Add support for exclusion lists in /etc/shorewall/tcrules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2509 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-08-16 18:54:11 +00:00
parent 7f459362d1
commit 6a087fd50e
3 changed files with 77 additions and 13 deletions


@ -1,3 +1,21 @@
Changes in 2.5.3
1) Allow exclusion lists in /etc/shorewall/tcrules.
Changes in 2.5.2
1) Allow port lists in /etc/sorewall/accounting.
2) Fix PKTTYPE=No and packet type match capability reporting.
3) Add FASTACCEPT option.
4) Generate error if norfc1918 is specified on an interface with an RFC
1918 IP address.
5) Implement exclusion lists in /etc/shorewall/rules.
Changes in 2.5.1 Changes in 2.5.1
1) Make "shorewall add" work with 'ipsec' in hosts file. 1) Make "shorewall add" work with 'ipsec' in hosts file.


@ -2941,7 +2941,7 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then if [ "x$source" != "x-" ]; then
case $source in case $source in
$FW:*) $FW:*)
chain=tcout [ $chain = tcpost ] || chain=tcout
r="$(source_ip_range ${source#*:}) " r="$(source_ip_range ${source#*:}) "
;; ;;
*.*.*|+*|!+*) *.*.*|+*|!+*)
@ -2951,7 +2951,7 @@ process_tc_rule()
r="$(mac_match $source) " r="$(mac_match $source) "
;; ;;
$FW) $FW)
chain=tcout [ $chain = tcpost ] || chain=tcout
;; ;;
*) *)
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
@ -3016,14 +3016,15 @@ process_tc_rule()
[ "x$sport" = "x-" ] || r="${r}--sport $sport " [ "x$sport" = "x-" ] || r="${r}--sport $sport "
case $chain in if [ -n "${excludesources}${excludedests}" ]; then
tcpost) build_exclusion_chain chain1 mangle "$excludesources" "$excludedests"
run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark
;; run_iptables2 -t mangle -A $chain $r -j $chain1
*)
run_iptables2 -t mangle -A $chain $r -j $target $mark run_iptables -t mangle -A $chain1 -j $target $mark
;; else
esac run_iptables2 -t mangle -A $chain $r -j $target $mark
fi
} }
@ -3049,6 +3050,7 @@ process_tc_rule()
;; ;;
*) *)
chain=tcpost chain=tcpost
target="CLASSIFY --set-class"
;; ;;
esac esac
@ -3118,8 +3120,44 @@ process_tc_rule()
esac esac
fi fi
for source in $(separate_list ${sources:=-}); do excludesources=
for dest in $(separate_list ${dests:=-}); do
case ${sources:=-} in
*!*!*)
fatal_error "Invalid SOURCE in rule \"$rule\""
;;
!*)
if [ $(list_count $sourcess) -gt 1 ]; then
excludesources=${sources#!}
sources=-
fi
;;
*!*)
excludesources=${sources#*!}
sources=${sources%!*}
;;
esac
excludedests=
case ${dests:=-} in
*!*!*)
fatal_error "Invalid DEST in rule \"$rule\""
;;
!*)
if [ $(list_count $dests) -gt 1 ]; then
excludedests=${dests#*!}
dests=-
fi
;;
*!*)
excludedests=${dests#*!}
dests=${dests%!*}
;;
esac
for source in $(separate_list $sources); do
for dest in $(separate_list $dests); do
for port in $(separate_list ${ports:=-}); do for port in $(separate_list ${ports:=-}); do
for sport in $(separate_list ${sports:=-}); do for sport in $(separate_list ${sports:=-}); do
add_a_tc_rule add_a_tc_rule
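Review bot: The `!*)` arm of the new SOURCE case tests `$(list_count $sourcess)` — an unset variable, where the parallel DEST arm correctly tests `$dests` — so the list is never counted and the `-gt 1` branch is dead. A SOURCE such as `!a,b` then stays in `sources` and is presumably split by separate_list into `!a` and `b`, and the rule generated for `b` is a positive match rather than an exclusion, so traffic from `b` gets marked/classified when the user asked for the opposite; the release notes promise "the rule that you expect", which this silently inverts. Change the line to `if [ $(list_count $sources) -gt 1 ]; then`, matching the DEST arm. The enclosing function and the surrounding loop both start and end outside this hunk.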


@ -1,4 +1,12 @@
Shorewall 2.5.2 Shorewall 2.5.3
Problems Corrected in 2.5.3:
New Features in Shorewall 2.5.3
1) You may now specify "!" followed by a list of addresses in the
SOURCE and DEST columns of entries in /etc/shorewall/tcrules and
Shorewall will generate the rule that you expect.
Problems Corrected in 2.5.2: Problems Corrected in 2.5.2: