mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-09 07:08:14 +01:00
Use -m conntrack if available in place of -m state
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
21e0c68ef2
commit
6d61e962eb
@ -856,15 +856,15 @@ sub rejNotSyn ( $$$ ) {
|
|||||||
sub dropInvalid ( $$$ ) {
|
sub dropInvalid ( $$$ ) {
|
||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
|
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
|
||||||
add_rule $chainref , '-m state --state INVALID -j DROP';
|
add_rule $chainref , "$globals{STATEMATCH} INVALID -j DROP";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub allowInvalid ( $$$ ) {
|
sub allowInvalid ( $$$ ) {
|
||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
|
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
|
||||||
add_rule $chainref , '-m state --state INVALID -j ACCEPT';
|
add_rule $chainref , "$globals{STATEMATCH} INVALID -j ACCEPT";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub forwardUPnP ( $$$ ) {
|
sub forwardUPnP ( $$$ ) {
|
||||||
|
|||||||
@ -1358,7 +1358,7 @@ sub finish_chain_section ($$) {
|
|||||||
|
|
||||||
$comment = '';
|
$comment = '';
|
||||||
|
|
||||||
add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT};
|
add_rule $chainref, "$globals{STATEMATCH} $state -j ACCEPT" unless $config{FASTACCEPT};
|
||||||
|
|
||||||
if ($sections{NEW} ) {
|
if ($sections{NEW} ) {
|
||||||
if ( $chainref->{is_policy} ) {
|
if ( $chainref->{is_policy} ) {
|
||||||
|
|||||||
@ -339,6 +339,7 @@ sub initialize( $ ) {
|
|||||||
LOGPARMS => '',
|
LOGPARMS => '',
|
||||||
TC_SCRIPT => '',
|
TC_SCRIPT => '',
|
||||||
EXPORT => 0,
|
EXPORT => 0,
|
||||||
|
STATEMATCH => '-m state --state',
|
||||||
UNTRACKED => 0,
|
UNTRACKED => 0,
|
||||||
VERSION => "4.4.9-RC1",
|
VERSION => "4.4.9-RC1",
|
||||||
CAPVERSION => 40408 ,
|
CAPVERSION => 40408 ,
|
||||||
@ -2502,7 +2503,10 @@ sub determine_capabilities() {
|
|||||||
qt1( "$iptables -N $sillyname1" );
|
qt1( "$iptables -N $sillyname1" );
|
||||||
|
|
||||||
fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
|
fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
|
||||||
unless qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");
|
unless
|
||||||
|
qt1( "$iptables -A $sillyname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT") ||
|
||||||
|
qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");;
|
||||||
|
|
||||||
|
|
||||||
unless ( $config{ LOAD_HELPERS_ONLY } ) {
|
unless ( $config{ LOAD_HELPERS_ONLY } ) {
|
||||||
#
|
#
|
||||||
@ -2812,6 +2816,8 @@ sub get_configuration( $ ) {
|
|||||||
|
|
||||||
get_capabilities( $export );
|
get_capabilities( $export );
|
||||||
|
|
||||||
|
$globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
|
||||||
|
|
||||||
if ( $config{LOGRATE} || $config{LOGBURST} ) {
|
if ( $config{LOGRATE} || $config{LOGBURST} ) {
|
||||||
if ( defined $config{LOGRATE} ) {
|
if ( defined $config{LOGRATE} ) {
|
||||||
fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;
|
fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;
|
||||||
|
|||||||
@ -467,7 +467,7 @@ sub apply_policy_rules() {
|
|||||||
sub complete_standard_chain ( $$$$ ) {
|
sub complete_standard_chain ( $$$$ ) {
|
||||||
my ( $stdchainref, $zone, $zone2, $default ) = @_;
|
my ( $stdchainref, $zone, $zone2, $default ) = @_;
|
||||||
|
|
||||||
add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};
|
add_rule $stdchainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" unless $config{FASTACCEPT};
|
||||||
|
|
||||||
run_user_exit $stdchainref;
|
run_user_exit $stdchainref;
|
||||||
|
|
||||||
|
|||||||
@ -283,7 +283,7 @@ sub setup_blacklist() {
|
|||||||
warning_message q(There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
|
warning_message q(There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
|
||||||
}
|
}
|
||||||
|
|
||||||
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
|
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
|
||||||
|
|
||||||
for my $hostref ( @$hosts ) {
|
for my $hostref ( @$hosts ) {
|
||||||
my $interface = $hostref->[0];
|
my $interface = $hostref->[0];
|
||||||
@ -431,7 +431,7 @@ sub add_common_rules() {
|
|||||||
my $list;
|
my $list;
|
||||||
my $chain;
|
my $chain;
|
||||||
|
|
||||||
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
|
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
|
||||||
my $level = $config{BLACKLIST_LOGLEVEL};
|
my $level = $config{BLACKLIST_LOGLEVEL};
|
||||||
my $rejectref = dont_move new_standard_chain 'reject';
|
my $rejectref = dont_move new_standard_chain 'reject';
|
||||||
|
|
||||||
@ -445,7 +445,7 @@ sub add_common_rules() {
|
|||||||
setup_mss;
|
setup_mss;
|
||||||
|
|
||||||
if ( $config{FASTACCEPT} ) {
|
if ( $config{FASTACCEPT} ) {
|
||||||
