mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-03 12:09:14 +01:00
allowBcasts, dropBcasts and nosmurfs
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9008 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
f181cf7884
commit
3e328daf0a
@ -50,6 +50,8 @@ BLACKLIST_LOGLEVEL=
|
|||||||
|
|
||||||
TCP_FLAGS_LOG_LEVEL=info
|
TCP_FLAGS_LOG_LEVEL=info
|
||||||
|
|
||||||
|
SMURF_LOG_LEVEL=info
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -50,6 +50,8 @@ BLACKLIST_LOGLEVEL=
|
|||||||
|
|
||||||
TCP_FLAGS_LOG_LEVEL=info
|
TCP_FLAGS_LOG_LEVEL=info
|
||||||
|
|
||||||
|
SMURF_LOG_LEVEL=info
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -2,6 +2,8 @@ Changes in Shorewall 4.3.2
|
|||||||
|
|
||||||
1) Added 'dhcp' option.
|
1) Added 'dhcp' option.
|
||||||
|
|
||||||
|
2) Add 'allowBcast' and 'dropBcast' builtin actions to Shorewall6.
|
||||||
|
|
||||||
Changes in Shorewall 4.3.1
|
Changes in Shorewall 4.3.1
|
||||||
|
|
||||||
1) Allow addresses in rules to be enclosed in square brackets.
|
1) Allow addresses in rules to be enclosed in square brackets.
|
||||||
|
@ -14,6 +14,14 @@ Other changes in 4.3.2
|
|||||||
1) The 'dhcp' option has been added to accomodate IPv6 DHCP (UDP ports
|
1) The 'dhcp' option has been added to accomodate IPv6 DHCP (UDP ports
|
||||||
546 and 547).
|
546 and 547).
|
||||||
|
|
||||||
|
2) The 'allowBcast' and 'dropBcast' builtin actions have been added to
|
||||||
|
Shorewall6. Respectively, they accept or silently drop packets with
|
||||||
|
an anycast or multicast destination address.
|
||||||
|
|
||||||
|
3) The nosmurfs option has been added to
|
||||||
|
/etc/shorewall8/interfaces. The option drops incoming packets whose
|
||||||
|
source address is an anycast or multicast addreess.
|
||||||
|
|
||||||
Migration Issues.
|
Migration Issues.
|
||||||
|
|
||||||
None.
|
None.
|
||||||
|
@ -83,6 +83,8 @@ our %logactionchains;
|
|||||||
|
|
||||||
our %macros;
|
our %macros;
|
||||||
|
|
||||||
|
our $family;
|
||||||
|
|
||||||
#
|
#
|
||||||
# Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
|
# Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
|
||||||
#
|
#
|
||||||
@ -97,7 +99,9 @@ our $macro_commands = { COMMENT => 0, FORMAT => 2 };
|
|||||||
# the second and subsequent calls to that function.
|
# the second and subsequent calls to that function.
|
||||||
#
|
#
|
||||||
|
|
||||||
sub initialize() {
|
sub initialize( $ ) {
|
||||||
|
|
||||||
|
$family = shift;
|
||||||
%usedactions = ();
|
%usedactions = ();
|
||||||
%default_actions = ( DROP => 'none' ,
|
%default_actions = ( DROP => 'none' ,
|
||||||
REJECT => 'none' ,
|
REJECT => 'none' ,
|
||||||
@ -109,7 +113,7 @@ sub initialize() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
INIT {
|
INIT {
|
||||||
initialize;
|
initialize( F_IPV4 );
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -731,7 +735,12 @@ sub process_actions3 () {
|
|||||||
|
|
||||||
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
|
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
|
||||||
} else {
|
} else {
|
||||||
add_command $chainref, 'for address in $ALL_BCASTS; do';
|
if ( $family == F_IPV4 ) {
|
||||||
|
add_command $chainref, 'for address in $ALL_BCASTS; do';
|
||||||
|
} else {
|
||||||
|
add_command $chainref, 'for address in $ALL_ACASTS; do';
|
||||||
|
}
|
||||||
|
|
||||||
incr_cmd_level $chainref;
|
incr_cmd_level $chainref;
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||||
add_rule $chainref, '-d $address -j DROP';
|
