forked from extern/shorewall_code
Documentation updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7825 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
1deb277832
commit
dea79aa763
@ -86,13 +86,28 @@ Other changes in Shorewall 4.1.2.
|
|||||||
|
|
||||||
Messages in the log are always timestamped.
|
Messages in the log are always timestamped.
|
||||||
|
|
||||||
|
This change implemented two new options to the Shorewall-perl
|
||||||
|
compiler (/usr/share/shorewall-perl/compiler.pl).
|
||||||
|
|
||||||
|
--log=<logfile>
|
||||||
|
--log_verbosity={-1|0-2}
|
||||||
|
|
||||||
|
The --log option is ignored when --log_verbosity is not supplied or
|
||||||
|
is supplied with value -1.
|
||||||
|
|
||||||
|
2) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
|
||||||
|
mark values < 256 to be assigned in the OUTPUT chain. This has been
|
||||||
|
changed so that only high mark values may be assigned
|
||||||
|
there. Packet marking rules for traffic shaping of packets
|
||||||
|
originating on the firewall must be coded in the POSTROUTING table.
|
||||||
|
|
||||||
Migration Issues.
|
Migration Issues.
|
||||||
|
|
||||||
1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed mark
|
1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
|
||||||
values < 256 to be assigned in the OUTPUT chain. This has been
|
mark values < 256 to be assigned in the OUTPUT chain. This has been
|
||||||
changed so that only high mark values may be assigned
|
changed so that only high mark values may be assigned
|
||||||
there. Traffic shaping rules for traffic originating on the
|
there. Packet marking rules for traffic shaping of packets
|
||||||
firewall must be coded in the POSTROUTING table.
|
originating on the firewall must be coded in the POSTROUTING table.
|
||||||
|
|
||||||
New Features in Shorewall 4.1.
|
New Features in Shorewall 4.1.
|
||||||
|
|
||||||
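Review bot: "must be coded in the POSTROUTING table" (new item 2, and again in the duplicated Migration Issues item) should read "POSTROUTING chain": POSTROUTING is a chain of the mangle table, and the shorewall-tcrules text in this same commit says "use the POSTROUTING chain to apply traffic shaping marks". Also "This change implemented two new options" has no antecedent; either number it like the item that follows it or name the change (logging of compiler messages to a file). Since the same paragraph now appears under both "Other changes" and "Migration Issues", consider keeping it once and pointing to it from the other section so the two copies cannot drift apart.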
@ -154,9 +169,9 @@ New Features in Shorewall 4.1.
|
|||||||
206.124.146.177 - Blarg 26000
|
206.124.146.177 - Blarg 26000
|
||||||
|
|
||||||
2) You may now include the name of a table (nat, mangle or filter) in
|
2) You may now include the name of a table (nat, mangle or filter) in
|
||||||
a 'shorewall refresh' command by following the name with a colon
|
a 'shorewall refresh' command by following the table name with a
|
||||||
(e.g., mangle:). This causes all non-builtin chains in the table to
|
colon (e.g., mangle:). This causes all non-builtin chains in the
|
||||||
be reloaded.
|
table to be reloaded.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
|
||||||
|
@ -28,11 +28,13 @@
|
|||||||
# Options:
|
# Options:
|
||||||
#
|
#
|
||||||
# --export # Compile for export
|
# --export # Compile for export
|
||||||
# --verbosity=<number> # Set VERBOSITY
|
# --verbosity=<number> # Set VERBOSITY range -1 to 2
|
||||||
# --directory=<directory> # Directory where configuration resides (default is /etc/shorewall)
|
# --directory=<directory> # Directory where configuration resides (default is /etc/shorewall)
|
||||||
# --timestamp # Timestamp all progress messages
|
# --timestamp # Timestamp all progress messages
|
||||||
# --debug # Print stack trace on warnings and fatal error.
|
# --debug # Print stack trace on warnings and fatal error.
|
||||||
# --refresh=<chainlist> # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
|
# --refresh=<chainlist> # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
|
||||||
|
# --log=<filename> # Log file
|
||||||
|
# --log_verbosity=<number> # Log Verbosity range -1 to 2
|
||||||
#
|
#
|
||||||
use strict;
|
use strict;
|
||||||
use FindBin;
|
use FindBin;
|
||||||
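Review bot: the new "--log=<filename>" comment should record the dependency stated in the release notes of this commit: the option is ignored unless --log_verbosity is supplied with a value of 0 or higher. Suggest "# --log=<filename> # Log file (ignored unless --log_verbosity >= 0)". The header should also say whether an existing log file is appended to or truncated, since that is the first thing an operator checks when the log looks incomplete.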
@ -46,12 +48,12 @@ sub usage() {
|
|||||||
options are:
|
options are:
|
||||||
[ --export ]
|
[ --export ]
|
||||||
[ --directory=<directory> ]
|
[ --directory=<directory> ]
|
||||||
[ --verbose={0-2} ]
|
[ --verbose={-1|0-2} ]
|
||||||
[ --timestamp ]
|
[ --timestamp ]
|
||||||
[ -- debug ]
|
[ --debug ]
|
||||||
[ --refresh=<chainlist> ]
|
[ --refresh=<chainlist> ]
|
||||||
[ --log=<filename> ]
|
[ --log=<filename> ]
|
||||||
[ --log-verbose={0-2} ]
|
[ --log-verbose={-1|0-2} ]
|
||||||
';
|
';
|
||||||
exit 1;
|
exit 1;
|
||||||
}
|
}
|
||||||
|
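Review bot: the option names printed by usage() disagree with the header comment and the release notes in this commit: usage() prints "--verbose={-1|0-2}" and "--log-verbose={-1|0-2}", while the header documents "--verbosity=<number>" and "--log_verbosity=<number>" and the release notes document "--log_verbosity={-1|0-2}". Unless the option parser accepts both spellings, one set is wrong, and usage() is the one users see; make it match the spellings the parser actually accepts. The "[ -- debug ]" to "[ --debug ]" fix is correct.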
@ -241,7 +241,7 @@
|
|||||||
script failed and will abort the compilation.</para>
|
script failed and will abort the compilation.</para>
|
||||||
|
|
||||||
<para>When a script is invoked, the <emphasis
|
<para>When a script is invoked, the <emphasis
|
||||||
role="bold">$chainref</emphasis> scalar variable will hold a
|
role="bold">$chainref</emphasis> scalar variable will usually hold a
|
||||||
reference to a chain table entry.</para>
|
reference to a chain table entry.</para>
|
||||||
|
|
||||||
<simplelist>
|
<simplelist>
|
||||||
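Review bot: changing "will hold" to "will usually hold" leaves the reader without the exception. State when $chainref does not hold a reference to a chain table entry and what it holds instead, because an extension script that dereferences it unconditionally will fail in exactly that case.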
@ -255,16 +255,16 @@
|
|||||||
<para>To add a rule to the chain:</para>
|
<para>To add a rule to the chain:</para>
|
||||||
|
|
||||||
<simplelist>
|
<simplelist>
|
||||||
<member>add_rule $chainref, <<replaceable>the
|
<member>add_rule $chainref,
|
||||||
rule</replaceable>></member>
|
<replaceable>the-rule</replaceable></member>
|
||||||
</simplelist>
|
</simplelist>
|
||||||
|
|
||||||
<para>Where</para>
|
<para>Where</para>
|
||||||
|
|
||||||
<simplelist>
|
<simplelist>
|
||||||
<member><<replaceable>the rule</replaceable>> is a scalar
|
<member><replaceable>the rule</replaceable> is a scalar argument
|
||||||
argument holding the rule text. Do not include "-A
|
holding the rule text. Do not include "-A
|
||||||
<<replaceable>chain name</replaceable>>"</member>
|
<replaceable>chain-name</replaceable>"</member>
|
||||||
</simplelist>
|
</simplelist>
|
||||||
|
|
||||||
<para>Example:</para>
|
<para>Example:</para>
|
||||||
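Review bot: the synopsis now writes the argument as <replaceable>the-rule</replaceable> while the "Where" list two lines later defines <replaceable>the rule</replaceable>; use one spelling in both so the definition visibly matches the synopsis (the insert_rule synopsis in the next hunk also uses "the-rule").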
@ -276,9 +276,8 @@
|
|||||||
<para>To insert a rule into the chain:</para>
|
<para>To insert a rule into the chain:</para>
|
||||||
|
|
||||||
<simplelist>
|
<simplelist>
|
||||||
<member>insert_rule $chainref,
|
<member>insert_rule $chainref, <replaceable>rulenum</replaceable>,
|
||||||
<<replaceable>rulenum</replaceable>>, <<replaceable>the
|
<replaceable>the-rule</replaceable></member>
|
||||||
rule</replaceable>></member>
|
|
||||||
</simplelist>
|
</simplelist>
|
||||||
|
|
||||||
<para>The log_rule_limit function works like it does in the shell
|
<para>The log_rule_limit function works like it does in the shell
|
||||||
@ -448,8 +447,8 @@ fi</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The pre Shorewall-3.0 format of the zones file is not
|
<para>The pre Shorewall-3.0 format of the zones file is not
|
||||||
supported; neither is the <filename>/etc/shorewall/ipsec</filename>
|
supported (IPSECFILE=ipsec); neither is the
|
||||||
file.</para>
|
<filename>/etc/shorewall/ipsec</filename> file.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
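Review bot: the added parenthetical "(IPSECFILE=ipsec)" is opaque to a reader who does not already know the setting. Say where IPSECFILE is set and what that value selects, for example "neither is the /etc/shorewall/ipsec file (selected by IPSECFILE=ipsec in shorewall.conf)".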
@ -984,8 +983,9 @@ fatal_error "You have made an error";
|
|||||||
progress_message "This will only be seen if VERBOSITY >= 2";
|
progress_message "This will only be seen if VERBOSITY >= 2";
|
||||||
progress_message2 "This will only be seen if VERBOSITY >= 1";
|
progress_message2 "This will only be seen if VERBOSITY >= 1";
|
||||||
progress_message3 "This will be seen unless VERBOSITY < 0";
|
progress_message3 "This will be seen unless VERBOSITY < 0";
|
||||||
</programlisting><programlisting>use lib '/usr/share/shorewall-perl';
|
</programlisting>The <emphasis role="bold">shorewall()</emphasis> function may
|
||||||
use Shorewall::Chains qw/shorewall/;
|
be optionally included.<programlisting>use lib '/usr/share/shorewall-perl';
|
||||||
|
use Shorewall::Config qw/shorewall/;
|
||||||
|
|
||||||
shorewall $config_file_entry;</programlisting>The Shorewall::Config module
|
shorewall $config_file_entry;</programlisting>The Shorewall::Config module
|
||||||
provides basic services to Shorewall-perl. By default, it exports the
|
provides basic services to Shorewall-perl. By default, it exports the
|
||||||
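Review bot: the example now imports shorewall() from Shorewall::Config instead of Shorewall::Chains, but the sentence introducing it only says the function "may be optionally included" and never says what it does or what $config_file_entry is expected to contain; add one sentence on each. Also confirm that the explicit qw/shorewall/ import is required, since the text that follows describes what Shorewall::Config exports by default.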
@ -998,13 +998,14 @@ shorewall $config_file_entry;</programlisting>The Shorewall::Config module
|
|||||||
|
|
||||||
<para>To raise a fatal error, call <emphasis
|
<para>To raise a fatal error, call <emphasis
|
||||||
role="bold">fatal_error()</emphasis>. Again, the single argument
|
role="bold">fatal_error()</emphasis>. Again, the single argument
|
||||||
described the error. </para>
|
described the error.</para>
|
||||||
|
|
||||||
<para>In both cases, the function will augment the warning/error with
|
<para>In both cases, the function will augment the warning/error with
|
||||||
the current configuration file and line number, if any. fatal_error()
|
the current configuration file and line number, if any. <emphasis
|
||||||
raised an exception via either <emphasis
|
role="bold">fatal_error()</emphasis> raised an exception via either
|
||||||
role="bold">confess()</emphasis> or <emphasis
|
<emphasis role="bold">confess()</emphasis> or <emphasis
|
||||||
role="bold">die()</emphasis>.</para>
|
role="bold">die()</emphasis>, depending on whether the debugging stack
|
||||||
|
trace is enabled or not..</para>
|
||||||
|
|
||||||
<para>The three 'progress message' functions conditionally produce
|
<para>The three 'progress message' functions conditionally produce
|
||||||
output depending on the current verbosity setting.</para>
|
output depending on the current verbosity setting.</para>
|
||||||
|
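Review bot: three wording slips survive the rewrap: "the single argument described the error" should be "describes", "fatal_error() raised an exception" should be "raises", and the added clause ends with a doubled period ("or not.."). The new clause "depending on whether the debugging stack trace is enabled or not" should also name the switch that enables it, which the compiler.pl header in this commit documents as --debug.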
@ -72,17 +72,6 @@
|
|||||||
in your kernel and iptables; neither may be used with connection
|
in your kernel and iptables; neither may be used with connection
|
||||||
marks (see below).</para>
|
marks (see below).</para>
|
||||||
|
|
||||||
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
|
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) then you may
|
|
||||||
also specify a value in the range 0x0100-0xFF00 with the
|
|
||||||
low-order byte being zero. Such values may only be used in the
|
|
||||||
PREROUTING chain(value followed by <emphasis
|
|
||||||
role="bold">:P</emphasis> or you have set
|
|
||||||
MARK_IN_FORWARD_CHAIN=No in <ulink
|
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) and have not
|
|
||||||
followed the value with <option>:F</option>) or the OUTPUT chain
|
|
||||||
(SOURCE is <emphasis role="bold">$FW</emphasis>).</para>
|
|
||||||
|
|
||||||
<para>May optionally be followed by <emphasis
|
<para>May optionally be followed by <emphasis
|
||||||
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
|
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
|
||||||
or <emphasis role="bold">:T</emphasis> where<emphasis
|
or <emphasis role="bold">:T</emphasis> where<emphasis
|
||||||
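Review bot: removing the HIGH_ROUTE_MARKS paragraph from the MARK column description leaves no pointer to where that rule now lives. Add a one-line cross-reference here ("see Special considerations for HIGH_ROUTE_MARKS=Yes below") so a reader checking which values are valid in this column does not conclude that 0x0100-0xFF00 marks are no longer accepted.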
@ -146,6 +135,26 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
|
<para><emphasis role="bold">Special considerations for If
|
||||||
|
HIGH_ROUTE_MARKS=Yes in <ulink
|
||||||
|
url="shorewall.conf.html">shorewall.conf</ulink>(5</emphasis>).</para>
|
||||||
|
|
||||||
|
<para>If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
|
||||||
|
in the range 0x0100-0xFF00 with the low-order byte being zero.
|
||||||
|
Such values may only be used in the PREROUTING chain (value
|
||||||
|
followed by <emphasis role="bold">:P</emphasis> or you have set
|
||||||
|
MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||||
|
url="shorewall.conf.html">shorewall.conf</ulink>(5) and have not
|
||||||
|
followed the value with <option>:F</option>) or the OUTPUT chain
|
||||||
|
(SOURCE is <emphasis role="bold">$FW</emphasis>). With
|
||||||
|
HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
|
||||||
|
permitted. Shorewall 4.1 and later versions prohibit non-zero
|
||||||
|
mark values less that 256 in the OUTPUT chain when
|
||||||
|
HIGH_ROUTE_MARKS=Yes. While earlier versions allow such values
|
||||||
|
in the OUTPUT chain, it is strongly recommended that with
|
||||||
|
HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain to apply
|
||||||
|
traffic shaping marks/classification.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
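Review bot: the added paragraph has several problems. The heading text reads "Special considerations for If HIGH_ROUTE_MARKS=Yes"; drop either "for" or "If". The </emphasis> close sits between "(5" and ")", so the rendered heading shows an unbalanced parenthesis in bold; move it after the ")". "less that 256" should be "less than 256" in both places. Substantively, "With HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not permitted" contradicts the two sentences that follow it, which confine the prohibition to the OUTPUT chain and admit that earlier versions allow such values there; scope the first sentence to the OUTPUT chain so readers do not conclude that low marks are invalid in PREROUTING and FORWARD as well.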
@ -167,7 +176,7 @@
|
|||||||
role="bold">$FW</emphasis>[:<emphasis>address</emphasis>] in
|
role="bold">$FW</emphasis>[:<emphasis>address</emphasis>] in
|
||||||
which case classification occurs in the OUTPUT chain.</para>
|
which case classification occurs in the OUTPUT chain.</para>
|
||||||
|
|
||||||
<para>When using Shorewall's built-in traffic tool, the
|
<para>When using Shorewall's built-in traffic shaping tool, the
|
||||||
<emphasis>major</emphasis> class is the device number (the first
|
<emphasis>major</emphasis> class is the device number (the first
|
||||||
device in <ulink
|
device in <ulink
|
||||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
|
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
|
||||||
|