From a9c42e1eaa08be90c30c3bbdcd7e7314671fad27 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sun, 25 Aug 2019 14:18:06 -0700
Subject: [PATCH 1/5] Correct NFQUEUE policy with per-CPU queues
Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Rules.pm | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 5793a8d5f..ca8418b93 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -721,7 +721,13 @@ sub process_a_policy1($$$$$$$) {
 require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
- my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+ my ( $policy, $pactions );
+
+ if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
+ ( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
+ } else {
+ ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+ }
 fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
From 7051daeb08aa0d6afe476e64bdf9e0912f54fe99 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sun, 25 Aug 2019 14:18:54 -0700
Subject: [PATCH 2/5] Correct handle of multi-queue NFQUEUE when passed to a macro
Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Rules.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index ca8418b93..6470bca79 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1610,8 +1610,8 @@ sub merge_levels ($$) {
 return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
- my @supparts = split /:/, $superior;
- my @subparts = split /:/, $subordinate;
+ my @supparts = split_list2( $superior , 'Action' );
+ my @subparts = split_list2( $subordinate , 'Action' );
 my $subparts = @subparts;
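Review bot: The new NFQUEUE branch in process_a_policy1 makes the separating colon optional (`(?::?(.*))`) and never anchors the end of the string, so a policy such as `NFQUEUE(1)junk` is accepted with `junk` taken as the action list instead of being flagged, and when nothing follows the closing parenthesis `$pactions` becomes the empty string rather than the undef that the `split` branch produces, which may matter if later code tests definedness. Requiring the colon and making the trailer optional keeps both branches consistent: `if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::(.*))?$/ ) {`. With that anchor a malformed trailer falls through to the `split` branch and reaches the existing POLICY validation (presumably fatal there, judging by the `fatal_error` that follows, though that code is outside the hunk). process_a_policy1 starts and ends outside the hunk.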
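Review bot: The switch from `split /:/` to `split_list2( $superior , 'Action' )` in merge_levels carries no comment, and the reason is not recoverable from the code by a reader who has not seen this commit. A comment above the two assignments would preserve it, for example `# split_list2() keeps parenthesized text intact, so a multi-queue NFQUEUE(x:y) action is not split on its inner colon`; I infer that behaviour from the commit subject rather than from the hunk, so confirm it against split_list2's definition before adopting the wording. As a point of style, the space before the comma in `$superior ,` and `$subordinate ,` is out of step with the removed `split /:/, $superior;` lines and the usual `split_list2( $superior, 'Action' )` form. merge_levels starts and ends outside the hunk.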
From 40f6192e190c40f42819ba7e3554db314598870c Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sun, 25 Aug 2019 14:20:54 -0700
Subject: [PATCH 3/5] Make 'AUTOMAKE=No' the update default
Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Config.pm | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 2b47fa714..27d1ea4d0 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -5441,6 +5441,7 @@ sub update_config_file( $ ) {
 update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} );
 update_default( 'LOGFORMAT', 'Shorewall:%s:%s:' );
 update_default( 'LOGLIMIT', '' );
+ update_default( 'AUTOMAKE', 'No' );
 if ( $family == F_IPV4 ) {
 update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
From c4d5bb904be43915e5149205c98f73e7644a3552 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Mon, 26 Aug 2019 15:45:26 -0700
Subject: [PATCH 4/5] Correct description of 'bypass' in shorewall-rules(5).
Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/manpages/shorewall-rules.xml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 35483eb20..ff7fffd46 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -674,15 +674,15 @@
 the keyword <emphasis role="bold">bypass</emphasis> can be given. By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued are dropped.
- When this option is used, the NFQUEUE rule is silently
- bypassed instead. The packet will move on to the next rule.
- Also beginning in Shorewall 4.6.10, a second queue number
- (<replaceable>queuenumber2</replaceable>) may be specified.
- This specifies a range of queues to use. Packets are then
- balanced across the given queues. This is useful for multicore
- systems: start multiple instances of the userspace program on
- queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
- the same connection are put into the same nfqueue.</para>
+ When this option is used, the NFQUEUE rule behaves like ACCEPT
+ instead. Also beginning in Shorewall 4.6.10, a second queue
+ number (<replaceable>queuenumber2</replaceable>) may be
+ specified. This specifies a range of queues to use. Packets
+ are then balanced across the given queues. This is useful for
+ multicore systems: start multiple instances of the userspace
+ program on queues x, x+1, .. x+n and use "x:x+n". Packets
+ belonging to the same connection are put into the same
+ nfqueue.</para>
 <para>Beginning with Shorewall 5.1.0, queuenumber2 may be followed by the letter 'c' to indicate that the CPU ID will be
From 54c7e1a607beab415715be910368cdfb53305c83 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Tue, 3 Sep 2019 07:42:06 -0700
Subject: [PATCH 5/5] Correct typo in FTP.xml
Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 docs/FTP.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/FTP.xml b/docs/FTP.xml
index f977e4102..ddca3cbbd 100644
--- a/docs/FTP.xml
+++ b/docs/FTP.xml
@@ -431,7 +431,7 @@ CT:helper:ftp loc - tcp 21</programlisti
 <para><filename>/etc/shorewall/rules:</filename></para>
 <programlisting>#ACTION SOURCE DEST PROTO DPORT
-DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting>
+DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }</programlisting>
 <para>That entry will accept ftp connections on port 12345 from the net and forward them to host 192.168.1..2 and port 21 in the loc zone.</para>