Verify DEST interface in /etc/shorewall/tcrules
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1997 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
573ff6ae57
commit
9b8295527d
@ -2379,6 +2379,7 @@ process_tc_rule()
|
||||
r="${r}$(dest_ip_range $dest) "
|
||||
;;
|
||||
*)
|
||||
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
|
||||
r="${r}$(match_dest_dev $dest) "
|
||||
;;
|
||||
esac
|
||||
|
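Review bot: `$dest` is expanded unquoted in the added `verify_interface $dest` call in the `*)` branch, so a DEST value from tcrules that contains glob characters undergoes pathname expansion before it is validated, and verify_interface may receive more than one word. Quoting the argument makes the check apply to exactly the text the user wrote: `verify_interface "$dest" || fatal_error "Unknown interface $dest in rule \"$rule\""`. The neighbouring context lines use the same unquoted style (`$(dest_ip_range $dest)`, `$(match_dest_dev $dest)`), so this may be a file-wide convention to address separately. process_tc_rule begins and ends outside the hunk, so the case patterns that route a value into this branch are not visible here; the two later process_tc_rule hunks on this page carry the same line and the same remark applies.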
@ -21,7 +21,23 @@
|
||||
# DROP - silently drop the packet
|
||||
# logdrop - log then drop
|
||||
#
|
||||
###############################################################################
|
||||
# By default, the RETURN target causes 'norfc1918' processing to cease for a
|
||||
# packet if the packet's source IP address matches the rule. Thus, if you have:
|
||||
#
|
||||
# SUBNETS TARGET
|
||||
# 192.168.1.0/24 RETURN
|
||||
#
|
||||
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
|
||||
# also have:
|
||||
#
|
||||
# SUBNETS TARGET
|
||||
# 10.0.0.0/8 logdrop
|
||||
#
|
||||
# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be
|
||||
# logged and dropped since while the packet's source matches the RETURN rule,
|
||||
# the packet's destination matches the 'logdrop' rule.
|
||||
#
|
||||
################################################################################
|
||||
#SUBNETS TARGET
|
||||
172.16.0.0/12 logdrop # RFC 1918
|
||||
192.168.0.0/16 logdrop # RFC 1918
|
||||
|
@ -23,6 +23,8 @@ Changes in 2.2.2
|
||||
|
||||
10) Implement RFC1918_STRICT
|
||||
|
||||
11) Verify interface names in the DEST column of tcrules.
|
||||
|
||||
Changes in 2.2.1
|
||||
|
||||
1) Add examples to the zones and policy files.
|
||||
|
@ -2379,6 +2379,7 @@ process_tc_rule()
|
||||
r="${r}$(dest_ip_range $dest) "
|
||||
;;
|
||||
*)
|
||||
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
|
||||
r="${r}$(match_dest_dev $dest) "
|
||||
;;
|
||||
esac
|
||||
|
@ -20,6 +20,10 @@ Problems corrected in version 2.2.2
|
||||
5) Previously, the 'install.sh' script did not update the
|
||||
/usr/share/shorewall/action.* files.
|
||||
|
||||
6) Previously, when an interface name appeared in the DEST column of
|
||||
/etc/shorewall/tcrules, the name was not validated against the set
|
||||
of defined interfaces and bridge ports.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
New Features in version 2.2.2
|
||||
|
||||
|
@ -21,9 +21,8 @@
|
||||
# DROP - silently drop the packet
|
||||
# logdrop - log then drop
|
||||
#
|
||||
# By default, the RETURN target in the 'rfc1918' causes 'norfc1918'
|
||||
# processing to cease for a packet if the packet's source IP address matches
|
||||
# the rule. Thus, if you have:
|
||||
# By default, the RETURN target causes 'norfc1918' processing to cease for a
|
||||
# packet if the packet's source IP address matches the rule. Thus, if you have:
|
||||
#
|
||||
# SUBNETS TARGET
|
||||
# 192.168.1.0/24 RETURN
|
||||
|
@ -23,6 +23,8 @@ Changes in 2.2.2
|
||||
|
||||
10) Implement RFC1918_STRICT
|
||||
|
||||
11) Verify interface names in the DEST column of tcrules.
|
||||
|
||||
Changes in 2.2.1
|
||||
|
||||
1) Add examples to the zones and policy files.
|
||||
|
@ -2379,6 +2379,7 @@ process_tc_rule()
|
||||
r="${r}$(dest_ip_range $dest) "
|
||||
;;
|
||||
*)
|
||||
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
|
||||
r="${r}$(match_dest_dev $dest) "
|
||||
;;
|
||||
esac
|
||||
|
@ -20,6 +20,10 @@ Problems corrected in version 2.2.2
|
||||
5) Previously, the 'install.sh' script did not update the
|
||||
/usr/share/shorewall/action.* files.
|
||||
|
||||
6) Previously, when an interface name appeared in the DEST column of
|
||||
/etc/shorewall/tcrules, the name was not validated against the set
|
||||
of defined interfaces and bridge ports.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
New Features in version 2.2.2
|
||||
|
||||
|
@ -21,9 +21,8 @@
|
||||
# DROP - silently drop the packet
|
||||
# logdrop - log then drop
|
||||
#
|
||||
# By default, the RETURN target in the 'rfc1918' causes 'norfc1918'
|
||||
# processing to cease for a packet if the packet's source IP address matches
|
||||
# the rule. Thus, if you have:
|
||||
# By default, the RETURN target causes 'norfc1918' processing to cease for a
|
||||
# packet if the packet's source IP address matches the rule. Thus, if you have:
|
||||
#
|
||||
# SUBNETS TARGET
|
||||
# 192.168.1.0/24 RETURN
|
||||
|