forked from extern/shorewall_code
Compare commits
96 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
2673e6e60c | ||
|
|
d1a8c19712 | ||
|
|
3c77d83260 | ||
|
|
d8e43cee2b | ||
|
|
b0839c30b2 | ||
|
5a66c1d9d6 | ||
|
|
de23e641f7 | ||
|
|
a8294ed495 | ||
|
|
393cd5043d | ||
|
|
0de5e88018 | ||
|
badf2fc9f0 | ||
|
|
5e8ce7d073 | ||
|
450a16f730 | ||
|
aae5baedfd | ||
|
|
95831e372f | ||
|
|
77317c1766 | ||
|
|
236b06d480 | ||
|
|
86244d8faf | ||
|
|
b8ef488f64 | ||
|
|
b7f2d1b22e | ||
|
|
c93817f30b | ||
|
|
5637385507 | ||
|
|
23f66180e9 | ||
|
c1e58f6faf | ||
|
8b0d829531 | ||
|
|
c941cf4bb5 | ||
|
e9e73a259b | ||
|
|
672c3420a0 | ||
|
|
ba87937f49 | ||
|
|
69f0d4d881 | ||
|
|
6681191c88 | ||
|
|
2ceeb2c934 | ||
|
|
97165ed41e | ||
|
|
5b0cacd9c4 | ||
|
|
eeec6f2396 | ||
|
|
2e7d1ac4a3 | ||
|
|
34c59dca32 | ||
|
|
9aa2a4b704 | ||
|
|
d363809859 | ||
|
|
6c4383b5ce | ||
|
|
877807943d | ||
|
|
378df2861a | ||
|
|
f84be9faa4 | ||
|
|
c6dea1525f | ||
|
|
a7505f3ecb | ||
|
|
8c10c96844 | ||
|
|
126c5ccd53 | ||
|
|
1ca886abd7 | ||
|
|
ca78c0221c | ||
|
|
e4c2122532 | ||
|
|
f16e666858 | ||
|
|
b5f3294adb | ||
|
|
8d4e79650e | ||
|
|
b253be8a69 | ||
|
|
4385264dc3 | ||
|
|
6cab1c3c8c | ||
|
|
fe7bb4abca | ||
|
|
63b477a4de | ||
|
|
2166251b97 | ||
|
|
9e6aec7687 | ||
|
|
b154803f22 | ||
|
|
09449d4c67 | ||
|
|
774be17a32 | ||
|
|
6120eba8f9 | ||
|
|
6e8b25f126 | ||
|
|
1dca860425 | ||
|
|
bb9d574bf8 | ||
|
|
4253f23d6b | ||
|
|
1e90a52b31 | ||
|
|
b11bea1d4d | ||
|
|
130b3e16e5 | ||
|
|
11aa92c5fc | ||
|
|
68c0897352 | ||
|
|
344bbeacb7 | ||
|
|
3073185b39 | ||
|
|
ef9c153dd5 | ||
|
|
fa010dc020 | ||
|
|
770637902f | ||
|
|
2f56edc1ed | ||
|
|
bc4c6637c3 | ||
|
|
0b80856eb6 | ||
|
|
92689b12bd | ||
|
|
070efee47a | ||
|
|
d03146491b | ||
|
|
995a939a37 | ||
|
|
ca19feae69 | ||
|
|
bc7082fb2a | ||
|
|
109ae7e038 | ||
|
|
b3ebcc8025 | ||
|
|
954c0185fa | ||
|
|
8d025e3821 | ||
|
|
ac221348c0 | ||
|
|
381a0ad8aa | ||
|
|
4b3f9ae1e7 | ||
|
|
89201bd294 | ||
|
|
b617c8d224 |
@@ -1 +1 @@
|
||||
5.2.6-base
|
||||
5.2.8-RC1
|
||||
|
||||
@@ -324,6 +324,15 @@ install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
|
||||
|
||||
echo
|
||||
echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
|
||||
#
|
||||
# Install stop_service
|
||||
#
|
||||
if [ -n "${STOPSERVICEFILE}" ]; then
|
||||
install_file ${STOPSERVICEFILE} ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service 0755
|
||||
|
||||
echo
|
||||
echo "${STOPSERVICEFILE} installed in ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service"
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the libraries
|
||||
|
||||
@@ -25,7 +25,7 @@
|
||||
# loaded after this one and replaces some of the functions declared here.
|
||||
#
|
||||
|
||||
SHOREWALL_CAPVERSION=50200
|
||||
SHOREWALL_CAPVERSION=50207
|
||||
|
||||
if [ -z "$g_basedir" ]; then
|
||||
#
|
||||
@@ -247,10 +247,39 @@ search_log() # $1 = IP address to search for
|
||||
#
|
||||
# Show traffic control information
|
||||
#
|
||||
show_tc1() {
|
||||
show_one_classifier() {
|
||||
local class
|
||||
|
||||
qt tc -s filter ls root dev $1 && tc -s filter ls root dev $device | grep -v '^$'
|
||||
tc filter show dev $1
|
||||
tc class show dev $1 | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
|
||||
if [ -n "$class" ]; then
|
||||
echo
|
||||
echo Node $class
|
||||
tc filter show dev $device parent $class
|
||||
fi
|
||||
done
|
||||
echo
|
||||
}
|
||||
|
||||
show_classifier1() {
|
||||
local device
|
||||
local qdisc
|
||||
|
||||
device=${1%@*}
|
||||
qdisc=$(tc qdisc list dev $device)
|
||||
if [ -n "$qdisc" ]; then
|
||||
echo Device $device:
|
||||
show_one_classifier $device
|
||||
fi
|
||||
}
|
||||
|
||||
show_tc1() {
|
||||
show_one_tc() {
|
||||
local device
|
||||
local qdisc
|
||||
local ingress
|
||||
|
||||
device=${1%@*}
|
||||
qdisc=$(tc qdisc list dev $device)
|
||||
|
||||
@@ -260,6 +289,7 @@ show_tc1() {
|
||||
echo
|
||||
tc -s -d class show dev $device
|
||||
echo
|
||||
show_one_classifier $device "$qdisc"
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -270,7 +300,6 @@ show_tc1() {
|
||||
show_one_tc ${interface%:}
|
||||
done
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
show_tc() {
|
||||
@@ -291,28 +320,8 @@ show_tc() {
|
||||
#
|
||||
show_classifiers() {
|
||||
|
||||
show_one_classifier() {
|
||||
local device
|
||||
device=${1%@*}
|
||||
qdisc=$(tc qdisc list dev $device)
|
||||
|
||||
if [ -n "$qdisc" ]; then
|
||||
echo Device $device:
|
||||
qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
|
||||
tc filter show dev $device
|
||||
tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
|
||||
if [ -n "$class" ]; then
|
||||
echo
|
||||
echo Node $class
|
||||
tc filter show dev $device parent $class
|
||||
fi
|
||||
done
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
ip -o link list | while read inx interface details; do
|
||||
show_one_classifier ${interface%:}
|
||||
show_classifier1 ${interface%:}
|
||||
done
|
||||
|
||||
}
|
||||
@@ -1017,6 +1026,8 @@ show_mangle() {
|
||||
show_classifiers_command() {
|
||||
echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
|
||||
echo
|
||||
echo "Warning: This command is deprecated in favor of the 'show tc' command"
|
||||
echo
|
||||
show_classifiers
|
||||
}
|
||||
|
||||
@@ -1904,8 +1915,6 @@ do_dump_command() {
|
||||
if [ -n "$TC_ENABLED" ]; then
|
||||
heading "Traffic Control"
|
||||
show_tc1
|
||||
heading "TC Filters"
|
||||
show_classifiers
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -2878,6 +2887,7 @@ determine_capabilities() {
|
||||
NETMAP_TARGET=
|
||||
NFLOG_SIZE=
|
||||
RESTORE_WAIT_OPTION=
|
||||
CONNMARK_ACTION=
|
||||
|
||||
AMANDA_HELPER=
|
||||
FTP_HELPER=
|
||||
@@ -3245,6 +3255,10 @@ determine_capabilities() {
|
||||
BASIC_FILTER=Yes
|
||||
$TC filter add basic help 2>&1 | egrep -q match && BASIC_EMATCH=Yes
|
||||
fi
|
||||
|
||||
if $TC action add connmark help 2>&1 | grep -q ^Usage; then
|
||||
CONNMARK_ACTION=Yes
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
|
||||
@@ -3388,6 +3402,7 @@ report_capabilities_unsorted() {
|
||||
report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
|
||||
report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
|
||||
report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
|
||||
report_capability "TC connmark support (CONNMARK_ACTION)" $CONNMARK_ACTION
|
||||
|
||||
echo " Kernel Version (KERNELVERSION): $KERNELVERSION"
|
||||
echo " Capabilities Version (CAPVERSION): $CAPVERSION"
|
||||
@@ -3494,6 +3509,7 @@ report_capabilities_unsorted1() {
|
||||
report_capability1 NFLOG_SIZE
|
||||
report_capability1 RESTORE_WAIT_OPTION
|
||||
report_capability1 NAT_INPUT_CHAIN
|
||||
report_capability1 CONNMARK_ACTION
|
||||
|
||||
report_capability1 AMANDA_HELPER
|
||||
report_capability1 FTP_HELPER
|
||||
@@ -3589,7 +3605,7 @@ status_command() {
|
||||
|
||||
[ $# -eq 0 ] || missing_argument
|
||||
|
||||
[ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
|
||||
[ $VERBOSITY -ge 1 ] && echo "${g_product} $SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
|
||||
show_status
|
||||
[ -n "$interfaces" ] && show_interfaces
|
||||
exit $status
|
||||
@@ -4003,9 +4019,15 @@ setup_dbl() {
|
||||
# the Standard CLI by loading lib.cli-std
|
||||
################################################################################
|
||||
#
|
||||
# Set the configuration variables from shorewall[6]-lite.conf.
|
||||
# Set the configuration variables from shorewall[6]-lite.conf. This function
|
||||
# is replaced by the one in lib.cli-std (Shorewall product) when Shorewall or
|
||||
# Shorewall6 is being run.
|
||||
#
|
||||
get_config() {
|
||||
# $1 = Yes: read the params file
|
||||
# $2 = Yes: check for STARTUP_ENABLED
|
||||
# $3 = Yes: Check for LOGFILE
|
||||
#
|
||||
lite_get_config() {
|
||||
local config
|
||||
local lib
|
||||
|
||||
@@ -4154,7 +4176,7 @@ get_config() {
|
||||
|
||||
[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
|
||||
|
||||
g_pager="| $g_pager"
|
||||
g_pager="2>&1 | $g_pager"
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -4167,10 +4189,22 @@ get_config() {
|
||||
[ -f $lib ] && . $lib
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# get_config() -- calls the appropriate xxx_get_config()
|
||||
#
|
||||
get_config() {
|
||||
if [ -z "$g_lite" ]; then
|
||||
std_get_config $@
|
||||
else
|
||||
lite_get_config $@
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Start Command Executor
|
||||
#
|
||||
start_command() {
|
||||
lite_start_command() {
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
@@ -4257,10 +4291,21 @@ start_command() {
|
||||
do_it
|
||||
}
|
||||
|
||||
#
|
||||
# start_command() -- calls the appropriate xxx_start_command()
|
||||
#
|
||||
start_command() {
|
||||
if [ -z "$g_lite" ]; then
|
||||
std_start_command $@
|
||||
else
|
||||
lite_start_command $@
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Reload/Restart Command Executor
|
||||
#
|
||||
restart_command() {
|
||||
lite_restart_command() {
|
||||
local finished
|
||||
finished=0
|
||||
local rc
|
||||
@@ -4329,6 +4374,17 @@ restart_command() {
|
||||
return $rc
|
||||
}
|
||||
|
||||
#
|
||||
# restart_command() -- calls the appropriate xxx_restart_command()
|
||||
#
|
||||
restart_command() {
|
||||
if [ -z "$g_lite" ]; then
|
||||
std_restart_command $@
|
||||
else
|
||||
lite_restart_command $@
|
||||
fi
|
||||
}
|
||||
|
||||
run_command() {
|
||||
if [ -x $g_firewall ] ; then
|
||||
run_it $g_firewall $@
|
||||
@@ -4432,12 +4488,11 @@ usage() # $1 = exit status
|
||||
echo " [ show | list | ls ] arptables"
|
||||
echo " [ show | list | ls ] [ -f ] capabilities"
|
||||
echo " [ show | list | ls ] [ -x ] {bl|blacklists}"
|
||||
echo " [ show | list | ls ] classifiers"
|
||||
echo " [ show | list | ls ] {classifiers|filters)"
|
||||
echo " [ show | list | ls ] config"
|
||||
echo " [ show | list | ls ] connections"
|
||||
echo " [ show | list | ls ] event [ <event> ...]"
|
||||
echo " [ show | list | ls ] events"
|
||||
echo " [ show | list | ls ] filters"
|
||||
echo " [ show | list | ls ] ip"
|
||||
|
||||
if [ $g_family -eq 4 ]; then
|
||||
@@ -4698,7 +4753,7 @@ shorewall_cli() {
|
||||
exit 1
|
||||
fi
|
||||
|
||||
banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
|
||||
banner="${g_product} ${SHOREWALL_VERSION} Status at $g_hostname -"
|
||||
|
||||
COMMAND=$1
|
||||
|
||||
@@ -4788,7 +4843,7 @@ shorewall_cli() {
|
||||
logwatch)
|
||||
only_root
|
||||
get_config Yes Yes Yes
|
||||
banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
|
||||
banner="${g_product} $SHOREWALL_VERSION Logwatch at $g_hostname -"
|
||||
logwatch_command $@
|
||||
;;
|
||||
drop)
|
||||
|
||||
@@ -981,7 +981,22 @@
|
||||
<td><command>shorewall -6</command> or <command>shorewall
|
||||
-6l</command></td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td><command>shorewall</command></td>
|
||||
|
||||
<td><command>shorewall -l</command></td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<para>Note that when Shorewall isn't installed, the 'shorewall'
|
||||
command behaves like shorewall-lite. The same is not true with
|
||||
respect to Shorewall6, "shorewall6" and 'shorewall6-lite". You can
|
||||
make 'shorewall6' behave like 'shorewallt-lite' by adding the
|
||||
following command to root's .profile file (or to .bashrc, if root's
|
||||
shell is bash):</para>
|
||||
|
||||
<programlisting> alias shorewall6=shorewall6-lite</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -2458,8 +2473,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">bl|blacklists</emphasis>
|
||||
[-<option>x</option>]</term>
|
||||
<term><emphasis role="bold">[-<option>x</option>]
|
||||
bl|blacklists</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.2. Displays the dynamic chain
|
||||
@@ -2527,7 +2542,9 @@
|
||||
<listitem>
|
||||
<para>Displays information about the packet classifiers
|
||||
defined on the system as a result of traffic shaping
|
||||
configuration.</para>
|
||||
configuration. Beginning with Shorewall 5.2.8, this command is
|
||||
deprecated, as its output is included in the information
|
||||
displayed by the 'show tc' command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -2904,9 +2921,9 @@
|
||||
listed in <ulink
|
||||
url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
|
||||
or permitted by the ADMINISABSENTMINDED option in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> The only
|
||||
new traffic permitted through the firewall is from systems listed in
|
||||
<ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>, are taken
|
||||
down. The only new traffic permitted through the firewall is from
|
||||
systems listed in <ulink
|
||||
url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
|
||||
or by ADMINISABSENTMINDED.</para>
|
||||
</listitem>
|
||||
|
||||
@@ -22,3 +22,4 @@ SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
||||
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
|
||||
STOPSERVICEFILE=stop_service.debian #Name of script to stop systemd service that honours `SAFESTOP`.
|
||||
|
||||
19
Shorewall-core/stop_service.debian
Normal file
19
Shorewall-core/stop_service.debian
Normal file
@@ -0,0 +1,19 @@
|
||||
#!/bin/sh
|
||||
|
||||
PRODUCT=$1
|
||||
|
||||
. /etc/default/${PRODUCT}
|
||||
|
||||
if [ "$SAFESTOP" = 1 ]; then
|
||||
COMMAND=stop
|
||||
else
|
||||
COMMAND=clear
|
||||
fi
|
||||
|
||||
if [ "${PRODUCT}" = shorewall6 ]; then
|
||||
EXEC="/sbin/shorewall -6"
|
||||
else
|
||||
EXEC="/sbin/${PRODUCT}"
|
||||
fi
|
||||
|
||||
exec ${EXEC} ${OPTIONS} ${COMMAND}
|
||||
@@ -134,6 +134,7 @@ fi
|
||||
|
||||
remove_directory ${SHAREDIR}/shorewall
|
||||
remove_file ~/.shorewallrc
|
||||
remove_file ${SBINDIR}/shorewall
|
||||
|
||||
#
|
||||
# Report Success
|
||||
|
||||
@@ -12,7 +12,7 @@ Wants=network-pre.target
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/sysconfig/shorewall-init
|
||||
StandardOutput=syslog
|
||||
StandardOutput=journal
|
||||
ExecStart=/sbin/shorewall-init start
|
||||
ExecStop=/sbin/shorewall-init stop
|
||||
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
#
|
||||
[Unit]
|
||||
Description=Shorewall firewall (bootup security)
|
||||
Documentation=man:shorewall-init(8)
|
||||
Before=network.target
|
||||
|
||||
[Service]
|
||||
|
||||
@@ -13,8 +13,8 @@
|
||||
|
||||
. /lib/lsb/init-functions
|
||||
|
||||
SRWL='/sbin/shorewall -l'
|
||||
SRWL_OPTS="-tvv"
|
||||
SRWL=/sbin/shorewall
|
||||
SRWL_OPTS="-ltvv"
|
||||
test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
|
||||
|
||||
[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
|
||||
|
||||
@@ -13,7 +13,7 @@ Conflicts=iptables.service firewalld.service
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/sysconfig/shorewall-lite
|
||||
StandardOutput=syslog
|
||||
StandardOutput=journal
|
||||
ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
|
||||
ExecStop=/sbin/shorewall-lite $OPTIONS stop
|
||||
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
#
|
||||
[Unit]
|
||||
Description=Shorewall IPv4 firewall (lite)
|
||||
Documentation=man:shorewall-lite(8)
|
||||
Wants=network-online.target
|
||||
After=network-online.target
|
||||
Conflicts=iptables.service firewalld.service
|
||||
@@ -16,7 +17,7 @@ RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/default/shorewall-lite
|
||||
StandardOutput=syslog
|
||||
ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
|
||||
ExecStop=/sbin/shorewall-lite $OPTIONS clear
|
||||
ExecStop=/usr/share/shorewall/stop_service shorewall-lite
|
||||
ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
|
||||
|
||||
[Install]
