Merge branch 'master' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall
Signed-off-by: Tom Eastep <teastep@shorewall.net>
d005536fcc
@ -9,6 +9,7 @@
|
||||
####################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
@ -13,6 +13,10 @@
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||
|
||||
|
@ -13,6 +13,14 @@
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
# Don't allow connection pickup from the net
|
||||
#
|
||||
Invalid(DROP) net all
|
||||
#
|
||||
# Accept DNS connections from the firewall to the Internet
|
||||
#
|
||||
|
@ -13,6 +13,14 @@
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
# Don't allow connection pickup from the net
|
||||
#
|
||||
Invalid(DROP) net all
|
||||
#
|
||||
# Accept DNS connections from the firewall to the network
|
||||
#
|
||||
|
@ -9,6 +9,7 @@
|
||||
####################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
@ -13,6 +13,10 @@
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||
|
||||
|
@ -13,6 +13,14 @@
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
# Don't allow connection pickup from the net
|
||||
#
|
||||
Invalid(DROP) net all
|
||||
#
|
||||
# Accept DNS connections from the firewall to the Internet
|
||||
#
|
||||
|
@ -13,6 +13,14 @@
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
# Don't allow connection pickup from the net
|
||||
#
|
||||
Invalid(DROP) net all
|
||||
#
|
||||
# Accept DNS connections from the firewall to the network
|
||||
#
|
||||
|
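--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -0,0 +1,121 @@
+#! /bin/bash
+#
+# chkconfig: - 09 91
+# description: Initialize the shorewall firewall at boot time
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop: $local_fs
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
+# Short-Description: Initialize the shorewall firewall at boot time
+# Description: Place the firewall in a safe state at boot time
+# prior to bringing up the network.
+### END INIT INFO
+prog="shorewall-init"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/shorewall-init"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Get startup options (override default)
+OPTIONS=
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+. /etc/sysconfig/shorewall-init
+else
+echo "/etc/sysconfig/shorewall-init not found"
+exit 6
+fi
+
+# Initialize the firewall
+start () {
+local product
+local vardir
+
+if [ -z "$PRODUCTS" ]; then
+echo "No firewalls configured for shorewall-init"
+failure
+return 6 #Not configured
+fi
+
+echo -n "Initializing \"Shorewall-based firewalls\": "
+for product in $PRODUCTS; do
+vardir=/var/lib/$product
+[ -f /etc/$product/vardir ] && . /etc/$product/vardir
+if [ -x ${vardir}/firewall ]; then
+${vardir}/firewall stop 2>&1 | $logger
+retval=${PIPESTATUS[0]}
+[ retval -ne 0 ] && break
+fi
+done
+
+if [ retval -eq 0 ]; then
+touch $lockfile
+success
+else
+failure
+fi
+echo
+return $retval
+}
+
+# Clear the firewall
+stop () {
+local product
+local vardir
+
+echo -n "Clearing \"Shorewall-based firewalls\": "
+for product in $PRODUCTS; do
+vardir=/var/lib/$product
+[ -f /etc/$product/vardir ] && . /etc/$product/vardir
+if [ -x ${vardir}/firewall ]; then
+${vardir}/firewall clear 2>&1 | $logger
+retval=${PIPESTATUS[0]}
+[ retval -ne 0 ] && break
+fi
+done
+
+if [ retval -eq 0 ]; then
+rm -f $lockfile
+success
+else
+failure
+fi
+echo
+return $retval
+}
+
+status_q() {
+status > /dev/null 2>&1
+}
+
+case "$1" in
+start)
+status_q && exit 0
+$1
+;;
+stop)
+status_q || exit 0
+$1
+;;
+restart|reload|force-reload)
+echo "Not implemented"
+exit 3
+;;
+condrestart|try-restart)
+echo "Not implemented"
+exit 3
+;;
+status)
+status $prog
+;;
+*)
+echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+exit 1
+esac
+
+exit 0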
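Review bot: `[ retval -ne 0 ] && break` and `if [ retval -eq 0 ]; then` in both start() and stop() compare the literal word retval instead of the variable, so test(1) rejects it as a non-integer and both conditions are always false: the per-product loop never stops on a failed firewall script, the success branch is never taken, the lockfile is never created or removed, and every run reports failure. They should read `[ $retval -ne 0 ] && break` and `if [ $retval -eq 0 ]; then`. retval is also neither declared `local` nor initialised, so when no product has an executable ${vardir}/firewall the closing `return $retval` expands to a bare return; setting `retval=0` before each loop gives a defined result. status_q calls the library's status helper with no program argument, which presumably makes it fail and so makes the stop) case exit 0 before anything is cleared — worth confirming against /etc/rc.d/init.d/functions.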
@ -160,6 +160,8 @@ elif [ -f /etc/debian_version ]; then
|
||||
DEBIAN=yes
|
||||
elif [ -f /etc/SuSE-release ]; then
|
||||
SUSE=Yes
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
FEDORA=Yes
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
echo "Shorewall-init is currently not supported on Slackware" >&2
|
||||
exit 1
|
||||
@ -181,6 +183,14 @@ else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
if [ -f /lib/systemd/system ]; then
|
||||
SYSTEMD=Yes
|
||||
fi
|
||||
elif [ -n "$SYSTEMD" ]; then
|
||||
mkdir -p ${DESTDIR}/lib/systemd/system
|
||||
fi
|
||||
|
||||
#
|
||||
# Change to the directory containing this script
|
||||
#
|
||||
@ -202,6 +212,8 @@ fi
|
||||
#
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
|
||||
elif [ -n "$FEDORA" ]; then
|
||||
install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
|
||||
#elif [ -n "$ARCHLINUX" ]; then
|
||||
# install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
|
||||
else
|
||||
@ -210,6 +222,14 @@ fi
|
||||
|
||||
echo "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
|
||||
|
||||
#
|
||||
# Install the .service file
|
||||
#
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
|
||||
echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
|
||||
fi
|
||||
|
||||
#
|
||||
# Create /usr/share/shorewall-init if needed
|
||||
#
|
||||
@ -297,7 +317,11 @@ if [ -z "$DESTDIR" ]; then
|
||||
|
||||
echo "Shorewall Init will start automatically at boot"
|
||||
else
|
||||
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
if systemctl enable shorewall-init; then
|
||||
echo "Shorewall Init will start automatically at boot"
|
||||
fi
|
||||
elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
if insserv /etc/init.d/shorewall-init ; then
|
||||
echo "Shorewall Init will start automatically at boot"
|
||||
else
|
||||
|
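Review bot: The new FEDORA branch `install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544` installs the Debian init script on Fedora, although this same commit adds Shorewall-init/init.fedora.sh for that purpose and the matching branch in Shorewall-lite/install.sh installs init.fedora.sh; it should read `install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-init 0544`. Separately, `if [ -f /lib/systemd/system ]; then` tests for a regular file, but /lib/systemd/system is a directory, so SYSTEMD is never set on a native install and the .service file and `systemctl enable` branch are skipped; the test should be `if [ -d /lib/systemd/system ]; then`. The same directory test is added in Shorewall-lite/install.sh. The surrounding if/elif chains continue outside these hunks.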
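--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -0,0 +1,21 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+# Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+After=syslog.target
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecReload=/sbin/shorewall-init $OPTIONS restart
+ExecStop=/sbin/shorewall-init $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target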
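Review bot: `ExecReload=/sbin/shorewall-init $OPTIONS restart` exposes a reload action, but the Fedora init script added in this commit answers restart|reload|force-reload with "Not implemented" and exit 3; if /sbin/shorewall-init (not in this diff) behaves the same way, `systemctl reload shorewall-init` will always fail and the line should be dropped rather than advertised. `Description=Shorewall IPv4 firewall` also describes the main firewall, not this unit; a description in the spirit of the init script's own header, such as `Description=Place Shorewall-based firewalls in a safe state before networking starts`, would tell an operator what this unit does.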
@ -73,6 +73,8 @@ if [ -n "$INITSCRIPT" ]; then
|
||||
insserv -r $INITSCRIPT
|
||||
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
|
||||
chkconfig --del $(basename $INITSCRIPT)
|
||||
elif [ -x /sbin/systemctl ]; then
|
||||
systemctl disable shorewall-init
|
||||
else
|
||||
rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
|
||||
fi
|
||||
@ -93,6 +95,7 @@ remove_file /etc/network/if-down.d/shorewall
|
||||
|
||||
remove_file /etc/sysconfig/network/if-up.d/shorewall
|
||||
remove_file /etc/sysconfig/network/if-down.d/shorewall
|
||||
remove_file /lib/systemd/system/shorewall.service
|
||||
|
||||
if [ -d /etc/ppp ]; then
|
||||
for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
|
||||
|
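Review bot: `remove_file /lib/systemd/system/shorewall.service` removes the main Shorewall package's unit file rather than the one this package installs; Shorewall-init/install.sh writes shorewall-init.service, so this line should be `remove_file /lib/systemd/system/shorewall-init.service` (compare `rm -f /lib/systemd/system/shorewall-lite.service` in Shorewall-lite/uninstall.sh). The new `elif [ -x /sbin/systemctl ]; then` branch is only reached when neither insserv nor chkconfig is executable, and systemd-based Fedora hosts presumably still ship chkconfig, so `systemctl disable shorewall-init` may never run there; the same ordering is added in Shorewall-lite/uninstall.sh. Both branches sit inside `if [ -n "$INITSCRIPT" ]`, whose end is outside the hunk.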
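--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+# Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall-lite"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+. /etc/sysconfig/$prog
+fi
+
+start() {
+echo -n $"Starting Shorewall: "
+$shorewall $OPTIONS start 2>&1 | $logger
+retval=${PIPESTATUS[0]}
+if [[ $retval == 0 ]]; then
+touch $lockfile
+success
+else
+failure
+fi
+echo
+return $retval
+}
+
+stop() {
+echo -n $"Stopping Shorewall: "
+$shorewall $OPTIONS stop 2>&1 | $logger
+retval=${PIPESTATUS[0]}
+if [[ $retval == 0 ]]; then
+rm -f $lockfile
+success
+else
+failure
+fi
+echo
+return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+echo -n $"Restarting Shorewall: "
+$shorewall $OPTIONS restart 2>&1 | $logger
+retval=${PIPESTATUS[0]}
+if [[ $retval == 0 ]]; then
+touch $lockfile
+success
+else # Failed to start, clean up lock file if present
+rm -f $lockfile
+failure
+fi
+echo
+return $retval
+}
+
+status(){
+$shorewall status
+return $?
+}
+
+status_q() {
+status > /dev/null 2>&1
+}
+
+case "$1" in
+start)
+status_q && exit 0
+$1
+;;
+stop)
+status_q || exit 0
+$1
+;;
+restart|reload|force-reload)
+restart
+;;
+condrestart|try-restart)
+status_q || exit 0
+restart
+;;
+status)
+$1
+;;
+*)
+echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+exit 1
+;;
+esac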
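Review bot: The script is declared `#!/bin/sh` but depends on bash-only constructs — `[[ $retval == 0 ]]`, `${PIPESTATUS[0]}` and the `$"..."` locale strings — so under a POSIX /bin/sh such as dash the exit-status checks in start(), stop() and restart() do not work; the Shorewall-init counterpart in this same commit uses `#! /bin/bash`, and this file should too. retval is assigned in all three functions without `local`, which is harmless here but leaks a global; `local retval` keeps them self-contained. Defining `status(){ ... }` after sourcing /etc/rc.d/init.d/functions replaces the library's status helper for the rest of the script, which is presumably intended since status_q and the status) case rely on it, but a one-line comment saying so would save the next reader a check.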
@ -136,7 +136,6 @@ esac
|
||||
#
|
||||
# Determine where to install the firewall script
|
||||
#
|
||||
DEBIAN=
|
||||
CYGWIN=
|
||||
INSTALLD='-D'
|
||||
T='-T'
|
||||
@ -173,6 +172,8 @@ if [ -n "$DESTDIR" ]; then
|
||||
install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
|
||||
elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
|
||||
DEBIAN=yes
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
FEDORA=yes
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
DEST="/etc/rc.d"
|
||||
INIT="rc.firewall"
|
||||
@ -182,6 +183,14 @@ elif [ -f /etc/arch-release ] ; then
|
||||
ARCHLINUX=yes
|
||||
fi
|
||||
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
if [ -f /lib/systemd/system ]; then
|
||||
SYSTEMD=Yes
|
||||
fi
|
||||
elif [ -n "$SYSTEMD" ]; then
|
||||
mkdir -p ${DESTDIR}/lib/systemd/system
|
||||
fi
|
||||
|
||||
#
|
||||
# Change to the directory containing this script
|
||||
#
|
||||
@ -223,12 +232,13 @@ echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite
|
||||
# Install the Firewall Script
|
||||
#
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
install_file init.debian.sh /etc/init.d/shorewall-lite 0544
|
||||
install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
|
||||
elif [ -n "$FEDORA" ]; then
|
||||
install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
|
||||
elif [ -n "$ARCHLINUX" ]; then
|
||||
install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
|
||||
|
||||
install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
|
||||
else
|
||||
install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
|
||||
install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
|
||||
fi
|
||||
|
||||
echo "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
|
||||
@ -249,6 +259,14 @@ if [ -n "$DESTDIR" ]; then
|
||||
chmod 755 ${DESTDIR}/etc/logrotate.d
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the .service file
|
||||
#
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
run_install $OWNERSHIP -m 600 shorewall-lite.service ${DESTDIR}/lib/systemd/system/shorewall-lite.service
|
||||
echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-lite.service"
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the config file
|
||||
#
|
||||
@ -389,7 +407,11 @@ if [ -z "$DESTDIR" ]; then
|
||||
|
||||
echo "Shorewall Lite will start automatically at boot"
|
||||
else
|
||||
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
if systemctl enable shorewall-lite; then
|
||||
echo "Shorewall Lite will start automatically at boot"
|
||||
fi
|
||||
elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
if insserv /etc/init.d/shorewall-lite ; then
|
||||
echo "Shorewall Lite will start automatically at boot"
|
||||
else
|
||||
|
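--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -0,0 +1,21 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+# Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+After=syslog.target
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecReload=/sbin/shorewall-lite $OPTIONS restart
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target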
@ -93,6 +93,8 @@ if [ -n "$FIREWALL" ]; then
|
||||
insserv -r $FIREWALL
|
||||
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
|
||||
chkconfig --del $(basename $FIREWALL)
|
||||
elif [ -x /sbin/systemctl ]; then
|
||||
systemctl disable shorewall-lite
|
||||
else
|
||||
rm -f /etc/rc*.d/*$(basename $FIREWALL)
|
||||
fi
|
||||
@ -112,6 +114,7 @@ rm -rf /usr/share/shorewall-lite
|
||||
rm -rf ${LIBEXEC}/shorewall-lite
|
||||
rm -rf /usr/share/shorewall-lite-*.bkout
|
||||
rm -f /etc/logrotate.d/shorewall-lite
|
||||
rm -f /lib/systemd/system/shorewall-lite.service
|
||||
|
||||
echo "Shorewall Lite Uninstalled"
|
||||
|
||||
|
@ -63,6 +63,7 @@ our @EXPORT = qw(
|
||||
|
||||
%chain_table
|
||||
$raw_table
|
||||
$rawpost_table
|
||||
$nat_table
|
||||
$mangle_table
|
||||
$filter_table
|
||||
@ -113,6 +114,8 @@ our %EXPORT_TAGS = (
|
||||
zone_input_chain
|
||||
use_input_chain
|
||||
output_chain
|
||||
prerouting_chain
|
||||
postrouting_chain
|
||||
zone_output_chain
|
||||
use_output_chain
|
||||
masq_chain
|
||||
@ -132,6 +135,7 @@ our %EXPORT_TAGS = (
|
||||
ensure_mangle_chain
|
||||
ensure_nat_chain
|
||||
ensure_raw_chain
|
||||
ensure_rawpost_chain
|
||||
new_standard_chain
|
||||
new_builtin_chain
|
||||
new_nat_chain
|
||||
@ -143,10 +147,13 @@ our %EXPORT_TAGS = (
|
||||
newexclusionchain
|
||||
newnonatchain
|
||||
source_exclusion
|
||||
source_iexclusion
|
||||
dest_exclusion
|
||||
dest_iexclusion
|
||||
clearrule
|
||||
port_count
|
||||
do_proto
|
||||
do_iproto
|
||||
do_mac
|
||||
do_imac
|
||||
verify_mark
|
||||
@ -262,6 +269,7 @@ our $VERSION = 'MODULEVERSION';
|
||||
#
|
||||
our %chain_table;
|
||||
our $raw_table;
|
||||
our $rawpost_table;
|
||||
our $nat_table;
|
||||
our $mangle_table;
|
||||
our $filter_table;
|
||||
@ -438,31 +446,33 @@ use constant { UNIQUE => 1,
|
||||
MATCH => 8,
|
||||
CONTROL => 16 };
|
||||
|
||||
my %opttype = ( rule => CONTROL,
|
||||
cmd => CONTROL,
|
||||
my %opttype = ( rule => CONTROL,
|
||||
cmd => CONTROL,
|
||||
|
||||
dhcp => UNIQUE,
|
||||
dhcp => UNIQUE,
|
||||
|
||||
mode => CONTROL,
|
||||
cmdlevel => CONTROL,
|
||||
simple => CONTROL,
|
||||
mode => CONTROL,
|
||||
cmdlevel => CONTROL,
|
||||
simple => CONTROL,
|
||||
|
||||
i => UNIQUE,
|
||||
s => UNIQUE,
|
||||
o => UNIQUE,
|
||||
d => UNIQUE,
|
||||
p => UNIQUE,
|
||||
dport => UNIQUE,
|
||||
sport => UNIQUE,
|
||||
i => UNIQUE,
|
||||
s => UNIQUE,
|
||||
o => UNIQUE,
|
||||
d => UNIQUE,
|
||||
p => UNIQUE,
|
||||
dport => UNIQUE,
|
||||
sport => UNIQUE,
|
||||
'icmp-type' => UNIQUE,
|
||||
'icmpv6-type' => UNIQUE,
|
||||
|
||||
comment => CONTROL,
|
||||
comment => CONTROL,
|
||||
|
||||
policy => MATCH,
|
||||
state => EXCLUSIVE,
|
||||
policy => MATCH,
|
||||
state => EXCLUSIVE,
|
||||
|
||||
jump => TARGET,
|
||||
target => TARGET,
|
||||
targetopts => TARGET,
|
||||
jump => TARGET,
|
||||
target => TARGET,
|
||||
targetopts => TARGET,
|
||||
);
|
||||
|
||||
my %aliases = ( protocol => 'p',
|
||||
@ -474,9 +484,11 @@ my %aliases = ( protocol => 'p',
|
||||
'out-interface' => 'o',
|
||||
dport => 'dport',
|
||||
sport => 'sport',
|
||||
'icmp-type' => 'icmp-type',
|
||||
'icmpv6-type' => 'icmpv6-type',
|
||||
);
|
||||
|
||||
my @unique_options = ( qw/p dport sport s d i o/ );
|
||||
my @unique_options = ( qw/p dport sport icmp-type icmpv6-type s d i o/ );
|
||||
|
||||
#
|
||||
# Rather than initializing globals in an INIT block or during declaration,
|
||||
@ -491,16 +503,18 @@ my @unique_options = ( qw/p dport sport s d i o/ );
|
||||
sub initialize( $$$ ) {
|
||||
( $family, my $hard, $export ) = @_;
|
||||
|
||||
%chain_table = ( raw => {},
|
||||
mangle => {},
|
||||
nat => {},
|
||||
filter => {} );
|
||||
%chain_table = ( raw => {},
|
||||
rawpost => {},
|
||||
mangle => {},
|
||||
nat => {},
|
||||
filter => {} );
|
||||
|
||||
$raw_table = $chain_table{raw};
|
||||
$nat_table = $chain_table{nat};
|
||||
$mangle_table = $chain_table{mangle};
|
||||
$filter_table = $chain_table{filter};
|
||||
%renamed = ();
|
||||
$raw_table = $chain_table{raw};
|
||||
$rawpost_table = $chain_table{rawpost};
|
||||
$nat_table = $chain_table{nat};
|
||||
$mangle_table = $chain_table{mangle};
|
||||
$filter_table = $chain_table{filter};
|
||||
%renamed = ();
|
||||
#
|
||||
# Contents of last COMMENT line.
|
||||
#
|
||||
@ -1582,6 +1596,22 @@ sub output_chain($)
|
||||
$_[0] . '_out';
|
||||
}
|
||||
|
||||
#
|
||||
# Prerouting Chain for an interface
|
||||
#
|
||||
sub prerouting_chain($)
|
||||
{
|
||||
$_[0] . '_pre';
|
||||
}
|
||||
|
||||
#
|
||||
# Prerouting Chain for an interface
|
||||
#
|
||||
sub postrouting_chain($)
|
||||
{
|
||||
$_[0] . '_post';
|
||||
}
|
||||
|
||||
#
|
||||
# Output Chain for a zone
|
||||
#
|
||||
@ -2044,6 +2074,14 @@ sub ensure_raw_chain($) {
|
||||
$chainref;
|
||||
}
|
||||
|
||||
sub ensure_rawpost_chain($) {
|
||||
my $chain = $_[0];
|
||||
|
||||
my $chainref = ensure_chain 'rawpost', $chain;
|
||||
$chainref->{referenced} = 1;
|
||||
$chainref;
|
||||
}
|
||||
|
||||
#
|
||||
# Add a builtin chain
|
||||
#
|
||||
@ -2110,7 +2148,7 @@ sub ensure_audit_chain( $;$$ ) {
|
||||
|
||||
$tgt ||= $action;
|
||||
|
||||
add_ijump $ref, j => 'AUDIT --type ' . lc $action;
|
||||
add_ijump $ref, j => 'AUDIT', targetopts => '--type ' . lc $action;
|
||||
|
||||
if ( $tgt eq 'REJECT' ) {
|
||||
add_ijump $ref , g => 'reject';
|
||||
@ -2200,6 +2238,8 @@ sub initialize_chain_table($) {
|
||||
new_builtin_chain 'raw', $chain, 'ACCEPT';
|
||||
}
|
||||
|
||||
new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
|
||||
|
||||
for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
|
||||
new_builtin_chain 'filter', $chain, 'DROP';
|
||||
}
|
||||
@ -2243,6 +2283,8 @@ sub initialize_chain_table($) {
|
||||
new_builtin_chain 'raw', $chain, 'ACCEPT';
|
||||
}
|
||||
|
||||
new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
|
||||
|
||||
for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
|
||||
new_builtin_chain 'filter', $chain, 'DROP';
|
||||
}
|
||||
@ -2718,7 +2760,7 @@ sub optimize_level8( $$$ ) {
|
||||
}
|
||||
|
||||
sub optimize_ruleset() {
|
||||
for my $table ( qw/raw mangle nat filter/ ) {
|
||||
for my $table ( qw/raw rawpost mangle nat filter/ ) {
|
||||
|
||||
next if $family == F_IPV6 && $table eq 'nat';
|
||||
|
||||
@ -2862,6 +2904,42 @@ sub source_exclusion( $$ ) {
|
||||
reftype $target ? $chainref : $chainref->{name};
|
||||
}
|
||||
|
||||
sub source_iexclusion( $$$$$;@ ) {
|
||||
my $chainref = shift;
|
||||
my $jump = shift;
|
||||
my $target = shift;
|
||||
my $targetopts = shift;
|
||||
my $source = shift;
|
||||
my $table = $chainref->{table};
|
||||
|
||||
my @exclusion;
|
||||
|
||||
if ( $source =~ /^([^!]+)!([^!]+)$/ ) {
|
||||
$source = $1;
|
||||
@exclusion = mysplit( $2 );
|
||||
|
||||
my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
|
||||
|
||||
add_ijump( $chainref1 , j => 'RETURN', imatch_source_net( $_ ) ) for @exclusion;
|
||||
|
||||
if ( $targetopts ) {
|
||||
add_ijump( $chainref1, $jump => $target, targetopts => $targetopts );
|
||||
} else {
|
||||
add_ijump( $chainref1, $jump => $target );
|
||||
}
|
||||
|
||||
add_ijump( $chainref , j => $chainref1, imatch_source_net( $source ), @_ );
|
||||
} elsif ( $targetopts ) {
|
||||
add_ijump( $chainref,
|
||||
$jump => $target,
|
||||
targetopts => $targetopts,
|
||||
imatch_source_net( $source ),
|
||||
@_ );
|
||||
} else {
|
||||
add_ijump( $chainref, $jump => $target, imatch_source_net( $source ), @_ );
|
||||
}
|
||||
}
|
||||
|
||||
sub dest_exclusion( $$ ) {
|
||||
my ( $exclusions, $target ) = @_;
|
||||
|
||||
@ -2877,6 +2955,38 @@ sub dest_exclusion( $$ ) {
|
||||
reftype $target ? $chainref : $chainref->{name};
|
||||
}
|
||||
|
||||
sub dest_iexclusion( $$$$$;@ ) {
|
||||
my $chainref = shift;
|
||||
my $jump = shift;
|
||||
my $target = shift;
|
||||
my $targetopts = shift;
|
||||
my $dest = shift;
|
||||
my $table = $chainref->{table};
|
||||
|
||||
my @exclusion;
|
||||
|
||||
if ( $dest =~ /^([^!]+)!([^!]+)$/ ) {
|
||||
$dest = $1;
|
||||
@exclusion = mysplit( $2 );
|
||||
|
||||
my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
|
||||
|
||||
add_ijump( $chainref1 , j => 'RETURN', imatch_dest_net( $_ ) ) for @exclusion;
|
||||
|
||||
if ( $targetopts ) {
|
||||
add_ijump( $chainref1, $jump => $target, targetopts => $targetopts, @_ );
|
||||
} else {
|
||||
add_ijump( $chainref1, $jump => $target, @_ );
|
||||
}
|
||||
|
||||
add_ijump( $chainref , j => $chainref1, imatch_dest_net( $dest ), @_ );
|
||||
} elsif ( $targetopts ) {
|
||||
add_ijump( $chainref, $jump => $target, imatch_dest_net( $dest ), targetopts => $targetopts , @_ );
|
||||
} else {
|
||||
add_ijump( $chainref, $jump => $target, imatch_dest_net( $dest ), @_ );
|
||||
}
|
||||
}
|
||||
|
||||
sub clearrule() {
|
||||
$iprangematch = 0;
|
||||
}
|
||||
@ -2894,7 +3004,9 @@ sub port_count( $ ) {
|
||||
sub state_imatch( $ ) {
|
||||
my $state = shift;
|
||||
|
||||
have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => $state );
|
||||
unless ( $state eq 'ALL' ) {
|
||||
have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" );
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
@ -3000,6 +3112,7 @@ sub do_proto( $$$;$ )
|
||||
|
||||
if ( $ports =~ /,/ ) {
|
||||
fatal_error "An inverted ICMP list may only contain a single type" if $invert;
|
||||
fatal_error "An ICMP type list is not allowed in this context" if $restricted;
|
||||
$types = '';
|
||||
for my $type ( split_list( $ports, 'ICMP type list' ) ) {
|
||||
$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;
|
||||
@ -3024,6 +3137,7 @@ sub do_proto( $$$;$ )
|
||||
|
||||
if ( $ports =~ /,/ ) {
|
||||
fatal_error "An inverted ICMP list may only contain a single type" if $invert;
|
||||
fatal_error "An ICMP type list is not allowed in this context" if $restricted;
|
||||
$types = '';
|
||||
for my $type ( list_split( $ports, 'ICMP type list' ) ) {
|
||||
$types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type;
|
||||
@ -3088,6 +3202,183 @@ sub do_mac( $ ) {
|
||||
"-m mac ${invert}--mac-source $mac ";
|
||||
}
|
||||
|
||||
sub do_iproto( $$$ )
|
||||
{
|
||||
my ($proto, $ports, $sports ) = @_;
|
||||
|
||||
my @output = ();
|
||||
|
||||
my $restricted = 1;
|
||||
|
||||
$proto = '' if $proto eq '-';
|
||||
$ports = '' if $ports eq '-';
|
||||
$sports = '' if $sports eq '-';
|
||||
|
||||
if ( $proto ne '' ) {
|
||||
|
||||
my $synonly = ( $proto =~ s/:syn$//i );
|
||||
my $invert = ( $proto =~ s/^!// ? '! ' : '' );
|
||||
my $protonum = resolve_proto $proto;
|
||||
|
||||
if ( defined $protonum ) {
|
||||
#
|
||||
# Protocol is numeric and <= 255 or is defined in /etc/protocols or NSS equivalent
|
||||
#
|
||||
fatal_error "'!0' not allowed in the PROTO column" if $invert && ! $protonum;
|
||||
|
||||
my $pname = proto_name( $proto = $protonum );
|
||||
#
|
||||
# $proto now contains the protocol number and $pname contains the canonical name of the protocol
|
||||
#
|
||||
unless ( $synonly ) {
|
||||
@output = ( p => "${invert}${proto}" );
|
||||
} else {
|
||||
fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
|
||||
@output = ( p => "$proto --syn" );
|
||||
}
|
||||
|
||||
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
|
||||
|
||||
PROTO:
|
||||
{
|
||||
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
|
||||
my $multiport = 0;
|
||||
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
|
||||
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
|
||||
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
||||
|
||||
if ( port_count ( $ports ) > 15 ) {
|
||||
if ( $restricted ) {
|
||||
fatal_error "A port list in this file may only have up to 15 ports";
|
||||
} elsif ( $invert ) {
|
||||
fatal_error "An inverted port list may only have up to 15 ports";
|
||||
}
|
||||
}
|
||||
|
||||
$ports = validate_port_list $pname , $ports;
|
||||
push @output, multiport => "${invert}--dports ${ports}";
|
||||
$multiport = 1;
|
||||
} else {
|
||||
fatal_error "Missing DEST PORT" unless supplied $ports;
|
||||
$ports = validate_portpair $pname , $ports;
|
||||
push @output, dport => "${invert}${ports}";
|
||||
}
|
||||
} else {
|
||||
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
|
||||
}
|
||||
|
||||
if ( $sports ne '' ) {
|
||||
$invert = $sports =~ s/^!// ? '! ' : '';
|
||||
if ( $multiport ) {
|
||||
|
||||
if ( port_count( $sports ) > 15 ) {
|
||||
if ( $restricted ) {
|
||||
fatal_error "A port list in this file may only have up to 15 ports";
|
||||
} elsif ( $invert ) {
|
||||
fatal_error "An inverted port list may only have up to 15 ports";
|
||||
}
|
||||
}
|
||||
|
||||
$sports = validate_port_list $pname , $sports;
|
||||
push @output, multiport => "${invert}--sports ${sports}";
|
||||
} else {
|
||||
fatal_error "Missing SOURCE PORT" unless supplied $sports;
|
||||
$sports = validate_portpair $pname , $sports;
|
||||
push @output, sport => "${invert}${sports}";
|
||||
}
|
||||
}
|
||||
|
||||
last PROTO; }
|
||||
|
||||
if ( $proto == ICMP ) {
|
||||
fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6; #User specified proto 1 rather than 'icmp'
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
|
||||
my $types;
|
||||
|
||||
if ( $ports =~ /,/ ) {
|
||||
fatal_error "An inverted ICMP list may only contain a single type" if $invert;
|
||||
fatal_error "An ICMP type list is not allowed in this context" if $restricted;
|
||||
$types = '';
|
||||
for my $type ( split_list( $ports, 'ICMP type list' ) ) {
|
||||
$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;
|
||||
}
|
||||
} else {
|
||||
$types = validate_icmp $ports;
|
||||
}
|
||||
|
||||
push @output, 'icmp-type' => "${invert}${types}";
|
||||
}
|
||||
|
||||
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
|
||||
|
||||
last PROTO; }
|
||||
|
||||
if ( $proto == IPv6_ICMP ) {
|
||||
fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4;
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
|
||||
my $types;
|
||||
|
||||
if ( $ports =~ /,/ ) {
|
||||
fatal_error "An inverted ICMP list may only contain a single type" if $invert;
|
||||
fatal_error "An ICMP type list is not allowed in this context" if $restricted;
|
||||
$types = '';
|
||||
for my $type ( split_list( $ports, 'ICMP type list' ) ) {
|
||||
$types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type;
|
||||
}
|
||||
} else {
|
||||
$types = validate_icmp6 $ports;
|
||||
}
|
||||
|
||||
push @output, 'icmpv6-type' => "${invert}${types}";
|
||||
}
|
||||
|
||||
fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
|
||||
|
||||
last PROTO; }
|
||||
|
||||
|
||||
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne '';
|
||||
|
||||
} # PROTO
|
||||
|
||||
} else {
|
||||
fatal_error '":syn" is only allowed with tcp' if $synonly;
|
||||
|
||||
if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
|
||||
my $p = $2 ? lc $3 : 'tcp';
|
||||
require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
|
||||
$proto = '-p ' . proto_name($p) . ' ';
|
||||
|
||||
my $options = '';
|
||||
|
||||
if ( $ports ne 'ipp2p' ) {
|
||||
$options .= " --$_" for split /,/, $ports;
|
||||
}
|
||||
|
||||
$options = have_capability( 'OLD_IPP2P_MATCH' ) ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
|
||||
|
||||
push @output, ipp2p => "${proto}${options}";
|
||||
} else {
|
||||
fatal_error "Invalid/Unknown protocol ($proto)"
|
||||
}
|
||||
}
|
||||
} else {
|
||||
#
|
||||
# No protocol
|
||||
#
|
||||
fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO" if $ports ne '' || $sports ne '';
|
||||
}
|
||||
|
||||
@output;
|
||||
}
|
||||
|
||||
sub do_imac( $ ) {
|
||||
my $mac = $_[0];
|
||||
|
||||
@ -3101,7 +3392,7 @@ sub do_imac( $ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Mark validatation functions
|
||||
# Mark validation functions
|
||||
#
|
||||
sub verify_mark( $ ) {
|
||||
my $mark = $_[0];
|
||||
@ -4786,7 +5077,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
|
||||
if ( $origdest ) {
|
||||
if ( $origdest eq '-' || ! have_capability( 'CONNTRACK_MATCH' ) ) {
|
||||
$origdest = '';
|
||||
$onets = $oexcl = '';
|
||||
} elsif ( $origdest =~ /^detect:(.*)$/ ) {
|
||||
#
|
||||
# Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column
|
||||
@ -4816,7 +5107,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
$rule .= "-m conntrack --ctorigdst $variable ";
|
||||
}
|
||||
|
||||
$origdest = '';
|
||||
$onets = $oexcl = '';
|
||||
} else {
|
||||
fatal_error "Invalid ORIGINAL DEST" if $origdest =~ /^([^!]+)?,!([^!]+)$/ || $origdest =~ /.*!.*!/;
|
||||
|
||||
@ -4903,7 +5194,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# Clear the exclusion bit
|
||||
#
|
||||
add_ijump $chainref , j => 'MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
|
||||
add_ijump $chainref , j => 'MARK', targetopts => '--and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
|
||||
#
|
||||
# Mark packet if it matches any of the exclusions
|
||||
#
|
||||
@ -5432,9 +5723,10 @@ sub create_netfilter_load( $ ) {
|
||||
|
||||
my @table_list;
|
||||
|
||||
push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
|
||||
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
|
||||
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
|
||||
push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
|
||||
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
|
||||
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'filter';
|
||||
|
||||
$mode = NULL_MODE;
|
||||
@ -5534,9 +5826,10 @@ sub preview_netfilter_load() {
|
||||
|
||||
my @table_list;
|
||||
|
||||
push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
|
||||
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
|
||||
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
|
||||
push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
|
||||
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
|
||||
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'filter';
|
||||
|
||||
$mode = NULL_MODE;
|
||||
@ -5644,7 +5937,7 @@ sub create_chainlist_reload($) {
|
||||
for my $chain ( @chains ) {
|
||||
( $table , $chain ) = split ':', $chain if $chain =~ /:/;
|
||||
|
||||
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
|
||||
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/;
|
||||
|
||||
$chains{$table} = {} unless $chains{$table};
|
||||
|
||||
@ -5673,7 +5966,7 @@ sub create_chainlist_reload($) {
|
||||
|
||||
enter_cat_mode;
|
||||
|
||||
for $table ( qw(raw nat mangle filter) ) {
|
||||
for $table ( qw(raw rawpost nat mangle filter) ) {
|
||||
my $tableref=$chains{$table};
|
||||
|
||||
next unless $tableref;
|
||||
@ -5748,9 +6041,10 @@ sub create_stop_load( $ ) {
|
||||
|
||||
my @table_list;
|
||||
|
||||
push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
|
||||
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
|
||||
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
|
||||
push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
|
||||
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
|
||||
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'filter';
|
||||
|
||||
my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
|
||||
|
@ -38,6 +38,8 @@ use Shorewall::IPAddrs;
|
||||
use Shorewall::Raw;
|
||||
use Shorewall::Misc;
|
||||
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( compiler );
|
||||
our @EXPORT_OK = qw( $export );
|
||||
@ -263,9 +265,9 @@ sub generate_script_2() {
|
||||
push_indent;
|
||||
|
||||
if ( $global_variables & NOT_RESTORE ) {
|
||||
emit( 'start|restart|refresh)' );
|
||||
emit( 'start|restart|refresh|disable|enable)' );
|
||||
} else {
|
||||
emit( 'start|restart|refresh|restore)' );
|
||||
emit( 'start|restart|refresh|disable|enable|restore)' );
|
||||
}
|
||||
|
||||
push_indent;
|
||||
@ -613,7 +615,6 @@ sub compiler {
|
||||
# shorewall.conf has been processed and the capabilities have been determined.
|
||||
#
|
||||
initialize_chain_table(1);
|
||||
|
||||
#
|
||||
# Allow user to load Perl modules
|
||||
#
|
||||
@ -695,7 +696,7 @@ sub compiler {
|
||||
if ( $scriptfilename || $debug ) {
|
||||
emit 'return 0';
|
||||
pop_indent;
|
||||
emit '}';
|
||||
emit '}'; # End of setup_common_rules()
|
||||
}
|
||||
|
||||
disable_script;
|
||||
@ -704,7 +705,17 @@ sub compiler {
|
||||
# (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
|
||||
#
|
||||
enable_script;
|
||||
|
||||
#
|
||||
# Validate the TC files so that the providers will know what interfaces have TC
|
||||
#
|
||||
my $tcinterfaces = process_tc;
|
||||
#
|
||||
# Generate a function to bring up each provider
|
||||
#
|
||||
process_providers( $tcinterfaces );
|
||||
#
|
||||
# [Re-]establish Routing
|
||||
#
|
||||
if ( $scriptfilename || $debug ) {
|
||||
emit( "\n#",
|
||||
'# Setup routing and traffic shaping',
|
||||
@ -714,9 +725,7 @@ sub compiler {
|
||||
|
||||
push_indent;
|
||||
}
|
||||
#
|
||||
# [Re-]establish Routing
|
||||
#
|
||||
|
||||
setup_providers;
|
||||
#
|
||||
# TCRules and Traffic Shaping
|
||||
@ -725,7 +734,7 @@ sub compiler {
|
||||
|
||||
if ( $scriptfilename || $debug ) {
|
||||
pop_indent;
|
||||
emit "}\n";
|
||||
emit "}\n"; # End of setup_routing_and_traffic_shaping()
|
||||
}
|
||||
|
||||
disable_script;
|
||||
@ -748,12 +757,12 @@ sub compiler {
|
||||
# Setup Nat
|
||||
#
|
||||
setup_nat;
|
||||
#
|
||||
# Setup NETMAP
|
||||
#
|
||||
setup_netmap;
|
||||
}
|
||||
|
||||
#
|
||||
# Setup NETMAP
|
||||
#
|
||||
setup_netmap;
|
||||
#
|
||||
# MACLIST Filtration
|
||||
#
|
||||
|
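Review bot: In the `@ -748,12 +757,12` hunk, `setup_netmap;` is moved out of the block that closes at the `}` right after `setup_nat;`, so it now runs unconditionally; that block's condition lies outside the hunk, and if it was a NAT-capability guard the only thing still gating the call is the per-entry `require_capability 'NAT_ENABLED'` / `'RAWPOST_TABLE'` inside setup_netmap in the Nat.pm section of this commit. A comment at the call site would make that dependency explicit, e.g. `# setup_netmap enforces NAT_ENABLED (stateful) and RAWPOST_TABLE (stateless) per entry, so it is called regardless of NAT support`. The enclosing `compiler` sub starts and ends outside this hunk.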
@ -279,6 +279,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
HEADER_MATCH => 'Header Match',
|
||||
ACCOUNT_TARGET => 'ACCOUNT Target',
|
||||
AUDIT_TARGET => 'AUDIT Target',
|
||||
RAWPOST_TABLE => 'Rawpost Table',
|
||||
CAPVERSION => 'Capability Version',
|
||||
KERNELVERSION => 'Kernel Version',
|
||||
);
|
||||
@ -306,6 +307,7 @@ our %config_files = ( #accounting => 1,
|
||||
refresh => 1,
|
||||
refreshed => 1,
|
||||
restored => 1,
|
||||
rawnat => 1,
|
||||
route_rules => 1,
|
||||
routes => 1,
|
||||
routestopped => 1,
|
||||
@ -381,6 +383,12 @@ my $iptables; # Path to iptables/ip6tables
|
||||
my $tc; # Path to tc
|
||||
my $ip; # Path to ip
|
||||
|
||||
my $shell; # Type of shell that processed the params file
|
||||
|
||||
use constant { BASH => 1,
|
||||
OLDBASH => 2,
|
||||
ASH => 3 };
|
||||
|
||||
use constant { MIN_VERBOSITY => -1,
|
||||
MAX_VERBOSITY => 2 ,
|
||||
F_IPV4 => 4,
|
||||
@ -436,7 +444,7 @@ sub initialize( $ ) {
|
||||
STATEMATCH => '-m state --state',
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.4.22.1",
|
||||
CAPVERSION => 40421 ,
|
||||
CAPVERSION => 40423 ,
|
||||
);
|
||||
#
|
||||
# From shorewall.conf file
|
||||
@ -624,6 +632,7 @@ sub initialize( $ ) {
|
||||
CONNMARK_MATCH => undef,
|
||||
XCONNMARK_MATCH => undef,
|
||||
RAW_TABLE => undef,
|
||||
RAWPOST_TABLE => undef,
|
||||
IPP2P_MATCH => undef,
|
||||
OLD_IPP2P_MATCH => undef,
|
||||
CLASSIFY_TARGET => undef,
|
||||
@ -2525,6 +2534,10 @@ sub Raw_Table() {
|
||||
qt1( "$iptables -t raw -L -n" );
|
||||
}
|
||||
|
||||
sub Rawpost_Table() {
|
||||
qt1( "$iptables -t rawpost -L -n" );
|
||||
}
|
||||
|
||||
sub Old_IPSet_Match() {
|
||||
my $ipset = $config{IPSET} || 'ipset';
|
||||
my $result = 0;
|
||||
@ -2707,6 +2720,7 @@ our %detect_capability =
|
||||
PHYSDEV_MATCH => \&Physdev_Match,
|
||||
POLICY_MATCH => \&Policy_Match,
|
||||
RAW_TABLE => \&Raw_Table,
|
||||
RAWPOST_TABLE => \&Rawpost_Table,
|
||||
REALM_MATCH => \&Realm_Match,
|
||||
RECENT_MATCH => \&Recent_Match,
|
||||
TCPMSS_MATCH => \&Tcpmss_Match,
|
||||
@ -2820,6 +2834,7 @@ sub determine_capabilities() {
|
||||
|
||||
$capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' );
|
||||
$capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' );
|
||||
$capabilities{RAWPOST_TABLE} = detect_capability( 'RAWPOST_TABLE' );
|
||||
$capabilities{IPSET_MATCH} = detect_capability( 'IPSET_MATCH' );
|
||||
$capabilities{USEPKTTYPE} = detect_capability( 'USEPKTTYPE' );
|
||||
$capabilities{ADDRTYPE} = detect_capability( 'ADDRTYPE' );
|
||||
@ -3054,8 +3069,19 @@ EOF
|
||||
|
||||
fatal_error "Can't rename $configfile to $configfile.bak: $!" unless rename $configfile, "$configfile.bak";
|
||||
fatal_error "Can't rename $configfile.updated to $configfile: $!" unless rename "$configfile.updated", $configfile;
|
||||
|
||||
if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
|
||||
progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
|
||||
} else {
|
||||
if ( unlink "$configfile.bak" ) {
|
||||
progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
|
||||
} else {
|
||||
warning_message "Unable to unlink $configfile.bak";
|
||||
progress_message3 "No update required to configuration file $configfile; $configfile.b";
|
||||
}
|
||||
|
||||
progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
|
||||
exit 0;
|
||||
}
|
||||
} else {
|
||||
fatal_error "$fn does not exist";
|
||||
}
|
||||
@ -3249,6 +3275,8 @@ sub get_params() {
|
||||
# - Embedded double quotes are escaped with '\\'
|
||||
# - Valueless variables are supported (e.g., 'declare -x foo')
|
||||
#
|
||||
$shell = BASH;
|
||||
|
||||
for ( @params ) {
|
||||
if ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
|
||||
$params{$1} = $2 unless $1 eq '_';
|
||||
@ -3257,11 +3285,11 @@ sub get_params() {
|
||||
} elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) {
|
||||
$params{$1} = '';
|
||||
} else {
|
||||
chomp;
|
||||
if ($variable) {
|
||||
s/"$//;
|
||||
$params{$variable} .= $_;
|
||||
} else {
|
||||
chomp;
|
||||
warning_message "Param line ($_) ignored" unless $bug++;
|
||||
}
|
||||
}
|
||||
@ -3275,6 +3303,8 @@ sub get_params() {
|
||||
# - Embedded single quotes are escaped with '\'
|
||||
# - Valueless variables ( e.g., 'export foo') are supported
|
||||
#
|
||||
$shell = OLDBASH;
|
||||
|
||||
for ( @params ) {
|
||||
if ( /^export (.*?)="(.*[^\\])"$/ ) {
|
||||
$params{$1} = $2 unless $1 eq '_';
|
||||
@ -3283,11 +3313,11 @@ sub get_params() {
|
||||
} elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) {
|
||||
$params{$1} = '';
|
||||
} else {
|
||||
chomp;
|
||||
if ($variable) {
|
||||
s/"$//;
|
||||
$params{$variable} .= $_;
|
||||
} else {
|
||||
chomp;
|
||||
warning_message "Param line ($_) ignored" unless $bug++;
|
||||
}
|
||||
}
|
||||
@ -3300,6 +3330,8 @@ sub get_params() {
|
||||
# - Param values are delimited by single quotes.
|
||||
# - Embedded single quotes are transformed to the five characters '"'"'
|
||||
#
|
||||
$shell = ASH;
|
||||
|
||||
for ( @params ) {
|
||||
if ( /^export (.*?)='(.*'"'"')$/ ) {
|
||||
$params{$variable=$1}="${2}\n";
|
||||
@ -3308,11 +3340,11 @@ sub get_params() {
|
||||
} elsif ( /^export (.*?)='(.*)$/ ) {
|
||||
$params{$variable=$1}="${2}\n";
|
||||
} else {
|
||||
chomp;
|
||||
if ($variable) {
|
||||
s/'$//;
|
||||
$params{$variable} .= $_;
|
||||
} else {
|
||||
chomp;
|
||||
warning_message "Param line ($_) ignored" unless $bug++;
|
||||
}
|
||||
}
|
||||
@ -3351,15 +3383,29 @@ sub export_params() {
|
||||
#
|
||||
next if exists $compiler_params{$param};
|
||||
#
|
||||
# Values in %params are generated from the output of 'export -p'.
|
||||
# The different shells have different conventions for delimiting
|
||||
# the value and for escaping embedded instances of the delimiter.
|
||||
# The following logic removes the escape characters.
|
||||
#
|
||||
if ( $shell == BASH ) {
|
||||
$value =~ s/\\"/"/g;
|
||||
} elsif ( $shell == OLDBASH ) {
|
||||
$value =~ s/\\'/'/g;
|
||||
} else {
|
||||
$value =~ s/'"'"'/'/g;
|
||||
}
|
||||
#
|
||||
# Don't export pairs from %ENV
|
||||
#
|
||||
if ( exists $ENV{$param} && defined $ENV{$param} ) {
|
||||
next if $value eq $ENV{$param};
|
||||
}
|
||||
next if defined $ENV{$param} && $value eq $ENV{$param};
|
||||
|
||||
emit "#\n# From the params file\n#" unless $count++;
|
||||
|
||||
if ( $value =~ /[\s()[]/ ) {
|
||||
#
|
||||
# We will use double quotes and escape embedded quotes with \.
|
||||
#
|
||||
if ( $value =~ /[\s()['"]/ ) {
|
||||
$value =~ s/"/\\"/g;
|
||||
emit "$param='$value'";
|
||||
} else {
|
||||
emit "$param=$value";
|
||||
@ -3368,9 +3414,10 @@ sub export_params() {
|
||||
}
|
||||
|
||||
#
|
||||
# - Process the params file
|
||||
# - Read the shorewall.conf file
|
||||
# - Read the capabilities file, if any
|
||||
# - establish global hashes %config , %globals and %capabilities
|
||||
# - establish global hashes %params, %config , %globals and %capabilities
|
||||
#
|
||||
sub get_configuration( $$$ ) {
|
||||
|
||||
|
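Review bot: In export_params (`@ -3351,15 +3383,29`), the new escaping `$value =~ s/"/\\"/g;` and the comment announcing double quotes do not match the unchanged `emit "$param='$value'";` that follows, which still wraps the value in single quotes: inside single quotes `\"` is emitted literally, and an embedded `'` — now admitted by the widened `/[\s()['"]/` test — terminates the quoted string, after which the rest of the value is parsed as shell by the generated script. Either keep the single quotes and escape the single quote instead, `$value =~ s/'/'\\''/g;`, or switch the emit to double quotes, in which case `\`, `$` and backticks need escaping as well. Separately, in the update_config hunk (`@ -3054,8 +3069,19`) the message on the unlink-failure branch is cut off (`...; $configfile.b"`), presumably meant to end `$configfile.bak not removed`, and `system( "diff -q $configfile $configfile.bak > /dev/null" )` could use the core `File::Compare::compare` so the path is never interpolated into a shell command line (note that compare returns -1 on error, which should not be reported as "updated"). The enclosing subs start and end outside these hunks.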
@ -152,7 +152,10 @@ sub setup_ecn()
|
||||
|
||||
if ( my $fn = open_file 'ecn' ) {
|
||||
|
||||
first_entry "$doing $fn...";
|
||||
first_entry( sub { progress_message2 "$doing $fn...";
|
||||
require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
|
||||
warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
|
||||
} );
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
@ -178,12 +181,12 @@ sub setup_ecn()
|
||||
for my $interface ( @interfaces ) {
|
||||
my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
|
||||
|
||||
add_ijump $mangle_table->{POSTROUTING} , j => $chainref, p => 'tcp', imatch_dest_dev( $interface );
|
||||
add_ijump $mangle_table->{POSTROUTING} , j => $chainref, p => 'tcp', imatch_dest_dev( $interface ) if have_capability 'MANGLE_FORWARD';
|
||||
add_ijump $mangle_table->{OUTPUT}, j => $chainref, p => 'tcp', imatch_dest_dev( $interface );
|
||||
}
|
||||
|
||||
for my $host ( @hosts ) {
|
||||
add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN --ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[1] ) );
|
||||
add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', targetopts => '--ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[1] ) );
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -223,7 +226,7 @@ sub setup_blacklist() {
|
||||
|
||||
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
||||
|
||||
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $target ) if $audit;
|
||||
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
||||
add_ijump( $logchainref, g => $target );
|
||||
|
||||
$target = 'blacklog';
|
||||
@ -498,34 +501,45 @@ sub add_common_rules() {
|
||||
my $audit = $policy =~ s/^A_//;
|
||||
my @ipsec = have_ipsec ? ( policy => '--pol none --dir in' ) : ();
|
||||
|
||||
if ( $level || $audit || @ipsec ) {
|
||||
if ( $level || $audit ) {
|
||||
#
|
||||
# Create a chain to log and/or audit and apply the policy
|
||||
#
|
||||
$chainref = new_standard_chain 'sfilter';
|
||||
|
||||
log_rule $level , $chainref , $policy , '' if $level ne '';
|
||||
|
||||
add_ijump( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit;
|
||||
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
|
||||
|
||||
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
|
||||
|
||||
$target = 'sfilter';
|
||||
|
||||
if ( @ipsec ) {
|
||||
$chainref = new_standard_chain 'sfilter1';
|
||||
|
||||
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
|
||||
log_rule $level , $chainref , $policy , '' if $level ne '';
|
||||
|
||||
add_ijump( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit;
|
||||
|
||||
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
|
||||
|
||||
$target1 = 'sfilter1';
|
||||
}
|
||||
} elsif ( ( $target = $policy ) eq 'REJECT' ) {
|
||||
$target = 'reject';
|
||||
} else {
|
||||
$target = $policy eq 'REJECT' ? 'reject' : $policy;
|
||||
}
|
||||
|
||||
$target1 = $target unless $target1;
|
||||
if ( @ipsec ) {
|
||||
#
|
||||
# sfilter1 will be used in the FORWARD chain where we allow traffic entering the interface
|
||||
# to leave the interface encrypted. We need a separate chain because '--dir out' cannot be
|
||||
# used in the input chain
|
||||
#
|
||||
$chainref = new_standard_chain 'sfilter1';
|
||||
|
||||
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
|
||||
log_rule $level , $chainref , $policy , '' if $level ne '';
|
||||
|
||||
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
|
||||
|
||||
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
|
||||
|
||||
$target1 = 'sfilter1';
|
||||
} else {
|
||||
#
|
||||
# No IPSEC -- use the same target in both INPUT and FORWARD
|
||||
#
|
||||
$target1 = $target;
|
||||
}
|
||||
|
||||
for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
|
||||
ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
|
||||
@ -540,9 +554,15 @@ sub add_common_rules() {
|
||||
|
||||
if ( @filters ) {
|
||||
add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
|
||||
$interfaceref->{options}{use_forward_chain} = 1;
|
||||
} elsif ( $interfaceref->{bridge} eq $interface ) {
|
||||
add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
|
||||
unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter} || $interfaceref->{physical} eq '+';
|
||||
unless( $config{ROUTE_FILTER} eq 'on' ||
|
||||
$interfaceref->{options}{routeback} ||
|
||||
$interfaceref->{options}{routefilter} ||
|
||||
$interfaceref->{physical} eq '+' );
|
||||
|
||||
$interfaceref->{options}{use_forward_chain} = 1;
|
||||
}
|
||||
|
||||
add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT};
|
||||
@ -552,6 +572,7 @@ sub add_common_rules() {
|
||||
|
||||
if ( @filters ) {
|
||||
add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
|
||||
$interfaceref->{options}{use_input_chain} = 1;
|
||||
}
|
||||
|
||||
add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT};
|
||||
@ -592,7 +613,7 @@ sub add_common_rules() {
|
||||
'',
|
||||
'add',
|
||||
'' );
|
||||
add_ijump( $smurfref, j => 'AUDIT --type drop' ) if $smurfdest eq 'A_DROP';
|
||||
add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
|
||||
add_ijump( $smurfref, j => 'DROP' );
|
||||
|
||||
$smurfdest = 'smurflog';
|
||||
@ -666,7 +687,7 @@ sub add_common_rules() {
|
||||
}
|
||||
|
||||
add_ijump $rejectref , j => 'DROP', p => 2;
|
||||
add_ijump $rejectref , j => 'REJECT --reject-with tcp-reset', p => 6;
|
||||
add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
|
||||
|
||||
if ( have_capability( 'ENHANCED_REJECT' ) ) {
|
||||
add_ijump $rejectref , j => 'REJECT', p => 17;
|
||||
@ -729,11 +750,11 @@ sub add_common_rules() {
|
||||
|
||||
if ( $audit ) {
|
||||
$disposition =~ s/^A_//;
|
||||
add_ijump( $logflagsref, j => 'AUDIT --type ' . lc $disposition );
|
||||
add_ijump( $logflagsref, j => 'AUDIT', targetopts => '--type ' . lc $disposition );
|
||||
}
|
||||
|
||||
if ( $disposition eq 'REJECT' ) {
|
||||
add_ijump $logflagsref , j => 'REJECT --reject-with tcp-reset', p => 6;
|
||||
add_ijump $logflagsref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
|
||||
} else {
|
||||
add_ijump $logflagsref , j => $disposition;
|
||||
}
|
||||
@ -906,14 +927,14 @@ sub setup_mac_lists( $ ) {
|
||||
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
|
||||
if supplied $level;
|
||||
|
||||
add_ijump( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
|
||||
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
|
||||
add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
|
||||
}
|
||||
} else {
|
||||
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
|
||||
if supplied $level;
|
||||
|
||||
add_ijump( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
|
||||
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
|
||||
add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
|
||||
}
|
||||
|
||||
@ -1163,6 +1184,12 @@ sub add_interface_jumps {
|
||||
addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface );
|
||||
addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
|
||||
addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
|
||||
|
||||
if ( have_capability 'RAWPOST_TABLE' ) {
|
||||
insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface};
|
||||
insert_ijump ( $raw_table->{PREROUTING}, j => prerouting_chain( $interface ), 0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
|
||||
insert_ijump ( $raw_table->{OUTPUT}, j => output_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $raw_table->{output_chain $interface};
|
||||
}
|
||||
}
|
||||
#
|
||||
# Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
|
||||
@ -1821,10 +1848,10 @@ sub setup_mss( ) {
|
||||
|
||||
if ( $clampmss ) {
|
||||
if ( "\L$clampmss" eq 'yes' ) {
|
||||
$option = ' --clamp-mss-to-pmtu';
|
||||
$option = '--clamp-mss-to-pmtu';
|
||||
} else {
|
||||
@match = ( tcpmss => "--mss $clampmss:" ) if have_capability( 'TCPMSS_MATCH' );
|
||||
$option = " --set-mss $clampmss";
|
||||
$option = "--set-mss $clampmss";
|
||||
}
|
||||
|
||||
push @match, ( policy => '--pol none --dir out' ) if have_ipsec;
|
||||
@ -1855,14 +1882,14 @@ sub setup_mss( ) {
|
||||
my @mssmatch = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
|
||||
my @source = imatch_source_dev $_;
|
||||
my @dest = imatch_dest_dev $_;
|
||||
add_ijump $chainref, j => "TCPMSS --set-mss $mss", @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @out_match;
|
||||
add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @out_match;
|
||||
add_ijump $chainref, j => 'RETURN', @dest if $clampmss;
|
||||
add_ijump $chainref, j => "TCPMSS --set-mss $mss", @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @in_match;
|
||||
add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @in_match;
|
||||
add_ijump $chainref, j => 'RETURN', @source if $clampmss;
|
||||
}
|
||||
}
|
||||
|
||||
add_ijump $chainref , j => "TCPMSS${option}", p => 'tcp --tcp-flags SYN,RST SYN', @match if $clampmss;
|
||||
add_ijump $chainref , j => 'TCPMSS', targetopts => $option, p => 'tcp --tcp-flags SYN,RST SYN', @match if $clampmss;
|
||||
}
|
||||
|
||||
#
|
||||
@ -1928,6 +1955,9 @@ EOF
|
||||
refresh)
|
||||
logger -p kern.err "ERROR:$g_product refresh failed"
|
||||
;;
|
||||
enable)
|
||||
logger -p kern.err "ERROR:$g_product 'enable $g_interface' failed"
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ "$RESTOREFILE" = NONE ]; then
|
||||
|
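Review bot: In add_interface_jumps (`@ -1163,6 +1184,12`), the two `insert_ijump` calls into `$raw_table->{PREROUTING}` and `$raw_table->{OUTPUT}` sit inside `if ( have_capability 'RAWPOST_TABLE' )`, although the raw table is governed by the separate `RAW_TABLE` capability this commit also detects; the guard only works today because the per-interface raw chains are created by the stateless netmap code, which itself requires RAWPOST_TABLE. Keying the raw-table jumps on `RAW_TABLE` (or only on the chain's existence, as the trailing `if $raw_table->{...}` already does) would avoid silently leaving those chains unlinked if another feature starts creating them. Separately, the `esac` hunk (`@ -1928,6 +1955,9`) gains an `enable)` failure-log arm but no `disable)` arm, while the Compiler.pm hunk in this commit accepts `disable` alongside `enable`; a matching `disable) logger -p kern.err "ERROR:$g_product 'disable $g_interface' failed" ;;` arm would keep the two symmetric, if a failed disable reaches this case. The enclosing subs start outside these hunks.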
@ -403,36 +403,101 @@ sub setup_netmap() {
|
||||
|
||||
if ( my $fn = open_file 'netmap' ) {
|
||||
|
||||
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
|
||||
my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 4, 8, 'netmap file';
|
||||
|
||||
$net3 = ALLIP if $net3 eq '-';
|
||||
|
||||
for my $interface ( split_list $interfacelist, 'interface' ) {
|
||||
|
||||
my @rulein;
|
||||
my @ruleout;
|
||||
my $iface = $interface;
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
|
||||
|
||||
unless ( $interfaceref->{root} ) {
|
||||
@rulein = imatch_source_dev( $interface );
|
||||
@ruleout = imatch_dest_dev( $interface );
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
my @rule = do_iproto( $proto, $dport, $sport );
|
||||
|
||||
if ( $type eq 'DNAT' ) {
|
||||
add_ijump ensure_chain( 'nat' , input_chain $interface ) , j => "NETMAP --to $net2", @rulein , imatch_source_net( $net3 ), d => $net1;
|
||||
} elsif ( $type eq 'SNAT' ) {
|
||||
add_ijump ensure_chain( 'nat' , output_chain $interface ) , j => "NETMAP --to $net2", @ruleout , imatch_dest_net( $net3 ) , s => $net1;
|
||||
unless ( $type =~ /:/ ) {
|
||||
my @rulein;
|
||||
my @ruleout;
|
||||
|
||||
validate_net $net1, 0;
|
||||
validate_net $net2, 0;
|
||||
|
||||
unless ( $interfaceref->{root} ) {
|
||||
@rulein = imatch_source_dev( $interface );
|
||||
@ruleout = imatch_dest_dev( $interface );
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
|
||||
require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
|
||||
|
||||
if ( $type eq 'DNAT' ) {
|
||||
dest_iexclusion( ensure_chain( 'nat' , input_chain $interface ) ,
|
||||
j => 'NETMAP' ,
|
||||
"--to $net2",
|
||||
$net1 ,
|
||||
@rulein ,
|
||||
imatch_source_net( $net3 ) );
|
||||
} elsif ( $type eq 'SNAT' ) {
|
||||
source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
|
||||
j => 'NETMAP' ,
|
||||
"--to $net2" ,
|
||||
$net1 ,
|
||||
@ruleout ,
|
||||
imatch_dest_net( $net3 ) );
|
||||
} else {
|
||||
fatal_error "Invalid type ($type)";
|
||||
}
|
||||
} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
|
||||
my ( $target , $chain ) = ( $1, $2 );
|
||||
my $table = 'raw';
|
||||
my @match;
|
||||
|
||||
require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
|
||||
|
||||
unless ( $interfaceref->{root} ) {
|
||||
@match = imatch_dest_dev( $interface );
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
|
||||
if ( $chain eq 'P' ) {
|
||||
$chain = prerouting_chain $interface;
|
||||
@match = imatch_source_dev( $iface ) unless $iface eq $interface;
|
||||
} elsif ( $chain eq 'O' ) {
|
||||
$chain = output_chain $interface;
|
||||
} else {
|
||||
$chain = postrouting_chain $interface;
|
||||
$table = 'rawpost';
|
||||
}
|
||||
|
||||
my $chainref = ensure_chain( $table, $chain );
|
||||
|
||||
|
||||
if ( $target eq 'DNAT' ) {
|
||||
dest_iexclusion( $chainref ,
|
||||
j => 'RAWDNAT' ,
|
||||
"--to-dest $net2" ,
|
||||
$net1 ,
|
||||
imatch_source_net( $net3 ) ,
|
||||
@rule ,
|
||||
@match
|
||||
);
|
||||
} else {
|
||||
source_iexclusion( $chainref ,
|
||||
j => 'RAWSNAT' ,
|
||||
"--to-source $net2" ,
|
||||
$net1 ,
|
||||
imatch_dest_net( $net3 ) ,
|
||||
@rule ,
|
||||
@match );
|
||||
}
|
||||
} else {
|
||||
fatal_error "Invalid type ($type)";
|
||||
}
|
||||
|
||||
|
||||
progress_message " Network $net1 on $iface mapped to $net2 ($type)";
|
||||
}
|
||||
}
|
||||
|
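Review bot: In setup_netmap (`@ -403,36 +403,101`), `my @rule = do_iproto( $proto, $dport, $sport );` is computed for every entry but only passed to `dest_iexclusion`/`source_iexclusion` in the stateless `DNAT:`/`SNAT:` branch; the stateful `NETMAP` branch omits `@rule`, so PROTO/DPORT/SPORT values on a plain DNAT or SNAT entry are silently dropped and the generated rule matches all traffic, wider than the entry asks for. Either append `@rule` to both NETMAP argument lists or reject the columns there, e.g. `fatal_error "PROTO, DPORT and SPORT are not allowed with $type entries" if @rule;` right after the `do_iproto` call — assuming do_iproto returns an empty list when all three columns are `-`. Also, `validate_net $net1, 0; validate_net $net2, 0;` runs only in the stateful branch; the stateless branch interpolates `$net1`/`$net2` into `--to-dest`/`--to-source` without that check, unless the iexclusion helpers validate them. setup_netmap closes at the end of the hunk but opens before it.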
@ -40,7 +40,7 @@ our @EXPORT = qw(
|
||||
setup_source_routing
|
||||
setup_forwarding
|
||||
);
|
||||
our @EXPORT_OK = qw( );
|
||||
our @EXPORT_OK = qw( setup_interface_proc );
|
||||
our $VERSION = 'MODULEVERSION';
|
||||
|
||||
#
|
||||
@ -277,4 +277,45 @@ sub setup_forwarding( $$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_interface_proc( $ ) {
|
||||
my $interface = shift;
|
||||
my $physical = get_physical $interface;
|
||||
my $value;
|
||||
my @emitted;
|
||||
|
||||
if ( interface_has_option( $interface, 'arp_filter' , $value ) ) {
|
||||
push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter";
|
||||
}
|
||||
|
||||
if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) {
|
||||
push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore";
|
||||
}
|
||||
|
||||
if ( interface_has_option( $interface, 'routefilter' , $value ) ) {
|
||||
push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/rp_filter";
|
||||
}
|
||||
|
||||
if ( interface_has_option( $interface, 'logmartians' , $value ) ) {
|
||||
push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/log_martians";
|
||||
}
|
||||
|
||||
if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
|
||||
push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
|
||||
}
|
||||
|
||||
if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
|
||||
push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
|
||||
}
|
||||
|
||||
if ( @emitted ) {
|
||||
emit( '',
|
||||
'if [ $COMMAND = enable ]; then' );
|
||||
push_indent;
|
||||
emit "$_" for @emitted;
|
||||
pop_indent;
|
||||
emit "fi\n";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
1;
|
||||
|
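Review bot: In setup_interface_proc (`@ -277,4 +277,45`), the `sourceroute` block is duplicated verbatim, so the `accept_source_route` echo is emitted twice for each interface carrying that option; one copy should go — or, if the second was meant for a different option, its option name and sysctl path need changing. In the emitted test `'if [ $COMMAND = enable ]; then'` the variable is unquoted in the generated script; `'if [ "$COMMAND" = enable ]; then'` keeps the test valid should COMMAND ever be empty. Since `$physical` is interpolated straight into `/proc/sys/net/ipv4/conf/$physical/...`, a wildcard physical name such as the `+` handled elsewhere in this commit would produce a bogus path — worth confirming the caller never passes one. The sub is complete within the hunk.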
@ -29,11 +29,16 @@ use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::Chains qw(:DEFAULT :internal);
|
||||
use Shorewall::Proc qw( setup_interface_proc );
|
||||
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
|
||||
our @EXPORT = qw( process_providers
|
||||
setup_providers
|
||||
@routemarked_interfaces
|
||||
handle_stickiness
|
||||
handle_optional_interfaces );
|
||||
our @EXPORT_OK = qw( initialize lookup_provider );
|
||||
our $VERSION = 'MODULEVERSION';
|
||||
|
||||
@ -85,10 +90,10 @@ sub initialize( $ ) {
|
||||
$first_default_route = 1;
|
||||
$first_fallback_route = 1;
|
||||
|
||||
%providers = ( local => { number => LOCAL_TABLE , mark => 0 , optional => 0 } ,
|
||||
main => { number => MAIN_TABLE , mark => 0 , optional => 0 } ,
|
||||
default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 } ,
|
||||
unspec => { number => UNSPEC_TABLE , mark => 0 , optional => 0 } );
|
||||
%providers = ( local => { number => LOCAL_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
|
||||
main => { number => MAIN_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
|
||||
default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
|
||||
unspec => { number => UNSPEC_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } );
|
||||
@providers = ();
|
||||
}
|
||||
|
||||
@ -100,7 +105,7 @@ sub setup_route_marking() {
|
||||
|
||||
require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
|
||||
|
||||
add_ijump $mangle_table->{$_} , j => "CONNMARK --restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
|
||||
add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
|
||||
|
||||
my $chainref = new_chain 'mangle', 'routemark';
|
||||
my $chainref1 = new_chain 'mangle', 'setsticky';
|
||||
@ -122,14 +127,14 @@ sub setup_route_marking() {
|
||||
|
||||
if ( $providerref->{shared} ) {
|
||||
add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
|
||||
add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
|
||||
add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
|
||||
decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
|
||||
} else {
|
||||
add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface );
|
||||
add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
|
||||
}
|
||||
}
|
||||
|
||||
add_ijump $chainref, j => "CONNMARK --save-mark --mask $mask", mark => "! --mark 0/$mask";
|
||||
add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
|
||||
}
|
||||
|
||||
sub copy_table( $$$ ) {
|
||||
@ -139,6 +144,8 @@ sub copy_table( $$$ ) {
|
||||
#
|
||||
my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
|
||||
|
||||
emit '';
|
||||
|
||||
if ( $realm ) {
|
||||
emit ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
||||
} else {
|
||||
@ -170,6 +177,8 @@ sub copy_and_edit_table( $$$$ ) {
|
||||
# Shell and iptables use a different wildcard character
|
||||
#
|
||||
$copy =~ s/\+/*/;
|
||||
|
||||
emit '';
|
||||
|
||||
if ( $realm ) {
|
||||
emit ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
|
||||
@ -242,21 +251,28 @@ sub balance_fallback_route( $$$$ ) {
|
||||
sub start_provider( $$$ ) {
|
||||
my ($table, $number, $test ) = @_;
|
||||
|
||||
emit "\n#\n# Add Provider $table ($number)\n#";
|
||||
|
||||
emit "start_provider_$table() {";
|
||||
push_indent;
|
||||
emit $test;
|
||||
push_indent;
|
||||
|
||||
emit "#\n# Add Provider $table ($number)\n#";
|
||||
|
||||
emit "qt ip -$family route flush table $number";
|
||||
emit "echo \"qt \$IP -$family route flush table $number\" >> \${VARDIR}/undo_routing";
|
||||
emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
|
||||
}
|
||||
|
||||
sub add_a_provider( ) {
|
||||
#
|
||||
# Process a record in the providers file
|
||||
#
|
||||
sub process_a_provider() {
|
||||
|
||||
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 6, 8, 'providers file';
|
||||
|
||||
fatal_error "Duplicate provider ($table)" if $providers{$table};
|
||||
|
||||
fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
|
||||
|
||||
my $num = numeric_value $number;
|
||||
|
||||
fatal_error "Invalid Provider number ($number)" unless defined $num;
|
||||
@ -281,7 +297,6 @@ sub add_a_provider( ) {
|
||||
fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
|
||||
|
||||
my $physical = get_physical $interface;
|
||||
my $base = uc chain_base $physical;
|
||||
my $gatewaycase = '';
|
||||
|
||||
if ( $gateway eq 'detect' ) {
|
||||
@ -303,6 +318,7 @@ sub add_a_provider( ) {
|
||||
unless ( $options eq '-' ) {
|
||||
for my $option ( split_list $options, 'option' ) {
|
||||
if ( $option eq 'track' ) {
|
||||
require_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
|
||||
$track = 1;
|
||||
} elsif ( $option eq 'notrack' ) {
|
||||
$track = 0;
|
||||
@ -351,6 +367,13 @@ sub add_a_provider( ) {
|
||||
|
||||
fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;
|
||||
|
||||
if ( $local ) {
|
||||
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
|
||||
fatal_error "'track' not valid with 'local'" if $track;
|
||||
fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-';
|
||||
fatal_error "MARK required with 'local'" unless $mark;
|
||||
}
|
||||
|
||||
my $val = 0;
|
||||
my $pref;
|
||||
|
||||
@ -358,6 +381,8 @@ sub add_a_provider( ) {
|
||||
|
||||
if ( $mark ne '-' ) {
|
||||
|
||||
require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
|
||||
|
||||
$val = numeric_value $mark;
|
||||
|
||||
fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
|
||||
@ -385,8 +410,18 @@ sub add_a_provider( ) {
|
||||
|
||||
$balance = $default_balance unless $balance;
|
||||
|
||||
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
|
||||
|
||||
if ( $duplicate ne '-' ) {
|
||||
fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
|
||||
} elsif ( $copy ne '-' ) {
|
||||
fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
|
||||
fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column';
|
||||
}
|
||||
|
||||
$providers{$table} = { provider => $table,
|
||||
number => $number ,
|
||||
rawmark => $mark ,
|
||||
mark => $val ? in_hex($val) : $val ,
|
||||
interface => $interface ,
|
||||
physical => $physical ,
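Review bot: The interface-uniqueness check moved into process_a_provider, `fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};`, tests the wrong key and, in its new position, can no longer fire at all. %provider_interfaces is keyed by interface (`$provider_interfaces{$interface} = $table;` in add_a_provider) and the message itself reads `$provider_interfaces{$interface}`, so a lookup by `$table` only matches when a provider name happens to equal an interface name; on top of that, add_a_provider now runs only after every provider record has been processed (`add_a_provider( $providers{$_}, $tcdevices ) for @providers;`), so the hash is still empty whenever this line executes. I would change the condition to `if $provider_interfaces{$interface}` and record the association right after it with `$provider_interfaces{$interface} = $table;`, removing the assignment from add_a_provider if it is still there. The removed original of this line sits in the next hunk (@ -410,9 +457,39) and carried the same key mismatch.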
|
||||
@ -394,7 +429,19 @@ sub add_a_provider( ) {
|
||||
gateway => $gateway ,
|
||||
gatewaycase => $gatewaycase ,
|
||||
shared => $shared ,
|
||||
default => $default };
|
||||
default => $default ,
|
||||
copy => $copy ,
|
||||
balance => $balance ,
|
||||
pref => $pref ,
|
||||
mtu => $mtu ,
|
||||
track => $track ,
|
||||
loose => $loose ,
|
||||
duplicate => $duplicate ,
|
||||
address => $address ,
|
||||
local => $local ,
|
||||
rules => [] ,
|
||||
routes => [] ,
|
||||
};
|
||||
|
||||
if ( $track ) {
|
||||
fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
|
||||
@ -410,9 +457,39 @@ sub add_a_provider( ) {
|
||||
push @routemarked_providers, $providers{$table};
|
||||
}
|
||||
|
||||
my $realm = '';
|
||||
push @providers, $table;
|
||||
|
||||
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
|
||||
}
|
||||
|
||||
#
|
||||
# Generate the start_provider_...() function for the passed provider
|
||||
#
|
||||
sub add_a_provider( $$ ) {
|
||||
|
||||
my ( $providerref, $tcdevices ) = @_;
|
||||
|
||||
my $table = $providerref->{provider};
|
||||
my $number = $providerref->{number};
|
||||
my $mark = $providerref->{rawmark};
|
||||
my $interface = $providerref->{interface};
|
||||
my $physical = $providerref->{physical};
|
||||
my $optional = $providerref->{optional};
|
||||
my $gateway = $providerref->{gateway};
|
||||
my $gatewaycase = $providerref->{gatewaycase};
|
||||
my $shared = $providerref->{shared};
|
||||
my $default = $providerref->{default};
|
||||
my $copy = $providerref->{copy};
|
||||
my $balance = $providerref->{balance};
|
||||
my $pref = $providerref->{pref};
|
||||
my $mtu = $providerref->{mtu};
|
||||
my $track = $providerref->{track};
|
||||
my $loose = $providerref->{loose};
|
||||
my $duplicate = $providerref->{duplicate};
|
||||
my $address = $providerref->{address};
|
||||
my $local = $providerref->{local};
|
||||
my $dev = chain_base $physical;
|
||||
my $base = uc $dev;
|
||||
my $realm = '';
|
||||
|
||||
if ( $shared ) {
|
||||
my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
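Review bot: The header comment `# Generate the start_provider_...() function for the passed provider` undersells what add_a_provider now emits: for optional providers it also writes `stop_provider_$table() {` further down, so I would make it `# Generate start_provider_<name>() -- and, for optional providers, stop_provider_<name>() -- for the passed provider`. Style: with `$providerref` already unpacked into locals, `my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );` could assign through `$providerref->{mac}` so the sub touches the global hash in one place only. `my $base = uc $dev;` has no use in the visible part of the sub (the matching `$base` was dropped from process_a_provider in this commit); the rest of add_a_provider lies outside this hunk, so confirm before removing it.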
|
||||
@ -426,7 +503,6 @@ sub add_a_provider( ) {
|
||||
} else {
|
||||
start_provider( $table, $number, "if interface_is_usable $physical; then" );
|
||||
}
|
||||
|
||||
$provider_interfaces{$interface} = $table;
|
||||
|
||||
if ( $gatewaycase eq 'none' ) {
|
||||
@ -437,6 +513,11 @@ sub add_a_provider( ) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# /proc for this interface
|
||||
#
|
||||
setup_interface_proc( $interface );
|
||||
|
||||
if ( $mark ne '-' ) {
|
||||
my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
|
||||
@ -444,12 +525,11 @@ sub add_a_provider( ) {
|
||||
emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
|
||||
|
||||
emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
|
||||
"echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
|
||||
"echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
|
||||
);
|
||||
}
|
||||
|
||||
if ( $duplicate ne '-' ) {
|
||||
fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
|
||||
if ( $copy eq '-' ) {
|
||||
copy_table ( $duplicate, $number, $realm );
|
||||
} else {
|
||||
@ -461,9 +541,6 @@ sub add_a_provider( ) {
|
||||
|
||||
copy_and_edit_table( $duplicate, $number ,$copy , $realm);
|
||||
}
|
||||
} elsif ( $copy ne '-' ) {
|
||||
fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
|
||||
fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column';
|
||||
}
|
||||
|
||||
if ( $gateway ) {
|
||||
@ -479,12 +556,12 @@ sub add_a_provider( ) {
|
||||
}
|
||||
|
||||
emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
|
||||
}
|
||||
}
|
||||
|
||||
balance_default_route $balance , $gateway, $physical, $realm if $balance;
|
||||
balance_default_route( $balance , $gateway, $physical, $realm ) if $balance;
|
||||
|
||||
if ( $default > 0 ) {
|
||||
balance_fallback_route $default , $gateway, $physical, $realm;
|
||||
balance_fallback_route( $default , $gateway, $physical, $realm );
|
||||
} elsif ( $default ) {
|
||||
emit '';
|
||||
if ( $gateway ) {
|
||||
@ -494,90 +571,163 @@ sub add_a_provider( ) {
|
||||
emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
|
||||
emit qq(run_ip route add default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
|
||||
}
|
||||
emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
|
||||
emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
|
||||
} else {
|
||||
emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
|
||||
emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
|
||||
emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
|
||||
}
|
||||
}
|
||||
|
||||
if ( $local ) {
|
||||
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
|
||||
fatal_error "'track' not valid with 'local'" if $track;
|
||||
fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-';
|
||||
fatal_error "MARK required with 'local'" unless $mark;
|
||||
} elsif ( $loose ) {
|
||||
if ( $config{DELETE_THEN_ADD} ) {
|
||||
emit ( "\nfind_interface_addresses $physical | while read address; do",
|
||||
" qt \$IP -$family rule del from \$address",
|
||||
'done'
|
||||
);
|
||||
unless ( $local ) {
|
||||
if ( $loose ) {
|
||||
if ( $config{DELETE_THEN_ADD} ) {
|
||||
emit ( "\nfind_interface_addresses $physical | while read address; do",
|
||||
" qt \$IP -$family rule del from \$address",
|
||||
'done'
|
||||
);
|
||||
}
|
||||
} elsif ( $shared ) {
|
||||
emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
|
||||
emit( "run_ip rule add from $address pref 20000 table $number" ,
|
||||
"echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_${table}_routing" );
|
||||
} else {
|
||||
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
|
||||
|
||||
emit "\nrulenum=$rulebase\n";
|
||||
|
||||
emit ( "find_interface_addresses $physical | while read address; do" );
|
||||
emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
|
||||
emit ( " run_ip rule add from \$address pref \$rulenum table $number",
|
||||
" echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_${table}_routing",
|
||||
' rulenum=$(($rulenum + 1))',
|
||||
'done'
|
||||
);
|
||||
}
|
||||
} elsif ( $shared ) {
|
||||
emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
|
||||
emit( "run_ip rule add from $address pref 20000 table $number" ,
|
||||
"echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_routing" );
|
||||
}
|
||||
|
||||
if ( @{$providerref->{rules}} ) {
|
||||
emit '';
|
||||
emit $_ for @{$providers{$table}->{rules}};
|
||||
}
|
||||
|
||||
if ( @{$providerref->{routes}} ) {
|
||||
emit '';
|
||||
emit $_ for @{$providers{$table}->{routes}};
|
||||
}
|
||||
|
||||
emit( '' );
|
||||
|
||||
my ( $tbl, $weight );
|
||||
|
||||
if ( $optional ) {
|
||||
emit( 'if [ $COMMAND = enable ]; then' );
|
||||
|
||||
push_indent;
|
||||
|
||||
if ( $balance || $default ) {
|
||||
$tbl = $default || $config{USE_DEFAULT_RT} ? DEFAULT_TABLE : MAIN_TABLE;
|
||||
$weight = $balance ? $balance : $default;
|
||||
|
||||
if ( $gateway ) {
|
||||
emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
|
||||
} else {
|
||||
emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
|
||||
}
|
||||
|
||||
} else {
|
||||
$weight = 1;
|
||||
}
|
||||
|
||||
emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
|
||||
|
||||
emit ( qq(progress_message2 " Provider $table ($number) Started") );
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit( 'else' ,
|
||||
qq( echo $weight > \${VARDIR}/${physical}_weight) ,
|
||||
qq( progress_message " Provider $table ($number) Started"),
|
||||
qq(fi\n)
|
||||
);
|
||||
} else {
|
||||
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
|
||||
|
||||
emit "\nrulenum=0\n";
|
||||
|
||||
emit ( "find_interface_addresses $physical | while read address; do" );
|
||||
emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
|
||||
emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
|
||||
" echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
|
||||
' rulenum=$(($rulenum + 1))',
|
||||
'done'
|
||||
);
|
||||
emit( qq(progress_message "Provider $table ($number) Started") );
|
||||
}
|
||||
|
||||
emit qq(\nprogress_message " Provider $table ($number) Added"\n);
|
||||
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit 'else';
|
||||
|
||||
push_indent;
|
||||
|
||||
if ( $optional ) {
|
||||
if ( $shared ) {
|
||||
emit ( " error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
|
||||
emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );
|
||||
} else {
|
||||
emit ( " error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Added\"" );
|
||||
emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
|
||||
}
|
||||
} else {
|
||||
if ( $shared ) {
|
||||
emit( " fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" );
|
||||
emit( "fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Started\"" );
|
||||
} else {
|
||||
emit( " fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Added\"" );
|
||||
emit( "fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Started\"" );
|
||||
}
|
||||
}
|
||||
|
||||
emit "fi\n";
|
||||
pop_indent;
|
||||
|
||||
push @providers, $table;
|
||||
emit 'fi';
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit '}'; # End of start_provider_$table();
|
||||
|
||||
if ( $optional ) {
|
||||
emit( '',
|
||||
'#',
|
||||
"# Stop provider $table",
|
||||
'#',
|
||||
"stop_provider_$table() {" );
|
||||
|
||||
push_indent;
|
||||
|
||||
my $undo = "\${VARDIR}/undo_${table}_routing";
|
||||
|
||||
emit( "if [ -f $undo ]; then",
|
||||
" . $undo",
|
||||
" > $undo" );
|
||||
|
||||
if ( $balance || $default ) {
|
||||
$tbl = $fallback || ( $config{USE_DEFAULT_RT} ? DEFAULT_TABLE : MAIN_TABLE );
|
||||
$weight = $balance ? $balance : $default;
|
||||
|
||||
my $via = 'via';
|
||||
|
||||
$via .= " $gateway" if $gateway;
|
||||
$via .= " dev $physical";
|
||||
$via .= " weight $weight";
|
||||
$via .= " $realm" if $realm;
|
||||
|
||||
emit( qq( delete_gateway "$via" $tbl $physical) );
|
||||
}
|
||||
|
||||
emit( '',
|
||||
" qt \$TC qdisc del dev $physical root",
|
||||
" qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
|
||||
|
||||
emit( " progress_message2 \"Provider $table stopped\"",
|
||||
'else',
|
||||
" startup_error \"$undo does not exist\"",
|
||||
'fi'
|
||||
);
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit '}';
|
||||
}
|
||||
|
||||
progress_message " Provider \"$currentline\" $done";
|
||||
}
|
||||
|
||||
#
|
||||
# Begin an 'if' statement testing whether the passed interface is available
|
||||
#
|
||||
sub start_new_if( $ ) {
|
||||
our $current_if = shift;
|
||||
|
||||
emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) );
|
||||
push_indent;
|
||||
}
|
||||
|
||||
#
|
||||
# Complete any current 'if' statement in the output script
|
||||
#
|
||||
sub finish_current_if() {
|
||||
if ( our $current_if ) {
|
||||
pop_indent;
|
||||
emit ( "fi\n" );
|
||||
$current_if = '';
|
||||
}
|
||||
}
|
||||
|
||||
sub add_an_rtrule( ) {
|
||||
my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
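Review bot: start_provider_X and stop_provider_X disagree on which table the balance/fallback gateway lives in: the enable path computes `$tbl = $default || $config{USE_DEFAULT_RT} ? DEFAULT_TABLE : MAIN_TABLE;` (by precedence `($default || USE_DEFAULT_RT) ? ... : ...`), while the stop path computes `$tbl = $fallback || ( $config{USE_DEFAULT_RT} ? DEFAULT_TABLE : MAIN_TABLE );` with a `$fallback` that is not among add_a_provider's locals, so `delete_gateway` can be handed a different table than `add_gateway` was -- and under `use strict` `$fallback` would not compile unless it is declared elsewhere. Use one expression in both places, e.g. `$tbl = ( $default || $config{USE_DEFAULT_RT} ) ? DEFAULT_TABLE : MAIN_TABLE;`. Separately, `progress_message " Provider \"$currentline\" $done";` at the end of add_a_provider now runs after the route_rules and routes files have been read (add_a_provider is called from process_providers once every file is processed), so `$currentline` is no longer the provider record; `progress_message " Provider $table ($number) $done";` reports what was actually generated. Minor: the rules/routes loops test `@{$providerref->{rules}}` but iterate `@{$providers{$table}->{rules}}`; they are the same entry, so one spelling would do. add_a_provider begins in an earlier hunk and is split across several here.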
|
||||
|
||||
@ -601,6 +751,11 @@ sub add_an_rtrule( ) {
|
||||
fatal_error "Unknown provider ($provider)" unless $found;
|
||||
}
|
||||
|
||||
my $providerref = $providers{$provider};
|
||||
|
||||
my $number = $providerref->{number};
|
||||
|
||||
fatal_error "You may not add rules for the $provider provider" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
|
||||
fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
|
||||
|
||||
if ( $dest eq '-' ) {
|
||||
@ -641,20 +796,9 @@ sub add_an_rtrule( ) {
|
||||
|
||||
$priority = "priority $priority";
|
||||
|
||||
finish_current_if, emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
|
||||
|
||||
my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
|
||||
|
||||
if ( $optional ) {
|
||||
my $base = uc chain_base( $providers{$provider}{physical} );
|
||||
finish_current_if if $base ne $current_if;
|
||||
start_new_if( $base ) unless $current_if;
|
||||
} else {
|
||||
finish_current_if;
|
||||
}
|
||||
|
||||
emit ( "run_ip rule add $source $dest $priority table $number",
|
||||
"echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
|
||||
push @{$providerref->{rules}}, "qt \$IP -$family rule del $source $dest $priority" if $config{DELETE_THEN_ADD};
|
||||
push @{$providerref->{rules}}, "run_ip rule add $source $dest $priority table $number";
|
||||
push @{$providerref->{rules}}, "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_${provider}_routing";
|
||||
|
||||
progress_message " Routing rule \"$currentline\" $done";
|
||||
}
|
||||
@ -673,7 +817,6 @@ sub add_a_route( ) {
|
||||
for ( keys %providers ) {
|
||||
if ( $providers{$_}{number} == $provider_number ) {
|
||||
$provider = $_;
|
||||
fatal_error "You may not add routes to the $provider table" if $provider_number == LOCAL_TABLE || $provider_number == UNSPEC_TABLE;
|
||||
$found = 1;
|
||||
last;
|
||||
}
|
||||
@ -687,30 +830,25 @@ sub add_a_route( ) {
|
||||
|
||||
validate_address ( $gateway, 1 ) if $gateway ne '-';
|
||||
|
||||
my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
|
||||
|
||||
my $providerref = $providers{$provider};
|
||||
my $number = $providerref->{number};
|
||||
my $physical = $device eq '-' ? $providers{$provider}{physical} : physical_name( $device );
|
||||
|
||||
if ( $providers{$provider}{optional} ) {
|
||||
my $base = uc chain_base( $physical );
|
||||
finish_current_if if $base ne $current_if;
|
||||
start_new_if ( $base ) unless $current_if;
|
||||
} else {
|
||||
finish_current_if;
|
||||
}
|
||||
my $routes = $providerref->{routes};
|
||||
|
||||
fatal_error "You may not add routes to the $provider table" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
|
||||
|
||||
if ( $gateway ne '-' ) {
|
||||
if ( $device ne '-' ) {
|
||||
emit qq(run_ip route add $dest via $gateway dev $physical table $number);
|
||||
emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE;
|
||||
push @$routes, qq(run_ip route add $dest via $gateway dev $physical table $number);
|
||||
emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
|
||||
} else {
|
||||
emit qq(run_ip route add $dest via $gateway table $number);
|
||||
emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE;
|
||||
push @$routes, qq(run_ip route add $dest via $gateway table $number);
|
||||
emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
|
||||
}
|
||||
} else {
|
||||
fatal_error "You must specify a device for this route" unless $physical;
|
||||
emit qq(run_ip route add $dest dev $physical table $number);
|
||||
emit qq(echo "\$IP -$family route del $dest dev $physical table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE;
|
||||
push @$routes, qq(run_ip route add $dest dev $physical table $number);
|
||||
emit qq(echo "\$IP -$family route del $dest dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
|
||||
}
|
||||
|
||||
progress_message " Route \"$currentline\" $done";
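Review bot: Only half of each route was deferred in add_a_route: the `run_ip route add ...` commands are now pushed onto `@$routes` and emitted inside the provider's start function, but the three `emit qq(echo "... route del ..." >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;` lines are still emitted immediately, at whatever point in the generated script the compiler has reached when the routes file is read, detached from the `run_ip route add` they are meant to undo. If that point precedes the `> \${VARDIR}/undo_${table}_routing` truncation done when the provider starts, the undo entry is lost; if the route is never added (an optional provider that is not enabled), a deletion is recorded anyway. Each of the three should be `push @$routes, qq(echo "... route del ... table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;` so add and undo travel together. Style: the two gateway-less undo strings run `\$IP ... route del` without the `qt` wrapper the first branch uses; the three should match.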
|
||||
@ -718,17 +856,16 @@ sub add_a_route( ) {
|
||||
|
||||
sub setup_null_routing() {
|
||||
save_progress_message "Null Routing the RFC 1918 subnets";
|
||||
emit "> \${VARDIR}undo_rfc1918_routing\n";
|
||||
for ( rfc1918_networks ) {
|
||||
emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
|
||||
qq( run_ip route replace unreachable $_),
|
||||
qq( echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_routing),
|
||||
qq( echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_rfc1918_routing),
|
||||
qq(fi\n) );
|
||||
}
|
||||
}
|
||||
|
||||
sub start_providers() {
|
||||
require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' );
|
||||
|
||||
emit ( '#',
|
||||
'# Undo any changes made since the last time that we [re]started -- this will not restore the default route',
|
||||
'#',
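Review bot: The new truncation in setup_null_routing, `emit "> \${VARDIR}undo_rfc1918_routing\n";`, is missing the `/` after `${VARDIR}`, while the per-network lines append to `\${VARDIR}/undo_rfc1918_routing`. The generated script therefore creates an empty file whose name is the VARDIR path with `undo_rfc1918_routing` glued onto it, and the real undo file is never reset, so `route del unreachable` entries accumulate across restarts. Change it to `emit "> \${VARDIR}/undo_rfc1918_routing\n";`.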
|
||||
@ -746,17 +883,22 @@ sub start_providers() {
|
||||
emit ( '#',
|
||||
'# Capture the default route(s) if we don\'t have it (them) already.',
|
||||
'#',
|
||||
"[ -f \${VARDIR}/default_route ] || \$IP -$family route list | save_default_route > \${VARDIR}/default_route",
|
||||
'#',
|
||||
'# Initialize the file that holds \'undo\' commands',
|
||||
'#',
|
||||
'> ${VARDIR}/undo_routing' );
|
||||
"[ -f \${VARDIR}/default_route ] || \$IP -$family route list | save_default_route > \${VARDIR}/default_route" );
|
||||
|
||||
save_progress_message 'Adding Providers...';
|
||||
|
||||
emit 'DEFAULT_ROUTE=';
|
||||
emit 'FALLBACK_ROUTE=';
|
||||
emit '';
|
||||
|
||||
for my $provider ( qw/main default/ ) {
|
||||
emit '';
|
||||
emit qq(> \${VARDIR}/undo_${provider}_routing );
|
||||
emit '';
|
||||
emit $_ for @{$providers{$provider}{routes}};
|
||||
emit '';
|
||||
emit $_ for @{$providers{$provider}{rules}};
|
||||
}
|
||||
}
|
||||
|
||||
sub finish_providers() {
|
||||
@ -766,8 +908,8 @@ sub finish_providers() {
|
||||
if ( $config{USE_DEFAULT_RT} ) {
|
||||
emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999',
|
||||
"\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
|
||||
qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
|
||||
qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
|
||||
qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_main_routing',
|
||||
qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_main_routing',
|
||||
'' );
|
||||
$table = DEFAULT_TABLE;
|
||||
}
|
||||
@ -844,58 +986,136 @@ sub finish_providers() {
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_providers() {
|
||||
my $providers = 0;
|
||||
sub process_providers( $ ) {
|
||||
my $tcdevices = shift;
|
||||
|
||||
our $providers = 0;
|
||||
|
||||
$lastmark = 0;
|
||||
|
||||
if ( my $fn = open_file 'providers' ) {
|
||||
|
||||
first_entry sub() {
|
||||
progress_message2 "$doing $fn...";
|
||||
emit "\nif [ -z \"\$g_noroutes\" ]; then";
|
||||
push_indent;
|
||||
start_providers; };
|
||||
|
||||
add_a_provider, $providers++ while read_a_line;
|
||||
first_entry "$doing $fn...";
|
||||
process_a_provider, $providers++ while read_a_line;
|
||||
}
|
||||
|
||||
if ( $providers ) {
|
||||
finish_providers;
|
||||
|
||||
my $fn = open_file 'routes';
|
||||
my $fn = open_file 'route_rules';
|
||||
|
||||
if ( $fn ) {
|
||||
our $current_if = '';
|
||||
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
emit '';
|
||||
|
||||
add_a_route while read_a_line;
|
||||
|
||||
finish_current_if;
|
||||
}
|
||||
|
||||
$fn = open_file 'route_rules';
|
||||
|
||||
if ( $fn ) {
|
||||
our $current_if = '';
|
||||
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
|
||||
emit '';
|
||||
|
||||
add_an_rtrule while read_a_line;
|
||||
|
||||
finish_current_if;
|
||||
}
|
||||
|
||||
$fn = open_file 'routes';
|
||||
|
||||
if ( $fn ) {
|
||||
first_entry "$doing $fn...";
|
||||
emit '';
|
||||
add_a_route while read_a_line;
|
||||
}
|
||||
}
|
||||
|
||||
add_a_provider( $providers{$_}, $tcdevices ) for @providers;
|
||||
|
||||
emit << 'EOF';;
|
||||
|
||||
#
|
||||
# Enable an optional provider
|
||||
#
|
||||
enable_provider() {
|
||||
g_interface=$1;
|
||||
|
||||
case $g_interface in
|
||||
EOF
|
||||
|
||||
push_indent;
|
||||
push_indent;
|
||||
|
||||
for my $provider (@providers ) {
|
||||
my $providerref = $providers{$provider};
|
||||
|
||||
emit( "$providerref->{physical})",
|
||||
" if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
|
||||
" start_provider_$provider",
|
||||
' else',
|
||||
' startup_error "Interface $g_interface is already enabled"',
|
||||
' fi',
|
||||
' ;;'
|
||||
) if $providerref->{optional};
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
pop_indent;
|
||||
|
||||
emit << 'EOF';;
|
||||
*)
|
||||
startup_error "$g_interface is not an optional provider interface"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
# Disable an optional provider
|
||||
#
|
||||
disable_provider() {
|
||||
g_interface=$1;
|
||||
|
||||
case $g_interface in
|
||||
EOF
|
||||
|
||||
push_indent;
|
||||
push_indent;
|
||||
|
||||
for my $provider (@providers ) {
|
||||
my $providerref = $providers{$provider};
|
||||
|
||||
emit( "$providerref->{physical})",
|
||||
" if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
|
||||
" stop_provider_$provider",
|
||||
' else',
|
||||
' startup_error "Interface $g_interface is already disabled"',
|
||||
' fi',
|
||||
' ;;'
|
||||
) if $providerref->{optional};
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
pop_indent;
|
||||
|
||||
emit << 'EOF';;
|
||||
*)
|
||||
startup_error "$g_interface is not an optional provider interface"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
EOF
|
||||
|
||||
}
|
||||
|
||||
sub setup_providers() {
|
||||
our $providers;
|
||||
|
||||
if ( $providers ) {
|
||||
emit "\nif [ -z \"\$g_noroutes\" ]; then";
|
||||
|
||||
push_indent;
|
||||
|
||||
start_providers;
|
||||
|
||||
emit '';
|
||||
|
||||
emit "start_provider_$_" for @providers;
|
||||
|
||||
emit '';
|
||||
|
||||
finish_providers;
|
||||
|
||||
setup_null_routing if $config{NULL_ROUTE_RFC1918};
|
||||
emit "\nrun_ip route flush cache";
|
||||
#
|
||||
# This completes the if-block begun in the first_entry closure above
|
||||
#
|
||||
|
||||
pop_indent;
|
||||
emit "fi\n";
|
||||
|
||||
@ -909,10 +1129,6 @@ sub setup_providers() {
|
||||
emit "restore_default_route $config{USE_DEFAULT_RT}";
|
||||
|
||||
if ( $config{NULL_ROUTE_RFC1918} ) {
|
||||
emit ( '#',
|
||||
'# Initialize the file that holds \'undo\' commands',
|
||||
'#',
|
||||
'> ${VARDIR}/undo_routing' );
|
||||
setup_null_routing;
|
||||
emit "\nrun_ip route flush cache";
|
||||
}
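Review bot: The comment `# This completes the if-block begun in the first_entry closure above` in setup_providers is now stale: the first_entry closure that opened `if [ -z "$g_noroutes" ]; then` was removed from process_providers, and the `if` is emitted directly at the top of setup_providers. Reword it to `# This completes the 'if [ -z "$g_noroutes" ]' block emitted at the top of this sub`. Style: `our $providers = 0;` in process_providers and `our $providers;` in setup_providers use a package global as the channel between the two subs, and the name reads like the `%providers` hash used on the same lines; a file-scoped `my $provider_count` declared next to `%providers` would be clearer. The three `emit << 'EOF';;` statements carry a stray second semicolon. If the `our $current_if = '';` and `finish_current_if;` lines in this hunk are the removed side, start_new_if and finish_current_if have no remaining callers in the visible parts of this file -- worth checking before they are left behind.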
|
||||
|
@ -130,7 +130,8 @@ sub initialize( $ ) {
|
||||
#
|
||||
# These are set to 1 as sections are encountered.
|
||||
#
|
||||
%sections = ( ESTABLISHED => 0,
|
||||
%sections = ( ALL => 0,
|
||||
ESTABLISHED => 0,
|
||||
RELATED => 0,
|
||||
NEW => 0
|
||||
);
|
||||
@ -533,7 +534,7 @@ sub policy_rules( $$$$$ ) {
|
||||
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
|
||||
fatal_error "Null target in policy_rules()" unless $target;
|
||||
|
||||
add_ijump( $chainref , j => 'AUDIT --type ' . lc $target ) if $chainref->{audit};
|
||||
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
|
||||
add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
|
||||
}
|
||||
}
|
||||
@ -1940,7 +1941,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
|
||||
unless ( $section eq 'NEW' || $inaction ) {
|
||||
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
||||
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
|
||||
$rule .= "$globals{STATEMATCH} $section "
|
||||
$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL';
|
||||
}
|
||||
|
||||
#
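Review bot: The new `unless $section eq 'ALL'` silently changes what a rule matches -- an ALL-section rule carries no `$globals{STATEMATCH}` and therefore also hits ESTABLISHED and RELATED packets, which a NEW-section rule in the same file never does -- and nothing in the code records that. A comment on that line, `# ALL-section rules carry no state match: they apply to new, established and related packets alike`, would make the intent explicit, and the rules-file headers in the sample configurations (which now list `#SECTION ALL`) should say the same. Whether the surrounding `unless ( $section eq 'NEW' || $inaction )` block should keep rejecting ALL-section entries under FASTACCEPT=Yes, as it now does, deserves a one-line comment as well.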
|
||||
@ -2230,11 +2231,13 @@ sub process_section ($) {
|
||||
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
|
||||
$sections{$sect} = 1;
|
||||
|
||||
if ( $sect eq 'RELATED' ) {
|
||||
$sections{ESTABLISHED} = 1;
|
||||
if ( $sect eq 'ESTABLISHED' ) {
|
||||
$sections{ALL} = 1;
|
||||
} elsif ( $sect eq 'RELATED' ) {
|
||||
@sections{'ALL','ESTABLISHED'} = ( 1, 1);
|
||||
finish_section 'ESTABLISHED';
|
||||
} elsif ( $sect eq 'NEW' ) {
|
||||
@sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
|
||||
@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
|
||||
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
|
||||
}
|
||||
|
||||
|
@ -38,7 +38,7 @@ use Shorewall::Providers;
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_tc );
|
||||
our @EXPORT = qw( process_tc setup_tc );
|
||||
our @EXPORT_OK = qw( process_tc_rule initialize );
|
||||
our $VERSION = 'MODULEVERSION';
|
||||
|
||||
@ -151,8 +151,8 @@ my $ipp2p;
|
||||
# leaf => 0|1
|
||||
# guarantee => <sum of rates of sub-classes>
|
||||
# options => { tos => [ <value1> , <value2> , ... ];
|
||||
# tcp_ack => 1 ,
|
||||
# ...
|
||||
# tcp_ack => 1 ,
|
||||
# filters => [ filter list ]
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
@ -504,6 +504,8 @@ sub process_simple_device() {
|
||||
my $physical = physical_name $device;
|
||||
my $dev = chain_base( $physical );
|
||||
|
||||
push @tcdevices, $device;
|
||||
|
||||
if ( $type ne '-' ) {
|
||||
if ( lc $type eq 'external' ) {
|
||||
$type = 'nfct-src';
|
||||
@ -530,6 +532,15 @@ sub process_simple_device() {
|
||||
$in_bandwidth = rate_to_kbit( $in_bandwidth );
|
||||
}
|
||||
|
||||
emit( '',
|
||||
'#',
|
||||
"# Setup Simple Traffic Shaping for $physical",
|
||||
'#',
|
||||
"setup_${dev}_tc() {"
|
||||
);
|
||||
|
||||
push_indent;
|
||||
|
||||
emit "if interface_is_up $physical; then";
|
||||
|
||||
push_indent;
|
||||
@ -607,7 +618,9 @@ sub process_simple_device() {
|
||||
emit qq(error_message "WARNING: Device $physical is not in the UP state -- traffic-shaping configuration skipped");
|
||||
emit "${dev}_exists=";
|
||||
pop_indent;
|
||||
emit "fi\n";
|
||||
emit 'fi';
|
||||
pop_indent;
|
||||
emit "}\n";
|
||||
|
||||
progress_message " Simple tcdevice \"$currentline\" $done.";
|
||||
}
|
||||
@ -711,7 +724,8 @@ sub validate_tc_device( ) {
|
||||
qdisc => $qdisc,
|
||||
guarantee => 0,
|
||||
name => $device,
|
||||
physical => physical_name $device
|
||||
physical => physical_name $device,
|
||||
filters => []
|
||||
} ,
|
||||
|
||||
push @tcdevices, $device;
|
||||
@ -1018,6 +1032,8 @@ sub process_tc_filter() {
|
||||
|
||||
my $tcref = $tcclasses{$device};
|
||||
|
||||
my $filtersref = $devref->{filters};
|
||||
|
||||
fatal_error "No Classes were defined for INTERFACE $device" unless $tcref;
|
||||
|
||||
my $classnum = hex_value $class;
|
||||
@ -1036,17 +1052,6 @@ sub process_tc_filter() {
|
||||
|
||||
my $have_rule = 0;
|
||||
|
||||
if ( $devref->{physical} ne $lastdevice ) {
|
||||
if ( $lastdevice ) {
|
||||
pop_indent;
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
$lastdevice = $devref->{physical};
|
||||
emit "if interface_is_up $lastdevice; then";
|
||||
push_indent;
|
||||
}
|
||||
|
||||
my $rule = "filter add dev $devref->{physical} protocol $ip parent $devnum:0 prio $prio u32";
|
||||
|
||||
if ( $source ne '-' ) {
|
||||
@ -1101,9 +1106,9 @@ sub process_tc_filter() {
|
||||
|
||||
if ( $portlist eq '-' && $sportlist eq '-' ) {
|
||||
if ( $have_rule ) {
|
||||
emit( "\nrun_tc $rule\\" ,
|
||||
" flowid $devnum:$class" ,
|
||||
'' );
|
||||
push @$filtersref , ( "\nrun_tc $rule\\" ,
|
||||
" flowid $devnum:$class" ,
|
||||
'' );
|
||||
} else {
|
||||
warning_message "Degenerate tcfilter ignored";
|
||||
}
|
||||
@ -1129,17 +1134,17 @@ sub process_tc_filter() {
|
||||
$lasttnum = $tnum;
|
||||
$lastrule = $rule;
|
||||
|
||||
emit( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol $ip prio $prio handle $tnum: u32 divisor 1" );
|
||||
push @$filtersref, ( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol $ip prio $prio handle $tnum: u32 divisor 1" );
|
||||
}
|
||||
#
|
||||
# And link to it using the current contents of $rule
|
||||
#
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit( "\nrun_tc $rule\\" ,
|
||||
" link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" );
|
||||
push @$filtersref, ( "\nrun_tc $rule\\" ,
|
||||
" link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" );
|
||||
} else {
|
||||
emit( "\nrun_tc $rule\\" ,
|
||||
" link $tnum:0 offset plus 40 eat" );
|
||||
push @$filtersref, ( "\nrun_tc $rule\\" ,
|
||||
" link $tnum:0 offset plus 40 eat" );
|
||||
}
|
||||
#
|
||||
# The rule to match the port(s) will be inserted into the new table
|
||||
@ -1165,9 +1170,9 @@ sub process_tc_filter() {
|
||||
$rule1 = "match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0" ,
|
||||
}
|
||||
|
||||
emit( "\nrun_tc $rule\\" ,
|
||||
" $rule1\\" ,
|
||||
" flowid $devnum:$class" );
|
||||
push @$filtersref, ( "\nrun_tc $rule\\" ,
|
||||
" $rule1\\" ,
|
||||
" flowid $devnum:$class" );
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@ -1183,9 +1188,9 @@ sub process_tc_filter() {
|
||||
|
||||
my $rule1 = " match icmp type $icmptype 0xff";
|
||||
$rule1 .= "\\\n match icmp code $icmpcode 0xff" if defined $icmpcode;
|
||||
emit( "\nrun_tc ${rule}\\" ,
|
||||
"$rule1\\" ,
|
||||
" flowid $devnum:$class" );
|
||||
push @$filtersref, ( "\nrun_tc ${rule}\\" ,
|
||||
"$rule1\\" ,
|
||||
" flowid $devnum:$class" );
|
||||
} elsif ( $protonumber == IPv6_ICMP ) {
|
||||
fatal_error "IPv6 ICMP not allowed with IPv4" unless $family == F_IPV4;
|
||||
fatal_error "SOURCE PORT(S) are not allowed with IPv6 ICMP" if $sportlist ne '-';
|
||||
@ -1194,9 +1199,9 @@ sub process_tc_filter() {
|
||||
|
||||
my $rule1 = " match icmp6 type $icmptype 0xff";
|
||||
$rule1 .= "\\\n match icmp6 code $icmpcode 0xff" if defined $icmpcode;
|
||||
emit( "\nrun_tc ${rule}\\" ,
|
||||
"$rule1\\" ,
|
||||
" flowid $devnum:$class" );
|
||||
push @$filtersref, ( "\nrun_tc ${rule}\\" ,
|
||||
"$rule1\\" ,
|
||||
" flowid $devnum:$class" );
|
||||
} else {
|
||||
my @portlist = expand_port_range $protonumber , $portrange;
|
||||
|
||||
@ -1214,9 +1219,9 @@ sub process_tc_filter() {
|
||||
}
|
||||
|
||||
if ( $sportlist eq '-' ) {
|
||||
emit( "\nrun_tc ${rule}\\" ,
|
||||
" $rule1\\" ,
|
||||
" flowid $devnum:$class" );
|
||||
push @$filtersref, ( "\nrun_tc ${rule}\\" ,
|
||||
" $rule1\\" ,
|
||||
" flowid $devnum:$class" );
|
||||
} else {
|
||||
for my $sportrange ( split_list $sportlist , 'port list' ) {
|
||||
my @sportlist = expand_port_range $protonumber , $sportrange;
|
||||
@ -1234,10 +1239,10 @@ sub process_tc_filter() {
|
||||
$rule2 = "match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0" ,
|
||||
}
|
||||
|
||||
emit( "\nrun_tc ${rule}\\",
|
||||
" $rule1\\" ,
|
||||
" $rule2\\" ,
|
||||
" flowid $devnum:$class" );
|
||||
push @$filtersref, ( "\nrun_tc ${rule}\\",
|
||||
" $rule1\\" ,
|
||||
" $rule2\\" ,
|
||||
" flowid $devnum:$class" );
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1254,30 +1259,27 @@ sub process_tc_filter() {
|
||||
progress_message " IPv4 TC Filter \"$currentline\" $done";
|
||||
|
||||
$currentline =~ s/\s+/ /g;
|
||||
|
||||
save_progress_message_short qq(' IPv4 TC Filter \"$currentline\" defined.');
|
||||
} else {
|
||||
progress_message " IPv6 TC Filter \"$currentline\" $done";
|
||||
|
||||
$currentline =~ s/\s+/ /g;
|
||||
|
||||
save_progress_message_short qq(' IPv6 TC Filter \"$currentline\" defined.');
|
||||
}
|
||||
|
||||
emit '';
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Process the tcfilter file storing the compiled filters in the %tcdevices table
|
||||
#
|
||||
sub process_tcfilters() {
|
||||
|
||||
my $fn = open_file 'tcfilters';
|
||||
|
||||
our $lastdevice = '';
|
||||
|
||||
if ( $fn ) {
|
||||
my @family = ( $family );
|
||||
|
||||
first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message q("Adding TC Filters"); } );
|
||||
first_entry( "$doing $fn..." );
|
||||
|
||||
while ( read_a_line ) {
|
||||
if ( $currentline =~ /^\s*IPV4\s*$/ ) {
|
||||
@ -1301,15 +1303,12 @@ sub process_tcfilters() {
|
||||
}
|
||||
|
||||
Shorewall::IPAddrs::initialize( $family = pop @family );
|
||||
|
||||
if ( $lastdevice ) {
|
||||
pop_indent;
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Process a tcpri record
|
||||
#
|
||||
sub process_tc_priority() {
|
||||
my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';
|
||||
|
||||
@ -1371,27 +1370,31 @@ sub process_tc_priority() {
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_simple_traffic_shaping() {
|
||||
my $interfaces;
|
||||
|
||||
save_progress_message q("Setting up Traffic Control...");
|
||||
#
|
||||
# Process tcinterfaces
|
||||
#
|
||||
sub process_tcinterfaces() {
|
||||
|
||||
my $fn = open_file 'tcinterfaces';
|
||||
|
||||
if ( $fn ) {
|
||||
first_entry "$doing $fn...";
|
||||
process_simple_device, $interfaces++ while read_a_line;
|
||||
} else {
|
||||
$fn = find_file 'tcinterfaces';
|
||||
process_simple_device while read_a_line;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Process tcpri
|
||||
#
|
||||
sub process_tcpri() {
|
||||
my $fn = find_file 'tcinterfaces';
|
||||
my $fn1 = open_file 'tcpri';
|
||||
|
||||
if ( $fn1 ) {
|
||||
first_entry
|
||||
sub {
|
||||
progress_message2 "$doing $fn1...";
|
||||
warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces || $family == F_IPV6;
|
||||
warning_message "There are entries in $fn1 but $fn was empty" unless @tcdevices || $family == F_IPV6;
|
||||
};
|
||||
|
||||
process_tc_priority while read_a_line;
|
||||
@ -1413,10 +1416,12 @@ sub setup_simple_traffic_shaping() {
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_traffic_shaping() {
|
||||
our $lastrule = '';
|
||||
#
|
||||
# Process the compilex traffic shaping files storing the configuration in %tcdevices and %tcclasses
|
||||
#
|
||||
sub process_traffic_shaping() {
|
||||
|
||||
save_progress_message q("Setting up Traffic Control...");
|
||||
our $lastrule = '';
|
||||
|
||||
my $fn = open_file 'tcdevices';
|
||||
|
||||
@ -1426,9 +1431,6 @@ sub setup_traffic_shaping() {
|
||||
validate_tc_device while read_a_line;
|
||||
}
|
||||
|
||||
my $sfq = 0;
|
||||
my $sfqinhex;
|
||||
|
||||
$devnum = $devnum > 10 ? 10 : 1;
|
||||
|
||||
$fn = open_file 'tcclasses';
|
||||
@ -1439,6 +1441,11 @@ sub setup_traffic_shaping() {
|
||||
validate_tc_class while read_a_line;
|
||||
}
|
||||
|
||||
process_tcfilters;
|
||||
|
||||
my $sfq = 0;
|
||||
my $sfqinhex;
|
||||
|
||||
for my $device ( @tcdevices ) {
|
||||
my $devref = $tcdevices{$device};
|
||||
my $defmark = in_hexp ( $devref->{default} || 0 );
|
||||
@ -1449,10 +1456,18 @@ sub setup_traffic_shaping() {
|
||||
|
||||
$device = physical_name $device;
|
||||
|
||||
my $dev = chain_base( $device );
|
||||
|
||||
unless ( $config{TC_ENABLED} eq 'Shared' ) {
|
||||
|
||||
my $dev = chain_base( $device );
|
||||
|
||||
emit( '',
|
||||
'#',
|
||||
"# Configure Traffic Shaping for $device",
|
||||
'#',
|
||||
"setup_${dev}_tc() {" );
|
||||
|
||||
push_indent;
|
||||
|
||||
emit "if interface_is_up $device; then";
|
||||
|
||||
push_indent;
|
||||
@ -1500,6 +1515,85 @@ sub setup_traffic_shaping() {
|
||||
emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
|
||||
}
|
||||
|
||||
for my $class ( @tcclasses ) {
|
||||
#
|
||||
# The class number in the tcclasses array is expressed in decimal.
|
||||
#
|
||||
my ( $d, $decimalclassnum ) = split /:/, $class;
|
||||
|
||||
next unless $d eq $device;
|
||||
#
|
||||
# For inclusion in 'tc' commands, we also need the hex representation
|
||||
#
|
||||
my $classnum = in_hexp $decimalclassnum;
|
||||
#
|
||||
# The decimal value of the class number is also used as the key for the hash at $tcclasses{$device}
|
||||
#
|
||||
my $tcref = $tcclasses{$device}{$decimalclassnum};
|
||||
my $mark = $tcref->{mark};
|
||||
my $devicenumber = in_hexp $devref->{number};
|
||||
my $classid = join( ':', $devicenumber, $classnum);
|
||||
my $rate = "$tcref->{rate}kbit";
|
||||
my $quantum = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
|
||||
|
||||
$classids{$classid}=$device;
|
||||
$device = physical_name $device;
|
||||
|
||||
my $priority = $tcref->{priority} << 8;
|
||||
my $parent = in_hexp $tcref->{parent};
|
||||
|
||||
emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
|
||||
|
||||
if ( $devref->{qdisc} eq 'htb' ) {
|
||||
emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
|
||||
} else {
|
||||
my $dmax = $tcref->{dmax};
|
||||
|
||||
if ( $dmax ) {
|
||||
my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
|
||||
emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
|
||||
} else {
|
||||
emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
|
||||
}
|
||||
}
|
||||
|
||||
if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
|
||||
1 while $devnums[++$sfq];
|
||||
|
||||
$sfqinhex = in_hexp( $sfq);
|
||||
if ( $devref->{qdisc} eq 'htb' ) {
|
||||
emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
|
||||
} else {
|
||||
emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
|
||||
}
|
||||
}
|
||||
#
|
||||
# add filters
|
||||
#
|
||||
unless ( $devref->{classify} ) {
|
||||
emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
|
||||
}
|
||||
|
||||
emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
|
||||
#
|
||||
# options
|
||||
#
|
||||
emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
|
||||
|
||||
for my $tospair ( @{$tcref->{tos}} ) {
|
||||
my ( $tos, $mask ) = split q(/), $tospair;
|
||||
emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
|
||||
}
|
||||
|
||||
save_progress_message_short qq(" TC Class $classid defined.");
|
||||
emit '';
|
||||
|
||||
}
|
||||
|
||||
emit '';
|
||||
|
||||
emit "$_" for @{$devref->{filters}};
|
||||
|
||||
save_progress_message_short qq(" TC Device $device defined.");
|
||||
|
||||
pop_indent;
|
||||
@ -1510,106 +1604,44 @@ sub setup_traffic_shaping() {
|
||||
emit "${dev}_exists=";
|
||||
pop_indent;
|
||||
emit "fi\n";
|
||||
|
||||
pop_indent;
|
||||
emit "}\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
my $lastdevice = '';
|
||||
|
||||
for my $class ( @tcclasses ) {
|
||||
#
|
||||
# The class number in the tcclasses array is expressed in decimal.
|
||||
#
|
||||
my ( $device, $decimalclassnum ) = split /:/, $class;
|
||||
#
|
||||
# For inclusion in 'tc' commands, we also need the hex representation
|
||||
#
|
||||
my $classnum = in_hexp $decimalclassnum;
|
||||
my $devref = $tcdevices{$device};
|
||||
#
|
||||
# The decimal value of the class number is also used as the key for the hash at $tcclasses{$device}
|
||||
#
|
||||
my $tcref = $tcclasses{$device}{$decimalclassnum};
|
||||
my $mark = $tcref->{mark};
|
||||
my $devicenumber = in_hexp $devref->{number};
|
||||
my $classid = join( ':', $devicenumber, $classnum);
|
||||
my $rate = "$tcref->{rate}kbit";
|
||||
my $quantum = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
|
||||
|
||||
$classids{$classid}=$device;
|
||||
$device = physical_name $device;
|
||||
|
||||
unless ( $config{TC_ENABLED} eq 'Shared' ) {
|
||||
my $dev = chain_base $device;
|
||||
my $priority = $tcref->{priority} << 8;
|
||||
my $parent = in_hexp $tcref->{parent};
|
||||
|
||||
if ( $lastdevice ne $device ) {
|
||||
if ( $lastdevice ) {
|
||||
pop_indent;
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
emit qq(if [ -n "\$${dev}_exists" ]; then);
|
||||
push_indent;
|
||||
$lastdevice = $device;
|
||||
}
|
||||
|
||||
emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
|
||||
|
||||
if ( $devref->{qdisc} eq 'htb' ) {
|
||||
emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
|
||||
} else {
|
||||
my $dmax = $tcref->{dmax};
|
||||
|
||||
if ( $dmax ) {
|
||||
my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
|
||||
emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
|
||||
} else {
|
||||
emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
|
||||
}
|
||||
}
|
||||
|
||||
if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
|
||||
1 while $devnums[++$sfq];
|
||||
|
||||
$sfqinhex = in_hexp( $sfq);
|
||||
if ( $devref->{qdisc} eq 'htb' ) {
|
||||
emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
|
||||
} else {
|
||||
emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
|
||||
}
|
||||
}
|
||||
#
|
||||
# add filters
|
||||
#
|
||||
unless ( $devref->{classify} ) {
|
||||
emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
|
||||
}
|
||||
|
||||
emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
|
||||
#
|
||||
# options
|
||||
#
|
||||
emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
|
||||
|
||||
for my $tospair ( @{$tcref->{tos}} ) {
|
||||
my ( $tos, $mask ) = split q(/), $tospair;
|
||||
emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
|
||||
}
|
||||
|
||||
save_progress_message_short qq(" TC Class $classid defined.");
|
||||
emit '';
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Validate the TC configuration storing basic information in %tcdevices and %tcdevices
|
||||
#
|
||||
sub process_tc() {
|
||||
if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
|
||||
process_traffic_shaping;
|
||||
} elsif ( $config{TC_ENABLED} eq 'Simple' ) {
|
||||
process_tcinterfaces;
|
||||
}
|
||||
#
|
||||
# The Providers module needs to know which devices are tc-enabled so that
|
||||
# it can call the appropriate 'setup_x_tc" function when the device is
|
||||
# enabled.
|
||||
|
||||
if ( $lastdevice ) {
|
||||
pop_indent;
|
||||
emit "fi\n";
|
||||
my %empty;
|
||||
|
||||
$config{TC_ENABLED} eq 'Shared' ? \%empty : \%tcdevices;
|
||||
}
|
||||
|
||||
#
|
||||
# Call the setup_${dev}_tc functions
|
||||
#
|
||||
sub setup_traffic_shaping() {
|
||||
save_progress_message q("Setting up Traffic Control...");
|
||||
|
||||
for my $device ( @tcdevices ) {
|
||||
my $interfaceref = known_interface( $device );
|
||||
my $dev = chain_base( $interfaceref ? $interfaceref->{physical} : $device );
|
||||
|
||||
emit "setup_${dev}_tc";
|
||||
}
|
||||
|
||||
process_tcfilters;
|
||||
}
|
||||
|
||||
#
|
||||
@ -1723,10 +1755,9 @@ sub setup_tc() {
|
||||
if ( $globals{TC_SCRIPT} ) {
|
||||
save_progress_message q('Setting up Traffic Control...');
|
||||
append_file $globals{TC_SCRIPT};
|
||||
} elsif ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
|
||||
setup_traffic_shaping;
|
||||
} elsif ( $config{TC_ENABLED} eq 'Simple' ) {
|
||||
setup_simple_traffic_shaping;
|
||||
} else {
|
||||
process_tcpri if $config{TC_ENABLED} eq 'Simple';
|
||||
setup_traffic_shaping unless $config{TC_ENABLED} eq 'Shared';
|
||||
}
|
||||
|
||||
if ( $config{TC_ENABLED} ) {
|
||||
|
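Review bot: In the new setup_traffic_shaping (the `@ -1510` hunk) the shell function name is built from `chain_base( $interfaceref ? $interfaceref->{physical} : $device )`, while process_traffic_shaping and process_simple_device define that function from `chain_base( physical_name $device )`; if the two ever resolve differently for a device, the generated script calls a `setup_${dev}_tc` that was never emitted and fails at run time. Deriving the name once through a shared helper, or using `physical_name $device` in both places, removes that risk. In process_tcfilters, `our $lastdevice = '';` appears to have no remaining reader now that the per-device `if interface_is_up` block was removed from process_tc_filter. The header comment on the new process_tc reads "%tcdevices and %tcdevices", where the second is presumably %tcclasses, and "compilex" in the process_traffic_shaping header looks like a typo for "compiled".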
@ -73,6 +73,7 @@ our @EXPORT = qw( NOTHING
|
||||
find_interfaces_by_option
|
||||
find_interfaces_by_option1
|
||||
get_interface_option
|
||||
interface_has_option
|
||||
set_interface_option
|
||||
interface_zones
|
||||
verify_required_interfaces
|
||||
@ -1375,8 +1376,7 @@ sub find_interfaces_by_option1( $ ) {
|
||||
my @ints = ();
|
||||
my $wild = 0;
|
||||
|
||||
for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} }
|
||||
( grep $interfaces{$_}{root}, keys %interfaces ) ) {
|
||||
for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) {
|
||||
my $interfaceref = $interfaces{$interface};
|
||||
|
||||
next unless defined $interfaceref->{physical};
|
||||
@ -1410,6 +1410,22 @@ sub get_interface_option( $$ ) {
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Return the value of an option for an interface
|
||||
#
|
||||
sub interface_has_option( $$\$ ) {
|
||||
my ( $interface, $option, $value ) = @_;
|
||||
|
||||
my $ref = $interfaces{$interface};
|
||||
|
||||
$ref = known_interface( $interface ) unless $ref;
|
||||
|
||||
if ( exists $ref->{options}{$option} ) {
|
||||
$$value = $ref->{options}{$option};
|
||||
1;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Set an option for an interface
|
||||
#
|
||||
|
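Review bot: The header comment added above interface_has_option, `# Return the value of an option for an interface`, is the one get_interface_option carries and does not describe this function, which returns a truth value and hands the option value back through the `\$` reference parameter. Something like `# Return true and store the option's value through the passed reference when the interface has the option; false otherwise` would match the code. The success path relies on a bare `1;` as the implicit return and the failure path returns whatever the false `if` condition evaluated to; explicit `return 1;` and `return 0;` would make the contract clear to callers. If known_interface can return undef, `exists $ref->{options}{$option}` autovivifies `$ref` instead of failing, which may or may not be what is wanted.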
@ -20,7 +20,13 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
|
||||
#
|
||||
# Parameters:
|
||||
#
|
||||
# $1 = Path name of params file
|
||||
# $2 = $CONFIG_PATH
|
||||
# $3 = Address family (4 o4 6)
|
||||
#
|
||||
if [ "$3" = 6 ]; then
|
||||
. /usr/share/shorewall6/lib.base
|
||||
. /usr/share/shorewall6/lib.cli
|
||||
|
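Review bot: The added parameter comment `# $3 = Address family (4 o4 6)` has a typo, `o4` for `or`. The comparison that follows, `if [ "$3" = 6 ]`, is the only check on that value in the hunk, so any other value presumably falls through to the IPv4 branch outside it; a comment stating that `4` is the default would save the reader a trip to the else branch.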
@ -5,7 +5,21 @@
|
||||
# Give Usage Information
|
||||
#
|
||||
usage() {
|
||||
echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
|
||||
echo "Usage: $0 [ options ] <command>"
|
||||
echo
|
||||
echo "<command> is one of:"
|
||||
echo " start"
|
||||
echo " stop"
|
||||
echo " clear"
|
||||
echo " disable <interface>"
|
||||
echo " down <interface>"
|
||||
echo " enable <interface>"
|
||||
echo " reset"
|
||||
echo " refresh"
|
||||
echo " restart"
|
||||
echo " status"
|
||||
echo " up <interface>"
|
||||
echo " version"
|
||||
echo
|
||||
echo "Options are:"
|
||||
echo
|
||||
@ -295,6 +309,26 @@ case "$COMMAND" in
|
||||
updown $@
|
||||
status=0;
|
||||
;;
|
||||
enable)
|
||||
[ $# -eq 1 ] && exit 0
|
||||
shift
|
||||
[ $# -ne 1 ] && usage 2
|
||||
if shorewall_is_started; then
|
||||
detect_configuration
|
||||
enable_provider $1
|
||||
fi
|
||||
status=0
|
||||
;;
|
||||
disable)
|
||||
[ $# -eq 1 ] && exit 0
|
||||
shift
|
||||
[ $# -ne 1 ] && usage 2
|
||||
if shorewall_is_started; then
|
||||
detect_configuration
|
||||
disable_provider $1
|
||||
fi
|
||||
status=0
|
||||
;;
|
||||
version)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
echo $SHOREWALL_VERSION
|
||||
|
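Review bot: In the new `enable)` and `disable)` arms, `[ $# -eq 1 ] && exit 0` makes `enable` with no interface exit successfully and silently, while the wrong-count case two lines later is reported with `usage 2`; unless this deliberately mirrors the up/down arms outside the hunk, `[ $# -eq 1 ] && usage 2` gives the operator feedback instead of a silent no-op. `enable_provider $1` and `disable_provider $1` pass the interface name unquoted; `"$1"` keeps a name containing whitespace or glob characters from being split or expanded before it reaches the function. The enclosing `case "$COMMAND"` starts and ends outside the hunk.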
@ -111,6 +111,17 @@ find_device() {
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Find the value 'weight' in the passed arguments then echo the next value
|
||||
#
|
||||
|
||||
find_weight() {
|
||||
while [ $# -gt 1 ]; do
|
||||
[ "x$1" = xweight ] && echo $2 && return
|
||||
shift
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Find the value 'via' in the passed arguments then echo the next value
|
||||
#
|
||||
@ -481,6 +492,8 @@ get_device_mtu1() # $1 = device
|
||||
# Undo changes to routing
|
||||
#
|
||||
undo_routing() {
|
||||
local undofiles
|
||||
local f
|
||||
|
||||
if [ -z "$g_noroutes" ]; then
|
||||
#
|
||||
@ -493,10 +506,16 @@ undo_routing() {
|
||||
#
|
||||
# Restore the rest of the routing table
|
||||
#
|
||||
if [ -f ${VARDIR}/undo_routing ]; then
|
||||
. ${VARDIR}/undo_routing
|
||||
progress_message "Shorewall-generated routing tables and routing rules removed"
|
||||
rm -f ${VARDIR}/undo_routing
|
||||
undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
|
||||
|
||||
if [ -n "$undofiles" ]; then
|
||||
for f in $undofiles; do
|
||||
. $f
|
||||
done
|
||||
|
||||
rm -f $undofiles
|
||||
|
||||
progress_message "Shorewall-generated routing tables and routing rules removed"
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -581,6 +600,60 @@ restore_default_route() # $1 = USE_DEFAULT_RT
|
||||
return $result
|
||||
}
|
||||
|
||||
#
|
||||
# Add an additional gateway to the default route
|
||||
#
|
||||
add_gateway() # $1 = Delta $2 = Table Number
|
||||
{
|
||||
local route
|
||||
local weight
|
||||
local delta
|
||||
local dev
|
||||
|
||||
route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
|
||||
|
||||
if [ -z "$route" ]; then
|
||||
run_ip route add default scope global table $2 $1
|
||||
else
|
||||
delta=$1
|
||||
|
||||
if ! echo $route | fgrep -q ' nexthop '; then
|
||||
route=`echo $route | sed 's/via/nexthop via/'`
|
||||
dev=$(find_device $route)
|
||||
if [ -f ${VARDIR}/${dev}_weight ]; then
|
||||
weight=`cat ${VARDIR}/${dev}_weight`
|
||||
route="$route weight $weight"
|
||||
fi
|
||||
fi
|
||||
|
||||
run_ip route replace default scope global table $2 $route $delta
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Remove a gateway from the default route
|
||||
#
|
||||
delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
|
||||
{
|
||||
local route
|
||||
local gateway
|
||||
local dev
|
||||
|
||||
route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
|
||||
gateway=$1
|
||||
|
||||
if [ -n "$route" ]; then
|
||||
if echo $route | fgrep -q ' nexthop '; then
|
||||
gateway="nexthop $gateway"
|
||||
eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
|
||||
run_ip route replace table $2 $route
|
||||
else
|
||||
dev=$(find_device $route)
|
||||
[ "$dev" = "$3" ] && run_ip route delete default table $2
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Determine the MAC address of the passed IP through the passed interface
|
||||
#
|
||||
@ -803,13 +876,17 @@ debug_restore_input() {
|
||||
qt1 $IPTABLES -t mangle -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt1 $IPTABLES -t raw -F
|
||||
qt1 $IPTABLES -t raw -X
|
||||
qt1 $IPTABLES -t raw -F
|
||||
qt1 $IPTABLES -t raw -X
|
||||
qt1 $IPTABLES -t rawpost -F
|
||||
qt1 $IPTABLES -t rawpost -X
|
||||
|
||||
for chain in PREROUTING OUTPUT; do
|
||||
qt1 $IPTABLES -t raw -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt1 $iptables -T rawpost -P POSTROUTING ACCEPT
|
||||
|
||||
run_iptables -t nat -F
|
||||
run_iptables -t nat -X
|
||||
|
||||
@ -859,6 +936,9 @@ debug_restore_input() {
|
||||
'*'raw)
|
||||
table=raw
|
||||
;;
|
||||
'*'rawpost)
|
||||
table=rawpost
|
||||
;;
|
||||
'*'mangle)
|
||||
table=mangle
|
||||
;;
|
||||
|
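Review bot: In debug_restore_input, the added `qt1 $iptables -T rawpost -P POSTROUTING ACCEPT` uses a lowercase `$iptables` where every surrounding line uses `$IPTABLES`, and `-T` where the table option is `-t`; unless `$iptables` is set somewhere outside the hunk, qt1 is handed `-T` as the command and the rawpost POSTROUTING policy is never reset. It should read `qt1 $IPTABLES -t rawpost -P POSTROUTING ACCEPT`. In delete_gateway, `eval route=\`echo $route \| sed \'s/$gateway/ /\'\`` re-parses the route-table text and the caller-supplied gateway description as shell source; `route=$(echo "$route" | sed "s/$gateway/ /")` gives the same substitution without eval, and since `$gateway` is still interpolated into a sed pattern it must contain no `/` or regex metacharacters (the comment on that function also reads `$!` where `$1` is meant). In undo_routing, `for f in $undofiles` over an `ls` listing word-splits the names; iterating the glob directly, `for f in ${VARDIR}/undo_*routing; do [ -f "$f" ] && . "$f"; done`, avoids parsing ls.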
@ -484,7 +484,7 @@ undo_routing() {
|
||||
if [ -f ${VARDIR}/undo_routing ]; then
|
||||
. ${VARDIR}/undo_routing
|
||||
progress_message "Shorewall-generated routing tables and routing rules removed"
|
||||
rm -f ${VARDIR}/undo_routing
|
||||
rm -f ${VARDIR}/undo_*routing
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -822,6 +822,9 @@ debug_restore_input() {
|
||||
'*'raw)
|
||||
table=raw
|
||||
;;
|
||||
'*'rawpost)
|
||||
table=rawpost
|
||||
;;
|
||||
'*'mangle)
|
||||
table=mangle
|
||||
;;
|
||||
|
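Review bot: The new `rm -f ${VARDIR}/undo_*routing` removes every undo_*routing file, but only `${VARDIR}/undo_routing` is sourced before it, so any other undo_*routing file is deleted without its routing changes being undone; the IPv4 counterpart in this commit sources each matching file before removing them. If the IPv6 library is meant to behave the same, the loop belongs here too, e.g. `for f in ${VARDIR}/undo_*routing; do [ -f "$f" ] && . "$f"; done` before the rm. undo_routing starts outside the hunk.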
@ -6,5 +6,6 @@
|
||||
# See http://shorewall.net/netmap.html for an example and usage
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#TYPE NET1 INTERFACE NET2 NET3
|
||||
##############################################################################################
|
||||
#TYPE NET1 INTERFACE NET2 NET3 PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
|
@ -9,6 +9,7 @@
|
||||
####################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
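--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+# Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+. /etc/sysconfig/$prog
+fi
+
+start() {
+echo -n $"Starting Shorewall: "
+$shorewall $OPTIONS start 2>&1 | $logger
+retval=${PIPESTATUS[0]}
+if [[ $retval == 0 ]]; then
+touch $lockfile
+success
+else
+failure
+fi
+echo
+return $retval
+}
+
+stop() {
+echo -n $"Stopping Shorewall: "
+$shorewall $OPTIONS stop 2>&1 | $logger
+retval=${PIPESTATUS[0]}
+if [[ $retval == 0 ]]; then
+rm -f $lockfile
+success
+else
+failure
+fi
+echo
+return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+echo -n $"Restarting Shorewall: "
+$shorewall $OPTIONS restart 2>&1 | $logger
+retval=${PIPESTATUS[0]}
+if [[ $retval == 0 ]]; then
+touch $lockfile
+success
+else # Failed to start, clean up lock file if present
+rm -f $lockfile
+failure
+fi
+echo
+return $retval
+}
+
+status(){
+$shorewall status
+return $?
+}
+
+status_q() {
+status > /dev/null 2>&1
+}
+
+case "$1" in
+start)
+status_q && exit 0
+$1
+;;
+stop)
+status_q || exit 0
+$1
+;;
+restart|reload|force-reload)
+restart
+;;
+condrestart|try-restart)
+status_q || exit 0
+restart
+;;
+status)
+$1
+;;
+*)
+echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+exit 1
+;;
+esac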
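Review bot: The script declares `#!/bin/sh` but relies on `[[ $retval == 0 ]]`, `${PIPESTATUS[0]}` and the `$"..."` echo strings, all of which are bash-only; it works only where /bin/sh happens to be bash, and on a dash-style sh every status check fails. Since `${PIPESTATUS[0]}` is the right way to recover the exit status of `$shorewall` from behind the logger pipe, the fix is the shebang: `#!/bin/bash`. `$lockfile` and `$shorewall` are expanded unquoted throughout; they are constants here, but `"$lockfile"` and `"$shorewall"` cost nothing and survive a later change to /etc/sysconfig/shorewall.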
@ -248,6 +248,9 @@ else
|
||||
echo "Installing Debian-specific configuration..."
|
||||
DEBIAN=yes
|
||||
SPARSE=yes
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
echo "Installing Redhat/Fedora-specific configuration..."
|
||||
FEDORA=yes
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
echo "Installing Slackware-specific configuration..."
|
||||
DEST="/etc/rc.d"
|
||||
@ -262,6 +265,14 @@ else
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
if [ -f /lib/systemd/system ]; then
|
||||
SYSTEMD=Yes
|
||||
fi
|
||||
elif [ -n "$SYSTEMD" ]; then
|
||||
mkdir -p ${DESTDIR}/lib/systemd/system
|
||||
fi
|
||||
|
||||
#
|
||||
# Change to the directory containing this script
|
||||
#
|
||||
@ -301,6 +312,8 @@ fi
|
||||
#
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall 0544
|
||||
elif [ -n "$FEDORA" ]; then
|
||||
install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall 0544
|
||||
elif [ -n "$ARCHLINUX" ]; then
|
||||
install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
|
||||
elif [ -n "$SLACKWARE" ]; then
|
||||
@ -333,6 +346,14 @@ if [ -n "$DESTDIR" ]; then
|
||||
chmod 755 ${DESTDIR}/etc/logrotate.d
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the .service file
|
||||
#
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
run_install $OWNERSHIP -m 600 shorewall.service ${DESTDIR}/lib/systemd/system/shorewall.service
|
||||
echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall.service"
|
||||
fi
|
||||
|
||||
if [ -n "$ANNOTATED" ]; then
|
||||
suffix=.annotated
|
||||
else
|
||||
@ -997,7 +1018,11 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
|
||||
touch /var/log/shorewall-init.log
|
||||
perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall/shorewall.conf
|
||||
else
|
||||
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
if systemctl enable shorewall; then
|
||||
echo "Shorewall will start automatically at boot"
|
||||
fi
|
||||
elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
if insserv /etc/init.d/shorewall ; then
|
||||
echo "shorewall will start automatically at boot"
|
||||
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
|
||||
|
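Review bot: `if [ -f /lib/systemd/system ]; then` in the new systemd detection tests for a regular file, but /lib/systemd/system is a directory, so on a live (DESTDIR empty) install SYSTEMD is never set and both the unit-file install and the `systemctl enable shorewall` branch below are skipped; it should be `if [ -d /lib/systemd/system ]; then`. The same test is repeated in the Shorewall6-lite and Shorewall6 install.sh sections of this commit. The unit file is installed with `-m 600`; unit files carry no secrets and the customary mode is 644 so that unprivileged `systemctl` invocations can read them, i.e. `run_install $OWNERSHIP -m 644 shorewall.service ${DESTDIR}/lib/systemd/system/shorewall.service`. Whether `systemctl enable` is reachable on a host without insserv depends on which of the two `-x /sbin/insserv` lines in the last hunk is the removed one, which the page does not show.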
@ -525,7 +525,7 @@ show_command() {
|
||||
[ $# -eq 1 ] && usage 1
|
||||
|
||||
case $2 in
|
||||
mangle|nat|filter|raw)
|
||||
mangle|nat|filter|raw|rawpost)
|
||||
table=$2
|
||||
table_given=Yes
|
||||
;;
|
||||
@ -602,6 +602,13 @@ show_command() {
|
||||
show_reset
|
||||
$IPTABLES -t raw -L $g_ipt_options
|
||||
;;
|
||||
rawpost)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$IPTABLES -t rawpost -L $g_ipt_options
|
||||
;;
|
||||
tos|mangle)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
|
||||
@ -1500,6 +1507,7 @@ hits_command() {
|
||||
$g_logread | grep "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
|
||||
t
|
||||
s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
|
||||
[ -z "$port" ] && port=0
|
||||
printf '%7d %-15s %d\n' $count $address $port
|
||||
done
|
||||
|
||||
@ -1690,6 +1698,7 @@ determine_capabilities() {
|
||||
CONNMARK_MATCH=
|
||||
XCONNMARK_MATCH=
|
||||
RAW_TABLE=
|
||||
RAWPOST_TABLE=
|
||||
IPP2P_MATCH=
|
||||
OLD_IPP2P_MATCH=
|
||||
LENGTH_MATCH=
|
||||
@ -1722,7 +1731,6 @@ determine_capabilities() {
|
||||
HEADER_MATCH=
|
||||
ACCOUNT_TARGET=
|
||||
AUDIT_TARGET=
|
||||
QUOTA_MATCH=
|
||||
|
||||
chain=fooX$$
|
||||
|
||||
@ -1826,7 +1834,8 @@ determine_capabilities() {
|
||||
qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
|
||||
fi
|
||||
|
||||
qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
|
||||
qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
|
||||
qt $IPTABLES -t rawpost -L -n && RAWPOST_TABLE=Yes
|
||||
|
||||
if qt mywhich ipset; then
|
||||
qt ipset -X $chain # Just in case something went wrong the last time
|
||||
@ -1872,7 +1881,6 @@ determine_capabilities() {
|
||||
qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
|
||||
qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
|
||||
qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
|
||||
qt $IPTABLES -A $chain -m quota --quota 1000 & QUOTA_MATCH=Yes
|
||||
qt $IPTABLES -F $chain
|
||||
qt $IPTABLES -X $chain
|
||||
qt $IPTABLES -F $chain1
|
||||
@ -1934,6 +1942,7 @@ report_capabilities() {
|
||||
report_capability "Connmark Match" $CONNMARK_MATCH
|
||||
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
|
||||
report_capability "Raw Table" $RAW_TABLE
|
||||
report_capability "Rawpost Table" $RAWPOST_TABLE
|
||||
report_capability "IPP2P Match" $IPP2P_MATCH
|
||||
[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
|
||||
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
||||
@ -1965,7 +1974,6 @@ report_capabilities() {
|
||||
report_capability "Header Match" $HEADER_MATCH
|
||||
report_capability "ACCOUNT Target" $ACCOUNT_TARGET
|
||||
report_capability "AUDIT Target" $AUDIT_TARGET
|
||||
report_capability "Quota Match" $QUOTA_MATCH
|
||||
report_capability "ipset V5" $IPSET_V5
|
||||
fi
|
||||
|
||||
@ -2004,6 +2012,7 @@ report_capabilities1() {
|
||||
report_capability1 CONNMARK_MATCH
|
||||
report_capability1 XCONNMARK_MATCH
|
||||
report_capability1 RAW_TABLE
|
||||
report_capability1 RAWPOST_TABLE
|
||||
report_capability1 IPP2P_MATCH
|
||||
report_capability1 OLD_IPP2P_MATCH
|
||||
report_capability1 CLASSIFY_TARGET
|
||||
@ -2035,7 +2044,6 @@ report_capabilities1() {
|
||||
report_capability1 HEADER_MATCH
|
||||
report_capability1 ACCOUNT_TARGET
|
||||
report_capability1 AUDIT_TARGET
|
||||
report_capability1 QUOTA_MATCH
|
||||
report_capability1 IPSET_V5
|
||||
|
||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||
|
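Review bot: `qt $IPTABLES -A $chain -m quota --quota 1000 & QUOTA_MATCH=Yes` in the determine_capabilities hunk uses a single `&`, which backgrounds the probe and sets QUOTA_MATCH=Yes unconditionally, so the capability would be reported even where the quota match is absent. That hunk removes one of its seven lines and the page does not show which; if this is the removed line the point is moot, otherwise it should read `qt $IPTABLES -A $chain -m quota --quota 1000 && QUOTA_MATCH=Yes`, as the IPv6 counterpart in this commit already does. The new `show rawpost` heading prints `RAWPOST Table` while the IPv6 CLI prints `rawpost Table` and the adjacent headings use `Mangle Table`; `Rawpost Table` in both would match the `report_capability "Rawpost Table"` wording. The functions these hunks touch begin and end outside the hunks.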
@ -225,7 +225,31 @@ loadmodule() # $1 = module name, $2 - * arguments
|
||||
local modulefile
|
||||
local suffix
|
||||
|
||||
if ! list_search $modulename $DONT_LOAD $MODULES; then
|
||||
if [ -d /sys/module/ ]; then
|
||||
if ! list_search $modulename $DONT_LOAD; then
|
||||
if [ ! -d /sys/module/$modulename ]; then
|
||||
shift
|
||||
|
||||
for suffix in $MODULE_SUFFIX ; do
|
||||
for directory in $moduledirectories; do
|
||||
modulefile=$directory/${modulename}.${suffix}
|
||||
|
||||
if [ -f $modulefile ]; then
|
||||
case $moduleloader in
|
||||
insmod)
|
||||
insmod $modulefile $*
|
||||
;;
|
||||
*)
|
||||
modprobe $modulename $*
|
||||
;;
|
||||
esac
|
||||
break 2
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
fi
|
||||
elif ! list_search $modulename $DONT_LOAD $MODULES; then
|
||||
shift
|
||||
|
||||
for suffix in $MODULE_SUFFIX ; do
|
||||
@ -272,7 +296,7 @@ reload_kernel_modules() {
|
||||
uname=$(uname -r) && \
|
||||
MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
||||
|
||||
MODULES=$(lsmod | cut -d ' ' -f1)
|
||||
[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
|
||||
|
||||
for directory in $(split $MODULESDIR); do
|
||||
[ -d $directory ] && moduledirectories="$moduledirectories $directory"
|
||||
@ -318,7 +342,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
||||
[ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
|
||||
|
||||
if [ -f $modules -a -n "$moduledirectories" ]; then
|
||||
MODULES=$(lsmod | cut -d ' ' -f1)
|
||||
[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
|
||||
progress_message "Loading Modules..."
|
||||
. $modules
|
||||
if [ $savemoduleinfo = Yes ]; then
|
||||
|
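Review bot: The new `/sys/module` fast path in loadmodule tests `[ ! -d /sys/module/$modulename ]` with the name exactly as given, but the kernel registers module names with hyphens replaced by underscores (modprobe accepts either spelling), so a module listed with a hyphen would be judged absent and re-loaded on every call; this is inferred from kernel behaviour, not from the page. Normalising before the test, `if [ ! -d /sys/module/$(echo $modulename | sed 's/-/_/g') ]; then`, would make the check agree with modprobe; the Shorewall6 loadmodule hunk has the same code. `MODULES` is now only populated when /sys/module is missing, which deserves a comment at the two `[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)` lines, e.g. `# MODULES is only needed when /sys/module is unavailable; loadmodule checks /sys/module directly otherwise`. loadmodule's body continues past the end of the first hunk.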
@ -1435,7 +1435,7 @@ usage() # $1 = exit status
|
||||
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
|
||||
echo " restore [ -n ] [ <file name> ]"
|
||||
echo " save [ <file name> ]"
|
||||
echo " show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
|
||||
echo " show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
|
||||
echo " show actions"
|
||||
echo " show [ -f ] capabilities"
|
||||
echo " show classifiers"
|
||||
@ -1448,7 +1448,7 @@ usage() # $1 = exit status
|
||||
echo " show [ -m ] log [<regex>]"
|
||||
echo " show macro <macro>"
|
||||
echo " show macros"
|
||||
echo " show [ -x ] mangle|nat|raw|routing"
|
||||
echo " show [ -x ] mangle|nat|raw|rawpost|routing"
|
||||
echo " show policies"
|
||||
echo " show tc [ device ]"
|
||||
echo " show vardir"
|
||||
|
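--- /dev/null
+++ b/Shorewall/shorewall.service
@@ -0,0 +1,20 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+# Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+After=syslog.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall
+StandardOutput=syslog
+ExecStart=/sbin/shorewall $OPTIONS start
+ExecReload=/sbin/shorewall $OPTIONS restart
+ExecStop=/sbin/shorewall $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target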
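Review bot: `After=syslog.target` is the only ordering dependency in this unit, while the shorewall6 and shorewall6-lite units added by the same commit also declare `After=network.target`; the IPv4 unit should carry the same `After=network.target` line so that all three units order themselves after network setup consistently. Whether Shorewall itself tolerates interfaces that are not yet configured at start time is not visible on this page, so the ordering is the safer default.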
@ -92,6 +92,8 @@ if [ -n "$FIREWALL" ]; then
|
||||
updaterc.d shorewall remove
|
||||
elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
insserv -r $FIREWALL
|
||||
elif [ -x /sbin/systemctl ]; then
|
||||
systemctl disable shorewall
|
||||
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
|
||||
chkconfig --del $(basename $FIREWALL)
|
||||
else
|
||||
@ -116,6 +118,7 @@ rm -rf /usr/share/shorewall-*.bkout
|
||||
rm -rf /usr/share/man/man5/shorewall*
|
||||
rm -rf /usr/share/man/man8/shorewall*
|
||||
rm -f /etc/logrotate.d/shorewall
|
||||
rm -f /lib/systemd/system/shorewall.service
|
||||
|
||||
echo "Shorewall Uninstalled"
|
||||
|
||||
|
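Review bot: The new `elif [ -x /sbin/systemctl ]` branch sits after the `updaterc.d` and insserv branches, so on a host that has both systemd and insserv the unit is never disabled and only the sysv links are removed before `rm -f /lib/systemd/system/shorewall.service` deletes the unit file from under it; the Shorewall6-lite and Shorewall6 uninstall hunks place the systemctl test even later, after chkconfig. Disabling whenever the unit file is present, e.g. `[ -f /lib/systemd/system/shorewall.service ] && systemctl disable shorewall`, ahead of the sysv branches would mirror the install side, which enables via systemctl whenever SYSTEMD is set. `systemctl` is also not always at /sbin/systemctl; `command -v systemctl >/dev/null` is the portable test. The enclosing `if [ -n "$FIREWALL" ]` block starts outside the hunk.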
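--- /dev/null
+++ b/Shorewall6-lite/init.fedora.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall6-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+# Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall6-lite"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+. /etc/sysconfig/$prog
+fi
+
+start() {
+echo -n $"Starting Shorewall: "
+$shorewall $OPTIONS start 2>&1 | $logger
+retval=${PIPESTATUS[0]}
+if [[ $retval == 0 ]]; then
+touch $lockfile
+success
+else
+failure
+fi
+echo
+return $retval
+}
+
+stop() {
+echo -n $"Stopping Shorewall: "
+$shorewall $OPTIONS stop 2>&1 | $logger
+retval=${PIPESTATUS[0]}
+if [[ $retval == 0 ]]; then
+rm -f $lockfile
+success
+else
+failure
+fi
+echo
+return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+echo -n $"Restarting Shorewall: "
+$shorewall $OPTIONS restart 2>&1 | $logger
+retval=${PIPESTATUS[0]}
+if [[ $retval == 0 ]]; then
+touch $lockfile
+success
+else # Failed to start, clean up lock file if present
+rm -f $lockfile
+failure
+fi
+echo
+return $retval
+}
+
+status(){
+$shorewall status
+return $?
+}
+
+status_q() {
+status > /dev/null 2>&1
+}
+
+case "$1" in
+start)
+status_q && exit 0
+$1
+;;
+stop)
+status_q || exit 0
+$1
+;;
+restart|reload|force-reload)
+restart
+;;
+condrestart|try-restart)
+status_q || exit 0
+restart
+;;
+status)
+$1
+;;
+*)
+echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+exit 1
+;;
+esac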
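Review bot: The script is declared `#!/bin/sh` but relies on `[[ ]]`, `${PIPESTATUS[0]}` and `$"..."`, all of which are bash-only; under a POSIX /bin/sh such as dash `retval` would be empty and the status test would not behave as written, so the shebang should be `#!/bin/bash`, which is what the Fedora functions library it sources already assumes. Shorewall6/init.fedora.sh added by this commit has the same shebang and constructs. The user-visible strings `Starting Shorewall: `, `Stopping Shorewall: ` and `Restarting Shorewall: ` do not name shorewall6-lite even though `$prog` is available, e.g. `echo -n $"Starting $prog: "`.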
@ -171,6 +171,8 @@ if [ -n "$DESTDIR" ]; then
|
||||
install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
|
||||
elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
|
||||
DEBIAN=yes
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
FEDORA=yes
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
DEST="/etc/rc.d"
|
||||
INIT="rc.firewall"
|
||||
@ -180,6 +182,14 @@ elif [ -f /etc/arch-release ] ; then
|
||||
ARCHLINUX=yes
|
||||
fi
|
||||
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
if [ -f /lib/systemd/system ]; then
|
||||
SYSTEMD=Yes
|
||||
fi
|
||||
elif [ -n "$SYSTEMD" ]; then
|
||||
mkdir -p ${DESTDIR}/lib/systemd/system
|
||||
fi
|
||||
|
||||
#
|
||||
# Change to the directory containing this script
|
||||
#
|
||||
@ -222,6 +232,8 @@ echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-li
|
||||
#
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall6-lite 0544
|
||||
elif [ -n "$FEDORA" ]; then
|
||||
install_file init.fedora.sh /etc/init.d/shorewall6-lite 0544
|
||||
elif [ -n "$ARCHLINUX" ]; then
|
||||
install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
|
||||
|
||||
@ -247,6 +259,14 @@ if [ -n "$DESTDIR" ]; then
|
||||
chmod 755 ${DESTDIR}/etc/logrotate.d
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the .service file
|
||||
#
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
run_install $OWNERSHIP -m 600 shorewall6-lite.service ${DESTDIR}/lib/systemd/system/shorewall6-lite.service
|
||||
echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall6-lite.service"
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the config file
|
||||
#
|
||||
@ -380,7 +400,11 @@ if [ -z "$DESTDIR" ]; then
|
||||
|
||||
echo "Shorewall6 Lite will start automatically at boot"
|
||||
else
|
||||
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
if systemctl enable shorewall6-lite; then
|
||||
echo "Shorewall6 Lite will start automatically at boot"
|
||||
fi
|
||||
elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
if insserv /etc/init.d/shorewall6-lite ; then
|
||||
echo "Shorewall6 Lite will start automatically at boot"
|
||||
else
|
||||
|
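Review bot: `install_file init.fedora.sh /etc/init.d/shorewall6-lite 0544` omits `${DESTDIR}`, unlike the Debian line directly above it, so a packaging build with DESTDIR set writes the init script into the build host's live /etc/init.d; it should be `install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall6-lite 0544`. The systemd detection in the second hunk uses `if [ -f /lib/systemd/system ]; then` on what is a directory, so SYSTEMD is never set on a live install and the unit-file install and `systemctl enable shorewall6-lite` branches are skipped; `-d` is the right test. The `if [ -z "$DESTDIR" ]` block in the last hunk starts outside the hunk.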
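--- /dev/null
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -0,0 +1,21 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+# Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv6 firewall (lite)
+After=syslog.target
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall6-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6-lite $OPTIONS start
+ExecReload=/sbin/shorewall6-lite $OPTIONS restart
+ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target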
@ -81,6 +81,8 @@ if [ -n "$FIREWALL" ]; then
|
||||
insserv -r $FIREWALL
|
||||
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
|
||||
chkconfig --del $(basename $FIREWALL)
|
||||
elif [ -x /sbin/systemctl ]; then
|
||||
systemctl disable shorewall6-lite
|
||||
else
|
||||
rm -f /etc/rc*.d/*$(basename $FIREWALL)
|
||||
fi
|
||||
@ -100,6 +102,7 @@ rm -rf /usr/share/shorewall6-lite
|
||||
rm -rf ${LIBEXEC}/shorewall6-lite
|
||||
rm -rf /usr/share/shorewall6-lite-*.bkout
|
||||
rm -f /etc/logrotate.d/shorewall6-lite
|
||||
rm -f /lib/systemd/system/shorewall6-lite.service
|
||||
|
||||
echo "Shorewall6 Lite Uninstalled"
|
||||
|
||||
|
@ -62,7 +62,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
}
|
||||
|
||||
|
||||
log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) ) if $level ne '';
|
||||
add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
|
||||
|
||||
|
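--- /dev/null
+++ b/Shorewall6/configfiles/netmap
@@ -0,0 +1,11 @@
+#
+# Shorewall6 version 4 - Netmap File
+#
+# For information about entries in this file, type "man shorewall-netmap"
+#
+# See http://shorewall.net/netmap.html for an example and usage
+# information.
+#
+##############################################################################################
+#TYPE NET1 INTERFACE NET2 NET3 PROTO DEST SOURCE
+# PORT(S) PORT(S)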
@ -9,6 +9,7 @@
|
||||
#######################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
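--- /dev/null
+++ b/Shorewall6/init.fedora.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall6
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+# Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall6"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+. /etc/sysconfig/$prog
+fi
+
+start() {
+echo -n $"Starting Shorewall: "
+$shorewall $OPTIONS start 2>&1 | $logger
+retval=${PIPESTATUS[0]}
+if [[ $retval == 0 ]]; then
+touch $lockfile
+success
+else
+failure
+fi
+echo
+return $retval
+}
+
+stop() {
+echo -n $"Stopping Shorewall: "
+$shorewall $OPTIONS stop 2>&1 | $logger
+retval=${PIPESTATUS[0]}
+if [[ $retval == 0 ]]; then
+rm -f $lockfile
+success
+else
+failure
+fi
+echo
+return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+echo -n $"Restarting Shorewall: "
+$shorewall $OPTIONS restart 2>&1 | $logger
+retval=${PIPESTATUS[0]}
+if [[ $retval == 0 ]]; then
+touch $lockfile
+success
+else # Failed to start, clean up lock file if present
+rm -f $lockfile
+failure
+fi
+echo
+return $retval
+}
+
+status(){
+$shorewall status
+return $?
+}
+
+status_q() {
+status > /dev/null 2>&1
+}
+
+case "$1" in
+start)
+status_q && exit 0
+$1
+;;
+stop)
+status_q || exit 0
+$1
+;;
+restart|reload|force-reload)
+restart
+;;
+condrestart|try-restart)
+status_q || exit 0
+restart
+;;
+status)
+$1
+;;
+*)
+echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+exit 1
+;;
+esac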
@ -107,7 +107,6 @@ if [ -z "$INIT" ] ; then
|
||||
fi
|
||||
|
||||
ANNOTATED=
|
||||
DEBIAN=
|
||||
CYGWIN=
|
||||
MAC=
|
||||
MACHOST=
|
||||
@ -242,6 +241,9 @@ else
|
||||
echo "Installing Debian-specific configuration..."
|
||||
DEBIAN=yes
|
||||
SPARSE=yes
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
echo "Installing Redhat/Fedora-specific configuration..."
|
||||
FEDORA=yes
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
echo "Installing Slackware-specific configuration..."
|
||||
DEST="/etc/rc.d"
|
||||
@ -256,6 +258,14 @@ else
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
if [ -f /lib/systemd/system ]; then
|
||||
SYSTEMD=Yes
|
||||
fi
|
||||
elif [ -n "$SYSTEMD" ]; then
|
||||
mkdir -p ${DESTDIR}/lib/systemd/system
|
||||
fi
|
||||
|
||||
#
|
||||
# Change to the directory containing this script
|
||||
#
|
||||
@ -295,6 +305,8 @@ fi
|
||||
#
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
install_file init.debian.sh /etc/init.d/shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
|
||||
elif [ -n "$FEDORA" ]; then
|
||||
install_file init.fedora.sh /etc/init.d/shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
|
||||
elif [ -n "$SLACKWARE" ]; then
|
||||
install_file init.slackware.shorewall6.sh ${DESTDIR}${DEST}/rc.shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
|
||||
elif [ -n "$ARCHLINUX" ]; then
|
||||
@ -323,6 +335,14 @@ if [ -n "$DESTDIR" ]; then
|
||||
chmod 755 ${DESTDIR}/etc/logrotate.d
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the .service file
|
||||
#
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
run_install $OWNERSHIP -m 600 shorewall6.service ${DESTDIR}/lib/systemd/system/shorewall6.service
|
||||
echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall6.service"
|
||||
fi
|
||||
|
||||
delete_file ${DESTDIR}/usr/share/shorewall6/compiler
|
||||
delete_file ${DESTDIR}/usr/share/shorewall6/lib.accounting
|
||||
delete_file ${DESTDIR}/usr/share/shorewall6/lib.actions
|
||||
@ -874,7 +894,11 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
|
||||
touch /var/log/shorewall6-init.log
|
||||
perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall6/shorewall6.conf
|
||||
else
|
||||
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
if [ -n "$SYSTEMD" ]; then
|
||||
if systemctl enable shorewall6; then
|
||||
echo "Shorewall6 will start automatically at boot"
|
||||
fi
|
||||
elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
if insserv /etc/init.d/shorewall6 ; then
|
||||
echo "shorewall6 will start automatically at boot"
|
||||
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall6/shorewall6.conf to enable"
|
||||
|
@ -510,7 +510,7 @@ show_command() {
|
||||
[ $# -eq 1 ] && usage 1
|
||||
|
||||
case $2 in
|
||||
mangle|nat|filter|raw)
|
||||
mangle|nat|filter|raw|rawpost)
|
||||
table=$2
|
||||
table_given=Yes
|
||||
;;
|
||||
@ -575,6 +575,13 @@ show_command() {
|
||||
show_reset
|
||||
$IP6TABLES -t raw -L $g_ipt_options
|
||||
;;
|
||||
rawpost)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION rawpost Table at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$IP6TABLES -t rawpost -L $g_ipt_options
|
||||
;;
|
||||
log)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
|
||||
@ -1519,6 +1526,7 @@ determine_capabilities() {
|
||||
CONNMARK_MATCH=
|
||||
XCONNMARK_MATCH=
|
||||
RAW_TABLE=
|
||||
RAWPOST_TABLE=
|
||||
IPP2P_MATCH=
|
||||
OLD_IPP2P_MATCH=
|
||||
LENGTH_MATCH=
|
||||
@ -1549,7 +1557,6 @@ determine_capabilities() {
|
||||
HEADER_MATCH=
|
||||
ACCOUNT_TARGET=
|
||||
AUDIT_TARGET=
|
||||
QUOTA_MATCH=
|
||||
IPSET_V5=
|
||||
|
||||
chain=fooX$$
|
||||
@ -1664,6 +1671,7 @@ determine_capabilities() {
|
||||
fi
|
||||
|
||||
qt $IP6TABLES -t raw -L -n && RAW_TABLE=Yes
|
||||
qt $IP6TABLES -t rawpost -L -n && RAWPOST_TABLE=Yes
|
||||
|
||||
if qt mywhich ipset; then
|
||||
qt ipset -X $chain # Just in case something went wrong the last time
|
||||
@ -1701,7 +1709,6 @@ determine_capabilities() {
|
||||
qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
|
||||
qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
|
||||
qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
|
||||
qt $IP6TABLES -A $chain -m quota --quota 1000 && QUOTA_MATCH=Yes
|
||||
|
||||
|
||||
qt $IP6TABLES -F $chain
|
||||
@ -1764,6 +1771,7 @@ report_capabilities() {
|
||||
report_capability "Connmark Match" $CONNMARK_MATCH
|
||||
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
|
||||
report_capability "Raw Table" $RAW_TABLE
|
||||
report_capability "Rawpost Table" $RAWPOST_TABLE
|
||||
report_capability "IPP2P Match" $IPP2P_MATCH
|
||||
[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
|
||||
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
||||
@ -1793,7 +1801,6 @@ report_capabilities() {
|
||||
report_capability "Header Match" $HEADER_MATCH
|
||||
report_capability "ACCOUNT Target" $ACCOUNT_TARGET
|
||||
report_capability "AUDIT Target" $AUDIT_TARGET
|
||||
report_capability "Quota Match" $QUOTA_MATCH
|
||||
report_capability "ipset V5" $IPSET_V5
|
||||
fi
|
||||
|
||||
@ -1831,6 +1838,7 @@ report_capabilities1() {
|
||||
report_capability1 CONNMARK_MATCH
|
||||
report_capability1 XCONNMARK_MATCH
|
||||
report_capability1 RAW_TABLE
|
||||
report_capability1 RAWPOST_TABLE
|
||||
report_capability1 IPP2P_MATCH
|
||||
report_capability1 OLD_IPP2P_MATCH
|
||||
report_capability1 CLASSIFY_TARGET
|
||||
@ -1860,7 +1868,6 @@ report_capabilities1() {
|
||||
report_capability1 HEADER_MATCH
|
||||
report_capability1 ACCOUNT_TARGET
|
||||
report_capability1 AUDIT_TARGET
|
||||
report_capability1 QUOTA_MATCH
|
||||
report_capability1 IPSET_V5
|
||||
|
||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||
|
@ -247,7 +247,31 @@ loadmodule() # $1 = module name, $2 - * arguments
|
||||
local modulefile
|
||||
local suffix
|
||||
|
||||
if ! list_search $modulename $MODULES $DONT_LOAD ; then
|
||||
if [ -d /sys/module/ ]; then
|
||||
if ! list_search $modulename $DONT_LOAD; then
|
||||
if [ ! -d /sys/module/$modulename ]; then
|
||||
shift
|
||||
|
||||
for suffix in $MODULE_SUFFIX ; do
|
||||
for directory in $moduledirectories; do
|
||||
modulefile=$directory/${modulename}.${suffix}
|
||||
|
||||
if [ -f $modulefile ]; then
|
||||
case $moduleloader in
|
||||
insmod)
|
||||
insmod $modulefile $*
|
||||
;;
|
||||
*)
|
||||
modprobe $modulename $*
|
||||
;;
|
||||
esac
|
||||
break 2
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
fi
|
||||
elif ! list_search $modulename $MODULES $DONT_LOAD ; then
|
||||
shift
|
||||
|
||||
for suffix in $MODULE_SUFFIX ; do
|
||||
@ -290,7 +314,7 @@ reload_kernel_modules() {
|
||||
[ -n "${MODULE_SUFFIX:=ko ko.gz o o.gz gz}" ]
|
||||
|
||||
[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched
|
||||
MODULES=$(lsmod | cut -d ' ' -f1)
|
||||
[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
|
||||
|
||||
for directory in $(split $MODULESDIR); do
|
||||
[ -d $directory ] && moduledirectories="$moduledirectories $directory"
|
||||
@ -334,7 +358,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
||||
[ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
|
||||
|
||||
if [ -f $modules -a -n "$moduledirectories" ]; then
|
||||
MODULES=$(lsmod | cut -d ' ' -f1)
|
||||
[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
|
||||
progress_message "Loading Modules..."
|
||||
. $modules
|
||||
if [ $savemoduleinfo = Yes ]; then
|
||||
|
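--- /dev/null
+++ b/Shorewall6/shorewall6.service
@@ -0,0 +1,21 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+# Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv6 firewall
+After=syslog.target
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall6
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6 $OPTIONS start
+ExecReload=/sbin/shorewall6 $OPTIONS restart
+ExecStop=/sbin/shorewall6 $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target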
@ -93,6 +93,8 @@ if [ -n "$FIREWALL" ]; then
|
||||
insserv -r $FIREWALL
|
||||
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
|
||||
chkconfig --del $(basename $FIREWALL)
|
||||
elif [ -x /sbin/systemctl ]; then
|
||||
systemctl disable shorewall6
|
||||
else
|
||||
rm -f /etc/rc*.d/*$(basename $FIREWALL)
|
||||
fi
|
||||
@ -114,6 +116,7 @@ rm -rf /usr/share/shorewall6-*.bkout
|
||||
rm -rf /usr/share/man/man5/shorewall6*
|
||||
rm -rf /usr/share/man/man8/shorewall6*
|
||||
rm -f /etc/logrotate.d/shorewall6
|
||||
rm -f /lib/systemd/system/shorewall6.service
|
||||
|
||||
echo "Shorewall6 Uninstalled"
|
||||
|
||||
|
@ -18,7 +18,7 @@
|
||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2010</year>
|
||||
<year>2001-2011</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@ -57,16 +57,17 @@
|
||||
<row>
|
||||
<entry><ulink url="6to4.htm">6to4 and 6in4 Tunnels</ulink></entry>
|
||||
|
||||
<entry><ulink url="Vserver.html">Linux-vserver</ulink></entry>
|
||||
<entry><ulink url="LXC.html">Linux Containers
|
||||
(LXC)</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry><ulink url="Laptop.html">Shorewall on a
|
||||
Laptop</ulink></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="Accounting.html">Accounting</ulink></entry>
|
||||
|
||||
<entry><ulink url="ConnectionRate.html">Limiting Connection
|
||||
Rates</ulink></entry>
|
||||
<entry><ulink url="Vserver.html">Linux-vserver</ulink></entry>
|
||||
|
||||
<entry><ulink url="Shorewall-perl.html">Shorewall
|
||||
Perl</ulink></entry>
|
||||
@ -75,7 +76,8 @@
|
||||
<row>
|
||||
<entry><ulink url="Actions.html">Actions</ulink></entry>
|
||||
|
||||
<entry><ulink url="shorewall_logging.html">Logging</ulink></entry>
|
||||
<entry><ulink url="ConnectionRate.html">Limiting Connection
|
||||
Rates</ulink></entry>
|
||||
|
||||
<entry><ulink url="shorewall_setup_guide.htm">Shorewall Setup
|
||||
Guide</ulink></entry>
|
||||
@ -85,7 +87,7 @@
|
||||
<entry><ulink url="Shorewall_and_Aliased_Interfaces.html">Aliased
|
||||
(virtual) Interfaces (e.g., eth0:0)</ulink></entry>
|
||||
|
||||
<entry><ulink url="Macros.html">Macros</ulink></entry>
|
||||
<entry><ulink url="shorewall_logging.html">Logging</ulink></entry>
|
||||
|
||||
<entry><ulink url="samba.htm">SMB</ulink></entry>
|
||||
</row>
|
||||
@ -94,8 +96,7 @@
|
||||
<entry><ulink url="Anatomy.html">Anatomy of
|
||||
Shorewall</ulink></entry>
|
||||
|
||||
<entry><ulink url="MAC_Validation.html">MAC
|
||||
Verification</ulink></entry>
|
||||
<entry><ulink url="Macros.html">Macros</ulink></entry>
|
||||
|
||||
<entry><ulink url="two-interface.htm#SNAT">SNAT</ulink>
|
||||
(<firstterm>Source Network Address
|
||||
@ -106,7 +107,8 @@
|
||||
<entry><ulink url="Audit.html">AUDIT Target
|
||||
support</ulink></entry>
|
||||
|
||||
<entry><ulink url="Manpages.html">Man Pages</ulink></entry>
|
||||
<entry><ulink url="MAC_Validation.html">MAC
|
||||
Verification</ulink></entry>
|
||||
|
||||
<entry><ulink url="SplitDNS.html">Split DNS the Easy
|
||||
Way</ulink></entry>
|
||||
@ -116,8 +118,7 @@
|
||||
<entry><ulink url="traffic_shaping.htm">Bandwidth
|
||||
Control</ulink></entry>
|
||||
|
||||
<entry><ulink url="ManualChains.html">Manual
|
||||
Chains</ulink></entry>
|
||||
<entry><ulink url="Manpages.html">Man Pages</ulink></entry>
|
||||
|
||||
<entry><ulink url="Shorewall_Squid_Usage.html">Squid with
|
||||
Shorewall</ulink></entry>
|
||||
@ -127,8 +128,8 @@
|
||||
<entry><ulink
|
||||
url="blacklisting_support.htm">Blacklisting/Whitelisting</ulink></entry>
|
||||
|
||||
<entry><ulink
|
||||
url="two-interface.htm#SNAT">Masquerading</ulink></entry>
|
||||
<entry><ulink url="ManualChains.html">Manual
|
||||
Chains</ulink></entry>
|
||||
|
||||
<entry><ulink
|
||||
url="starting_and_stopping_shorewall.htm">Starting/stopping the
|
||||
@ -139,9 +140,8 @@
|
||||
<entry>Bridge: <ulink
|
||||
url="bridge-Shorewall-perl.html">Bridge/Firewall</ulink></entry>
|
||||
|
||||
<entry><ulink url="MultiISP.html">Multiple Internet Connections
|
||||
from a Single Firewall</ulink> (<ulink
|
||||
url="MultiISP_ru.html">Russian</ulink>)</entry>
|
||||
<entry><ulink
|
||||
url="two-interface.htm#SNAT">Masquerading</ulink></entry>
|
||||
|
||||
<entry><ulink url="NAT.htm">Static (one-to-one)
|
||||
NAT</ulink></entry>
|
||||
@ -151,8 +151,8 @@
|
||||
<entry>Bridge: <ulink url="SimpleBridge.html">No firewalling of
|
||||
traffic between bridge port</ulink></entry>
|
||||
|
||||
<entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
|
||||
Interface</ulink></entry>
|
||||
<entry><ulink url="MultiISP.html">Multiple Internet Connections
|
||||
from a Single Firewall</ulink></entry>
|
||||
|
||||
<entry><ulink url="support.htm">Support</ulink></entry>
|
||||
</row>
|
||||
@ -161,8 +161,8 @@
|
||||
<entry><ulink url="Build.html">Building Shorewall from
|
||||
GIT</ulink></entry>
|
||||
|
||||
<entry><ulink url="MyNetwork.html">My Shorewall
|
||||
Configuration</ulink></entry>
|
||||
<entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
|
||||
Interface</ulink></entry>
|
||||
|
||||
<entry><ulink url="configuration_file_basics.htm">Tips and
|
||||
Hints</ulink></entry>
|
||||
@ -172,8 +172,8 @@
|
||||
<entry><ulink
|
||||
url="starting_and_stopping_shorewall.htm">Commands</ulink></entry>
|
||||
|
||||
<entry><ulink url="NetfilterOverview.html">Netfilter
|
||||
Overview</ulink></entry>
|
||||
<entry><ulink url="MyNetwork.html">My Shorewall
|
||||
Configuration</ulink></entry>
|
||||
|
||||
<entry><ulink url="Accounting.html">Traffic
|
||||
Accounting</ulink></entry>
|
||||
@ -183,7 +183,8 @@
|
||||
<entry><ulink url="CompiledPrograms.html">Compiled Firewall
|
||||
Programs</ulink></entry>
|
||||
|
||||
<entry><ulink url="netmap.html">Network Mapping</ulink></entry>
|
||||
<entry><ulink url="NetfilterOverview.html">Netfilter
|
||||
Overview</ulink></entry>
|
||||
|
||||
<entry><ulink url="simple_traffic_shaping.html">Traffic
|
||||
Shaping/QOS - Simple</ulink></entry>
|
||||
@ -193,8 +194,7 @@
|
||||
<entry><ulink url="configuration_file_basics.htm">Configuration
|
||||
File Basics</ulink></entry>
|
||||
|
||||
<entry><ulink url="NAT.htm">One-to-one NAT</ulink> (Static
|
||||
NAT)</entry>
|
||||
<entry><ulink url="netmap.html">Network Mapping</ulink></entry>
|
||||
|
||||
<entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
|
||||
Complex</ulink></entry>
|
||||
@ -204,7 +204,7 @@
|
||||
<entry><ulink url="dhcp.htm">DHCP</ulink></entry>
|
||||
|
||||
<entry><ulink url="Multiple_Zones.html"><ulink
|
||||
url="OPENVPN.html">OpenVPN</ulink></ulink></entry>
|
||||
url="NAT.htm">One-to-one NAT</ulink> (Static NAT)</ulink></entry>
|
||||
|
||||
<entry><ulink url="Shorewall_Squid_Usage.html">Transparent
|
||||
Proxy</ulink></entry>
|
||||
@ -215,7 +215,7 @@
|
||||
url="two-interface.htm#DNAT">DNAT</ulink> (<firstterm>Destination
|
||||
Network Address Translation</firstterm>)</ulink></entry>
|
||||
|
||||
<entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
|
||||
<entry><ulink url="OPENVPN.html">OpenVPN</ulink></entry>
|
||||
|
||||
<entry><ulink url="UPnP.html">UPnP</ulink></entry>
|
||||
</row>
|
||||
@ -223,8 +223,7 @@
|
||||
<row>
|
||||
<entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
|
||||
|
||||
<entry><ulink url="starting_and_stopping_shorewall.htm">Operating
|
||||
Shorewall</ulink></entry>
|
||||
<entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
|
||||
|
||||
<entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
|
||||
</row>
|
||||
@ -233,8 +232,8 @@
|
||||
<entry><ulink url="ECN.html">ECN Disabling by host or
|
||||
subnet</ulink></entry>
|
||||
|
||||
<entry><ulink url="PacketMarking.html">Packet
|
||||
Marking</ulink></entry>
|
||||
<entry><ulink url="starting_and_stopping_shorewall.htm">Operating
|
||||
Shorewall</ulink></entry>
|
||||
|
||||
<entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
|
||||
(Upgrading Debian Lenny to Squeeze)</ulink></entry>
|
||||
@ -245,8 +244,8 @@
|
||||
url="shorewall_extension_scripts.htm">Extension Scripts</ulink>
|
||||
(User Exits)</ulink></entry>
|
||||
|
||||
<entry><ulink url="PacketHandling.html">Packet Processing in a
|
||||
Shorewall-based Firewall</ulink></entry>
|
||||
<entry><ulink url="PacketMarking.html">Packet
|
||||
Marking</ulink></entry>
|
||||
|
||||
<entry><ulink url="VPNBasics.html">VPN</ulink></entry>
|
||||
</row>
|
||||
@ -255,7 +254,8 @@
|
||||
<entry><ulink
|
||||
url="fallback.htm">Fallback/Uninstall</ulink></entry>
|
||||
|
||||
<entry><ulink url="ping.html">'Ping' Management</ulink></entry>
|
||||
<entry><ulink url="PacketHandling.html">Packet Processing in a
|
||||
Shorewall-based Firewall</ulink></entry>
|
||||
|
||||
<entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
|
||||
</row>
|
||||
@ -263,8 +263,7 @@
|
||||
<row>
|
||||
<entry><ulink url="FAQ.htm">FAQs</ulink></entry>
|
||||
|
||||
<entry><ulink url="two-interface.htm#DNAT">Port
|
||||
Forwarding</ulink></entry>
|
||||
<entry><ulink url="ping.html">'Ping' Management</ulink></entry>
|
||||
|
||||
<entry><ulink url="blacklisting_support.htm#whitelisting">White
|
||||
List Creation</ulink></entry>
|
||||
@ -274,7 +273,8 @@
|
||||
<entry><ulink
|
||||
url="shorewall_features.htm">Features</ulink></entry>
|
||||
|
||||
<entry><ulink url="ports.htm">Port Information</ulink></entry>
|
||||
<entry><ulink url="two-interface.htm#DNAT">Port
|
||||
Forwarding</ulink></entry>
|
||||
|
||||
<entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
|
||||
DomU</ulink></entry>
|
||||
@ -284,8 +284,7 @@
|
||||
<entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
|
||||
Same Interface</ulink></entry>
|
||||
|
||||
<entry><ulink url="PortKnocking.html">Port Knocking and Other Uses
|
||||
of the 'Recent Match'</ulink></entry>
|
||||
<entry><ulink url="ports.htm">Port Information</ulink></entry>
|
||||
|
||||
<entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
|
||||
Xen Dom0</ulink></entry>
|
||||
@ -294,7 +293,8 @@
|
||||
<row>
|
||||
<entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
|
||||
|
||||
<entry><ulink url="PPTP.htm">PPTP</ulink></entry>
|
||||
<entry><ulink url="PortKnocking.html">Port Knocking and Other Uses
|
||||
of the 'Recent Match'</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
@ -303,7 +303,7 @@
|
||||
<entry><ulink url="FoolsFirewall.html">Fool's
|
||||
Firewall</ulink></entry>
|
||||
|
||||
<entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
|
||||
<entry><ulink url="PPTP.htm">PPTP</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
@ -312,8 +312,7 @@
|
||||
<entry><ulink url="support.htm">Getting help or answers to
|
||||
questions</ulink></entry>
|
||||
|
||||
<entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides</ulink></entry>
|
||||
<entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
@ -322,7 +321,8 @@
|
||||
<entry><ulink
|
||||
url="Install.htm">Installation/Upgrade</ulink></entry>
|
||||
|
||||
<entry><ulink url="NewRelease.html">Release Model</ulink></entry>
|
||||
<entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
@ -330,6 +330,14 @@
|
||||
<row>
|
||||
<entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
|
||||
|
||||
<entry><ulink url="NewRelease.html">Release Model</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
|
||||
|
||||
<entry><ulink
|
||||
url="shorewall_prerequisites.htm">Requirements</ulink></entry>
|
||||
|
||||
@ -337,7 +345,7 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
|
||||
<entry><ulink url="ipsets.html">Ipsets</ulink></entry>
|
||||
|
||||
<entry><ulink url="Shorewall_and_Routing.html">Routing and
|
||||
Shorewall</ulink></entry>
|
||||
@ -346,7 +354,7 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="ipsets.html">Ipsets</ulink></entry>
|
||||
<entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
|
||||
|
||||
<entry><ulink url="Multiple_Zones.html">Routing on One
|
||||
Interface</ulink></entry>
|
||||
@ -354,20 +362,11 @@
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
|
||||
|
||||
<entry><ulink url="samba.htm">Samba</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
|
||||
Filtering</ulink></entry>
|
||||
|
||||
<entry><ulink url="Shorewall-init.html">Shorewall
|
||||
Init</ulink></entry>
|
||||
<entry><ulink url="samba.htm">Samba</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
@ -376,8 +375,8 @@
|
||||
<entry><ulink url="kernel.htm">Kernel
|
||||
Configuration</ulink></entry>
|
||||
|
||||
<entry><ulink url="CompiledPrograms.html#Lite">Shorewall
|
||||
Lite</ulink></entry>
|
||||
<entry><ulink url="Shorewall-init.html">Shorewall
|
||||
Init</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
@ -386,8 +385,8 @@
|
||||
<entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
|
||||
Machine)</ulink></entry>
|
||||
|
||||
<entry><ulink url="Laptop.html">Shorewall on a
|
||||
Laptop</ulink></entry>
|
||||
<entry><ulink url="CompiledPrograms.html#Lite">Shorewall
|
||||
Lite</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
51
docs/FAQ.xml
51
docs/FAQ.xml
@ -1596,7 +1596,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>filter</term>
|
||||
<term>sfilter</term>
|
||||
|
||||
<listitem>
|
||||
<para>On systems running Shorewall 4.4.20 or later, either the
|
||||
@ -1604,7 +1604,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
|
||||
url="manpages/shorewall-interfaces.html">interface option</ulink>
|
||||
or it is being routed out of the same interface on which it
|
||||
arrived and the interface does not have the
|
||||
<option>routeback</option> <ulink
|
||||
<option>routeback</option> or <option>routefilter</option> <ulink
|
||||
url="manpages/shorewall-interfaces.html">interface
|
||||
option</ulink>.</para>
|
||||
</listitem>
|
||||
@ -2000,7 +2000,11 @@ Creating input Chains...
|
||||
<para>Beginning with Shorewall 4.4, when the Shorewall tarballs are
|
||||
installed on a Debian (or derivative) system, the
|
||||
<filename>/etc/init.d/shorewall</filename> file is the same as would be
|
||||
installed by the .deb.</para>
|
||||
installed by the .deb. The behavior of <command>/etc/init.d/shorewall
|
||||
stop</command> is controlled by the setting of SAFESTOP in
|
||||
<filename>/etc/default/shorewall</filename>. When set to 0 (the
|
||||
default), the firewall is cleared; when set to 1, the firewall is placed
|
||||
in a safe state.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq78">
|
||||
@ -2188,6 +2192,47 @@ We have an error talking to the kernel
|
||||
<member>sch_sfq</member>
|
||||
</simplelist></para>
|
||||
</section>
|
||||
|
||||
<section id="faq97">
|
||||
<title>(FAQ 97) I enable Shorewall traffic shaping and now my upload
|
||||
rate is way below what I specified</title>
|
||||
|
||||
<para><emphasis role="bold">Answer</emphasis>: This is likely due to TCP
|
||||
Segmentation Offload (TSO) and/or Generic Segmentation Offload (GSO)
|
||||
being enabled in the network adapter. To verify, install the
|
||||
<firstterm>ethtool</firstterm> package and use the -k command:</para>
|
||||
|
||||
<programlisting>root@gateway:~# ethtool -k eth1
|
||||
Offload parameters for eth1:
|
||||
rx-checksumming: on
|
||||
tx-checksumming: on
|
||||
scatter-gather: on
|
||||
tcp-segmentation-offload: <emphasis role="bold">on</emphasis>
|
||||
udp-fragmentation-offload: off
|
||||
generic-segmentation-offload: <emphasis role="bold">on</emphasis>
|
||||
generic-receive-offload: off
|
||||
large-receive-offload: off
|
||||
ntuple-filters: off
|
||||
receive-hashing: off
|
||||
root@gateway:~#</programlisting>
|
||||
|
||||
<para>If that is the case, you can correct the problem by adjusting the
|
||||
<replaceable>minburst</replaceable> setting in
|
||||
/etc/shorewall/tcinterfaces (complex traffic shaping) or
|
||||
/etc/shorewall/tcdevices (simple traffic shaping). We suggest starting
|
||||
at 10-12kb and adjust as necessary. Example (simple traffic
|
||||
shaping):</para>
|
||||
|
||||
<programlisting>#INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH
|
||||
eth0 External 50mbit:200kb 5.0mbit:100kb:200ms:100mbit:<emphasis
|
||||
role="bold">10kb</emphasis>
|
||||
</programlisting>
|
||||
|
||||
<para>Alternatively, you can turn off TSO and GSO using this command in
|
||||
<filename>/etc/shorewall/init</filename>:</para>
|
||||
|
||||
<programlisting><emphasis role="bold">ethtool -k eth<emphasis>N</emphasis> tso off gso off</emphasis></programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="About">
|
||||
|
@ -70,9 +70,9 @@
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Standard Macros. These macros are released as part of Shorewall.
|
||||
They are defined in macros.* files in <filename
|
||||
They are defined in macro.* files in <filename
|
||||
class="directory">/usr/share/shorewall</filename>. Each
|
||||
<filename>macros.*</filename> file has a comment at the beginning of
|
||||
<filename>macro.*</filename> file has a comment at the beginning of
|
||||
the file that describes what the macro does. As an example, here is
|
||||
the definition of the <firstterm>SMB</firstterm> standard
|
||||
macro.</para>
|
||||
@ -101,8 +101,8 @@ PARAM - - tcp 135,139,445
|
||||
|
||||
<listitem>
|
||||
<para>User-defined Macros. These macros are created by end-users. They
|
||||
are defined in macros.* files in /etc/shorewall or in another
|
||||
directory listed in your CONFIG_PATH (defined in <ulink
|
||||
are defined in macro.* files in /etc/shorewall or in another directory
|
||||
listed in your CONFIG_PATH (defined in <ulink
|
||||
url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>).</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
@ -1726,7 +1726,7 @@ defaults {
|
||||
min_successive_pkts_rcvd=10
|
||||
interval_ms=2000
|
||||
timeout_ms=2000
|
||||
warn_email=teastep@shorewall.net
|
||||
warn_email=you@yourdomain.com
|
||||
check_arp=0
|
||||
sourceip=
|
||||
ttl=0
|
||||
@ -1803,7 +1803,81 @@ echo $state > ${VARDIR}/${DEVICE}.status
|
||||
|
||||
exit 0
|
||||
|
||||
#EOF</programlisting>:</para>
|
||||
#EOF</programlisting>Beginning with Shorewall 4.4.23, it is not necessary to
|
||||
restart the firewall when an interface transitions between the usable
|
||||
and unusable
|
||||
states.<filename>/etc/lsm/script</filename><programlisting>#!/bin/sh
|
||||
#
|
||||
# (C) 2009 Mika Ilmaranta <ilmis@nullnet.fi>
|
||||
# (C) 2009 Tom Eastep <teastep@shorewall.net>
|
||||
#
|
||||
# License: GPLv2
|
||||
#
|
||||
|
||||
STATE=${1}
|
||||
NAME=${2}
|
||||
CHECKIP=${3}
|
||||
DEVICE=${4}
|
||||
WARN_EMAIL=${5}
|
||||
REPLIED=${6}
|
||||
WAITING=${7}
|
||||
TIMEOUT=${8}
|
||||
REPLY_LATE=${9}
|
||||
CONS_RCVD=${10}
|
||||
CONS_WAIT=${11}
|
||||
CONS_MISS=${12}
|
||||
AVG_RTT=${13}
|
||||
|
||||
if [ -f /usr/share/shorewall-lite/lib.base ]; then
|
||||
VARDIR=/var/lib/shorewall-lite
|
||||
STATEDIR=/etc/shorewall-lite
|
||||
else
|
||||
VARDIR=/var/lib/shorewall
|
||||
STATEDIR=/etc/shorewall
|
||||
fi
|
||||
|
||||
[ -f ${STATEDIR}/vardir ] && . ${STATEDIR}/vardir
|
||||
|
||||
cat <<EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" ${WARN_EMAIL}
|
||||
|
||||
Hi,
|
||||
|
||||
Connection ${NAME} is now ${STATE}.
|
||||
|
||||
Following parameters were passed:
|
||||
newstate = ${STATE}
|
||||
name = ${NAME}
|
||||
checkip = ${CHECKIP}
|
||||
device = ${DEVICE}
|
||||
warn_email = ${WARN_EMAIL}
|
||||
|
||||
Packet counters:
|
||||
replied = ${REPLIED} packets replied
|
||||
waiting = ${WAITING} packets waiting for reply
|
||||
timeout = ${TIMEOUT} packets that have timed out (= packet loss)
|
||||
reply_late = ${REPLY_LATE} packets that received a reply after timeout
|
||||
cons_rcvd = ${CONS_RCVD} consecutively received replies in sequence
|
||||
cons_wait = ${CONS_WAIT} consecutive packets waiting for reply
|
||||
cons_miss = ${CONS_MISS} consecutive packets that have timed out
|
||||
avg_rtt = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
|
||||
|
||||
Your LSM Daemon
|
||||
|
||||
EOM
|
||||
|
||||
<emphasis role="bold">if [ ${STATE} = up ]; then
|
||||
echo 0 > ${VARDIR}/${DEVICE}.status
|
||||
${VARDIR}/firewall enable ${DEVICE}
|
||||
else
|
||||
echo 1 > ${VARDIR}/${DEVICE}.status
|
||||
${VARDIR}/firewall disable ${DEVICE}
|
||||
fi
|
||||
</emphasis>
|
||||
/sbin/shorewall show routing >> /var/log/lsm
|
||||
|
||||
exit 0
|
||||
|
||||
#EOF</programlisting></para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
|
@ -108,7 +108,7 @@ if ( $level ) {
|
||||
'',
|
||||
$tag,
|
||||
'add',
|
||||
'-p tcp --dport ! 22 ' );
|
||||
'-p tcp ! --dport 22 ' );
|
||||
}
|
||||
|
||||
add_rule( $chainref, '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH -j ACCEPT' );
|
||||
|
@ -305,7 +305,7 @@ shorewall start</programlisting>
|
||||
<title>IPv6 - Proxy NDP</title>
|
||||
|
||||
<para>The IPv6 analog of Proxy ARP is Proxy NDP (Neighbor Discovery
|
||||
Protocol). Begiinning with Shorewall 4.4.16, Shorewall6 supports Proxy NDP
|
||||
Protocol). Beginning with Shorewall 4.4.16, Shorewall6 supports Proxy NDP
|
||||
in a manner similar to Proxy ARP support in Shorewall:</para>
|
||||
|
||||
<itemizedlist>
|
||||
@ -328,8 +328,8 @@ shorewall start</programlisting>
|
||||
discoverey requests for IPv6 addresses configured on the interface
|
||||
receiving the request. So if eth0 has address 2001:470:b:227::44/128 and
|
||||
eth1 has address 2001:470:b:227::1/64 then in order for eth1 to respond to
|
||||
neighbor discovery requests for 2001:470:b:227::44, the following entry in
|
||||
/etc/shorewall6/proxyndp is required:</para>
|
||||
neighbor discoverey requests for 2001:470:b:227::44, the following entry
|
||||
in /etc/shorewall6/proxyndp is required:</para>
|
||||
|
||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
2001:470:b:227::44 - eth1 Yes</programlisting>
|
||||
|
Binary file not shown.
BIN
docs/images/Network2011a.png
Normal file
BIN
docs/images/Network2011a.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 103 KiB |
BIN
docs/images/Network2011b.dia
Normal file
BIN
docs/images/Network2011b.dia
Normal file
Binary file not shown.
BIN
docs/images/Network2011b.png
Normal file
BIN
docs/images/Network2011b.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 99 KiB |
352
docs/netmap.xml
352
docs/netmap.xml
@ -22,6 +22,8 @@
|
||||
|
||||
<year>2007</year>
|
||||
|
||||
<year>2011</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
@ -113,8 +115,10 @@
|
||||
<term>NET1</term>
|
||||
|
||||
<listitem>
|
||||
<para>Must be expressed in CIDR format (e.g.,
|
||||
192.168.1.0/24).</para>
|
||||
<para>Must be expressed in CIDR format (e.g., 192.168.1.0/24).
|
||||
Beginning with Shorewall 4.4.24, <ulink
|
||||
url="manpages/shorewall-exclusion.html">exclusion</ulink> is
|
||||
supported.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -135,6 +139,71 @@
|
||||
<para>A second network expressed in CIDR format.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">NET3 (Optional)</emphasis> -
|
||||
<emphasis>network-address</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.11. If specified, qualifies INTERFACE.
|
||||
It specifies a SOURCE network for DNAT rules and a DESTINATON
|
||||
network for SNAT rules.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTO (Optional - Added in Shorewall
|
||||
4.4.23.2)</emphasis> -
|
||||
<emphasis>protocol-number-or-name</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Only packets specifying this protocol will have their IP
|
||||
header modified.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
|
||||
Shorewall 4.4.23.2)</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination Ports. A comma-separated list of Port names (from
|
||||
services(5)), <emphasis>port number</emphasis>s or <emphasis>port
|
||||
range</emphasis>s; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numberic type and code separated by a slash (e.g., 3/4), or
|
||||
a typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
this column is interpreted as an ipp2p option without the leading
|
||||
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
|
||||
If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
|
||||
assumed.</para>
|
||||
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
||||
any of the following field is supplied.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
|
||||
Shorewall 4.4.23.2)</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Source port(s). If omitted, any source port is acceptable.
|
||||
Specified as a comma-separated list of port names, port numbers or
|
||||
port ranges.</para>
|
||||
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
||||
the following fields is supplied.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Referring to the figure above, lets suppose that systems in the top
|
||||
@ -165,155 +234,234 @@
|
||||
firewall 1.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</important> The entries in
|
||||
<filename><filename>/etc/shorewall/netmap</filename></filename> in
|
||||
firewall1 would be as follows:</para>
|
||||
</important></para>
|
||||
|
||||
<programlisting>#TYPE NET1 INTERFACE NET2
|
||||
<section>
|
||||
<title>If you are running Shorewall 4.4.22 or Earlier</title>
|
||||
|
||||
<para>The entries in
|
||||
<filename><filename>/etc/shorewall/netmap</filename></filename> in
|
||||
firewall1 would be as follows:</para>
|
||||
|
||||
<programlisting>#TYPE NET1 INTERFACE NET2
|
||||
SNAT 192.168.1.0/24 vpn 10.10.11.0/24 #RULE 1A
|
||||
DNAT 10.10.11.0/24 vpn 192.168.1.0/24 #RULE 1B</programlisting>
|
||||
|
||||
<para>The entry in <filename>/etc/shorewall/netmap</filename> in firewall2
|
||||
would be:</para>
|
||||
<para>The entry in <filename>/etc/shorewall/netmap</filename> in
|
||||
firewall2 would be:</para>
|
||||
|
||||
<programlisting>#TYPE NET1 INTERFACE NET2
|
||||
<programlisting>#TYPE NET1 INTERFACE NET2
|
||||
DNAT 10.10.10.0/24 vpn 192.168.1.0/24 #RULE 2A
|
||||
SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlisting>
|
||||
|
||||
<example id="Example1">
|
||||
<title>192.168.1.4 in the top cloud connects to 192.168.1.27 in the
|
||||
bottom cloud</title>
|
||||
<example id="Example1">
|
||||
<title>192.168.1.4 in the top cloud connects to 192.168.1.27 in the
|
||||
bottom cloud</title>
|
||||
|
||||
<para>In order to make this connection, the client attempts a connection
|
||||
to 10.10.10.27. The following table shows how the source and destination
|
||||
IP addresses are modified as requests are sent and replies are returned.
|
||||
The RULE column refers to the above
|
||||
<filename>/etc/shorewall/netmap</filename> entries and gives the rule
|
||||
which transforms the source and destination IP addresses to those shown
|
||||
on the next line. <informaltable>
|
||||
<tgroup cols="5">
|
||||
<thead>
|
||||
<row>
|
||||
<entry>FROM</entry>
|
||||
<para>In order to make this connection, the client attempts a
|
||||
connection to 10.10.10.27. The following table shows how the source
|
||||
and destination IP addresses are modified as requests are sent and
|
||||
replies are returned. The RULE column refers to the above
|
||||
<filename>/etc/shorewall/netmap</filename> entries and gives the rule
|
||||
which transforms the source and destination IP addresses to those
|
||||
shown on the next line. <informaltable>
|
||||
<tgroup cols="5">
|
||||
<thead>
|
||||
<row>
|
||||
<entry>FROM</entry>
|
||||
|
||||
<entry>TO</entry>
|
||||
<entry>TO</entry>
|
||||
|
||||
<entry>SOURCE IP ADDRESS</entry>
|
||||
<entry>SOURCE IP ADDRESS</entry>
|
||||
|
||||
<entry>DESTINATION IP ADDRESS</entry>
|
||||
<entry>DESTINATION IP ADDRESS</entry>
|
||||
|
||||
<entry>RULE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
<entry>RULE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>192.168.1.4 in upper cloud</entry>
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>192.168.1.4 in upper cloud</entry>
|
||||
|
||||
<entry>Firewall 1</entry>
|
||||
<entry>Firewall 1</entry>
|
||||
|
||||
<entry>192.168.1.4</entry>
|
||||
<entry>192.168.1.4</entry>
|
||||
|
||||
<entry>10.10.10.27</entry>
|
||||
<entry>10.10.10.27</entry>
|
||||
|
||||
<entry>1A</entry>
|
||||
</row>
|
||||
<entry>1A</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Firewall 1</entry>
|
||||
<row>
|
||||
<entry>Firewall 1</entry>
|
||||
|
||||
<entry>Firewall 2</entry>
|
||||
<entry>Firewall 2</entry>
|
||||
|
||||
<entry>10.10.11.4</entry>
|
||||
<entry>10.10.11.4</entry>
|
||||
|
||||
<entry>10.10.10.27</entry>
|
||||
<entry>10.10.10.27</entry>
|
||||
|
||||
<entry>2A</entry>
|
||||
</row>
|
||||
<entry>2A</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Firewall 2</entry>
|
||||
<row>
|
||||
<entry>Firewall 2</entry>
|
||||
|
||||
<entry>192.168.1.27 in lower cloud</entry>
|
||||
<entry>192.168.1.27 in lower cloud</entry>
|
||||
|
||||
<entry>10.10.11.4</entry>
|
||||
<entry>10.10.11.4</entry>
|
||||
|
||||
<entry>192.168.1.27</entry>
|
||||
<entry>192.168.1.27</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>192.168.1.27 in the lower cloud</entry>
|
||||
<row>
|
||||
<entry>192.168.1.27 in the lower cloud</entry>
|
||||
|
||||
<entry>Firewall 2</entry>
|
||||
<entry>Firewall 2</entry>
|
||||
|
||||
<entry>192.168.1.27</entry>
|
||||
<entry>192.168.1.27</entry>
|
||||
|
||||
<entry>10.10.11.4</entry>
|
||||
<entry>10.10.11.4</entry>
|
||||
|
||||
<entry>2B</entry>
|
||||
</row>
|
||||
<entry>2B</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Firewall 2</entry>
|
||||
<row>
|
||||
<entry>Firewall 2</entry>
|
||||
|
||||
<entry>Firewall 1</entry>
|
||||
<entry>Firewall 1</entry>
|
||||
|
||||
<entry>10.10.10.27</entry>
|
||||
<entry>10.10.10.27</entry>
|
||||
|
||||
<entry>10.10.11.4</entry>
|
||||
<entry>10.10.11.4</entry>
|
||||
|
||||
<entry>1B</entry>
|
||||
</row>
|
||||
<entry>1B</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Firewall 1</entry>
|
||||
<row>
|
||||
<entry>Firewall 1</entry>
|
||||
|
||||
<entry>192.168.1.4 in upper cloud</entry>
|
||||
<entry>192.168.1.4 in upper cloud</entry>
|
||||
|
||||
<entry>10.10.10.27</entry>
|
||||
<entry>10.10.10.27</entry>
|
||||
|
||||
<entry>192.168.1.4</entry>
|
||||
<entry>192.168.1.4</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable></para>
|
||||
</example>
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable></para>
|
||||
|
||||
<para>See the<ulink url="OPENVPN.html"> OpenVPN documentation</ulink>
|
||||
for a solution contributed by Nicola Moretti for resolving duplicate
|
||||
networks in a roadwarrior VPN environment.</para>
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>If you are running Shorewall 4.4.23 or Later</title>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.23, you <emphasis>can</emphasis>
|
||||
bridge two duplicate networks with one router, provided that your kernel
|
||||
and iptables include <emphasis>Rawpost Table Support</emphasis>. That
|
||||
support is used to implement Stateless NAT which allows for performing
|
||||
DNAT in the rawpost table POSTROUTING and OUTPUT chains and for
|
||||
performing SNAT in the raw table PREROUTING chain. Using this support,
|
||||
only firewall1 requires <filename>/etc/shorewall/netmap</filename>. Two
|
||||
additional entries are added.</para>
|
||||
|
||||
<programlisting>#TYPE NET1 INTERFACE NET2
|
||||
SNAT 192.168.1.0/24 vpn 10.10.11.0/24
|
||||
DNAT 10.10.11.0/24 vpn 192.168.1.0/24
|
||||
<emphasis role="bold">SNAT:P 192.168.1.0/24 vpn 10.10.10.0/24
|
||||
DNAT:T 10.10.10.0/24 vpn 192.168.1.0/24</emphasis></programlisting>
|
||||
|
||||
<para>The last two entries define <firstterm>Stateless NAT</firstterm>
|
||||
by specifying a chain designator (:P for PREROUTING and :T for
|
||||
POSTROUTING respectively). See <ulink
|
||||
url="manpages/shorewall-netlink.html">shorewall-netmap</ulink> (5) for
|
||||
details.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="Notes">
|
||||
<title>Author's Notes</title>
|
||||
<section>
|
||||
<title>IPv6</title>
|
||||
|
||||
<para>This could all be made a bit simpler by eliminating the TYPE field
|
||||
and have Shorewall generate both the SNAT and DNAT rules from a single
|
||||
entry. I have chosen to include the TYPE in order to make the
|
||||
implementation a bit more flexible. If you find cases where you can use an
|
||||
SNAT or DNAT entry by itself, please let <ulink
|
||||
url="mailto:webmaster@shorewall.net">me</ulink> know and I'll add the
|
||||
example to this page.</para>
|
||||
<para>Beginning with Shorewall6 4.4.24, IPv6 support for Netmap is
|
||||
included. This provides a way to use private IPv6 addresses internally and
|
||||
still have access to the IPv6 internet.</para>
|
||||
|
||||
<para>In the previous section, the table in the example contains a bit of
|
||||
a lie. Because of Netfilter's connection tracking, rules 2B and 1B aren't
|
||||
needed to handle the replies. They ARE needed though for hosts in the
|
||||
bottom cloud to be able to establish connections with the 192.168.1.0/24
|
||||
network in the top cloud.</para>
|
||||
</section>
|
||||
<warning>
|
||||
<para>IPv6 netmap is <firstterm>stateless</firstterm> which means that
|
||||
there are no Netfilter helpers for applications that need them. As a
|
||||
consequence, applications that require a helper (FTP, IRC, etc.) may
|
||||
experience issues.</para>
|
||||
</warning>
|
||||
|
||||
<section id="WhyTwo">
|
||||
<title>Can't I do this with one router? Why do I need two?</title>
|
||||
<para>For IPv6, the chain designator (:P for PREROUTING or :T for
|
||||
POSTROUTING) is required in the TYPE column. Normally SNAT rules are
|
||||
placed in the POSTROUTING chain while DNAT rules are placed in
|
||||
PREROUTING.</para>
|
||||
|
||||
<para>I wrote this article before Shorewall included <ulink
|
||||
url="MultiISP.html">multiple provider support</ulink>. You should be able
|
||||
to accomplish the same thing with just one router through careful use of
|
||||
/etc/shorewall/netmap and <ulink url="MultiISP.html">multiple
|
||||
providers</ulink>. If you try it and get it working, please contribute an
|
||||
update to this article.</para>
|
||||
<para>To use IPv6 Netmap, your kernel and iptables must include
|
||||
<emphasis>Rawpost Table Support</emphasis>.</para>
|
||||
|
||||
<para>See the<ulink url="OPENVPN.html"> OpenVPN documentation</ulink> for
|
||||
a solution contributed by Nicola Moretti for resolving duplicate networks
|
||||
in a roadwarrior VPN environment.</para>
|
||||
<para>IPv6 Netmap has been verified at shorewall.net using the
|
||||
configuration shown below.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2011b.png" />
|
||||
|
||||
<para>IPv6 support is supplied from Hurricane Electric; the IPv6 address
|
||||
block is 2001:470:b:227::/64.</para>
|
||||
|
||||
<para>Because of the limitations of IPv6 NETMAP (no Netfilter helpers),
|
||||
the servers in the DMZ have public addresses in the block
|
||||
2001:470:b:227::/112. The local LAN uses the private network
|
||||
fd00:470:b:227::/64 with the hosts autoconfigured using radvd. This block
|
||||
is allocated from the range (fc00::/7) reserved for<firstterm> <ulink
|
||||
url="http://en.wikipedia.org/wiki/Unique_local_address">Unique Local
|
||||
Addresses</ulink></firstterm>.</para>
|
||||
|
||||
<para>The /etc/shorewall6/netmap file is as follows:</para>
|
||||
|
||||
<programlisting>#TYPE NET1 INTERFACE NET2 NET3 PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
SNAT:T fd00:470:b:227::/64 HE_IF 2001:470:b:227::/64
|
||||
DNAT:P 2001:470:b:227::/64!2001:470:b:227::/112\
|
||||
HE_IF fd00:470:b:227::/64
|
||||
</programlisting>
|
||||
|
||||
<para>HE_IF is the logical name for interface sit1. On output, the private
|
||||
address block is mapped to the public block. Because autoconfiguration is
|
||||
used, none of the local addresses falls into the range
|
||||
fd00:470:b:227::/112. That range can therefore be excluded from
|
||||
DNAT.</para>
|
||||
|
||||
<note>
|
||||
<para>While the site local network that was used is very similar to the
|
||||
public network (only the first word is different), that isn't a
|
||||
requirement. We could have just as well used
|
||||
fd00:bad:dead:beef::/64</para>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>The MacBook Pro running OS X Lion refused to autoconfigure when
|
||||
radvd advertised a <ulink
|
||||
url="http://tools.ietf.org/html/rfc3513">site-local</ulink> network
|
||||
(fec0:470:b:227/64) but worked fine with the unique-local network
|
||||
(fd00:470:b:227::/64). Note that site-local addresses were deprecated in
|
||||
<ulink url="http://tools.ietf.org/html/rfc3879">RFC3879</ulink>.</para>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>This whole scheme isn't quite as useful as it might appear. Many
|
||||
IPv6-enabled applications (web browsers, for example) are smart enough
|
||||
to recognize unique local addresses and will only use IPv6 to
|
||||
communicate with other such local addresses.</para>
|
||||
</note>
|
||||
</section>
|
||||
</article>
|
||||
|
@ -1308,7 +1308,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Set TC_ENABLED=SHARED in <ulink
|
||||
<para>Set TC_ENABLED=Shared in <ulink
|
||||
url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
|
||||
(5).</para>
|
||||
</listitem>
|
||||
|
@ -520,8 +520,10 @@ loc eth2 -</programlisting>
|
||||
the wildcard.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.20, if you specify this
|
||||
option, then you should also specify <option>filter</option>;
|
||||
see above.</para>
|
||||
option, then you should also specify either
|
||||
<option>sfilter</option> (see below) or
|
||||
<option>routefilter</option> on all interfaces (see
|
||||
below).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -36,19 +36,39 @@
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">TYPE</emphasis> - <emphasis
|
||||
role="bold">DNAT</emphasis>|<emphasis
|
||||
role="bold">SNAT</emphasis></term>
|
||||
role="bold">{DNAT</emphasis>|<emphasis
|
||||
role="bold">SNAT}[:{P|O|T}</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Must be DNAT or SNAT.</para>
|
||||
<para>Must be DNAT or SNAT; beginning with Shorewall 4.4.23, may be
|
||||
optionally followed by :P, :O or :T to perform <firstterm>stateless
|
||||
NAT</firstterm>. Stateless NAT requires <firstterm>Rawpost Table
|
||||
support</firstterm> in your kernel and iptables (see the output of
|
||||
<command>shorewall show capabilities</command>).</para>
|
||||
|
||||
<para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
|
||||
its destination address rewritten to the corresponding address in
|
||||
NET2.</para>
|
||||
<para>If DNAT or DNAT:P, traffic entering INTERFACE and addressed to
|
||||
NET1 has its destination address rewritten to the corresponding
|
||||
address in NET2.</para>
|
||||
|
||||
<para>If SNAT, traffic leaving INTERFACE with a source address in
|
||||
NET1 has it's source address rewritten to the corresponding address
|
||||
in NET2.</para>
|
||||
<para>If SNAT or SNAT:T, traffic leaving INTERFACE with a source
|
||||
address in NET1 has it's source address rewritten to the
|
||||
corresponding address in NET2.</para>
|
||||
|
||||
<para>If DNAT:O, traffic originating on the firewall and leaving via
|
||||
INTERFACE and addressed to NET1 has its destination address
|
||||
rewritten to the corresponding address in NET2.</para>
|
||||
|
||||
<para>If DNAT:P, traffic entering via INTERFACE and addressed to
|
||||
NET1 has its destination address rewritten to the corresponding
|
||||
address in NET2.</para>
|
||||
|
||||
<para>If SNAT:P, traffic entering via INTERFACE with a destination
|
||||
address in NET1 has it's source address rewritten to the
|
||||
corresponding address in NET2.</para>
|
||||
|
||||
<para>If SNAT:O, traffic originating on the firewall and leaving via
|
||||
INTERFACE with a source address in NET1 has it's source address
|
||||
rewritten to the corresponding address in NET2.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -57,7 +77,10 @@
|
||||
<emphasis>network-address</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Network in CIDR format (e.g., 192.168.1.0/24).</para>
|
||||
<para>Network in CIDR format (e.g., 192.168.1.0/24). Beginning with
|
||||
Shorewall 4.4.24, <ulink
|
||||
url="shorewall-exclusion.html">exclusion</ulink> is
|
||||
supported.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -98,6 +121,60 @@
|
||||
network for SNAT rules.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTO (Optional - Added in Shorewall
|
||||
4.4.23.2)</emphasis> -
|
||||
<emphasis>protocol-number-or-name</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Only packets specifying this protocol will have their IP
|
||||
header modified.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
|
||||
Shorewall 4.4.23.2)</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination Ports. A comma-separated list of Port names (from
|
||||
services(5)), <emphasis>port number</emphasis>s or <emphasis>port
|
||||
range</emphasis>s; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numberic type and code separated by a slash (e.g., 3/4), or
|
||||
a typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
this column is interpreted as an ipp2p option without the leading
|
||||
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
|
||||
If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
|
||||
assumed.</para>
|
||||
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
||||
any of the following field is supplied.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
|
||||
Shorewall 4.4.23.2)</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Source port(s). If omitted, any source port is acceptable.
|
||||
Specified as a comma-separated list of port names, port numbers or
|
||||
port ranges.</para>
|
||||
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
||||
the following fields is supplied.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
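Review bot: The second varlistentry of this hunk, the one whose listitem describes source ports, repeats the term `DEST PORT(S) (Optional - Added in Shorewall 4.4.23.2)`, so the rendered page lists DEST PORT(S) twice and never names the SOURCE PORT(S) column that the netmap file header shows as the last column; the term should read `<term><emphasis role="bold">SOURCE PORT(S) (Optional - Added in Shorewall 4.4.23.2)</emphasis> -`. The same duplicated term is present in the new manpages6/shorewall6-netmap.xml further down. Because SOURCE PORT(S) is the final column, the sentence `Use '-' if any of the following fields is supplied.` in that entry has nothing to refer to and can be dropped. The DEST PORT(S) paragraph also has the typo `numberic` for `numeric`.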
|
||||
@ -114,12 +191,13 @@
|
||||
url="http://shorewall.net/netmap.html">http://shorewall.net/netmap.html</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
||||
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
|
||||
shorewall-proxyarp(5), shorewall-route_rules(5),
|
||||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
|
||||
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
|
||||
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
|
||||
shorewall-nat(5), shorewall-params(5), shorewall-policy(5),
|
||||
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
|
||||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
|
||||
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
||||
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
||||
shorewall-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
@ -46,6 +46,16 @@
|
||||
<para>Sections are as follows and must appear in the order listed:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ALL</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This section was added in Shorewall 4.4.23. rules in this
|
||||
section are applied, regardless of the connection tracking state of
|
||||
the packet.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ESTABLISHED</emphasis></term>
|
||||
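Review bot: The new ALL entry's description starts its second sentence in lower case (`4.4.23. rules in this`) and stops short of the consequence that matters to anyone writing rules there: since connection-tracking state is not examined, a rule placed in this section also matches packets in the INVALID state. I would extend the paragraph to `This section was added in Shorewall 4.4.23. Rules in this section are applied regardless of the connection tracking state of the packet, so they also match INVALID packets.` The identical text is added in the `@ -39,6 +39,16 @@` hunk further down and should be changed there too.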
|
||||
|
@ -463,7 +463,7 @@
|
||||
<arg><option>-l</option></arg>
|
||||
|
||||
<arg><option>-t</option>
|
||||
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg>
|
||||
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>
|
||||
|
||||
<arg><arg><option>chain</option></arg><arg choice="plain"
|
||||
rep="repeat"><replaceable>chain</replaceable></arg></arg>
|
||||
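Review bot: `<option>raw|rawpost</option>` in the -t synopsis packs two alternatives into a single option element, whereas filter, mangle and nat in the same group each get their own; for consistent rendering it should be `<option>raw</option>|<option>rawpost</option>`. The `@ -520,7 +520,7 @@` hunk below adds `routing` as well as `rawpost` to the other synopsis; I cannot see from the hunk whether `routing` is described in that command's prose (the enclosing refsect1 is outside the hunk), so that is worth checking before merge.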
@ -520,7 +520,7 @@
|
||||
|
||||
<arg><option>-x</option></arg>
|
||||
|
||||
<arg choice="req"><option>mangle|nat|raw</option></arg>
|
||||
<arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
|
@ -730,7 +730,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
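Review bot: The cross-reference inserted here, `shoewall6-netmap(5),shorewall6-params(5)`, misspells the page name and lacks the space after the comma; the line should read `shorewall6-netmap(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),`. The same search-and-replace artefact recurs in every other See ALSO hunk of this commit, and in two places it does damage beyond the typo: in the `@ -3,7 +3,7 @@` hunk it lands inside `<refentrytitle>` of the shorewall6-params page, turning the rendered title into `shoewall6-netmap(5),shorewall6-params`, and in the `@ -315,7 +315,7 @@` hunk the list already contained `shorewall6-netmap(5)`, so the reference is now duplicated. The refentrytitle line should be restored to `<refentrytitle>shorewall6-params</refentrytitle>` and the duplicate removed.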
|
@ -49,7 +49,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
|
@ -196,7 +196,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
|
@ -103,7 +103,7 @@ ACCEPT all!z2 net tcp 22</programlisting>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
|
@ -192,7 +192,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
|
@ -96,7 +96,7 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">UNICAST</emphasis> - <emphasis
|
||||
<term><emphasis role="bold">ANYCAST</emphasis> - <emphasis
|
||||
role="bold">-</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@ -318,8 +318,8 @@ loc eth2 -</programlisting>
|
||||
the wildcard.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.20, if you specify this
|
||||
option, then you should also specify <option>filter</option>;
|
||||
see above.</para>
|
||||
option, then you should also specify <option>sfilter</option>
|
||||
(see below).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -459,7 +459,7 @@ dmz eth2 -</programlisting>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
|
||||
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
|
@ -116,7 +116,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
|
@ -103,7 +103,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
|
||||
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
|
||||
|
@ -86,7 +86,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
||||
|
@ -109,7 +109,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
|
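--- /dev/null
+++ b/manpages6/shorewall6-netmap.xml
@@ -0,0 +1,193 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+<refmeta>
+<refentrytitle>shorewall6-netmap</refentrytitle>
+
+<manvolnum>5</manvolnum>
+</refmeta>
+
+<refnamediv>
+<refname>netmap</refname>
+
+<refpurpose>Shorewall6 NETMAP definition file</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+<cmdsynopsis>
+<command>/etc/shorewall/netmap</command>
+</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>Description</title>
+
+<para>This file is used to map addresses in one network to corresponding
+addresses in a second network. It was added in Shorewall6 iin
+4.4.23.3.</para>
+
+<warning>
+<para>To use this file, your kernel and ip6tables must have RAWPOST
+table support included.</para>
+</warning>
+
+<para>The columns in the file are as follows.</para>
+
+<variablelist>
+<varlistentry>
+<term><emphasis role="bold">TYPE</emphasis> - <emphasis
+role="bold">{DNAT</emphasis>|<emphasis
+role="bold">SNAT}:{P|O|T}</emphasis></term>
+
+<listitem>
+<para>Must be DNAT or SNAT followed by :P, :O or :T to perform
+<firstterm>stateless NAT</firstterm>. Stateless NAT requires
+<firstterm>Rawpost Table support</firstterm> in your kernel and
+iptables (see the output of <command>shorewall6 show
+capabilities</command>).</para>
+
+<para>If DNAT:P, traffic entering INTERFACE and addressed to NET1
+has its destination address rewritten to the corresponding address
+in NET2.</para>
+
+<para>If SNAT:T, traffic leaving INTERFACE with a source address in
+NET1 has it's source address rewritten to the corresponding address
+in NET2.</para>
+
+<para>If DNAT:O, traffic originating on the firewall and leaving via
+INTERFACE and addressed to NET1 has its destination address
+rewritten to the corresponding address in NET2.</para>
+
+<para>If DNAT:P, traffic entering via INTERFACE and addressed to
+NET1 has its destination address rewritten to the corresponding
+address in NET2.</para>
+
+<para>If SNAT:P, traffic entering via INTERFACE with a destination
+address in NET1 has it's source address rewritten to the
+corresponding address in NET2.</para>
+
+<para>If SNAT:O, traffic originating on the firewall and leaving via
+INTERFACE with a source address in NET1 has it's source address
+rewritten to the corresponding address in NET2.</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">NET1</emphasis> -
+<emphasis>network-address</emphasis></term>
+
+<listitem>
+<para>Network in CIDR format (e.g., 2001:470:b:227/64). Beginning in
+Shorewall6 4.4.24, <ulink
+url="shorewall6-exclusion.html">exclusion</ulink> is
+supported.</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">INTERFACE</emphasis> -
+<emphasis>interface</emphasis></term>
+
+<listitem>
+<para>The name of a network interface. The interface must be defined
+in <ulink
+url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+Shorewall allows loose matches to wildcard entries in <ulink
+url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+For example, <filename class="devicefile">ppp0</filename> in this
+file will match a <ulink
+url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(8)
+entry that defines <filename
+class="devicefile">ppp+</filename>.</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">NET2</emphasis> -
+<emphasis>network-address</emphasis></term>
+
+<listitem>
+<para>Network in CIDR format</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">NET3 (Optional)</emphasis> -
+<emphasis>network-address</emphasis></term>
+
+<listitem>
+<para>Added in Shorewall 4.4.11. If specified, qualifies INTERFACE.
+It specifies a SOURCE network for DNAT rules and a DESTINATON
+network for SNAT rules.</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">PROTO (Optional</emphasis> -
+<emphasis>protocol-number-or-name</emphasis></term>
+
+<listitem>
+<para>Only packets specifying this protocol will have their IP
+header modified.</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">DEST PORT(S)</emphasis> -
+<emphasis>port-number-or-name-list</emphasis></term>
+
+<listitem>
+<para>Destination Ports. A comma-separated list of Port names (from
+services(5)), <emphasis>port number</emphasis>s or <emphasis>port
+range</emphasis>s; if the protocol is <emphasis
+role="bold">icmp</emphasis>, this column is interpreted as the
+destination icmp-type(s). ICMP types may be specified as a numeric
+type, a numberic type and code separated by a slash (e.g., 3/4), or
+a typename. See <ulink
+url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
+
+<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
+this column is interpreted as an ipp2p option without the leading
+"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
+If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
+assumed.</para>
+
+<para>An entry in this field requires that the PROTO column specify
+icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
+any of the following field is supplied.</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">DEST PORT(S)</emphasis> -
+<emphasis>port-number-or-name-list</emphasis></term>
+
+<listitem>
+<para>Source port(s). If omitted, any source port is acceptable.
+Specified as a comma-separated list of port names, port numbers or
+port ranges.</para>
+
+<para>An entry in this field requires that the PROTO column specify
+tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
+the following fields is supplied.</para>
+</listitem>
+</varlistentry>
+</variablelist>
+</refsect1>
+
+<refsect1>
+<title>FILES</title>
+
+<para>/etc/shorewall/netmap</para>
+</refsect1>
+
+<refsect1>
+<title>See ALSO</title>
+
+<para><ulink
+url="http://shorewall.net/netmap.html">http://shorewall.net/netmap.html</ulink></para>
+
+<para></para>
+</refsect1>
+</refentry>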
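Review bot: The synopsis and FILES sections of this new shorewall6 page give `/etc/shorewall/netmap`, which is the IPv4 file; both should read `/etc/shorewall6/netmap`, the path the IPv6 article earlier in this commit uses. The INTERFACE entry cites `shorewall6-interfaces</ulink>(8)` on its third reference where the two earlier references use (5), and the See ALSO section ends in an empty `<para></para>` instead of the cross-reference list the other shorewall6 pages carry. Smaller wording fixes: `iin` → `in`, `DESTINATON` → `DESTINATION`, `numberic` → `numeric`, and the term `PROTO (Optional` is missing its closing parenthesis.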
@ -131,7 +131,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-ipsec(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-ipsec(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-proxyarp(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
|
||||
|
@ -3,7 +3,7 @@
|
||||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||
<refentry>
|
||||
<refmeta>
|
||||
<refentrytitle>shorewall6-params</refentrytitle>
|
||||
<refentrytitle>shoewall6-netmap(5),shorewall6-params</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
@ -315,7 +315,7 @@
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
|
||||
shorewall6-nat(5), shorewall6-netmap(5), shorewall6-params(5),
|
||||
shorewall6-nat(5), shorewall6-netmap(5), shoewall6-netmap(5),shorewall6-params(5),
|
||||
shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
|
||||
|
@ -290,7 +290,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
|
||||
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
|
||||
|
@ -135,7 +135,7 @@
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5),
|
||||
shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5),
|
||||
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
|
@ -149,7 +149,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-routestopped(5), shorewall6-rules(5),
|
||||
shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
||||
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
||||
|
@ -80,7 +80,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
|
@ -179,7 +179,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-rules(5),
|
||||
shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
||||
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
||||
|
@ -39,6 +39,16 @@
|
||||
<para>Sections are as follows and must appear in the order listed:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ALL</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This section was added in Shorewall 4.4.23. rules in this
|
||||
section are applied, regardless of the connection tracking state of
|
||||
the packet.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ESTABLISHED</emphasis></term>
|
||||
|
||||
@ -1152,7 +1162,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
|
@ -380,7 +380,7 @@ RESTORE I:ER</programlisting>
|
||||
|
||||
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
|
||||
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
|
||||
|
@ -453,7 +453,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||
shorewall6-secmarks(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
|
@ -229,7 +229,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcrules(5),
|
||||
|
@ -204,7 +204,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
|
||||
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcpri, shorewall6-tos(5), shorewall6-tunnels(5),
|
||||
|
@ -149,7 +149,7 @@
|
||||
|
||||
<para>PRIO(8), shorewall6(8), shorewall6-accounting(5),
|
||||
shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5),
|
||||
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcinterfaces(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
||||
|
@ -794,7 +794,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tos(5),
|
||||
|
@ -54,7 +54,7 @@
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5),
|
||||
shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5),
|
||||
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
|
||||
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
|
||||
|
@ -161,7 +161,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
|
@ -227,7 +227,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
|
@ -55,7 +55,7 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
|
@ -337,7 +337,7 @@ c:a,b ipv6</programlisting>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-nesting(8), shorewall6-params(5),
|
||||
shorewall6-maclist(5), shorewall6-nesting(8), shoewall6-netmap(5),shorewall6-params(5),
|
||||
shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
||||
|
@ -1691,7 +1691,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
|
||||
shorewall6-nat(5), shorewall6-netmap(5), shorewall6-params(5),
|
||||
shorewall6-nat(5), shorewall6-netmap(5), shoewall6-netmap(5),shorewall6-params(5),
|
||||
shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
||||
|