Eliminate WIDE_TC_MARKS, HIGH_ROUTE_MARKS and BLACKLISTNEWONLY
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
80acdd2836
commit
f4776bf388
@ -599,16 +599,12 @@ our %validlevels; # Valid log levels.
|
|||||||
#
|
#
|
||||||
# Deprecated options with their default values
|
# Deprecated options with their default values
|
||||||
#
|
#
|
||||||
our %deprecated = ( WIDE_TC_MARKS => 'no',
|
our %deprecated = (
|
||||||
HIGH_ROUTE_MARKS => 'no',
|
|
||||||
BLACKLISTNEWONLY => 'yes',
|
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# Deprecated options that are eliminated via update
|
# Deprecated options that are eliminated via update
|
||||||
#
|
#
|
||||||
our %converted = ( WIDE_TC_MARKS => 1,
|
our %converted = (
|
||||||
HIGH_ROUTE_MARKS => 1,
|
|
||||||
BLACKLISTNEWONLY => 1,
|
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# Eliminated options
|
# Eliminated options
|
||||||
@ -618,6 +614,9 @@ our %eliminated = ( LOGRATE => 1,
|
|||||||
EXPORTPARAMS => 1,
|
EXPORTPARAMS => 1,
|
||||||
LEGACY_FASTSTART => 1,
|
LEGACY_FASTSTART => 1,
|
||||||
IPSECFILE => 1,
|
IPSECFILE => 1,
|
||||||
|
WIDE_TC_MARKS => 1,
|
||||||
|
HIGH_ROUTE_MARKS => 1,
|
||||||
|
BLACKLISTNEWONLY => 1,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# Variables involved in ?IF, ?ELSE ?ENDIF processing
|
# Variables involved in ?IF, ?ELSE ?ENDIF processing
|
||||||
@ -727,6 +726,8 @@ sub initialize( $;$$) {
|
|||||||
LOGFORMAT => undef,
|
LOGFORMAT => undef,
|
||||||
LOGTAGONLY => undef,
|
LOGTAGONLY => undef,
|
||||||
LOGLIMIT => undef,
|
LOGLIMIT => undef,
|
||||||
|
LOGRATE => undef,
|
||||||
|
LOGBURST => undef,
|
||||||
LOGALLNEW => undef,
|
LOGALLNEW => undef,
|
||||||
BLACKLIST_LOG_LEVEL => undef,
|
BLACKLIST_LOG_LEVEL => undef,
|
||||||
RELATED_LOG_LEVEL => undef,
|
RELATED_LOG_LEVEL => undef,
|
||||||
@ -4905,15 +4906,20 @@ sub process_shorewall_conf( $$$ ) {
|
|||||||
if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
|
if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
|
||||||
my ($var, $val) = ($1, $2);
|
my ($var, $val) = ($1, $2);
|
||||||
|
|
||||||
unless ( exists $config{$var} ) {
|
if ( exists $config{$var} ) {
|
||||||
if ( exists $renamed{$var} ) {
|
if ( $eliminated{$var} && ! $update ) {
|
||||||
|
fatal_error "The $var configuration option has been superceded - please run '$product update'";
|
||||||
|
}
|
||||||
|
} elsif ( exists $renamed{$var} ) {
|
||||||
$var = $renamed{$var};
|
$var = $renamed{$var};
|
||||||
} elsif ( $eliminated{$var} ) {
|
} else {
|
||||||
|
if ( $eliminated{$var} ) {
|
||||||
warning_message "The $var configuration option is no longer supported";
|
warning_message "The $var configuration option is no longer supported";
|
||||||
} else {
|
} else {
|
||||||
warning_message "Unknown configuration option ($var) ignored";
|
warning_message "Unknown configuration option ($var) ignored";
|
||||||
next ;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
next;
|
||||||
}
|
}
|
||||||
|
|
||||||
$config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
|
$config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
|
||||||
@ -5494,6 +5500,18 @@ sub get_configuration( $$$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$globals{LOGLIMIT} = $limit;
|
$globals{LOGLIMIT} = $limit;
|
||||||
|
} elsif ( $update && ( $config{LOGRATE} || $config{LOGBURST} ) ) {
|
||||||
|
if ( supplied $config{LOGRATE} ) {
|
||||||
|
fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( supplied $config{LOGBURST} ) {
|
||||||
|
fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
|
||||||
|
}
|
||||||
|
|
||||||
|
$globals{LOGLIMIT} = '-m limit ';
|
||||||
|
$globals{LOGLIMIT} .= "--limit $config{LOGRATE} " if supplied $config{LOGRATE};
|
||||||
|
$globals{LOGLIMIT} .= "--limit-burst $config{LOGBURST} " if supplied $config{LOGBURST};
|
||||||
} else {
|
} else {
|
||||||
$globals{LOGLIMIT} = '';
|
$globals{LOGLIMIT} = '';
|
||||||
}
|
}
|
||||||
@ -5680,8 +5698,11 @@ sub get_configuration( $$$$$ ) {
|
|||||||
default_yes_no 'USE_DEFAULT_RT' , '';
|
default_yes_no 'USE_DEFAULT_RT' , '';
|
||||||
default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
|
default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
|
||||||
default_yes_no 'AUTOMAKE' , '';
|
default_yes_no 'AUTOMAKE' , '';
|
||||||
|
|
||||||
|
if ($update) {
|
||||||
default_yes_no 'WIDE_TC_MARKS' , '';
|
default_yes_no 'WIDE_TC_MARKS' , '';
|
||||||
default_yes_no 'TRACK_PROVIDERS' , '';
|
default_yes_no 'TRACK_PROVIDERS' , '';
|
||||||
|
}
|
||||||
|
|
||||||
unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
|
unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
|
||||||
default_yes_no( 'NULL_ROUTE_RFC1918', '' );
|
default_yes_no( 'NULL_ROUTE_RFC1918', '' );
|
||||||
@ -5715,10 +5736,18 @@ sub get_configuration( $$$$$ ) {
|
|||||||
|
|
||||||
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
|
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
|
||||||
|
|
||||||
|
if ( $update ) {
|
||||||
numeric_option 'TC_BITS', $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
|
numeric_option 'TC_BITS', $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
|
||||||
numeric_option 'MASK_BITS', $config{WIDE_TC_MARKS} ? 16 : 8, $config{TC_BITS};
|
numeric_option 'MASK_BITS', $config{WIDE_TC_MARKS} ? 16 : 8, $config{TC_BITS};
|
||||||
numeric_option 'PROVIDER_BITS' , 8, 0;
|
numeric_option 'PROVIDER_BITS' , 8, 0;
|
||||||
numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
|
numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
|
||||||
|
} else {
|
||||||
|
numeric_option 'TC_BITS' , 8, 0;
|
||||||
|
numeric_option 'MASK_BITS' , 8, 0;
|
||||||
|
numeric_option 'PROVIDER_OFFSET' , 8, 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
numeric_option 'PROVIDER_BITS' , 8, 0;
|
||||||
numeric_option 'ZONE_BITS' , 0, 0;
|
numeric_option 'ZONE_BITS' , 0, 0;
|
||||||
|
|
||||||
require_capability 'MARK_ANYWHERE', 'A non-zero ZONE_BITS setting', 's' if $config{ZONE_BITS};
|
require_capability 'MARK_ANYWHERE', 'A non-zero ZONE_BITS setting', 's' if $config{ZONE_BITS};
|
||||||
|
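Review bot: In the non-update branch of the mark-layout hunk, `numeric_option 'MASK_BITS' , 8, 0;` passes 0 as the third argument where the replaced line passed `$config{TC_BITS}`; if that argument is the lower bound (the manpage hunk on the same page says MASK_BITS must be >= TC_BITS), a user-supplied MASK_BITS smaller than TC_BITS is now accepted and clearing the traffic-shaping mark would leave the high TC bits in place, so it should read `numeric_option 'MASK_BITS' , 8, $config{TC_BITS};` unless that bound is enforced elsewhere. The same hunk keeps `numeric_option 'PROVIDER_BITS' , 8, 0;` inside the `$update` branch and adds it again unconditionally after the if/else, so the update path processes that option twice; the inner call looks like a leftover and can be dropped. In the process_shorewall_conf hunk the new fatal message spells "superceded"; `superseded` is the correct form. get_configuration and process_shorewall_conf both start and end outside the hunks shown here.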
@ -473,10 +473,10 @@
|
|||||||
UNTRACKED.</para>
|
UNTRACKED.</para>
|
||||||
|
|
||||||
<para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
|
<para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
|
||||||
option below. Specifies the connection tracking states that are to
|
option. Specifies the connection tracking states that are to be
|
||||||
be subject to blacklist screening. If neither BLACKLIST nor
|
subject to blacklist screening. If BLACKLIST is not specified then
|
||||||
BLACKLISTNEWONLY are specified then the states subject to
|
the states subject to blacklisting are
|
||||||
blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
|
NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
|
||||||
|
|
||||||
<para>ALL sends all packets through the blacklist chains.</para>
|
<para>ALL sends all packets through the blacklist chains.</para>
|
||||||
|
|
||||||
@ -529,37 +529,6 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">BLACKLISTNEWONLY=</emphasis>{<emphasis
|
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
|
|
||||||
above.</para>
|
|
||||||
|
|
||||||
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
|
||||||
role="bold">yes</emphasis>, blacklists are only consulted for new
|
|
||||||
connections and for packets in the INVALID connection state (such as
|
|
||||||
TCP SYN,ACK when there has been no corresponding SYN). That includes
|
|
||||||
entries in the <ulink
|
|
||||||
url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)
|
|
||||||
file and in the BLACKLIST section of <ulink
|
|
||||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
|
|
||||||
(5).</para>
|
|
||||||
|
|
||||||
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
|
||||||
role="bold">no</emphasis>, blacklists are consulted for every packet
|
|
||||||
(will slow down your firewall noticeably if you have large
|
|
||||||
blacklists). If the BLACKLISTNEWONLY option is not set or is set to
|
|
||||||
the empty value then BLACKLISTNEWONLY=No is assumed.</para>
|
|
||||||
|
|
||||||
<note>
|
|
||||||
<para>BLACKLISTNEWONLY=No is incompatible with
|
|
||||||
FASTACCEPT=Yes.</para>
|
|
||||||
</note>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
|
<term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
@ -844,11 +813,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
|
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
|
||||||
or RELATED sections of <ulink
|
or RELATED sections of <ulink
|
||||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
||||||
|
|
||||||
<note>
|
|
||||||
<para>FASTACCEPT=Yes is incompatible with
|
|
||||||
BLACKLISTNEWONLY=No.</para>
|
|
||||||
</note>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -952,74 +916,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
|
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Deprecated in Shorewall 4.4.26 in favor of
|
|
||||||
PROVIDER_OFFSET.</para>
|
|
||||||
|
|
||||||
<para>Prior to version 3.2.0, it was not possible to use connection
|
|
||||||
marking in <ulink
|
|
||||||
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5)
|
|
||||||
if you had a multi-ISP configuration that uses the track
|
|
||||||
option.</para>
|
|
||||||
|
|
||||||
<para>You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the
|
|
||||||
packet mark and connection mark into two mark fields.</para>
|
|
||||||
|
|
||||||
<para>The width of the fields are determined by the setting of
|
|
||||||
WIDE_TC_MARKS. If WIDE_TC_MARKS=No (the default):</para>
|
|
||||||
|
|
||||||
<orderedlist numeration="loweralpha">
|
|
||||||
<listitem>
|
|
||||||
<para>The MARK field in the providers file must have a value
|
|
||||||
that is less than 65536 and that is a multiple of 256 (using hex
|
|
||||||
representation, the values are 0x0100-0xFF00 with the low-order
|
|
||||||
8 bits being zero).</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>You may only set those mark values in the PREROUTING
|
|
||||||
chain.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Marks used for traffic shaping must still be in the range
|
|
||||||
of 1-255 and may still not be set in the PREROUTING
|
|
||||||
chain.</para>
|
|
||||||
</listitem>
|
|
||||||
</orderedlist>
|
|
||||||
|
|
||||||
<para>When WIDE_TC_MARKS=Yes:</para>
|
|
||||||
|
|
||||||
<orderedlist numeration="loweralpha">
|
|
||||||
<listitem>
|
|
||||||
<para>The MARK field in the providers file must have a value
|
|
||||||
that is a multiple of 65536 (using hex representation, the
|
|
||||||
values are 0x010000-0xFF0000 with the low-order 16 bits being
|
|
||||||
zero).</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>You may only set those mark values in the PREROUTING
|
|
||||||
chain.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Marks used for traffic shaping must be in the range of
|
|
||||||
1-16383 and may still not be set in the PREROUTING chain.</para>
|
|
||||||
</listitem>
|
|
||||||
</orderedlist>
|
|
||||||
|
|
||||||
<para>Regardless of the setting of WIDE_TC_MARKS, when you SAVE or
|
|
||||||
RESTORE in tcrules, only the TC mark value is saved or restored.
|
|
||||||
Shorewall handles saving and restoring the routing (provider)
|
|
||||||
marks.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">IGNOREUNKNOWNVARIABLES=</emphasis>[<emphasis
|
role="bold">IGNOREUNKNOWNVARIABLES=</emphasis>[<emphasis
|
||||||
@ -1652,11 +1548,11 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
PREROUTING chain. This permits you to mark inbound traffic based on
|
PREROUTING chain. This permits you to mark inbound traffic based on
|
||||||
its destination address when DNAT is in use. To determine if your
|
its destination address when DNAT is in use. To determine if your
|
||||||
kernel has a FORWARD chain in the mangle table, use the <emphasis
|
kernel has a FORWARD chain in the mangle table, use the <emphasis
|
||||||
role="bold">/sbin/shorewall show mangle</emphasis> command; if a
|
role="bold">shorewall show mangle</emphasis> command; if a FORWARD
|
||||||
FORWARD chain is displayed then your kernel will support this
|
chain is displayed then your kernel will support this option. If
|
||||||
option. If this option is not specified or if it is given the empty
|
this option is not specified or if it is given the empty value
|
||||||
value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No
|
(e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is
|
||||||
is assumed.</para>
|
assumed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1668,8 +1564,9 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<para>Added in Shorewall 4.4.26. Number of bits on the right of the
|
<para>Added in Shorewall 4.4.26. Number of bits on the right of the
|
||||||
32-bit packet mark to be masked when clearing the traffic shaping
|
32-bit packet mark to be masked when clearing the traffic shaping
|
||||||
mark. Must be >= TC_BITS and <= PROVIDER_OFFSET (if
|
mark. Must be >= TC_BITS and <= PROVIDER_OFFSET (if
|
||||||
PROVIDER_OFFSET > 0). Default value and the default values of the
|
PROVIDER_OFFSET > 0). Prior to Shorewall 5.0.0, default value and
|
||||||
other mark layout options is determined as follows:</para>
|
the default values of the other mark layout options is determined as
|
||||||
|
follows:</para>
|
||||||
|
|
||||||
<table frame="none">
|
<table frame="none">
|
||||||
<title>Default Packet Mark Layout</title>
|
<title>Default Packet Mark Layout</title>
|
||||||
@ -1706,6 +1603,10 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
</tbody>
|
</tbody>
|
||||||
</tgroup>
|
</tgroup>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
<para>From 5.0.0 onward, the default value of MASK_BITS is 8, the
|
||||||
|
default value of PROVIDER_BITS, TC_BITS, MASK_BITS and
|
||||||
|
PROVIDER_OFFSET is 8.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -2900,22 +2801,6 @@ INLINE - - - ; -j REJECT
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>[<emphasis
|
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Deprecated in Shorewall 4.4.26 in favor of TC_BITS and
|
|
||||||
MASK_BITS.</para>
|
|
||||||
|
|
||||||
<para>When set to No (the default), traffic shaping marks are 8
|
|
||||||
bytes wide (possible values are 1-255). When WIDE_TC_MARKS=Yes,
|
|
||||||
traffic shaping marks are 14 bytes wide (values 1-16383). The
|
|
||||||
setting of WIDE_TC_MARKS also has an effect on the HIGH_ROUTE_MARKS
|
|
||||||
option (see above).</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">WORKAROUNDS=</emphasis>[<emphasis
|
<term><emphasis role="bold">WORKAROUNDS=</emphasis>[<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
@ -404,10 +404,10 @@
|
|||||||
UNTRACKED.</para>
|
UNTRACKED.</para>
|
||||||
|
|
||||||
<para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
|
<para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
|
||||||
option below. Specifies the connection tracking states that are to
|
option. Specifies the connection tracking states that are to be
|
||||||
be subject to blacklist screening. If neither BLACKLIST nor
|
subject to blacklist screening. If BLACKLIST is not specified then
|
||||||
BLACKLISTNEWONLY are specified then the states subject to
|
the states subject to blacklisting are
|
||||||
blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
|
NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
|
||||||
|
|
||||||
<para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
|
<para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
|
||||||
is specified.</para>
|
is specified.</para>
|
||||||
@ -449,39 +449,6 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">BLACKLISTNEWONLY=</emphasis>{<emphasis
|
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
|
|
||||||
above.</para>
|
|
||||||
|
|
||||||
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
|
||||||
role="bold">yes</emphasis>, blacklists are only consulted for new
|
|
||||||
connections, for packets in the INVALID connection state (such as a
|
|
||||||
TCP SYN,ACK when there has been no corresponding SYN), and for
|
|
||||||
packets that are UNTRACKED due to entries in <ulink
|
|
||||||
url="/manpages6/shorewall6-conntrack.html">shorewall6-conntrack</ulink>(5).
|
|
||||||
This includes entries in the <ulink
|
|
||||||
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>
|
|
||||||
(5) file and in the BLACKLIST section of <ulink
|
|
||||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>
|
|
||||||
(5).</para>
|
|
||||||
|
|
||||||
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
|
||||||
role="bold">no</emphasis>, blacklists are consulted for every packet
|
|
||||||
(will slow down your firewall noticeably if you have large
|
|
||||||
blacklists). If the BLACKLISTNEWONLY option is not set or is set to
|
|
||||||
the empty value then BLACKLISTNEWONLY=No is assumed.</para>
|
|
||||||
|
|
||||||
<note>
|
|
||||||
<para>BLACKLISTNEWONLY=No is incompatible with
|
|
||||||
FASTACCEPT=Yes.</para>
|
|
||||||
</note>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
|
<term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
@ -725,11 +692,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
|
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
|
||||||
or RELATED sections of <ulink
|
or RELATED sections of <ulink
|
||||||
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
|
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
|
||||||
|
|
||||||
<note>
|
|
||||||
<para>FASTACCEPT=Yes is incompatible with
|
|
||||||
BLACKLISTNEWONLY=No.</para>
|
|
||||||
</note>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -833,70 +795,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
|
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Deprecated in Shorewall 4.4.26 in favor of
|
|
||||||
PROVIDER_OFFSET.</para>
|
|
||||||
|
|
||||||
<para>You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the
|
|
||||||
packet mark and connection mark into two mark fields.</para>
|
|
||||||
|
|
||||||
<para>The width of the fields are determined by the setting of the
|
|
||||||
WIDE_TC_MARKS option.</para>
|
|
||||||
|
|
||||||
<para>When WIDE_TC_MARKS=No (the default):</para>
|
|
||||||
|
|
||||||
<orderedlist numeration="loweralpha">
|
|
||||||
<listitem>
|
|
||||||
<para>The MARK field in the providers file must have a value
|
|
||||||
that is less than 65536 and that is a multiple of 256 (using hex
|
|
||||||
representation, the values are 0x0100-0xFF00 with the low-order
|
|
||||||
8 bits being zero).</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>You may only set those mark values in the PREROUTING
|
|
||||||
chain.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Marks used for traffic shaping must still be in the range
|
|
||||||
of 1-255 and may still not be set in the PREROUTING
|
|
||||||
chain.</para>
|
|
||||||
</listitem>
|
|
||||||
</orderedlist>
|
|
||||||
|
|
||||||
<para>When WIDE_TC_MARKS=Yes:</para>
|
|
||||||
|
|
||||||
<orderedlist numeration="loweralpha">
|
|
||||||
<listitem>
|
|
||||||
<para>The MARK field in the providers file must have a value
|
|
||||||
that is a multiple of 65536 (using hex representation, the
|
|
||||||
values are 0x010000-0xFF0000 with the low-order 16 bits being
|
|
||||||
zero).</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>You may only set those mark values in the PREROUTING
|
|
||||||
chain.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Marks used for traffic shaping must be in the range of
|
|
||||||
1-16383 and may still not be set in the PREROUTING chain.</para>
|
|
||||||
</listitem>
|
|
||||||
</orderedlist>
|
|
||||||
|
|
||||||
<para>Regardless of the setting of WIDE_TC_MARKS, when you SAVE or
|
|
||||||
RESTORE in tcrules, only the TC mark value is saved or restored.
|
|
||||||
Shorewall handles saving and restoring the routing (provider)
|
|
||||||
marks.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">IMPLICIT_CONTINUE=</emphasis>{<emphasis
|
<term><emphasis role="bold">IMPLICIT_CONTINUE=</emphasis>{<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
@ -1465,11 +1363,11 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
PREROUTING chain. This permits you to mark inbound traffic based on
|
PREROUTING chain. This permits you to mark inbound traffic based on
|
||||||
its destination address when DNAT is in use. To determine if your
|
its destination address when DNAT is in use. To determine if your
|
||||||
kernel has a FORWARD chain in the mangle table, use the <emphasis
|
kernel has a FORWARD chain in the mangle table, use the <emphasis
|
||||||
role="bold">/sbin/shorewall6 show mangle</emphasis> command; if a
|
role="bold">/shorewall6 show mangle</emphasis> command; if a FORWARD
|
||||||
FORWARD chain is displayed then your kernel will support this
|
chain is displayed then your kernel will support this option. If
|
||||||
option. If this option is not specified or if it is given the empty
|
this option is not specified or if it is given the empty value
|
||||||
value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No
|
(e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is
|
||||||
is assumed.</para>
|
assumed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1481,8 +1379,9 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<para>Added in Shorewall 4.4.26. Number of bits on the right of the
|
<para>Added in Shorewall 4.4.26. Number of bits on the right of the
|
||||||
32-bit packet mark to be masked when clearing the traffic shaping
|
32-bit packet mark to be masked when clearing the traffic shaping
|
||||||
mark. Must be >= TC_BITS and <= PROVIDER_OFFSET (if
|
mark. Must be >= TC_BITS and <= PROVIDER_OFFSET (if
|
||||||
PROVIDER_OFFSET > 0). Default value and the default values of the
|
PROVIDER_OFFSET > 0). Prior to Shorewall 5.0.0, default value and
|
||||||
other mark layout options is determined as follows:</para>
|
the default values of the other mark layout options is determined as
|
||||||
|
follows:</para>
|
||||||
|
|
||||||
<table frame="none">
|
<table frame="none">
|
||||||
<title>Default Packet Mark Layout</title>
|
<title>Default Packet Mark Layout</title>
|
||||||
@ -1519,6 +1418,10 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
</tbody>
|
</tbody>
|
||||||
</tgroup>
|
</tgroup>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
<para>From 5.0.0 onward, the default value of MASK_BITS is 8, the
|
||||||
|
default value of PROVIDER_BITS, TC_BITS, MASK_BITS and
|
||||||
|
PROVIDER_OFFSET is 8.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|