|
||||
|
||||
@@ -20,22 +20,23 @@ DEFAULTS ACCEPT
|
||||
|
||||
# The following should have a ttl of 255 and must be allowed to transit a bridge
|
||||
@1 - - ipv6-icmp router-solicitation
|
||||
@1 - - ipv6-icmp router-advertisement
|
||||
@1 - - ipv6-icmp neighbour-solicitation
|
||||
@1 - - ipv6-icmp neighbour-advertisement
|
||||
@1 - - ipv6-icmp 137 # Redirect
|
||||
@1 - - ipv6-icmp 141 # Inverse neighbour discovery solicitation
|
||||
@1 - - ipv6-icmp 142 # Inverse neighbour discovery advertisement
|
||||
|
||||
# The following should have a link local source address and must be allowed to transit a bridge
|
||||
# The following must have a link local source address and must be allowed to transit a bridge
|
||||
@1 fe80::/10 - ipv6-icmp 130 # Listener query
|
||||
@1 fe80::/10 - ipv6-icmp 131 # Listener report
|
||||
@1 fe80::/10 - ipv6-icmp 132 # Listener done
|
||||
@1 fe80::/10 - ipv6-icmp router-advertisement
|
||||
@1 :: - ipv6-icmp 143 # Listener report v2
|
||||
@1 fe80::/10 - ipv6-icmp 143 # Listener report v2
|
||||
|
||||
# The following should be received with a ttl of 255 and must be allowed to transit a bridge
|
||||
@1 - - ipv6-icmp 148 # Certificate path solicitation
|
||||
@1 - - ipv6-icmp 149 # Certificate path advertisement
|
||||
@1 :: - ipv6-icmp 148 # Certificate path solicitation
|
||||
@1 fe80::/10 - ipv6-icmp 148 # Certificate path solicitation
|
||||
@1 fe80::/10 - ipv6-icmp 149 # Certificate path advertisement
|
||||
|
||||
# The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
|
||||
@1 fe80::/10 - ipv6-icmp 151 # Multicast router advertisement
|
||||
|
||||
12
Shorewall/Macros/macro.NFS
Normal file
12
Shorewall/Macros/macro.NFS
Normal file
@@ -0,0 +1,12 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/macro.NFS
|
||||
#
|
||||
# This macro handles NFS v4.1+ traffic with default ports.
|
||||
# You should only allow NFS traffic between hosts you fully trust.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||
|
||||
PARAM - - tcp 111 # portmapper, rpcbind
|
||||
PARAM - - tcp 2049 # nfs
|
||||
PARAM - - tcp 20048 # mountd
|
||||
8
Shorewall/Macros/macro.TorMetrics
Normal file
8
Shorewall/Macros/macro.TorMetrics
Normal file
@@ -0,0 +1,8 @@
|
||||
#
|
||||
# Shorewall --/usr/share/shorewall/macro.TorMetrics
|
||||
#
|
||||
# Macro for handling Tor Onion Network traffic
|
||||
#
|
||||
##############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
PARAM - - tcp 9035
|
||||
@@ -7478,9 +7478,9 @@ sub have_address_variables() {
|
||||
#
|
||||
# Generate setting of run-time global shell variables
|
||||
#
|
||||
sub set_global_variables( $$ ) {
|
||||
sub set_global_variables( $$$ ) {
|
||||
|
||||
my ( $setall, $conditional ) = @_;
|
||||
my ( $setall, $conditional, $call_generate_all_acasts ) = @_;
|
||||
|
||||
if ( $conditional ) {
|
||||
my ( $interface, @interfaces );
|
||||
@@ -7513,16 +7513,17 @@ sub set_global_variables( $$ ) {
|
||||
}
|
||||
|
||||
if ( $setall ) {
|
||||
emit $interfaceaddr{$_} for sortkeysiftest %interfaceaddr;
|
||||
emit $interfacenets{$_} for sortkeysiftest %interfacenets;
|
||||
if ( $conditional ) {
|
||||
emit $interfaceaddr{$_} for sortkeysiftest %interfaceaddr;
|
||||
emit $interfacenets{$_} for sortkeysiftest %interfacenets;
|
||||
}
|
||||
|
||||
unless ( have_capability( 'ADDRTYPE' ) ) {
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
|
||||
emit $interfacebcasts{$_} for sortkeysiftest %interfacebcasts;
|
||||
} else {
|
||||
emit 'ALL_ACASTS="$(get_all_acasts)"';
|
||||
emit $call_generate_all_acasts;
|
||||
emit $interfaceacasts{$_} for sortkeysiftest %interfaceacasts;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -276,12 +276,18 @@ sub generate_script_2() {
|
||||
|
||||
emit "}\n"; # End of initialize()
|
||||
|
||||
#
|
||||
# Conditionally emit the 'generate_all_acasts() function
|
||||
#
|
||||
my $call_generate_all_acasts = $family == F_IPV6 && ! have_capability( 'ADDRTYPE' ) ? generate_all_acasts : '';
|
||||
|
||||
emit( '' ,
|
||||
'#' ,
|
||||
'# Set global variables holding detected IP information' ,
|
||||
'#' ,
|
||||
'detect_configuration()',
|
||||
'{' );
|
||||
'{'
|
||||
);
|
||||
|
||||
my $global_variables = have_global_variables;
|
||||
my $optional_interfaces = find_interfaces_by_option( 'optional' );
|
||||
@@ -312,7 +318,7 @@ sub generate_script_2() {
|
||||
|
||||
if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
|
||||
verify_required_interfaces(0);
|
||||
set_global_variables(0, 0);
|
||||
set_global_variables( $family == F_IPV6, 0, $call_generate_all_acasts );
|
||||
handle_optional_interfaces;
|
||||
}
|
||||
|
||||
@@ -326,7 +332,7 @@ sub generate_script_2() {
|
||||
}
|
||||
|
||||
verify_required_interfaces(1);
|
||||
set_global_variables(1,1);
|
||||
set_global_variables(1, 1, $call_generate_all_acasts );
|
||||
handle_optional_interfaces;
|
||||
|
||||
if ( $global_variables & NOT_RESTORE ) {
|
||||
|
||||
@@ -502,6 +502,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
RESTORE_WAIT_OPTION
|
||||
=> 'iptables-restore --wait option',
|
||||
NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
|
||||
CONNMARK_ACTION => 'TC connmark support',
|
||||
#
|
||||
# Helpers
|
||||
#
|
||||
@@ -883,8 +884,8 @@ sub initialize($;$$$$) {
|
||||
TC_SCRIPT => '',
|
||||
EXPORT => 0,
|
||||
KLUDGEFREE => '',
|
||||
VERSION => '5.2.4.1',
|
||||
CAPVERSION => 50200 ,
|
||||
VERSION => '5.2.8-RC1',
|
||||
CAPVERSION => 50207 ,
|
||||
BLACKLIST_LOG_TAG => '',
|
||||
RELATED_LOG_TAG => '',
|
||||
MACLIST_LOG_TAG => '',
|
||||
@@ -1178,6 +1179,7 @@ sub initialize($;$$$$) {
|
||||
NFLOG_SIZE => undef,
|
||||
RESTORE_WAIT_OPTION => undef,
|
||||
NAT_INPUT_CHAIN => undef,
|
||||
CONNMARK_ACTION => undef ,
|
||||
|
||||
AMANDA_HELPER => undef,
|
||||
FTP_HELPER => undef,
|
||||
@@ -1505,7 +1507,7 @@ sub qt1( $ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Delete the test chains
|
||||
# Delete the test chains and IP sets
|
||||
#
|
||||
sub cleanup_iptables() {
|
||||
qt1( "$iptables $iptablesw -F $sillyname" );
|
||||
@@ -1528,6 +1530,12 @@ sub cleanup_iptables() {
|
||||
qt1( "$iptables $iptablesw -t raw -X $sillyname" );
|
||||
}
|
||||
|
||||
my $ipset = $config{IPSET} || 'ipset';
|
||||
$ipset = which( $ipset ) unless $ipset =~ '/';
|
||||
if ( $ipset && -x $ipset ) {
|
||||
qt( "$ipset -X $sillyname" );
|
||||
}
|
||||
|
||||
$sillyname = $sillyname1 = '';
|
||||
}
|
||||
|
||||
@@ -1572,7 +1580,7 @@ sub cleanup() {
|
||||
unlink ( $perlscriptname ), $perlscriptname = undef if $perlscriptname;
|
||||
unlink ( @tempfiles ), @tempfiles = () if @tempfiles;
|
||||
#
|
||||
# Delete temporary chains
|
||||
# Delete temporary chains and IP sets
|
||||
#
|
||||
cleanup_iptables if $sillyname;
|
||||
}
|
||||
@@ -5052,6 +5060,10 @@ sub Basic_Filter() {
|
||||
$tc && system( "$tc filter add basic help 2>&1 | grep -q ^Usage" ) == 0;
|
||||
}
|
||||
|
||||
sub Connmark_Action() {
|
||||
$tc && system( "$tc action add connmark help 2>&1 | grep -q ^Usage" ) == 0;
|
||||
}
|
||||
|
||||
sub Basic_Ematch() {
|
||||
$tc && have_capability( 'BASIC_FILTER' ) && system( "$tc filter add basic help 2>&1 | egrep -q match" ) == 0;
|
||||
}
|
||||
@@ -5181,6 +5193,7 @@ our %detect_capability =
|
||||
COMMENTS => \&Comments,
|
||||
CONNLIMIT_MATCH => \&Connlimit_Match,
|
||||
CONNMARK => \&Connmark,
|
||||
CONNMARK_ACTION => \&Connmark_Action,
|
||||
CONNMARK_MATCH => \&Connmark_Match,
|
||||
CONNTRACK_MATCH => \&Conntrack_Match,
|
||||
CPU_FANOUT => \&Cpu_Fanout,
|
||||
@@ -5676,6 +5689,11 @@ sub process_shorewall_conf( $$ ) {
|
||||
$globals{CONFIGDIR} = $configfile = $file;
|
||||
