Allow list in the SUBNET column of the rfc1918 file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1728 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-10-26 15:26:13 +00:00
parent dce7281692
commit b551db1f5e
4 changed files with 26 additions and 19 deletions


@ -121,3 +121,4 @@ Changes since 2.0.3
58) Clarification of the 'ipsec' hosts file option. 58) Clarification of the 'ipsec' hosts file option.
59) Allow list in the SUBNET column of the rfc1918 file.


@ -1986,7 +1986,6 @@ setup_mac_lists() {
# #
# Process the maclist file producing the verification rules # Process the maclist file producing the verification rules
# #
while read interface mac addresses; do while read interface mac addresses; do
expandv interface mac addresses expandv interface mac addresses
@ -5834,20 +5833,22 @@ add_common_rules() {
;; ;;
esac esac
run_iptables2 -A norfc1918 $(source_ip_range $networks) -j $target for network in $(separate_list $networks); do
run_iptables2 -A norfc1918 $(source_ip_range $network) -j $target
if [ -n "$CONNTRACK_MATCH" ]; then
# if [ -n "$CONNTRACK_MATCH" ]; then
# We have connection tracking match -- match on the original destination #
# # We have connection tracking match -- match on the original destination
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $networks -j $target #
elif [ -n "$MANGLE_ENABLED" ]; then run_iptables2 -A norfc1918 -m conntrack --ctorigdst $network -j $target
# elif [ -n "$MANGLE_ENABLED" ]; then
# No connection tracking match but we have mangling -- add a rule to #
# the mangle table # No connection tracking match but we have mangling -- add a rule to
# # the mangle table
run_iptables2 -t mangle -A man1918 $(dest_ip_range $networks) -j $target #
fi run_iptables2 -t mangle -A man1918 $(dest_ip_range $network) -j $target
fi
done
done < $TMP_DIR/rfc1918 done < $TMP_DIR/rfc1918
for host in $hosts; do for host in $hosts; do
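Review bot: An empty SUBNETS column now produces no rule at all: when `$networks` is blank, `$(separate_list $networks)` expands to nothing and the body of the new `for network in …` loop never runs, so the entry is accepted without installing any norfc1918 or man1918 rule, whereas the replaced single-statement form would presumably have handed the empty value to `source_ip_range` and failed visibly. A guard before the loop, `[ -n "$networks" ] || fatal_error "Empty SUBNETS column in $TMP_DIR/rfc1918"`, keeps a malformed entry from silently disabling the intended filtering. The same reasoning applies to any token `separate_list` yields that is not a subnet, host or range; whether it validates its input is not visible here. The enclosing `while read … done < $TMP_DIR/rfc1918` loop and the `case` closed by the `esac` at the top of the hunk begin outside the hunk.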


@ -640,3 +640,7 @@ New Features:
DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL
BE SENT TO ANOTHER SYSTEM. BE SENT TO ANOTHER SYSTEM.
26) The SUBNET column in /etc/shorewall/rfc1918 has been renamed
SUBNETS and it is now possible to specify a list of addresses in
that column.


@ -1,5 +1,5 @@
# #
# Shorewall 2.1 -- RFC1918 File # Shorewall 2.2 -- RFC1918 File
# #
# /etc/shorewall/rfc1918 # /etc/shorewall/rfc1918
# #
@ -12,16 +12,17 @@
# #
# Columns are: # Columns are:
# #
# SUBNET The subnet (host addresses also allowed as are IP # SUBNETS A comma-separated list of subnet addresses
(host addresses also allowed as are IP
# address ranges provided that your kernel and iptables # address ranges provided that your kernel and iptables
# have iprange match support). # have iprange match support).
# TARGET Where to send packets to/from this subnet # TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally # RETURN - let the packet be processed normally
# DROP - silently drop the packet # DROP - silently drop the packet
# logdrop - log then drop # logdrop - log then drop
# #
############################################################################### ###############################################################################
#SUBNET TARGET #SUBNETS TARGET
172.16.0.0/12 logdrop # RFC 1918 172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918 192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918 10.0.0.0/8 logdrop # RFC 1918