mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-15 04:04:10 +01:00
Add support for exclusion lists in /etc/shorewall/tcrules
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2509 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
7f459362d1
commit
6a087fd50e
@ -1,3 +1,21 @@
|
||||
|
||||
Changes in 2.5.3
|
||||
|
||||
1) Allow exclusion lists in /etc/shorewall/tcrules.
|
||||
|
||||
Changes in 2.5.2
|
||||
|
||||
1) Allow port lists in /etc/sorewall/accounting.
|
||||
|
||||
2) Fix PKTTYPE=No and packet type match capability reporting.
|
||||
|
||||
3) Add FASTACCEPT option.
|
||||
|
||||
4) Generate error if norfc1918 is specified on an interface with an RFC
|
||||
1918 IP address.
|
||||
|
||||
5) Implement exclusion lists in /etc/shorewall/rules.
|
||||
|
||||
Changes in 2.5.1
|
||||
|
||||
1) Make "shorewall add" work with 'ipsec' in hosts file.
|
||||
|
@ -2941,7 +2941,7 @@ process_tc_rule()
|
||||
if [ "x$source" != "x-" ]; then
|
||||
case $source in
|
||||
$FW:*)
|
||||
chain=tcout
|
||||
[ $chain = tcpost ] || chain=tcout
|
||||
r="$(source_ip_range ${source#*:}) "
|
||||
;;
|
||||
*.*.*|+*|!+*)
|
||||
@ -2951,7 +2951,7 @@ process_tc_rule()
|
||||
r="$(mac_match $source) "
|
||||
;;
|
||||
$FW)
|
||||
chain=tcout
|
||||
[ $chain = tcpost ] || chain=tcout
|
||||
;;
|
||||
*)
|
||||
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
|
||||
@ -3016,14 +3016,15 @@ process_tc_rule()
|
||||
|
||||
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
|
||||
|
||||
case $chain in
|
||||
tcpost)
|
||||
run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark
|
||||
;;
|
||||
*)
|
||||
if [ -n "${excludesources}${excludedests}" ]; then
|
||||
build_exclusion_chain chain1 mangle "$excludesources" "$excludedests"
|
||||
|
||||
run_iptables2 -t mangle -A $chain $r -j $chain1
|
||||
|
||||
run_iptables -t mangle -A $chain1 -j $target $mark
|
||||
else
|
||||
run_iptables2 -t mangle -A $chain $r -j $target $mark
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
@ -3049,6 +3050,7 @@ process_tc_rule()
|
||||
;;
|
||||
*)
|
||||
chain=tcpost
|
||||
target="CLASSIFY --set-class"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3118,8 +3120,44 @@ process_tc_rule()
|
||||
esac
|
||||
fi
|
||||
|
||||
for source in $(separate_list ${sources:=-}); do
|
||||
for dest in $(separate_list ${dests:=-}); do
|
||||
excludesources=
|
||||
|
||||
case ${sources:=-} in
|
||||
*!*!*)
|
||||
fatal_error "Invalid SOURCE in rule \"$rule\""
|
||||
;;
|
||||
!*)
|
||||
if [ $(list_count $sourcess) -gt 1 ]; then
|
||||
excludesources=${sources#!}
|
||||
sources=-
|
||||
fi
|
||||
;;
|
||||
*!*)
|
||||
excludesources=${sources#*!}
|
||||
sources=${sources%!*}
|
||||
;;
|
||||
esac
|
||||
|
||||
excludedests=
|
||||
|
||||
case ${dests:=-} in
|
||||
*!*!*)
|
||||
fatal_error "Invalid DEST in rule \"$rule\""
|
||||
;;
|
||||
!*)
|
||||
if [ $(list_count $dests) -gt 1 ]; then
|
||||
excludedests=${dests#*!}
|
||||
dests=-
|
||||
fi
|
||||
;;
|
||||
*!*)
|
||||
excludedests=${dests#*!}
|
||||
dests=${dests%!*}
|
||||
;;
|
||||
esac
|
||||
|
||||
for source in $(separate_list $sources); do
|
||||
for dest in $(separate_list $dests); do
|
||||
for port in $(separate_list ${ports:=-}); do
|
||||
for sport in $(separate_list ${sports:=-}); do
|
||||
add_a_tc_rule
|
||||
|
@ -1,4 +1,12 @@
|
||||
Shorewall 2.5.2
|
||||
Shorewall 2.5.3
|
||||
|
||||
Problems Corrected in 2.5.3:
|
||||
|
||||
New Features in Shorewall 2.5.3
|
||||
|
||||
1) You may now specify "!" followed by a list of addresses in the
|
||||
SOURCE and DEST columns of entries in /etc/shorewall/tcrules and
|
||||
Shorewall will generate the rule that you expect.
|
||||
|
||||
Problems Corrected in 2.5.2:
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user