Merge branch '4.6.3'
Conflicts: Shorewall/Perl/Shorewall/Misc.pm
commit
976a1f3deb
@ -1661,6 +1661,10 @@ sub insert_rule($$$) {
|
|||||||
sub insert_irule( $$$$;@ ) {
|
sub insert_irule( $$$$;@ ) {
|
||||||
my ( $chainref, $jump, $target, $number, @matches ) = @_;
|
my ( $chainref, $jump, $target, $number, @matches ) = @_;
|
||||||
|
|
||||||
|
my $rulesref = $chainref->{rules};
|
||||||
|
|
||||||
|
return add_irule( $chainref, $jump, $target, @matches ) if $number >= @$rulesref;
|
||||||
|
|
||||||
my $ruleref = {};
|
my $ruleref = {};
|
||||||
|
|
||||||
$ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
|
$ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
|
||||||
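Review bot: The new early return on the `return add_irule( $chainref, $jump, $target, @matches ) if $number >= @$rulesref;` line skips the cmdlevel/mode assignment below it and the `$ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || ...` assignment in the next hunk, so a rule whose position is at or past the end of the chain is built entirely by add_irule; that is only equivalent if add_irule derives the same origin-based comment, which is not visible in this diff. A one-line comment would make the intent explicit: `# Position is past the end of the chain: append via add_irule(), which does its own cmdlevel/comment setup`. The guard covers only the upper bound; a negative `$number` still reaches `splice( @$rulesref, $number, 0, $ruleref )`, where it is interpreted relative to the end of the list rather than rejected, which callers may not expect. insert_irule continues outside the hunk.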
@ -1680,7 +1684,7 @@ sub insert_irule( $$$$;@ ) {
|
|||||||
|
|
||||||
$ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
|
$ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
|
||||||
|
|
||||||
splice( @{$chainref->{rules}}, $number, 0, $ruleref );
|
splice( @$rulesref, $number, 0, $ruleref );
|
||||||
|
|
||||||
trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
|
trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
|
||||||
|
|
||||||
|
@ -977,8 +977,7 @@ sub compiler {
|
|||||||
# compile_stop_firewall() also validates the routestopped file. Since we don't
|
# compile_stop_firewall() also validates the routestopped file. Since we don't
|
||||||
# call that function during normal 'check', we must validate routestopped here.
|
# call that function during normal 'check', we must validate routestopped here.
|
||||||
#
|
#
|
||||||
process_routestopped;
|
process_routestopped unless process_stoppedrules;
|
||||||
process_stoppedrules;
|
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
# Report used/required capabilities
|
# Report used/required capabilities
|
||||||
|
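Review bot: `process_routestopped unless process_stoppedrules;` makes the legacy routestopped file conditional on the return value of process_stoppedrules, but the comment block directly above it (the `# compile_stop_firewall() also validates the routestopped file ...` lines) still describes routestopped as being validated unconditionally during 'check'. Since that return value now decides which file shapes the stopped-state policy, document it at the call site: `# process_stoppedrules() returns true when a stoppedrules file was found; the legacy routestopped file is only consulted when it was not.` — phrased as presumed, because what sets `$result` inside process_stoppedrules is not shown here. Whether an existing but empty stoppedrules file counts as found, and thereby silently discards the routestopped entries, is worth confirming. The enclosing sub compiler starts and ends outside the hunk.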
@ -690,11 +690,10 @@ sub process_stoppedrules() {
|
|||||||
my $result;
|
my $result;
|
||||||
|
|
||||||
if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
|
if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
|
||||||
first_entry sub() {
|
first_entry sub () {
|
||||||
progress_message2("$doing $fn...");
|
progress_message2( "$doing $fn..." );
|
||||||
unless ( $config{ADMINISABSENTMINDED} ) {
|
unless ( $config{ADMINISABSENTMINDED} ) {
|
||||||
warning_message("Entries in the stoppedrules file are processed as if ADMINISABSENTMINDED=Yes");
|
insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
|
||||||
$config{ADMINISABSENTMINDED} = 'Yes';
|
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
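Review bot: The loop on the `insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;` line adds the ESTABLISHED,RELATED accept only to INPUT and FORWARD; OUTPUT is not covered, so with ADMINISABSENTMINDED=No the reply packets the firewall system itself sends for connections accepted here depend on whatever the stopped-state OUTPUT chain does elsewhere (presumably compile_stop_firewall, not in this diff), which is worth confirming rather than assuming. The rule is inserted at position 0, ahead of every stoppedrules entry, so a later stoppedrules entry that drops traffic cannot override it for established flows; if that ordering is intentional, say so in a comment: `# Accept reply/related traffic ahead of the stoppedrules entries, which then only govern NEW connections`. The statement modifier with `$_` reaching into `$filter_table ->{$_}` would read more clearly as a named loop (`for my $chain (qw/INPUT FORWARD/)`). process_stoppedrules starts and ends outside the hunk.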
@ -309,17 +309,22 @@
|
|||||||
<term>stoppedrules</term>
|
<term>stoppedrules</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If ADMINISABSENTMINDED=No, a warning message is issued
|
<para>All existing connections continue to work. To sever all
|
||||||
and the setting is ignored.</para>
|
existing connections when the firewall is stopped, install the
|
||||||
|
conntrack utility and place the command <command>conntrack
|
||||||
<para>In addition to connections matching entries in
|
-F</command> in the stopped user exit
|
||||||
<filename>stoppedrules</filename>, existing connections
|
|
||||||
continue to work and all new connections from the firewall
|
|
||||||
system itself are allowed. To sever all existing connections
|
|
||||||
when the firewall is stopped, install the conntrack utility
|
|
||||||
and place the command <command>conntrack -F</command> in the
|
|
||||||
stopped user exit
|
|
||||||
(<filename>/etc/shorewall/stopped</filename>).</para>
|
(<filename>/etc/shorewall/stopped</filename>).</para>
|
||||||
|
|
||||||
|
<para>If ADMINISABSENTMINDED=No, only new connections matching
|
||||||
|
entries in <filename>stoppedrules</filename> are accepted when
|
||||||
|
Shorewall is stopped. Response packets and related connections
|
||||||
|
are automatically accepted.</para>
|
||||||
|
|
||||||
|
<para>If ADMINISABSENTMINDED=Yes, in addition to connections
|
||||||
|
matching entries in <filename>stoppedrules</filename>, all new
|
||||||
|
connections from the firewall system itself are allowed when
|
||||||
|
the firewall is stopped. Response packets and related
|
||||||
|
connections are automatically accepted.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
@ -220,9 +220,9 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The value of this variable affects Shorewall's stopped state.
|
<para>The value of this variable affects Shorewall's stopped state.
|
||||||
The behavior differs depending on whether <ulink
|
The behavior differs depending on whether <ulink
|
||||||
url="shorewall-routestopped.html">shorewall6-routestopped</ulink>(5)
|
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||||
or <ulink
|
or <ulink
|
||||||
url="shorewall-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
|
url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
|
||||||
is used:</para>
|
is used:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
@ -245,17 +245,22 @@
|
|||||||
<term>stoppedrules</term>
|
<term>stoppedrules</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If ADMINISABSENTMINDED=No, a warning message is issued
|
<para>All existing connections continue to work. To sever all
|
||||||
and the setting is ignored.</para>
|
existing connections when the firewall is stopped, install the
|
||||||
|
conntrack utility and place the command <command>conntrack
|
||||||
<para>In addition to connections matching entries in
|
-F</command> in the stopped user exit
|
||||||
<filename>stoppedrules</filename>, existing connections
|
|
||||||
continue to work and all new connections from the firewall
|
|
||||||
system itself are allowed. To sever all existing connections
|
|
||||||
when the firewall is stopped, install the conntrack utility
|
|
||||||
and place the command <command>conntrack -F</command> in the
|
|
||||||
stopped user exit
|
|
||||||
(<filename>/etc/shorewall6/stopped</filename>).</para>
|
(<filename>/etc/shorewall6/stopped</filename>).</para>
|
||||||
|
|
||||||
|
<para>If ADMINISABSENTMINDED=No, only new connections matching
|
||||||
|
entries in <filename>stoppedrules</filename> are accepted when
|
||||||
|
Shorewall is stopped. Response packets and related connections
|
||||||
|
are automatically accepted.</para>
|
||||||
|
|
||||||
|
<para>If ADMINISABSENTMINDED=Yes, in addition to connections
|
||||||
|
matching entries in <filename>stoppedrules</filename>, all new
|
||||||
|
connections from the firewall system itself are allowed when
|
||||||
|
the firewall is stopped. Response packets and related
|
||||||
|
connections are automatically accepted.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|