$globals{CONFIGDIR} =~ s/$product.conf//;
|
||||
|
||||
if ( $export ) {
|
||||
use Sys::Hostname;
|
||||
$globals{CONFIGDIR} = join( ':', hostname, $globals{CONFIGDIR} );
|
||||
}
|
||||
|
||||
if ( -r _ ) {
|
||||
open_file $file;
|
||||
|
||||
@@ -5804,9 +5822,10 @@ sub get_capabilities($)
|
||||
fatal_error "Can't find $toolname executable" unless $iptables = which $toolname;
|
||||
}
|
||||
#
|
||||
# Determine if iptables supports the -w option
|
||||
# Determine if iptables supports the -w option unless we already have
|
||||
# existing capabilities
|
||||
#
|
||||
$iptablesw = qt1( "$iptables -w -L -n") ? '-w' : '';
|
||||
$iptablesw = qt1( "$iptables -w -n -L INPUT") ? '-w' : '' unless $_[0];
|
||||
|
||||
my $iptables_restore=$iptables . '-restore';
|
||||
|
||||
|
||||
@@ -149,14 +149,13 @@ sub validate_4address( $$ ) {
|
||||
|
||||
unless ( valid_4address $addr ) {
|
||||
fatal_error "Invalid IP Address ($addr)" unless $allow_name;
|
||||
fatal_error "Unknown Host ($addr)" unless @addrs = gethostbyname( $addr );
|
||||
my ( $err, @addr_structs ) = Socket::getaddrinfo( $addr, 0, {
|
||||
family => Socket::AF_INET,
|
||||
protocol => Socket::IPPROTO_TCP,
|
||||
} );
|
||||
fatal_error "Unknown Host ($addr)" if $err != 0;
|
||||
|
||||
if ( defined wantarray ) {
|
||||
shift @addrs for (1..4);
|
||||
for ( @addrs ) {
|
||||
$_ = ( inet_ntoa( $_ ) );
|
||||
}
|
||||
}
|
||||
@addrs = translate_addr_structs( @addr_structs );
|
||||
}
|
||||
|
||||
defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
|
||||
@@ -164,14 +163,14 @@ sub validate_4address( $$ ) {
|
||||
|
||||
sub resolve_4dnsname( $ ) {
|
||||
my $net = $_[0];
|
||||
my @addrs;
|
||||
|
||||
fatal_error "Unknown Host ($net)" unless @addrs = gethostbyname( $net );
|
||||
my ( $err, @addr_structs ) = Socket::getaddrinfo( $net, 0, {
|
||||
family => Socket::AF_INET,
|
||||
protocol => Socket::IPPROTO_TCP,
|
||||
} );
|
||||
fatal_error "Unknown Host ($net)" if $err != 0;
|
||||
|
||||
shift @addrs for (1..4);
|
||||
for ( @addrs ) {
|
||||
$_ = ( inet_ntoa( $_ ) );
|
||||
}
|
||||
my @addrs = translate_addr_structs( @addr_structs );
|
||||
|
||||
@addrs;
|
||||
}
|
||||
@@ -508,15 +507,13 @@ sub validate_6address( $$ ) {
|
||||
|
||||
unless ( valid_6address $addr ) {
|
||||
fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name;
|
||||
require Socket6;
|
||||
fatal_error "Unknown Host ($addr)" unless (@addrs = Socket6::gethostbyname2( $addr, Socket6::AF_INET6()));
|
||||
my ( $err, @addr_structs ) = Socket::getaddrinfo( $addr, 0, {
|
||||
family => Socket::AF_INET6,
|
||||
protocol => Socket::IPPROTO_TCP,
|
||||
} );
|
||||
fatal_error "Unknown Host ($addr)" if $err != 0;
|
||||
|
||||
if ( defined wantarray ) {
|
||||
shift @addrs for (1..4);
|
||||
for ( @addrs ) {
|
||||
$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
|
||||
}
|
||||
}
|
||||
@addrs = translate_addr_structs( @addr_structs );
|
||||
}
|
||||
|
||||
defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
|
||||
@@ -524,15 +521,14 @@ sub validate_6address( $$ ) {
|
||||
|
||||
sub resolve_6dnsname( $ ) {
|
||||
my $net = $_[0];
|
||||
my @addrs;
|
||||
|
||||
require Socket6;
|
||||
fatal_error "Unknown Host ($net)" unless (@addrs = Socket6::gethostbyname2( $net, Socket6::AF_INET6()));
|
||||
my ( $err, @addr_structs ) = Socket::getaddrinfo( $net, 0, {
|
||||
family => Socket::AF_INET6,
|
||||
protocol => Socket::IPPROTO_TCP,
|
||||
} );
|
||||
fatal_error "Unknown Host ($net)" if $err != 0;
|
||||
|
||||
shift @addrs for (1..4);
|
||||
for ( @addrs ) {
|
||||
$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
|
||||
}
|
||||
my @addrs = translate_addr_structs( @addr_structs );
|
||||
|
||||
@addrs;
|
||||
}
|
||||
@@ -661,6 +657,19 @@ sub validate_6host( $$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
sub translate_addr_structs {
|
||||
my @addr_structs = @_;
|
||||
|
||||
my @addrs;
|
||||
foreach my $addr_struct ( @addr_structs ) {
|
||||
my ( $err, $ip_addr ) = Socket::getnameinfo( $addr_struct->{addr},
|
||||
Socket::NI_NUMERICHOST, Socket::NIx_NOSERV );
|
||||
push @addrs, $ip_addr if $err == 0;
|
||||
}
|
||||
|
||||
return @addrs;
|
||||
}
|
||||
|
||||
my %ipv6_icmp_types = ( any => 'any',
|
||||
'destination-unreachable' => 1,
|
||||
'no-route' => '1/0',
|
||||
|
||||
@@ -72,6 +72,9 @@ our %flow_keys = ( 'src' => 1,
|
||||
# out_bandwidth => <value> ,
|
||||
# number => <number>,
|
||||
# classify => 0|1
|
||||
# flow => Comma-separated flow tupple
|
||||
# classify => 0|1
|
||||
# pfifo => 0|1
|
||||
# tablenumber => <next u32 table to be allocated for this device>
|
||||
# default => <default class mark value>
|
||||
# redirected => [ <dev1>, <dev2>, ... ]
|
||||
@@ -80,6 +83,13 @@ our %flow_keys = ( 'src' => 1,
|
||||
# qdisc => htb|hfsc
|
||||
# guarantee => <total RATE of classes seen so far>
|
||||
# name => <interface>
|
||||
# filters => [ filter, ... ]
|
||||
# linklayer => <type> (optional)
|
||||
# overhead => <number>
|
||||
# mtu => <number>
|
||||
# tsize => <number>
|
||||
# filterpri => <number> (initially 0)
|
||||
# connmark => 0|1
|
||||
# }
|
||||
#
|
||||
our @tcdevices;
|
||||
@@ -139,12 +149,14 @@ sub initialize( $ ) {
|
||||
sub rate_to_kbit( $ ) {
|
||||
my $rate = $_[0];
|
||||
|
||||
return 0 if $rate eq '-';
|
||||
return $1 if $rate =~ /^((\d+)(\.\d+)?)kbit$/i;
|
||||
return $1 * 1000 if $rate =~ /^((\d+)(\.\d+)?)mbit$/i;
|
||||
return $1 * 8000 if $rate =~ /^((\d+)(\.\d+)?)mbps$/i;
|
||||
return $1 * 8 if $rate =~ /^((\d+)(\.\d+)?)kbps$/i;
|
||||
return ($1/125) if $rate =~ /^((\d+)(\.\d+)?)(bps)?$/;
|
||||
return 0 if $rate eq '-';
|
||||
return $1 if $rate =~ /^((\d+)(\.\d+)?)kbit$/i;
|
||||
return $1 * 1000 if $rate =~ /^((\d+)(\.\d+)?)mbit$/i;
|
||||
return $1 * 1000000 if $rate =~ /^((\d+)(\.\d+)?)gbit$/i;
|
||||
return $1 * 8000000 if $rate =~ /^((\d+)(\.\d+)?)gbps$/i;
|
||||
return $1 * 8000 if $rate =~ /^((\d+)(\.\d+)?)mbps$/i;
|
||||
return $1 * 8 if $rate =~ /^((\d+)(\.\d+)?)kbps$/i;
|
||||
return ($1/125) if $rate =~ /^((\d+)(\.\d+)?)(bps)?$/;
|
||||
fatal_error "Invalid Rate ($rate)";
|
||||
}
|
||||
|
||||
@@ -202,7 +214,7 @@ sub process_in_bandwidth( $ ) {
|
||||
} else {
|
||||
if ( $in_band =~ /:/ ) {
|
||||
( $in_band, $burst ) = split /:/, $in_rate, 2;
|
||||
fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
|
||||
fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|g|gb|gbit|mbit|kbit|b)?$/;
|
||||
$in_burst = $burst;
|
||||
}
|
||||
|
||||
@@ -314,7 +326,7 @@ sub process_simple_device() {
|
||||
my $command = "run_tc qdisc add dev $physical root handle $number: tbf rate ${out_bandwidth}kbit";
|
||||
|
||||
if ( supplied $burst ) {
|
||||
fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
|
||||
fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|g|gb|gbit|mbit|kbit|b)?$/;
|
||||
$command .= " burst $burst";
|
||||
} else {
|
||||
$command .= ' burst 10kb';
|
||||
@@ -330,12 +342,12 @@ sub process_simple_device() {
|
||||
$command .= ' mpu 64'; #Assume Ethernet
|
||||
|
||||
if ( supplied $peak ) {
|
||||
fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
|
||||
fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|g|gb|gbit|mbit|kbit|b)?$/;
|
||||
$command .= " peakrate $peak";
|
||||
}
|
||||
|
||||
if ( supplied $minburst ) {
|
||||
fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
|
||||
fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|g|gb|gbit|mbit|kbit|b)?$/;
|
||||
$command .= " minburst $minburst";
|
||||
}
|
||||
|
||||
@@ -365,9 +377,7 @@ sub process_simple_device() {
|
||||
|
||||
emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" .