add_rule( $filter_table->{$_} , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT );
|
add_rule( $filter_table->{$_} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT );
|
||||||
}
|
}
|
||||||
|
|
||||||
for $interface ( all_interfaces ) {
|
for $interface ( all_interfaces ) {
|
||||||
@ -517,7 +517,7 @@ sub add_common_rules() {
|
|||||||
my $target = source_exclusion( $hostref->[3], $chainref );
|
my $target = source_exclusion( $hostref->[3], $chainref );
|
||||||
|
|
||||||
for $chain ( first_chains $interface ) {
|
for $chain ( first_chains $interface ) {
|
||||||
add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ), $policy );
|
add_jump $filter_table->{$chain} , $target, 0, join( '', "$globals{STATEMATCH} $state ", match_source_net( $hostref->[2] ), $policy );
|
||||||
}
|
}
|
||||||
|
|
||||||
set_interface_option $interface, 'use_input_chain', 1;
|
set_interface_option $interface, 'use_input_chain', 1;
|
||||||
@ -801,14 +801,14 @@ sub setup_mac_lists( $ ) {
|
|||||||
my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
|
my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
|
||||||
|
|
||||||
for my $chain ( first_chains $interface ) {
|
for my $chain ( first_chains $interface ) {
|
||||||
add_jump $filter_table->{$chain} , $chainref, 0, "${source}-m state --state ${state} ${policy}";
|
add_jump $filter_table->{$chain} , $chainref, 0, "${source}$globals{STATEMATCH} ${state} ${policy}";
|
||||||
}
|
}
|
||||||
|
|
||||||
set_interface_option $interface, 'use_input_chain', 1;
|
set_interface_option $interface, 'use_input_chain', 1;
|
||||||
set_interface_option $interface, 'use_forward_chain', 1;
|
set_interface_option $interface, 'use_forward_chain', 1;
|
||||||
} else {
|
} else {
|
||||||
my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
|
my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
|
||||||
add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}-m state --state ${state} ${policy}";
|
add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}$globals{STATEMATCH} ${state} ${policy}";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
@ -1212,7 +1212,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
|||||||
unless ( $section eq 'NEW' ) {
|
unless ( $section eq 'NEW' ) {
|
||||||
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
||||||
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
|
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
|
||||||
$rule .= "-m state --state $section "
|
$rule .= "$globals{STATEMATCH} $section "
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -2144,7 +2144,7 @@ sub generate_matrix() {
|
|||||||
'' ,
|
'' ,
|
||||||
'' ,
|
'' ,
|
||||||
'insert' ,
|
'insert' ,
|
||||||
'-m state --state NEW ';
|
"$globals{STATEMATCH} NEW ";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -2332,7 +2332,7 @@ EOF
|
|||||||
|
|
||||||
my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
|
my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
|
||||||
|
|
||||||
add_rule $filter_table->{$_}, '-m state --state ESTABLISHED,RELATED -j ACCEPT' for @chains;
|
add_rule $filter_table->{$_}, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" for @chains;
|
||||||
|
|
||||||
if ( $family == F_IPV6 ) {
|
if ( $family == F_IPV6 ) {
|
||||||
add_rule $input, '-s ff80::/10 -j ACCEPT';
|
add_rule $input, '-s ff80::/10 -j ACCEPT';
|
||||||
|
|||||||
@ -61,7 +61,7 @@ sub setup_tunnels() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
my $options = $globals{UNTRACKED} ? '-m state --state NEW,UNTRACKED -j ACCEPT' : '-m state --state NEW -j ACCEPT';
|
my $options = $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
|
||||||
|
|
||||||
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
|
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||||
add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
|
add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
|
||||||
|
|||||||
@ -1537,7 +1537,8 @@ determine_capabilities() {
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
|
if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT &&
|
||||||
|
! qt $IPTABLES -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; then
|
||||||
echo " ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
|
echo " ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -1222,7 +1222,8 @@ determine_capabilities() {
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! qt $IP6TABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
|
if ! qt $IP6TABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT &&
|
||||||
|
! qt $IP6TABLES -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; then
|
||||||
echo " ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
|
echo " ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user