Add QUEUE policies

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2016 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-03-30 15:08:37 +00:00
parent ff3b3bdb97
commit 8933f61524
4 changed files with 16 additions and 4 deletions


@ -8,6 +8,8 @@ Changes in 2.2.3
4) Fix ! in hosts file 4) Fix ! in hosts file
5) Add QUEUE policy.
Changes in 2.2.2 Changes in 2.2.2
1) The 'check' command disclaimer is toned down further and only 1) The 'check' command disclaimer is toned down further and only


@ -1100,7 +1100,7 @@ validate_policy()
esac esac
case $policy in case $policy in
ACCEPT|REJECT|DROP|CONTINUE) ACCEPT|REJECT|DROP|CONTINUE|QUEUE)
;; ;;
NONE) NONE)
[ "$client" = "$FW" -o "$server" = "$FW" ] && \ [ "$client" = "$FW" -o "$server" = "$FW" ] && \
@ -3490,14 +3490,14 @@ process_actions1() {
[ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp" [ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp"
xaction=${xaction%:*} xaction=${xaction%:*}
case $temp in case $temp in
ACCEPT|REJECT|DROP) ACCEPT|REJECT|DROP|QUEUE)
eval ${temp}_common=$xaction eval ${temp}_common=$xaction
if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then
USEDACTIONS="$USEDACTIONS $xaction" USEDACTIONS="$USEDACTIONS $xaction"
fi fi
;; ;;
*) *)
startup_error "Common Actions are only allowed for ACCEPT, DROP and REJECT" startup_error "Common Actions are only allowed for ACCEPT, DROP, REJECT and QUEUE"
;; ;;
esac esac
esac esac
@ -4806,6 +4806,9 @@ policy_rules() # $1 = chain to add rules to
[ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common [ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
target=reject target=reject
;; ;;
QUEUE)
[ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common
;;
CONTINUE) CONTINUE)
target= target=
;; ;;
@ -4871,7 +4874,7 @@ default_policy() # $1 = client $2 = server
# depends on the policy # depends on the policy
# #
case $policy in case $policy in
ACCEPT) ACCEPT|QUEUE)
if [ -n "$synparams" ]; then if [ -n "$synparams" ]; then
# #
# To avoid double-counting SYN packets, enforce the policy # To avoid double-counting SYN packets, enforce the policy
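Review bot: Folding QUEUE into the ACCEPT arm of default_policy (`ACCEPT|QUEUE)`) only behaves correctly if the SYN-limiting rules emitted below the hunk use the policy variable rather than a hard-coded ACCEPT target; if any of them is written as `-j ACCEPT`, a QUEUE policy with synparams would accept SYN traffic that the administrator expected to hand to user space, which is worth confirming since the rest of the arm lies outside this hunk. A similar question applies to the new `QUEUE)` arm in policy_rules: unlike `REJECT)` it never assigns `target`, so the final `-j` depends on `target` having been initialised from the policy name before the `case` — fine if so, otherwise queued packets would fall through to whatever follows. A short comment on the QUEUE arm such as `# QUEUE: common action first, then target=QUEUE (set from $2 above)` would make the intent checkable. The bodies of both functions begin and end outside the hunks.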


@ -25,6 +25,8 @@
# DROP - Ignore the connection request # DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send # REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP. # "port unreachable" ICMP.
# QUEUE - Send the request to a user-space
# application using the QUEUE target.
# CONTINUE - Pass the connection request past # CONTINUE - Pass the connection request past
# any other rules that it might also # any other rules that it might also
# match (where the source or destination # match (where the source or destination


@ -61,6 +61,11 @@ New Features in version 2.2.3
If MACLIST_TTL is not specified or is specified as empty (e.g, If MACLIST_TTL is not specified or is specified as empty (e.g,
MACLIST_TTL="" or is specified as zero then 'maclist' lookups MACLIST_TTL="" or is specified as zero then 'maclist' lookups
will not be cached. will not be cached.
4) You can now specify QUEUE as a policy and you can designate a
common action for QUEUE policies in /etc/shorewall/actions. This is
useful for sending packets to something like Snort Inline.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Problems corrected in version 2.2.2 Problems corrected in version 2.2.2