|
||||
"\\\n match ip6 protocol 6 0xff" .
|
||||
"\\\n match u8 0x05 0x0f at 0" .
|
||||
"\\\n match u16 0x0000 0xffc0 at 2" .
|
||||
"\\\n match u8 0x10 0xff at 33 flowid $number:1\n" );
|
||||
"\\\n match u8 0x10 0xff at 53 flowid $number:1\n" );
|
||||
|
||||
save_progress_message_short qq(" TC Device $physical defined.");
|
||||
|
||||
@@ -422,8 +432,8 @@ sub validate_tc_device( ) {
|
||||
fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device};
|
||||
fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
|
||||
|
||||
my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize ) =
|
||||
(0, 0, '', 'htb', '', 0, 0, 0, 0);
|
||||
my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize, $connmark ) =
|
||||
(0, 0, '', 'htb', '', 0, 0, 0, 0, 0);
|
||||
|
||||
if ( $options ne '-' ) {
|
||||
for my $option ( split_list1 $options, 'option' ) {
|
||||
@@ -458,6 +468,9 @@ sub validate_tc_device( ) {
|
||||
$tsize = numeric_value( $1 );
|
||||
fatal_error "Invalid tsize ($1)" unless defined $tsize;
|
||||
fatal_error q('tsize' requires 'linklayer') unless $linklayer;
|
||||
} elsif ( $option eq 'connmark' ) {
|
||||
require_capability( 'CONNMARK_ACTION', q(The 'connmark' option), 's' );
|
||||
$connmark = 1;
|
||||
} else {
|
||||
fatal_error "Unknown device option ($option)";
|
||||
}
|
||||
@@ -470,7 +483,7 @@ sub validate_tc_device( ) {
|
||||
|
||||
if ( @redirected ) {
|
||||
fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
|
||||
$classify = 1;
|
||||
$classify = 1 unless $connmark;
|
||||
|
||||
for my $rdevice ( @redirected ) {
|
||||
fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
|
||||
@@ -478,6 +491,8 @@ sub validate_tc_device( ) {
|
||||
fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
|
||||
fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} != 0;
|
||||
}
|
||||
} elsif ( $connmark ) {
|
||||
fatal_error "Option connmark can only be used when setting up a IFB device";
|
||||
}
|
||||
|
||||
$inband = process_in_bandwidth( $inband );
|
||||
@@ -503,6 +518,7 @@ sub validate_tc_device( ) {
|
||||
mpu => $mpu,
|
||||
tsize => $tsize,
|
||||
filterpri => 0,
|
||||
connmark => $connmark,
|
||||
} ,
|
||||
|
||||
push @tcdevices, $device;
|
||||
@@ -661,6 +677,7 @@ sub validate_tc_class( ) {
|
||||
|
||||
if ( $mark ne '-' ) {
|
||||
fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
|
||||
fatal_error "MARK may not be specified for an interface with the 'classify' option" if $devref->{classify};
|
||||
|
||||
( $mark, my $priority ) = split/:/, $mark, 2;
|
||||
|
||||
@@ -1639,8 +1656,8 @@ sub process_tcfilters() {
|
||||
#
|
||||
# Process a tcpri record
|
||||
#
|
||||
sub process_tc_priority1( $$$$$$ ) {
|
||||
my ( $band, $proto, $ports , $address, $interface, $helper ) = @_;
|
||||
sub process_tc_priority1( $$$$$$$ ) {
|
||||
my ( $band, $proto, $dports , $sports, $address, $interface, $helper ) = @_;
|
||||
|
||||
my $val = numeric_value $band;
|
||||
|
||||
@@ -1651,7 +1668,7 @@ sub process_tc_priority1( $$$$$$ ) {
|
||||
$rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
|
||||
|
||||
if ( $interface ne '-' ) {
|
||||
fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
|
||||
fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $dports eq '-' && $sports eq '-';
|
||||
|
||||
my $forwardref = $mangle_table->{tcfor};
|
||||
|
||||
@@ -1662,41 +1679,57 @@ sub process_tc_priority1( $$$$$$ ) {
|
||||
my $postref = $mangle_table->{tcpost};
|
||||
|
||||
if ( $address ne '-' ) {
|
||||
fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
|
||||
fatal_error "Invalid combination of columns" unless $proto eq '-' && $dports eq '-' && $sports eq '-';
|
||||
add_rule( $postref ,
|
||||
join( '', match_source_net( $address) , $rule ) ,
|
||||
1 );
|
||||
} else {
|
||||
add_rule( $postref ,
|
||||
join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
|
||||
join( '', do_proto( $proto, $dports, $sports , 0 ) , $rule ) ,
|
||||
1 );
|
||||
|
||||
if ( $ports ne '-' ) {
|
||||
if ( $dports ne '-' ) {
|
||||
my $protocol = resolve_proto $proto;
|
||||
|
||||
if ( $proto =~ /^ipp2p/ ) {
|
||||
fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
|
||||
$ipp2p = 1;
|
||||
} elsif ( $file_format == 1 ) {
|
||||
add_rule( $postref ,
|
||||
join( '' , do_proto( $proto, '-', $dports, 0 ) , $rule ) ,
|
||||
1 )
|
||||
unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
|
||||
}
|
||||
|
||||
add_rule( $postref ,
|
||||
join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
|
||||
1 )
|
||||
unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub process_tc_priority() {
|
||||
my ( $band, $protos, $ports , $address, $interface, $helper ) =
|
||||
split_line1( 'tcpri',
|
||||
{ band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 } );
|
||||
my ( $band, $protos, $dports , $sports, $address, $interface, $helper );
|
||||
|
||||
if ( $file_format == 1 ) {
|
||||
( $band, $protos, $dports , $address, $interface, $helper ) =
|
||||
split_line2( 'tcpri',
|
||||
{ band => 0, proto => 1, port => 2, dport => 2, address => 3, interface => 4, helper => 5 },
|
||||
{},
|
||||
6,
|
||||
1 );
|
||||
$sports = '-';
|
||||
} else {
|
||||
( $band, $protos, $dports , $sports, $address, $interface, $helper ) =
|
||||
split_line2( 'tcpri',
|
||||
{ band => 0, proto => 1, port => 2, dport => 2, sport => 3, address => 4, interface => 5, helper => 6 },
|
||||
{},
|
||||
7,
|
||||
1 );
|
||||
};
|
||||
|
||||
fatal_error 'BAND must be specified' if $band eq '-';
|
||||
|
||||
fatal_error "Invalid tcpri entry" if ( $protos eq '-' &&
|
||||
$ports eq '-' &&
|
||||
$dports eq '-' &&
|
||||
$sports eq '-' &&
|
||||
$address eq '-' &&
|
||||
$interface eq '-' &&
|
||||
$helper eq '-' );
|
||||
@@ -1706,7 +1739,7 @@ sub process_tc_priority() {
|
||||
fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
|
||||
|
||||
for my $proto ( split_list $protos, 'Protocol' ) {
|
||||
process_tc_priority1( $band, $proto, $ports , $address, $interface, $helper );
|
||||
process_tc_priority1( $band, $proto, $dports , $sports, $address, $interface, $helper );
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1728,7 +1761,7 @@ sub process_tcinterfaces() {
|
||||
#
|
||||
sub process_tcpri() {
|
||||
my $fn = find_file 'tcinterfaces';
|
||||
my $fn1 = open_file 'tcpri', 1,1;
|
||||
my $fn1 = open_file 'tcpri', 2,1,0,1;
|
||||
|
||||
if ( $fn1 ) {
|
||||
first_entry
|
||||
@@ -1865,7 +1898,7 @@ sub process_traffic_shaping() {
|
||||
for my $rdev ( @{$devref->{redirected}} ) {
|
||||
my $phyrdev = physical_name( $rdev );
|
||||
emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
|
||||
emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
|
||||
emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0".($devref->{'connmark'} ? ' action connmark' : '')." action mirred egress redirect dev $device > /dev/null" );
|
||||
}
|
||||
|
||||
for my $class ( @tcclasses ) {
|
||||
@@ -2371,7 +2404,6 @@ sub setup_tc( $ ) {
|
||||
}
|
||||
|
||||
if ( $config{MANGLE_ENABLED} ) {
|
||||
|
||||
if ( $convert ) {
|
||||
my $have_tcrules;
|
||||
|
||||
|
||||
@@ -103,6 +103,7 @@ our @EXPORT = ( qw( NOTHING
|
||||
find_zone_hosts_by_option
