Add FASTACCEPT option to accept ESTABLISHED/RELATED packets early
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2474 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
946a464437
commit
370d61970a
@ -12,6 +12,8 @@ Changes in 2.5.1
|
||||
|
||||
6) Don't generate redundant ACCEPT rules for DNAT/REDIRECT/SAME
|
||||
|
||||
7) Add FASTACCEPT option in shorewall.conf.
|
||||
|
||||
Changes in 2.5.1ex/2.5.0
|
||||
|
||||
1) Clean up handling of zones
|
||||
|
@ -1425,6 +1425,8 @@ validate_policy()
|
||||
|
||||
case $policy in
|
||||
*:*)
|
||||
[ -n "$FASTACCEPT" ] && \
|
||||
startup_error "ESTABLISHED policy may not be specified with FASTACCEPT=Yes in shorewall.conf"
|
||||
epolicy=${policy#*:}
|
||||
policy=${policy%:*}
|
||||
|
||||
@ -1432,7 +1434,7 @@ validate_policy()
|
||||
ACCEPT|QUEUE)
|
||||
;;
|
||||
*)
|
||||
startup_error " $client $server $policy $loglevel $synparams: Invalid ESTABLISHED/RELATED policy: $epolicy"
|
||||
startup_error "$client $server $policy $loglevel $synparams: Invalid ESTABLISHED policy: $epolicy"
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
@ -3414,7 +3416,7 @@ setup_accounting() # $1 = Name of accounting file
|
||||
|
||||
if havechain accounting; then
|
||||
for chain in INPUT FORWARD OUTPUT; do
|
||||
run_iptables -A $chain -j accounting
|
||||
run_iptables -I $chain -j accounting
|
||||
done
|
||||
fi
|
||||
|
||||
@ -5839,7 +5841,7 @@ policy_rules() # $1 = chain to add rules to
|
||||
{
|
||||
local target="$2"
|
||||
|
||||
case $3 in
|
||||
[ -n "$FASTACCEPT" ] || case $3 in
|
||||
QUEUE)
|
||||
run_iptables -I $1 -m state --state RELATED -j ACCEPT
|
||||
run_iptables -I $1 -m state --state ESTABLISHED -j QUEUE
|
||||
@ -5903,7 +5905,7 @@ default_policy() # $1 = client $2 = server
|
||||
# Add a jump to from the canonical chain to the policy chain. On return,
|
||||
# $chain is set to the name of the policy chain
|
||||
#
|
||||
case $epolicy in
|
||||
[ -n "$FASTACCEPT" ] || case $epolicy in
|
||||
QUEUE)
|
||||
run_iptables -I $chain -m state --state RELATED -j ACCEPT
|
||||
run_iptables -I $chain -m state --state ESTABLISHED -j QUEUE
|
||||
@ -7808,7 +7810,7 @@ activate_rules()
|
||||
disable_critical_hosts
|
||||
|
||||
for chain in INPUT OUTPUT FORWARD; do
|
||||
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
[ -n "$FASTACCEPT" ] || run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
run_iptables -D $chain -p udp --dport 53 -j ACCEPT
|
||||
done
|
||||
|
||||
@ -8690,6 +8692,7 @@ do_initialize() {
|
||||
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
|
||||
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
|
||||
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
|
||||
|
||||
case ${IPSECFILE:=ipsec} in
|
||||
ipsec|zones)
|
||||
|
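Review bot: The new `startup_error` in the validate_policy hunk omits the `$client $server $policy $loglevel $synparams:` prefix that the sibling message in the next hunk carries, so the user is not told which policy entry was rejected; make it `startup_error "$client $server $policy $loglevel $synparams: ESTABLISHED policy may not be specified with FASTACCEPT=Yes in shorewall.conf"` (at that point `$policy` still holds the full `policy:epolicy` form, which is the useful thing to show). Every new guard in validate_policy, policy_rules, default_policy and activate_rules tests `[ -n "$FASTACCEPT" ]`, so the option is on whenever the variable is non-empty; that is only correct if `added_param_value_no` in the do_initialize hunk turns No into the empty string, which is not visible here, so a comment such as `# FASTACCEPT is empty unless set to Yes` beside the assignment would record the assumption. The `-A` to `-I` change in setup_accounting looks intended to keep the accounting jump ahead of the ESTABLISHED,RELATED ACCEPT rule that activate_rules now retains under FASTACCEPT, but nothing in the hunk says so; a comment such as `# insert, so accounting still sees ESTABLISHED/RELATED traffic when FASTACCEPT=Yes` would keep that ordering from being undone later. All of these functions begin and end outside their hunks.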
@ -61,6 +61,10 @@
|
||||
# default) and QUEUE (to queue the packet to a
|
||||
# user-space filter like Snort Inline).
|
||||
#
|
||||
# WARNING: You may not specify an ESTABLISHED policy if
|
||||
# you have set FASTACCEPT=Yes in
|
||||
# /etc/shorewall/shorewall.conf.
|
||||
#
|
||||
# LOG LEVEL If supplied, each connection handled under the default
|
||||
# POLICY is logged at that level. If not supplied, no
|
||||
# log message is generated. See syslog.conf(5) for a
|
||||
|
@ -315,3 +315,16 @@ New Features in Shorewall 2.5.0
|
||||
ACCEPT loc all tcp 22
|
||||
|
||||
does not.
|
||||
|
||||
8) A new FASTACCEPT option has been added to shorewall.conf.
|
||||
|
||||
Normally, Shorewall accepting ESTABLISHED/RELATED packets until
|
||||
these packets reach the chain in which the original connection was
|
||||
accepted. So for packets going from the 'loc' zone to the 'net'
|
||||
zone, ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net'
|
||||
chain.
|
||||
|
||||
If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are
|
||||
accepted early in the INPUT, FORWARD and OUTPUT chains. If you set
|
||||
FASTACCEPT=Yes then you may not specify ESTABLISHED policies in
|
||||
/etc/shorewall/policy (see above).
|
||||
|
@ -803,6 +803,21 @@ SAVE_IPSETS=No
|
||||
|
||||
MAPOLDACTIONS=No
|
||||
|
||||
#
|
||||
# Fast ESTABLISHED/RELATED handling
|
||||
#
|
||||
# Normally, Shorewall accepting ESTABLISHED/RELATED packets until these packets
|
||||
# reach the chain in which the original connection was accepted. So for packets
|
||||
# going from the 'loc' zone to the 'net' zone, ESTABLISHED/RELATED packets are
|
||||
# ACCEPTED in the 'loc2net' chain.
|
||||
#
|
||||
# If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are accepted
|
||||
# early in the INPUT, FORWARD and OUTPUT chains. If you set
|
||||
# FASTACCEPT=Yes then you may not specify ESTABLISHED policies in
|
||||
# /etc/shorewall/policy.
|
||||
|
||||
FASTACCEPT=No
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
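Review bot: The FASTACCEPT comment block describes the option but not what it gives up: with FASTACCEPT=Yes the early ACCEPT in INPUT, FORWARD and OUTPUT means ESTABLISHED/RELATED packets never reach the zone-pair chains, so any drop or log rules placed there (and the per-chain RELATED/ESTABLISHED handling that policy_rules and default_policy now skip) no longer see that traffic, and the connection-tracking state effectively becomes the only check. A sentence such as `# With FASTACCEPT=Yes, ESTABLISHED/RELATED packets bypass the zone-pair chains entirely; only new connections are subject to the rules and policies.` would make that trade-off explicit before a user enables it. The text also has two typos, `Shorewall accepting` (should be `Shorewall accepts`) and `RELEATED`, which are repeated verbatim in the release-notes hunk.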