Document tos file changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5687 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-03-25 19:43:33 +00:00
parent 307e82a2f4
commit eff828015c
2 changed files with 25 additions and 10 deletions


@ -88,8 +88,11 @@ sub process_tos() {
$restriction = OUTPUT_RESTRICT;
} else {
$chainref = $pretosref;
$src =~ s/^all://;
}
dst =~ s/^all://;
expand_rule
$chainref ,
$restriction ,
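Review bot: The substitution after the if/else, `dst =~ s/^all://;`, is missing the `$` sigil that `$src =~ s/^all://;` has two lines above it. A bareword there is not the destination variable, so the `all:` prefix would not be stripped from the DEST column; it should read `$dst =~ s/^all://;`. It is also worth a one-line comment saying why `$src` is only stripped in the else branch, since nothing here says whether an `all:` prefix combined with the firewall zone should be rejected or is simply not expected.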
@ -104,8 +107,6 @@ sub process_tos() {
}
close TOS;
$comment = '';
}
}
@ -784,12 +785,6 @@ sub process_rule1 ( $$$$$$$$$ ) {
my $rule = '';
my $actionchainref;
$ports = '' unless defined $ports;
$sports = '' unless defined $sports;
$origdest = '' unless defined $origdest;
$ratelimit = '' unless defined $ratelimit;
$user = '' unless defined $user;
#
# Determine the validity of the action
#
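Review bot: Nothing visible in this hunk guarantees that `$ports`, `$sports`, `$origdest`, `$ratelimit` and `$user` are still defined once the `= '' unless defined` lines leave the top of process_rule1 (the header shrinks the region from 12 lines to 6). If the defaults now live in the caller, say so in a comment above the `my $rule = '';` declarations so the precondition is explicit; otherwise any rule line that omits these trailing columns reaches the later string tests with undef values.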
@ -863,6 +858,14 @@ sub process_rule1 ( $$$$$$$$$ ) {
fatal_error "Unknown source zone ($sourcezone) in rule \"$line\"" unless $zones{$sourcezone};
fatal_error "Unknown destination zone ($destzone) in rule \"$line\"" unless $zones{$destzone};
my $restriction = NO_RESTRICT;
if ( $sourcezone eq $firewall_zone ) {
$restriction = $destzone eq $firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT;
} else {
$restriction = INPUT_RESTRICT if $destzone eq $firewall_zone;
}
#
# Take care of chain
#
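Review bot: The new `$restriction` block has no comment, while the sections around it are introduced with `#` banners such as "Take care of chain". A short banner stating the mapping (firewall to firewall gives ALL_RESTRICT, firewall as source gives OUTPUT_RESTRICT, firewall as destination gives INPUT_RESTRICT, anything else NO_RESTRICT) would make the intent checkable. The else branch holding a single `... if $destzone eq $firewall_zone;` statement would also read more directly as an `elsif`.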
@ -996,7 +999,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
expand_rule
ensure_chain ('filter', $chain ) ,
NO_RESTRICT ,
$restriction ,
$rule ,
$source ,
$dest ,
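Review bot: Passing `$restriction` instead of `NO_RESTRICT` to expand_rule here changes how ordinary rules are generated, yet the commit message only says "Document tos file changes" and the release-notes hunk in this same commit only covers the tos file. Either split the process_rule1 change into its own commit or mention it in the message and the notes, so that a behaviour change in rule processing is not hidden behind a documentation commit.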


@ -73,7 +73,19 @@ f) Some run-time extension scripts are no longer supported because they
refresh
refreshed
g) Currently, support for ipsets is untested. That will change with
g) The /etc/shorewall/tos file now has a format similar to the tcrules.
The SOURCE column may be one of the following:
[all:]<address>[,...]
[all:]<interface>[:<address>[,...]]
$FW[:<address>[,...]]
The DEST column may be one of the following:
[all:]<address>[,...]
[all:]<interface>[:<address>[,...]]
h) Currently, support for ipsets is untested. That will change with
future releases but one thing is certain -- Shorewall is now out of the
ipset load/reload business. If the Netfilter ruleset is never cleared,
then there is no opportunity for Shorewall to load/reload your
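Review bot: The new item g) lists the accepted SOURCE and DEST forms but never says what the optional `all:` prefix means, and the code in process_tos simply removes it with `s/^all://`. If the prefix is accepted only for compatibility and has no effect, state that; if it is meant to change which chain the rule lands in, the notes need to describe the difference. "similar to the tcrules" should also read "similar to the tcrules file", and because the old item g) becomes h), any later text that refers to these items by letter needs checking.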