extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-22 23:53:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Correct handling of IPv6 dropped/accepted broadcast packets

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-07-03 09:36:04 -07:00
parent 7266e1bd89
commit 5287e85eb4
1 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -1163,11 +1163,12 @@ sub dropBcast( $$$$ ) {
if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
} else {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '' );
}
}
add_jump $chainref, $target, 0, "-m addrtype --dst-type BROADCAST ";
add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
} else {
if ( $family == F_IPV4 ) {
add_commands $chainref, 'for address in $ALL_BCASTS; do';
@ -1181,7 +1182,11 @@ sub dropBcast( $$$$ ) {
decr_cmd_level $chainref;
add_commands $chainref, 'done';
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
} else {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST . ' ' ) if $level ne '';
}
}
if ( $family == F_IPV4 ) {
@ -1199,11 +1204,15 @@ sub allowBcast( $$$$ ) {
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'ACCECT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
} else {
log_rule_limit $level, $chainref, 'dropBcast' , 'ACCEPT', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST . ' ' );
}
}
add_jump $chainref, $target, 0, "-m addrtype --dst-type BROADCAST ";
add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
add_jump $chainref, $target, 0, join( ' ' , ' -d', IPv6_MULTICAST , '' );
} else {
if ( $family == F_IPV4 ) {
add_commands $chainref, 'for address in $ALL_BCASTS; do';
@ -1222,7 +1231,7 @@ sub allowBcast( $$$$ ) {
add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
} else {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
add_jump $chainref, $target, 0, join ( ' ', '-d', IPv6_MULTICAST, ' ' );
add_jump $chainref, $target, 0, join ( ' ', '-d', IPv6_MULTICAST . ' ' );
}
}
}