Add QUEUE policies

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2016 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-03-30 15:08:37 +00:00
parent ff3b3bdb97
commit 8933f61524
4 changed files with 16 additions and 4 deletions


@ -8,6 +8,8 @@ Changes in 2.2.3
4) Fix ! in hosts file
5) Add QUEUE policy.
Changes in 2.2.2
1) The 'check' command disclaimer is toned down further and only


@ -1100,7 +1100,7 @@ validate_policy()
esac
case $policy in
ACCEPT|REJECT|DROP|CONTINUE)
ACCEPT|REJECT|DROP|CONTINUE|QUEUE)
;;
NONE)
[ "$client" = "$FW" -o "$server" = "$FW" ] && \
@ -3490,14 +3490,14 @@ process_actions1() {
[ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp"
xaction=${xaction%:*}
case $temp in
ACCEPT|REJECT|DROP)
ACCEPT|REJECT|DROP|QUEUE)
eval ${temp}_common=$xaction
if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then
USEDACTIONS="$USEDACTIONS $xaction"
fi
;;
*)
startup_error "Common Actions are only allowed for ACCEPT, DROP and REJECT"
startup_error "Common Actions are only allowed for ACCEPT, DROP, REJECT and QUEUE"
;;
esac
esac
@ -4806,6 +4806,9 @@ policy_rules() # $1 = chain to add rules to
[ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
target=reject
;;
QUEUE)
[ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common
;;
CONTINUE)
target=
;;
@ -4871,7 +4874,7 @@ default_policy() # $1 = client $2 = server
# depends on the policy
#
case $policy in
ACCEPT)
ACCEPT|QUEUE)
if [ -n "$synparams" ]; then
#
# To avoid double-counting SYN packets, enforce the policy
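Review bot: The new `QUEUE)` arm in policy_rules() does not assign `target`, whereas the neighbouring `REJECT)` arm sets `target=reject` and `CONTINUE)` clears it; unless `target` is initialised from `$policy` before the `case` (that part of the function is outside the hunk), the rules emitted after the `case` would carry whatever value was left over. Adding `target=QUEUE` to the arm, mirroring the REJECT arm, makes the intent explicit either way. The `ACCEPT|QUEUE)` arm in default_policy() deserves the same check: its body is also outside the hunk, and if the SYN-limiting rules there use a literal `-j ACCEPT` rather than the policy's target, SYN packets under a QUEUE policy would be accepted without ever reaching the user-space application.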


@ -25,6 +25,8 @@
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP.
# QUEUE - Send the request to a user-space
# application using the QUEUE target.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or destination
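Review bot: The new QUEUE description does not say what happens to queued packets when no user-space application is attached to the queue; with the kernel's QUEUE mechanism such packets are dropped, so a QUEUE policy behaves like DROP until the application is running, and an administrator reading only this comment would not expect that. Suggest extending the comment with `#             If no application is reading the queue,` / `#             the packets are dropped.` so the fail-closed behaviour is stated next to the policy name.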


@ -61,6 +61,11 @@ New Features in version 2.2.3
If MACLIST_TTL is not specified or is specified as empty (e.g,
MACLIST_TTL="" or is specified as zero then 'maclist' lookups
will not be cached.
4) You can now specify QUEUE as a policy and you can designate a
common action for QUEUE policies in /etc/shorewall/actions. This is
useful for sending packets to something like Snort Inline.
-----------------------------------------------------------------------
Problems corrected in version 2.2.2