Log 'norfc1918'

packets out of 'rfc1918' chains


git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@792 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-11-27 18:39:11 +00:00
parent a3eaa7f9af
commit 9fde389c31
3 changed files with 21 additions and 11 deletions


@ -7,3 +7,5 @@ Changes since 1.4.8
3) Change wording in release notes. 3) Change wording in release notes.
4) Move ip_forward handling to a function. 4) Move ip_forward handling to a function.
5) Change 'norfc1918' logging to log out of chains named 'rfc1918'.


@ -4088,13 +4088,13 @@ add_common_rules() {
strip_file rfc1918 strip_file rfc1918
createchain rfc1918 no createchain norfc1918 no
createchain logdrop no createchain rfc1918 no
log_rule $RFC1918_LOG_LEVEL logdrop DROP log_rule $RFC1918_LOG_LEVEL rfc1918 DROP
run_iptables -A logdrop -j DROP run_iptables -A rfc1918 -j DROP
if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
# #
@ -4106,27 +4106,30 @@ add_common_rules() {
# Also add a chain to log and drop any RFC1918 packets that we find # Also add a chain to log and drop any RFC1918 packets that we find
# #
run_iptables -t mangle -N man1918 run_iptables -t mangle -N man1918
run_iptables -t mangle -N logdrop run_iptables -t mangle -N rfc1918
log_rule $RFC1918_LOG_LEVEL logdrop DROP -t mangle log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle
run_iptables -t mangle -A logdrop -j DROP run_iptables -t mangle -A rfc1918 -j DROP
fi fi
while read subnet target; do while read subnet target; do
case $target in case $target in
logdrop|DROP|RETURN) logdrop)
target=rfc1918
;;
DROP|RETURN)
;; ;;
*) *)
fatal_error "Invalid target ($target) for $subnet" fatal_error "Invalid target ($target) for $subnet"
;; ;;
esac esac
run_iptables2 -A rfc1918 -s $subnet -j $target run_iptables2 -A norfc1918 -s $subnet -j $target
if [ -n "$CONNTRACK_MATCH" ]; then if [ -n "$CONNTRACK_MATCH" ]; then
# #
# We have connection tracking match -- match on the original destination # We have connection tracking match -- match on the original destination
# #
run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target run_iptables2 -A norfc1918 -m conntrack --ctorigdst $subnet -j $target
elif [ -n "$MANGLE_ENABLED" ]; then elif [ -n "$MANGLE_ENABLED" ]; then
# #
# No connection tracking match but we have mangling -- add a rule to # No connection tracking match but we have mangling -- add a rule to
@ -4138,7 +4141,7 @@ add_common_rules() {
for interface in $norfc1918_interfaces; do for interface in $norfc1918_interfaces; do
for chain in `first_chains $interface`; do for chain in `first_chains $interface`; do
run_iptables -A $chain -m state --state NEW -j rfc1918 run_iptables -A $chain -m state --state NEW -j norfc1918
done done
[ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \ [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
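Review bot: The new `logdrop) target=rfc1918 ;;` arm silently rewrites a user-supplied target into an internal chain name and nothing in the hunk says why, so a one-line comment there would spare the next reader a search, e.g. `# 'logdrop' is still accepted in the rfc1918 file but now jumps to the renamed log-and-drop chain 'rfc1918'`. Since `createchain logdrop no` is removed from the filter table and `-N logdrop` from the mangle table, any rule elsewhere in the file that still jumps to `logdrop` would make that iptables call fail at start-up; the mangle-table rules behind `man1918` look like a candidate but are cut off at the end of the section, so a search of the file for the old chain name is worth doing before merging. The rules added on the new side keep `$subnet` and `$target` unquoted, which matches the surrounding code but means a malformed entry in the rfc1918 file is split into extra iptables arguments rather than rejected by the `case`. add_common_rules starts and ends outside the hunks.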


@ -17,6 +17,11 @@ New Features:
stealthed?" questions, the SMB-related rules in stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to 'DROP'. /etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
2) For easier identification, packets logged under the 'norfc1918'
interface option are now logged out of chains named
'rfc1918'. Previously, such packets were logged under chains named
'logdrop'.