Merge branch '4.4.22'

This commit is contained in:
Tom Eastep 2011-08-13 10:48:27 -07:00
commit 37b08dd991
8 changed files with 34 additions and 22 deletions

View File

@ -13,6 +13,9 @@
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
# Don't allow connection pickup from the net
#
Invalid(DROP) net all
#
# Accept DNS connections from the firewall to the Internet
#

View File

@ -13,6 +13,9 @@
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
# Don't allow connection pickup from the net
#
Invalid(DROP) net all
#
# Accept DNS connections from the firewall to the network
#

View File

@ -13,6 +13,9 @@
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
# Don't allow connection pickup from the net
#
Invalid(DROP) net all
#
# Accept DNS connections from the firewall to the Internet
#

View File

@ -13,6 +13,9 @@
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
# Don't allow connection pickup from the net
#
Invalid(DROP) net all
#
# Accept DNS connections from the firewall to the network
#

View File

@ -2110,7 +2110,7 @@ sub ensure_audit_chain( $;$$ ) {
$tgt ||= $action;
add_ijump $ref, j => 'AUDIT --type ' . lc $action;
add_ijump $ref, j => 'AUDIT', targetopts => '--type ' . lc $action;
if ( $tgt eq 'REJECT' ) {
add_ijump $ref , g => 'reject';
@ -4903,7 +4903,7 @@ sub expand_rule( $$$$$$$$$$;$ )
#
# Clear the exclusion bit
#
add_ijump $chainref , j => 'MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
add_ijump $chainref , j => 'MARK', targetopts => '--and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
#
# Mark packet if it matches any of the exclusions
#

View File

@ -186,7 +186,7 @@ sub setup_ecn()
}
for my $host ( @hosts ) {
add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN --ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[1] ) );
add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', targetopts => '--ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[1] ) );
}
}
}
@ -226,7 +226,7 @@ sub setup_blacklist() {
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $target ) if $audit;
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
add_ijump( $logchainref, g => $target );
$target = 'blacklog';
@ -506,7 +506,7 @@ sub add_common_rules() {
log_rule $level , $chainref , $policy , '' if $level ne '';
add_ijump( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit;
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
@ -518,7 +518,7 @@ sub add_common_rules() {
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
log_rule $level , $chainref , $policy , '' if $level ne '';
add_ijump( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit;
add_ijump( $chainref, j => 'AUDIT ', targetopts => '--type ' . lc $policy ) if $audit;
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
@ -595,7 +595,7 @@ sub add_common_rules() {
'',
'add',
'' );
add_ijump( $smurfref, j => 'AUDIT --type drop' ) if $smurfdest eq 'A_DROP';
add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
add_ijump( $smurfref, j => 'DROP' );
$smurfdest = 'smurflog';
@ -669,7 +669,7 @@ sub add_common_rules() {
}
add_ijump $rejectref , j => 'DROP', p => 2;
add_ijump $rejectref , j => 'REJECT --reject-with tcp-reset', p => 6;
add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
if ( have_capability( 'ENHANCED_REJECT' ) ) {
add_ijump $rejectref , j => 'REJECT', p => 17;
@ -732,11 +732,11 @@ sub add_common_rules() {
if ( $audit ) {
$disposition =~ s/^A_//;
add_ijump( $logflagsref, j => 'AUDIT --type ' . lc $disposition );
add_ijump( $logflagsref, j => 'AUDIT', targetopts => '--type ' . lc $disposition );
}
if ( $disposition eq 'REJECT' ) {
add_ijump $logflagsref , j => 'REJECT --reject-with tcp-reset', p => 6;
add_ijump $logflagsref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
} else {
add_ijump $logflagsref , j => $disposition;
}
@ -909,14 +909,14 @@ sub setup_mac_lists( $ ) {
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
if supplied $level;
add_ijump( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
}
} else {
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
if supplied $level;
add_ijump( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
}
@ -1858,14 +1858,14 @@ sub setup_mss( ) {
my @mssmatch = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
my @source = imatch_source_dev $_;
my @dest = imatch_dest_dev $_;
add_ijump $chainref, j => "TCPMSS --set-mss $mss", @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @out_match;
add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @out_match;
add_ijump $chainref, j => 'RETURN', @dest if $clampmss;
add_ijump $chainref, j => "TCPMSS --set-mss $mss", @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @in_match;
add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @in_match;
add_ijump $chainref, j => 'RETURN', @source if $clampmss;
}
}
add_ijump $chainref , j => "TCPMSS${option}", p => 'tcp --tcp-flags SYN,RST SYN', @match if $clampmss;
add_ijump $chainref , j => 'TCPMSS', targetopts => $option, p => 'tcp --tcp-flags SYN,RST SYN', @match if $clampmss;
}
#

View File

@ -100,7 +100,7 @@ sub setup_route_marking() {
require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
add_ijump $mangle_table->{$_} , j => "CONNMARK --restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
my $chainref = new_chain 'mangle', 'routemark';
my $chainref1 = new_chain 'mangle', 'setsticky';
@ -122,14 +122,14 @@ sub setup_route_marking() {
if ( $providerref->{shared} ) {
add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
} else {
add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface );
add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
}
}
add_ijump $chainref, j => "CONNMARK --save-mark --mask $mask", mark => "! --mark 0/$mask";
add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
}
sub copy_table( $$$ ) {

View File

@ -533,7 +533,7 @@ sub policy_rules( $$$$$ ) {
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
fatal_error "Null target in policy_rules()" unless $target;
add_ijump( $chainref , j => 'AUDIT --type ' . lc $target ) if $chainref->{audit};
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
}
}