Implement ADD and DEL in the mangle file.

- Also document the parameter to SAME

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -649,6 +649,7 @@ our %opttype = ( rule          => CONTROL,
 		 simple        => CONTROL,
 		 matches       => CONTROL,
 		 complex       => CONTROL,
+		 t             => CONTROL,
 
 		 i             => UNIQUE,
 		 s             => UNIQUE,
@@ -891,6 +892,8 @@ sub set_rule_option( $$$ ) {
 	    }
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
+	} elsif ( $opttype  == CONTROL ) {
+	    $ruleref->{$option} = $value;
 	} elsif ( $opttype == UNIQUE ) {
 	    #
 	    # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
@@ -925,7 +928,7 @@ sub transform_rule( $;\$ ) {
 	my $option;
 	my $invert = '';
 
-	if ( $input =~ s/^(!\s+)?-([psdjgiom])\s+// ) {
+	if ( $input =~ s/^(!\s+)?-([psdjgiomt])\s+// ) {
 	    #
 	    # Normal case of single-character
 	    $invert = '!' if $1;
@@ -955,7 +958,7 @@ sub transform_rule( $;\$ ) {
 
       PARAM:
 	{
-	    while ( $input ne '' && $input !~ /^(?:!|-[psdjgiom])\s/ ) {
+	    while ( $input ne '' && $input !~ /^(?:!|-[psdjgiomt])\s/ ) {
 		last PARAM if $input =~ /^--([^\s]+)/ && $aliases{$1 || '' };
 		$input =~ s/^([^\s]+)\s*//;
 		my $token = $1;

Shorewall/Perl/Shorewall/Providers.pm

@@ -2049,7 +2049,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_irule( $_ );
 
 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300 --reap" );
+			set_rule_option( $rule1, 'recent', "--name $list --update --seconds $rule1->{t} --reap" );
 
 			$rule2 = clone_irule( $_ );
 
@@ -2084,7 +2084,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_irule $_;
 
 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300 --reap" );
+			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds $rule1->{t} --reap" );
 
 			$rule2 = clone_irule $_;
 

Shorewall/Perl/Shorewall/Tc.pm

@@ -225,6 +225,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
     my  $device         = '';
     our $cmd;
     our $designator;
+    our $ttl            = 0;
     my $fw              = firewall_zone;
 
     sub handle_mark_param( $$ ) {
@@ -333,7 +334,31 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	}
     }
 
+    sub ipset_command() {
+	my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
+
+	require_capability( 'IPSET_MATCH', "$cmd rules", '' );
+	fatal_error "$cmd rules require a set name parameter" unless $params;
+
+	my ( $setname, $flags, $rest ) = split ':', $params, 3;
+	fatal_error "Invalid ADD/DEL parameter ($params)" if $rest;
+	$setname =~ s/^\+//;
+	fatal_error "Expected ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*$/;
+	fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
+	$target = join( ' ', 'SET --' . $xlate{$cmd} , $setname , $flags );
+    }
+
     my %commands = (
+	ADD       => {
+	    defaultchain   => PREROUTING,
+	    allowedchains  => ALLCHAINS,
+	    minparams      => 1,
+	    maxparams      => 1,
+	    function       => sub() {
+		ipset_command();
+	    }
+	},
+
 	CHECKSUM   => {
 	    defaultchain   => 0,
 	    allowedchains  => ALLCHAINS,
@@ -396,6 +421,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 
+	DEL       => {
+	    defaultchain   => PREROUTING,
+	    allowedchains  => ALLCHAINS,
+	    minparams      => 1,
+	    maxparams      => 1,
+	    function       => sub() {
+		ipset_command();
+	    }
+	},
+
 	DIVERT     => {
 	    defaultchain   => REALPREROUTING,
 	    allowedchains  => PREROUTING | REALPREROUTING,
@@ -587,6 +622,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 		$target = ( $chain == OUTPUT ? 'sticko' : 'sticky' );
 		$restriction = DESTIFACE_DISALLOW;
 		ensure_mangle_chain( $target );
+		if (supplied $params) {
+		    $ttl = numeric_value( $params );
+		    fatal_error "The SAME timeout must be positive" unless $ttl;
+		} else {
+		    $ttl = 300;
+		}
+
 		$sticky++;
 	    },
 	},
@@ -601,7 +643,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 		if ( supplied $params ) {
 		    handle_mark_param( '--save-mark --mask ' ,
 				       $config{TC_EXPERT} ? HIGHMARK : SMALLMARK );
-
 		} else {
 		    $target .= '--save-mark --mask ' . in_hex( $globals{TC_MASK} );
 		}
@@ -801,6 +842,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 					 do_dscp( $dscp ) .
 					 state_match( $state ) .
 					 do_time( $time ) .
+					 ( $ttl ? "-t $ttl " : '' ) .
 					 $raw_matches ,
 					 $source ,
 					 $dest ,
@@ -852,13 +894,17 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
     our  %tccmd;
 
     unless ( %tccmd ) {
-	%tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+	%tccmd = ( ADD =>      { match     => sub ( $ ) { $_[0] =~ /^ADD/ } 
+		               },
+		   DEL =>      { match     => sub ( $ ) { $_[0] =~ /^DEL/ }
+		               },
+	           SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			       } ,
 		   RESTORE =>  { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 			       } ,
 		   CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
 			       } ,
-		   SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
+		   SAME =>     { match     => sub ( $ ) { $_[0] =~ /^SAME(?:\(d+\))?$/ },
 			       } ,
 		   IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
 			       } ,