add_rule $chainref, '-d $address -j DROP';
|
||||||
@ -741,7 +750,12 @@ sub process_actions3 () {
|
|||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
|
|
||||||
|
if ( $family == F_IPV4 ) {
|
||||||
|
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
|
||||||
|
} else {
|
||||||
|
add_rule $chainref, '-d ff00::/10 -j DROP';
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub allowBcast( $$$ ) {
|
sub allowBcast( $$$ ) {
|
||||||
@ -755,16 +769,26 @@ sub process_actions3 () {
|
|||||||
|
|
||||||
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
|
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
|
||||||
} else {
|
} else {
|
||||||
add_command $chainref, 'for address in $ALL_BCASTS; do';
|
if ( $family == F_IPV4 ) {
|
||||||
|
add_command $chainref, 'for address in $ALL_BCASTS; do';
|
||||||
|
} else {
|
||||||
|
add_command $chainref, 'for address in $ALL_MACASTS; do';
|
||||||
|
}
|
||||||
|
|
||||||
incr_cmd_level $chainref;
|
incr_cmd_level $chainref;
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||||
add_rule $chainref, '-d $address -j ACCEPT';
|
add_rule $chainref, '-d $address -j ACCEPT';
|
||||||
decr_cmd_level $chainref;
|
decr_cmd_level $chainref;
|
||||||
add_command $chainref, 'done';
|
add_command $chainref, 'done';
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
if ( $family == F_IPV4 ) {
|
||||||
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||||
|
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
|
||||||
|
} else {
|
||||||
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
|
||||||
|
add_rule $chainref, '-d ff00:/10 -j ACCEPT';
|
||||||
|
}
|
||||||
}
|
}
|
||||||
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
|
|
||||||
}
|
}
|
||||||
|
|
||||||
sub dropNotSyn ( $$$ ) {
|
sub dropNotSyn ( $$$ ) {
|
||||||
|
@ -137,6 +137,7 @@ our %EXPORT_TAGS = (
|
|||||||
get_interface_address
|
get_interface_address
|
||||||
get_interface_addresses
|
get_interface_addresses
|
||||||
get_interface_bcasts
|
get_interface_bcasts
|
||||||
|
get_interface_acasts
|
||||||
get_interface_gateway
|
get_interface_gateway
|
||||||
get_interface_mac
|
get_interface_mac
|
||||||
set_global_variables
|
set_global_variables
|
||||||
@ -235,6 +236,7 @@ our %interfaceaddrs;
|
|||||||
our %interfacenets;
|
our %interfacenets;
|
||||||
our %interfacemacs;
|
our %interfacemacs;
|
||||||
our %interfacebcasts;
|
our %interfacebcasts;
|
||||||
|
our %interfaceacasts;
|
||||||
our %interfacegateways;
|
our %interfacegateways;
|
||||||
|
|
||||||
our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
|
our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
|
||||||
@ -304,6 +306,7 @@ sub initialize( $ ) {
|
|||||||
%interfacenets = ();
|
%interfacenets = ();
|
||||||
%interfacemacs = ();
|
%interfacemacs = ();
|
||||||
%interfacebcasts = ();
|
%interfacebcasts = ();
|
||||||
|
%interfaceacasts = ();
|
||||||
%interfacegateways = ();
|
%interfacegateways = ();
|
||||||
|
|
||||||
$family = shift;
|
$family = shift;
|
||||||
@ -960,6 +963,8 @@ sub initialize_chain_table()
|
|||||||
'QUEUE!' => STANDARD,
|
'QUEUE!' => STANDARD,
|
||||||
'NFQUEUE' => STANDARD + NFQ,
|
'NFQUEUE' => STANDARD + NFQ,
|
||||||
'NFQUEUE!' => STANDARD + NFQ,
|
'NFQUEUE!' => STANDARD + NFQ,
|
||||||
|
'dropBcast' => BUILTIN + ACTION,
|
||||||
|
'allowBcast' => BUILTIN + ACTION,
|
||||||
'dropNotSyn' => BUILTIN + ACTION,
|
'dropNotSyn' => BUILTIN + ACTION,
|
||||||
'rejNotSyn' => BUILTIN + ACTION,
|
'rejNotSyn' => BUILTIN + ACTION,
|
