Merge branch '4.4.22'

Tom Eastep 2011-08-13 10:48:27 -07:00
commit 37b08dd991
8 changed files with 34 additions and 22 deletions


@ -13,6 +13,9 @@
############################################################################################################# #############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
# Don't allow connection pickup from the net
#
Invalid(DROP) net all
# #
# Accept DNS connections from the firewall to the Internet # Accept DNS connections from the firewall to the Internet
# #
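Review bot: The comment added above the new `Invalid(DROP) net all` rule describes the intent only as "connection pickup", which a reader of a sample config will not necessarily connect to what the Invalid action matches (presumably packets that conntrack cannot associate with a tracked connection; the action definition is not part of this diff). Since the rule sits ahead of the DNS accept rules and carries no log level, drops it produces leave no trace in the log, which is worth stating in the sample. Consider expanding the comment to something like `# Drop packets from the net that do not belong to a tracked connection; no logging, add a log level to the rule if visibility is wanted`. The same three-line addition appears in the other three sample rules sections of this commit and the same wording applies there.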


@ -13,6 +13,9 @@
############################################################################################################# #############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
# Don't allow connection pickup from the net
#
Invalid(DROP) net all
# #
# Accept DNS connections from the firewall to the network # Accept DNS connections from the firewall to the network
# #


@ -13,6 +13,9 @@
############################################################################################################# #############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
# Don't allow connection pickup from the net
#
Invalid(DROP) net all
# #
# Accept DNS connections from the firewall to the Internet # Accept DNS connections from the firewall to the Internet
# #


@ -13,6 +13,9 @@
############################################################################################################# #############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
# Don't allow connection pickup from the net
#
Invalid(DROP) net all
# #
# Accept DNS connections from the firewall to the network # Accept DNS connections from the firewall to the network
# #


@ -2110,7 +2110,7 @@ sub ensure_audit_chain( $;$$ ) {
$tgt ||= $action; $tgt ||= $action;
add_ijump $ref, j => 'AUDIT --type ' . lc $action; add_ijump $ref, j => 'AUDIT', targetopts => '--type ' . lc $action;
if ( $tgt eq 'REJECT' ) { if ( $tgt eq 'REJECT' ) {
add_ijump $ref , g => 'reject'; add_ijump $ref , g => 'reject';
@ -4903,7 +4903,7 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
# Clear the exclusion bit # Clear the exclusion bit
# #
add_ijump $chainref , j => 'MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff ); add_ijump $chainref , j => 'MARK', targetopts => '--and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
# #
# Mark packet if it matches any of the exclusions # Mark packet if it matches any of the exclusions
# #


@ -186,7 +186,7 @@ sub setup_ecn()
} }
for my $host ( @hosts ) { for my $host ( @hosts ) {
add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN --ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[1] ) ); add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', targetopts => '--ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[1] ) );
} }
} }
} }
@ -226,7 +226,7 @@ sub setup_blacklist() {
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' ); log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $target ) if $audit; add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
add_ijump( $logchainref, g => $target ); add_ijump( $logchainref, g => $target );
$target = 'blacklog'; $target = 'blacklog';
@ -506,7 +506,7 @@ sub add_common_rules() {
log_rule $level , $chainref , $policy , '' if $level ne ''; log_rule $level , $chainref , $policy , '' if $level ne '';
add_ijump( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit; add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy; add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
@ -518,7 +518,7 @@ sub add_common_rules() {
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' ); add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
log_rule $level , $chainref , $policy , '' if $level ne ''; log_rule $level , $chainref , $policy , '' if $level ne '';
add_ijump( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit; add_ijump( $chainref, j => 'AUDIT ', targetopts => '--type ' . lc $policy ) if $audit;
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy; add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
@ -595,7 +595,7 @@ sub add_common_rules() {
'', '',
'add', 'add',
'' ); '' );
add_ijump( $smurfref, j => 'AUDIT --type drop' ) if $smurfdest eq 'A_DROP'; add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
add_ijump( $smurfref, j => 'DROP' ); add_ijump( $smurfref, j => 'DROP' );
$smurfdest = 'smurflog'; $smurfdest = 'smurflog';
@ -669,7 +669,7 @@ sub add_common_rules() {
} }
add_ijump $rejectref , j => 'DROP', p => 2; add_ijump $rejectref , j => 'DROP', p => 2;
add_ijump $rejectref , j => 'REJECT --reject-with tcp-reset', p => 6; add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
if ( have_capability( 'ENHANCED_REJECT' ) ) { if ( have_capability( 'ENHANCED_REJECT' ) ) {
add_ijump $rejectref , j => 'REJECT', p => 17; add_ijump $rejectref , j => 'REJECT', p => 17;
@ -732,11 +732,11 @@ sub add_common_rules() {
if ( $audit ) { if ( $audit ) {
$disposition =~ s/^A_//; $disposition =~ s/^A_//;
add_ijump( $logflagsref, j => 'AUDIT --type ' . lc $disposition ); add_ijump( $logflagsref, j => 'AUDIT', targetopts => '--type ' . lc $disposition );
} }
if ( $disposition eq 'REJECT' ) { if ( $disposition eq 'REJECT' ) {
add_ijump $logflagsref , j => 'REJECT --reject-with tcp-reset', p => 6; add_ijump $logflagsref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
} else { } else {
add_ijump $logflagsref , j => $disposition; add_ijump $logflagsref , j => $disposition;
} }
@ -909,14 +909,14 @@ sub setup_mac_lists( $ ) {
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}" log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
if supplied $level; if supplied $level;
add_ijump( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT'; add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" ); add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
} }
} else { } else {
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
if supplied $level; if supplied $level;
add_ijump( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT'; add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
add_jump ( $chainref , $targetref->{target}, 0, "$mac" ); add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
} }
@ -1824,10 +1824,10 @@ sub setup_mss( ) {
if ( $clampmss ) { if ( $clampmss ) {
if ( "\L$clampmss" eq 'yes' ) { if ( "\L$clampmss" eq 'yes' ) {
$option = ' --clamp-mss-to-pmtu'; $option = '--clamp-mss-to-pmtu';
} else { } else {
@match = ( tcpmss => "--mss $clampmss:" ) if have_capability( 'TCPMSS_MATCH' ); @match = ( tcpmss => "--mss $clampmss:" ) if have_capability( 'TCPMSS_MATCH' );
$option = " --set-mss $clampmss"; $option = "--set-mss $clampmss";
} }
push @match, ( policy => '--pol none --dir out' ) if have_ipsec; push @match, ( policy => '--pol none --dir out' ) if have_ipsec;
@ -1858,14 +1858,14 @@ sub setup_mss( ) {
my @mssmatch = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : (); my @mssmatch = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
my @source = imatch_source_dev $_; my @source = imatch_source_dev $_;
my @dest = imatch_dest_dev $_; my @dest = imatch_dest_dev $_;
add_ijump $chainref, j => "TCPMSS --set-mss $mss", @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @out_match; add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @out_match;
add_ijump $chainref, j => 'RETURN', @dest if $clampmss; add_ijump $chainref, j => 'RETURN', @dest if $clampmss;
add_ijump $chainref, j => "TCPMSS --set-mss $mss", @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @in_match; add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @in_match;
add_ijump $chainref, j => 'RETURN', @source if $clampmss; add_ijump $chainref, j => 'RETURN', @source if $clampmss;
} }
} }
add_ijump $chainref , j => "TCPMSS${option}", p => 'tcp --tcp-flags SYN,RST SYN', @match if $clampmss; add_ijump $chainref , j => 'TCPMSS', targetopts => $option, p => 'tcp --tcp-flags SYN,RST SYN', @match if $clampmss;
} }
# #
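Review bot: The new line in the second add_common_rules hunk (the ipsec `--pol ipsec --dir out` branch) passes `j => 'AUDIT '` with a trailing space, while every other converted call in this file and in the Chains.pm, Providers.pm and Policy.pm hunks passes `j => 'AUDIT'`. If add_ijump emits the target verbatim the only effect is a doubled space in the generated `-j AUDIT  --type ...`, but if it compares or looks up the target name anywhere (chain references, rule merging) this one rule would differ from its siblings; add_ijump's definition is not in this diff, so that part is inferred. Change it to `add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;` to match the others. add_common_rules starts and ends outside these hunks.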


@ -100,7 +100,7 @@ sub setup_route_marking() {
require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/; require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
add_ijump $mangle_table->{$_} , j => "CONNMARK --restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/; add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
my $chainref = new_chain 'mangle', 'routemark'; my $chainref = new_chain 'mangle', 'routemark';
my $chainref1 = new_chain 'mangle', 'setsticky'; my $chainref1 = new_chain 'mangle', 'setsticky';
@ -122,14 +122,14 @@ sub setup_route_marking() {
if ( $providerref->{shared} ) { if ( $providerref->{shared} ) {
add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional}; add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}"; add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional}; decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
} else { } else {
add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface ); add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
} }
} }
add_ijump $chainref, j => "CONNMARK --save-mark --mask $mask", mark => "! --mark 0/$mask"; add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
} }
sub copy_table( $$$ ) { sub copy_table( $$$ ) {


@ -533,7 +533,7 @@ sub policy_rules( $$$$$ ) {
log_rule $loglevel , $chainref , $target , '' if $loglevel ne ''; log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
fatal_error "Null target in policy_rules()" unless $target; fatal_error "Null target in policy_rules()" unless $target;
add_ijump( $chainref , j => 'AUDIT --type ' . lc $target ) if $chainref->{audit}; add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE'; add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
} }
} }