Merge branch '4.4.22'
37b08dd991
@ -13,6 +13,9 @@
|
|||||||
#############################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
# Don't allow connection pickup from the net
|
||||||
|
#
|
||||||
|
Invalid(DROP) net all
|
||||||
#
|
#
|
||||||
# Accept DNS connections from the firewall to the Internet
|
# Accept DNS connections from the firewall to the Internet
|
||||||
#
|
#
|
||||||
|
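Review bot: The added `Invalid(DROP) net all` rule drops packets silently, and the comment "Don't allow connection pickup from the net" does not tell a reader of this sample what is actually being dropped. Since sample files get copied into production configurations, I would make the comment self-explanatory, e.g. `# Drop packets that connection tracking classifies as INVALID (e.g. mid-stream TCP segments with no matching connection entry)`, and mention that a log level can be appended (as with other actions, if the Invalid macro accepts one) when the drops should be visible. Placing the rule ahead of the explicit ACCEPT rules below it is correct because rules are matched in order, so the position itself needs no change.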
@ -13,6 +13,9 @@
|
|||||||
#############################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
# Don't allow connection pickup from the net
|
||||||
|
#
|
||||||
|
Invalid(DROP) net all
|
||||||
#
|
#
|
||||||
# Accept DNS connections from the firewall to the network
|
# Accept DNS connections from the firewall to the network
|
||||||
#
|
#
|
||||||
|
@ -13,6 +13,9 @@
|
|||||||
#############################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
# Don't allow connection pickup from the net
|
||||||
|
#
|
||||||
|
Invalid(DROP) net all
|
||||||
#
|
#
|
||||||
# Accept DNS connections from the firewall to the Internet
|
# Accept DNS connections from the firewall to the Internet
|
||||||
#
|
#
|
||||||
|
@ -13,6 +13,9 @@
|
|||||||
#############################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
# Don't allow connection pickup from the net
|
||||||
|
#
|
||||||
|
Invalid(DROP) net all
|
||||||
#
|
#
|
||||||
# Accept DNS connections from the firewall to the network
|
# Accept DNS connections from the firewall to the network
|
||||||
#
|
#
|
||||||
|
@ -2110,7 +2110,7 @@ sub ensure_audit_chain( $;$$ ) {
|
|||||||
|
|
||||||
$tgt ||= $action;
|
$tgt ||= $action;
|
||||||
|
|
||||||
add_ijump $ref, j => 'AUDIT --type ' . lc $action;
|
add_ijump $ref, j => 'AUDIT', targetopts => '--type ' . lc $action;
|
||||||
|
|
||||||
if ( $tgt eq 'REJECT' ) {
|
if ( $tgt eq 'REJECT' ) {
|
||||||
add_ijump $ref , g => 'reject';
|
add_ijump $ref , g => 'reject';
|
||||||
@ -4903,7 +4903,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
#
|
#
|
||||||
# Clear the exclusion bit
|
# Clear the exclusion bit
|
||||||
#
|
#
|
||||||
add_ijump $chainref , j => 'MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
|
add_ijump $chainref , j => 'MARK', targetopts => '--and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
|
||||||
#
|
#
|
||||||
# Mark packet if it matches any of the exclusions
|
# Mark packet if it matches any of the exclusions
|
||||||
#
|
#
|
||||||
|
@ -186,7 +186,7 @@ sub setup_ecn()
|
|||||||
}
|
}
|
||||||
|
|
||||||
for my $host ( @hosts ) {
|
for my $host ( @hosts ) {
|
||||||
add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN --ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[1] ) );
|
add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', targetopts => '--ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[1] ) );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -226,7 +226,7 @@ sub setup_blacklist() {
|
|||||||
|
|
||||||
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
||||||
|
|
||||||
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $target ) if $audit;
|
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
||||||
add_ijump( $logchainref, g => $target );
|
add_ijump( $logchainref, g => $target );
|
||||||
|
|
||||||
$target = 'blacklog';
|
$target = 'blacklog';
|
||||||
@ -506,7 +506,7 @@ sub add_common_rules() {
|
|||||||
|
|
||||||
log_rule $level , $chainref , $policy , '' if $level ne '';
|
log_rule $level , $chainref , $policy , '' if $level ne '';
|
||||||
|
|
||||||
add_ijump( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit;
|
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
|
||||||
|
|
||||||
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
|
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
|
||||||
|
|
||||||
@ -518,7 +518,7 @@ sub add_common_rules() {
|
|||||||
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
|
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
|
||||||
log_rule $level , $chainref , $policy , '' if $level ne '';
|
log_rule $level , $chainref , $policy , '' if $level ne '';
|
||||||
|
|
||||||
add_ijump( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit;
|
add_ijump( $chainref, j => 'AUDIT ', targetopts => '--type ' . lc $policy ) if $audit;
|
||||||
|
|
||||||
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
|
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
|
||||||
|
|
||||||
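Review bot: The new line at the second converted `add_ijump` in this hunk passes `'AUDIT '` with a trailing space as the jump target, while every other call converted in this commit passes `'AUDIT'`. Unless the target name is trimmed before the rule is emitted, the generated rule will carry a doubled space, and any later comparison of the target name against `'AUDIT'` would silently fail. It should read `add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;`. add_common_rules starts and ends outside this hunk.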
@ -595,7 +595,7 @@ sub add_common_rules() {
|
|||||||
'',
|
'',
|
||||||
'add',
|
'add',
|
||||||
'' );
|
'' );
|
||||||
add_ijump( $smurfref, j => 'AUDIT --type drop' ) if $smurfdest eq 'A_DROP';
|
add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
|
||||||
add_ijump( $smurfref, j => 'DROP' );
|
add_ijump( $smurfref, j => 'DROP' );
|
||||||
|
|
||||||
$smurfdest = 'smurflog';
|
$smurfdest = 'smurflog';
|
||||||
@ -669,7 +669,7 @@ sub add_common_rules() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
add_ijump $rejectref , j => 'DROP', p => 2;
|
add_ijump $rejectref , j => 'DROP', p => 2;
|
||||||
add_ijump $rejectref , j => 'REJECT --reject-with tcp-reset', p => 6;
|
add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
|
||||||
|
|
||||||
if ( have_capability( 'ENHANCED_REJECT' ) ) {
|
if ( have_capability( 'ENHANCED_REJECT' ) ) {
|
||||||
add_ijump $rejectref , j => 'REJECT', p => 17;
|
add_ijump $rejectref , j => 'REJECT', p => 17;
|
||||||
@ -732,11 +732,11 @@ sub add_common_rules() {
|
|||||||
|
|
||||||
if ( $audit ) {
|
if ( $audit ) {
|
||||||
$disposition =~ s/^A_//;
|
$disposition =~ s/^A_//;
|
||||||
add_ijump( $logflagsref, j => 'AUDIT --type ' . lc $disposition );
|
add_ijump( $logflagsref, j => 'AUDIT', targetopts => '--type ' . lc $disposition );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $disposition eq 'REJECT' ) {
|
if ( $disposition eq 'REJECT' ) {
|
||||||
add_ijump $logflagsref , j => 'REJECT --reject-with tcp-reset', p => 6;
|
add_ijump $logflagsref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
|
||||||
} else {
|
} else {
|
||||||
add_ijump $logflagsref , j => $disposition;
|
add_ijump $logflagsref , j => $disposition;
|
||||||
}
|
}
|
||||||
@ -909,14 +909,14 @@ sub setup_mac_lists( $ ) {
|
|||||||
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
|
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
|
||||||
if supplied $level;
|
if supplied $level;
|
||||||
|
|
||||||
add_ijump( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
|
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
|
||||||
add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
|
add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
|
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
|
||||||
if supplied $level;
|
if supplied $level;
|
||||||
|
|
||||||
add_ijump( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
|
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
|
||||||
add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
|
add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1824,10 +1824,10 @@ sub setup_mss( ) {
|
|||||||
|
|
||||||
if ( $clampmss ) {
|
if ( $clampmss ) {
|
||||||
if ( "\L$clampmss" eq 'yes' ) {
|
if ( "\L$clampmss" eq 'yes' ) {
|
||||||
$option = ' --clamp-mss-to-pmtu';
|
$option = '--clamp-mss-to-pmtu';
|
||||||
} else {
|
} else {
|
||||||
@match = ( tcpmss => "--mss $clampmss:" ) if have_capability( 'TCPMSS_MATCH' );
|
@match = ( tcpmss => "--mss $clampmss:" ) if have_capability( 'TCPMSS_MATCH' );
|
||||||
$option = " --set-mss $clampmss";
|
$option = "--set-mss $clampmss";
|
||||||
}
|
}
|
||||||
|
|
||||||
push @match, ( policy => '--pol none --dir out' ) if have_ipsec;
|
push @match, ( policy => '--pol none --dir out' ) if have_ipsec;
|
||||||
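Review bot: `$option = "--set-mss $clampmss"` and `tcpmss => "--mss $clampmss:"` interpolate the CLAMPMSS setting directly into iptables target and match options, and nothing in this hunk checks that the value is numeric once it is not the literal `yes`; a malformed setting would be passed through as additional iptables arguments rather than rejected. If the value is not already validated where it is read (outside this hunk), guard the else branch with `fatal_error "Invalid CLAMPMSS setting ($clampmss)" unless $clampmss =~ /^\d+$/;` before building `@match` and `$option`. Dropping the leading space from `$option` now that it is passed as `targetopts` looks right. setup_mss starts and ends outside this hunk.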
@ -1858,14 +1858,14 @@ sub setup_mss( ) {
|
|||||||
my @mssmatch = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
|
my @mssmatch = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
|
||||||
my @source = imatch_source_dev $_;
|
my @source = imatch_source_dev $_;
|
||||||
my @dest = imatch_dest_dev $_;
|
my @dest = imatch_dest_dev $_;
|
||||||
add_ijump $chainref, j => "TCPMSS --set-mss $mss", @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @out_match;
|
add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @out_match;
|
||||||
add_ijump $chainref, j => 'RETURN', @dest if $clampmss;
|
add_ijump $chainref, j => 'RETURN', @dest if $clampmss;
|
||||||
add_ijump $chainref, j => "TCPMSS --set-mss $mss", @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @in_match;
|
add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @in_match;
|
||||||
add_ijump $chainref, j => 'RETURN', @source if $clampmss;
|
add_ijump $chainref, j => 'RETURN', @source if $clampmss;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
add_ijump $chainref , j => "TCPMSS${option}", p => 'tcp --tcp-flags SYN,RST SYN', @match if $clampmss;
|
add_ijump $chainref , j => 'TCPMSS', targetopts => $option, p => 'tcp --tcp-flags SYN,RST SYN', @match if $clampmss;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -100,7 +100,7 @@ sub setup_route_marking() {
|
|||||||
|
|
||||||
require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
|
require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
|
||||||
|
|
||||||
add_ijump $mangle_table->{$_} , j => "CONNMARK --restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
|
add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
|
||||||
|
|
||||||
my $chainref = new_chain 'mangle', 'routemark';
|
my $chainref = new_chain 'mangle', 'routemark';
|
||||||
my $chainref1 = new_chain 'mangle', 'setsticky';
|
my $chainref1 = new_chain 'mangle', 'setsticky';
|
||||||
@ -122,14 +122,14 @@ sub setup_route_marking() {
|
|||||||
|
|
||||||
if ( $providerref->{shared} ) {
|
if ( $providerref->{shared} ) {
|
||||||
add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
|
add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
|
||||||
add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
|
add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
|
||||||
decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
|
decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
|
||||||
} else {
|
} else {
|
||||||
add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface );
|
add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
add_ijump $chainref, j => "CONNMARK --save-mark --mask $mask", mark => "! --mark 0/$mask";
|
add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub copy_table( $$$ ) {
|
sub copy_table( $$$ ) {
|
||||||
|
@ -533,7 +533,7 @@ sub policy_rules( $$$$$ ) {
|
|||||||
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
|
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
|
||||||
fatal_error "Null target in policy_rules()" unless $target;
|
fatal_error "Null target in policy_rules()" unless $target;
|
||||||
|
|
||||||
add_ijump( $chainref , j => 'AUDIT --type ' . lc $target ) if $chainref->{audit};
|
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
|
||||||
add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
|
add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|