Compare commits
27 Commits
4.5.4-Beta
...
4.5.4-base
Author | SHA1 | Date | |
---|---|---|---|
|
db50454afc | ||
|
3a5875dc73 | ||
|
5211b32aa6 | ||
|
92ce190bf0 | ||
|
182a4c3080 | ||
|
ab2376d61d | ||
|
f147046288 | ||
|
daaf3c031f | ||
|
73e5bb0374 | ||
|
6b23eff650 | ||
|
ef974b5c8d | ||
|
d8ec051114 | ||
|
84f92aa87c | ||
|
70e4c26df1 | ||
|
db96f6ead2 | ||
|
f0a3e1652a | ||
|
56b8a9b9fa | ||
|
231c5dbca0 | ||
|
1a9789a3da | ||
|
f15e6d3995 | ||
|
3f42350a7b | ||
|
e8648c993d | ||
|
cb72948739 | ||
|
55c88e8e81 | ||
|
e086067567 | ||
|
f5f80d2ccc | ||
|
d1519345c4 |
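--- /dev/null
+++ b/Shorewall/Macros/macro.MSSQL
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - MSSQL Macro
+#
+# /usr/share/shorewall/macro.MSSQL
+#
+# This macro handles MSSQL (Microsoft SQL Server)
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 1433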
@@ -29,6 +29,7 @@ require Exporter;
|
||||
|
||||
use Scalar::Util 'reftype';
|
||||
use Digest::SHA qw(sha1);
|
||||
use File::Basename;
|
||||
use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::IPAddrs;
|
||||
@@ -565,7 +566,10 @@ my %aliases = ( protocol => 'p',
|
||||
|
||||
my @unique_options = ( qw/p dport sport icmp-type icmpv6-type s d i o/ );
|
||||
|
||||
our %isocodes;
|
||||
my %isocodes;
|
||||
|
||||
use constant { ISODIR => '/usr/share/xt_geoip/LE' };
|
||||
|
||||
#
|
||||
# Rather than initializing globals in an INIT block or during declaration,
|
||||
# we initialize them in a function. This is done for two reasons:
|
||||
@@ -635,453 +639,7 @@ sub initialize( $$$ ) {
|
||||
snmp => UDP,
|
||||
tftp => UDP);
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
%isocodes = (
|
||||
A1 => "Anonymous Proxy" ,
|
||||
A2 => "Satellite Provider" ,
|
||||
AD => "Andorra" ,
|
||||
AE => "United Arab Emirates" ,
|
||||
AF => "Afghanistan" ,
|
||||
AG => "Antigua and Barbuda" ,
|
||||
AI => "Anguilla" ,
|
||||
AL => "Albania" ,
|
||||
AM => "Armenia" ,
|
||||
AN => "Netherlands Antilles" ,
|
||||
AO => "Angola" ,
|
||||
AP => "Asia/Pacific Region" ,
|
||||
AQ => "Antarctica" ,
|
||||
AR => "Argentina" ,
|
||||
AS => "American Samoa" ,
|
||||
AT => "Austria" ,
|
||||
AU => "Australia" ,
|
||||
AW => "Aruba" ,
|
||||
AX => "Aland Islands" ,
|
||||
AZ => "Azerbaijan" ,
|
||||
BA => "Bosnia and Herzegovina" ,
|
||||
BB => "Barbados" ,
|
||||
BD => "Bangladesh" ,
|
||||
BE => "Belgium" ,
|
||||
BF => "Burkina Faso" ,
|
||||
BG => "Bulgaria" ,
|
||||
BH => "Bahrain" ,
|
||||
BI => "Burundi" ,
|
||||
BJ => "Benin" ,
|
||||
BM => "Bermuda" ,
|
||||
BN => "Brunei Darussalam" ,
|
||||
BO => "Bolivia" ,
|
||||
BR => "Brazil" ,
|
||||
BS => "Bahamas" ,
|
||||
BT => "Bhutan" ,
|
||||
BV => "Bouvet Island" ,
|
||||
BW => "Botswana" ,
|
||||
BY => "Belarus" ,
|
||||
BZ => "Belize" ,
|
||||
CA => "Canada" ,
|
||||
CC => "Cocos (Keeling) Islands" ,
|
||||
CD => "Congo, The Democratic Republic of the" ,
|
||||
CF => "Central African Republic" ,
|
||||
CG => "Congo" ,
|
||||
CH => "Switzerland" ,
|
||||
CI => "Cote D'Ivoire" ,
|
||||
CK => "Cook Islands" ,
|
||||
CL => "Chile" ,
|
||||
CM => "Cameroon" ,
|
||||
CN => "China" ,
|
||||
CO => "Colombia" ,
|
||||
CR => "Costa Rica" ,
|
||||
CU => "Cuba" ,
|
||||
CV => "Cape Verde" ,
|
||||
CX => "Christmas Island" ,
|
||||
CY => "Cyprus" ,
|
||||
CZ => "Czech Republic" ,
|
||||
DE => "Germany" ,
|
||||
DJ => "Djibouti" ,
|
||||
DK => "Denmark" ,
|
||||
DM => "Dominica" ,
|
||||
DO => "Dominican Republic" ,
|
||||
DZ => "Algeria" ,
|
||||
EC => "Ecuador" ,
|
||||
EE => "Estonia" ,
|
||||
EG => "Egypt" ,
|
||||
EH => "Western Sahara" ,
|
||||
ER => "Eritrea" ,
|
||||
ES => "Spain" ,
|
||||
ET => "Ethiopia" ,
|
||||
EU => "Europe" ,
|
||||
FI => "Finland" ,
|
||||
FJ => "Fiji" ,
|
||||
FK => "Falkland Islands (Malvinas)" ,
|
||||
FM => "Micronesia, Federated States of" ,
|
||||
FO => "Faroe Islands" ,
|
||||
FR => "France" ,
|
||||
GA => "Gabon" ,
|
||||
GB => "United Kingdom" ,
|
||||
GD => "Grenada" ,
|
||||
GE => "Georgia" ,
|
||||
GF => "French Guiana" ,
|
||||
GG => "Guernsey" ,
|
||||
GH => "Ghana" ,
|
||||
GI => "Gibraltar" ,
|
||||
GL => "Greenland" ,
|
||||
GM => "Gambia" ,
|
||||
GN => "Guinea" ,
|
||||
GP => "Guadeloupe" ,
|
||||
GQ => "Equatorial Guinea" ,
|
||||
GR => "Greece" ,
|
||||
GS => "South Georgia and the South Sandwich Islands" ,
|
||||
GT => "Guatemala" ,
|
||||
GU => "Guam" ,
|
||||
GW => "Guinea-Bissau" ,
|
||||
GY => "Guyana" ,
|
||||
HK => "Hong Kong" ,
|
||||
HN => "Honduras" ,
|
||||
HR => "Croatia" ,
|
||||
HT => "Haiti" ,
|
||||
HU => "Hungary" ,
|
||||
ID => "Indonesia" ,
|
||||
IE => "Ireland" ,
|
||||
IL => "Israel" ,
|
||||
IM => "Isle of Man" ,
|
||||
IN => "India" ,
|
||||
IO => "British Indian Ocean Territory" ,
|
||||
IQ => "Iraq" ,
|
||||
IR => "Iran, Islamic Republic of" ,
|
||||
IS => "Iceland" ,
|
||||
IT => "Italy" ,
|
||||
JE => "Jersey" ,
|
||||
JM => "Jamaica" ,
|
||||
JO => "Jordan" ,
|
||||
JP => "Japan" ,
|
||||
KE => "Kenya" ,
|
||||
KG => "Kyrgyzstan" ,
|
||||
KH => "Cambodia" ,
|
||||
KI => "Kiribati" ,
|
||||
KM => "Comoros" ,
|
||||
KN => "Saint Kitts and Nevis" ,
|
||||
KP => "Korea, Democratic People's Republic of" ,
|
||||
KR => "Korea, Republic of" ,
|
||||
KW => "Kuwait" ,
|
||||
KY => "Cayman Islands" ,
|
||||
KZ => "Kazakhstan" ,
|
||||
LA => "Lao People's Democratic Republic" ,
|
||||
LB => "Lebanon" ,
|
||||
LC => "Saint Lucia" ,
|
||||
LI => "Liechtenstein" ,
|
||||
LK => "Sri Lanka" ,
|
||||
LR => "Liberia" ,
|
||||
LS => "Lesotho" ,
|
||||
LT => "Lithuania" ,
|
||||
LU => "Luxembourg" ,
|
||||
LV => "Latvia" ,
|
||||
LY => "Libyan Arab Jamahiriya" ,
|
||||
MA => "Morocco" ,
|
||||
MC => "Monaco" ,
|
||||
MD => "Moldova, Republic of" ,
|
||||
ME => "Montenegro" ,
|
||||
MG => "Madagascar" ,
|
||||
MH => "Marshall Islands" ,
|
||||
MK => "Macedonia" ,
|
||||
ML => "Mali" ,
|
||||
MM => "Myanmar" ,
|
||||
MN => "Mongolia" ,
|
||||
MO => "Macau" ,
|
||||
MP => "Northern Mariana Islands" ,
|
||||
MQ => "Martinique" ,
|
||||
MR => "Mauritania" ,
|
||||
MS => "Montserrat" ,
|
||||
MT => "Malta" ,
|
||||
MU => "Mauritius" ,
|
||||
MV => "Maldives" ,
|
||||
MW => "Malawi" ,
|
||||
MX => "Mexico" ,
|
||||
MY => "Malaysia" ,
|
||||
MZ => "Mozambique" ,
|
||||
NA => "Namibia" ,
|
||||
NC => "New Caledonia" ,
|
||||
NE => "Niger" ,
|
||||
NF => "Norfolk Island" ,
|
||||
NG => "Nigeria" ,
|
||||
NI => "Nicaragua" ,
|
||||
NL => "Netherlands" ,
|
||||
NO => "Norway" ,
|
||||
NP => "Nepal" ,
|
||||
NR => "Nauru" ,
|
||||
NU => "Niue" ,
|
||||
NZ => "New Zealand" ,
|
||||
OM => "Oman" ,
|
||||
PA => "Panama" ,
|
||||
PE => "Peru" ,
|
||||
PF => "French Polynesia" ,
|
||||
PG => "Papua New Guinea" ,
|
||||
PH => "Philippines" ,
|
||||
PK => "Pakistan" ,
|
||||
PL => "Poland" ,
|
||||
PM => "Saint Pierre and Miquelon" ,
|
||||
PR => "Puerto Rico" ,
|
||||
PS => "Palestinian Territory, Occupied" ,
|
||||
PT => "Portugal" ,
|
||||
PW => "Palau" ,
|
||||
PY => "Paraguay" ,
|
||||
QA => "Qatar" ,
|
||||
RE => "Reunion" ,
|
||||
RO => "Romania" ,
|
||||
RS => "Serbia" ,
|
||||
RU => "Russian Federation" ,
|
||||
RW => "Rwanda" ,
|
||||
SA => "Saudi Arabia" ,
|
||||
SB => "Solomon Islands" ,
|
||||
SC => "Seychelles" ,
|
||||
SD => "Sudan" ,
|
||||
SE => "Sweden" ,
|
||||
SG => "Singapore" ,
|
||||
SH => "Saint Helena" ,
|
||||
SI => "Slovenia" ,
|
||||
SJ => "Svalbard and Jan Mayen" ,
|
||||
SK => "Slovakia" ,
|
||||
SL => "Sierra Leone" ,
|
||||
SM => "San Marino" ,
|
||||
SN => "Senegal" ,
|
||||
SO => "Somalia" ,
|
||||
SR => "Suriname" ,
|
||||
ST => "Sao Tome and Principe" ,
|
||||
SV => "El Salvador" ,
|
||||
SY => "Syrian Arab Republic" ,
|
||||
SZ => "Swaziland" ,
|
||||
TC => "Turks and Caicos Islands" ,
|
||||
TD => "Chad" ,
|
||||
TF => "French Southern Territories" ,
|
||||
TG => "Togo" ,
|
||||
TH => "Thailand" ,
|
||||
TJ => "Tajikistan" ,
|
||||
TK => "Tokelau" ,
|
||||
TL => "Timor-Leste" ,
|
||||
TM => "Turkmenistan" ,
|
||||
TN => "Tunisia" ,
|
||||
TO => "Tonga" ,
|
||||
TR => "Turkey" ,
|
||||
TT => "Trinidad and Tobago" ,
|
||||
TV => "Tuvalu" ,
|
||||
TW => "Taiwan" ,
|
||||
TZ => "Tanzania, United Republic of" ,
|
||||
UA => "Ukraine" ,
|
||||
UG => "Uganda" ,
|
||||
UM => "United States Minor Outlying Islands" ,
|
||||
US => "United States" ,
|
||||
UY => "Uruguay" ,
|
||||
UZ => "Uzbekistan" ,
|
||||
VA => "Holy See (Vatican City State)" ,
|
||||
VC => "Saint Vincent and the Grenadines" ,
|
||||
VE => "Venezuela" ,
|
||||
VG => "Virgin Islands, British" ,
|
||||
VI => "Virgin Islands, U.S." ,
|
||||
VN => "Vietnam" ,
|
||||
VU => "Vanuatu" ,
|
||||
WF => "Wallis and Futuna" ,
|
||||
WS => "Samoa" ,
|
||||
YE => "Yemen" ,
|
||||
YT => "Mayotte" ,
|
||||
ZA => "South Africa" ,
|
||||
ZM => "Zambia" ,
|
||||
ZW => "Zimbabwe" ,
|
||||
)
|
||||
} else {
|
||||
%isocodes = (
|
||||
AD => "Andorra" ,
|
||||
AE => "United Arab Emirates" ,
|
||||
AF => "Afghanistan" ,
|
||||
AL => "Albania" ,
|
||||
AM => "Armenia" ,
|
||||
AO => "Angola" ,
|
||||
AP => "Asia/Pacific Region" ,
|
||||
AR => "Argentina" ,
|
||||
AS => "American Samoa" ,
|
||||
AT => "Austria" ,
|
||||
AU => "Australia" ,
|
||||
AW => "Aruba" ,
|
||||
AZ => "Azerbaijan" ,
|
||||
BA => "Bosnia and Herzegovina" ,
|
||||
BD => "Bangladesh" ,
|
||||
BE => "Belgium" ,
|
||||
BF => "Burkina Faso" ,
|
||||
BG => "Bulgaria" ,
|
||||
BH => "Bahrain" ,
|
||||
BI => "Burundi" ,
|
||||
BJ => "Benin" ,
|
||||
BM => "Bermuda" ,
|
||||
BN => "Brunei Darussalam" ,
|
||||
BO => "Bolivia" ,
|
||||
BR => "Brazil" ,
|
||||
BS => "Bahamas" ,
|
||||
BT => "Bhutan" ,
|
||||
BW => "Botswana" ,
|
||||
BY => "Belarus" ,
|
||||
BZ => "Belize" ,
|
||||
CA => "Canada" ,
|
||||
CD => "Congo, The Democratic Republic of the" ,
|
||||
CH => "Switzerland" ,
|
||||
CI => "Cote D'Ivoire" ,
|
||||
CK => "Cook Islands" ,
|
||||
CL => "Chile" ,
|
||||
CM => "Cameroon" ,
|
||||
CN => "China" ,
|
||||
CO => "Colombia" ,
|
||||
CR => "Costa Rica" ,
|
||||
CU => "Cuba" ,
|
||||
CW => "" ,
|
||||
CY => "Cyprus" ,
|
||||
CZ => "Czech Republic" ,
|
||||
DE => "Germany" ,
|
||||
DJ => "Djibouti" ,
|
||||
DK => "Denmark" ,
|
||||
DO => "Dominican Republic" ,
|
||||
DZ => "Algeria" ,
|
||||
EC => "Ecuador" ,
|
||||
EE => "Estonia" ,
|
||||
EG => "Egypt" ,
|
||||
ES => "Spain" ,
|
||||
EU => "Europe" ,
|
||||
FI => "Finland" ,
|
||||
FJ => "Fiji" ,
|
||||
FM => "Micronesia, Federated States of" ,
|
||||
FO => "Faroe Islands" ,
|
||||
FR => "France" ,
|
||||
GB => "United Kingdom" ,
|
||||
GD => "Grenada" ,
|
||||
GE => "Georgia" ,
|
||||
GG => "Guernsey" ,
|
||||
GH => "Ghana" ,
|
||||
GI => "Gibraltar" ,
|
||||
GL => "Greenland" ,
|
||||
GM => "Gambia" ,
|
||||
GP => "Guadeloupe" ,
|
||||
GR => "Greece" ,
|
||||
GT => "Guatemala" ,
|
||||
GU => "Guam" ,
|
||||
GY => "Guyana" ,
|
||||
HK => "Hong Kong" ,
|
||||
HN => "Honduras" ,
|
||||
HR => "Croatia" ,
|
||||
HT => "Haiti" ,
|
||||
HU => "Hungary" ,
|
||||
ID => "Indonesia" ,
|
||||
IE => "Ireland" ,
|
||||
IL => "Israel" ,
|
||||
IM => "Isle of Man" ,
|
||||
IN => "India" ,
|
||||
IQ => "Iraq" ,
|
||||
IR => "Iran, Islamic Republic of" ,
|
||||
IS => "Iceland" ,
|
||||
IT => "Italy" ,
|
||||
JE => "Jersey" ,
|
||||
JM => "Jamaica" ,
|
||||
JO => "Jordan" ,
|
||||
JP => "Japan" ,
|
||||
KE => "Kenya" ,
|
||||
KG => "Kyrgyzstan" ,
|
||||
KH => "Cambodia" ,
|
||||
KN => "Saint Kitts and Nevis" ,
|
||||
KR => "Korea, Republic of" ,
|
||||
KW => "Kuwait" ,
|
||||
KY => "Cayman Islands" ,
|
||||
KZ => "Kazakhstan" ,
|
||||
LA => "Lao People's Democratic Republic" ,
|
||||
LB => "Lebanon" ,
|
||||
LI => "Liechtenstein" ,
|
||||
LK => "Sri Lanka" ,
|
||||
LS => "Lesotho" ,
|
||||
LT => "Lithuania" ,
|
||||
LU => "Luxembourg" ,
|
||||
LV => "Latvia" ,
|
||||
LY => "Libyan Arab Jamahiriya" ,
|
||||
MA => "Morocco" ,
|
||||
MC => "Monaco" ,
|
||||
MD => "Moldova, Republic of" ,
|
||||
ME => "Montenegro" ,
|
||||
MG => "Madagascar" ,
|
||||
MH => "Marshall Islands" ,
|
||||
MK => "Macedonia" ,
|
||||
ML => "Mali" ,
|
||||
MM => "Myanmar" ,
|
||||
MN => "Mongolia" ,
|
||||
MO => "Macau" ,
|
||||
MT => "Malta" ,
|
||||
MU => "Mauritius" ,
|
||||
MV => "Maldives" ,
|
||||
MW => "Malawi" ,
|
||||
MX => "Mexico" ,
|
||||
MY => "Malaysia" ,
|
||||
MZ => "Mozambique" ,
|
||||
NA => "Namibia" ,
|
||||
NC => "New Caledonia" ,
|
||||
NF => "Norfolk Island" ,
|
||||
NG => "Nigeria" ,
|
||||
NI => "Nicaragua" ,
|
||||
NL => "Netherlands" ,
|
||||
NO => "Norway" ,
|
||||
NP => "Nepal" ,
|
||||
NR => "Nauru" ,
|
||||
NU => "Niue" ,
|
||||
NZ => "New Zealand" ,
|
||||
OM => "Oman" ,
|
||||
PA => "Panama" ,
|
||||
PE => "Peru" ,
|
||||
PF => "French Polynesia" ,
|
||||
PG => "Papua New Guinea" ,
|
||||
PH => "Philippines" ,
|
||||
PK => "Pakistan" ,
|
||||
PL => "Poland" ,
|
||||
PR => "Puerto Rico" ,
|
||||
PS => "Palestinian Territory" ,
|
||||
PT => "Portugal" ,
|
||||
PW => "Palau" ,
|
||||
PY => "Paraguay" ,
|
||||
QA => "Qatar" ,
|
||||
RO => "Romania" ,
|
||||
RS => "Serbia" ,
|
||||
RU => "Russian Federation" ,
|
||||
RW => "Rwanda" ,
|
||||
SA => "Saudi Arabia" ,
|
||||
SB => "Solomon Islands" ,
|
||||
SC => "Seychelles" ,
|
||||
SD => "Sudan" ,
|
||||
SE => "Sweden" ,
|
||||
SG => "Singapore" ,
|
||||
SI => "Slovenia" ,
|
||||
SK => "Slovakia" ,
|
||||
SL => "Sierra Leone" ,
|
||||
SM => "San Marino" ,
|
||||
SN => "Senegal" ,
|
||||
SO => "Somalia" ,
|
||||
ST => "Sao Tome and Principe" ,
|
||||
SV => "El Salvador" ,
|
||||
SY => "Syrian Arab Republic" ,
|
||||
SZ => "Swaziland" ,
|
||||
TH => "Thailand" ,
|
||||
TK => "Tokelau" ,
|
||||
TN => "Tunisia" ,
|
||||
TO => "Tonga" ,
|
||||
TR => "Turkey" ,
|
||||
TT => "Trinidad and Tobago" ,
|
||||
TV => "Tuvalu" ,
|
||||
TW => "Taiwan" ,
|
||||
TZ => "Tanzania, United Republic of" ,
|
||||
UA => "Ukraine" ,
|
||||
UG => "Uganda" ,
|
||||
US => "United States" ,
|
||||
UY => "Uruguay" ,
|
||||
UZ => "Uzbekistan" ,
|
||||
VA => "Holy See (Vatican City State)" ,
|
||||
VE => "Venezuela" ,
|
||||
VI => "Virgin Islands, U.S." ,
|
||||
VN => "Vietnam" ,
|
||||
VU => "Vanuatu" ,
|
||||
WS => "Samoa" ,
|
||||
YE => "Yemen" ,
|
||||
ZA => "South Africa" ,
|
||||
ZM => "Zambia" ,
|
||||
ZW => "Zimbabwe" ,
|
||||
);
|
||||
}
|
||||
%isocodes = ();
|
||||
|
||||
#
|
||||
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
|
||||
@@ -1297,7 +855,7 @@ sub set_rule_target( $$$ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Convert an trule into iptables input
|
||||
# Convert an irule into iptables input
|
||||
#
|
||||
# First, a helper function that formats a single option
|
||||
#
|
||||
@@ -2978,15 +2536,22 @@ sub optimize_chain( $ ) {
|
||||
my $chainref = shift;
|
||||
|
||||
if ( $chainref->{referenced} ) {
|
||||
my $rules = $chainref->{rules};
|
||||
my $count = 0;
|
||||
my $rules = $chainref->{rules};
|
||||
my $count = 0;
|
||||
my $rulecount = @$rules - 1;
|
||||
|
||||
pop @$rules; # Pop the plain -j ACCEPT rule at the end of the chain
|
||||
my $lastrule = pop @$rules; # Pop the plain -j ACCEPT rule at the end of the chain
|
||||
|
||||
pop @$rules, $count++ while @$rules && $rules->[-1]->{target} eq 'ACCEPT';
|
||||
while ( @$rules && $rules->[-1]->{target} eq 'ACCEPT' ) {
|
||||
my $rule = pop @$rules;
|
||||
|
||||
trace( $chainref, 'D', $rulecount , $rule ) if $debug;
|
||||
$count++;
|
||||
$rulecount--;
|
||||
}
|
||||
|
||||
if ( @${rules} ) {
|
||||
add_ijump $chainref, j => 'ACCEPT';
|
||||
push @$rules, $lastrule;
|
||||
my $type = $chainref->{builtin} ? 'builtin' : 'policy';
|
||||
progress_message " $count ACCEPT rules deleted from $type chain $chainref->{name}" if $count;
|
||||
} elsif ( $chainref->{builtin} ) {
|
||||
@@ -3302,6 +2867,47 @@ sub optimize_level4( $$ ) {
|
||||
$progress = 1 if replace_references1 $chainref, $firstrule;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
#
|
||||
# Chain has more than one rule. If the last rule is a simple jump, then delete
|
||||
# all immediately preceding rules that have the same target
|
||||
#
|
||||
my $rulesref = $chainref->{rules};
|
||||
my $lastref = $rulesref->[-1];
|
||||
|
||||
if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) {
|
||||
my $target = $lastref->{target};
|
||||
my $count = 0;
|
||||
my $rule = @$rulesref - 1;
|
||||
|
||||
pop @$rulesref; #Pop the last simple rule
|
||||
|
||||
while ( @$rulesref ) {
|
||||
my $rule1ref = $rulesref->[-1];
|
||||
|
||||
last unless ( $rule1ref->{target} || '' ) eq $target && ! $rule1ref->{targetopts};
|
||||
|
||||
trace ( $chainref, 'D', $rule, $rule1ref ) if $debug;
|
||||
|
||||
pop @$rulesref;
|
||||
$progress = 1;
|
||||
$count++;
|
||||
$rule--;
|
||||
}
|
||||
|
||||
if ( @$rulesref || ! $chainref->{builtin} || $target !~ /^(?:ACCEPT|DROP|REJECT)$/ ) {
|
||||
push @$rulesref, $lastref; # Restore the last simple rule
|
||||
} else {
|
||||
#
|
||||
#empty builtin chain -- change it's policy
|
||||
#
|
||||
$chainref->{policy} = $target;
|
||||
trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug;
|
||||
$count++;
|
||||
}
|
||||
|
||||
progress_message " $count $target rules deleted from chain $chainref->{name}" if $count;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -3659,17 +3265,32 @@ sub optimize_level16( $$$ ) {
|
||||
$passes++;
|
||||
}
|
||||
|
||||
sub optimize_ruleset() {
|
||||
for my $table ( qw/raw rawpost mangle nat filter/ ) {
|
||||
#
|
||||
# Return an array of valid Netfilter tables
|
||||
#
|
||||
sub valid_tables() {
|
||||
my @table_list;
|
||||
|
||||
next if $family == F_IPV6 && $table eq 'nat';
|
||||
push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
|
||||
push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
|
||||
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
|
||||
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'filter';
|
||||
|
||||
@table_list;
|
||||
}
|
||||
|
||||
sub optimize_ruleset() {
|
||||
|
||||
for my $table ( valid_tables ) {
|
||||
|
||||
my $tableref = $chain_table{$table};
|
||||
my $passes = 0;
|
||||
my $optimize = $config{OPTIMIZE};
|
||||
|
||||
$passes = optimize_level4( $table, $tableref ) if $config{OPTIMIZE} & 4;
|
||||
$passes = optimize_level8( $table, $tableref , $passes ) if $config{OPTIMIZE} & 8;
|
||||
$passes = optimize_level16( $table, $tableref , $passes ) if $config{OPTIMIZE} & 16;
|
||||
$passes = optimize_level4( $table, $tableref ) if $optimize & 4;
|
||||
$passes = optimize_level8( $table, $tableref , $passes ) if $optimize & 8;
|
||||
$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16;
|
||||
|
||||
progress_message " Table $table Optimized -- Passes = $passes";
|
||||
progress_message '';
|
||||
@@ -3713,7 +3334,7 @@ sub set_mss( $$$ ) {
|
||||
sub imatch_source_dev( $;$ );
|
||||
sub imatch_dest_dev( $;$ );
|
||||
sub imatch_source_net( $;$\$ );
|
||||
sub imatch_dest_net( $ );
|
||||
sub imatch_dest_net( $;$ );
|
||||
|
||||
sub newmsschain( ) {
|
||||
my $seq = $chainseq{filter}++;
|
||||
@@ -5067,6 +4688,21 @@ sub conditional_rule_end( $ ) {
|
||||
add_commands( $chainref , "fi\n" );
|
||||
}
|
||||
|
||||
#
|
||||
# Populate %isocodes from the GeoIP database directory
|
||||
#
|
||||
sub load_isocodes() {
|
||||
my $isodir = $config{GEOIPDIR} || ISODIR;
|
||||
|
||||
fatal_error "GEOIPDIR ($isodir) does not exist" unless -d $isodir;
|
||||
|
||||
my @codes = `ls $isodir/*$family 2>/dev/null`;
|
||||
|
||||
fatal_error "$isodir contains no IPv${family} entries" unless @codes;
|
||||
|
||||
$isocodes{substr(basename($_),0,2)} = 1 for @codes;
|
||||
}
|
||||
|
||||
sub mysplit( $;$ );
|
||||
|
||||
#
|
||||
@@ -5109,11 +4745,19 @@ sub match_source_net( $;$\$ ) {
|
||||
return $result;
|
||||
}
|
||||
|
||||
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
|
||||
if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
|
||||
fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
|
||||
|
||||
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
||||
|
||||
load_isocodes unless %isocodes;
|
||||
|
||||
my @countries = split_list $2, 'country-code';
|
||||
|
||||
fatal_error "Too many Country Codes ($2)" if @countries > 15;
|
||||
|
||||
for ( split_list $2, 'cc' ) {
|
||||
fatal_error "Unknown or invalid Country Code" unless $isocodes{$_};
|
||||
for ( @countries ) {
|
||||
fatal_error "Unknown or invalid Country Code ($_)" unless $isocodes{$_};
|
||||
}
|
||||
|
||||
return join( '', '-m geoip ', $1 ? '! ' : '', '--src-cc ', $2 , ' ');
|
||||
@@ -5173,11 +4817,19 @@ sub imatch_source_net( $;$\$ ) {
|
||||
return \@result;
|
||||
}
|
||||
|
||||
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
|
||||
if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
|
||||
fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
|
||||
|
||||
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
||||
|
||||
for ( split_list $2, 'cc' ) {
|
||||
fatal_error "Unknown or invalid Country Code" unless $isocodes{$_};
|
||||
load_isocodes unless %isocodes;
|
||||
|
||||
my @countries = split_list $2, 'country-code';
|
||||
|
||||
fatal_error "Too many Country Codes ($2)" if @countries > 15;
|
||||
|
||||
for ( @countries ) {
|
||||
fatal_error "Unknown or invalid Country Code ($_)" unless $isocodes{$_};
|
||||
}
|
||||
|
||||
return ( geoip => , join( '', $1 ? '! ' : '', '--src-cc ', $2 ) );
|
||||
@@ -5203,8 +4855,10 @@ sub imatch_source_net( $;$\$ ) {
|
||||
#
|
||||
# Match a Destination.
|
||||
#
|
||||
sub match_dest_net( $ ) {
|
||||
my $net = $_[0];
|
||||
sub match_dest_net( $;$ ) {
|
||||
my ( $net, $restriction ) = @_;
|
||||
|
||||
$restriction |= 0;
|
||||
|
||||
if ( ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) ||
|
||||
( $family == F_IPV6 && $net =~ /^(!?)(.*:.*)-(.*:.*)$/ ) ) {
|
||||
@@ -5232,11 +4886,19 @@ sub match_dest_net( $ ) {
|
||||
return $result;
|
||||
}
|
||||
|
||||
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
|
||||
if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
|
||||
fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
|
||||
|
||||
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
||||
|
||||
for ( split_list $2, 'cc' ) {
|
||||
fatal_error "Unknown or invalid Country Code" unless $isocodes{$_};
|
||||
load_isocodes unless %isocodes;
|
||||
|
||||
my @countries = split_list $2, 'country-code';
|
||||
|
||||
fatal_error "Too many Country Codes ($2)" if @countries > 15;
|
||||
|
||||
for ( @countries ) {
|
||||
fatal_error "Unknown or invalid Country Code ($_)" unless $isocodes{$_};
|
||||
}
|
||||
|
||||
return join( '', '-m geoip ', $1 ? '! ' : '', '--dst-cc ', $2, ' ' );
|
||||
@@ -5259,8 +4921,10 @@ sub match_dest_net( $ ) {
|
||||
$net eq ALLIP ? '' : "-d $net ";
|
||||
}
|
||||
|
||||
sub imatch_dest_net( $ ) {
|
||||
my $net = $_[0];
|
||||
sub imatch_dest_net( $;$ ) {
|
||||
my ( $net, $restriction ) = @_;
|
||||
|
||||
$restriction |= NO_RESTRICT;
|
||||
|
||||
if ( ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) ||
|
||||
( $family == F_IPV6 && $net =~ /^(!?)(.*:.*)-(.*:.*)$/ ) ) {
|
||||
@@ -5289,11 +4953,19 @@ sub imatch_dest_net( $ ) {
|
||||
return \@result;
|
||||
}
|
||||
|
||||
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
|
||||
if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
|
||||
fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
|
||||
|
||||
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
||||
|
||||
for ( split_list $2, 'cc' ) {
|
||||
fatal_error "Unknown or invalid Country Code" unless $isocodes{$_};
|
||||
load_isocodes unless %isocodes;
|
||||
|
||||
my @countries = split_list $2, 'country-code';
|
||||
|
||||
fatal_error "Too many Country Codes ($2)" if @countries > 15;
|
||||
|
||||
for ( @countries ) {
|
||||
fatal_error "Unknown or invalid Country Code ($_)" unless $isocodes{$_};
|
||||
}
|
||||
|
||||
return ( geoip => , join( '', $1 ? '! ' : '', '--dst-cc ', $2 ) );
|
||||
@@ -6097,8 +5769,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
} elsif ( $source =~ /^(.+?):(.+)$/ ) {
|
||||
$iiface = $1;
|
||||
$inets = $2;
|
||||
} elsif ( $source =~ /\+|&|~|\..*\./ ||
|
||||
( ! ( $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT ) ) && $source =~ /^!?{/ ) ) {
|
||||
} elsif ( $source =~ /\+|&|~|\..*\./ || $source =~ /^!?\^/ ) {
|
||||
$inets = $source;
|
||||
} else {
|
||||
$iiface = $source;
|
||||
@@ -6112,8 +5783,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
} else {
|
||||
$inets = $source;
|
||||
}
|
||||
} elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ ||
|
||||
( ! ( $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT ) ) && $source =~ /^!?{/ ) ) {
|
||||
} elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ || $source =~ /^!?\^/ ) {
|
||||
$inets = $source;
|
||||
} else {
|
||||
$iiface = $source;
|
||||
@@ -6198,8 +5868,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
if ( $dest =~ /^(.+?):(.+)$/ ) {
|
||||
$diface = $1;
|
||||
$dnets = $2;
|
||||
} elsif ( $dest =~ /\+|&|%|~|\..*\./ ||
|
||||
( ! ( $restriction & ( PREROUTE_RESTRICT | INPUT_RESTRICT ) ) && $dest =~ /^!?{/ ) ) {
|
||||
} elsif ( $dest =~ /\+|&|%|~|\..*\./ || $dest =~ /^!?\^/ ) {
|
||||
$dnets = $dest;
|
||||
} else {
|
||||
$diface = $dest;
|
||||
@@ -6213,8 +5882,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
} else {
|
||||
$dnets = $dest;
|
||||
}
|
||||
} elsif ( $dest =~ /(?:\+|&|\..*\.)/ ||
|
||||
( ! ( $restriction & ( PREROUTE_RESTRICT | INPUT_RESTRICT ) ) && $dest =~ /^!?{/ ) ) {
|
||||
} elsif ( $dest =~ /(?:\+|&|\..*\.)/ || $dest =~ /^!?\^/ ) {
|
||||
$dnets = $dest;
|
||||
} else {
|
||||
$diface = $dest;
|
||||
@@ -6347,7 +6015,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
unless ( $dnets || $dexcl =~ /^\+\[/ ) {
|
||||
my @dexcl = mysplit $dexcl, 1;
|
||||
if ( @dexcl == 1 ) {
|
||||
$rule .= match_dest_net "!$dexcl";
|
||||
$rule .= match_dest_net "!$dexcl", $restriction;
|
||||
$dexcl = '';
|
||||
$trivialdexcl = 1;
|
||||
}
|
||||
@@ -6394,7 +6062,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
|
||||
for ( mysplit $dexcl ) {
|
||||
my $cond = conditional_rule( $chainref, $_ );
|
||||
add_rule $chainref, ( match_dest_net $_ ) . $exclude;
|
||||
add_rule $chainref, ( match_dest_net $_, $restriction ) . $exclude;
|
||||
conditional_rule_end( $chainref ) if $cond;
|
||||
}
|
||||
|
||||
@@ -6431,7 +6099,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
|
||||
for my $dnet ( mysplit $dnets ) {
|
||||
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
|
||||
add_expanded_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ) );
|
||||
add_expanded_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet, $restriction ), $onet ) );
|
||||
}
|
||||
|
||||
conditional_rule_end( $chainref ) if $cond;
|
||||
@@ -6451,7 +6119,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
|
||||
for ( mysplit $dexcl ) {
|
||||
my $cond = conditional_rule( $echainref, $_ );
|
||||
add_rule $echainref, ( match_dest_net $_ ) . '-j RETURN';
|
||||
add_rule $echainref, ( match_dest_net $_, $restriction ) . '-j RETURN';
|
||||
conditional_rule_end( $echainref ) if $cond;
|
||||
}
|
||||
|
||||
@@ -6503,7 +6171,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
|
||||
for my $dnet ( mysplit $dnets ) {
|
||||
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
|
||||
my $dest_match = match_dest_net( $dnet );
|
||||
my $dest_match = match_dest_net( $dnet, $restriction );
|
||||
my $matches = join( '', $rule, $source_match, $dest_match, $onet );
|
||||
|
||||
my $cond = conditional_rule( $chainref, $dnet );
|
||||
@@ -7070,14 +6738,6 @@ sub load_ipsets() {
|
||||
sub create_netfilter_load( $ ) {
|
||||
my $test = shift;
|
||||
|
||||
my @table_list;
|
||||
|
||||
push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
|
||||
push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
|
||||
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
|
||||
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'filter';
|
||||
|
||||
$mode = NULL_MODE;
|
||||
|
||||
emit ( '#',
|
||||
@@ -7108,7 +6768,7 @@ sub create_netfilter_load( $ ) {
|
||||
emit_unindented '#';
|
||||
}
|
||||
|
||||
for my $table ( @table_list ) {
|
||||
for my $table ( valid_tables ) {
|
||||
emit_unindented "*$table";
|
||||
|
||||
my @chains;
|
||||
@@ -7173,14 +6833,6 @@ sub create_netfilter_load( $ ) {
|
||||
#
|
||||
sub preview_netfilter_load() {
|
||||
|
||||
my @table_list;
|
||||
|
||||
push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
|
||||
push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
|
||||
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
|
||||
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'filter';
|
||||
|
||||
$mode = NULL_MODE;
|
||||
|
||||
push_indent;
|
||||
@@ -7191,7 +6843,7 @@ sub preview_netfilter_load() {
|
||||
|
||||
print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
|
||||
|
||||
for my $table ( @table_list ) {
|
||||
for my $table ( valid_tables ) {
|
||||
print "*$table\n";
|
||||
|
||||
my @chains;
|
||||
@@ -7393,14 +7045,6 @@ sub create_chainlist_reload($) {
|
||||
sub create_stop_load( $ ) {
|
||||
my $test = shift;
|
||||
|
||||
my @table_list;
|
||||
|
||||
push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
|
||||
push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
|
||||
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
|
||||
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'filter';
|
||||
|
||||
my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
|
||||
my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
|
||||
|
||||
@@ -7421,7 +7065,7 @@ sub create_stop_load( $ ) {
|
||||
emit_unindented '#';
|
||||
}
|
||||
|
||||
for my $table ( @table_list ) {
|
||||
for my $table ( valid_tables ) {
|
||||
emit_unindented "*$table";
|
||||
|
||||
my @chains;
|
||||
|
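Review bot: In the new `load_isocodes` (hunk `@@ -5067,6 +4688,21 @@`), the directory taken from `$config{GEOIPDIR}` is interpolated unquoted into a backtick command, `ls $isodir/*$family 2>/dev/null`, so a path containing whitespace or shell metacharacters is split or interpreted by the shell that the compiler spawns. The `-d $isodir` test on the line above only proves the path is a directory; it does not constrain what the shell does with the string. Listing the directory in-process with `opendir`/`readdir` avoids the shell entirely and gives the same names to the `substr(basename($_),0,2)` line. The four country-code hunks that call `load_isocodes unless %isocodes` rely on this list as their only validation, so it is worth making the lookup robust.

```perl
    fatal_error "GEOIPDIR ($isodir) does not exist" unless -d $isodir;

    # Read the directory in-process so the configured path never reaches a shell
    opendir my $dh, $isodir or fatal_error "Unable to read GEOIPDIR ($isodir): $!";
    my @codes = grep { ! /^\./ && /\Q$family\E\z/ } readdir $dh;
    closedir $dh;

    # … unchanged: empty-list fatal_error and %isocodes population …
```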
@@ -812,12 +812,12 @@ sub compiler {
|
||||
|
||||
optimize_level0;
|
||||
|
||||
if ( $config{OPTIMIZE} & 0x1E ) {
|
||||
if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
|
||||
progress_message2 'Optimizing Ruleset...';
|
||||
#
|
||||
# Optimize Policy Chains
|
||||
#
|
||||
optimize_policy_chains if $config{OPTIMIZE} & 2;
|
||||
optimize_policy_chains if $optimize & 6 == 2; # Level 2 but not 4
|
||||
#
|
||||
# More Optimization
|
||||
#
|
||||
|
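Review bot: The condition on the `optimize_policy_chains` line is always false, because `==` binds tighter than `&` in Perl and `$optimize & 6 == 2` therefore parses as `$optimize & ( 6 == 2 )`. The trailing comment states the intent as "Level 2 but not 4", which needs the mask parenthesised: `optimize_policy_chains if ( $optimize & 6 ) == 2; # Level 2 but not 4`. As written, policy-chain optimization is silently skipped for every OPTIMIZE value. The page has lost its `+`/`-` column, so this assumes the `$optimize` line is the new side, which matches the `my $optimize = $config{OPTIMIZE}` introduced in the `if` just above it. The body of `compiler` continues outside the hunk.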
@@ -559,6 +559,7 @@ sub initialize( $;$ ) {
|
||||
RESTOREFILE => undef,
|
||||
IPSECFILE => undef,
|
||||
LOCKFILE => undef,
|
||||
GEOIPDIR => undef,
|
||||
#
|
||||
# Default Actions/Macros
|
||||
#
|
||||
@@ -3404,10 +3405,10 @@ sub update_config_file( $ ) {
|
||||
#
|
||||
# Establish default values for the mark layout items
|
||||
#
|
||||
$config{TC_BITS} = ( $wide ? 14 : 8 ) unless supplied $config{TC_BITS};
|
||||
$config{MASK_BITS} = ( $wide ? 16 : 8 ) unless supplied $config{MASK_BITS};
|
||||
$config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless supplied $config{PROVIDER_OFFSET};
|
||||
$config{PROVIDER_BITS} = 8 unless supplied $config{PROVIDER_BITS};
|
||||
$config{TC_BITS} = ( $wide ? 14 : 8 ) unless defined $config{TC_BITS};
|
||||
$config{MASK_BITS} = ( $wide ? 16 : 8 ) unless defined $config{MASK_BITS};
|
||||
$config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless defined $config{PROVIDER_OFFSET};
|
||||
$config{PROVIDER_BITS} = 8 unless defined $config{PROVIDER_BITS};
|
||||
|
||||
my $fn;
|
||||
|
||||
|
@@ -1854,8 +1854,6 @@ sub generate_matrix() {
|
||||
@dest_zones = @zones ;
|
||||
}
|
||||
#
|
||||
# Here it is -- THE BIG UGLY!!!!!!!!!!!!
|
||||
#
|
||||
# We now loop through the destination zones creating jumps to the rules chain for each source/dest combination.
|
||||
# @dest_zones is the list of destination zones that we need to handle from this source zone
|
||||
#
|
||||
|
@@ -1045,8 +1045,8 @@ sub setup_null_routing() {
|
||||
emit "> \${VARDIR}/undo_rfc1918_routing\n";
|
||||
for ( rfc1918_networks ) {
|
||||
emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
|
||||
qq( run_ip route replace unreachable $_),
|
||||
qq( echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_rfc1918_routing),
|
||||
qq( run_ip route replace blackhole $_),
|
||||
qq( echo "qt \$IP -4 route del blackhole $_" >> \${VARDIR}/undo_rfc1918_routing),
|
||||
qq(fi\n) );
|
||||
}
|
||||
}
|
||||
@@ -1152,10 +1152,15 @@ sub finish_providers() {
|
||||
}
|
||||
|
||||
emit( " progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
|
||||
'else',
|
||||
'#',
|
||||
'# We don\'t have any \'fallback\' providers so we delete any default routes in the default table',
|
||||
'#',
|
||||
" while qt \$IP -$family route del default table " . DEFAULT_TABLE . '; do true; done',
|
||||
'fi',
|
||||
'' );
|
||||
} elsif ( $config{USE_DEFAULT_RT} ) {
|
||||
emit "qt \$IP -$family route del default table " . DEFAULT_TABLE;
|
||||
emit "while qt \$IP -$family route del default table " . DEFAULT_TABLE . '; do true; done';
|
||||
}
|
||||
|
||||
unless ( $config{KEEP_RT_TABLES} ) {
|
||||
|
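Review bot: In the setup_null_routing hunk the RFC 1918 null routes change from `unreachable` to `blackhole` with no comment recording why, and the two route types behave differently. An unreachable route discards the packet and generates an ICMP host-unreachable message, while a blackhole route discards it silently. A one-line comment above the `emit(` call would make the intent visible to the next maintainer, for example `# blackhole: discard silently, no ICMP unreachable is returned`. The direction of the change is read from print order only, since the hunk counts are symmetric.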
@@ -1688,7 +1688,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
|
||||
my ( $action, $loglevel) = split_action $target;
|
||||
my ( $basictarget, $param ) = get_target_param $action;
|
||||
my $rule = '';
|
||||
my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 1 ) : 0;
|
||||
my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 5 ) : 0;
|
||||
my $inaction = '';
|
||||
my $normalized_target;
|
||||
my $normalized_action;
|
||||
@@ -1953,7 +1953,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
|
||||
#
|
||||
# Handle Optimization
|
||||
#
|
||||
if ( $optimize > 0 && $section eq 'NEW' ) {
|
||||
if ( $optimize == 1 && $section eq 'NEW' ) {
|
||||
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
|
||||
if ( $loglevel ne '' ) {
|
||||
return 0 if $target eq "${policy}:$loglevel}";
|
||||
|
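Review bot: The unchanged line `return 0 if $target eq "${policy}:$loglevel}";` in the second process_rule1 hunk has a stray `}` inside the string, so the interpolated value ends in a literal brace and can never equal a `policy:loglevel` target. The commit rewrites the guard just above it but leaves this line as it was; it should read `return 0 if $target eq "${policy}:$loglevel";`. Separately, the first hunk widens the mask to `$config{OPTIMIZE} & 5`, so `$optimize` can now be 4 or 5 and `$optimize == 1` is false whenever the 4 bit is set. If that is intended, a comment on the guard such as `# OPTIMIZE bit 1 set and bit 4 clear` would say so. Both hunks lie inside process_rule1, whose body extends beyond what is shown.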
@@ -55,6 +55,8 @@ TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
|
||||
|
||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
||||
|
||||
IPTABLES=
|
||||
|
||||
IP=
|
||||
|
@@ -66,6 +66,8 @@ TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
|
||||
|
||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
||||
|
||||
IPTABLES=
|
||||
|
||||
IP=
|
||||
|
@@ -64,6 +64,8 @@ TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
|
||||
|
||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
||||
|
||||
IPTABLES=
|
||||
|
||||
IP=
|
||||
|
@@ -67,6 +67,8 @@ TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
|
||||
|
||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
||||
|
||||
IPTABLES=
|
||||
|
||||
IP=
|
||||
|
@@ -55,6 +55,8 @@ TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
|
||||
|
||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
||||
|
||||
IPTABLES=
|
||||
|
||||
IP=
|
||||
|
@@ -252,11 +252,16 @@ if [ $PRODUCT = shorewall -a "$BUILD" = "$HOST" ]; then
|
||||
#
|
||||
# Fix up 'use Digest::' if SHA is installed
|
||||
#
|
||||
if perl -e 'use Digest::SHA;' 2> /dev/null ; then
|
||||
sed -i 's/Digest::SHA1/Digest::SHA/' Perl/Shorewall/Chains.pm
|
||||
if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
|
||||
if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
|
||||
sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
|
||||
else
|
||||
echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
#
|
||||
# Verify that Perl is installed
|
||||
# Verify that Perl and all required modules are installed
|
||||
#
|
||||
if ! perl -c Perl/compiler.pl; then
|
||||
echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the Shorewall Perl code" >&2
|
||||
|
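Review bot: The new `sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm` is not idempotent. On a host that has only Digest::SHA1, a second run of the installer over the same tree matches the already-rewritten `Digest::SHA1` and turns it into `Digest::SHA11`, and the `perl -c Perl/compiler.pl` check that follows would then presumably fail. Let the pattern accept an optional trailing 1 so a re-run is a no-op: `sed -i 's/Digest::SHA1\{0,1\}/Digest::SHA1/' Perl/Shorewall/Chains.pm`. The substitution also edits the source tree in place, so a tree prepared on one machine carries the change to the next; a comment noting that would help.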
@@ -1571,7 +1571,7 @@ usage() # $1 = exit status
|
||||
echo " allow <address> ..."
|
||||
echo " check [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ <directory> ]"
|
||||
echo " clear"
|
||||
echo " compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
|
||||
echo " compile [ -e ] [ -p ] [ -t ] [ -d ] [ -T ] [ <directory name> ] [ <path name> ]"
|
||||
echo " delete <interface>[:<host-list>] ... <zone>"
|
||||
echo " disable <interface>"
|
||||
echo " drop <address> ..."
|
||||
|
@@ -563,7 +563,7 @@
|
||||
role="bold">-</emphasis>]}<emphasis
|
||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
||||
role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>countrycode-list</replaceable>}</term>
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Source hosts to which the rule applies. May be a
|
||||
@@ -641,9 +641,11 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.5.4, A
|
||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
||||
countrycode-list is a comma-separated list of two-character ISO-3661
|
||||
country codes enclosed in curly braces ('{...}'). A list of country
|
||||
codes supported by Shorewall may be found at <ulink
|
||||
countrycode-list is a comma-separated list of up to 15 two-character
|
||||
ISO-3661 country codes enclosed in square brackets ('[...]') and
|
||||
preceded by a caret ('^'). When a single country code is given, the
|
||||
square brackets may be omitted. A list of country codes supported by
|
||||
Shorewall may be found at <ulink
|
||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
||||
@@ -736,7 +738,7 @@
|
||||
role="bold">+</emphasis>][<emphasis
|
||||
role="bold">-</emphasis>]}<emphasis
|
||||
role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
|
||||
role="bold">random</emphasis>]]</term>
|
||||
|
||||
<listitem>
|
||||
@@ -756,9 +758,11 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.5.4, A
|
||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
||||
countrycode-list is a comma-separated list of two-character ISO-3661
|
||||
country codes enclosed in curly braces ('{...}'). A list of country
|
||||
codes supported by Shorewall may be found at <ulink
|
||||
countrycode-list is a comma-separated list of up to 15 two-character
|
||||
ISO-3661 country codes enclosed in square brackets ('[...]') and
|
||||
preceded by a caret ('^'). When a single country code is given, the
|
||||
square brackets may be omitted. A list of country codes supported by
|
||||
Shorewall may be found at <ulink
|
||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
||||
@@ -1565,7 +1569,7 @@
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
DROP net:{A1,A2} fw tcp 22</programlisting>
|
||||
DROP net:^A1,A2 fw tcp 22</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@@ -669,6 +669,21 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">GEOIPDIR</emphasis>=[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.4. Specifies the pathname of the
|
||||
directory containing the <firstterm>GeoIP Match</firstterm>
|
||||
database. See <ulink
|
||||
url="http://www.shorewall.net/ISOCODES.html">http://www.shorewall.net/ISOCODES.html</ulink>.
|
||||
If not specified, the default value is
|
||||
<filename>/usr/share/xt_geoip/LE</filename> which is the default
|
||||
location of the little-endian database.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
@@ -1538,6 +1553,23 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
chain are appended to it.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>An additional optimization was added in Shorewall 4.5.4.
|
||||
If the last rule in a chain is an unqualified jump to a simple
|
||||
target, then all immediately preceding rules with the same
|
||||
simple target are omitted.</para>
|
||||
|
||||
<para>For example, consider this chain:</para>
|
||||
|
||||
<programlisting> -A fw-net -p udp --dport 67:68 -j ACCEPT
|
||||
-A fw-net -p udp --sport 1194 -j ACCEPT
|
||||
-A fw-net -p 41 -j ACCEPT
|
||||
-A fw-net -j ACCEPT
|
||||
</programlisting>
|
||||
|
||||
<para>Since all of the rules are jumps to the simple target
|
||||
ACCEPT, this chain is totally optimized away and jumps to the
|
||||
chain are replace with jumps to ACCEPT.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
@@ -54,6 +54,8 @@ TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
|
||||
|
||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
||||
|
||||
IP6TABLES=
|
||||
|
||||
IP=
|
||||
|
@@ -54,6 +54,8 @@ TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
|
||||
|
||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
||||
|
||||
IP6TABLES=
|
||||
|
||||
IP=
|
||||
|
@@ -54,6 +54,8 @@ TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
|
||||
|
||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
||||
|
||||
IP6TABLES=
|
||||
|
||||
IP=
|
||||
|
@@ -54,6 +54,8 @@ TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
|
||||
|
||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
||||
|
||||
IP6TABLES=
|
||||
|
||||
IP=
|
||||
|
@@ -26,7 +26,6 @@ AllowICMPs # Accept needed ICMP6 types
|
||||
Broadcast # Handles Broadcast/Multicast/Anycast
|
||||
Drop # Default Action for DROP policy
|
||||
DropSmurfs # Handles packets with a broadcast source address
|
||||
GeoIP # Match packets by ISO 3166 Country Code
|
||||
Invalid # Handles packets in the INVALID conntrack state
|
||||
NotSyn # Handles TCP packets that do not have SYN=1 and ACK=0
|
||||
Reject # Default Action for REJECT policy
|
||||
|
@@ -54,6 +54,8 @@ TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
|
||||
|
||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
||||
|
||||
IP6TABLES=
|
||||
|
||||
IP=
|
||||
|
@@ -422,7 +422,7 @@
|
||||
role="bold">-</emphasis>]}<emphasis
|
||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
||||
role="bold">:<option><</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>></option>|<emphasis>exclusion</emphasis>|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>countrycode-list</replaceable>}</term>
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Source hosts to which the rule applies. May be a zone declared
|
||||
@@ -492,9 +492,11 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.5.4, A
|
||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
||||
countrycode-list is a comma-separated list of two-character ISO-3661
|
||||
country codes enclosed in curly braces ('{...}'). A list of country
|
||||
codes supported by Shorewall may be found at <ulink
|
||||
countrycode-list is a comma-separated list of up to 15 two-character
|
||||
ISO-3661 country codes enclosed in square brackets ('[...]') and
|
||||
preceded by a caret ('^'). When a single country code is given, the
|
||||
square brackets may be omitted. A list of country codes supported by
|
||||
Shorewall may be found at <ulink
|
||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
||||
@@ -596,7 +598,7 @@
|
||||
role="bold">-</emphasis>]}<emphasis
|
||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
||||
role="bold">:<option><</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>></option>|<emphasis>exclusion</emphasis>|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>countrycode-list</emphasis>}</emphasis></term>
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|^<emphasis>countrycode-list</emphasis>}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Location of Server. May be a zone declared in <ulink
|
||||
@@ -624,9 +626,11 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.5.4, A
|
||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
||||
countrycode-list is a comma-separated list of two-character ISO-3661
|
||||
country codes enclosed in curly braces ('{...}'). A list of country
|
||||
codes supported by Shorewall may be found at <ulink
|
||||
countrycode-list is a comma-separated list of up to 15 two-character
|
||||
ISO-3661 country codes enclosed in square brackets ('[...]') and
|
||||
preceded by a caret ('^'). When a single country code is given, the
|
||||
square brackets may be omitted. A list of country codes supported by
|
||||
Shorewall may be found at <ulink
|
||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
||||
@@ -1245,7 +1249,7 @@
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
DROP net:{ZZ} fw tcp 22</programlisting>
|
||||
DROP net:^ZZ fw tcp 22</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@@ -578,6 +578,21 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">GEOIPDIR</emphasis>=[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.4. Specifies the pathname of the
|
||||
directory containing the <firstterm>GeoIP Match</firstterm>
|
||||
database. See <ulink
|
||||
url="http://www.shorewall.net/ISOCODES.html">http://www.shorewall.net/ISOCODES.html</ulink>.
|
||||
If not specified, the default value is
|
||||
<filename>/usr/share/xt_geoip/LE</filename> which is the default
|
||||
location of the little-endian database.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
@@ -1336,6 +1351,23 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
chain are appended to it.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>An additional optimization was added in Shorewall 4.5.4.
|
||||
If the last rule in a chain is an unqualified jump to a simple
|
||||
target, then all immediately preceding rules with the same
|
||||
simple target are omitted.</para>
|
||||
|
||||
<para>For example, consider this chain:</para>
|
||||
|
||||
<programlisting> -A fw-net -p udp --dport 67:68 -j ACCEPT
|
||||
-A fw-net -p udp --sport 1194 -j ACCEPT
|
||||
-A fw-net -p 41 -j ACCEPT
|
||||
-A fw-net -j ACCEPT
|
||||
</programlisting>
|
||||
|
||||
<para>Since all of the rules are jumps to the simple target
|
||||
ACCEPT, this chain is totally optimized away and jumps to the
|
||||
chain are replace with jumps to ACCEPT.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
@@ -362,8 +362,8 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
|
||||
Filtering</ulink></entry>
|
||||
<entry><ulink url="ISO-3661.html">ISO 3661 Country
|
||||
Codes</ulink></entry>
|
||||
|
||||
<entry><ulink url="samba.htm">Samba</ulink></entry>
|
||||
|
||||
@@ -371,8 +371,8 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="kernel.htm">Kernel
|
||||
Configuration</ulink></entry>
|
||||
<entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
|
||||
Filtering</ulink></entry>
|
||||
|
||||
<entry><ulink url="Shorewall-init.html">Shorewall
|
||||
Init</ulink></entry>
|
||||
@@ -381,14 +381,23 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
|
||||
Machine)</ulink></entry>
|
||||
<entry><ulink url="kernel.htm">Kernel
|
||||
Configuration</ulink></entry>
|
||||
|
||||
<entry><ulink url="Shorewall-Lite.html">Shorewall
|
||||
Lite</ulink></entry>
|
||||
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
|
||||
Machine)</ulink></entry>
|
||||
|
||||
<entry/>
|
||||
|
||||
<entry/>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
|
@@ -39,8 +39,10 @@
|
||||
|
||||
<para>Beginning with Shorewall 4.5.4, Shorewall allows matching packet
|
||||
SOURCE and/or DEST IP addresses by their corresponding country. That is
|
||||
dont by specifying a comma-separated list of ISO-3661 2-character Country
|
||||
Codes enclosed in curly braces ('{...}').</para>
|
||||
done by specifying a comma-separated list of up to 15 ISO-3661 2-character
|
||||
Country Codes enclosed in square brackets ('[...]') and prefixed by a
|
||||
caret ('^'). When a single country code is given, the square brackets can
|
||||
be omitted.</para>
|
||||
|
||||
<para>Example - Drop email from the Anonymous Proxy and Satellite Provider
|
||||
networks.</para>
|
||||
@@ -49,462 +51,494 @@
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
DROP:info net:{A1,A2} dmz tcp 25
|
||||
DROP:info net:^[A1,A2] dmz tcp 25
|
||||
</programlisting>
|
||||
|
||||
<para>The country codes recognized by Shorewall as of Shorewall 4.5.4 are
|
||||
shown in the following two sections.</para>
|
||||
<para>Using this feature requires the <firstterm>GeoIP Match</firstterm>
|
||||
capability in your iptables and kernel. As of this writing, that
|
||||
capability requires installing <ulink
|
||||
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink> 1.33
|
||||
or later and <ulink
|
||||
url="http://xtables-addons.sourceforge.net/geoip.php">creating a
|
||||
country-code database</ulink>.</para>
|
||||
|
||||
<para>The Shorewall compiler uses the geoip country-code database to
|
||||
determine the valid set of two-character alphanumeric country codes. The
|
||||
location of that database is currently hard-coded in xtables-addons as
|
||||
<filename>/usr/share/xt_geoip/</filename>. Within that directory are two
|
||||
sub-directories:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>LE -- contains the little-endian database</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>BE -- contains the big-endian database</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>To accomodate both big-endian and little-endian machines as well as
|
||||
any future ability to install the database at another location, Shorewall
|
||||
supports a GEOIPDIR option in <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
|
||||
url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5). The
|
||||
default value of that option is
|
||||
<filename>/usr/share/xt_geoip/LE</filename>.</para>
|
||||
|
||||
<para>The country codes at the time of this writing are shown in the
|
||||
following two sections.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>IPv4</title>
|
||||
|
||||
<programlisting> A1 => "Anonymous Proxy" ,
|
||||
A2 => "Satellite Provider" ,
|
||||
AD => "Andorra" ,
|
||||
AE => "United Arab Emirates" ,
|
||||
AF => "Afghanistan" ,
|
||||
AG => "Antigua and Barbuda" ,
|
||||
AI => "Anguilla" ,
|
||||
AL => "Albania" ,
|
||||
AM => "Armenia" ,
|
||||
AN => "Netherlands Antilles" ,
|
||||
AO => "Angola" ,
|
||||
AP => "Asia/Pacific Region" ,
|
||||
AQ => "Antarctica" ,
|
||||
AR => "Argentina" ,
|
||||
AS => "American Samoa" ,
|
||||
AT => "Austria" ,
|
||||
AU => "Australia" ,
|
||||
AW => "Aruba" ,
|
||||
AX => "Aland Islands" ,
|
||||
AZ => "Azerbaijan" ,
|
||||
BA => "Bosnia and Herzegovina" ,
|
||||
BB => "Barbados" ,
|
||||
BD => "Bangladesh" ,
|
||||
BE => "Belgium" ,
|
||||
BF => "Burkina Faso" ,
|
||||
BG => "Bulgaria" ,
|
||||
BH => "Bahrain" ,
|
||||
BI => "Burundi" ,
|
||||
BJ => "Benin" ,
|
||||
BM => "Bermuda" ,
|
||||
BN => "Brunei Darussalam" ,
|
||||
BO => "Bolivia" ,
|
||||
BR => "Brazil" ,
|
||||
BS => "Bahamas" ,
|
||||
BT => "Bhutan" ,
|
||||
BV => "Bouvet Island" ,
|
||||
BW => "Botswana" ,
|
||||
BY => "Belarus" ,
|
||||
BZ => "Belize" ,
|
||||
CA => "Canada" ,
|
||||
CC => "Cocos (Keeling) Islands" ,
|
||||
CD => "Congo, The Democratic Republic of the" ,
|
||||
CF => "Central African Republic" ,
|
||||
CG => "Congo" ,
|
||||
CH => "Switzerland" ,
|
||||
CI => "Cote D'Ivoire" ,
|
||||
CK => "Cook Islands" ,
|
||||
CL => "Chile" ,
|
||||
CM => "Cameroon" ,
|
||||
CN => "China" ,
|
||||
CO => "Colombia" ,
|
||||
CR => "Costa Rica" ,
|
||||
CU => "Cuba" ,
|
||||
CV => "Cape Verde" ,
|
||||
CX => "Christmas Island" ,
|
||||
CY => "Cyprus" ,
|
||||
CZ => "Czech Republic" ,
|
||||
DE => "Germany" ,
|
||||
DJ => "Djibouti" ,
|
||||
DK => "Denmark" ,
|
||||
DM => "Dominica" ,
|
||||
DO => "Dominican Republic" ,
|
||||
DZ => "Algeria" ,
|
||||
EC => "Ecuador" ,
|
||||
EE => "Estonia" ,
|
||||
EG => "Egypt" ,
|
||||
EH => "Western Sahara" ,
|
||||
ER => "Eritrea" ,
|
||||
ES => "Spain" ,
|
||||
ET => "Ethiopia" ,
|
||||
EU => "Europe" ,
|
||||
FI => "Finland" ,
|
||||
FJ => "Fiji" ,
|
||||
FK => "Falkland Islands (Malvinas)" ,
|
||||
FM => "Micronesia, Federated States of" ,
|
||||
FO => "Faroe Islands" ,
|
||||
FR => "France" ,
|
||||
GA => "Gabon" ,
|
||||
GB => "United Kingdom" ,
|
||||
GD => "Grenada" ,
|
||||
GE => "Georgia" ,
|
||||
GF => "French Guiana" ,
|
||||
GG => "Guernsey" ,
|
||||
GH => "Ghana" ,
|
||||
GI => "Gibraltar" ,
|
||||
GL => "Greenland" ,
|
||||
GM => "Gambia" ,
|
||||
GN => "Guinea" ,
|
||||
GP => "Guadeloupe" ,
|
||||
GQ => "Equatorial Guinea" ,
|
||||
GR => "Greece" ,
|
||||
GS => "South Georgia and the South Sandwich Islands" ,
|
||||
GT => "Guatemala" ,
|
||||
GU => "Guam" ,
|
||||
GW => "Guinea-Bissau" ,
|
||||
GY => "Guyana" ,
|
||||
HK => "Hong Kong" ,
|
||||
HN => "Honduras" ,
|
||||
HR => "Croatia" ,
|
||||
HT => "Haiti" ,
|
||||
HU => "Hungary" ,
|
||||
ID => "Indonesia" ,
|
||||
IE => "Ireland" ,
|
||||
IL => "Israel" ,
|
||||
IM => "Isle of Man" ,
|
||||
IN => "India" ,
|
||||
IO => "British Indian Ocean Territory" ,
|
||||
IQ => "Iraq" ,
|
||||
IR => "Iran, Islamic Republic of" ,
|
||||
IS => "Iceland" ,
|
||||
IT => "Italy" ,
|
||||
JE => "Jersey" ,
|
||||
JM => "Jamaica" ,
|
||||
JO => "Jordan" ,
|
||||
JP => "Japan" ,
|
||||
KE => "Kenya" ,
|
||||
KG => "Kyrgyzstan" ,
|
||||
KH => "Cambodia" ,
|
||||
KI => "Kiribati" ,
|
||||
KM => "Comoros" ,
|
||||
KN => "Saint Kitts and Nevis" ,
|
||||
KP => "Korea, Democratic People's Republic of" ,
|
||||
KR => "Korea, Republic of" ,
|
||||
KW => "Kuwait" ,
|
||||
KY => "Cayman Islands" ,
|
||||
KZ => "Kazakhstan" ,
|
||||
LA => "Lao People's Democratic Republic" ,
|
||||
LB => "Lebanon" ,
|
||||
LC => "Saint Lucia" ,
|
||||
LI => "Liechtenstein" ,
|
||||
LK => "Sri Lanka" ,
|
||||
LR => "Liberia" ,
|
||||
LS => "Lesotho" ,
|
||||
LT => "Lithuania" ,
|
||||
LU => "Luxembourg" ,
|
||||
LV => "Latvia" ,
|
||||
LY => "Libyan Arab Jamahiriya" ,
|
||||
MA => "Morocco" ,
|
||||
MC => "Monaco" ,
|
||||
MD => "Moldova, Republic of" ,
|
||||
ME => "Montenegro" ,
|
||||
MG => "Madagascar" ,
|
||||
MH => "Marshall Islands" ,
|
||||
MK => "Macedonia" ,
|
||||
ML => "Mali" ,
|
||||
MM => "Myanmar" ,
|
||||
MN => "Mongolia" ,
|
||||
MO => "Macau" ,
|
||||
MP => "Northern Mariana Islands" ,
|
||||
MQ => "Martinique" ,
|
||||
MR => "Mauritania" ,
|
||||
MS => "Montserrat" ,
|
||||
MT => "Malta" ,
|
||||
MU => "Mauritius" ,
|
||||
MV => "Maldives" ,
|
||||
MW => "Malawi" ,
|
||||
MX => "Mexico" ,
|
||||
MY => "Malaysia" ,
|
||||
MZ => "Mozambique" ,
|
||||
NA => "Namibia" ,
|
||||
NC => "New Caledonia" ,
|
||||
NE => "Niger" ,
|
||||
NF => "Norfolk Island" ,
|
||||
NG => "Nigeria" ,
|
||||
NI => "Nicaragua" ,
|
||||
NL => "Netherlands" ,
|
||||
NO => "Norway" ,
|
||||
NP => "Nepal" ,
|
||||
NR => "Nauru" ,
|
||||
NU => "Niue" ,
|
||||
NZ => "New Zealand" ,
|
||||
OM => "Oman" ,
|
||||
PA => "Panama" ,
|
||||
PE => "Peru" ,
|
||||
PF => "French Polynesia" ,
|
||||
PG => "Papua New Guinea" ,
|
||||
PH => "Philippines" ,
|
||||
PK => "Pakistan" ,
|
||||
PL => "Poland" ,
|
||||
PM => "Saint Pierre and Miquelon" ,
|
||||
PR => "Puerto Rico" ,
|
||||
PS => "Palestinian Territory, Occupied" ,
|
||||
PT => "Portugal" ,
|
||||
PW => "Palau" ,
|
||||
PY => "Paraguay" ,
|
||||
QA => "Qatar" ,
|
||||
RE => "Reunion" ,
|
||||
RO => "Romania" ,
|
||||
RS => "Serbia" ,
|
||||
RU => "Russian Federation" ,
|
||||
RW => "Rwanda" ,
|
||||
SA => "Saudi Arabia" ,
|
||||
SB => "Solomon Islands" ,
|
||||
SC => "Seychelles" ,
|
||||
SD => "Sudan" ,
|
||||
SE => "Sweden" ,
|
||||
SG => "Singapore" ,
|
||||
SH => "Saint Helena" ,
|
||||
SI => "Slovenia" ,
|
||||
SJ => "Svalbard and Jan Mayen" ,
|
||||
SK => "Slovakia" ,
|
||||
SL => "Sierra Leone" ,
|
||||
SM => "San Marino" ,
|
||||
SN => "Senegal" ,
|
||||
SO => "Somalia" ,
|
||||
SR => "Suriname" ,
|
||||
ST => "Sao Tome and Principe" ,
|
||||
SV => "El Salvador" ,
|
||||
SY => "Syrian Arab Republic" ,
|
||||
SZ => "Swaziland" ,
|
||||
TC => "Turks and Caicos Islands" ,
|
||||
TD => "Chad" ,
|
||||
TF => "French Southern Territories" ,
|
||||
TG => "Togo" ,
|
||||
TH => "Thailand" ,
|
||||
TJ => "Tajikistan" ,
|
||||
TK => "Tokelau" ,
|
||||
TL => "Timor-Leste" ,
|
||||
TM => "Turkmenistan" ,
|
||||
TN => "Tunisia" ,
|
||||
TO => "Tonga" ,
|
||||
TR => "Turkey" ,
|
||||
TT => "Trinidad and Tobago" ,
|
||||
TV => "Tuvalu" ,
|
||||
TW => "Taiwan" ,
|
||||
TZ => "Tanzania, United Republic of" ,
|
||||
UA => "Ukraine" ,
|
||||
UG => "Uganda" ,
|
||||
UM => "United States Minor Outlying Islands" ,
|
||||
US => "United States" ,
|
||||
UY => "Uruguay" ,
|
||||
UZ => "Uzbekistan" ,
|
||||
VA => "Holy See (Vatican City State)" ,
|
||||
VC => "Saint Vincent and the Grenadines" ,
|
||||
VE => "Venezuela" ,
|
||||
VG => "Virgin Islands, British" ,
|
||||
VI => "Virgin Islands, U.S." ,
|
||||
VN => "Vietnam" ,
|
||||
VU => "Vanuatu" ,
|
||||
WF => "Wallis and Futuna" ,
|
||||
WS => "Samoa" ,
|
||||
YE => "Yemen" ,
|
||||
YT => "Mayotte" ,
|
||||
ZA => "South Africa" ,
|
||||
ZM => "Zambia" ,
|
||||
ZW => "Zimbabwe" ,
|
||||
<programlisting> A1 => "Anonymous Proxy" ,
|
||||
A2 => "Satellite Provider" ,
|
||||
AD => "Andorra" ,
|
||||
AE => "United Arab Emirates" ,
|
||||
AF => "Afghanistan" ,
|
||||
AG => "Antigua and Barbuda" ,
|
||||
AI => "Anguilla" ,
|
||||
AL => "Albania" ,
|
||||
AM => "Armenia" ,
|
||||
AN => "Netherlands Antilles" ,
|
||||
AO => "Angola" ,
|
||||
AP => "Asia/Pacific Region" ,
|
||||
AQ => "Antarctica" ,
|
||||
AR => "Argentina" ,
|
||||
AS => "American Samoa" ,
|
||||
AT => "Austria" ,
|
||||
AU => "Australia" ,
|
||||
AW => "Aruba" ,
|
||||
AX => "Aland Islands" ,
|
||||
AZ => "Azerbaijan" ,
|
||||
BA => "Bosnia and Herzegovina" ,
|
||||
BB => "Barbados" ,
|
||||
BD => "Bangladesh" ,
|
||||
BE => "Belgium" ,
|
||||
BF => "Burkina Faso" ,
|
||||
BG => "Bulgaria" ,
|
||||
BH => "Bahrain" ,
|
||||
BI => "Burundi" ,
|
||||
BJ => "Benin" ,
|
||||
BM => "Bermuda" ,
|
||||
BN => "Brunei Darussalam" ,
|
||||
BO => "Bolivia" ,
|
||||
BR => "Brazil" ,
|
||||
BS => "Bahamas" ,
|
||||
BT => "Bhutan" ,
|
||||
BV => "Bouvet Island" ,
|
||||
BW => "Botswana" ,
|
||||
BY => "Belarus" ,
|
||||
BZ => "Belize" ,
|
||||
CA => "Canada" ,
|
||||
CC => "Cocos (Keeling) Islands" ,
|
||||
CD => "Congo, The Democratic Republic of the" ,
|
||||
CF => "Central African Republic" ,
|
||||
CG => "Congo" ,
|
||||
CH => "Switzerland" ,
|
||||
CI => "Cote D'Ivoire" ,
|
||||
CK => "Cook Islands" ,
|
||||
CL => "Chile" ,
|
||||
CM => "Cameroon" ,
|
||||
CN => "China" ,
|
||||
CO => "Colombia" ,
|
||||
CR => "Costa Rica" ,
|
||||
CU => "Cuba" ,
|
||||
CV => "Cape Verde" ,
|
||||
CX => "Christmas Island" ,
|
||||
CY => "Cyprus" ,
|
||||
CZ => "Czech Republic" ,
|
||||
DE => "Germany" ,
|
||||
DJ => "Djibouti" ,
|
||||
DK => "Denmark" ,
|
||||
DM => "Dominica" ,
|
||||
DO => "Dominican Republic" ,
|
||||
DZ => "Algeria" ,
|
||||
EC => "Ecuador" ,
|
||||
EE => "Estonia" ,
|
||||
EG => "Egypt" ,
|
||||
EH => "Western Sahara" ,
|
||||
ER => "Eritrea" ,
|
||||
ES => "Spain" ,
|
||||
ET => "Ethiopia" ,
|
||||
EU => "Europe" ,
|
||||
FI => "Finland" ,
|
||||
FJ => "Fiji" ,
|
||||
FK => "Falkland Islands (Malvinas)" ,
|
||||
FM => "Micronesia, Federated States of" ,
|
||||
FO => "Faroe Islands" ,
|
||||
FR => "France" ,
|
||||
GA => "Gabon" ,
|
||||
GB => "United Kingdom" ,
|
||||
GD => "Grenada" ,
|
||||
GE => "Georgia" ,
|
||||
GF => "French Guiana" ,
|
||||
GG => "Guernsey" ,
|
||||
GH => "Ghana" ,
|
||||
GI => "Gibraltar" ,
|
||||
GL => "Greenland" ,
|
||||
GM => "Gambia" ,
|
||||
GN => "Guinea" ,
|
||||
GP => "Guadeloupe" ,
|
||||
GQ => "Equatorial Guinea" ,
|
||||
GR => "Greece" ,
|
||||
GS => "South Georgia and the South Sandwich Islands" ,
|
||||
GT => "Guatemala" ,
|
||||
GU => "Guam" ,
|
||||
GW => "Guinea-Bissau" ,
|
||||
GY => "Guyana" ,
|
||||
HK => "Hong Kong" ,
|
||||
HN => "Honduras" ,
|
||||
HR => "Croatia" ,
|
||||
HT => "Haiti" ,
|
||||
HU => "Hungary" ,
|
||||
ID => "Indonesia" ,
|
||||
IE => "Ireland" ,
|
||||
IL => "Israel" ,
|
||||
IM => "Isle of Man" ,
|
||||
IN => "India" ,
|
||||
IO => "British Indian Ocean Territory" ,
|
||||
IQ => "Iraq" ,
|
||||
IR => "Iran, Islamic Republic of" ,
|
||||
IS => "Iceland" ,
|
||||
IT => "Italy" ,
|
||||
JE => "Jersey" ,
|
||||
JM => "Jamaica" ,
|
||||
JO => "Jordan" ,
|
||||
JP => "Japan" ,
|
||||
KE => "Kenya" ,
|
||||
KG => "Kyrgyzstan" ,
|
||||
KH => "Cambodia" ,
|
||||
KI => "Kiribati" ,
|
||||
KM => "Comoros" ,
|
||||
KN => "Saint Kitts and Nevis" ,
|
||||
KP => "Korea, Democratic People's Republic of" ,
|
||||
KR => "Korea, Republic of" ,
|
||||
KW => "Kuwait" ,
|
||||
KY => "Cayman Islands" ,
|
||||
KZ => "Kazakhstan" ,
|
||||
LA => "Lao People's Democratic Republic" ,
|
||||
LB => "Lebanon" ,
|
||||
LC => "Saint Lucia" ,
|
||||
LI => "Liechtenstein" ,
|
||||
LK => "Sri Lanka" ,
|
||||
LR => "Liberia" ,
|
||||
LS => "Lesotho" ,
|
||||
LT => "Lithuania" ,
|
||||
LU => "Luxembourg" ,
|
||||
LV => "Latvia" ,
|
||||
LY => "Libyan Arab Jamahiriya" ,
|
||||
MA => "Morocco" ,
|
||||
MC => "Monaco" ,
|
||||
MD => "Moldova, Republic of" ,
|
||||
ME => "Montenegro" ,
|
||||
MG => "Madagascar" ,
|
||||
MH => "Marshall Islands" ,
|
||||
MK => "Macedonia" ,
|
||||
ML => "Mali" ,
|
||||
MM => "Myanmar" ,
|
||||
MN => "Mongolia" ,
|
||||
MO => "Macau" ,
|
||||
MP => "Northern Mariana Islands" ,
|
||||
MQ => "Martinique" ,
|
||||
MR => "Mauritania" ,
|
||||
MS => "Montserrat" ,
|
||||
MT => "Malta" ,
|
||||
MU => "Mauritius" ,
|
||||
MV => "Maldives" ,
|
||||
MW => "Malawi" ,
|
||||
MX => "Mexico" ,
|
||||
MY => "Malaysia" ,
|
||||
MZ => "Mozambique" ,
|
||||
NA => "Namibia" ,
|
||||
NC => "New Caledonia" ,
|
||||
NE => "Niger" ,
|
||||
NF => "Norfolk Island" ,
|
||||
NG => "Nigeria" ,
|
||||
NI => "Nicaragua" ,
|
||||
NL => "Netherlands" ,
|
||||
NO => "Norway" ,
|
||||
NP => "Nepal" ,
|
||||
NR => "Nauru" ,
|
||||
NU => "Niue" ,
|
||||
NZ => "New Zealand" ,
|
||||
OM => "Oman" ,
|
||||
PA => "Panama" ,
|
||||
PE => "Peru" ,
|
||||
PF => "French Polynesia" ,
|
||||
PG => "Papua New Guinea" ,
|
||||
PH => "Philippines" ,
|
||||
PK => "Pakistan" ,
|
||||
PL => "Poland" ,
|
||||
PM => "Saint Pierre and Miquelon" ,
|
||||
PR => "Puerto Rico" ,
|
||||
PS => "Palestinian Territory, Occupied" ,
|
||||
PT => "Portugal" ,
|
||||
PW => "Palau" ,
|
||||
PY => "Paraguay" ,
|
||||
QA => "Qatar" ,
|
||||
RE => "Reunion" ,
|
||||
RO => "Romania" ,
|
||||
RS => "Serbia" ,
|
||||
RU => "Russian Federation" ,
|
||||
RW => "Rwanda" ,
|
||||
SA => "Saudi Arabia" ,
|
||||
SB => "Solomon Islands" ,
|
||||
SC => "Seychelles" ,
|
||||
SD => "Sudan" ,
|
||||
SE => "Sweden" ,
|
||||
SG => "Singapore" ,
|
||||
SH => "Saint Helena" ,
|
||||
SI => "Slovenia" ,
|
||||
SJ => "Svalbard and Jan Mayen" ,
|
||||
SK => "Slovakia" ,
|
||||
SL => "Sierra Leone" ,
|
||||
SM => "San Marino" ,
|
||||
SN => "Senegal" ,
|
||||
SO => "Somalia" ,
|
||||
SR => "Suriname" ,
|
||||
ST => "Sao Tome and Principe" ,
|
||||
SV => "El Salvador" ,
|
||||
SY => "Syrian Arab Republic" ,
|
||||
SZ => "Swaziland" ,
|
||||
TC => "Turks and Caicos Islands" ,
|
||||
TD => "Chad" ,
|
||||
TF => "French Southern Territories" ,
|
||||
TG => "Togo" ,
|
||||
TH => "Thailand" ,
|
||||
TJ => "Tajikistan" ,
|
||||
TK => "Tokelau" ,
|
||||
TL => "Timor-Leste" ,
|
||||
TM => "Turkmenistan" ,
|
||||
TN => "Tunisia" ,
|
||||
TO => "Tonga" ,
|
||||
TR => "Turkey" ,
|
||||
TT => "Trinidad and Tobago" ,
|
||||
TV => "Tuvalu" ,
|
||||
TW => "Taiwan" ,
|
||||
TZ => "Tanzania, United Republic of" ,
|
||||
UA => "Ukraine" ,
|
||||
UG => "Uganda" ,
|
||||
UM => "United States Minor Outlying Islands" ,
|
||||
US => "United States" ,
|
||||
UY => "Uruguay" ,
|
||||
UZ => "Uzbekistan" ,
|
||||
VA => "Holy See (Vatican City State)" ,
|
||||
VC => "Saint Vincent and the Grenadines" ,
|
||||
VE => "Venezuela" ,
|
||||
VG => "Virgin Islands, British" ,
|
||||
VI => "Virgin Islands, U.S." ,
|
||||
VN => "Vietnam" ,
|
||||
VU => "Vanuatu" ,
|
||||
WF => "Wallis and Futuna" ,
|
||||
WS => "Samoa" ,
|
||||
YE => "Yemen" ,
|
||||
YT => "Mayotte" ,
|
||||
ZA => "South Africa" ,
|
||||
ZM => "Zambia" ,
|
||||
ZW => "Zimbabwe" ,
|
||||
</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>IPv6</title>
|
||||
|
||||
<programlisting> AD => "Andorra" ,
|
||||
AE => "United Arab Emirates" ,
|
||||
AF => "Afghanistan" ,
|
||||
AL => "Albania" ,
|
||||
AM => "Armenia" ,
|
||||
AO => "Angola" ,
|
||||
AP => "Asia/Pacific Region" ,
|
||||
AR => "Argentina" ,
|
||||
AS => "American Samoa" ,
|
||||
AT => "Austria" ,
|
||||
AU => "Australia" ,
|
||||
AW => "Aruba" ,
|
||||
AZ => "Azerbaijan" ,
|
||||
BA => "Bosnia and Herzegovina" ,
|
||||
BD => "Bangladesh" ,
|
||||
BE => "Belgium" ,
|
||||
BF => "Burkina Faso" ,
|
||||
BG => "Bulgaria" ,
|
||||
BH => "Bahrain" ,
|
||||
BI => "Burundi" ,
|
||||
BJ => "Benin" ,
|
||||
BM => "Bermuda" ,
|
||||
BN => "Brunei Darussalam" ,
|
||||
BO => "Bolivia" ,
|
||||
BR => "Brazil" ,
|
||||
BS => "Bahamas" ,
|
||||
BT => "Bhutan" ,
|
||||
BW => "Botswana" ,
|
||||
BY => "Belarus" ,
|
||||
BZ => "Belize" ,
|
||||
CA => "Canada" ,
|
||||
CD => "Congo, The Democratic Republic of the" ,
|
||||
CH => "Switzerland" ,
|
||||
CI => "Cote D'Ivoire" ,
|
||||
CK => "Cook Islands" ,
|
||||
CL => "Chile" ,
|
||||
CM => "Cameroon" ,
|
||||
CN => "China" ,
|
||||
CO => "Colombia" ,
|
||||
CR => "Costa Rica" ,
|
||||
CU => "Cuba" ,
|
||||
CW => "" ,
|
||||
CY => "Cyprus" ,
|
||||
CZ => "Czech Republic" ,
|
||||
DE => "Germany" ,
|
||||
DJ => "Djibouti" ,
|
||||
DK => "Denmark" ,
|
||||
DO => "Dominican Republic" ,
|
||||
DZ => "Algeria" ,
|
||||
EC => "Ecuador" ,
|
||||
EE => "Estonia" ,
|
||||
EG => "Egypt" ,
|
||||
ES => "Spain" ,
|
||||
EU => "Europe" ,
|
||||
FI => "Finland" ,
|
||||
FJ => "Fiji" ,
|
||||
FM => "Micronesia, Federated States of" ,
|
||||
FO => "Faroe Islands" ,
|
||||
FR => "France" ,
|
||||
GB => "United Kingdom" ,
|
||||
GD => "Grenada" ,
|
||||
GE => "Georgia" ,
|
||||
GG => "Guernsey" ,
|
||||
GH => "Ghana" ,
|
||||
GI => "Gibraltar" ,
|
||||
GL => "Greenland" ,
|
||||
GM => "Gambia" ,
|
||||
GP => "Guadeloupe" ,
|
||||
GR => "Greece" ,
|
||||
GT => "Guatemala" ,
|
||||
GU => "Guam" ,
|
||||
GY => "Guyana" ,
|
||||
HK => "Hong Kong" ,
|
||||
HN => "Honduras" ,
|
||||
HR => "Croatia" ,
|
||||
HT => "Haiti" ,
|
||||
HU => "Hungary" ,
|
||||
ID => "Indonesia" ,
|
||||
IE => "Ireland" ,
|
||||
IL => "Israel" ,
|
||||
IM => "Isle of Man" ,
|
||||
IN => "India" ,
|
||||
IQ => "Iraq" ,
|
||||
IR => "Iran, Islamic Republic of" ,
|
||||
IS => "Iceland" ,
|
||||
IT => "Italy" ,
|
||||
JE => "Jersey" ,
|
||||
JM => "Jamaica" ,
|
||||
JO => "Jordan" ,
|
||||
JP => "Japan" ,
|
||||
KE => "Kenya" ,
|
||||
KG => "Kyrgyzstan" ,
|
||||
KH => "Cambodia" ,
|
||||
KN => "Saint Kitts and Nevis" ,
|
||||
KR => "Korea, Republic of" ,
|
||||
KW => "Kuwait" ,
|
||||
KY => "Cayman Islands" ,
|
||||
KZ => "Kazakhstan" ,
|
||||
LA => "Lao People's Democratic Republic" ,
|
||||
LB => "Lebanon" ,
|
||||
LI => "Liechtenstein" ,
|
||||
LK => "Sri Lanka" ,
|
||||
LS => "Lesotho" ,
|
||||
LT => "Lithuania" ,
|
||||
LU => "Luxembourg" ,
|
||||
LV => "Latvia" ,
|
||||
LY => "Libyan Arab Jamahiriya" ,
|
||||
MA => "Morocco" ,
|
||||
MC => "Monaco" ,
|
||||
MD => "Moldova, Republic of" ,
|
||||
ME => "Montenegro" ,
|
||||
MG => "Madagascar" ,
|
||||
MH => "Marshall Islands" ,
|
||||
MK => "Macedonia" ,
|
||||
ML => "Mali" ,
|
||||
MM => "Myanmar" ,
|
||||
MN => "Mongolia" ,
|
||||
MO => "Macau" ,
|
||||
MT => "Malta" ,
|
||||
MU => "Mauritius" ,
|
||||
MV => "Maldives" ,
|
||||
MW => "Malawi" ,
|
||||
MX => "Mexico" ,
|
||||
MY => "Malaysia" ,
|
||||
MZ => "Mozambique" ,
|
||||
NA => "Namibia" ,
|
||||
NC => "New Caledonia" ,
|
||||
NF => "Norfolk Island" ,
|
||||
NG => "Nigeria" ,
|
||||
NI => "Nicaragua" ,
|
||||
NL => "Netherlands" ,
|
||||
NO => "Norway" ,
|
||||
NP => "Nepal" ,
|
||||
NR => "Nauru" ,
|
||||
NU => "Niue" ,
|
||||
NZ => "New Zealand" ,
|
||||
OM => "Oman" ,
|
||||
PA => "Panama" ,
|
||||
PE => "Peru" ,
|
||||
PF => "French Polynesia" ,
|
||||
PG => "Papua New Guinea" ,
|
||||
PH => "Philippines" ,
|
||||
PK => "Pakistan" ,
|
||||
PL => "Poland" ,
|
||||
PR => "Puerto Rico" ,
|
||||
PS => "Palestinian Territory" ,
|
||||
PT => "Portugal" ,
|
||||
PW => "Palau" ,
|
||||
PY => "Paraguay" ,
|
||||
QA => "Qatar" ,
|
||||
RO => "Romania" ,
|
||||
RS => "Serbia" ,
|
||||
RU => "Russian Federation" ,
|
||||
RW => "Rwanda" ,
|
||||
SA => "Saudi Arabia" ,
|
||||
SB => "Solomon Islands" ,
|
||||
SC => "Seychelles" ,
|
||||
SD => "Sudan" ,
|
||||
SE => "Sweden" ,
|
||||
SG => "Singapore" ,
|
||||
SI => "Slovenia" ,
|
||||
SK => "Slovakia" ,
|
||||
SL => "Sierra Leone" ,
|
||||
SM => "San Marino" ,
|
||||
SN => "Senegal" ,
|
||||
SO => "Somalia" ,
|
||||
ST => "Sao Tome and Principe" ,
|
||||
SV => "El Salvador" ,
|
||||
SY => "Syrian Arab Republic" ,
|
||||
SZ => "Swaziland" ,
|
||||
TH => "Thailand" ,
|
||||
TK => "Tokelau" ,
|
||||
TN => "Tunisia" ,
|
||||
TO => "Tonga" ,
|
||||
TR => "Turkey" ,
|
||||
TT => "Trinidad and Tobago" ,
|
||||
TV => "Tuvalu" ,
|
||||
TW => "Taiwan" ,
|
||||
TZ => "Tanzania, United Republic of" ,
|
||||
UA => "Ukraine" ,
|
||||
UG => "Uganda" ,
|
||||
US => "United States" ,
|
||||
UY => "Uruguay" ,
|
||||
UZ => "Uzbekistan" ,
|
||||
VA => "Holy See (Vatican City State)" ,
|
||||
VE => "Venezuela" ,
|
||||
VI => "Virgin Islands, U.S." ,
|
||||
VN => "Vietnam" ,
|
||||
VU => "Vanuatu" ,
|
||||
WS => "Samoa" ,
|
||||
YE => "Yemen" ,
|
||||
ZA => "South Africa" ,
|
||||
ZM => "Zambia" ,
|
||||
ZW => "Zimbabwe" ,
|
||||
<programlisting> AD => "Andorra" ,
|
||||
AE => "United Arab Emirates" ,
|
||||
AF => "Afghanistan" ,
|
||||
AL => "Albania" ,
|
||||
AM => "Armenia" ,
|
||||
AO => "Angola" ,
|
||||
AP => "Asia/Pacific Region" ,
|
||||
AR => "Argentina" ,
|
||||
AS => "American Samoa" ,
|
||||
AT => "Austria" ,
|
||||
AU => "Australia" ,
|
||||
AW => "Aruba" ,
|
||||
AZ => "Azerbaijan" ,
|
||||
BA => "Bosnia and Herzegovina" ,
|
||||
BD => "Bangladesh" ,
|
||||
BE => "Belgium" ,
|
||||
BF => "Burkina Faso" ,
|
||||
BG => "Bulgaria" ,
|
||||
BH => "Bahrain" ,
|
||||
BI => "Burundi" ,
|
||||
BJ => "Benin" ,
|
||||
BM => "Bermuda" ,
|
||||
BN => "Brunei Darussalam" ,
|
||||
BO => "Bolivia" ,
|
||||
BR => "Brazil" ,
|
||||
BS => "Bahamas" ,
|
||||
BT => "Bhutan" ,
|
||||
BW => "Botswana" ,
|
||||
BY => "Belarus" ,
|
||||
BZ => "Belize" ,
|
||||
CA => "Canada" ,
|
||||
CD => "Congo, The Democratic Republic of the" ,
|
||||
CH => "Switzerland" ,
|
||||
CI => "Cote D'Ivoire" ,
|
||||
CK => "Cook Islands" ,
|
||||
CL => "Chile" ,
|
||||
CM => "Cameroon" ,
|
||||
CN => "China" ,
|
||||
CO => "Colombia" ,
|
||||
CR => "Costa Rica" ,
|
||||
CU => "Cuba" ,
|
||||
CW => "" ,
|
||||
CY => "Cyprus" ,
|
||||
CZ => "Czech Republic" ,
|
||||
DE => "Germany" ,
|
||||
DJ => "Djibouti" ,
|
||||
DK => "Denmark" ,
|
||||
DO => "Dominican Republic" ,
|
||||
DZ => "Algeria" ,
|
||||
EC => "Ecuador" ,
|
||||
EE => "Estonia" ,
|
||||
EG => "Egypt" ,
|
||||
ES => "Spain" ,
|
||||
EU => "Europe" ,
|
||||
FI => "Finland" ,
|
||||
FJ => "Fiji" ,
|
||||
FM => "Micronesia, Federated States of" ,
|
||||
FO => "Faroe Islands" ,
|
||||
FR => "France" ,
|
||||
GB => "United Kingdom" ,
|
||||
GD => "Grenada" ,
|
||||
GE => "Georgia" ,
|
||||
GG => "Guernsey" ,
|
||||
GH => "Ghana" ,
|
||||
GI => "Gibraltar" ,
|
||||
GL => "Greenland" ,
|
||||
GM => "Gambia" ,
|
||||
GP => "Guadeloupe" ,
|
||||
GR => "Greece" ,
|
||||
GT => "Guatemala" ,
|
||||
GU => "Guam" ,
|
||||
GY => "Guyana" ,
|
||||
HK => "Hong Kong" ,
|
||||
HN => "Honduras" ,
|
||||
HR => "Croatia" ,
|
||||
HT => "Haiti" ,
|
||||
HU => "Hungary" ,
|
||||
ID => "Indonesia" ,
|
||||
IE => "Ireland" ,
|
||||
IL => "Israel" ,
|
||||
IM => "Isle of Man" ,
|
||||
IN => "India" ,
|
||||
IQ => "Iraq" ,
|
||||
IR => "Iran, Islamic Republic of" ,
|
||||
IS => "Iceland" ,
|
||||
IT => "Italy" ,
|
||||
JE => "Jersey" ,
|
||||
JM => "Jamaica" ,
|
||||
JO => "Jordan" ,
|
||||
JP => "Japan" ,
|
||||
KE => "Kenya" ,
|
||||
KG => "Kyrgyzstan" ,
|
||||
KH => "Cambodia" ,
|
||||
KN => "Saint Kitts and Nevis" ,
|
||||
KR => "Korea, Republic of" ,
|
||||
KW => "Kuwait" ,
|
||||
KY => "Cayman Islands" ,
|
||||
KZ => "Kazakhstan" ,
|
||||
LA => "Lao People's Democratic Republic" ,
|
||||
LB => "Lebanon" ,
|
||||
LI => "Liechtenstein" ,
|
||||
LK => "Sri Lanka" ,
|
||||
LS => "Lesotho" ,
|
||||
LT => "Lithuania" ,
|
||||
LU => "Luxembourg" ,
|
||||
LV => "Latvia" ,
|
||||
LY => "Libyan Arab Jamahiriya" ,
|
||||
MA => "Morocco" ,
|
||||
MC => "Monaco" ,
|
||||
MD => "Moldova, Republic of" ,
|
||||
ME => "Montenegro" ,
|
||||
MG => "Madagascar" ,
|
||||
MH => "Marshall Islands" ,
|
||||
MK => "Macedonia" ,
|
||||
ML => "Mali" ,
|
||||
MM => "Myanmar" ,
|
||||
MN => "Mongolia" ,
|
||||
MO => "Macau" ,
|
||||
MT => "Malta" ,
|
||||
MU => "Mauritius" ,
|
||||
MV => "Maldives" ,
|
||||
MW => "Malawi" ,
|
||||
MX => "Mexico" ,
|
||||
MY => "Malaysia" ,
|
||||
MZ => "Mozambique" ,
|
||||
NA => "Namibia" ,
|
||||
NC => "New Caledonia" ,
|
||||
NF => "Norfolk Island" ,
|
||||
NG => "Nigeria" ,
|
||||
NI => "Nicaragua" ,
|
||||
NL => "Netherlands" ,
|
||||
NO => "Norway" ,
|
||||
NP => "Nepal" ,
|
||||
NR => "Nauru" ,
|
||||
NU => "Niue" ,
|
||||
NZ => "New Zealand" ,
|
||||
OM => "Oman" ,
|
||||
PA => "Panama" ,
|
||||
PE => "Peru" ,
|
||||
PF => "French Polynesia" ,
|
||||
PG => "Papua New Guinea" ,
|
||||
PH => "Philippines" ,
|
||||
PK => "Pakistan" ,
|
||||
PL => "Poland" ,
|
||||
PR => "Puerto Rico" ,
|
||||
PS => "Palestinian Territory" ,
|
||||
PT => "Portugal" ,
|
||||
PW => "Palau" ,
|
||||
PY => "Paraguay" ,
|
||||
QA => "Qatar" ,
|
||||
RO => "Romania" ,
|
||||
RS => "Serbia" ,
|
||||
RU => "Russian Federation" ,
|
||||
RW => "Rwanda" ,
|
||||
SA => "Saudi Arabia" ,
|
||||
SB => "Solomon Islands" ,
|
||||
SC => "Seychelles" ,
|
||||
SD => "Sudan" ,
|
||||
SE => "Sweden" ,
|
||||
SG => "Singapore" ,
|
||||
SI => "Slovenia" ,
|
||||
SK => "Slovakia" ,
|
||||
SL => "Sierra Leone" ,
|
||||
SM => "San Marino" ,
|
||||
SN => "Senegal" ,
|
||||
SO => "Somalia" ,
|
||||
ST => "Sao Tome and Principe" ,
|
||||
SV => "El Salvador" ,
|
||||
SY => "Syrian Arab Republic" ,
|
||||
SZ => "Swaziland" ,
|
||||
TH => "Thailand" ,
|
||||
TK => "Tokelau" ,
|
||||
TN => "Tunisia" ,
|
||||
TO => "Tonga" ,
|
||||
TR => "Turkey" ,
|
||||
TT => "Trinidad and Tobago" ,
|
||||
TV => "Tuvalu" ,
|
||||
TW => "Taiwan" ,
|
||||
TZ => "Tanzania, United Republic of" ,
|
||||
UA => "Ukraine" ,
|
||||
UG => "Uganda" ,
|
||||
US => "United States" ,
|
||||
UY => "Uruguay" ,
|
||||
UZ => "Uzbekistan" ,
|
||||
VA => "Holy See (Vatican City State)" ,
|
||||
VE => "Venezuela" ,
|
||||
VI => "Virgin Islands, U.S." ,
|
||||
VN => "Vietnam" ,
|
||||
VU => "Vanuatu" ,
|
||||
WS => "Samoa" ,
|
||||
YE => "Yemen" ,
|
||||
ZA => "South Africa" ,
|
||||
ZM => "Zambia" ,
|
||||
ZW => "Zimbabwe" ,
|
||||
</programlisting>
|
||||
</section>
|
||||
</article>
|
||||
|
@@ -834,7 +834,7 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
|
||||
<listitem>
|
||||
<para>ADDRESS LIST — A list of one or more addresses (host or network)
|
||||
or address ranges, separated by commas. In an IPv6 configuration, this
|
||||
list must be includef in square or angled brackets ("[...]" or
|
||||
list must be included in square or angled brackets ("[...]" or
|
||||
"<...>"). The list may have <link
|
||||
linkend="Exclusion">exclusion</link>.</para>
|
||||
</listitem>
|
||||
@@ -875,7 +875,7 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
|
||||
<listitem>
|
||||
<para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
|
||||
role="bold">loc</emphasis> zone — <emphasis
|
||||
role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
|
||||
role="bold">loc::[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -883,6 +883,12 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
|
||||
role="bold">$FW:&eth0</emphasis> (see <link
|
||||
linkend="Rvariables">Run-time Address Variables</link> below)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>All hosts in Vatican City - <emphasis
|
||||
role="bold">net:^VA</emphasis> (Shorwall 4.5.4 and later - See <ulink
|
||||
url="ISO-3661.html">this article</ulink>).</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
@@ -1517,12 +1523,23 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true</programlisting
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>If the <replaceable>variable</replaceable> is still not found and it
|
||||
begins with '__', then those leading characters are stripped off and the
|
||||
result is searched for in the defined <firstterm>capabilities</firstterm>.
|
||||
The current set of capabilities may be obtained by the command
|
||||
<command>shorewall show capabilities</command> (the capability names are
|
||||
in parentheses).</para>
|
||||
<para>If the <replaceable>variable</replaceable> is still not
|
||||
found:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>it begins with '__', then those leading characters are stripped
|
||||
off.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>the variable is then searched for in the defined
|
||||
<firstterm>capabilities</firstterm>. The current set of capabilities
|
||||
may be obtained by the command <command>shorewall show
|
||||
capabilities</command> (the capability names are in
|
||||
parentheses).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>If it is not found in any of those places, the
|
||||
<replaceable>variable</replaceable> is assumed to have a value of 0
|
||||
|