Validate interface names in ecn file; confirm additions to ECN control chain; update to Beta2
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@468 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
dbd20362ff
commit
08ec9ac4e0
@ -47,3 +47,7 @@ Changes since 1.3.14
|
||||
|
||||
21. Improved parsing of comma-separated lists.
|
||||
|
||||
22. Add ECN Removal support
|
||||
|
||||
23. Add TCP ports 445 and 139 to the common silent list.
|
||||
|
||||
|
@ -22,6 +22,8 @@ run_iptables -A common -m state -p tcp --state INVALID -j DROP
|
||||
#
|
||||
run_iptables -A common -p udp --dport 137:139 -j REJECT
|
||||
run_iptables -A common -p udp --dport 445 -j REJECT
|
||||
run_iptables -A common -p tcp --dport 139 -j REJECT
|
||||
run_iptables -A common -p tcp --dport 445 -j REJECT
|
||||
run_iptables -A common -p tcp --dport 135 -j reject
|
||||
############################################################################
|
||||
# UPnP
|
||||
|
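Review bot: The two added TCP rules for ports 139 and 445 in the `@ -22,6 +22,8 @@` hunk carry no comment saying what traffic they cover, while the block that follows is headed `# UPnP`; a one-line heading above the 137:139/445 group such as `# NetBIOS / SMB (UDP 137-139, 445; TCP 139, 445)` would make the grouping self-explanatory. The neighbouring port 135 rule jumps to the lowercase `reject` chain rather than the `REJECT` target the new lines use; if that difference is intentional, the same comment is the place to say so. The surrounding chain setup starts before this hunk.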
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.4.0-Beta1
|
||||
VERSION=1.4.0-Beta2
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -131,6 +131,8 @@ restore_file /etc/shorewall/stop
|
||||
|
||||
restore_file /etc/shorewall/stopped
|
||||
|
||||
restore_file /etc/shorewall/ecn
|
||||
|
||||
if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
|
||||
restore_file /usr/lib/shorewall/version
|
||||
oldversion="`cat /usr/lib/shorewall/version`"
|
||||
|
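Review bot: `restore_file /etc/shorewall/ecn` in the `@ -131,6 +131,8 @@` hunk is added for a file that the release notes describe as new in 1.4.0, so on a fallback to any earlier version there will usually be no backup of it; whether `restore_file` tolerates a missing backup (and whether the now-unsupported ecn file should be removed rather than left in place) cannot be seen here because its body is outside the hunk — please confirm. A short comment such as `# ecn is new in 1.4.0; no backup exists when falling back to 1.3.x` next to the call would record that expectation.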
@ -366,6 +366,14 @@ flushnat() # $1 = name of chain
|
||||
run_iptables -t nat -F $1
|
||||
}
|
||||
|
||||
#
|
||||
# Flush one of the Mangle table chains
|
||||
#
|
||||
flushmangle() # $1 = name of chain
|
||||
{
|
||||
run_iptables -t mangle -F $1
|
||||
}
|
||||
|
||||
#
|
||||
# Chain name base for an interface
|
||||
#
|
||||
@ -455,7 +463,15 @@ dnat_chain() # $1 = zone
|
||||
#
|
||||
snat_chain() # $1 = zone
|
||||
{
|
||||
echo ${1}_snat
|
||||
echo `chain_base $1`_snat
|
||||
}
|
||||
|
||||
#
|
||||
# ECN Chain to an interface
|
||||
#
|
||||
ecn_chain() # $1 = interface
|
||||
{
|
||||
echo ${1}_ecn
|
||||
}
|
||||
|
||||
#
|
||||
@ -1766,6 +1782,52 @@ delete_nat() {
|
||||
[ -d ${STATEDIR} ] && touch ${STATEDIR}/nat
|
||||
}
|
||||
|
||||
#
|
||||
# Setup ECN disabling rules
|
||||
#
|
||||
setup_ecn() # $1 = file name
|
||||
{
|
||||
local interfaces
|
||||
local hosts
|
||||
local h
|
||||
|
||||
strip_file ecn $1
|
||||
|
||||
while read interface host; do
|
||||
expandv interface host
|
||||
list_search $interface $all_interfaces || \
|
||||
startup_error "Unknown interface $interface"
|
||||
list_search $interface $interfaces || \
|
||||
interfaces="$interfaces $interface"
|
||||
[ "x$host" = "x-" ] && host=0.0.0.0/0
|
||||
for h in `separate_list $host`; do
|
||||
hosts="$hosts $interface:$h"
|
||||
done
|
||||
done < $TMP_DIR/ecn
|
||||
|
||||
if [ -n "$interfaces" ]; then
|
||||
echo "Setting up ECN control on${interfaces}..."
|
||||
|
||||
for interface in $interfaces; do
|
||||
chain=`ecn_chain $interface`
|
||||
if mangle_chain_exists $chain; then
|
||||
flushmangle $chain
|
||||
else
|
||||
run_iptables -t mangle -N $chain
|
||||
run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
|
||||
run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain
|
||||
fi
|
||||
done
|
||||
|
||||
for host in $hosts; do
|
||||
interface=${host%:*}
|
||||
h=${host#*:}
|
||||
run_iptables -t mangle -A `ecn_chain $interface` -p tcp -d $h -j ECN --ecn-tcp-remove
|
||||
echo " ECN Disabled to $h through $interface"
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Process a TC Rule - $marking_chain is assumed to contain the name of the
|
||||
# default marking chain
|
||||
@ -4004,6 +4066,10 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
|
||||
[ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos
|
||||
|
||||
ecn=`find_file ecn`
|
||||
|
||||
[ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
|
||||
|
||||
[ -n "$TC_ENABLED" ] && setup_tc
|
||||
|
||||
echo "Activating Rules..."
|
||||
@ -4099,6 +4165,9 @@ refresh_firewall()
|
||||
#
|
||||
refresh_blacklist
|
||||
|
||||
ecn=`find_file ecn`
|
||||
|
||||
[ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
|
||||
#
|
||||
# Refresh Traffic Control
|
||||
#
|
||||
|
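Review bot: `ecn_chain` in the `@ -455,7 +463,15 @@` hunk builds the chain name as `${1}_ecn` straight from the interface name, while `snat_chain` in the same hunk is changed to derive its name through `chain_base`, which the `# Chain name base for an interface` comment in the preceding hunk introduces for exactly that purpose; if `chain_base` rewrites characters that are legal in an interface name but not wanted in a chain name (its body is outside the hunk), the ECN chain name will diverge from every other per-interface chain. Making `ecn_chain` mirror `snat_chain` — pass `$1` through `chain_base` before appending `_ecn` — keeps the two consistent, and since `setup_ecn` obtains the name only via `ecn_chain` (both when creating the chain and when appending the per-host `--ecn-tcp-remove` rules) that single change covers all uses; the `-o $interface` on the POSTROUTING/OUTPUT jump rules correctly stays the raw name. In `setup_ecn`, `interface`, `host` and `chain` are assigned but not declared `local` alongside `interfaces`, `hosts` and `h`, so they survive the call in the caller's scope; `local interface host chain` at the top of the function avoids that.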
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.4.0-Beta1
|
||||
VERSION=1.4.0-Beta2
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -538,6 +538,16 @@ else
|
||||
echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
|
||||
fi
|
||||
#
|
||||
# Install the ECN file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/ecn ]; then
|
||||
backup_file /etc/shorewall/ecn
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
|
||||
echo
|
||||
echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
|
||||
fi
|
||||
#
|
||||
# Backup the version file
|
||||
#
|
||||
if [ -z "$PREFIX" ]; then
|
||||
|
@ -65,6 +65,16 @@ Changes for 1.4 include:
|
||||
8. IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
|
||||
utility).
|
||||
|
||||
9. Explicit Congestion Notification (ECN - RFC 3168) may now be turned
|
||||
off on a host or network basis using the new /etc/shorewall/ecn
|
||||
file. To use this facility:
|
||||
|
||||
a) You must be running kernel 2.4.20
|
||||
b) You must have applied the patch in
|
||||
http://www.shorewall/net/pub/shorewall/ecn/patch.
|
||||
c) You must have iptables 1.2.7a installed.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall
|
||||
%define version 1.4.0
|
||||
%define release 0Beta1
|
||||
%define release 0Beta2
|
||||
%define prefix /usr
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
@ -97,6 +97,7 @@ fi
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/start
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
|
||||
%attr(0544,root,root) /sbin/shorewall
|
||||
%attr(0444,root,root) /usr/share/shorewall/functions
|
||||
%attr(0544,root,root) /usr/share/shorewall/firewall
|
||||
@ -104,6 +105,10 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Mon Feb 24 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.0-0Beta2
|
||||
* Sun Feb 23 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Add ecn file
|
||||
* Fri Feb 21 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.4.0-0Beta1
|
||||
* Thu Feb 06 2003 Tom Eastep <tom@shorewall.net>
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.4.0-Beta1
|
||||
VERSION=1.4.0-Beta2
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|