||||||
'dropInvalid' => BUILTIN + ACTION,
|
'dropInvalid' => BUILTIN + ACTION,
|
||||||
@ -1789,6 +1794,27 @@ sub get_interface_bcasts ( $ ) {
|
|||||||
"\$$variable";
|
"\$$variable";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Returns the name of the shell variable holding the anycast addresses of the passed interface
|
||||||
|
#
|
||||||
|
sub interface_acasts( $ ) {
|
||||||
|
my $variable = chain_base( $_[0] ) . '_acasts';
|
||||||
|
uc $variable;
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Record that the ruleset requires the anycast addresses on the passed interface
|
||||||
|
#
|
||||||
|
sub get_interface_acasts ( $ ) {
|
||||||
|
my ( $interface ) = $_[0];
|
||||||
|
|
||||||
|
my $variable = interface_acasts( $interface );
|
||||||
|
|
||||||
|
$interfaceacasts{$interface} = qq($variable="\$(get_interface_acasts $interface) ff00::/10");
|
||||||
|
|
||||||
|
"\$$variable";
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Returns the name of the shell variable holding the gateway through the passed interface
|
# Returns the name of the shell variable holding the gateway through the passed interface
|
||||||
#
|
#
|
||||||
@ -2388,10 +2414,19 @@ sub set_global_variables() {
|
|||||||
unless ( $capabilities{ADDRTYPE} ) {
|
unless ( $capabilities{ADDRTYPE} ) {
|
||||||
emit_comment unless $emitted_comment;
|
emit_comment unless $emitted_comment;
|
||||||
emit_test unless $emitted_test;
|
emit_test unless $emitted_test;
|
||||||
emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
|
|
||||||
|
|
||||||
for ( values %interfacebcasts ) {
|
if ( $family == F_IPV4 ) {
|
||||||
emit $_;
|
emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
|
||||||
|
|
||||||
|
for ( values %interfacebcasts ) {
|
||||||
|
emit $_;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
emit 'ALL_ACASTS="$(get_all_acasts)"';
|
||||||
|
|
||||||
|
for ( values %interfaceacasts ) {
|
||||||
|
emit $_;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -67,7 +67,7 @@ sub reinitialize() {
|
|||||||
Shorewall::Nat::initialize;
|
Shorewall::Nat::initialize;
|
||||||
Shorewall::Providers::initialize($family);
|
Shorewall::Providers::initialize($family);
|
||||||
Shorewall::Tc::initialize($family);
|
Shorewall::Tc::initialize($family);
|
||||||
Shorewall::Actions::initialize;
|
Shorewall::Actions::initialize( $family );
|
||||||
Shorewall::Accounting::initialize;
|
Shorewall::Accounting::initialize;
|
||||||
Shorewall::Rules::initialize($family);
|
Shorewall::Rules::initialize($family);
|
||||||
Shorewall::Proxyarp::initialize;
|
Shorewall::Proxyarp::initialize;
|
||||||
|
@ -534,36 +534,48 @@ sub add_common_rules() {
|
|||||||
|
|
||||||
$chainref = new_standard_chain 'smurfs';
|
$chainref = new_standard_chain 'smurfs';
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $capabilities{ADDRTYPE} ) {
|
||||||
if ( $capabilities{ADDRTYPE} ) {
|
add_rule $chainref , '-s 0.0.0.0 -j RETURN';
|
||||||
add_rule $chainref , '-s 0.0.0.0 -j RETURN';
|
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
|
||||||
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
|
} else {
|
||||||
} else {
|
if ( $family == F_IPV4 ) {
|
||||||
add_command $chainref, 'for address in $ALL_BCASTS; do';
|
add_command $chainref, 'for address in $ALL_BCASTS; do';
|
||||||
incr_cmd_level $chainref;
|
|
||||||
log_rule( $config{SMURF_LOG_LEVEL} , $chainref, 'DROP', '-s $address ' );
|
|
||||||
add_rule $chainref, '-s $address -j DROP';
|
|
||||||
decr_cmd_level $chainref;
