Document tos file changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5687 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
307e82a2f4
commit
eff828015c
@ -88,8 +88,11 @@ sub process_tos() {
|
||||
$restriction = OUTPUT_RESTRICT;
|
||||
} else {
|
||||
$chainref = $pretosref;
|
||||
$src =~ s/^all://;
|
||||
}
|
||||
|
||||
dst =~ s/^all://;
|
||||
|
||||
expand_rule
|
||||
$chainref ,
|
||||
$restriction ,
|
||||
@ -104,8 +107,6 @@ sub process_tos() {
|
||||
}
|
||||
|
||||
close TOS;
|
||||
|
||||
$comment = '';
|
||||
}
|
||||
}
|
||||
|
||||
@ -784,12 +785,6 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
||||
my $rule = '';
|
||||
my $actionchainref;
|
||||
|
||||
$ports = '' unless defined $ports;
|
||||
$sports = '' unless defined $sports;
|
||||
$origdest = '' unless defined $origdest;
|
||||
$ratelimit = '' unless defined $ratelimit;
|
||||
$user = '' unless defined $user;
|
||||
|
||||
#
|
||||
# Determine the validity of the action
|
||||
#
|
||||
@ -863,6 +858,14 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
||||
|
||||
fatal_error "Unknown source zone ($sourcezone) in rule \"$line\"" unless $zones{$sourcezone};
|
||||
fatal_error "Unknown destination zone ($destzone) in rule \"$line\"" unless $zones{$destzone};
|
||||
|
||||
my $restriction = NO_RESTRICT;
|
||||
|
||||
if ( $sourcezone eq $firewall_zone ) {
|
||||
$restriction = $destzone eq $firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT;
|
||||
} else {
|
||||
$restriction = INPUT_RESTRICT if $destzone eq $firewall_zone;
|
||||
}
|
||||
#
|
||||
# Take care of chain
|
||||
#
|
||||
@ -996,7 +999,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
||||
|
||||
expand_rule
|
||||
ensure_chain ('filter', $chain ) ,
|
||||
NO_RESTRICT ,
|
||||
$restriction ,
|
||||
$rule ,
|
||||
$source ,
|
||||
$dest ,
|
||||
|
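Review bot: In the first process_tos hunk the substitution after the if/else is rendered as `dst =~ s/^all://;`, without the `$` sigil that the matching `$src =~ s/^all://;` line carries. If that is what was committed rather than an artifact of this page, Perl parses `dst` as a bareword rather than the destination variable, so the `all:` prefix is never stripped from the DEST column and the file most likely fails to compile; the line should read `$dst =~ s/^all://;`. Separately, a SOURCE or DEST entry consisting only of `all:` is reduced to an empty string before expand_rule is called. It is worth confirming that an empty value there is rejected or handled as intended rather than producing a rule with no address match. process_tos begins and ends outside the hunk, so the declaration of the destination variable cannot be checked from here.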
@ -73,7 +73,19 @@ f) Some run-time extension scripts are no longer supported because they
|
||||
refresh
|
||||
refreshed
|
||||
|
||||
g) Currently, support for ipsets is untested. That will change with
|
||||
g) The /etc/shorewall/tos file now has a format similar to the tcrules.
|
||||
|
||||
The SOURCE column may be one of the following:
|
||||
|
||||
[all:]<address>[,...]
|
||||
[all:]<interface>[:<address>[,...]]
|
||||
$FW[:<address>[,...]]
|
||||
|
||||
The DEST column may be one of the following:
|
||||
[all:]<address>[,...]
|
||||
[all:]<interface>[:<address>[,...]]
|
||||
|
||||
h) Currently, support for ipsets is untested. That will change with
|
||||
future releases but one thing is certain -- Shorewall is now out of the
|
||||
ipset load/reload business. If the Netfilter ruleset is never cleared,
|
||||
then there is no opportunity for Shorewall to load/reload your
|
||||
|