Remove ICMP.DEF and replace with FORWARDPING option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@189 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/firewall

@@ -2814,16 +2814,15 @@ add_common_rules() {
 	    echo "   $interface"
 	done
     fi
+    ###########################################################################
+    # PING
+    #
+    [ -n "$FORWARDPING" ] && \
+	run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
     ############################################################################
     # Common ICMP rules
     #
-    icmpdef=`find_file icmpdef`
-
-    if [ -f $icmpdef ]; then
-	. $icmpdef
-    else
-	. `find_file icmp.def`
-    fi
+    run_user_exit icmpdef
     ############################################################################
     # Common rules in each chain
     #
@@ -2838,7 +2837,6 @@ add_common_rules() {
     # BROADCASTS
     #
     drop_broadcasts `find_broadcasts`
-    
     ###########################################################################
     # RFC 1918
     #
@@ -3400,6 +3398,7 @@ do_initialize() {
     MERGE_HOSTS=
     MUTEX_TIMEOUT=
     LOGNEWNOTSYN=
+    FORWARDPING=
     stopping=
     have_mutex=
     masq_seq=1
@@ -3476,6 +3475,7 @@ do_initialize() {
     MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
     DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
     MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
+    FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
 }
 
 ################################################################################

Shorewall/icmp.def

@@ -1,22 +1,6 @@
 ##############################################################################
 # Shorewall 1.3 /etc/shorewall/icmp.def
 #
-# This file defines the default rules for accepting ICMP packets. 
+# This file is obsolete and is included for compatibility with existing
+# icmpdef extension scripts that source it.
 #
-# Do not modify this file -- if you wish to change these rules, create
-# /etc/shorewall/icmpdef to replace it. It is suggested that you include
-# the command "source /etc/shorewall/icmp.def" in your
-# /etc/shorewall/icmpdef file so that you will continue to get the
-# advantage of new releases of this file.
-#
-# For example, if you want to accept 'ping' everywhere then create
-# /etc/shorewall/icmpdef with the following two lines:
-#
-# source /etc/shorewall/icmp.def
-# run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
-#
-run_iptables -A icmpdef -p ICMP --icmp-type echo-reply              -j ACCEPT
-run_iptables -A icmpdef -p ICMP --icmp-type source-quench           -j ACCEPT
-run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
-run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded           -j ACCEPT
-run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem       -j ACCEPT

Shorewall/shorewall.conf

@@ -349,4 +349,12 @@ MUTEX_TIMEOUT=60
 
 LOGNEWNOTSYN=
 
+#
+# Forward "Ping"
+#
+# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are
+# forwarded by the firewall.
+
+FORWARDPING=Yes
+
 #LAST LINE -- DO NOT REMOVE