NewNotSyn Reimplimentation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1365 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 17:58:07 +02:00 · 2004-05-27 18:18:41 +00:00 · 2004-05-27 18:18:41 +00:00 · 102743a0e3
commit 102743a0e3
parent ccb3c8740c
4 changed files with 82 additions and 35 deletions
--- a/Shorewall2/action.Drop
+++ b/Shorewall2/action.Drop
@ -10,6 +10,6 @@ RejectAuth
 dropBcast
 DropSMB
 DropUPnP
-dropNonSyn
+dropNotSyn
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall2/action.Reject
+++ b/Shorewall2/action.Reject
@ -10,6 +10,6 @@ RejectAuth
 dropBcast
 RejectSMB
 DropUPnP
-dropNonSyn
+dropNotSyn
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -2745,37 +2745,9 @@ createactionchain() # $1 = chain name
 #
 process_actions1() {
    #
    # Add the builtin actions
    #
    add_builtin_actions() {
-	if [ "$COMMAND" != check ]; then
+    ACTIONS="dropBcast dropNonSyn dropNotSyn rejectNotSyn logNotSyn rLogNotSyn dLogNotSyn"
-	    createchain dropBcast no
+    USEDACTIONS=
 	    qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
 	    if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
                #
                # No pkttype support -- do it the hard way
                #
 		for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
 		    run_iptables -A dropBcast -d $address -j DROP
 		done
 	    fi
 	    createchain dropNonSyn no
 	    run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
 	    createchain rejectNonSyn no
 	    run_iptables -A rejectNonSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
 	fi
 	ACTIONS="dropBcast dropNonSyn RejectNonSyn"
 	USEDACTIONS="dropBcast dropNonSyn RejectNonSyn"
    }
    add_builtin_actions
    strip_file actions
@ -2888,6 +2860,10 @@ process_actions2() {
 	process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
    }
    log_action() {
 	[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
    }
    #
    # Generate the transitive closure of $USEDACTIONS
    #
@ -2911,7 +2887,38 @@ process_actions2() {
    #
    for xaction in $USEDACTIONS; do
 	case $xaction in
-	    dropNonSyn|dropBcast|RejectNonSyn)
+	    dropBcast)
 		if [ "$COMMAND" != check ]; then
 		    qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
 		    if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
                        #
                        # No pkttype support -- do it the hard way
                        #
 			for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
 			    run_iptables -A dropBcast -d $address -j DROP
 			done
 		    fi
 		fi
 		;;
 	    dropNonSyn)
 		error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
 		[ "$COMMAND" != check ] && run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
 		;;
 	    dropNotSyn)
 		[ "$COMMAND" != check ] && run_iptables -A dropNotSyn -p tcp ! --syn -j DROP
 		;;
 	    rejectNotSyn)
 		[ "$COMMAND" != check ] && run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
 		;;
 	    logNotSyn)
 		log_action logNotSyn LOG
 		;;
 	    rLogNotSyn)
 		log_action rLogNotSyn REJECT
 		;;
 	    dLogNotSyn)
 		log_action dLogNotSyn DROP		
 		;;
 	    *)
 		f=action.$xaction
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -26,7 +26,14 @@ Problems Corrected since 2.0.2
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
-None.
+1) The 'dropNonSyn' standard builtin action has been replaced with the
   'dropNotSyn' standard builtin action. The old name can still be used
   but will generate a warning.
 2) To lay the groundwork for eventual removal of NEWNOTSYN from
   shorewall.conf and removal of the 'newnotsyn' interface option,
   several new standard builtin actions have been defined. See New
   Feature 3 below.
 -----------------------------------------------------------------------
 New Features:
@ -41,4 +48,37 @@ New Features:
 3) A new 'rejectNonSyn' built-in standard action has been added. This
   action responds to "New not SYN" packets with an RST.
   The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
   action. The old name will be accepted until the next major release
   of Shorewall but will generate a warning.
   Several new logging actions involving "New not SYN" packets have
   been added:
 	logNewNotSyn  -- logs the packet with disposition = LOG
 	dLogNewNotSyn -- logs the packet with disposition = DROP
 	rLogNewNotSyn -- logs the packet with disposition = REJECT
   The packets are logged at the log level specified in the
   LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
   not specified, then 'info' is assumed.
   Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
   A: To simulate the behavior of NEWNOTSYN=No:
      a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
      b) Create /etc/shorewall/action.NoNewNotSyn containing:
 	    dLogNotSyn
 	    dropNotSyn
      c) Early in your rules file, place:
 	 NoNewNotSyn   all   all     tcp
   B: Drop 'New not SYN' packets from the net only. Don't log them.
      a) Early in your rules file, place:
         dropNotSyn    net	  all	tcp