Rename condition->switch and add more documentation.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-09-23 12:33:55 -07:00
parent cf80dc8858
commit caddd65412
6 changed files with 99 additions and 19 deletions

@ -3745,8 +3745,8 @@ sub do_condition( $ ) {
return '' if $condition eq '-';
require_capability 'CONDITION_MATCH', 'A non-empty CONDITION column', 's';
fatal_error "Invalid condition name ($condition)" unless $condition =~ /^[a-zA-Z]\w*$/;
require_capability 'CONDITION_MATCH', 'A non-empty SWITCH column', 's';
fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/;
"-m condition --condition $condition "
}
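Review bot: the new fatal_error line still anchors the switch-name regex with `$`, which accepts a trailing newline, while the validated name is interpolated straight into `"-m condition --condition $condition "`; `\z` is the safer end anchor here, and spelling the class out as `[-A-Za-z0-9_]` instead of `[-\w]` avoids Unicode word characters slipping through under `use utf8` or locale settings. The sub is also still `do_condition` and the variable `$condition` although the column and the messages now say SWITCH; renaming them keeps the code greppable by the column name.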

@ -7,7 +7,7 @@
# http://www.shorewall.net/manpages/shorewall-rules.html
#
######################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS CONDITION
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
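Review bot: the header row gains a SWITCH column but nothing in this sample file says what the column needs; since the documentation hunks tie it to Condition Match support (xtables-addons) and Shorewall 4.4.24 or later, a one-line comment next to the manpage link would spare a user from first meeting the CONDITION_MATCH capability error at compile time.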

@ -6,8 +6,8 @@
# The manpage is also online at
# http://www.shorewall.net/manpages6/shorewall6-rules.html
#
#######################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
###########################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
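Review bot: the separator line above the header is widened here, whereas the IPv4 rules hunk leaves its separator unchanged; that is fine if the IPv4 line was already wide enough for the existing last column, but both headers should be checked so the SWITCH heading ends up aligned with the separator in each file.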

@ -1604,7 +1604,7 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
LOGLIMIT.</para>
</note>
<para>Shorewall also supports per-IP rate limiting. </para>
<para>Shorewall also supports per-IP rate limiting.</para>
<para>Another example from <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
@ -1624,6 +1624,52 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
above.</para>
</section>
<section>
<title>Switches</title>
<para>There are times when you would like to enable or disable one or more
rules in the configuration without having to do a <command>shorewall
restart</command>. This may be accomplished using the SWITCH column in
<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) or
<ulink url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).
Using this column requires that your kernel and iptables include
<firstterm>Condition Match Support</firstterm> and you must be running
Shorewall 4.4.24 or later. See the output of <command>shorewall show
capabilities</command> and <command>shorewall version</command> to
determine if you can use this feature. As of this writing, Condition Match
Support requires that you install xtables-addons.</para>
<para>The SWITCH column contains the name of a
<firstterm>switch.</firstterm> Each switch that is normally initially in
the off position. You can turn on the switch condition named
<emphasis>switch1</emphasis> by:</para>
<simplelist>
<member><command>echo 1 &gt;
/proc/net/nf_condition/switch1</command></member>
</simplelist>
<para>You can turn it off again by:</para>
<simplelist>
<member><command>echo 0 &gt;
/proc/net/nf_condition/switch1</command></member>
</simplelist>
<para>If you simply include the switch name in the SWITCH column, then the
rule is enabled only when the switch is on. If you precede the switch name
with ! (e.g., !switch1), then the rule is enabled only when the switch is
off. </para>
<warning>
<para>The <command>shorewall restart</command> command resets all
switches to off.</para>
</warning>
<para>Shorewall requires that switch names begin with a letter and be
composed of letters, digits, underscore ('_') or hyphen ('-').</para>
</section>
<section id="Logical">
<title>Logical Interface Names</title>
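Review bot: "Each switch that is normally initially in the off position." in the new Switches section is not a sentence; "Each switch is initially in the off position." reads correctly, and the closing period belongs outside `<firstterm>switch.</firstterm>`. The phrase "turn on the switch condition named" mixes the old and new terminology; "turn on the switch named" is enough. Since the warning states that `shorewall restart` resets every switch to off, it is worth spelling out the consequence for the `!switch1` form documented just above it: such a rule is active after every restart, so the default state a rule falls back to is chosen by its polarity, and a switch that enables the more permissive rule gives the restrictive default.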

@ -1279,16 +1279,33 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CONDITION -
[!]<replaceable>condition-name</replaceable></emphasis></term>
<term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable></emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.24. Matches if the value stored in
<filename>/proc/net/nf_condition/<replaceable>condition-name</replaceable></filename>
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
is 1. Does not match if that file contains 0 (the default). If '!'
is supplied, the test is inverted such that there is a match if the
file contains 0. The condition-name must begin with a letter and be
composed of letters, decimal digits or underscores.</para>
file contains 0. The switch-name must begin with a letter and be
composed of letters, decimal digits, underscores or hyphens.</para>
<para>Switches are normally off. To turn on a switch:</para>
<simplelist>
<member><command>echo 1 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>To turn it off again:</para>
<simplelist>
<member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>The <command>shorewall restart</command> command turns all
switches off.</para>
</listitem>
</varlistentry>
</variablelist>
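Review bot: the allowed character set now includes hyphens, which matches the `[-\w]*` regex in the compiler hunk, so code and manpage agree. The entry still opens with "Added in Shorewall 4.4.24" although the same entry previously carried the CONDITION name; if any build has shipped with the CONDITION column name, a short note that it was renamed to SWITCH would help readers with older configurations. A cross-reference to the new Switches section of the documentation would also save repeating the echo examples in three places.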
@ -1486,10 +1503,10 @@
<term>Example 12:</term>
<listitem>
<para>Forward port 80 to dmz host $BACKUP if condition
'primary_down' is set.</para>
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
is on.</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS CONDITION
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT(S) PORT(S) DEST LIMIT GROUP
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down</programlisting>
</listitem>
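Review bot: Example 12 only shows the positive form of the new column; since the entry above documents `[!]switch-name`, a second row or a sentence showing the inverted case (a rule that is active only while 'primary_down' is off) would make the polarity concrete for readers who copy this example.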

@ -1104,16 +1104,33 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CONDITION -
[!]<replaceable>condition-name</replaceable></emphasis></term>
<term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable></emphasis></term>
<listitem>
<para>Added in Shorewall6 4.4.24. Matches if the value stored in
<filename>/proc/net/nf_condition/<replaceable>condition-name</replaceable></filename>
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
is 1. Does not match if that file contains 0 (the default). If '!'
is supplied, the test is inverted such that there is a match if the
file contains 0. The condition-name must begin with a letter and be
composed of letters, decimal digits or underscores.</para>
file contains 0. The switch-name must begin with a letter and be
composed of letters, decimal digits, underscores or hyphens.</para>
<para>Switches are normally off. To turn on a switch:</para>
<simplelist>
<member><command>echo 1 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>To turn it off again:</para>
<simplelist>
<member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>The <command>shorewall6 restart</command> command turns all
switches off.</para>
</listitem>
</varlistentry>
</variablelist>
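Review bot: this entry duplicates the shorewall-rules one and both point at the same `/proc/net/nf_condition/<switch-name>` path; if a switch of a given name is shared between the IPv4 and IPv6 rule sets, as the common path suggests, stating that in both manpages would prevent surprise when toggling a switch for one affects rules in the other. The wording comments on the IPv4 hunk (rename note, cross-reference to the Switches section) apply here as well.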