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -132,6 +132,13 @@ sub setup_tunnels() {
 	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$source
 	}
 
+    sub setup_one_tinc {
+	my ( $inchainref, $outchainref, $kind, $source, $dest ) = @_;
+
+	add_tunnel_rule $inchainref,  p => 'udp --dport 655', @$source;
+	add_tunnel_rule $outchainref, p => 'udp --dport 655', @$dest;
+    }
+
     sub setup_one_openvpn {
 	my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
 
@@ -154,7 +161,7 @@ sub setup_tunnels() {
 	}
 
 	add_tunnel_rule $inchainref,  p => "$protocol --dport $port", @$source;
-	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;;
+	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;
     }
 
     sub setup_one_openvpn_client {
@@ -263,6 +270,7 @@ sub setup_tunnels() {
 				'6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
 				'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
 				'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
+				'tinc'          => { function => \&setup_one_tinc,           params   => [ $kind, \@source, \@dest ] } ,
 				'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
 				'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
 				'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,

Shorewall/manpages/shorewall-mangle.xml

@@ -123,6 +123,28 @@
           following.</para>
 
           <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.7. Causes addresses and/or port
+                numbers to be added to the named
+                <replaceable>ipset</replaceable>. The
+                <replaceable>flags</replaceable> specify the address or tuple
+                to be added to the set and must match the type of ipset
+                involved. For example, for an iphash ipset, either the SOURCE
+                or DESTINATION address can be added using
+                <replaceable>flags</replaceable> <emphasis
+                role="bold">src</emphasis> or <emphasis
+                role="bold">dst</emphasis> respectively (see the -A command in
+                ipset (8)).</para>
+
+                <para>ADD is non-terminating. Even if a packet matches the
+                rule, it is passed on to the next rule.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">CHECKSUM</emphasis></term>
 
@@ -214,6 +236,27 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.7. Causes an entry to be deleted
+                from the named <replaceable>ipset</replaceable>. The
+                <replaceable>flags</replaceable> specify the address or tuple
+                to be deleted from the set and must match the type of ipset
+                involved. For example, for an iphash ipset, either the SOURCE
+                or DESTINATION address can be deleted using
+                <replaceable>flags</replaceable> <emphasis
+                role="bold">src</emphasis> or <emphasis
+                role="bold">dst</emphasis> respectively (see the -D command in
+                ipset (8)).</para>
+
+                <para>DEL is non-terminating. Even if a packet matches the
+                rule, it is passed on to the next rule.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">DIVERT</emphasis></term>
 
@@ -509,7 +552,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">SAME</emphasis></term>
+              <term><emphasis
+              role="bold">SAME[(<replaceable>timeout</replaceable>)]</emphasis></term>
 
               <listitem>
                 <para>Some websites run applications that require multiple
@@ -533,12 +577,16 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
                 connections to an individual remote system to all use the same
                 provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
-SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
+SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>The
-                If the firewall attempts a connection on TCP port 80 or 443
+                optional <replaceable>timeout</replaceable> parameter was
-                and it has sent a packet on either of those ports in the last
+                added in Shorewall 4.6.7 and specifies a number of seconds .
-                five minutes to the same remote system then the new connection
+                When not specified, a value of 300 seconds (5 minutes) is
-                will use the same provider as the connection over which that
+                assumed. If the firewall attempts a connection on TCP port 80
-                last packet was sent.</para>
+                or 443 and it has sent a packet on either of those ports in
+                the last <replaceable>timeout</replaceable> seconds to the
+                same remote system then the new connection will use the same
+                provider as the connection over which that last packet was
+                sent.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall-tunnels.xml

@@ -70,7 +70,8 @@
         <emphasis role="bold">openvpn</emphasis>       - OpenVPN in point-to-point mode
         <emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall
         <emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall
-        <emphasis role="bold">generic</emphasis>       - Other tunnel type</programlisting>
+        <emphasis role="bold">generic</emphasis>       - Other tunnel type
+        <emphasis role="bold">tinc</emphasis>          - TINC (added in Shorewall 4.6.6)</programlisting>
 
