extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-19 17:28:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add 'tcpsyn'

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3480 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-02-12 20:45:57 +00:00
parent ec7fa4adcb
commit a42f0514de
4 changed files with 33 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/changelog.txt
View File

@ -65,3 +65,5 @@ Changes in 3.1.x.
29) Automatically use capabilities file when non-root. 29) Automatically use capabilities file when non-root.
30) Correct typo in help file ("help drop"). 30) Correct typo in help file ("help drop").
31) Added 'tcpsyn'

10
Shorewall/compiler
View File

@ -3755,7 +3755,10 @@ add_an_action()
case $proto in case $proto in
tcp|TCP|6) tcp|TCP|6)
do_ports do_ports
[ "$target" = QUEUE ] && proto="$proto --syn" ;;
tcpsyn)
proto="$proto --syn"
do_ports
;; ;;
udp|UDP|17) udp|UDP|17)
do_ports do_ports
@ -5171,7 +5174,10 @@ process_rule() # $1 = target
case $proto in case $proto in
tcp|TCP|6) tcp|TCP|6)
do_ports do_ports
[ "$target" = QUEUE -a $SECTION != ESTABLISHED ] && proto="$proto --syn" ;;
tcpsyn)
proto="tcp --syn"
do_ports
;; ;;
udp|UDP|17) udp|UDP|17)
do_ports do_ports

18
Shorewall/releasenotes.txt
View File

@ -90,6 +90,14 @@ Other changes in 3.1.6
For instructions about running shorecap, see the comments at the top For instructions about running shorecap, see the comments at the top
of the program file (it's a simple shell script). of the program file (it's a simple shell script).
5) In the /etc/shorewall/rules file and in actions, you may now specify
'tcpsyn' in the PROTO column. 'tcpsyn' is equivalent to 'tcp' but also
requires that the SYN flag is set and the RST, FIN and ACK flags be
off ("--syn" is added to the iptables rule).
As part of this change, Shorewall no longer adds the "--syn" option
to TCP rules that specify QUEUE as their target.
Migration Considerations: Migration Considerations:
1) A number of macros have been split into two. The macros affected are: 1) A number of macros have been split into two. The macros affected are:
@ -124,6 +132,16 @@ Migration Considerations:
Beginning with Shorewall 3.2.0, the special exclusion syntax will no Beginning with Shorewall 3.2.0, the special exclusion syntax will no
longer be supported. longer be supported.
3) Important if you use the QUEUE target.
In the /etc/shorewall/rules file and in actions, you may now specify
'tcpsyn' in the PROTO column. 'tcpsyn' is equivalent to 'tcp' but also
requires that the SYN flag is set and the RST, FIN and ACK flags be
off ("--syn" is added to the iptables rule).
As part of this change, Shorewall no longer adds the "--syn" option
to TCP rules that specify QUEUE as their target.
New Features: New Features:
1) A new 'shorewall compile' command has been added. 1) A new 'shorewall compile' command has been added.

7
Shorewall/rules
View File

@ -267,10 +267,13 @@
# contain the port number on the firewall that the # contain the port number on the firewall that the
# request should be redirected to. # request should be redirected to.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", # PROTO Protocol - Must be "tcp", "tcpsyn", "udp", "icmp",
# "ipp2p:udp", "ipp2p:all" a number, or "all". # "ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all".
# "ipp2p*" requires ipp2p match support in your kernel # "ipp2p*" requires ipp2p match support in your kernel
# and iptables. # and iptables.
#
"tcpsyn" implies "tcp" plus the SYN flag must be
set and the RST,ACK and FIN flags must be reset.
# #
# DEST PORT(S) Destination Ports. A comma-separated list of Port # DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port