diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 69c708f25..f16ff6935 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -334,7 +334,31 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) { } } + sub ipset_command() { + my %xlate = ( ADD => 'add-set' , DEL => 'del-set' ); + + require_capability( 'IPSET_MATCH', "$cmd rules", '' ); + fatal_error "$cmd rules require a set name parameter" unless $params; + + my ( $setname, $flags, $rest ) = split ':', $params, 3; + fatal_error "Invalid ADD/DEL parameter ($params)" if $rest; + $setname =~ s/^\+//; + fatal_error "Expected ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*$/; + fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/; + $target = join( ' ', 'SET --' . $xlate{$cmd} , $setname , $flags ); + } + my %commands = ( + ADD => { + defaultchain => PREROUTING, + allowedchains => ALLCHAINS, + minparams => 1, + maxparams => 1, + function => sub() { + ipset_command(); + } + }, + CHECKSUM => { defaultchain => 0, allowedchains => ALLCHAINS, @@ -397,6 +421,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) { }, }, + DEL => { + defaultchain => PREROUTING, + allowedchains => ALLCHAINS, + minparams => 1, + maxparams => 1, + function => sub() { + ipset_command(); + } + }, + DIVERT => { defaultchain => REALPREROUTING, allowedchains => PREROUTING | REALPREROUTING, @@ -860,7 +894,11 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) { our %tccmd; unless ( %tccmd ) { - %tccmd = ( SAVE => { match => sub ( $ ) { $_[0] eq 'SAVE' } , + %tccmd = ( ADD => { match => sub ( $ ) { $_[0] =~ /^ADD/ } + }, + DEL => { match => sub ( $ ) { $_[0] =~ /^DEL/ } + }, + SAVE => { match => sub ( $ ) { $_[0] eq 'SAVE' } , } , RESTORE => { match => sub ( $ ) { $_[0] eq 'RESTORE' }, } , diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml index 20adc4b03..a61b8ac0f 100644 
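Review bot: `sub ipset_command()` is a named sub declared inside process_mangle_rule1, and it reads `$cmd`, `$params` and `$target` from the enclosing scope; if those are `my` lexicals of the enclosing sub (their declarations are outside this hunk), a named inner sub binds only the first call's instances, so later mangle rules would validate and emit stale values (Perl's "Variable will not stay shared" warning). Either declare those three with `our`, as process_tc_rule1 already does for `%tccmd`, or keep the helper in a lexical, `my $ipset_command = sub { ... };`, and invoke it as `function => sub() { $ipset_command->() }` from both the ADD entry here and the DEL entry in the second hunk. Two smaller points in the same helper: `fatal_error ... if $rest` misses a literal `0` third field (`if defined $rest`), and the set-name and flags patterns end in `$`, which also admits a trailing newline — `\z` is the stricter anchor to use before the value is interpolated into the SET target. process_mangle_rule1 begins and ends outside the hunk.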
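Review bot: `$_[0] =~ /^ADD/` and `/^DEL/` are open-ended prefix matches, whereas the neighbouring SAVE and RESTORE entries compare with `eq`; any action name beginning with those letters would satisfy the ipset matchers, which matters if the consumer walks `%tccmd` in hash order rather than looking the command up by key. If the looser form is needed because `$_[0]` still carries the `(ipset:flags)` parameter list, anchoring on the delimiter, `$_[0] =~ /^ADD(?:\(|$)/` and likewise for DEL, keeps the intent explicit. The loop that consumes %tccmd is outside the hunk, so this is inferred from the match closures alone.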
--- a/Shorewall/manpages/shorewall-mangle.xml +++ b/Shorewall/manpages/shorewall-mangle.xml @@ -123,6 +123,28 @@ following. + + ADD(ipset:flags) + + + Added in Shorewall 4.6.7. Causes addresses and/or port + numbers to be added to the named + ipset. The + flags specify the address or tuple + to be added to the set and must match the type of ipset + involved. For example, for an iphash ipset, either the SOURCE + or DESTINATION address can be added using + flags src or dst respectively (see the -A command in + ipset (8)). + + ADD is non-terminating. Even if a packet matches the + rule, it is passed on to the next rule. + + + CHECKSUM @@ -214,6 +236,27 @@ + + DEL(ipset:flags) + + + Added in Shorewall 4.6.7. Causes an entry to be deleted + from the named ipset. The + flags specify the address or tuple + to be deleted from the set and must match the type of ipset + involved. For example, for an iphash ipset, either the SOURCE + or DESTINATION address can be deleted using + flags src or dst respectively (see the -D command in + ipset (8)). + + DEL is non-terminating. Even if a packet matches the + rule, it is passed on to the next rule. + + + DIVERT @@ -509,7 +552,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark - SAME + SAME[(timeout)] Some websites run applications that require multiple 
@@ -533,12 +577,16 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443 connections to an individual remote system to all use the same provider. For example:#ACTION SOURCE DEST PROTO DEST # PORT(S) -SAME $FW 0.0.0.0/0 tcp 80,443 - If the firewall attempts a connection on TCP port 80 or 443 - and it has sent a packet on either of those ports in the last - five minutes to the same remote system then the new connection - will use the same provider as the connection over which that - last packet was sent. +SAME $FW 0.0.0.0/0 tcp 80,443The + optional timeout parameter was + added in Shorewall 4.6.7 and specifies a number of seconds . + When not specified, a value of 300 seconds (5 minutes) is + assumed. If the firewall attempts a connection on TCP port 80 + or 443 and it has sent a packet on either of those ports in + the last timeout seconds to the + same remote system then the new connection will use the same + provider as the connection over which that last packet was + sent. diff --git a/Shorewall6/manpages/shorewall6-mangle.xml b/Shorewall6/manpages/shorewall6-mangle.xml index 74b3d5c73..f52db8668 100644 --- a/Shorewall6/manpages/shorewall6-mangle.xml +++ b/Shorewall6/manpages/shorewall6-mangle.xml @@ -124,6 +124,28 @@ following. + + ADD(ipset:flags) + + + Added in Shorewall 4.6.7. Causes addresses and/or port + numbers to be added to the named + ipset. The + flags specify the address or tuple + to be added to the set and must match the type of ipset + involved. For example, for an iphash ipset, either the SOURCE + or DESTINATION address can be added using + flags src or dst respectively (see the -A command in + ipset (8)). + + ADD is non-terminating. Even if a packet matches the + rule, it is passed on to the next rule. + + + CHECKSUM 
@@ -215,6 +237,27 @@ + + DEL(ipset:flags) + + + Added in Shorewall 4.6.7. Causes an entry to be deleted + from the named ipset. The + flags specify the address or tuple + to be deleted from the set and must match the type of ipset + involved. For example, for an iphash ipset, either the SOURCE + or DESTINATION address can be deleted using + flags src or dst respectively (see the -D command in + ipset (8)). + + DEL is non-terminating. Even if a packet matches the + rule, it is passed on to the next rule. + + + DIVERT @@ -510,7 +553,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark - SAME + SAME[(timeout)] Some websites run applications that require multiple @@ -534,12 +578,16 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443 connections to an individual remote system to all use the same provider. For example:#ACTION SOURCE DEST PROTO DEST # PORT(S) -SAME $FW 0.0.0.0/0 tcp 80,443 - If the firewall attempts a connection on TCP port 80 or 443 - and it has sent a packet on either of those ports in the last - five minutes to the same remote system then the new connection - will use the same provider as the connection over which that - last packet was sent. +SAME $FW 0.0.0.0/0 tcp 80,443The + optional timeout parameter was + added in Shorewall 4.6.7 and specifies a number of seconds . + When not specified, a value of 300 seconds (5 minutes) is + assumed. If the firewall attempts a connection on TCP port 80 + or 443 and it has sent a packet on either of those ports in + the last timeout seconds to the + same remote system then the new connection will use the same + provider as the connection over which that last packet was + sent.