holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Implement ADD and DEL in the mangle file.

Browse Source 
- Also document the parameter to SAME

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2015-02-18 12:04:01 -08:00
parent 18c8f1f835
commit cdc2d52208
3 changed files with 149 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -334,7 +334,31 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
} }
} }
sub ipset_command() {
my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
require_capability( 'IPSET_MATCH', "$cmd rules", '' );
fatal_error "$cmd rules require a set name parameter" unless $params;
my ( $setname, $flags, $rest ) = split ':', $params, 3;
fatal_error "Invalid ADD/DEL parameter ($params)" if $rest;
$setname =~ s/^\+//;
fatal_error "Expected ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*$/;
fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
$target = join( ' ', 'SET --' . $xlate{$cmd} , $setname , $flags );
}
my %commands = ( my %commands = (
ADD => {
defaultchain => PREROUTING,
allowedchains => ALLCHAINS,
minparams => 1,
maxparams => 1,
function => sub() {
ipset_command();
}
},
CHECKSUM => { CHECKSUM => {
defaultchain => 0, defaultchain => 0,
allowedchains => ALLCHAINS, allowedchains => ALLCHAINS,
@ -397,6 +421,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
}, },
}, },
DEL => {
defaultchain => PREROUTING,
allowedchains => ALLCHAINS,
minparams => 1,
maxparams => 1,
function => sub() {
ipset_command();
}
},
DIVERT => { DIVERT => {
defaultchain => REALPREROUTING, defaultchain => REALPREROUTING,
allowedchains => PREROUTING | REALPREROUTING, allowedchains => PREROUTING | REALPREROUTING,
@ -860,7 +894,11 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
our %tccmd; our %tccmd;
unless ( %tccmd ) { unless ( %tccmd ) {
%tccmd = ( SAVE => { match => sub ( $ ) { $_[0] eq 'SAVE' } , %tccmd = ( ADD => { match => sub ( $ ) { $_[0] =~ /^ADD/ }
},
DEL => { match => sub ( $ ) { $_[0] =~ /^DEL/ }
},
SAVE => { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
} , } ,
RESTORE => { match => sub ( $ ) { $_[0] eq 'RESTORE' }, RESTORE => { match => sub ( $ ) { $_[0] eq 'RESTORE' },
} , } ,

62
Shorewall/manpages/shorewall-mangle.xml
View File

@ -123,6 +123,28 @@
following.</para> following.</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.7. Causes addresses and/or port
numbers to be added to the named
<replaceable>ipset</replaceable>. The
<replaceable>flags</replaceable> specify the address or tuple
to be added to the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be added using
<replaceable>flags</replaceable> <emphasis
role="bold">src</emphasis> or <emphasis
role="bold">dst</emphasis> respectively (see the -A command in
ipset (8)).</para>
<para>ADD is non-terminating. Even if a packet matches the
rule, it is passed on to the next rule.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CHECKSUM</emphasis></term> <term><emphasis role="bold">CHECKSUM</emphasis></term>
@ -214,6 +236,27 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.7. Causes an entry to be deleted
from the named <replaceable>ipset</replaceable>. The
<replaceable>flags</replaceable> specify the address or tuple
to be deleted from the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be deleted using
<replaceable>flags</replaceable> <emphasis
role="bold">src</emphasis> or <emphasis
role="bold">dst</emphasis> respectively (see the -D command in
ipset (8)).</para>
<para>DEL is non-terminating. Even if a packet matches the
rule, it is passed on to the next rule.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DIVERT</emphasis></term> <term><emphasis role="bold">DIVERT</emphasis></term>
@ -509,7 +552,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SAME</emphasis></term> <term><emphasis
role="bold">SAME[(<replaceable>timeout</replaceable>)]</emphasis></term>
<listitem> <listitem>
<para>Some websites run applications that require multiple <para>Some websites run applications that require multiple
@ -533,12 +577,16 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
connections to an individual remote system to all use the same connections to an individual remote system to all use the same
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting> SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>The
If the firewall attempts a connection on TCP port 80 or 443 optional <replaceable>timeout</replaceable> parameter was
and it has sent a packet on either of those ports in the last added in Shorewall 4.6.7 and specifies a number of seconds .
five minutes to the same remote system then the new connection When not specified, a value of 300 seconds (5 minutes) is
will use the same provider as the connection over which that assumed. If the firewall attempts a connection on TCP port 80
last packet was sent.</para> or 443 and it has sent a packet on either of those ports in
the last <replaceable>timeout</replaceable> seconds to the
same remote system then the new connection will use the same
provider as the connection over which that last packet was
sent.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

62
Shorewall6/manpages/shorewall6-mangle.xml
View File

@ -124,6 +124,28 @@
following.</para> following.</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.7. Causes addresses and/or port
numbers to be added to the named
<replaceable>ipset</replaceable>. The
<replaceable>flags</replaceable> specify the address or tuple
to be added to the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be added using
<replaceable>flags</replaceable> <emphasis
role="bold">src</emphasis> or <emphasis
role="bold">dst</emphasis> respectively (see the -A command in
ipset (8)).</para>
<para>ADD is non-terminating. Even if a packet matches the
rule, it is passed on to the next rule.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CHECKSUM</emphasis></term> <term><emphasis role="bold">CHECKSUM</emphasis></term>
@ -215,6 +237,27 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.7. Causes an entry to be deleted
from the named <replaceable>ipset</replaceable>. The
<replaceable>flags</replaceable> specify the address or tuple
to be deleted from the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be deleted using
<replaceable>flags</replaceable> <emphasis
role="bold">src</emphasis> or <emphasis
role="bold">dst</emphasis> respectively (see the -D command in
ipset (8)).</para>
<para>DEL is non-terminating. Even if a packet matches the
rule, it is passed on to the next rule.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DIVERT</emphasis></term> <term><emphasis role="bold">DIVERT</emphasis></term>
@ -510,7 +553,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SAME</emphasis></term> <term><emphasis
role="bold">SAME[(<replaceable>timeout</replaceable>)]</emphasis></term>
<listitem> <listitem>
<para>Some websites run applications that require multiple <para>Some websites run applications that require multiple
@ -534,12 +578,16 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
connections to an individual remote system to all use the same connections to an individual remote system to all use the same
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting> SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>The
If the firewall attempts a connection on TCP port 80 or 443 optional <replaceable>timeout</replaceable> parameter was
and it has sent a packet on either of those ports in the last added in Shorewall 4.6.7 and specifies a number of seconds .
five minutes to the same remote system then the new connection When not specified, a value of 300 seconds (5 minutes) is
will use the same provider as the connection over which that assumed. If the firewall attempts a connection on TCP port 80
last packet was sent.</para> or 443 and it has sent a packet on either of those ports in
the last <replaceable>timeout</replaceable> seconds to the
same remote system then the new connection will use the same
provider as the connection over which that last packet was
sent.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>