|
||||
find_zones_by_option
|
||||
have_ipsec
|
||||
generate_all_acasts
|
||||
),
|
||||
);
|
||||
|
||||
@@ -176,7 +177,8 @@ our %reservedName = ( all => 1,
|
||||
# number => <ordinal position in the interfaces file>
|
||||
# physical => <physical interface name>
|
||||
# base => <shell variable base representing this interface>
|
||||
# wildcard => undef|1 # Wildcard Name
|
||||
# wildcard => undef|1 # Wildcard Logical Name
|
||||
# physwild => undef|1 # Wildcard Physical Name
|
||||
# zones => { zone1 => 1, ... }
|
||||
# origin => <where defined>
|
||||
# }
|
||||
@@ -418,7 +420,8 @@ sub initialize( $$ ) {
|
||||
32 => 'loopback',
|
||||
64 => 'local' );
|
||||
} else {
|
||||
%validinterfaceoptions = ( accept_ra => NUMERIC_IF_OPTION,
|
||||
%validinterfaceoptions = (
|
||||
accept_ra => NUMERIC_IF_OPTION,
|
||||
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
dbl => ENUM_IF_OPTION + IF_OPTION_WILDOK,
|
||||
@@ -430,6 +433,7 @@ sub initialize( $$ ) {
|
||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
||||
nodbl => SIMPLE_IF_OPTION,
|
||||
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
omitanycast => SIMPLE_IF_OPTION + IF_OPTION_WILDOK,
|
||||
optional => SIMPLE_IF_OPTION,
|
||||
proxyndp => BINARY_IF_OPTION,
|
||||
required => SIMPLE_IF_OPTION,
|
||||
@@ -1370,7 +1374,7 @@ sub process_interface( $$ ) {
|
||||
$hostoptions{$option} = $value if $hostopt;
|
||||
} elsif ( $type == ENUM_IF_OPTION ) {
|
||||
if ( $option eq 'arp_ignore' ) {
|
||||
fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $wildcard;
|
||||
fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $physwild;
|
||||
if ( defined $value ) {
|
||||
if ( $value =~ /^[1-3,8]$/ ) {
|
||||
$options{arp_ignore} = $value;
|
||||
@@ -1487,7 +1491,7 @@ sub process_interface( $$ ) {
|
||||
|
||||
if ( $options{bridge} ) {
|
||||
require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
|
||||
fatal_error "Bridges may not have wildcard names" if $wildcard;
|
||||
fatal_error "Bridges may not have wildcard names" if $physwild;
|
||||
$hostoptions{routeback} = $options{routeback} = 1 unless supplied $options{routeback};
|
||||
}
|
||||
|
||||
@@ -1536,7 +1540,7 @@ sub process_interface( $$ ) {
|
||||
zones => {},
|
||||
origin => shortlineinfo( '' ),
|
||||
wildcard => $wildcard,
|
||||
physwild => $physwild, # Currently unused
|
||||
physwild => $physwild,
|
||||
};
|
||||
|
||||
$interfaces{$physical} = $interfaceref if $physical ne $interface;
|
||||
@@ -1717,6 +1721,7 @@ sub known_interface($)
|
||||
physical => $physical ,
|
||||
base => $interfaceref->{base} ,
|
||||
wildcard => $interfaceref->{wildcard} ,
|
||||
physwild => $interfaceref->{physwild} ,
|
||||
zones => $interfaceref->{zones} ,
|
||||
};
|
||||
return $interfaceref;
|
||||
@@ -2385,4 +2390,110 @@ sub find_zones_by_option( $$ ) {
|
||||
\@zns;
|
||||
}
|
||||
|
||||
#
|
||||
# Generate the shell code to populate the ALL_ACASTS run-time variable
|
||||
#
|
||||
|
||||
sub generate_all_acasts() {
|
||||
my ( @acasts, @noacasts, @wildacasts, @wildnoacasts );
|
||||
|
||||
for my $interface ( @interfaces ) {
|
||||
my $interfaceref = $interfaces{$interface};
|
||||
my $physical = $interfaceref->{physical};
|
||||
|
||||
next if ( $interfaceref->{options}{port} ||
|
||||
$interfaceref->{options}{unmanaged} );
|
||||
|
||||
if ( $interfaceref->{physwild} ) {
|
||||
$physical =~ s/\+/*/;
|
||||
|
||||
if ( $interfaceref->{options}{omitanycast} ) {
|
||||
if ( $physical eq '*' ) {
|
||||
@wildnoacasts = ( '*' );
|
||||
} else {
|
||||
push @wildnoacasts, $physical;
|
||||
}
|
||||
} else {
|
||||
if ( $physical eq '*' ) {
|
||||
@wildacasts = ( '*' );
|
||||
} else {
|
||||
push @wildacasts, $physical;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if ( $interfaceref->{options}{omitanycast} ) {
|
||||
push @noacasts, $physical;
|
||||
} else {
|
||||
push @acasts, $physical;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return 'ALL_ACASTS="$(get_all_acasts)"' unless @noacasts || @wildnoacasts;
|
||||
|
||||
@wildacasts = '*' unless @wildacasts;
|
||||
|
||||
emit( "#\n# Populate the ALL_ACASTS variable\n#",
|
||||
'generate_all_acasts()',
|
||||
'{' );
|
||||
push_indent;
|
||||
|
||||
emit( 'ALL_ACASTS=',
|
||||
'',
|
||||
'for iface in $(find_all_interfaces1); do' );
|
||||
|
||||
push_indent;
|
||||
|
||||
emit( 'case $iface in' );
|
||||
|
||||
push_indent;
|
||||
|
||||
if ( @noacasts ) {
|
||||
unless ( @wildacasts ) {
|
||||
push @noacasts, @wildnoacasts;
|
||||
@wildnoacasts = ();
|
||||
}
|
||||
|
||||
emit( join( '|', @noacasts) . ')',
|
||||
' ;;' );
|
||||
}
|
||||
|
||||
if ( @wildnoacasts ) {
|
||||
if ( @acasts ) {
|
||||
emit( join( '|', @acasts) . ')',
|
||||
' if [ -n "$ALL_ACASTS" ]; then',
|
||||
' ALL_ACASTS="$ALL_ACASTS $(get_interface_acasts $iface)"',
|
||||
' else',
|
||||
' ALL_ACASTS="$(get_interface_acasts $iface)"',
|
||||
' fi',
|
||||
' ;;' );
|
||||
}
|
||||
|
||||
emit( join( '|', @wildnoacasts) . ')',
|
||||
' ;;' );
|
||||
|
||||
} else {
|
||||
@wildacasts = ( '*' );
|
||||
}
|
||||
|
||||
if ( @wildacasts ) {
|
||||
emit( join( '|', @wildacasts ) . ')',
|
||||
' if [ -n "$ALL_ACASTS" ]; then',
|
||||
' ALL_ACASTS="$ALL_ACASTS $(get_interface_acasts $iface)"',
|
||||
' else',
|
||||
' ALL_ACASTS="$(get_interface_acasts $iface)"',
|
||||
' fi',
|
||||
' ;;' );
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
emit( 'esac');
|
||||
pop_indent;
|
||||
emit( 'done');
|
||||
pop_indent;
|
||||
emit( "}\n" );
|
||||
|
||||
return 'generate_all_acasts';
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
@@ -47,7 +47,7 @@
|
||||
#
|
||||
use strict;
|
||||
use FindBin;
|
||||
use lib "$FindBin::Bin";
|
||||
use lib "$FindBin::Bin"; # Required to allow modules to reside in ${BASEDIR}/Shorewall/
|
||||
use Shorewall::Compiler;
|
||||
use Getopt::Long;
|
||||
|
||||
|
||||
@@ -1 +1 @@
|
||||
5.2.6-RC1
|
||||
5.2.8-base
|
||||
|
||||
@@ -6,5 +6,6 @@
|
||||
# See https://shorewall.org/simple_traffic_shaping.htm for additional
|
||||
# information.
|
||||
#
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#BAND PROTO PORT ADDRESS INTERFACE HELPER
|
||||
#BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
# $2 = Yes: check for STARTUP_ENABLED
|
||||
# $3 = Yes: Check for LOGFILE
|
||||
#
|
||||
get_config() {
|
||||
std_get_config() {
|
||||
local prog
|
||||
local lib
|
||||
|
||||
@@ -216,6 +216,8 @@ get_config() {
|
||||
echo " WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
|
||||
SHOREWALL_SHELL=/bin/sh
|
||||
fi
|
||||
else
|
||||
SHOREWALL_SHELL=/bin/sh
|
||||
fi
|
||||
|
||||
if [ -n "$IP" ]; then
|
||||
@@ -332,7 +334,7 @@ get_config() {
|
||||
|
||||
[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
|
||||
|
||||
g_pager="| $g_pager"
|
||||
g_pager="2>&1 | $g_pager"
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -379,36 +381,33 @@ uptodate() {
|
||||
[ -x $1 ] || return 1
|
||||
|
||||
local dir
|
||||
local busybox
|
||||
local find
|
||||
local quit
|
||||
local maxdepth
|
||||
|
||||
find=$(mywhich find)
|
||||
|
||||
[ -n "${find}" ] || return 1
|
||||
[ -h "${find}" ] && busybox=Yes
|
||||
find="${find} -L"
