Document tos file changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5687 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
307e82a2f4
commit
eff828015c
@ -88,8 +88,11 @@ sub process_tos() {
|
|||||||
$restriction = OUTPUT_RESTRICT;
|
$restriction = OUTPUT_RESTRICT;
|
||||||
} else {
|
} else {
|
||||||
$chainref = $pretosref;
|
$chainref = $pretosref;
|
||||||
|
$src =~ s/^all://;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
dst =~ s/^all://;
|
||||||
|
|
||||||
expand_rule
|
expand_rule
|
||||||
$chainref ,
|
$chainref ,
|
||||||
$restriction ,
|
$restriction ,
|
||||||
@ -104,8 +107,6 @@ sub process_tos() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
close TOS;
|
close TOS;
|
||||||
|
|
||||||
$comment = '';
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -784,12 +785,6 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
|||||||
my $rule = '';
|
my $rule = '';
|
||||||
my $actionchainref;
|
my $actionchainref;
|
||||||
|
|
||||||
$ports = '' unless defined $ports;
|
|
||||||
$sports = '' unless defined $sports;
|
|
||||||
$origdest = '' unless defined $origdest;
|
|
||||||
$ratelimit = '' unless defined $ratelimit;
|
|
||||||
$user = '' unless defined $user;
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Determine the validity of the action
|
# Determine the validity of the action
|
||||||
#
|
#
|
||||||
@ -863,6 +858,14 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
|||||||
|
|
||||||
fatal_error "Unknown source zone ($sourcezone) in rule \"$line\"" unless $zones{$sourcezone};
|
fatal_error "Unknown source zone ($sourcezone) in rule \"$line\"" unless $zones{$sourcezone};
|
||||||
fatal_error "Unknown destination zone ($destzone) in rule \"$line\"" unless $zones{$destzone};
|
fatal_error "Unknown destination zone ($destzone) in rule \"$line\"" unless $zones{$destzone};
|
||||||
|
|
||||||
|
my $restriction = NO_RESTRICT;
|
||||||
|
|
||||||
|
if ( $sourcezone eq $firewall_zone ) {
|
||||||
|
$restriction = $destzone eq $firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT;
|
||||||
|
} else {
|
||||||
|
$restriction = INPUT_RESTRICT if $destzone eq $firewall_zone;
|
||||||
|
}
|
||||||
#
|
#
|
||||||
# Take care of chain
|
# Take care of chain
|
||||||
#
|
#
|
||||||
@ -996,7 +999,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
|||||||
|
|
||||||
expand_rule
|
expand_rule
|
||||||
ensure_chain ('filter', $chain ) ,
|
ensure_chain ('filter', $chain ) ,
|
||||||
NO_RESTRICT ,
|
$restriction ,
|
||||||
$rule ,
|
$rule ,
|
||||||
$source ,
|
$source ,
|
||||||
$dest ,
|
$dest ,
|
||||||
|
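Review bot: In the first process_tos hunk the added line reads `dst =~ s/^all://;` with no sigil, unlike the `$src =~ s/^all://;` added a few lines above it. If that is what was committed and not a rendering loss, Perl parses `dst` as a bareword, so the statement is rejected when strictures are enabled (not visible here) and in any case cannot modify the destination value. The `[all:]` prefix that the release notes in this same commit allow in the DEST column would then still be attached when the value reaches `expand_rule`. The line presumably needs the destination variable declared earlier in process_tos, outside the hunk, for example `$dst =~ s/^all://;` if that is its name.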
@ -73,7 +73,19 @@ f) Some run-time extension scripts are no longer supported because they
|
|||||||
refresh
|
refresh
|
||||||
refreshed
|
refreshed
|
||||||
|
|
||||||
g) Currently, support for ipsets is untested. That will change with
|
g) The /etc/shorewall/tos file now has a format similar to the tcrules.
|
||||||
|
|
||||||
|
The SOURCE column may be one of the following:
|
||||||
|
|
||||||
|
[all:]<address>[,...]
|
||||||
|
[all:]<interface>[:<address>[,...]]
|
||||||
|
$FW[:<address>[,...]]
|
||||||
|
|
||||||
|
The DEST column may be one of the following:
|
||||||
|
[all:]<address>[,...]
|
||||||
|
[all:]<interface>[:<address>[,...]]
|
||||||
|
|
||||||
|
h) Currently, support for ipsets is untested. That will change with
|
||||||
future releases but one thing is certain -- Shorewall is now out of the
|
future releases but one thing is certain -- Shorewall is now out of the
|
||||||
ipset load/reload business. If the Netfilter ruleset is never cleared,
|
ipset load/reload business. If the Netfilter ruleset is never cleared,
|
||||||
then there is no opportunity for Shorewall to load/reload your
|
then there is no opportunity for Shorewall to load/reload your
|
||||||
|