Add NONAT and ACCEPT+ actions

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1309 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-05-05 16:22:21 +00:00
parent 169d7016b8
commit 0036a0d273
8 changed files with 80 additions and 15 deletions


@ -48,3 +48,4 @@ Changes since 2.0.1
23) Apply Alex Wilms's patch for install.sh
24) Add ACCEPT+ and NONAT targets.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.0.2-Beta1
VERSION=2.0.2-Beta2
usage() # $1 = exit status
{


@ -3223,8 +3223,22 @@ add_a_rule()
$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi
run_iptables2 -A $chain $proto $multiport $cli $sports \
-d $srv $dports $ratelimit $userandgroup -j $target
case $logtarget in
NONAT)
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
;;
ACCEPT+)
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
run_iptables2 -A $chain $proto $multiport $cli $sports \
-d $srv $dports $ratelimit $userandgroup -j $target
;;
*)
run_iptables2 -A $chain $proto $multiport $cli $sports \
-d $srv $dports $ratelimit $userandgroup -j $target
;;
esac
fi
done
done
@ -3234,8 +3248,22 @@ add_a_rule()
$(fix_bang $proto $sports $multiport $cli $dports)
fi
run_iptables2 -A $chain $proto $multiport $cli $sports \
$dports $ratelimit $userandgroup -j $target
case $logtarget in
NONAT)
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $userandgroup -j RETURN
;;
ACCEPT+)
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $userandgroup -j RETURN
run_iptables2 -A $chain $proto $multiport $cli $sports \
$dports $ratelimit $userandgroup -j $target
;;
*)
run_iptables2 -A $chain $proto $multiport $cli $sports \
$dports $ratelimit $userandgroup -j $target
;;
esac
fi
fi
fi
@ -3253,10 +3281,24 @@ add_a_rule()
$(fix_bang $proto $multiport $dest_interface $cli $sports $dports)
fi
if [ $logtarget != LOG ]; then
run_iptables2 -A $chain $proto $multiport $dest_interface \
$cli $sports $dports $ratelimit $userandgroup -j $target
fi
case $logtarget in
LOG)
;;
NONAT)
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $userandgroup -j RETURN
;;
ACCEPT+)
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $userandgroup -j RETURN
run_iptables2 -A $chain $proto $multiport $dest_interface \
$cli $sports $dports $ratelimit $userandgroup -j $target
;;
*)
run_iptables2 -A $chain $proto $multiport $dest_interface \
$cli $sports $dports $ratelimit $userandgroup -j $target
;;
esac
fi
fi
}
@ -3368,7 +3410,10 @@ process_rule() # $1 = target
fi
case $target in
ACCEPT|LOG)
ACCEPT+)
target=ACCEPT
;;
ACCEPT|LOG|NONAT)
;;
DROP)
[ -n "$ratelimit" ] && fatal_error "Rate Limiting not available with DROP"
@ -3613,7 +3658,7 @@ process_rules()
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
temp="${xtarget%%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
do_it
;;
*)
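Review bot: The `addnatrule ... -j RETURN` lines in the NONAT and ACCEPT+ arms pass `$ratelimit` (and `$userandgroup`) through to the nat-table exemption rule, so once the limit is exceeded the RETURN stops matching and those connections fall through to later DNAT/REDIRECT rules, the opposite of the exemption the release notes promise; the limit counter on the nat rule is also independent of the one on the filter rule, so the two can disagree on which connections are over the limit. Either drop the limit from the six `addnatrule` calls in this and the two following hunks, e.g. `addnatrule $(dnat_chain $source) $proto $multiport $cli $sports -d $srv $dports $userandgroup -j RETURN`, or refuse rate limiting for NONAT/ACCEPT+ in process_rule the way the DROP arm does with fatal_error (whether an owner match is even valid in the chain dnat_chain returns depends on code outside the hunk and is worth confirming too). As a matter of style, the ACCEPT+ and `*)` arms repeat the `run_iptables2 ... -j $target` line verbatim in all three hunks; emitting the RETURN rule under a combined `NONAT|ACCEPT+)` arm and then the filter rule under one `[ $logtarget != NONAT ]` guard would remove the triplication. Note also that the process_rule hunk rewrites `target=ACCEPT` for ACCEPT+, so `case $logtarget` here only distinguishes ACCEPT+ if logtarget was captured before that reassignment, which happens outside the hunk. add_a_rule begins before the first hunk; only its closing brace is visible.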


@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.0.2-Beta1
VERSION=2.0.2-Beta2
usage() # $1 = exit status
{


@ -210,4 +210,14 @@ New Features:
To 0.0.0.0/0 (tcp 25) from 10.0.0.0/8 through eth0 using 206.124.146.177
To 0.0.0.0/0 (all) from 10.0.0.0/8 through eth0 using 206.124.146.176
11) Two new actions are available in the /etc/shorewall/rules file.
ACCEPT+ -- Behaves like ACCEPT with the exception that it exempts
matching connections from subsequent DNAT[-] and
REDIRECT[-] rules.
NONAT -- Exempts matching connections from subsequent DNAT[-]
and REDIRECT[-] rules.


@ -25,6 +25,13 @@
# LOG, QUEUE or an <action>.
#
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent
# DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-]
rules but doesn't generate a rule
# to accept the traffic.
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
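Review bot: The new NONAT comment block contains the line `rules but doesn't generate a rule` without a leading `#`; if that is the file content rather than a rendering artifact, the shipped /etc/shorewall/rules carries a live non-comment line that process_rules would read as a rule with target `rules`, which presumably lands in the `*)` arm of its case statement (that arm's body is outside the hunk) and aborts firewall startup. It should read `#                                   rules but doesn't generate a rule`, aligned with the surrounding continuation lines.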


@ -1,6 +1,6 @@
%define name shorewall
%define version 2.0.2
%define release 0Beta1
%define release 0Beta2
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -140,6 +140,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Tue May 04 2004 Tom Eastep tom@shorewall.net
- Shorewall 2.0.2-Beta2
* Tue Apr 13 2004 Tom Eastep tom@shorewall.net
- Add /usr/share/shorewall/configpath
* Mon Apr 05 2004 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.0.2-Beta1
VERSION=2.0.2-Beta2
usage() # $1 = exit status
{