Fix REJECT processing
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@588 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
275a8ca33f
commit
3bb2d171ae
@ -8,6 +8,8 @@ Changes since 1.4.4b
|
|||||||
rule will take effect only if the original destination address in
|
rule will take effect only if the original destination address in
|
||||||
the connection request does not match any of the addresses listed.
|
the connection request does not match any of the addresses listed.
|
||||||
|
|
||||||
|
3) Create two reject chains -- one for use from INPUT and the other for
|
||||||
|
use from FORWARD and OUTPUT.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -750,6 +750,10 @@ validate_policy()
|
|||||||
eval ${chain}_loglevel=$loglevel
|
eval ${chain}_loglevel=$loglevel
|
||||||
eval ${chain}_synparams=$synparams
|
eval ${chain}_synparams=$synparams
|
||||||
|
|
||||||
|
if [ $server = $FW ]; then
|
||||||
|
eval ${chain}_is_input=Yes
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -n "${clientwild}" ]; then
|
if [ -n "${clientwild}" ]; then
|
||||||
if [ -n "${serverwild}" ]; then
|
if [ -n "${serverwild}" ]; then
|
||||||
for zone in $zones $FW all; do
|
for zone in $zones $FW all; do
|
||||||
@ -1964,6 +1968,7 @@ add_nat_rule() {
|
|||||||
add_a_rule()
|
add_a_rule()
|
||||||
{
|
{
|
||||||
local natrule=
|
local natrule=
|
||||||
|
local is_input=
|
||||||
|
|
||||||
# Set source variables. The 'cli' variable will hold the client match predicate(s).
|
# Set source variables. The 'cli' variable will hold the client match predicate(s).
|
||||||
|
|
||||||
@ -2058,7 +2063,8 @@ add_a_rule()
|
|||||||
|
|
||||||
case "$logtarget" in
|
case "$logtarget" in
|
||||||
REJECT)
|
REJECT)
|
||||||
target=reject
|
eval is_input=\$${chain}_is_input
|
||||||
|
[ -z "$is_input" ] && target=reject || target=rejecti
|
||||||
[ -n "$servport" ] && \
|
[ -n "$servport" ] && \
|
||||||
fatal_error "Server port may not be specified in a REJECT rule;"\
|
fatal_error "Server port may not be specified in a REJECT rule;"\
|
||||||
"rule: \"$rule\""
|
"rule: \"$rule\""
|
||||||
@ -2291,6 +2297,10 @@ process_rule() # $1 = target
|
|||||||
[ $command = check ] || ensurechain $chain
|
[ $command = check ] || ensurechain $chain
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ $dest = $FW ]; then
|
||||||
|
eval ${chain}_is_input=Yes
|
||||||
|
fi
|
||||||
|
|
||||||
# Generate Netfilter rule(s)
|
# Generate Netfilter rule(s)
|
||||||
|
|
||||||
if [ -n "$MULTIPORT" -a \
|
if [ -n "$MULTIPORT" -a \
|
||||||
@ -2631,6 +2641,7 @@ policy_rules() # $1 = chain to add rules to
|
|||||||
# $3 = loglevel
|
# $3 = loglevel
|
||||||
{
|
{
|
||||||
local target="$2"
|
local target="$2"
|
||||||
|
local is_input
|
||||||
|
|
||||||
case "$target" in
|
case "$target" in
|
||||||
ACCEPT)
|
ACCEPT)
|
||||||
@ -2641,7 +2652,8 @@ policy_rules() # $1 = chain to add rules to
|
|||||||
;;
|
;;
|
||||||
REJECT)
|
REJECT)
|
||||||
run_iptables -A $1 -j common
|
run_iptables -A $1 -j common
|
||||||
target=reject
|
eval is_input=\$${1}_is_input
|
||||||
|
[ -z "$is_input" ] && target=reject || target=rejecti
|
||||||
;;
|
;;
|
||||||
CONTINUE)
|
CONTINUE)
|
||||||
target=
|
target=
|
||||||
@ -3317,17 +3329,23 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
createchain icmpdef no
|
createchain icmpdef no
|
||||||
createchain common no
|
createchain common no
|
||||||
createchain reject no
|
createchain reject no
|
||||||
|
createchain rejecti no
|
||||||
createchain dynamic no
|
createchain dynamic no
|
||||||
|
|
||||||
|
INPUT_is_input=Yes
|
||||||
|
|
||||||
if [ -f /var/lib/shorewall/save ]; then
|
if [ -f /var/lib/shorewall/save ]; then
|
||||||
echo "Restoring dynamic rules..."
|
echo "Restoring dynamic rules..."
|
||||||
|
|
||||||
while read target ignore1 ignore2 address rest; do
|
while read target ignore1 ignore2 address rest; do
|
||||||
case $target in
|
case $target in
|
||||||
DROP|reject)
|
DROP)
|
||||||
run_iptables2 -A dynamic -s $address -j $target
|
run_iptables2 -A dynamic -s $address -j $target
|
||||||
;;
|
;;
|
||||||
|
reject*)
|
||||||
|
run_iptables2 -A dynamic -s $address -j $reject
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -3384,7 +3402,20 @@ add_common_rules() {
|
|||||||
#
|
#
|
||||||
# Reject Rules
|
# Reject Rules
|
||||||
#
|
#
|
||||||
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
|
run_iptables -A rejecti -p tcp -j REJECT --reject-with tcp-reset
|
||||||
|
run_iptables -A rejecti -p udp -j REJECT
|
||||||
|
#
|
||||||
|
# Not all versions of iptables support these so don't complain if they don't work
|
||||||
|
#
|
||||||
|
qt iptables -A rejecti -p icmp -j REJECT --reject-with icmp-host-unreachable
|
||||||
|
if ! qt iptables -A rejecti -j REJECT --reject-with icmp-host-prohibited; then
|
||||||
|
#
|
||||||
|
# In case the above doesn't work
|
||||||
|
#
|
||||||
|
run_iptables -A rejecti -j REJECT
|
||||||
|
fi
|
||||||
|
|
||||||
|
run_iptables -A reject -p tcp -j REJECT
|
||||||
run_iptables -A reject -p udp -j REJECT
|
run_iptables -A reject -p udp -j REJECT
|
||||||
#
|
#
|
||||||
# Not all versions of iptables support these so don't complain if they don't work
|
# Not all versions of iptables support these so don't complain if they don't work
|
||||||
@ -3551,7 +3582,7 @@ add_common_rules() {
|
|||||||
|
|
||||||
case $TCP_FLAGS_DISPOSITION in
|
case $TCP_FLAGS_DISPOSITION in
|
||||||
REJECT)
|
REJECT)
|
||||||
run_iptables -A logflags -j REJECT --reject-with tcp-reset
|
run_iptables -A logflags -p tcp -j REJECT --reject-with tcp-reset
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION
|
run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION
|
||||||
@ -4504,11 +4535,11 @@ do_initialize() {
|
|||||||
|
|
||||||
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
|
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
|
||||||
|
|
||||||
maclist_target=reject
|
|
||||||
|
|
||||||
if [ -n "$MACLIST_DISPOSITION" ] ; then
|
if [ -n "$MACLIST_DISPOSITION" ] ; then
|
||||||
case $MACLIST_DISPOSITION in
|
case $MACLIST_DISPOSITION in
|
||||||
REJECT)
|
REJECT)
|
||||||
|
maclist_target=reject
|
||||||
;;
|
;;
|
||||||
ACCEPT|DROP)
|
ACCEPT|DROP)
|
||||||
maclist_target=$MACLIST_DISPOSITION
|
maclist_target=$MACLIST_DISPOSITION
|
||||||
@ -4518,7 +4549,7 @@ do_initialize() {
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
else
|
else
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=reject
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
|
if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
|
||||||
|
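Review bot: In the initialize_netfilter hunk, the new `reject*)` branch of the save-file restore jumps to `$reject`, a variable that nothing in these hunks assigns; if it is unset elsewhere as well, the restored rule becomes `-A dynamic -s <address> -j` with an empty target, so an address that was rejected before the restart is either left unblocked or aborts the restore, depending on how run_iptables2 treats the failure. The old branch used `-j $target`; since the save file may now contain `rejecti` (the INPUT-only chain) while `dynamic` is presumably also entered from FORWARD, the literal chain `run_iptables2 -A dynamic -s $address -j reject` looks like what was intended — please confirm against whatever writes the save file. Relatedly, in the first do_initialize hunk the unconditional `maclist_target=reject` default was moved inside the `REJECT)` case, so the `else` branch that sets `MACLIST_DISPOSITION=reject` no longer assigns `maclist_target`; unless it is assigned later outside the hunk, add `maclist_target=reject` beside it. Both enclosing functions start and end outside their hunks.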
@ -5,6 +5,13 @@ Problems Corrected:
|
|||||||
1) The command "shorewall debug try <directory>" now correctly traces
|
1) The command "shorewall debug try <directory>" now correctly traces
|
||||||
the attempt.
|
the attempt.
|
||||||
|
|
||||||
|
2) Shorewall now works properly with RedHat errata kernels and
|
||||||
|
2.4.21-rc1. In these kernels, the REJECT target with "--reject-with
|
||||||
|
tcp-reset" behaves like DROP when invoked on a packet that is being
|
||||||
|
forwarded by the firewall. Shorewall now only uses that target when
|
||||||
|
it is certain that the run will not be invoked on packets whose
|
||||||
|
destination is another host.
|
||||||
|
|
||||||
New Features:
|
New Features:
|
||||||
|
|
||||||
1) The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now
|
1) The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now
|
||||||
|