Remove ESTABLISHED policy stuff in preparation for sectioned rules file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2562 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-08-26 17:16:09 +00:00
parent 0b6defddfd
commit b800346eea
2 changed files with 10 additions and 69 deletions


@ -1442,26 +1442,6 @@ validate_policy()
fi fi
esac esac
case $policy in
*:*)
[ -n "$FASTACCEPT" ] && \
startup_error "ESTABLISHED policy may not be specified with FASTACCEPT=Yes in shorewall.conf"
epolicy=${policy#*:}
policy=${policy%:*}
case $epolicy in
ACCEPT|QUEUE)
;;
*)
startup_error "$client $server $policy $loglevel $synparams: Invalid ESTABLISHED policy: $epolicy"
;;
esac
;;
*)
epolicy=ACCEPT
;;
esac
case $policy in case $policy in
ACCEPT|REJECT|DROP|CONTINUE|QUEUE) ACCEPT|REJECT|DROP|CONTINUE|QUEUE)
;; ;;
@ -1489,7 +1469,6 @@ validate_policy()
[ "x$loglevel" = "x-" ] && loglevel= [ "x$loglevel" = "x-" ] && loglevel=
[ "x$synparms" = "x-" ] && synparms= [ "x$synparms" = "x-" ] && synparms=
[ "x$epolicy" = "x-" ] && epolicy=
[ $policy = NONE ] || ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain" [ $policy = NONE ] || ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
@ -1497,7 +1476,6 @@ validate_policy()
eval ${chain}_policy=$policy eval ${chain}_policy=$policy
eval ${chain}_loglevel=$loglevel eval ${chain}_loglevel=$loglevel
eval ${chain}_synparams=$synparams eval ${chain}_synparams=$synparams
eval ${chain}_epolicy=$epolicy
if [ -n "${clientwild}" ]; then if [ -n "${clientwild}" ]; then
if [ -n "${serverwild}" ]; then if [ -n "${serverwild}" ]; then
@ -6098,21 +6076,10 @@ display_list() # $1 = List Title, rest of $* = list to display
policy_rules() # $1 = chain to add rules to policy_rules() # $1 = chain to add rules to
# $2 = policy # $2 = policy
# $3 = E/R Policy # $3 = loglevel
# $4 = loglevel
{ {
local target="$2" local target="$2"
[ -n "$FASTACCEPT" ] || case $3 in
QUEUE)
run_iptables -I $1 -m state --state RELATED -j ACCEPT
run_iptables -I $1 -m state --state ESTABLISHED -j QUEUE
;;
ACCEPT)
run_iptables -I $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
;;
esac
case "$target" in case "$target" in
ACCEPT) ACCEPT)
[ -n "$ACCEPT_common" ] && run_iptables -A $1 -j $ACCEPT_common [ -n "$ACCEPT_common" ] && run_iptables -A $1 -j $ACCEPT_common
@ -6135,8 +6102,8 @@ policy_rules() # $1 = chain to add rules to
;; ;;
esac esac
if [ $# -eq 4 -a "x${4}" != "x-" ]; then if [ $# -eq 3 -a "x${3}" != "x-" ]; then
log_rule $4 $1 $2 log_rule $3 $1 $2
fi fi
[ -n "$target" ] && run_iptables -A $1 -j $target [ -n "$target" ] && run_iptables -A $1 -j $target
@ -6160,23 +6127,10 @@ default_policy() # $1 = client $2 = server
local chain1 local chain1
jump_to_policy_chain() { jump_to_policy_chain() {
#
# Insert a rule of ESTABLISHED,RELATED packets at the head of the
# canonical chain.
# #
# Add a jump to from the canonical chain to the policy chain. On return, # Add a jump to from the canonical chain to the policy chain. On return,
# $chain is set to the name of the policy chain # $chain is set to the name of the policy chain
# #
[ -n "$FASTACCEPT" ] || case $epolicy in
QUEUE)
run_iptables -I $chain -m state --state RELATED -j ACCEPT
run_iptables -I $chain -m state --state ESTABLISHED -j QUEUE
;;
ACCEPT)
run_iptables -I $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
;;
esac
run_iptables -A $chain -j $chain1 run_iptables -A $chain -j $chain1
chain=$chain1 chain=$chain1
} }
@ -6189,7 +6143,6 @@ default_policy() # $1 = client $2 = server
eval policy=\$${chain1}_policy eval policy=\$${chain1}_policy
eval loglevel=\$${chain1}_loglevel eval loglevel=\$${chain1}_loglevel
eval synparams=\$${chain1}_synparams eval synparams=\$${chain1}_synparams
eval epolicy=\$${chain1}_epolicy
# #
# Add the appropriate rules to the canonical chain ($chain) to enforce # Add the appropriate rules to the canonical chain ($chain) to enforce
# the specified policy # the specified policy
@ -6199,7 +6152,7 @@ default_policy() # $1 = client $2 = server
# The policy chain is the canonical chain; add policy rule to it # The policy chain is the canonical chain; add policy rule to it
# The syn flood jump has already been added if required. # The syn flood jump has already been added if required.
# #
policy_rules $chain $policy $epolicy $loglevel policy_rules $chain $policy $loglevel
else else
# #
# The policy chain is different from the canonical chain -- approach # The policy chain is different from the canonical chain -- approach
@ -6213,7 +6166,7 @@ default_policy() # $1 = client $2 = server
# in this chain. # in this chain.
# #
enable_syn_flood_protection $chain $chain1 enable_syn_flood_protection $chain $chain1
policy_rules $chain $policy $epolicy $loglevel policy_rules $chain $policy $loglevel
else else
# #
# No problem with double-counting so just jump to the # No problem with double-counting so just jump to the
@ -6229,7 +6182,7 @@ default_policy() # $1 = client $2 = server
# #
[ -n "$synparams" ] && \ [ -n "$synparams" ] && \
enable_syn_flood_protection $chain $chain1 enable_syn_flood_protection $chain $chain1
policy_rules $chain $policy $epolicy $loglevel policy_rules $chain $policy $loglevel
;; ;;
*) *)
# #
@ -7746,15 +7699,13 @@ apply_policy_rules() {
eval policy=\$${chain}_policy eval policy=\$${chain}_policy
eval loglevel=\$${chain}_loglevel eval loglevel=\$${chain}_loglevel
eval synparams=\$${chain}_synparams eval synparams=\$${chain}_synparams
eval epolicy=\$${chain}_epolicy
eval optional=\$${chain}_is_optional eval optional=\$${chain}_is_optional
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
if havechain $chain; then if havechain $chain; then
[ "$epolicy" = ACCEPT ] && ordinal=2 || ordinal=3
[ -n "$synparams" ] && \ [ -n "$synparams" ] && \
run_iptables -I $chain $ordinal -p tcp --syn -j @$chain run_iptables -I $chain 2 -p tcp --syn -j @$chain ### FIX ME ###
elif [ -z "$optional" -a "$policy" != CONTINUE ]; then elif [ -z "$optional" -a "$policy" != CONTINUE ]; then
# #
# The chain doesn't exist. Create the chain and add policy # The chain doesn't exist. Create the chain and add policy
@ -7779,7 +7730,7 @@ apply_policy_rules() {
case $chain in case $chain in
all2*|*2all) all2*|*2all)
policy_rules $chain $policy $epolicy $loglevel policy_rules $chain $policy $loglevel
;; ;;
esac esac
fi fi
@ -8771,6 +8722,8 @@ do_initialize() {
STOPPING= STOPPING=
HAVE_MUTEX= HAVE_MUTEX=
ALIASES_TO_ADD= ALIASES_TO_ADD=
SECTION=
SECTIONS=
FUNCTIONS=$SHARED_DIR/functions FUNCTIONS=$SHARED_DIR/functions
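Review bot: The hard-coded insertion index in apply_policy_rules, `run_iptables -I $chain 2 -p tcp --syn -j @$chain ### FIX ME ###`, now assumes something other than this code occupies slot 1 of the policy chain; the old ordinal (2 or 3) was derived from the ESTABLISHED/RELATED accept rules that policy_rules and jump_to_policy_chain no longer insert, so on a chain holding fewer than one rule the iptables call fails with an index error, and otherwise whatever the rules file put at position 1 is evaluated on SYN packets before the syn-flood rate-limit chain. Until the sectioned rules file supplies the ESTABLISHED section, either insert at `1` or compute the ordinal from the chain contents, and replace the `### FIX ME ###` marker with a comment stating which rule the jump is expected to follow. Note also that, with the `--state ESTABLISHED,RELATED -j ACCEPT` insertion gone from both call sites and FASTACCEPT unset, reply packets of accepted connections are now evaluated by the policy target, so DROP/REJECT policies break return traffic in this intermediate state; that seems intended for a transitional commit but is worth stating in the commit message. apply_policy_rules and default_policy both begin and end outside the hunks shown here.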


@ -61,18 +61,6 @@
# will be invoked before the policy named in this column # will be invoked before the policy named in this column
# is enforced. # is enforced.
# #
# The policy determined the default treatment of new
# connection requests and may optionally be followed by
# ":" and an ESTABLISHED policy which determines what
# is to be done with packets that are part of an
# established connection. The choices are ACCEPT (the
# default) and QUEUE (to queue the packet to a
# user-space filter like Snort Inline).
#
# WARNING: You may not specify an ESTABLISHED policy if
# you have set FASTACCEPT=Yes in
# /etc/shorewall/shorewall.conf.
#
# LOG LEVEL If supplied, each connection handled under the default # LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no # POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a # log message is generated. See syslog.conf(5) for a