diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 6977c13d4..000000000
--- a/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-*targetname
diff --git a/Shorewall-core/Shorewall-core-targetname b/Shorewall-core/Shorewall-core-targetname
new file mode 100644
index 000000000..a29e62721
--- /dev/null
+++ b/Shorewall-core/Shorewall-core-targetname
@@ -0,0 +1 @@
+5.2.3.7
\ No newline at end of file
diff --git a/Shorewall-lite/Shorewall-lite-targetname b/Shorewall-lite/Shorewall-lite-targetname
new file mode 100644
index 000000000..a29e62721
--- /dev/null
+++ b/Shorewall-lite/Shorewall-lite-targetname
@@ -0,0 +1 @@
+5.2.3.7
\ No newline at end of file
diff --git a/Shorewall/Actions/action.IfEvent b/Shorewall/Actions/action.IfEvent
index 83704d137..5959ebbc6 100644
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -114,8 +114,6 @@ if ( ( $targets{$action} || 0 ) & NATRULE ) {
if ( $command & $RESET_CMD ) {
require_capability 'MARK_ANYWHERE', '"reset"', 's';
-
- print "Resetting....\n";
my $mark = $globals{EVENT_MARK};
#
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index cc5a025fa..8df53f4d5 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1143,16 +1143,30 @@ sub set_rule_option( $$$ ) {
#
# Consider each subtype as a separate type
#
- my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
+ if ( have_capability( 'OLD_CONNTRACK_MATCH' ) ) {
+ my ( $subtype, $invert, $val, $rest ) = split ' ', $value;
- if ( $invert eq '!' ) {
- assert( ! supplied $rest );
- $option = join( ' ', $option, $invert, $subtype );
- $value = $val;
+ if ( $invert eq '!' ) {
+ assert( ! supplied $rest );
+ $option = join( ' ', $option, $subtype );
+ $value = join( ' ', $invert, $val );
+ } else {
+ assert( ! supplied $val );
+ $option = join( ' ', $invert , $option );
+ $value = $invert;
+ }
} else {
- assert( ! supplied $val );
- $option = join( ' ', $option, $invert );
- $value = $subtype;
+ my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
+
+ if ( $invert eq '!' ) {
+ assert( ! supplied $rest );
+ $option = join( ' ', $option, $invert, $subtype );
+ $value = $val;
+ } else {
+ assert( ! supplied $val );
+ $option = join( ' ', $option, $invert );
+ $value = $subtype;
+ }
}
$opttype = EXCLUSIVE;
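Review bot: In the `else` of the new OLD_CONNTRACK_MATCH branch (the non-inverted case) `$subtype` is never used and `$invert`, which in that case holds the second token rather than a `!`, is prepended to `$option` (`$option = join( ' ', $invert , $option ); $value = $invert;`), so the option string becomes "<value> <option>" and the subtype name is lost; the new-match counterpart below keeps the option name in `$option` and the next token in `$value`. Unless old-match values are laid out differently from what the inverted case implies (subtype, then `!`, then value), this looks like it should read `$option = join( ' ', $option, $subtype ); $value = $invert;`. Reusing `$invert`/`$subtype` for tokens that are neither an inversion nor a subtype in the non-inverted path is what makes this easy to get wrong; positional names for the split tokens would make each branch self-explanatory. set_rule_option begins and ends outside the hunk.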
@@ -3369,13 +3383,13 @@ sub initialize_chain_table($) {
add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
$chainref = new_standard_chain( 'DOCKER-INGRESS' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
- $chainref = new_standard_chain( 'DOCKER-USER' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
+ $chainref = new_standard_chain( 'DOCKER-USER' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
$chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' );
@@ -8718,20 +8732,15 @@ sub save_docker_rules($) {
qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING),
qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
- qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
- qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+ qq( rm -f \${VARDIR}/.filter_DOCKER-*),
+ qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
+ qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+ qq( [ -n "\$g_dockeriso" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
qq(),
- qq( case "\$g_dockernetwork" in),
- qq( One\)),
- qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
- qq( $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
- qq( ;;),
- qq( Two\)),
- qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
- qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
- qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
- qq( ;;),
- qq( esac),
+ qq( if [ -n "\$g_dockerisostage" ]; then),
+ qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
+ qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
+ qq( fi),
qq(),
);
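Review bot: The new `if [ -n "$g_dockerisostage" ]` block saves DOCKER-ISOLATION-STAGE-2 on the strength of a flag that, per the Compiler.pm hunk in this commit, is set only by `chain_exists DOCKER-ISOLATION-STAGE-1`; if STAGE-2 is ever absent, `$tool -t filter -S DOCKER-ISOLATION-STAGE-2` fails and leaves an empty `.filter_DOCKER-ISOLATION-STAGE-2` behind. Either give the STAGE-2 line its own `chain_exists DOCKER-ISOLATION-STAGE-2 &&` guard or record in a comment that the two stage chains are assumed to exist together. The added `rm -f \${VARDIR}/.filter_DOCKER-*` does clear stale stage files before the conditional saves, so a file from an earlier run can no longer be restored by mistake. save_docker_rules begins and ends outside the hunk.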
@@ -9252,10 +9261,10 @@ sub create_netfilter_load( $ ) {
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
ensure_cmd_mode;
- emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
- } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
ensure_cmd_mode;
- emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
} elsif ( $name eq 'DOCKER-INGRESS' ) {
ensure_cmd_mode;
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
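Review bot: Dropping the trailing `-` from `/^DOCKER-ISOLATION-/` widens the branch to any chain whose name merely starts with `DOCKER-ISOLATION`; the `eq 'DOCKER-ISOLATION'` branch above already handles the exact name, so the only names the wider pattern gains are unrelated ones, which would then be declared under the `$g_dockerisostage` gate. Keeping the anchored form, or tightening it to the chains actually emitted, `} elsif ( $name =~ /^DOCKER-ISOLATION-STAGE-/ ) {`, keeps the gate matched to what it guards. The same change appears in the preview_netfilter_load and create_stop_load hunks further down. create_netfilter_load begins and ends outside the hunk.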
@@ -9367,11 +9376,11 @@ sub preview_netfilter_load() {
print "\n";
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
ensure_cmd_mode1;
- print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ print( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
print "\n";
- } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
ensure_cmd_mode1;
- print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ print( qq([ "\$g_dockeisostage" ] && echo ":$name - [0:0]" >&3) );
print "\n";
} elsif ( $name eq 'DOCKER-INGRESS' ) {
ensure_cmd_mode1;
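Review bot: The preview line for the stage chains tests `$g_dockeisostage`, which is misspelled (`g_dockerisostage` everywhere else in this commit, including prog.footer) and therefore never set, so the preview output would never declare the DOCKER-ISOLATION-STAGE-* chains even when the real load script does; it also drops the `-n` the other call sites use. Suggested: `print( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );`. preview_netfilter_load begins and ends outside the hunk.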
@@ -9468,10 +9477,10 @@ sub create_stop_load( $ ) {
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
ensure_cmd_mode;
- emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
- } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
ensure_cmd_mode;
- emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
} elsif ( $name eq 'DOCKER-INGRESS' ) {
ensure_cmd_mode;
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 9a2f91d0d..0b7eed381 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -268,13 +268,10 @@ sub generate_script_2() {
emit( '',
'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
);
- emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
- emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
- emit( 'if chain_exists DOCKER-ISOLATION; then',
- ' g_dockernetwork=One',
- 'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
- ' g_dockernetwork=Two',
- 'fi' );
+ emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
+ emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
+ emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' );
+ emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' );
}
pop_indent;
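Review bot: Replacing the `if … elif … fi` with two independent `chain_exists … && g_…=Yes` lines means `g_dockeriso` and `g_dockerisostage` are no longer mutually exclusive; if DOCKER-ISOLATION and DOCKER-ISOLATION-STAGE-1 are ever present at the same time (for instance a chain left behind across a Docker upgrade), create_docker_rules in the Misc.pm hunk now emits FORWARD jumps to both, where the old `One`/`Two` value selected exactly one. If that is not intended, keep the `if/elif` shape of the removed lines and assign `g_dockeriso=Yes` and `g_dockerisostage=Yes` in place of `One` and `Two`. Whether Docker can leave both chains in place is not visible from this hunk, so this may be a non-issue in practice. generate_script_2 begins and ends outside the hunk.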
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 40d8d654a..ff3003c9e 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -162,6 +162,7 @@ our @EXPORT = qw(
have_capability
require_capability
+ require_mangle_capability
report_used_capabilities
kernel_version
@@ -804,7 +805,7 @@ sub add_variables( \% );
# 2. The compiler can run multiple times in the same process so it has to be
# able to re-initialize its dependent modules' state.
#
-sub initialize( $;$$$) {
+sub initialize($;$$$) {
( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
if ( $family == F_IPV4 ) {
@@ -4603,7 +4604,11 @@ sub New_Conntrack_Match() {
}
sub Old_Conntrack_Match() {
- ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+ if ( $family == F_IPV4 ) {
+ ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+ } else {
+ ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst ::1" );
+ }
}
sub Multiport() {
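Review bot: Old_Conntrack_Match now relies on the implicit value of an `if`/`else` as the sub's result, and the two probe strings differ only in the address literal; a single explicit return reads more clearly: `my $addr = $family == F_IPV4 ? '1.2.3.4' : '::1';` followed by `return ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst $addr" );`. Whether `$iptables` already names the IPv6 binary when `$family` is not F_IPV4 is not visible here; the probe assumes it does.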
@@ -5263,6 +5268,16 @@ sub require_capability( $$$ ) {
fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability, 1;
}
+sub require_mangle_capability( $$$ ) {
+ my ( $capability, $description, $singular ) = @_;
+
+ if ( $config{MANGLE_ENABLED} ) {
+ &require_capability( @_ );
+ } else {
+ fatal_error "$description " . ( $singular ? 'is' : 'are' ) . " not available when MANGLE_ENABLED=No in $shorewallrc{PRODUCT}.conf";
+ }
+}
+
#
# Return Kernel Version
#
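Review bot: The new require_mangle_capability has no header comment, unlike its neighbours (`# Return Kernel Version`); suggest a block above it such as `# Like require_capability(), but when MANGLE_ENABLED=No reports the feature as unavailable instead of probing for the capability`. The `&require_capability( @_ )` call is the one way to forward `@_` past that sub's `($$$)` prototype, but the three arguments are already unpacked on the line above, so `require_capability( $capability, $description, $singular );` does the same without the `&` form and without leaving `$capability` unused. The message interpolates `$shorewallrc{PRODUCT}` while the Tc.pm hunk in this commit uses `$shorewallrc{product}`; hash keys are case-sensitive, so one spelling is presumably wrong — worth checking which key initialize() actually populates.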
@@ -6607,6 +6622,7 @@ sub get_configuration( $$$ ) {
if ( supplied $config{ACCOUNTING_TABLE} ) {
my $value = $config{ACCOUNTING_TABLE};
fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle';
+ fatal_error "ACCOUNTING_TABLE=mangle not allowed with MANGLE_ENABLED=No" if $value eq 'mangle' and ! $config{MANGLE_ENABLED};
} else {
$config{ACCOUNTING_TABLE} = 'filter';
}
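Review bot: The new `fatal_error "ACCOUNTING_TABLE=mangle not allowed with MANGLE_ENABLED=No" if $value eq 'mangle' and ! $config{MANGLE_ENABLED};` tests `$config{MANGLE_ENABLED}` as a boolean, but the hunk does not show whether that setting has been defaulted and normalized by this point (the TC_ENABLED check that also consults it sits some 300 lines later); if normalization happens after this line, an unset MANGLE_ENABLED (empty string, defaulting to Yes) would trip the check while an explicit `No` (a true string) would not. If the ordering is as feared, move the check below the MANGLE_ENABLED processing or compare against the normalized value. get_configuration begins and ends outside the hunk.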
@@ -6682,7 +6698,7 @@ sub get_configuration( $$$ ) {
$config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
- require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
+ require_mangle_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
numeric_option 'TC_BITS' , 8, 0;
numeric_option 'MASK_BITS' , 8, 0;
@@ -6926,7 +6942,7 @@ sub get_configuration( $$$ ) {
if ( $config{TC_ENABLED} ) {
fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
- require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
+ require_mangle_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
}
if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
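Review bot: With `require_mangle_capability` on this line, the `fatal_error … unless $config{MANGLE_ENABLED}` immediately above makes the helper's MANGLE_ENABLED=No branch unreachable here, so the two lines carry the same check with two different messages. Either keep the explicit fatal_error and leave the call as `require_capability`, or drop the fatal_error and let the helper report it. get_configuration begins and ends outside the hunk.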
@@ -6943,9 +6959,7 @@ sub get_configuration( $$$ ) {
}
default 'RESTOREFILE' , 'restore';
-
default 'DROP_DEFAULT' , 'none';
-
default 'REJECT_DEFAULT' , 'none';
default 'BLACKLIST_DEFAULT' , 'none';
default 'QUEUE_DEFAULT' , 'none';
@@ -7009,9 +7023,9 @@ sub get_configuration( $$$ ) {
}
require_capability( 'MULTIPORT' , "Shorewall $globals{VERSION}" , 's' );
- require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL};
- require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{PROVIDER_OFFSET} > 0;
- require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED};
+ require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL};
+ require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{PROVIDER_OFFSET} > 0;
+ require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED};
if ( $config{WARNOLDCAPVERSION} ) {
if ( $capabilities{CAPVERSION} ) {
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index ccc5306b6..4505c8a19 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -97,7 +97,7 @@ sub setup_ecn()
if ( my $fn = open_file 'ecn' ) {
first_entry( sub { progress_message2 "$doing $fn...";
- require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
+ require_mangle_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
} );
@@ -679,18 +679,10 @@ sub create_docker_rules() {
my $chainref = $filter_table->{FORWARD};
- add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
- add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3', );
- add_commands( $chainref ,
- '',
- 'case "$g_dockernetwork" in',
- ' One)',
- ' echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
- ' ;;',
- ' Two)',
- ' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
- ' ;;',
- 'esac' );
+ add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3' );
+ add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3' );
+ add_commands( $chainref, '[ -n "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
+ add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
if ( my $dockerref = known_interface('docker0') ) {
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index e4e0fec81..745a331ef 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -594,7 +594,7 @@ sub process_a_provider( $ ) {
unless ( $options eq '-' ) {
for my $option ( split_list $options, 'option' ) {
if ( $option eq 'track' ) {
- require_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
+ require_mangle_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
$track = 1;
} elsif ( $option eq 'notrack' ) {
$track = 0;
@@ -714,7 +714,7 @@ sub process_a_provider( $ ) {
$mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
if ( $mark ne '-' ) {
- require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
+ require_mangle_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
if ( $tproxy && ! $local ) {
$val = $globals{TPROXY_MARK};
@@ -1180,14 +1180,14 @@ CEOF
emit "fi\n";
if ( get_interface_option( $interface, 'used_address_variable' ) ) {
- my $variable = interface_address( $interface );
+ my $variable = get_interface_address( $interface );
- emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
+ emit( "echo $variable > \${VARDIR}/${physical}.address" );
}
if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
- my $variable = interface_gateway( $interface );
- emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
+ my $variable = get_interface_gateway( $interface );
+ emit( qq(echo "$variable" > \${VARDIR}/${physical}.gateway\n) );
}
} else {
emit( qq(progress_message "Provider $table ($number) Started") );
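Review bot: The rewritten `emit( "echo $variable > \${VARDIR}/${physical}.address" );` leaves the shell expansion unquoted while the gateway line beside it quotes `"$variable"`; now that `get_interface_address` returns a shell expression rather than a bare variable name (the `\$` prefix was dropped), quoting it the same way avoids word-splitting if the expansion is empty or contains whitespace: `emit( qq(echo "$variable" > \${VARDIR}/${physical}.address) );`. The same asymmetry recurs in the handle_optional_interfaces hunk, where `[ \$(cat \${VARDIR}/${physical}.address) != $variable ]` is unquoted on both sides, so an empty expansion becomes a `[` syntax error, while the gateway comparison is quoted. What `get_interface_address`/`get_interface_gateway` return is not visible in this diff; this assumes a plain `$name`-style expansion. The enclosing block begins and ends outside the hunk.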
@@ -2323,22 +2323,22 @@ sub handle_optional_interfaces() {
emit( 'fi' );
if ( get_interface_option( $interface, 'used_address_variable' ) ) {
- my $variable = interface_address( $interface );
+ my $variable = get_interface_address( $interface );
emit( '',
"if [ -f \${VARDIR}/${physical}.address ]; then",
- " if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+ " if [ \$(cat \${VARDIR}/${physical}.address) != $variable ]; then",
' g_forcereload=Yes',
' fi',
'fi' );
}
if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
- my $variable = interface_gateway( $interface );
+ my $variable = get_interface_gateway( $interface );
emit( '',
"if [ -f \${VARDIR}/${physical}.gateway ]; then",
- " if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
+ " if [ \$(cat \${VARDIR}/${physical}.gateway) != \"$variable\" ]; then",
' g_forcereload=Yes',
' fi',
'fi' );
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 882db9112..68e5649e5 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -2455,7 +2455,7 @@ sub setup_tc( $ ) {
}
}
} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
- warning_message "The tcrules file is no longer supported -- use '$product update' to convert $fn to an equivalent 'mangle' file";
+ warning_message "The tcrules file is no longer supported -- use '$shorewallrc{product} update' to convert $fn to an equivalent 'mangle' file";
}
if ( my $fn = open_file( 'mangle', 1, 1 ) ) {
diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer
index f72f648c9..5b5ccba01 100644
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -148,7 +148,8 @@ g_compiled=
g_file=
g_docker=
g_dockeringress=
-g_dockernetwork=
+g_dockeriso=
+g_dockerisostage=
g_forcereload=
g_fallback=
diff --git a/Shorewall/Shorewall-targetname b/Shorewall/Shorewall-targetname
new file mode 100644
index 000000000..a29e62721
--- /dev/null
+++ b/Shorewall/Shorewall-targetname
@@ -0,0 +1 @@
+5.2.3.7
\ No newline at end of file
diff --git a/Shorewall6-lite/Shorewall-lite6-lite-targetname b/Shorewall6-lite/Shorewall-lite6-lite-targetname
new file mode 100644
index 000000000..e69de29bb
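Review bot: `Shorewall6-lite/Shorewall-lite6-lite-targetname` is added as an empty file (blob e69de29bb) and its name does not follow the `<dir>-targetname` pattern of the other new files, so it looks like a mis-typed duplicate of `Shorewall6-lite/Shorewall6-lite-targetname` left behind by accident; it should probably be dropped from the commit.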
diff --git a/Shorewall6-lite/Shorewall6-lite-targetname b/Shorewall6-lite/Shorewall6-lite-targetname
new file mode 100644
index 000000000..a29e62721
--- /dev/null
+++ b/Shorewall6-lite/Shorewall6-lite-targetname
@@ -0,0 +1 @@
+5.2.3.7
\ No newline at end of file
diff --git a/Shorewall6/Shorewall6-targetname b/Shorewall6/Shorewall6-targetname
new file mode 100644
index 000000000..a29e62721
--- /dev/null
+++ b/Shorewall6/Shorewall6-targetname
@@ -0,0 +1 @@
+5.2.3.7
\ No newline at end of file
diff --git a/docs/Docker.xml b/docs/Docker.xml
index 92150c98e..02b9bd186 100644
--- a/docs/Docker.xml
+++ b/docs/Docker.xml
@@ -13,6 +13,10 @@
Eastep
+
+
+ J Cliff Armstrong
+
@@ -20,6 +24,8 @@
2016
+ 2020
+
Thomas M. Eastep
@@ -57,6 +63,35 @@
restart or reload operation and
restores those rules along with the Shorewall-generated ruleset.
+
+ Shorewall currently doesn't support Docker Swarm mode.
+
+
+
+ On Debian and Debian-derived systems, systemctl restart
+ shorewall will lose Docker rules. You can work around this
+ issue using a method provided by J Cliff Armstrong:
+
+ Type as root:
+
+ systemctl edit shorewall.service
+
+ This will open the default terminal editor to a blank file in
+ which you can paste the following:
+
+ [Service]
+# reset ExecStop
+ExecStop=
+# set ExecStop to "stop" instead of "clear"
+ExecStop=/sbin/shorewall $OPTIONS stop
+
+
+ Then type systemctl daemon-reload to activate
+ the changes. This change will survive future updates of the shorewall
+ package from apt repositories. The override file itself will be saved to
+ `/etc/systemd/system/shorewall.service.d/`.
+
+
This support assumes that the default Docker bridge (docker0) is
being used. It is recommended that this bridge be defined to Shorewall in
- 2003-2015
+ 2003-2020
2019
@@ -173,18 +173,22 @@ dmz ipv4
file. In the three-interface sample, the three zones are defined using
that file as follows:
- #ZONE INTERFACE OPTIONS
-net NET_IF dhcp,routefilter
-loc LOC_IF
-dmz DMZ_IF
+ #ZONE INTERFACE OPTIONS
+net NET_IF tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc LOC_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
+dmz DMZ_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth2
The above file defines the net zone as all IPv4
hosts interfacing to the firewall through NET_IF, the
loc zone as all IPv4 hosts interfacing through LOC_IF
and the dmz as all IPv4 hosts interfacing through
- DMZ_IF. It is important to note that the composition of a zone is defined
- in terms of a combination of addresses and interfaces. When using the
+ logical names which are used throughout the configuration to
+ refer to the individual interfaces. The actual interface names are
+ specified using the physical option. It
+ is important to note that the composition of a zone is defined in terms of
+ a combination of addresses and
+ interfaces. When using the /etc/shorewall/interfaces
file to define a zone, all addresses are included; when you want to define
a zone that contains a limited subset of the IPv4 address space, you use
@@ -193,10 +197,12 @@ dmz DMZ_IF
file or you may use the nets= option in
/etc/shorewall/interfaces:
- #ZONE INTERFACE BROADCAST OPTIONS
-net NET_IF detect dhcp,routefilter,nets=(!192.168.0.0/23),physical=eth0
-loc LOC_IF detect nets=(192.168.0.0/24),physical=eth1
-dmz DMZ_IF detect nets=(192.168.1.0/24),physical=eth2
+ #ZONE INTERFACE OPTIONS
+net NET_IF tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc LOC_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth1,nets=172.20.1.0/24
+dmz DMZ_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth2
+
The above file defines the net zone as all IPv4
hosts interfacing to the firewall through eth0 except
diff --git a/docs/docs-targetname b/docs/docs-targetname
new file mode 100644
index 000000000..a29e62721
--- /dev/null
+++ b/docs/docs-targetname
@@ -0,0 +1 @@
+5.2.3.7
\ No newline at end of file
diff --git a/docs/html.css b/docs/html.css
new file mode 100644
index 000000000..db17dd1f2
--- /dev/null
+++ b/docs/html.css
@@ -0,0 +1,188 @@
+/* global styles */
+body {
+ font-family: sans-serif;
+}
+div {
+ border: 0;
+ padding: 0.5em;
+}
+img {
+ border: 0;
+}
+hr {
+ color: #8b8b8b;
+}
+h4 {
+ text-align: center;
+ font-weight: bold;
+ padding: 0.25em 0.5em;
+ margin: 0 0 1px;
+}
+.quote {
+ font-style: italic;
+ text-align: center;
+}
+.strong {
+ font-weight: bold;
+}
+.warning {
+ font-weight: bold;
+ color: #ff0000;
+}
+a {
+ display: block;
+ border-width: 0;
+ text-decoration: none;
+ color: #0060b5;
+ background: #ffffff;
+}
+a:hover {
+ color: #ffffff;
+ background: #0060b5;
+}
+/* header styles */
+div#header {
+ position: absolute;
+ font-size: small;
+ top: 0;
+ left: 0;
+ height: 100px;
+ width: 95%;
+ margin: 10px;
+}
+div#header p {
+ text-align: center;
+}
+div#header div#search-form {
+ float: left;
+ margin: 0;
+ padding: 0;
+}
+div#header div#search-form input#search-text {
+ background-color: #ffffff;
+ color: #0060b5;
+ font-size: small;
+ border: 1px solid;
+ vertical-align: middle;
+}
+div#header div#search-form input#submit-button {
+ background-color: #ffffff;
+ color: #0060b5;
+ font-size: small;
+ font-weight: bold;
+ -moz-border-radius: 5px;
+ -webkit-border-radius: 5px;
+ border-radius:6px;
+ text-decoration: none;
+ cursor: pointer;
+ border: 1px solid;
+ vertical-align: middle;
+}
+div#header div#search-form input#submit-button:hover {
+ border: 1px solid;
+ background-color: #0060b5;
+ color: #ffffff;
+ box-shadow: 0px 0px 1px #777;
+}
+div#header div#ml-search {
+ float: right;
+ margin: 0;
+ padding: 0;
+}
+div#header div#logo {
+ margin: 0;
+ padding: 0;
+ clear: both;
+}
+/* sidebar styles */
+div#sidebar {
+ position: fixed;
+ top: 125px;
+ left: 0;
+ width: 15%;
+ margin: 10px;
+ font-size: small;
+}
+div#sidebar:hover {
+ background-position: 0px 0px;
+}
+div#sidebar a {
+ text-align: center;
+ -moz-border-radius: 5px;
+ -webkit-border-radius: 5px;
+ border-radius:6px;
+}
+/* menu styles */
+/* main panel styles */
+div#main {
+ position: absolute;
+ top: 150px;
+ left: 16%;
+ width: 62%;
+ margin: 10px;
+}
+div#main a {
+ display: inline;
+ padding: 0;
+}
+div#main a:hover {
+ color: #0060b5;
+ background: #ffffff;
+ text-decoration: underline;
+}
+/* content styles */
+div#content div {
+ padding: 0;
+}
+div#content code, pre {
+ font: 100% monospace;
+}
+div#content table {
+ width: 100%;
+}
+div#content table#changelog {
+ font-size: x-small;
+}
+/* footer styles */
+div#footer p {
+ text-align: center;
+ font-size: small;
+}
+div#footer table {
+ margin-left: auto;
+ margin-right: auto;
+}
+/* doc panel styles */
+div#doc {
+ float: right;
+ top: 125px;
+ left: 80%;
+ width: 15%;
+ margin: 125px 10px 10px 10px;
+ font-size: small;
+}
+div#doc:hover {
+ background-position: 0px 0px;
+}
+div#doc a {
+ padding: 0 5px 0 5px;
+ -moz-border-radius: 5px;
+ -webkit-border-radius: 5px;
+ border-radius:6px;
+}
+div#doc p.go-top, div#doc p.go-top a, div#doc p.go-top a:hover {
+ opacity: 0.75;
+ filter:alpha(opacity=75); /* For IE8 and earlier */
+ position: fixed;
+ bottom: 0.5em;
+ right: 0.5em;
+ text-decoration: none;
+ font-size: small;
+ padding: 0;
+ display: block;
+}
+div#doc p.go-top a:hover {
+ opacity: 1.0;
+ filter:alpha(opacity=100); /* For IE8 and earlier */
+}
+
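Review bot: In `div#content code, pre { font: 100% monospace; }` the second selector is not scoped to `div#content` (the comma starts a new selector), so every `pre` on the page picks up the rule; if the scoping is intended it should read `div#content code, div#content pre {`. The global `a { display: block; … }` also turns every link into a block element and only `div#main a` resets it to inline, so links in the header, footer and doc panels render as blocks — fine if that is the design, but a short comment on the `a` rule would save the next reader from assuming it is a mistake.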
diff --git a/docs/images/docs-images-targetname b/docs/images/docs-images-targetname
new file mode 100644
index 000000000..a29e62721
--- /dev/null
+++ b/docs/images/docs-images-targetname
@@ -0,0 +1 @@
+5.2.3.7
\ No newline at end of file