From f1fbb95d48a90cb691942f7d9e15383d20523a7c Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 13 Aug 2012 08:16:36 -0700
Subject: [PATCH] Update documentation for content merged from the 4.5.8 (master) path
Signed-off-by: Tom Eastep
---
Shorewall/manpages/shorewall-rules.xml | 43 +++++++++++++++++++++++-
Shorewall/manpages/shorewall.conf.xml | 2 +-
Shorewall6/manpages/shorewall6-rules.xml | 41 ++++++++++++++++++++++
Shorewall6/manpages/shorewall6.conf.xml | 2 +-
docs/Helpers.xml | 17 ++++++++++
5 files changed, 102 insertions(+), 3 deletions(-)
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index dc0de3a96..4690f6f2b 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -806,7 +806,7 @@
- + Except when all[+]|[-] is specified, the server may be @@ -1351,6 +1351,47 @@ restart. + + + HELPER - [helper] + + + Added in Shorewall 4.5.7. Causes the named conntrack + helper to be associated with this + connection. The contents of this column are ignored unless ACTION is + ACCEPT*, DNAT* or REDIRECT*. The helper + may be one of: + + + + + + + + + + + + + + + + + + + + + + + + + + If the HELPERS option is specified in shorewall.conf(5), then any module + specified in this column most be listed in the HELPERS + setting. + + diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index ef09c1dd6..d47f37cfe 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -304,7 +304,7 @@ role="bold">Yes|No] - Added in Shorewall 4.5.8. When set to + Added in Shorewall 4.5.7. When set to (the default), the generated ruleset will automatically associate helpers with applications that require them (FTP, IRC, etc.). When configuring your firewall on systems running kernel 3.5 or later, it diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index 12fc92b25..e9b9ab108 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -1189,6 +1189,47 @@ restart. + + + HELPER - [helper] + + + Added in Shorewall 4.5.7. Causes the named conntrack + helper to be associated with this + connection. The contents of this column are ignored unless ACTION is + ACCEPT*, DNAT* or REDIRECT*. The helper + may be one of: + + + + + + + + + + + + + + + + + + + + + + + + + + If the HELPERS option is specified in shorewall6.conf(5), then any + module specified in this column most be listed in the HELPERS + setting. + + diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index 48d48d08b..37d7c5308 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml 
@@ -233,7 +233,7 @@ role="bold">Yes|No] - Added in Shorewall 4.5.8. When set to + Added in Shorewall 4.5.7. When set to (the default), the generated ruleset will automatically associate helpers with applications that require them (FTP, IRC, etc.). When configuring your firewall on systems running kernel 3.5 or later, it diff --git a/docs/Helpers.xml b/docs/Helpers.xml index b47d5f53b..589180f64 100644 --- a/docs/Helpers.xml +++ b/docs/Helpers.xml @@ -300,6 +300,17 @@ role="bold">tftp. + + + AUTOHELPERS + + + This option was also added in Shorewall 4.5.7. When enabled + on systems that support the CT Target capability, it provides + automatic association of helpers to connections in the same manner + as in pre-3.5 kernels (and with the same vulnerabilities). + + The helper modules to be loaded are listed in the file @@ -375,6 +386,12 @@ In these files, Shorewall supports the same module names as iptables; see the table above. + + Beginning with Shorewall 4.5.7, there is a HELPER column in shorewall-rules (5). This + column allows the explicit association of a helper with connections + allowed by a given rules. The column may contain any of the helper names + recognized by iptables (see the table above).