Add FASTACCEPT option to accept ESTABLISHED/RELATED packets early

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2474 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-08-11 19:53:07 +00:00
parent 946a464437
commit 370d61970a
5 changed files with 42 additions and 5 deletions


@ -12,6 +12,8 @@ Changes in 2.5.1
6) Don't generate redundant ACCEPT rules for DNAT/REDIRECT/SAME 6) Don't generate redundant ACCEPT rules for DNAT/REDIRECT/SAME
7) Add FASTACCEPT option in shorewall.conf.
Changes in 2.5.1ex/2.5.0 Changes in 2.5.1ex/2.5.0
1) Clean up handling of zones 1) Clean up handling of zones


@ -1425,6 +1425,8 @@ validate_policy()
case $policy in case $policy in
*:*) *:*)
[ -n "$FASTACCEPT" ] && \
startup_error "ESTABLISHED policy may not be specified with FASTACCEPT=Yes in shorewall.conf"
epolicy=${policy#*:} epolicy=${policy#*:}
policy=${policy%:*} policy=${policy%:*}
@ -1432,7 +1434,7 @@ validate_policy()
ACCEPT|QUEUE) ACCEPT|QUEUE)
;; ;;
*) *)
startup_error " $client $server $policy $loglevel $synparams: Invalid ESTABLISHED/RELATED policy: $epolicy" startup_error "$client $server $policy $loglevel $synparams: Invalid ESTABLISHED policy: $epolicy"
;; ;;
esac esac
;; ;;
@ -3414,7 +3416,7 @@ setup_accounting() # $1 = Name of accounting file
if havechain accounting; then if havechain accounting; then
for chain in INPUT FORWARD OUTPUT; do for chain in INPUT FORWARD OUTPUT; do
run_iptables -A $chain -j accounting run_iptables -I $chain -j accounting
done done
fi fi
@ -5839,7 +5841,7 @@ policy_rules() # $1 = chain to add rules to
{ {
local target="$2" local target="$2"
case $3 in [ -n "$FASTACCEPT" ] || case $3 in
QUEUE) QUEUE)
run_iptables -I $1 -m state --state RELATED -j ACCEPT run_iptables -I $1 -m state --state RELATED -j ACCEPT
run_iptables -I $1 -m state --state ESTABLISHED -j QUEUE run_iptables -I $1 -m state --state ESTABLISHED -j QUEUE
@ -5903,7 +5905,7 @@ default_policy() # $1 = client $2 = server
# Add a jump to from the canonical chain to the policy chain. On return, # Add a jump to from the canonical chain to the policy chain. On return,
# $chain is set to the name of the policy chain # $chain is set to the name of the policy chain
# #
case $epolicy in [ -n "$FASTACCEPT" ] || case $epolicy in
QUEUE) QUEUE)
run_iptables -I $chain -m state --state RELATED -j ACCEPT run_iptables -I $chain -m state --state RELATED -j ACCEPT
run_iptables -I $chain -m state --state ESTABLISHED -j QUEUE run_iptables -I $chain -m state --state ESTABLISHED -j QUEUE
@ -7808,7 +7810,7 @@ activate_rules()
disable_critical_hosts disable_critical_hosts
for chain in INPUT OUTPUT FORWARD; do for chain in INPUT OUTPUT FORWARD; do
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT [ -n "$FASTACCEPT" ] || run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -D $chain -p udp --dport 53 -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT
done done
@ -8690,6 +8692,7 @@ do_initialize() {
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS) MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
case ${IPSECFILE:=ipsec} in case ${IPSECFILE:=ipsec} in
ipsec|zones) ipsec|zones)
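Review bot: The new FASTACCEPT startup_error in validate_policy (first hunk) drops the `$client $server $policy $loglevel $synparams:` prefix that the sibling "Invalid ESTABLISHED policy" message two lines below carries, so an operator with several ESTABLISHED policies gets no indication of which /etc/shorewall/policy entry is being rejected; I would use `startup_error "$client $server $policy $loglevel $synparams: ESTABLISHED policy may not be specified with FASTACCEPT=Yes in shorewall.conf"`. The guard itself only tests that FASTACCEPT is non-empty, which is correct if added_param_value_no in do_initialize normalises No to an empty string the way the neighbouring options appear to rely on, but that is inferred from the helper's name rather than visible here and is worth confirming, since otherwise FASTACCEPT=No would trip the error. Security-wise, keeping the early ESTABLISHED,RELATED ACCEPT in activate_rules while policy_rules and default_policy stop emitting the per-chain state rules means that with FASTACCEPT=Yes established traffic is accepted in INPUT/FORWARD/OUTPUT and, as far as these hunks show, never reaches a zone-to-zone chain, so any rule, policy-level logging or later built-in chain there no longer sees it — that trade-off should be stated where the option is documented. validate_policy, setup_accounting, policy_rules, default_policy, activate_rules and do_initialize all extend outside their hunks.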


@ -61,6 +61,10 @@
# default) and QUEUE (to queue the packet to a # default) and QUEUE (to queue the packet to a
# user-space filter like Snort Inline). # user-space filter like Snort Inline).
# #
# WARNING: You may not specify an ESTABLISHED policy if
# you have set FASTACCEPT=Yes in
# /etc/shorewall/shorewall.conf.
#
# LOG LEVEL If supplied, each connection handled under the default # LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no # POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a # log message is generated. See syslog.conf(5) for a


@ -315,3 +315,16 @@ New Features in Shorewall 2.5.0
ACCEPT loc all tcp 22 ACCEPT loc all tcp 22
does not. does not.
8) A new FASTACCEPT option has been added to shorewall.conf.
Normally, Shorewall accepting ESTABLISHED/RELATED packets until
these packets reach the chain in which the original connection was
accepted. So for packets going from the 'loc' zone to the 'net'
zone, ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net'
chain.
If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are
accepted early in the INPUT, FORWARD and OUTPUT chains. If you set
FASTACCEPT=Yes then you may not specify ESTABLISHED policies in
/etc/shorewall/policy (see above).


@ -803,6 +803,21 @@ SAVE_IPSETS=No
MAPOLDACTIONS=No MAPOLDACTIONS=No
#
# Fast ESTABLISHED/RELATED handling
#
# Normally, Shorewall accepting ESTABLISHED/RELATED packets until these packets
# reach the chain in which the original connection was accepted. So for packets
# going from the 'loc' zone to the 'net' zone, ESTABLISHED/RELATED packets are
# ACCEPTED in the 'loc2net' chain.
#
# If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are accepted
# early in the INPUT, FORWARD and OUTPUT chains. If you set
# FASTACCEPT=Yes then you may not specify ESTABLISHED policies in
# /etc/shorewall/policy.
FASTACCEPT=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
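Review bot: The new shorewall.conf comment block has two wording defects that make the option hard to understand: `# Normally, Shorewall accepting ESTABLISHED/RELATED packets until these packets` is missing its verb and should read `# Normally, Shorewall does not accept ESTABLISHED/RELATED packets until these packets`, and `ESTABLISHED/RELEATED` on the FASTACCEPT=Yes line should be `ESTABLISHED/RELATED`. More importantly for an operator, the block says the packets are accepted "early" but not what that skips; since the same commit stops emitting the state rules in the zone-to-zone chains, established traffic is accepted in the built-in chains before those chains are reached, so I would add a sentence such as `# With FASTACCEPT=Yes, ESTABLISHED/RELATED packets are accepted before any zone-to-zone` / `# chain is reached, so rules, policies and logging in those chains never see them.` The same "accepting"/"RELEATED" wording appears in the release-notes hunk of this commit and should be fixed there too.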