|
||||
|
||||
if [ -h "${find}" ]; then
|
||||
#
|
||||
# 'Find' is provided by Busybox and doesn't support -quit.
|
||||
#
|
||||
quit=
|
||||
else
|
||||
quit=-quit
|
||||
fi
|
||||
|
||||
if [ "$AUTOMAKE" = recursive ]; then
|
||||
maxdepth=
|
||||
elif [ -z "$AUTOMAKE" ]; then
|
||||
maxdepth="-maxdepth 1"
|
||||
else
|
||||
maxdepth="-maxdepth $AUTOMAKE"
|
||||
fi
|
||||
|
||||
for dir in $g_shorewalldir $(split $CONFIG_PATH); do
|
||||
if [ -n "${busybox}" ]; then
|
||||
#
|
||||
# Busybox 'find' doesn't support -quit.
|
||||
#
|
||||
if [ $AUTOMAKE = recursive ]; then
|
||||
if [ -n "$(${find} ${dir} -newer $1 -print)" ]; then
|
||||
return 1;
|
||||
fi
|
||||
elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print)" ]; then
|
||||
return 1;
|
||||
fi
|
||||
elif [ "$AUTOMAKE" = recursive ]; then
|
||||
if [ -n "$(${find} ${dir} -newer $1 -print -quit)" ]; then
|
||||
return 1;
|
||||
fi
|
||||
elif [ -z "$AUTOMAKE" ]; then
|
||||
if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
|
||||
return 1;
|
||||
fi
|
||||
elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print -quit)" ]; then
|
||||
if [ -n "$(${find} -L ${dir} ${maxdepth} -newer $1 -print ${quit})" ]; then
|
||||
return 1;
|
||||
fi
|
||||
done
|
||||
@@ -566,7 +565,7 @@ compiler() {
|
||||
#
|
||||
# Start Command Executor
|
||||
#
|
||||
start_command() {
|
||||
std_start_command() {
|
||||
local finished
|
||||
finished=0
|
||||
local rc
|
||||
@@ -965,7 +964,7 @@ update_command() {
|
||||
#
|
||||
# Reload/Restart Command Executor
|
||||
#
|
||||
restart_command() {
|
||||
std_restart_command() {
|
||||
local finished
|
||||
finished=0
|
||||
local rc
|
||||
|
||||
@@ -653,6 +653,56 @@ loc eth2 -</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>omitanycast</term>
|
||||
|
||||
<listitem>
|
||||
<para>IPv6 only. Added in Shorewall 5.2.8.</para>
|
||||
|
||||
<para>Shorewall6 has traditionally generated rules for IPv6
|
||||
<emphasis>anycast</emphasis> addresses. These rules
|
||||
include:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>Packets with these destination IP addresses are
|
||||
dropped by REJECT rules.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Packets with these source IP addresses are dropped
|
||||
by the 'nosmurfs' interface option and by the 'dropSmurfs'
|
||||
action.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Packets with these destination IP addresses are not
|
||||
logged during policy enforcement.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Packets with these destination IP addresses are
|
||||
processes by the 'Broadcast' action.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>This can be inhibited for individual interfaces by
|
||||
specifying <emphasis role="bold">noanycast</emphasis> for
|
||||
those interfaces.</para>
|
||||
|
||||
<note>
|
||||
<para>RFC 2526 describes IPv6 subnet anycast addresses. The
|
||||
RFC makes a distinction between subnets with "IPv6 address
|
||||
types required to have 64-bit interface identifiers in
|
||||
EUI-64 format" and all other subnets. When generating these
|
||||
anycast addresses, the Shorewall compiler does not make this
|
||||
distinction and unconditionally assumes that the last 128
|
||||
addresses in the subnet are reserved as anycast
|
||||
addresses.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">optional</emphasis></term>
|
||||
|
||||
|
||||
@@ -207,9 +207,6 @@
|
||||
the IP addresses configured on the interface named in the DEST
|
||||
column and substitute them in this column.</para>
|
||||
|
||||
<para>Finally, you may also specify a comma-separated list of
|
||||
ranges and/or addresses in this column.</para>
|
||||
|
||||
<para>DNS Names names are not allowed.</para>
|
||||
|
||||
<para>Normally, Netfilter will attempt to retain the source
|
||||
@@ -805,21 +802,16 @@
|
||||
<term>IPv4 Example 6:</term>
|
||||
|
||||
<listitem>
|
||||
<para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
|
||||
round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
|
||||
(Shorewall 4.5.9 and later).</para>
|
||||
<para>SNAT outgoing connections on eth0 from 192.168.1.0/24 randomly
|
||||
to addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 (Shorewall 5.0.0 and
|
||||
later).</para>
|
||||
|
||||
<programlisting>/etc/shorewall/tcrules:
|
||||
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
1-3:CF 192.168.1.0/24 eth0 ; state=NEW
|
||||
|
||||
/etc/shorewall/snat:
|
||||
<programlisting>/etc/shorewall/snat:
|
||||
|
||||
#ACTION SOURCE DEST
|
||||
SNAT(1.1.1.1) 192.168.1.0/24 eth0 { mark=1:C }
|
||||
SNAT(1.1.1.3) 192.168.1.0/24 eth0 { mark=2:C }
|
||||
SNAT(1.1.1.9) 192.168.1.0/24 eth0 { mark=3:C }</programlisting>
|
||||
SNAT(1.1.1.1) 192.168.1.0/24 eth0 { probability=0.33 }
|
||||
SNAT(1.1.1.3) 192.168.1.0/24 eth0 { probability=0.50 }
|
||||
SNAT(1.1.1.9) 192.168.1.0/24 eth0</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -54,6 +54,14 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">gbps</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Gigabytes per second.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">kbit</emphasis></term>
|
||||
|
||||
@@ -70,6 +78,14 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">gbit</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Gigabits per second.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">bps</emphasis> or <emphasis
|
||||
role="bold">number</emphasis></term>
|
||||
|
||||
@@ -61,6 +61,14 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">gbps</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Gigabytes per second.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">kbit</emphasis></term>
|
||||
|
||||
@@ -77,6 +85,14 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">gbit</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Gigabits per second.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">bps</emphasis> or <emphasis
|
||||
role="bold">number</emphasis></term>
|
||||
@@ -200,6 +216,11 @@
|
||||
marks. You must do all classification using CLASSIFY rules in <ulink
|
||||
url="shorewall-mangle.html">shorewall-mangle</ulink>(5).</para>
|
||||
|
||||
<para><emphasis role="bold">connmark</emphasis> -- Added in
|
||||
Shorewall 5.2.7. May only be specified if the REDIRECTED_INTERFACES
|
||||
column is non-empty. It allows packet marks to be used to classify
|
||||
traffic for these interfaces.</para>
|
||||
|
||||
<para><option>htb</option> - Use the <firstterm>Hierarchical Token
|
||||
Bucket</firstterm> queuing discipline. This is the default.</para>
|
||||
|
||||
@@ -248,7 +269,9 @@
|
||||
enter each listed interface to be passed through the egress filters
|
||||
defined for this device, thus providing a form of incoming traffic
|
||||
shaping. When this column is non-empty, the <emphasis
|
||||
role="bold">classify</emphasis> option is assumed.</para>
|
||||
role="bold">classify</emphasis> option is assumed unless the
|
||||
<emphasis role="bold">connmark</emphasis> option is
|
||||
specified.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@@ -59,6 +59,14 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">gbps</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Gigabytes per second.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">kbit</emphasis></term>
|
||||
|
||||
@@ -75,6 +83,14 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">gbit</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Gigabits per second.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">bps</emphasis> or <emphasis
|
||||
role="bold">number</emphasis></term>
|
||||
@@ -88,7 +104,7 @@
|
||||
<term>k or kb</term>
|
||||
|
||||
<listitem>
|
||||
<para>Kilo bytes.</para>
|
||||
<para>Kilobytes.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -99,6 +115,14 @@
|
||||
<para>Megabytes.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>g or gb</term>
|
||||
|
||||
<listitem>
|
||||
<para>Gigabytes.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
|
||||
|
||||
@@ -27,8 +27,11 @@
|
||||
|
||||
<para>This file is used to specify the priority of traffic for simple
|
||||
traffic shaping (TC_ENABLED=Simple in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)). The
|
||||
priority band of each packet is determined by the <emphasis
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)). Beginning with
|
||||
Shorewall 5.2.7, the file allows ?FORMAT 2 which inserts a SPORT column
|
||||
immediately to the right of the DPORT column.</para>
|
||||
|
||||
<para>The priority band of each packet is determined by the <emphasis
|
||||
role="bold">last</emphasis> entry that the packet matches. If a packet
|
||||
doesn't match any entry in this file, then its priority will be determined
|
||||
by its TOS field. The default mapping is as follows but can be changed by
|
||||
@@ -87,15 +90,36 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>PORT(S) - <replaceable>port</replaceable> [,...]</term>
|
||||
<term>DPORT - <replaceable>port</replaceable> [,...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column was named PORT prior to Shorewall 5.2.7. Both
|
||||
'port' and 'dport' may be used in the <ulink
|
||||
url="../configuration_file_basics.htm#Pairs">alternate input
|
||||
format</ulink>.</para>
|
||||
|
||||
<para>Optional. May only be given if the the PROTO is TCP (6), UDP
|
||||
(17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more
|
||||
port numbers or service names from /etc/services. Port ranges of the
|
||||
form
|
||||
<replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
|
||||
may also be included.</para>
|
||||
may also be included. In format 1, packets whose source or
|
||||
destination port matches the specified
|
||||
