Tweak NONAT/ACCEPT+ action implementation
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1310 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
0036a0d273
commit
65a4fe1d1b
@ -3224,15 +3224,14 @@ add_a_rule()
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
case $logtarget in
|
case $logtarget in
|
||||||
NONAT)
|
NONAT|ACCEPT+)
|
||||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||||
$cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
|
$cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
|
||||||
;;
|
;;
|
||||||
ACCEPT+)
|
esac
|
||||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
|
||||||
$cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
|
case $logtarget in
|
||||||
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
NONAT)
|
||||||
-d $srv $dports $ratelimit $userandgroup -j $target
|
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
||||||
@ -3249,15 +3248,14 @@ add_a_rule()
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
case $logtarget in
|
case $logtarget in
|
||||||
NONAT)
|
NONAT|ACCEPT+)
|
||||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||||
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
||||||
;;
|
;;
|
||||||
ACCEPT+)
|
esac
|
||||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
|
||||||
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
case $logtarget in
|
||||||
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
NONAT)
|
||||||
$dports $ratelimit $userandgroup -j $target
|
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
||||||
@ -3284,15 +3282,14 @@ add_a_rule()
|
|||||||
case $logtarget in
|
case $logtarget in
|
||||||
LOG)
|
LOG)
|
||||||
;;
|
;;
|
||||||
NONAT)
|
NONAT|ACCEPT+)
|
||||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||||
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
||||||
;;
|
;;
|
||||||
ACCEPT+)
|
esac
|
||||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
|
||||||
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
case $logtarget in
|
||||||
run_iptables2 -A $chain $proto $multiport $dest_interface \
|
LOG|NONAT)
|
||||||
$cli $sports $dports $ratelimit $userandgroup -j $target
|
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
run_iptables2 -A $chain $proto $multiport $dest_interface \
|
run_iptables2 -A $chain $proto $multiport $dest_interface \
|
||||||
|
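Review bot: The two back-to-back `case $logtarget in` blocks in the new code read as unrelated unless the reader already knows that NONAT and ACCEPT+ share the `-j RETURN` rule in `$(dnat_chain $source)` while only NONAT also skips the `run_iptables2 -A $chain ... -j $target` rule; a one-line comment above the second `case`, e.g. `# NONAT and ACCEPT+ both got a RETURN in the DNAT chain above; only NONAT also omits the rule in $chain`, would make the split intentional rather than accidental. The same two-case shape is introduced in the hunks at -3249 and -3284, so the comment belongs in all three places. In the -3284 hunk the `LOG) ;;` arm left in the first case is now a no-op, since that case has no default arm after the rewrite, and could be dropped to keep the two cases symmetric (first: who gets the DNAT-chain RETURN; second: who skips the `$chain` rule). add_a_rule() begins and ends outside these hunks, so I cannot see whether `$logtarget` can take other values that should appear in the first case.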
@ -115,11 +115,21 @@
|
|||||||
# established connection will be accepted
|
# established connection will be accepted
|
||||||
# from this interface, even if
|
# from this interface, even if
|
||||||
# NEWNOTSYN=No has been specified in
|
# NEWNOTSYN=No has been specified in
|
||||||
# /etc/shorewall/shorewall.conf.
|
# /etc/shorewall/shorewall.conf. In other
|
||||||
|
# words, packets coming in on this interface
|
||||||
|
# are processed as if NEWNOTSYN=Yes had been
|
||||||
|
# specified in /etc/shorewall/shorewall.conf.
|
||||||
#
|
#
|
||||||
# This option has no effect if
|
# This option has no effect if
|
||||||
# NEWNOTSYN=Yes.
|
# NEWNOTSYN=Yes.
|
||||||
#
|
#
|
||||||
|
# It is the opinion of the author that
|
||||||
|
# NEWNOTSYN=No creates more problems than
|
||||||
|
# it solves and I recommend against using
|
||||||
|
# that setting in shorewall.conf (hence
|
||||||
|
# making the use of the 'newnotsyn'
|
||||||
|
# interface option unnecessary).
|
||||||
|
#
|
||||||
# routeback - If specified, indicates that Shorewall
|
# routeback - If specified, indicates that Shorewall
|
||||||
# should include rules that allow filtering
|
# should include rules that allow filtering
|
||||||
# traffic arriving on this interface back
|
# traffic arriving on this interface back
|
||||||
|