Tweak NONAT/ACCEPT+ action implementation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1310 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-05-05 23:31:11 +00:00
parent 0036a0d273
commit 65a4fe1d1b
2 changed files with 26 additions and 19 deletions


@ -3224,15 +3224,14 @@ add_a_rule()
fi fi
case $logtarget in case $logtarget in
NONAT) NONAT|ACCEPT+)
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
;; ;;
ACCEPT+) esac
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN case $logtarget in
run_iptables2 -A $chain $proto $multiport $cli $sports \ NONAT)
-d $srv $dports $ratelimit $userandgroup -j $target
;; ;;
*) *)
run_iptables2 -A $chain $proto $multiport $cli $sports \ run_iptables2 -A $chain $proto $multiport $cli $sports \
@ -3249,15 +3248,14 @@ add_a_rule()
fi fi
case $logtarget in case $logtarget in
NONAT) NONAT|ACCEPT+)
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $userandgroup -j RETURN $cli $sports $dports $ratelimit $userandgroup -j RETURN
;; ;;
ACCEPT+) esac
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $userandgroup -j RETURN case $logtarget in
run_iptables2 -A $chain $proto $multiport $cli $sports \ NONAT)
$dports $ratelimit $userandgroup -j $target
;; ;;
*) *)
run_iptables2 -A $chain $proto $multiport $cli $sports \ run_iptables2 -A $chain $proto $multiport $cli $sports \
@ -3284,15 +3282,14 @@ add_a_rule()
case $logtarget in case $logtarget in
LOG) LOG)
;; ;;
NONAT) NONAT|ACCEPT+)
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $userandgroup -j RETURN $cli $sports $dports $ratelimit $userandgroup -j RETURN
;; ;;
ACCEPT+) esac
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $userandgroup -j RETURN case $logtarget in
run_iptables2 -A $chain $proto $multiport $dest_interface \ LOG|NONAT)
$cli $sports $dports $ratelimit $userandgroup -j $target
;; ;;
*) *)
run_iptables2 -A $chain $proto $multiport $dest_interface \ run_iptables2 -A $chain $proto $multiport $dest_interface \
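Review bot: The second `case $logtarget in` introduced in this hunk (and likewise in the hunks ending at L26 and L41) carries no comment explaining why NONAT (here LOG|NONAT) is deliberately left empty while ACCEPT+ now falls through to the `*)` branch, so a reader has to pair it back with the RETURN rule in the first case to see that ACCEPT+ means "bypass DNAT and also add the normal filter rule". A one-line comment above the second case, such as `# NONAT/LOG only needed the RETURN in the DNAT chain above; ACCEPT+ and all other targets also get a filter rule`, would keep that intent visible. Since the RETURN in `$(dnat_chain $source)` is what exempts the matching traffic from port forwarding, it is worth noting in the same comment that any target later added to the first case needs an explicit decision in the second one as well. The enclosing add_a_rule() continues past every hunk, and each hunk ends on a `run_iptables2` line cut mid-command.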


@ -115,11 +115,21 @@
# established connection will be accepted # established connection will be accepted
# from this interface, even if # from this interface, even if
# NEWNOTSYN=No has been specified in # NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. # /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this interface
# are processed as if NEWNOTSYN=Yes had been
# specified in /etc/shorewall/shorewall.conf.
# #
# This option has no effect if # This option has no effect if
# NEWNOTSYN=Yes. # NEWNOTSYN=Yes.
# #
# It is the opinion of the author that
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# making the use of the 'newnotsyn'
# interface option unnecessary).
#
# routeback - If specified, indicates that Shorewall # routeback - If specified, indicates that Shorewall
# should include rules that allow filtering # should include rules that allow filtering
# traffic arriving on this interface back # traffic arriving on this interface back