           <para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
           be followed by <emphasis role="bold">:ah</emphasis> to indicate that
@@ -270,6 +271,19 @@
         generic:udp:4444 net     4.3.99.124</programlisting>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>Example 9:</term>
+
+        <listitem>
+          <para>TINC tunnel where the remote gateways are not specified. If
+          you wish to specify a list of gateways, you can do so in the GATEWAY
+          column.</para>
+
+          <programlisting>        #TYPE            ZONE    GATEWAY          GATEWAY ZONES
+        tinc             net     0.0.0.0/0</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall6/manpages/shorewall6-mangle.xml

@@ -124,6 +124,28 @@
           following.</para>
 
           <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.7. Causes addresses and/or port
+                numbers to be added to the named
+                <replaceable>ipset</replaceable>. The
+                <replaceable>flags</replaceable> specify the address or tuple
+                to be added to the set and must match the type of ipset
+                involved. For example, for an iphash ipset, either the SOURCE
+                or DESTINATION address can be added using
+                <replaceable>flags</replaceable> <emphasis
+                role="bold">src</emphasis> or <emphasis
+                role="bold">dst</emphasis> respectively (see the -A command in
+                ipset (8)).</para>
+
+                <para>ADD is non-terminating. Even if a packet matches the
+                rule, it is passed on to the next rule.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">CHECKSUM</emphasis></term>
 
@@ -215,6 +237,27 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.7. Causes an entry to be deleted
+                from the named <replaceable>ipset</replaceable>. The
+                <replaceable>flags</replaceable> specify the address or tuple
+                to be deleted from the set and must match the type of ipset
+                involved. For example, for an iphash ipset, either the SOURCE
+                or DESTINATION address can be deleted using
+                <replaceable>flags</replaceable> <emphasis
+                role="bold">src</emphasis> or <emphasis
+                role="bold">dst</emphasis> respectively (see the -D command in
+                ipset (8)).</para>
+
+                <para>DEL is non-terminating. Even if a packet matches the
+                rule, it is passed on to the next rule.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">DIVERT</emphasis></term>
 
@@ -510,7 +553,8 @@ INLINE          eth0              -                 ; -p tcp -j MARK --set-mark
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">SAME</emphasis></term>
+              <term><emphasis
+              role="bold">SAME[(<replaceable>timeout</replaceable>)]</emphasis></term>
 
               <listitem>
                 <para>Some websites run applications that require multiple
@@ -534,12 +578,16 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
                 connections to an individual remote system to all use the same
                 provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
 #                                                        PORT(S)
-SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
+SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>The
-                If the firewall attempts a connection on TCP port 80 or 443
+                optional <replaceable>timeout</replaceable> parameter was
-                and it has sent a packet on either of those ports in the last
+                added in Shorewall 4.6.7 and specifies a number of seconds .
-                five minutes to the same remote system then the new connection
+                When not specified, a value of 300 seconds (5 minutes) is
-                will use the same provider as the connection over which that
+                assumed. If the firewall attempts a connection on TCP port 80
-                last packet was sent.</para>
+                or 443 and it has sent a packet on either of those ports in
+                the last <replaceable>timeout</replaceable> seconds to the
+                same remote system then the new connection will use the same
+                provider as the connection over which that last packet was
+                sent.</para>
               </listitem>
             </varlistentry>
 

Shorewall6/manpages/shorewall6-tunnels.xml

@@ -65,7 +65,8 @@
         <emphasis role="bold">openvpn</emphasis>       - OpenVPN in point-to-point mode
         <emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall
         <emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall
-        <emphasis role="bold">generic</emphasis>       - Other tunnel type</programlisting>
+        <emphasis role="bold">generic</emphasis>       - Other tunnel type
+        <emphasis role="bold">tinc</emphasis>          - TINC (added in Shorewall 4.6.6)</programlisting>
 
           <para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
           be followed by <emphasis role="bold">:ah</emphasis> to indicate that
@@ -229,6 +230,19 @@
         generic:udp:4444 net     2001:cec792b4:1::44</programlisting>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>Example 9:</term>
+
+        <listitem>
+          <para>TINC tunnel where the remote gateways are not specified. If
+          you wish to specify a list of gateways, you can do so in the GATEWAY
+          column.</para>
+
+          <programlisting>        #TYPE            ZONE    GATEWAY          GATEWAY ZONES
+        tinc             net     ::/0</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

docs/FAQ.xml

@@ -2208,7 +2208,7 @@ shorewall status > /dev/null 2>&1 || shorewall start # Start Shorewall
 
           <listitem>
             <para>Beginning with Shorewall 4.4.10, there is a new <ulink
-            url="Manpages/shorewall-init.html">Shorewall Init Package</ulink>
+            url="manpages/shorewall-init.html">Shorewall Init Package</ulink>
             that is designed to handle this case.</para>
           </listitem>
         </varlistentry>