|
|
||||||
add_command $chainref, 'done';
|
|
||||||
}
|
|
||||||
|
|
||||||
add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL} ;
|
|
||||||
|
|
||||||
if ( $capabilities{ADDRTYPE} ) {
|
|
||||||
add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP';
|
|
||||||
} else {
|
} else {
|
||||||
add_command $rejectref, 'for address in $ALL_BCASTS; do';
|
add_command $chainref, 'for address in $ALL_ACASTS; do';
|
||||||
incr_cmd_level $rejectref;
|
|
||||||
add_rule $rejectref, '-d $address -j DROP';
|
|
||||||
decr_cmd_level $rejectref;
|
|
||||||
add_command $rejectref, 'done';
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
incr_cmd_level $chainref;
|
||||||
|
log_rule( $config{SMURF_LOG_LEVEL} , $chainref, 'DROP', '-s $address ' );
|
||||||
|
add_rule $chainref, '-s $address -j DROP';
|
||||||
|
decr_cmd_level $chainref;
|
||||||
|
add_command $chainref, 'done';
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $family == F_IPV4 ) {
|
||||||
|
add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL};
|
||||||
|
} else {
|
||||||
|
add_rule_pair $chainref, '-s ff00::/10 ', 'DROP', $config{SMURF_LOG_LEVEL} if $family == F_IPV4;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $capabilities{ADDRTYPE} ) {
|
||||||
|
add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP';
|
||||||
|
} else {
|
||||||
|
if ( $family == F_IPV4 ) {
|
||||||
|
add_command $rejectref, 'for address in $ALL_BCASTS; do';
|
||||||
|
} else {
|
||||||
|
add_command $rejectref, 'for address in $ALL_ACASTS; do';
|
||||||
|
}
|
||||||
|
|
||||||
|
incr_cmd_level $rejectref;
|
||||||
|
add_rule $rejectref, '-d $address -j DROP';
|
||||||
|
decr_cmd_level $rejectref;
|
||||||
|
add_command $rejectref, 'done';
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $family == F_IPV4 ) {
|
||||||
add_rule $rejectref , '-s 224.0.0.0/4 -j DROP';
|
add_rule $rejectref , '-s 224.0.0.0/4 -j DROP';
|
||||||
} else {
|
} else {
|
||||||
my $predicate = '-s ' . IPv6_MULTICAST . ' ';
|
add_rule $rejectref , '-s ff00::/10 -j DROP';
|
||||||
add_rule_pair $chainref , $predicate, 'DROP' , $config{SMURF_LOG_LEVEL};
|
|
||||||
add_rule $rejectref, "$predicate -j DROP";
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( @$list ) {
|
if ( @$list ) {
|
||||||
|
@ -628,8 +628,9 @@ sub validate_interfaces_file( $ )
|
|||||||
%validoptions = ( blacklist => SIMPLE_IF_OPTION,
|
%validoptions = ( blacklist => SIMPLE_IF_OPTION,
|
||||||
bridge => SIMPLE_IF_OPTION,
|
bridge => SIMPLE_IF_OPTION,
|
||||||
dhcp => SIMPLE_IF_OPTION,
|
dhcp => SIMPLE_IF_OPTION,
|
||||||
|
nosmurfs => SIMPLE_IF_OPTION,
|
||||||
optional => SIMPLE_IF_OPTION,
|
optional => SIMPLE_IF_OPTION,
|
||||||
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
|
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
|
||||||
sourceroute => BINARY_IF_OPTION,
|
sourceroute => BINARY_IF_OPTION,
|
||||||
tcpflags => SIMPLE_IF_OPTION,
|
tcpflags => SIMPLE_IF_OPTION,
|
||||||
mss => NUMERIC_IF_OPTION,
|
mss => NUMERIC_IF_OPTION,
|
||||||
|
@ -156,14 +156,6 @@ restore_dynamic_rules() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
|
||||||
# Get a list of all configured broadcast addresses on the system
|
|
||||||
#
|
|
||||||
get_all_bcasts()
|
|
||||||
{
|
|
||||||
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Run the .iptables_restore_input as a set of discrete iptables commands
|
# Run the .iptables_restore_input as a set of discrete iptables commands
|
||||||
#
|
#
|
||||||
|
@ -562,39 +562,43 @@ convert_to_anycast() {