<replaceable>port</replaceable>(s) are assigned to the band given in
|
||||
the BAND column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SPORT - <replaceable>port</replaceable> [,...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Only present in file format 2. Optional. May only be given if
|
||||
the the PROTO is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
|
||||
(136). A list of one or more port numbers or service names from
|
||||
/etc/services. Port ranges of the form
|
||||
<replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
|
||||
may also be included. </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -13,7 +13,7 @@ Conflicts=iptables.service firewalld.service
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/sysconfig/shorewall
|
||||
StandardOutput=syslog
|
||||
StandardOutput=journal
|
||||
ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
|
||||
ExecStop=/sbin/shorewall $OPTIONS stop
|
||||
ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
#
|
||||
[Unit]
|
||||
Description=Shorewall IPv4 firewall
|
||||
Documentation=man:shorewall(8)
|
||||
Wants=network-online.target
|
||||
After=network-online.target
|
||||
Conflicts=iptables.service firewalld.service
|
||||
@@ -16,7 +17,7 @@ RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/default/shorewall
|
||||
StandardOutput=syslog
|
||||
ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
|
||||
ExecStop=/sbin/shorewall $OPTIONS clear
|
||||
ExecStop=/usr/share/shorewall/stop_service shorewall
|
||||
ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
|
||||
|
||||
[Install]
|
||||
|
||||
@@ -149,7 +149,9 @@ if [ $configure -eq 1 ]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
remove_file ${SBINDIR}/$PRODUCT
|
||||
if [ $PRODUCT = shorewall6 ]; then
|
||||
remove_file ${SBINDIR}/shorewall6
|
||||
fi
|
||||
|
||||
if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
|
||||
FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
|
||||
|
||||
@@ -13,8 +13,8 @@
|
||||
|
||||
. /lib/lsb/init-functions
|
||||
|
||||
SRWL='/sbin/shorewall6-lite -6'
|
||||
SRWL_OPTS="-tvv"
|
||||
SRWL=/sbin/shorewall
|
||||
SRWL_OPTS="-6ltvv"
|
||||
test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
|
||||
|
||||
[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
|
||||
|
||||
@@ -15,7 +15,7 @@ Conflicts=ip6tables.service firewalld.service
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/sysconfig/shorewall6-lite
|
||||
StandardOutput=syslog
|
||||
StandardOutput=journal
|
||||
ExecStart=/sbin/shorewall -6l $OPTIONS start $STARTOPTIONS
|
||||
ExecStop=/sbin/shorewall -6l $OPTIONS stop
|
||||
ExecReload=/sbin/shorewall -6l $OPTIONS reload $RELOADOPTIONS
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
#
|
||||
[Unit]
|
||||
Description=Shorewall IPv6 firewall (lite)
|
||||
Documentation=man:shorewall6-lite(8)
|
||||
Wants=network-online.target
|
||||
After=network-online.target
|
||||
After=shorewall-lite.service
|
||||
@@ -16,7 +17,7 @@ RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/default/shorewall6-lite
|
||||
StandardOutput=syslog
|
||||
ExecStart=/sbin/shorewall6-lite $OPTIONS start
|
||||
ExecStop=/sbin/shorewall6-lite $OPTIONS clear
|
||||
ExecStop=/usr/share/shorewall/stop_service shorewall6-lite
|
||||
ExecReload=/sbin/shorewall6-lite $OPTIONS reload
|
||||
|
||||
[Install]
|
||||
|
||||
@@ -6,5 +6,6 @@
|
||||
# See https://shorewall.org/simple_traffic_shaping.htm for additional
|
||||
# information.
|
||||
#
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#BAND PROTO PORT ADDRESS INTERFACE HELPER
|
||||
#BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
|
||||
|
||||
@@ -12,8 +12,8 @@
|
||||
|
||||
. /lib/lsb/init-functions
|
||||
|
||||
SRWL='/sbin/shorewall -6'
|
||||
SRWL_OPTS="-tvv"
|
||||
SRWL=/sbin/shorewall
|
||||
SRWL_OPTS="-6tvv"
|
||||
WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
|
||||
test -n ${INITLOG:=/var/log/shorewall6-init.log}
|
||||
|
||||
|
||||
@@ -14,7 +14,7 @@ Conflicts=ip6tables.service firewalld.service
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/sysconfig/shorewall6
|
||||
StandardOutput=syslog
|
||||
StandardOutput=journal
|
||||
ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
|
||||
ExecStop=/sbin/shorewall -6 $OPTIONS stop
|
||||
ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
#
|
||||
[Unit]
|
||||
Description=Shorewall IPv6 firewall
|
||||
Documentation=man:shorewall6(8)
|
||||
Wants=network-online.target
|
||||
After=network-online.target
|
||||
After=shorewall.service
|
||||
@@ -17,7 +18,7 @@ RemainAfterExit=yes
|
||||
EnvironmentFile=-/etc/default/shorewall6
|
||||
StandardOutput=syslog
|
||||
ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
|
||||
ExecStop=/sbin/shorewall -6 $OPTIONS clear
|
||||
ExecStop=/usr/share/shorewall/stop_service shorewall6
|
||||
ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
|
||||
|
||||
[Install]
|
||||
|
||||
@@ -39,7 +39,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -41,7 +41,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -31,7 +31,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled <quote>
|
||||
<ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink>
|
||||
</quote>.</para>
|
||||
@@ -2592,7 +2592,7 @@ eth0 External 50mbit:200kb 5.0mbit:100kb:200ms:100m
|
||||
<programlisting><emphasis role="bold">ethtool -K eth<emphasis>N</emphasis> tso off gso off</emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="faq97a">
|
||||
<title>(FAQ 97a) I enable Shorewall traffic shaping and now my download
|
||||
rate is way below what I specified</title>
|
||||
|
||||
|
||||
@@ -56,7 +56,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled <quote>
|
||||
<ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink>
|
||||
</quote>.</para>
|
||||
@@ -2458,4 +2458,4 @@ loc $FW ACCEPT </programlisting>
|
||||
avec les deux politiques fix<69>es ci-dessus.</para>
|
||||
</section>
|
||||
</section>
|
||||
</article>
|
||||
</article>
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -47,7 +47,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
@@ -57,11 +57,8 @@
|
||||
</programlisting>
|
||||
|
||||
<para>Using this feature requires the <firstterm>GeoIP Match</firstterm>
|
||||
capability in your iptables and kernel. As of this writing, that
|
||||
capability requires installing <ulink
|
||||
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink> 1.33
|
||||
or later and <ulink
|
||||
url="http://xtables-addons.sourceforge.net/geoip.php">creating a
|
||||
capability in your iptables and kernel. That capability requires <ulink
|
||||
url="https://dev.maxmind.com/geoip/geoip2/geolite2/">creating a
|
||||
country-code database</ulink>.</para>
|
||||
|
||||
<para>The Shorewall compiler uses the geoip country-code database to
|
||||
@@ -83,11 +80,19 @@
|
||||
<para>To accomodate both big-endian and little-endian machines as well as
|
||||
any future ability to install the database at another location, Shorewall
|
||||
supports a GEOIPDIR option in <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall6.conf</ulink> (5). The
|
||||
default value of that option is
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5). The default
|
||||
value of that option is
|
||||
<filename>/usr/share/xt_geoip/LE</filename>.</para>
|
||||
|
||||
<important>
|
||||
<para>Recent versions of the country-code database are installed in
|
||||
<filename>/usr/share/xt_geoip/, regardless of endian convention. This
|
||||
requires modifying the setting of GEOIPDIR in <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</filename></para>
|
||||
</important>
|
||||
|
||||
<para>The country codes at the time of this writing are shown in the
|
||||
following two sections.</para>
|
||||
</section>
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -56,7 +56,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
@@ -712,4 +712,4 @@ tar -xzvf /mnt/package2.lrp
|
||||
<para>Voir <quote><ulink url="fallback.htm">Fallback and
|
||||
Uninstall</ulink></quote>.</para>
|
||||
</section>
|
||||
</article>
|
||||
</article>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink type="" url="Copyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -30,7 +30,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -41,7 +41,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -39,7 +39,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -30,7 +30,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -43,7 +43,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
@@ -1150,7 +1150,7 @@ TCPMSS(pmtu,none) { PROTO=tcp }
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
ipsecnat {ZONE=net, GATEWAY=$ALL, GATEWAY_ZONE=vpn }
|
||||
ipsecnat {ZONE=loc, GATEWAY=$ALL, GATEWAY_ZONE=vpn }
|
||||
</programlisting>
|
||||
ipsecnat {ZONE=wlan, GATEWAY=$ALL, GATEWAY_ZONE=vpn }</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
||||
@@ -31,7 +31,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
@@ -547,6 +547,18 @@
|
||||
<command>remote-reload</command> command (e.g., <command>shorewall
|
||||
remote-reload -c gateway</command>).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Shorewall6-lite works with Shorewall6 in the same way that
|
||||
Shorewall-lite works with Shorewall. Beginning with Shorewall
|
||||
5.0.0, running 'shorewall <cmd>" is the same as running
|
||||
"shorewall-lite <cmd>" when Shorewall is not installed.. To
|
||||
continue to use the "shorewall6" command after switching to
|
||||
Shoerwall6-lite, you need to add this to your .profile (or to
|
||||
.bashrc if root's shell is bash):</para>
|
||||
|
||||
<programlisting> alias shorewall6=shorewall6-lite</programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user