Add OLD_PING_HANDLING option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@406 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-01-21 00:34:00 +00:00
parent 3b29150cb2
commit 7fe133fe4a
4 changed files with 58 additions and 77 deletions


@ -1,10 +1,5 @@
Changes since 1.3.12 Changes since 1.3.13
1. Added 'DNAT-' target. 1. Fix 'shorewall add' bug.
2. Print policies in 'check' command.
3. Added CLEAR_TC option.
4. Added SHARED_DIR option.
2. Add OLD_PING_HANDLING option


@ -599,12 +599,16 @@ validate_interfaces_file() {
for option in $options; do for option in $options; do
case $option in case $option in
dhcp|noping|filterping|routestopped|norfc1918|multi|tcpflags) dhcp|routestopped|norfc1918|multi|tcpflags)
;; ;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;; ;;
*) noping|filterping)
error_message "Warning: Invalid option ($option) in record \"$r\"" [ -n "$OLD_PING_HANDLING" ] || \
startup_error "Option $option only allowed with old ping handling"
;;
*)
error_message "Warning: Invalid option ($option) in record \"$r\""
;; ;;
esac esac
done done
@ -3350,11 +3354,14 @@ initialize_netfilter () {
# Build the common chain -- called during [re]start and refresh # Build the common chain -- called during [re]start and refresh
# #
build_common_chain() { build_common_chain() {
#
# PING if [ -n "$OLD_PING_HANDLING" ]; then
# #
[ -n "$FORWARDPING" ] && \ # PING
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT #
[ -n "$FORWARDPING" ] && \
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
fi
# #
# Common ICMP rules # Common ICMP rules
# #
@ -3907,23 +3914,25 @@ define_firewall() # $1 = Command (Start or Restart)
process_rules $rules process_rules $rules
echo "Setting up ICMP Echo handling..." if [ -n "$OLD_PING_HANDLING" ]; then
echo "Setting up ICMP Echo handling..."
filterping_interfaces="`find_interfaces_by_option filterping`" filterping_interfaces="`find_interfaces_by_option filterping`"
noping_interfaces="`find_interfaces_by_option noping`" noping_interfaces="`find_interfaces_by_option noping`"
for interface in $all_interfaces; do for interface in $all_interfaces; do
if ! list_search $interface $filterping_interfaces; then if ! list_search $interface $filterping_interfaces; then
if list_search $interface $noping_interfaces; then if list_search $interface $noping_interfaces; then
target=DROP target=DROP
else else
target=ACCEPT target=ACCEPT
fi
run_iptables -A `input_chain $interface` \
-p icmp --icmp-type echo-request -j $target
fi fi
done
run_iptables -A `input_chain $interface` \ fi
-p icmp --icmp-type echo-request -j $target
fi
done
policy=`find_file policy` policy=`find_file policy`
@ -4471,6 +4480,7 @@ do_initialize() {
TCP_FLAGS_LOG_LEVEL= TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL= RFC1918_LOG_LEVEL=
MARK_IN_FORWARD_CHAIN= MARK_IN_FORWARD_CHAIN=
OLD_PING_HANDLING=
SHARED_DIR=/usr/lib/shorewall SHARED_DIR=/usr/lib/shorewall
FUNCTIONS= FUNCTIONS=
VERSION_FILE= VERSION_FILE=
@ -4596,7 +4606,7 @@ do_initialize() {
else else
CLEAR_TC= CLEAR_TC=
fi fi
OLD_PING_HANDLING=`added_param_value_yes OLD_PING_HANDLING $OLD_PING_HANDLING`
run_user_exit params run_user_exit params
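Review bot: The gate added in validate_interfaces_file (`[ -n "$OLD_PING_HANDLING" ] || startup_error ...`) makes noping/filterping a hard error, but the reverse case gets no diagnostic: do_initialize initialises OLD_PING_HANDLING to empty and only fills it from the config via added_param_value_yes, so a shorewall.conf that predates this option silently moves from the old per-interface `target=ACCEPT` default for echo-request to whatever the zone policy says. That is the stricter direction, but monitoring that pings the firewall can stop working after an upgrade with no hint in the startup output. I would print a one-time notice in the `else` path of the gated block in define_firewall, e.g. `[ -n "$OLD_PING_HANDLING" ] || echo "ICMP echo-request is handled by rules/policy (OLD_PING_HANDLING=No)"`, and use the same `if ... then` form there as build_common_chain rather than the `|| \` continuation used in the validator. Whether added_param_value_yes maps an absent setting to No is inferred from its name; validate_interfaces_file, define_firewall and do_initialize all extend beyond the hunks shown.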


@ -2,48 +2,14 @@ This is a minor release of Shorewall that has a couple of new features.
New features include: New features include:
1) A new 'DNAT-' action has been added for entries in the 1) An OLD_PING_HANDLING option has been added to shorewall.conf. When
/etc/shorewall/rules file. DNAT- is intended for advanced users who set to Yes, Shorewall ping handling is as it has always been (see
wish to minimize the number of rules that connection requests must http://www.shorewall.net/ping.html).
traverse.
A Shorewall DNAT rule actually generates two iptables rules: a
header rewriting rule in the 'nat' table and an ACCEPT rule in the
'filter' table. A DNAT- rule only generates the first of these
rules. This is handy when you have several DNAT rules that would
generate the same ACCEPT rule.
Here are three rules from my previous rules file: When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
policies just like any other connection request. The FORWARDPING
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178 option in shorewall.conf is ignored and the 'noping' and
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179 'filterping' options in /etc/shorewall/interfaces will generate an
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,... error.
These three rules ended up generating _three_ copies of
ACCEPT net dmz:206.124.146.177 tcp smtp
By writing the rules this way, I end up with only one copy of the
ACCEPT rule.
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
2) The 'shorewall check' command now prints out the applicable policy
between each pair of zones.
3. A new CLEAR_TC option has been added to shorewall.conf. If this
option is set to 'No' then Shorewall won't clear the current
traffic control rules during [re]start. This setting is intended
for use by people that prefer to configure traffic shaping when
the network interfaces come up rather than when the firewall
is started. If that is what you want to do, set TC_ENABLED=Yes and
CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
way, your traffic shaping rules can still use the 'fwmark'
classifier based on packet marking defined in /etc/shorewall/tcrules.
4. A new SHARED_DIR variable has been added that allows distribution
packagers to easily move the shared directory (default
/usr/lib/shorewall). Users should never have a need to change the
value of this shorewall.conf setting.


@ -400,11 +400,21 @@ MUTEX_TIMEOUT=60
LOGNEWNOTSYN= LOGNEWNOTSYN=
#
# Old Ping Handling
#
# If this option is set to "Yes" then Shorewall will use its old ping handling
# facility including the FORWARDPING option below and the 'noping' and
# 'filterping' interface options. If this option is set to 'No' then ping
# is handled via policy and rules just like any other connection request.
#
OLD_PING_HANDLING=No
# #
# Forward "Ping" # Forward "Ping"
# #
# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are # If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are
# forwarded by the firewall. # forwarded by the firewall. This option is only used if OLD_PING_HANDLING=Yes
FORWARDPING=Yes FORWARDPING=Yes
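Review bot: The new OLD_PING_HANDLING comment explains the two values but not the consequence an administrator upgrading needs to know: with the shipped default `No`, echo-request to the firewall is no longer accepted by default and is decided by rules and policy, so hosts that monitor the firewall by ping need an explicit rule. I would extend the block with `# NOTE: with "No", ping is accepted only where a rule or policy allows it; installations` / `# that relied on the old default (ping accepted) must add an ACCEPT rule for icmp echo-request.` It would also help to state what happens when the option is absent from an older shorewall.conf (the script side appears to treat it as No, but that is not visible in this file). Whether the shipped policies drop net-to-firewall traffic is outside this hunk.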