Deimplement MACLISTNEWONLY

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1953 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-02-09 18:37:45 +00:00
parent 03b4162b40
commit 8d5387466c
4 changed files with 1 additions and 30 deletions


@ -4,8 +4,6 @@ Changes in 2.2.1
2) Simon Matter's patch for umask. 2) Simon Matter's patch for umask.
3) Added MACLISTNEWONLY option.
Changes since 2.0.3 Changes since 2.0.3
1) Fix security vulnerability involving temporary files/directories. 1) Fix security vulnerability involving temporary files/directories.


@ -1982,7 +1982,6 @@ setup_mac_lists() {
local hosts local hosts
local ipsec local ipsec
local policy= local policy=
local state
# #
# Generate the list of interfaces having MAC verification # Generate the list of interfaces having MAC verification
# #
@ -2074,11 +2073,10 @@ setup_mac_lists() {
ipsec=${hosts%^*} ipsec=${hosts%^*}
hosts=${hosts#*^} hosts=${hosts#*^}
[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
[ -n "$MACLISTNEWONLY" ] && state="-m state --state NEW" || state=
interface=${hosts%%:*} interface=${hosts%%:*}
hosts=${hosts#*:} hosts=${hosts#*:}
for chain in $(first_chains $interface) ; do for chain in $(first_chains $interface) ; do
run_iptables -A $chain $(match_source_hosts $hosts) $state \ run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
$policy -j $(mac_chain $interface) $policy -j $(mac_chain $interface)
done done
done done
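Review bot: With `-m state --state NEW` now hard-coded into the run_iptables call, the maclist is consulted only for the first packet of a connection; packets of a flow that was already accepted are not re-checked against the MAC list, and nothing in the hunk records that this is the intended contract now that the option is gone. A short comment above the loop would pin it down: `# Only the first packet of a connection (state NEW) is matched against the maclist; later packets of an accepted flow are not re-verified here.` The same line expands `$policy` unquoted on purpose, since the line above assigns it as several words, so it is worth marking that as well (`# $policy is intentionally unquoted: it carries multiple iptables arguments`) before a later quoting cleanup collapses it into one argument. setup_mac_lists begins and ends outside this hunk.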
@ -7128,7 +7126,6 @@ do_initialize() {
LOGTAGONLY= LOGTAGONLY=
LOGALLNEW= LOGALLNEW=
DROPINVALID= DROPINVALID=
MACLISTNEWONLY=
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=
@ -7324,7 +7321,6 @@ do_initialize() {
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
MACLISTNEWONLY=$(added_param_value_yes MACLISTNEWONLY $MACLISTNEWONLY)
# #
# Strip the files that we use often # Strip the files that we use often
# #


@ -10,13 +10,6 @@ Problems corrected in version 2.2.1
files in /var/lib/shorewall to be world-readable. Shorewall now uses files in /var/lib/shorewall to be world-readable. Shorewall now uses
umask 0177. umask 0177.
----------------------------------------------------------------------- -----------------------------------------------------------------------
New Features in version 2.2.1
1) A MACLISTNEWONLY option is added to shorewall.conf. When set to Yes
(the default), then only new incoming connection requests are
checked against the maclist. If set to No, all incoming packets are
checked.
-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0 to Shorewall 2.2: Issues when migrating from Shorewall 2.0 to Shorewall 2.2:
1) Shorewall configuration files except shorewall.conf are now empty 1) Shorewall configuration files except shorewall.conf are now empty


@ -633,22 +633,6 @@ ADMINISABSENTMINDED=Yes
# #
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
#
# MACLIST Behavior
#
# The following variable determines whether the maclist is checked for each
# packet or for each new connection.
#
# MACLISTNEWONLY=Yes Only consult the interface's maclist for new
# connection requests
#
# MACLISTNEWONLY=No Consult maclists for all packets.
#
# If the MACLISTNEWONLY option is not set or is set to the empty value then
# BLACKLISTNEWONLY=Yes is assumed.
#
BLACKLISTNEWONLY=Yes
# #
# Users with a large blacklist find that "shorwall [re]start" takes a long # Users with a large blacklist find that "shorwall [re]start" takes a long
# time and that new connections are disabled during that time. By setting # time and that new connections are disabled during that time. By setting