Finish ADMINISABSENDMINDED change
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
caa72fb7d2
commit
8b4d8bfa16
@ -679,7 +679,13 @@ sub process_stoppedrules() {
|
|||||||
my $result;
|
my $result;
|
||||||
|
|
||||||
if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
|
if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
|
||||||
first_entry "$doing $fn...";
|
first_entry sub() {
|
||||||
|
progress_message2("$doing $fn...");
|
||||||
|
unless ( $config{ADMINISABSENTMINDED} ) {
|
||||||
|
warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
|
||||||
|
$config{ADMINISABSENTMINDED} = 'Yes';
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
while ( read_a_line( NORMAL_READ ) ) {
|
while ( read_a_line( NORMAL_READ ) ) {
|
||||||
|
|
||||||
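Review bot: The warning added in the first_entry callback names the wrong file: this code sits in `process_stoppedrules`, which is reading the handle returned by `open_file 'stoppedrules'`, yet the text tells the administrator that their *routestopped* entries are being reinterpreted. Change it to `warning_message("Entries in the stoppedrules file are processed as if ADMINISABSENTMINDED=Yes");` so the message matches both the file being parsed and the shorewall.conf(5) wording in this commit. Because the override `$config{ADMINISABSENTMINDED} = 'Yes';` silently widens the stopped-state policy an admin chose to restrict (existing connections kept, new connections from the firewall itself allowed), a why-comment above the `unless` would help, e.g. `# stoppedrules semantics require absent-minded mode; overrule No with a warning rather than fail`. Note also that the override lives in the first_entry callback, so it presumably fires only when the file has at least one active entry and an empty stoppedrules file leaves the setting as configured — worth confirming against first_entry and stating in the comment. process_stoppedrules continues outside this hunk.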
@ -2512,9 +2518,9 @@ EOF
|
|||||||
"restore_default_route $config{USE_DEFAULT_RT}"
|
"restore_default_route $config{USE_DEFAULT_RT}"
|
||||||
);
|
);
|
||||||
|
|
||||||
my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
|
if ( $config{ADMINISABSENTMINDED} ) {
|
||||||
|
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
|
||||||
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for @chains;
|
}
|
||||||
|
|
||||||
if ( $family == F_IPV6 ) {
|
if ( $family == F_IPV6 ) {
|
||||||
add_ijump $input, j => 'ACCEPT', s => IPv6_LINKLOCAL;
|
add_ijump $input, j => 'ACCEPT', s => IPv6_LINKLOCAL;
|
||||||
|
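Review bot: The new `if ( $config{ADMINISABSENTMINDED} )` guard changes the stopped-state policy in a way the two lines do not explain: the removed code always added an ESTABLISHED,RELATED accept, and included OUTPUT when the option was off, whereas now a firewall stopped with ADMINISABSENTMINDED unset or No gets no stateful accept in these chains at all, so sessions through or into the box — including the administrator's own — survive only if a routestopped/stoppedrules entry covers them. Suggest a comment above the `if`: `# Stateful accept only in absent-minded mode; with ADMINISABSENTMINDED=No, only routestopped/stoppedrules entries pass (see shorewall.conf(5))`. The omission of OUTPUT from `qw/INPUT FORWARD/` presumably relies on the firewall's own new connections being allowed elsewhere in this mode, as the conf(5) text in this commit describes, but that handling is outside the hunk — confirm before documenting it as fact. The enclosing sub starts and ends outside this hunk.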
@ -281,15 +281,48 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The value of this variable affects Shorewall's stopped state.
|
<para>The value of this variable affects Shorewall's stopped state.
|
||||||
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
|
The behavior differs depending on whether <ulink
|
||||||
listed in <ulink
|
|
||||||
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||||
is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes,
|
or <ulink
|
||||||
in addition to traffic to/from addresses in <ulink
|
url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
|
||||||
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5),
|
is used:</para>
|
||||||
connections that were active when Shorewall stopped continue to work
|
|
||||||
and all new connections from the firewall system itself are allowed.
|
<variablelist>
|
||||||
If this variable is not set or is given the empty value then
|
<varlistentry>
|
||||||
|
<term>routestopped</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When ADMINISABSENTMINDED=No, only traffic to/from those
|
||||||
|
addresses listed in <filename>routestopped</filename> is
|
||||||
|
accepted when Shorewall is stopped. When
|
||||||
|
ADMINISABSENTMINDED=Yes, in addition to traffic to/from
|
||||||
|
addresses in <filename>routestopped</filename>, connections
|
||||||
|
that were active when Shorewall stopped continue to work and
|
||||||
|
all new connections from the firewall system itself are
|
||||||
|
allowed.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>stoppedrules</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>If ADMINISABSENTMINDED=No, a warning message is issued
|
||||||
|
and the setting is ignored.</para>
|
||||||
|
|
||||||
|
<para>In addition to connections matching entries in
|
||||||
|
<filename>stoppedrules</filename>, existing connections
|
||||||
|
continue to work and all new connections from the firewall
|
||||||
|
system itself are allowed. To sever all existing connections
|
||||||
|
when the firewall is stopped, install the conntrack utility
|
||||||
|
and place the command <command>conntrack -F</command> in the
|
||||||
|
stopped user exit
|
||||||
|
(<filename>/etc/shorewall/stopped</filename>).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para> If this variable is not set or is given the empty value then
|
||||||
ADMINISABSENTMINDED=No is assumed.</para>
|
ADMINISABSENTMINDED=No is assumed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -216,18 +216,50 @@
|
|||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The value of this variable affects Shorewall6's stopped state.
|
<para>The value of this variable affects Shorewall's stopped state.
|
||||||
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
|
The behavior differs depending on whether <ulink
|
||||||
listed in <ulink
|
url="shorewall-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||||
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
or <ulink
|
||||||
is accepted when Shorewall6 is stopped. When
|
url="shorewall-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
|
||||||
ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in
|
is used:</para>
|
||||||
<ulink
|
|
||||||
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5),
|
<variablelist>
|
||||||
connections that were active when Shorewall6 stopped continue to
|
<varlistentry>
|
||||||
work and all new connections from the firewall system itself are
|
<term>routestopped</term>
|
||||||
allowed. If this variable is not set or is given the empty value
|
|
||||||
then ADMINISABSENTMINDED=No is assumed.</para>
|
<listitem>
|
||||||
|
<para>When ADMINISABSENTMINDED=No, only traffic to/from those
|
||||||
|
addresses listed in <filename>routestopped</filename> is
|
||||||
|
accepted when Shorewall is stopped. When
|
||||||
|
ADMINISABSENTMINDED=Yes, in addition to traffic to/from
|
||||||
|
addresses in <filename>routestopped</filename>, connections
|
||||||
|
that were active when Shorewall stopped continue to work and
|
||||||
|
all new connections from the firewall system itself are
|
||||||
|
allowed.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>stoppedrules</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>If ADMINISABSENTMINDED=No, a warning message is issued
|
||||||
|
and the setting is ignored.</para>
|
||||||
|
|
||||||
|
<para>In addition to connections matching entries in
|
||||||
|
<filename>stoppedrules</filename>, existing connections
|
||||||
|
continue to work and all new connections from the firewall
|
||||||
|
system itself are allowed. To sever all existing connections
|
||||||
|
when the firewall is stopped, install the conntrack utility
|
||||||
|
and place the command <command>conntrack -F</command> in the
|
||||||
|
stopped user exit
|
||||||
|
(<filename>/etc/shorewall6/stopped</filename>).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>If this variable is not set or is given the empty value then
|
||||||
|
ADMINISABSENTMINDED=No is assumed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|