From a42f0514de7d0e9696303b0265b6f588c9f75466 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sun, 12 Feb 2006 20:45:57 +0000
Subject: [PATCH] Add 'tcpsyn'

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3480 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/compiler | 10 ++++++++--
 Shorewall/releasenotes.txt | 18 ++++++++++++++++++
 Shorewall/rules | 7 +++++--
 4 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 50bb2e0dc..5d7cb040f 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -65,3 +65,5 @@ Changes in 3.1.x.
 29) Automatically use capabilities file when non-root.
 30) Correct typo in help file ("help drop").
+
+31) Added 'tcpsyn'
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 264b07956..f0bf9ed2f 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -3755,7 +3755,10 @@ add_an_action()
 case $proto in
 tcp|TCP|6)
 do_ports
- [ "$target" = QUEUE ] && proto="$proto --syn"
+ ;;
+ tcpsyn)
+ proto="$proto --syn"
+ do_ports
 ;;
 udp|UDP|17)
 do_ports
@@ -5171,7 +5174,10 @@ process_rule() # $1 = target
 case $proto in
 tcp|TCP|6)
 do_ports
- [ "$target" = QUEUE -a $SECTION != ESTABLISHED ] && proto="$proto --syn"
+ ;;
+ tcpsyn)
+ proto="tcp --syn"
+ do_ports
 ;;
 udp|UDP|17)
 do_ports
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 8886e2054..7bb8285e6 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
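Review bot: In the add_an_action hunk the new `tcpsyn)` branch sets `proto="$proto --syn"`, which leaves `$proto` as `tcpsyn --syn`, while the process_rule hunk writes `proto="tcp --syn"`; unless do_ports (outside the hunk) rewrites the name, the action path will emit `-p tcpsyn`, which is not a protocol name iptables accepts, so the generated rule would fail to load. Change the add_an_action line to `proto="tcp --syn"` so both paths produce the same match. Two smaller points: the `tcpsyn` pattern is case-sensitive while the sibling `tcp|TCP|6` pattern also accepts `TCP`, and the removed process_rule check excluded the ESTABLISHED section, so a `tcpsyn` rule placed there now gets `--syn` unconditionally and would only ever match connection-opening packets — if that is intended, a comment at the `tcpsyn)` case (or a compile-time warning) would save the next reader the question. Both `case` statements continue outside the hunks.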
@@ -90,6 +90,14 @@ Other changes in 3.1.6
 For instructions about running shorecap, see the comments at the top of the program file (it's a simple shell script).
+5) In the /etc/shorewall/rules file and in actions, you may now specify
+ 'tcpsyn' in the PROTO column. 'tcpsyn' is equivalent to 'tcp' but also
+ requires that the SYN flag is set and the RST, FIN and ACK flags be
+ off ("--syn" is added to the iptables rule).
+
+ As part of this change, Shorewall no longer adds the "--syn" option
+ to TCP rules that specify QUEUE as their target.
+
 Migration Considerations:
 1) A number of macros have been split into two. The macros affected are:
@@ -124,6 +132,16 @@ Migration Considerations:
 Beginning with Shorewall 3.2.0, the special exclusion syntax will no longer be supported.
+3) Important if you use the QUEUE target.
+
+ In the /etc/shorewall/rules file and in actions, you may now specify
+ 'tcpsyn' in the PROTO column. 'tcpsyn' is equivalent to 'tcp' but also
+ requires that the SYN flag is set and the RST, FIN and ACK flags be
+ off ("--syn" is added to the iptables rule).
+
+ As part of this change, Shorewall no longer adds the "--syn" option
+ to TCP rules that specify QUEUE as their target.
+
 New Features:
 1) A new 'shorewall compile' command has been added.
diff --git a/Shorewall/rules b/Shorewall/rules
index 9f9173550..daa9dc706 100755
--- a/Shorewall/rules
+++ b/Shorewall/rules
@@ -267,10 +267,13 @@
 # contain the port number on the firewall that the
 # request should be redirected to.
 #
-# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-# "ipp2p:udp", "ipp2p:all" a number, or "all".
+# PROTO Protocol - Must be "tcp", "tcpsyn", "udp", "icmp",
+# "ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all".
 # "ipp2p*" requires ipp2p match support in your kernel
 # and iptables.
+#
+ "tcpsyn" implies "tcp" plus the SYN flag must be
+ set and the RST,ACK and FIN flags must be reset.
 #
 # DEST PORT(S) Destination Ports. A comma-separated list of Port
 # names (from /etc/services), port numbers or port