|
|||||||
local m
|
local m
|
||||||
|
|
||||||
while read address; do
|
while read address; do
|
||||||
vlsm=${address#*/}
|
case $address in
|
||||||
if [ ${vlsm:-128} -ne 128 ]; then
|
2*|3*)
|
||||||
#
|
vlsm=${address#*/}
|
||||||
# Defines a subnet -- get the anycase address
|
if [ ${vlsm:-128} -ne 128 ]; then
|
||||||
#
|
#
|
||||||
address=$(normalize_address ${address%/*})
|
# Defines a subnet -- get the anycast address
|
||||||
|
#
|
||||||
|
address=$(normalize_address ${address%/*})
|
||||||
|
|
||||||
while [ $vlsm -le 112 ]; do
|
while [ $vlsm -le 112 ]; do
|
||||||
address=${address%:*}
|
address=${address%:*}
|
||||||
vlsm=$(($vlsm + 16))
|
vlsm=$(($vlsm + 16))
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ $vlsm -lt 128 ]; then
|
if [ $vlsm -lt 128 ]; then
|
||||||
o=$((0x${address##*:}))
|
o=$((0x${address##*:}))
|
||||||
m=0
|
m=0
|
||||||
while [ $vlsm -lt 128 ]; do
|
while [ $vlsm -lt 128 ]; do
|
||||||
m=$((($m >> 1) | 0x8000))
|
m=$((($m >> 1) | 0x8000))
|
||||||
vlsm=$(($vlsm + 1))
|
vlsm=$(($vlsm + 1))
|
||||||
done
|
done
|
||||||
|
|
||||||
o=$(($o & $m))
|
o=$(($o & $m))
|
||||||
|
|
||||||
address=${address%:*}:$(printf %04x $o)
|
address=${address%:*}:$(printf %04x $o)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
list_count $(split $address)
|
list_count $(split $address)
|
||||||
|
|
||||||
if [ $? -lt 8 ]; then
|
if [ $? -lt 8 ]; then
|
||||||
address=$address::
|
address=$address::
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo $address
|
echo $address
|
||||||
fi
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -602,7 +606,7 @@ convert_to_anycast() {
|
|||||||
# Generate a list of anycast addresses for a given interface
|
# Generate a list of anycast addresses for a given interface
|
||||||
#
|
#
|
||||||
|
|
||||||
get_interface_bcasts() # $1 = interface
|
get_interface_acasts() # $1 = interface
|
||||||
{
|
{
|
||||||
local addresses
|
local addresses
|
||||||
addresses=
|
addresses=
|
||||||
@ -610,6 +614,14 @@ get_interface_bcasts() # $1 = interface
|
|||||||
find_interface_full_addresses $1 | convert_to_anycast | sort -u
|
find_interface_full_addresses $1 | convert_to_anycast | sort -u
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Get a list of all configured anycast addresses on the system
|
||||||
|
#
|
||||||
|
get_all_acasts()
|
||||||
|
{
|
||||||
|
find_interface_full_addresses | convert_to_anycast | sort -u
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Internal version of 'which'
|
# Internal version of 'which'
|
||||||
#
|
#
|
||||||
|
@ -506,6 +506,8 @@ show_command() {
|
|||||||
case $1 in
|
case $1 in
|
||||||
actions)
|
actions)
|
||||||
[ $# -gt 1 ] && usage 1
|
[ $# -gt 1 ] && usage 1
|
||||||
|
echo "allowBcast # Accept Multicast and Anycast Packets"
|
||||||
|
echo "dropBcast # Silently Drop Multicast and Anycast Packets"
|
||||||
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
|
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
|
||||||
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
|
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
|
||||||
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
|
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
|
||||||
|
@ -50,6 +50,8 @@ BLACKLIST_LOGLEVEL=
|
|||||||
|
|
||||||
TCP_FLAGS_LOG_LEVEL=info
|
TCP_FLAGS_LOG_LEVEL=info
|
||||||
|
|
||||||
|
SMURF_LOG_LEVEL=info
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
Loading…
Reference in New Issue
Block a user