diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules
index 8ca2cc232..8288a3286 100644
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -13,6 +13,9 @@
 #############################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
 # PORT PORT(S) DEST LIMIT GROUP
+# Don't allow connection pickup from the net
+#
+Invalid(DROP) net all
 #
 # Accept DNS connections from the firewall to the Internet
 #
diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules
index 4dcec9128..ab6aa9fe0 100644
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -13,6 +13,9 @@
 #############################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
 # PORT PORT(S) DEST LIMIT GROUP
+# Don't allow connection pickup from the net
+#
+Invalid(DROP) net all
 #
 # Accept DNS connections from the firewall to the network
 #
diff --git a/Samples6/three-interfaces/rules b/Samples6/three-interfaces/rules
index 77cc9ed09..a9b9de846 100644
--- a/Samples6/three-interfaces/rules
+++ b/Samples6/three-interfaces/rules
@@ -13,6 +13,9 @@
 #############################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
 # PORT PORT(S) DEST LIMIT GROUP
+# Don't allow connection pickup from the net
+#
+Invalid(DROP) net all
 #
 # Accept DNS connections from the firewall to the Internet
 #
diff --git a/Samples6/two-interfaces/rules b/Samples6/two-interfaces/rules
index 75065698e..1afdb16d2 100644
--- a/Samples6/two-interfaces/rules
+++ b/Samples6/two-interfaces/rules
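Review bot: The comment added above `Invalid(DROP) net all` says the rule stops connection pickup from the net, but the rule only sees packets that conntrack classifies as INVALID; as far as I recall, with the kernel default of `nf_conntrack_tcp_loose=1` a mid-stream TCP packet is classified NEW rather than INVALID, so it would pass this rule and be evaluated by the later NEW-connection rules instead. The comment should record that assumption, e.g. `# Drop packets in INVALID conntrack state; mid-stream pickups only land here when nf_conntrack_tcp_loose=0`, or the sample should pair the rule with the NotSyn action if that action is available in this version and "pickup" is what the sample intends to cover. The identical hunk is repeated in Samples/two-interfaces/rules, Samples6/three-interfaces/rules and Samples6/two-interfaces/rules.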
@@ -13,6 +13,9 @@
 #############################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
 # PORT PORT(S) DEST LIMIT GROUP
+# Don't allow connection pickup from the net
+#
+Invalid(DROP) net all
 #
 # Accept DNS connections from the firewall to the network
 #
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 6398303b5..21382347c 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2110,7 +2110,7 @@ sub ensure_audit_chain( $;$$ ) {
 $tgt ||= $action;
-add_ijump $ref, j => 'AUDIT --type ' . lc $action;
+add_ijump $ref, j => 'AUDIT', targetopts => '--type ' . lc $action;
 if ( $tgt eq 'REJECT' ) {
 add_ijump $ref , g => 'reject';
@@ -4903,7 +4903,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 #
 # Clear the exclusion bit
 #
-add_ijump $chainref , j => 'MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
+add_ijump $chainref , j => 'MARK', targetopts => '--and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
 #
 # Mark packet if it matches any of the exclusions
 #
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 5405b771e..3454ed9e8 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -186,7 +186,7 @@ sub setup_ecn()
 }
 for my $host ( @hosts ) {
-add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN --ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[1] ) );
+add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', targetopts => '--ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[1] ) );
 }
 }
 }
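Review bot: Every call site in this commit moves the target's options into a new `targetopts` key, but no hunk touches the implementation of `add_ijump` (or whatever it delegates to) in Chains.pm, so from this diff alone it is not visible that `targetopts` is consumed and emitted after the `-j` target. If that support landed in an earlier commit, a short comment at the first converted call in ensure_audit_chain would record the contract, e.g. `# keep the -j value a bare target name; its options travel in targetopts`; if it has not, every converted rule silently loses its `--type`, `--set-mark`, `--reject-with` or `--set-mss` argument and the generated ruleset will either fail to load or build wrong rules. The same question applies to the expand_rule and setup_ecn hunks and to the remaining Misc.pm, Providers.pm and Rules.pm hunks. ensure_audit_chain starts before this hunk and continues past it.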
@@ -226,7 +226,7 @@ sub setup_blacklist() {
 log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
-add_ijump( $logchainref, j => 'AUDIT --type ' . lc $target ) if $audit;
+add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
 add_ijump( $logchainref, g => $target );
 $target = 'blacklog';
@@ -506,7 +506,7 @@ sub add_common_rules() {
 log_rule $level , $chainref , $policy , '' if $level ne '';
-add_ijump( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit;
+add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
 add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
@@ -518,7 +518,7 @@ sub add_common_rules() {
 add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
 log_rule $level , $chainref , $policy , '' if $level ne '';
-add_ijump( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit;
+add_ijump( $chainref, j => 'AUDIT ', targetopts => '--type ' . lc $policy ) if $audit;
 add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
@@ -595,7 +595,7 @@ sub add_common_rules() {
 '', 'add', '' );
-add_ijump( $smurfref, j => 'AUDIT --type drop' ) if $smurfdest eq 'A_DROP';
+add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
 add_ijump( $smurfref, j => 'DROP' );
 $smurfdest = 'smurflog';
@@ -669,7 +669,7 @@ sub add_common_rules() {
 }
 add_ijump $rejectref , j => 'DROP', p => 2;
-add_ijump $rejectref , j => 'REJECT --reject-with tcp-reset', p => 6;
+add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
 if ( have_capability( 'ENHANCED_REJECT' ) ) {
 add_ijump $rejectref , j => 'REJECT', p => 17;
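Review bot: In the second add_common_rules hunk (@@ -518) the new line passes `j => 'AUDIT '` with a trailing space, while every other converted call in this commit passes `'AUDIT'`; whether that produces a doubled space in the emitted rule or a target name that no longer compares equal to AUDIT depends on how add_ijump joins the target and `targetopts`, but either way it is an inconsistency introduced by the rewrite. Change it to `add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;` so it matches the @@ -506 hunk directly above it. add_common_rules starts before these hunks and continues past them.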
@@ -732,11 +732,11 @@ sub add_common_rules() {
 if ( $audit ) {
 $disposition =~ s/^A_//;
-add_ijump( $logflagsref, j => 'AUDIT --type ' . lc $disposition );
+add_ijump( $logflagsref, j => 'AUDIT', targetopts => '--type ' . lc $disposition );
 }
 if ( $disposition eq 'REJECT' ) {
-add_ijump $logflagsref , j => 'REJECT --reject-with tcp-reset', p => 6;
+add_ijump $logflagsref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
 } else {
 add_ijump $logflagsref , j => $disposition;
 }
@@ -909,14 +909,14 @@ sub setup_mac_lists( $ ) {
 log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}" if supplied $level;
-add_ijump( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
+add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
 add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
 }
 } else {
 log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac if supplied $level;
-add_ijump( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
+add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
 add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
 }
@@ -1824,10 +1824,10 @@ sub setup_mss( ) {
 if ( $clampmss ) {
 if ( "\L$clampmss" eq 'yes' ) {
-$option = ' --clamp-mss-to-pmtu';
+$option = '--clamp-mss-to-pmtu';
 } else {
 @match = ( tcpmss => "--mss $clampmss:" ) if have_capability( 'TCPMSS_MATCH' );
-$option = " --set-mss $clampmss";
+$option = "--set-mss $clampmss";
 }
 push @match, ( policy => '--pol none --dir out' ) if have_ipsec;
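Review bot: The setup_mss hunk (@@ -1824) drops the leading space from both `$option` assignments, which is only correct if every reader of `$option` now passes it through `targetopts` instead of concatenating it onto the target as `"TCPMSS${option}"`; the one such use visible in the following hunk is converted, but `$option` is assigned here and used some thirty lines later, and any other reference in between is not shown in this diff, so that stretch is worth checking. A comment on the assignment would record the new contract, e.g. `# bare option string: emitted via targetopts, never appended to the target name`. setup_mss starts before this hunk and continues past it.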
@@ -1858,14 +1858,14 @@ sub setup_mss( ) {
 my @mssmatch = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
 my @source = imatch_source_dev $_;
 my @dest = imatch_dest_dev $_;
-add_ijump $chainref, j => "TCPMSS --set-mss $mss", @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @out_match;
+add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @out_match;
 add_ijump $chainref, j => 'RETURN', @dest if $clampmss;
-add_ijump $chainref, j => "TCPMSS --set-mss $mss", @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @in_match;
+add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @in_match;
 add_ijump $chainref, j => 'RETURN', @source if $clampmss;
 }
 }
-add_ijump $chainref , j => "TCPMSS${option}", p => 'tcp --tcp-flags SYN,RST SYN', @match if $clampmss;
+add_ijump $chainref , j => 'TCPMSS', targetopts => $option, p => 'tcp --tcp-flags SYN,RST SYN', @match if $clampmss;
 }
 #
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 3e5f3a513..2447006d7 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -100,7 +100,7 @@ sub setup_route_marking() {
 require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
-add_ijump $mangle_table->{$_} , j => "CONNMARK --restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
+add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
 my $chainref = new_chain 'mangle', 'routemark';
 my $chainref1 = new_chain 'mangle', 'setsticky';
@@ -122,14 +122,14 @@ sub setup_route_marking() {
 if ( $providerref->{shared} ) {
 add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
 decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
 } else {
-add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface );
+add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
 }
 }
-add_ijump $chainref, j => "CONNMARK --save-mark --mask $mask", mark => "! --mark 0/$mask";
+add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
 }
 sub copy_table( $$$ ) {
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 0eaaee635..8aea58a7f 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -533,7 +533,7 @@ sub policy_rules( $$$$$ ) {
 log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 fatal_error "Null target in policy_rules()" unless $target;
-add_ijump( $chainref , j => 'AUDIT --type ' . lc $target ) if $chainref->{audit};
+add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
 add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
 }
 }