)/ { if ( action != "" ) print action, NR, sep $0; next; };\
{ action = $1; };\
nr != 0 { print action , nr, sep ifrec; nr = 0; };\
{ print action , NR, sep $0; }' | sort -k 1,2 | sed "s/^.*${sep}//"
}
show_actions() { show_actions() {
if [ -f ${g_confdir}/actions ]; then local actions
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$' actions=$(find_file actions)
if [ -f ${actions} ]; then
cat ${actions} ${g_sharedir}/actions.std | sort_actions
else else
grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std sort_actions < ${g_sharedir}/actions.std
fi fi
} }
@ -1108,10 +1125,6 @@ show_blacklists() {
show_bl; show_bl;
} }
show_actions_sorted() {
show_actions | sort -u -k 1,1
}
show_macros() { show_macros() {
for directory in $(split $CONFIG_PATH); do for directory in $(split $CONFIG_PATH); do
temp= temp=
@ -1543,7 +1556,7 @@ show_command() {
;; ;;
actions) actions)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && too_many_arguments $2
eval show_actions_sorted $g_pager eval show_actions $g_pager
return return
;; ;;
macro) macro)
@ -4012,7 +4025,7 @@ get_config() {
ensure_config_path ensure_config_path
[ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
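Review bot: In `sort_actions`, `sort -k 1,2` compares the action name and awk's NR as a single text key, so within one action the record with NR 10 sorts before NR 9 and the original file order is lost once line numbers differ in digit count; `sort -k 1,1 -k 2,2n` makes the second key numeric and keeps records grouped by action in source order. The unquoted `${actions}` in `show_actions` is also worth tightening: if `find_file` can return an empty string, `[ -f ${actions} ]` collapses to the one-argument test `[ -f ]`, which is true, and the branch then concatenates only the standard file; `if [ -f "${actions}" ]; then` and `cat "${actions}" "${g_sharedir}/actions.std" | sort_actions` keep the test meaningful and survive paths containing spaces. The `sed "s/^.*${sep}//"` strip is greedy, so a record whose trailing comment itself contains `##` would lose text up to that point; this is probably rare, but a narrower pattern such as `sed "s/^[^ ]* [0-9]* ${sep}//"` removes exactly the two sort keys awk prepended.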


@ -5970,9 +5970,9 @@ sub process_snat( )
{ {
my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
split_line2( 'snat file', split_line2( 'snat file',
{ action => 0, source => 1, dest => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 }, { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
{}, #Nopad {}, #Nopad
undef, #Columns 11, #Columns
1 ); #Allow inline matches 1 ); #Allow inline matches
fatal_error 'ACTION must be specified' if $action eq '-'; fatal_error 'ACTION must be specified' if $action eq '-';
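Review bot: The new `dport => 4` entry in `process_snat`'s column map aliases `port`, but nothing in the hunk says so, and a reader could take the duplicated index for a copy-paste slip; a trailing comment such as `dport => 4,  # alias of 'port' - both select column 4 (DPORT rename)` would document the intent. The `#Columns` argument changing from `undef` to `11` looks tied to the same alias - presumably `split_line2` otherwise derives the count from the number of keys, which is now 12 for 11 columns - so that line deserves a why-comment as well, e.g. `11, #Columns: explicit because port/dport share one column`, once the inference is confirmed against `split_line2`. If an alternative-format rule supplies both `port=` and `dport=`, whichever is processed last presumably wins column 4 silently; whether `split_line2` diagnoses that is not visible here and is worth checking. Note that the manpage and configuration_file_basics hunks on this page date the alias to 5.2.5.2 while both version files are bumped to 5.2.5.1, so any comment that names a release should match the one that actually ships the change. The body of `process_snat` continues outside the hunk.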


@ -13,7 +13,7 @@
# #
# See https://shorewall.org/manpages/shorewall-snat.html for more information # See https://shorewall.org/manpages/shorewall-snat.html for more information
########################################################################################################################################### ###########################################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY #ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
# #
# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
# #


@ -13,7 +13,7 @@
# #
# See https://shorewall.org/manpages/shorewall-snat.html for more information # See https://shorewall.org/manpages/shorewall-snat.html for more information
########################################################################################################################################### ###########################################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY #ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
# #
# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
# #


@ -1 +1 @@
5.2.5-Beta2 5.2.5.1


@ -6,4 +6,4 @@
# See https://shorewall.org/manpages/shorewall-snat.html for more information # See https://shorewall.org/manpages/shorewall-snat.html for more information
# #
########################################################################################################################################### ###########################################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY #ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY


@ -39,8 +39,8 @@
<para>If you have more than one ISP link, adding entries to this file <para>If you have more than one ISP link, adding entries to this file
will <emphasis role="bold">not</emphasis> force connections to go out will <emphasis role="bold">not</emphasis> force connections to go out
through a particular link. You must use entries in <ulink through a particular link. You must use entries in <ulink
url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
PREROUTING entries in <ulink entries in <ulink
url="shorewall-mangle.html">shorewall-mangle</ulink>(5) to do url="shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
that.</para> that.</para>
</warning> </warning>
@ -68,10 +68,10 @@
<listitem> <listitem>
<para>where <replaceable>action</replaceable> is an action <para>where <replaceable>action</replaceable> is an action
declared in <ulink declared in <ulink
url="shorewall-actions.html">shorewall-actions(5)</ulink> url="shorewall-actions.html">shorewall-actions(5)</ulink> with
with the <option>nat</option> option. See <ulink the <option>nat</option> option. See <ulink
url="../Actions.html">https://shorewall.org/Actions.html</ulink> for url="../Actions.html">https://shorewall.org/Actions.html</ulink>
further information.</para> for further information.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -165,9 +165,9 @@
<para>If you specify an address here, matching packets will <para>If you specify an address here, matching packets will
have their source address set to that address. If have their source address set to that address. If
ADD_SNAT_ALIASES is set to Yes or yes in <ulink ADD_SNAT_ALIASES is set to Yes or yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) url="shorewall.conf.html">shorewall.conf</ulink>(5) then
then Shorewall will automatically add this address to the Shorewall will automatically add this address to the INTERFACE
INTERFACE named in the first column (IPv4 only).</para> named in the first column (IPv4 only).</para>
<para>You may also specify a range of up to 256 IP addresses <para>You may also specify a range of up to 256 IP addresses
if you want the SNAT address to be assigned from that range in if you want the SNAT address to be assigned from that range in
@ -237,10 +237,10 @@
<para>Normally Masq/SNAT rules are evaluated after those for <para>Normally Masq/SNAT rules are evaluated after those for
one-to-one NAT (defined in <ulink one-to-one NAT (defined in <ulink
url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
want the rule to be applied before one-to-one NAT rules, follow the rule to be applied before one-to-one NAT rules, follow the action
action name with "+": This feature should only be required if you name with "+": This feature should only be required if you need to
need to insert rules in this file that preempt entries in <ulink insert rules in this file that preempt entries in <ulink
url="shorewall-nat.html">shorewall-nat</ulink>(5).</para> url="shorewall-nat.html">shorewall-nat</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -279,23 +279,23 @@
networks. Multiple interfaces may be listed when the ACTION is networks. Multiple interfaces may be listed when the ACTION is
MASQUERADE, but this is usually just your internet interface. If MASQUERADE, but this is usually just your internet interface. If
ADD_SNAT_ALIASES=Yes in <ulink ADD_SNAT_ALIASES=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5), you url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
may add ":" and a <emphasis>digit</emphasis> to indicate that you and a <emphasis>digit</emphasis> to indicate that you want the alias
want the alias added with that name (e.g., eth0:0). This will allow added with that name (e.g., eth0:0). This will allow the alias to be
the alias to be displayed with ifconfig. <emphasis role="bold">That displayed with ifconfig. <emphasis role="bold">That is the only use
is the only use for the alias name; it may not appear in any other for the alias name; it may not appear in any other place in your
place in your Shorewall configuration.</emphasis></para> Shorewall configuration.</emphasis></para>
<para>Beginning with Shorewall 5.1.12, SNAT may be performed in the <para>Beginning with Shorewall 5.1.12, SNAT may be performed in the
nat table's INPUT chain by specifying $FW rather than one or more nat table's INPUT chain by specifying $FW rather than one or more
interfaces. </para> interfaces.</para>
<para>Each interface must match an entry in <ulink <para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink Shorewall allows loose matches to wildcard entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
For example, <filename class="devicefile">ppp0</filename> in this example, <filename class="devicefile">ppp0</filename> in this file
file will match a <ulink will match a <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
entry that defines <filename entry that defines <filename
class="devicefile">ppp+</filename>.</para> class="devicefile">ppp+</filename>.</para>
@ -315,8 +315,8 @@
addresses to indicate that you only want to change the source IP addresses to indicate that you only want to change the source IP
address for packets being sent to those particular destinations. address for packets being sent to those particular destinations.
Exclusion is allowed (see <ulink Exclusion is allowed (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
as are ipset names preceded by a plus sign '+';</para> are ipset names preceded by a plus sign '+';</para>
<para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
entry then include the ":" but omit the digit:</para> entry then include the ":" but omit the digit:</para>
@ -341,8 +341,7 @@
<listitem> <listitem>
<para>If you wish to restrict this entry to a particular protocol <para>If you wish to restrict this entry to a particular protocol
then enter the protocol name (from protocols(5)) or number here. See then enter the protocol name (from protocols(5)) or number here. See
<ulink <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink> for
url="shorewall-rules.html">shorewall-rules(5)</ulink> for
details.</para> details.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a <para>Beginning with Shorewall 4.5.12, this column can accept a
@ -356,10 +355,14 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">PORT</emphasis> (Optional) - <term><emphasis role="bold">{PORT|DPORT}</emphasis> (Optional) -
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term> {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>The column was renamed to DPORT in Shorewall 5.2.5.2.
Beginning with that release, both PORT and DPORT are accepted in the
alternative input format, </para>
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33), <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
SCTP (132) or UDPLITE (136) then you may list one or more port SCTP (132) or UDPLITE (136) then you may list one or more port
numbers (or names from services(5)) or port ranges separated by numbers (or names from services(5)) or port ranges separated by


@ -6,4 +6,4 @@
# See https://shorewall.org/manpages/shorewall-snat.html for more information # See https://shorewall.org/manpages/shorewall-snat.html for more information
# #
########################################################################################################################################### ###########################################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY #ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY


@ -663,7 +663,7 @@ ACCEPT net:\
<row> <row>
<entry>mangle</entry> <entry>mangle</entry>
<entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry> <entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers,probability,dscp,switch</entry>
</row> </row>
<row> <row>
@ -738,6 +738,14 @@ ACCEPT net:\
<entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry> <entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
</row> </row>
<row>
<entry>snat</entry>
<entry>action,source,dest,proto,port,ipsec,mark,user,switch,origdest,probability
(Note: 'port' may be specified as 'dport' beginning with Shorewall
5.2.5.2).</entry>
</row>
<row> <row>
<entry>tcclasses</entry> <entry>tcclasses</entry>


@ -1 +1 @@
5.2.5-RC1 5.2.5.1