From 3bb2d171aebd0f511c682c9ce642c7c593482527 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 11 Jun 2003 19:46:50 +0000
Subject: [PATCH] Fix REJECT processing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@588 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/firewall | 47 +++++++++++++++++++++++++++++++-------
 Shorewall/releasenotes.txt | 7 ++++++
 3 files changed, 48 insertions(+), 8 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 113dc2712..6336298ed 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -8,6 +8,8 @@ Changes since 1.4.4b
 rule will take effect only if the original destination address in the connection request does not match any of the addresses listed.
+3) Create two reject chains -- one for use from INPUT and the other for
+ use from FORWARD and OUTPUT.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 513d7b43c..2444f051d 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -749,6 +749,10 @@ validate_policy()
 eval ${chain}_policy=$policy
 eval ${chain}_loglevel=$loglevel
 eval ${chain}_synparams=$synparams
+
+ if [ $server = $FW ]; then
+ eval ${chain}_is_input=Yes
+ fi
 if [ -n "${clientwild}" ]; then
 if [ -n "${serverwild}" ]; then
@@ -1964,6 +1968,7 @@ add_nat_rule() {
 add_a_rule() {
 local natrule=
+ local is_input=
 # Set source variables. The 'cli' variable will hold the client match predicate(s).
@@ -2058,7 +2063,8 @@ add_a_rule()
 case "$logtarget" in
 REJECT)
- target=reject
+ eval is_input=\$${chain}_is_input
+ [ -z "$is_input" ] && target=reject || target=rejecti
 [ -n "$servport" ] && \
 fatal_error "Server port may not be specified in a REJECT rule;"\
 "rule: \"$rule\""
@@ -2291,6 +2297,10 @@ process_rule() # $1 = target
 [ $command = check ] || ensurechain $chain
 fi
+ if [ $dest = $FW ]; then
+ eval ${chain}_is_input=Yes
+ fi
+
 # Generate Netfilter rule(s)
 if [ -n "$MULTIPORT" -a \
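Review bot: `if [ $server = $FW ]; then` in validate_policy leaves both operands unquoted, so an empty or multi-word `$server` becomes a `[` syntax error instead of a false test; `if [ "$server" = "$FW" ]; then` is the safe form. The same unquoted comparison is added in process_rule as `if [ $dest = $FW ]; then` and should be quoted in the same way. Whether an earlier check already guarantees a non-empty value cannot be confirmed here, because both functions extend beyond their hunks. Note also that the flag is only set for a server that is literally `$FW`; if the serverwild branch that follows expands `all` into per-zone chains, those chains are presumably left unmarked and fall back to the plain `reject` chain, which is at least the safe direction.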
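Review bot: The choice between `reject` and `rejecti` in add_a_rule is made with no explanation of why two reject chains exist, and the same unexplained selection is repeated in the REJECT arm of policy_rules. A one-line comment above the `eval` would spare the next maintainer a trip to the release notes: `# rejecti answers with tcp-reset, which some kernels treat as DROP on forwarded packets, so it is only used in chains whose destination is the firewall itself`. The `[ -z "$is_input" ] && target=reject || target=rejecti` form is correct only because an assignment cannot fail; an `if`/`else` would make that intent explicit. add_a_rule continues outside the hunk.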
@@ -2631,6 +2641,7 @@ policy_rules() # $1 = chain to add rules to
 # $3 = loglevel
 {
 local target="$2"
+ local is_input
 case "$target" in
 ACCEPT)
@@ -2641,7 +2652,8 @@ policy_rules() # $1 = chain to add rules to
 ;;
 REJECT)
 run_iptables -A $1 -j common
- target=reject
+ eval is_input=\$${1}_is_input
+ [ -z "$is_input" ] && target=reject || target=rejecti
 ;;
 CONTINUE)
 target=
@@ -3317,17 +3329,23 @@ initialize_netfilter () {
 createchain icmpdef no
 createchain common no
- createchain reject no
+ createchain reject no
+ createchain rejecti no
 createchain dynamic no
+ INPUT_is_input=Yes
+
 if [ -f /var/lib/shorewall/save ]; then
 echo "Restoring dynamic rules..."
 while read target ignore1 ignore2 address rest; do
 case $target in
- DROP|reject)
+ DROP)
 run_iptables2 -A dynamic -s $address -j $target
 ;;
+ reject*)
+ run_iptables2 -A dynamic -s $address -j $reject
+ ;;
 *)
 ;;
 esac
@@ -3384,7 +3402,20 @@ add_common_rules() {
 #
 # Reject Rules
 #
- run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
+ run_iptables -A rejecti -p tcp -j REJECT --reject-with tcp-reset
+ run_iptables -A rejecti -p udp -j REJECT
+ #
+ # Not all versions of iptables support these so don't complain if they don't work
+ #
+ qt iptables -A rejecti -p icmp -j REJECT --reject-with icmp-host-unreachable
+ if ! qt iptables -A rejecti -j REJECT --reject-with icmp-host-prohibited; then
+ #
+ # In case the above doesn't work
+ #
+ run_iptables -A rejecti -j REJECT
+ fi
+
+ run_iptables -A reject -p tcp -j REJECT
 run_iptables -A reject -p udp -j REJECT
 #
 # Not all versions of iptables support these so don't complain if they don't work
@@ -3551,7 +3582,7 @@ add_common_rules() {
 case $TCP_FLAGS_DISPOSITION in
 REJECT)
- run_iptables -A logflags -j REJECT --reject-with tcp-reset
+ run_iptables -A logflags -p tcp -j REJECT --reject-with tcp-reset
 ;;
 *)
 run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION
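Review bot: The new `reject*)` arm in the dynamic-rule restore loop of initialize_netfilter appends `-j $reject`, but the target read from the save file is in `target`, and nothing in the hunk assigns a variable named `reject`; unless one is set elsewhere, the expansion is empty and run_iptables2 is handed `-s <address> -j` with no target at all. The arm should read `run_iptables2 -A dynamic -s $address -j $target`, matching the `DROP)` arm directly above it. It is also worth confirming that an entry saved as `rejecti` is safe to restore into `dynamic`, since the release note says tcp-reset behaves like DROP on forwarded packets and the hunk does not show which built-in chains jump to `dynamic`. initialize_netfilter continues outside the hunk.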
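Review bot: The `rejecti` block added in add_common_rules repeats the existing `reject` chain body line for line, with only the `--reject-with tcp-reset` option on the tcp rule differing, so the two copies of the "Not all versions of iptables support these" fallback will drift apart the next time either is touched. A small helper taking the chain name and the extra tcp-rule arguments would keep both chains in step; the tail of the `reject` chain lies outside the hunk, so the helper would replace both bodies. The function continues past the hunk.
```sh
#
# Populate a reject chain. $1 = chain name; any further args are appended to the tcp rule
#
add_reject_chain() {
    local chain=$1
    shift
    run_iptables -A $chain -p tcp -j REJECT "$@"
    run_iptables -A $chain -p udp -j REJECT
    #
    # Not all versions of iptables support these so don't complain if they don't work
    #
    qt iptables -A $chain -p icmp -j REJECT --reject-with icmp-host-unreachable
    if ! qt iptables -A $chain -j REJECT --reject-with icmp-host-prohibited; then
	run_iptables -A $chain -j REJECT
    fi
}

# … in add_common_rules, in place of both chain bodies …
add_reject_chain rejecti --reject-with tcp-reset
add_reject_chain reject
```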
@@ -4504,11 +4535,11 @@ do_initialize() {
 NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
- maclist_target=reject
 if [ -n "$MACLIST_DISPOSITION" ] ; then
 case $MACLIST_DISPOSITION in
 REJECT)
+ maclist_target=reject
 ;;
 ACCEPT|DROP)
 maclist_target=$MACLIST_DISPOSITION
@@ -4518,7 +4549,7 @@ do_initialize() {
 ;;
 esac
 else
- MACLIST_DISPOSITION=REJECT
+ MACLIST_DISPOSITION=reject
 fi
 if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 65bf2b673..a1846781e 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -5,6 +5,13 @@ Problems Corrected:
 1) The command "shorewall debug try " now correctly traces the attempt.
+2) Shorewall now works properly with RedHat errata kernels and
+ 2.4.21-rc1. In these kernels, the REJECT target with "--reject-with
+ tcp-reset" behaves like DROP when invoked on a packet that is being
+ forwarded by the firewall. Shorewall now only uses that target when
+ it is certain that the run will not be invoked on packets whose
+ destination is another host.
+
 New Features:
 1) The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now
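Review bot: Dropping the unconditional `maclist_target=reject` in do_initialize leaves `maclist_target` unassigned on the path where MACLIST_DISPOSITION is empty: the `else` branch in the following hunk now only sets `MACLIST_DISPOSITION=reject`, so unless the consumer of the maclist rules switched to reading MACLIST_DISPOSITION directly (not visible here), `-j $maclist_target` expands to nothing in the default configuration. Assigning `maclist_target=reject` next to `MACLIST_DISPOSITION=reject` in the `else` branch, or restoring the original default assignment, closes that gap. The `REJECT)` arm also leaves MACLIST_DISPOSITION as the upper-case built-in target name while the default path now stores the lower-case chain name, so the two paths no longer agree on what the variable means. do_initialize continues outside both hunks.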