fix TCP_FLAGS_DISPOSITION=REJECT in trunk

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9390 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-02-01 18:49:26 +00:00
parent 555636bff8
commit ba14c45cf4
4 changed files with 48 additions and 19 deletions


@ -27,30 +27,30 @@
# #
FAMILY=4 FAMILY=4
# #
# The commands to run when the status of a line changes. Both commands will be executed. # The command to run when the status of a line changes. Can include multiple commands
# separated by semicolons (";").
# #
COMMANDA= COMMAND=
COMMANDB="ip -$FAMILY route ls"
if [ $FAMILY -eq 4 ]; then if [ $FAMILY -eq 4 ]; then
if [ -f /usr/share/shorewall-lite/lib.base ]; then if [ -f /usr/share/shorewall-lite/lib.base ]; then
. /usr/share/shorewall-lite/lib.base . /usr/share/shorewall-lite/lib.base
[ -f /etc/shorewall-lite/params ] && . /etc/shorewall-lite/params [ -f /etc/shorewall-lite/params ] && . /etc/shorewall-lite/params
[ -n "${COMMANDA:="/sbin/shorewall-lite restart"}" ] [ -n "${COMMAND:="/sbin/shorewall-lite restart; /sbin/ip -4 route ls"}" ]
elif [ -f /usr/share/shorewall/lib.base ]; then elif [ -f /usr/share/shorewall/lib.base ]; then
. /usr/share/shorewall/lib.base . /usr/share/shorewall/lib.base
[ -f /etc/shorewall/params ] && . /etc/shorewall/params [ -f /etc/shorewall/params ] && . /etc/shorewall/params
[ -n "${COMMANDA:="/sbin/shorewall restart -f"}" ] [ -n "${COMMAND:="/sbin/shorewall restart -f; /sbin/ip -4 route ls"}" ]
fi fi
else else
if [ -f /usr/share/shorewall6-lite/lib.base ]; then if [ -f /usr/share/shorewall6-lite/lib.base ]; then
. /usr/share/shorewall6-lite/lib.base . /usr/share/shorewall6-lite/lib.base
[ -f /etc/shorewall6-lite/params ] && . /etc/shorewall6-lite/params [ -f /etc/shorewall6-lite/params ] && . /etc/shorewall6-lite/params
[ -n "${COMMANDA:="/sbin/shorewall6-lite restart"}" ] [ -n "${COMMAND:="/sbin/shorewall6-lite restart; /sbin/ip -4 route ls"}" ]
elif [ -f /usr/share/shorewall6/lib.base ]; then elif [ -f /usr/share/shorewall6/lib.base ]; then
. /usr/share/shorewal6l/lib.base . /usr/share/shorewal6l/lib.base
[ -f /etc/shorewall6/params ] && . /etc/shorewall6/params [ -f /etc/shorewall6/params ] && . /etc/shorewall6/params
[ -n "${COMMANDA:="/sbin/shorewall6 restart -f"}" ] [ -n "${COMMAND:="/sbin/shorewall6 restart -f; /sbin/ip -4 route ls"}" ]
fi fi
fi fi
# #
@ -59,7 +59,9 @@ fi
IF1=eth0 IF1=eth0
IF2=eth1 IF2=eth1
# #
# Sites to Ping. Must depend only on routes in the 'main' routing table. # Sites to Ping. Must depend only on routes in the 'main' routing table. If not specified,
# the interface is assumed to be managed by dhcpcd and the script uses the gateway address
# from /var/lib/dhcpcd/dhcpcd-${IFx}.info
# #
TARGET1=xxx.xxx.xxx.xxx TARGET1=xxx.xxx.xxx.xxx
TARGET2=yyy.yyy.yyy.yyy TARGET2=yyy.yyy.yyy.yyy
@ -100,6 +102,19 @@ count1=0
count2=0 count2=0
[ $FAMILY -eq 4 ] && ping=ping || ping=ping6 [ $FAMILY -eq 4 ] && ping=ping || ping=ping6
#################################################################################################
# Determine the GATEWAY of a DHCP interface
#################################################################################################
get_target() {
local GATEWAYS
GATEWAYS=
if [ -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
eval $(grep ^GATEWAYS= /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && echo $GATEWAYS
fi
}
# #
# Script starts here # Script starts here
# #
@ -107,7 +122,15 @@ rm -f $STATEDIR/${IF1}.status
rm -f $STATEDIR/${IF2}.status rm -f $STATEDIR/${IF2}.status
while : ; do while : ; do
$ping -n -W $PING_TIMEOUT -I $IF1 -c 1 $TARGET1 > /dev/null 2>&1 && current_if1_ping=0 || current_if1_ping=1 target=$TARGET1
[ -n "$target" ] || target=$(get_target $IF1)
if [ -n "$target" ]; then
$ping -n -W $PING_TIMEOUT -I $IF1 -c 1 $target > /dev/null 2>&1 && current_if1_ping=0 || current_if1_ping=1
else
current_if1_ping=1
fi
if [ $current_if1_ping -ne $last_if1_ping ]; then if [ $current_if1_ping -ne $last_if1_ping ]; then
last_if1_ping=$current_if1_ping last_if1_ping=$current_if1_ping
@ -141,7 +164,15 @@ while : ; do
;; ;;
esac esac
$ping -n -W $PING_TIMEOUT -I $IF2 -c 1 $TARGET2 > /dev/null 2>&1 && current_if2_ping=0 || current_if2_ping=1 target=$TARGET2
[ -n "$target" ] || target=$(get_target $IF2)
if [ -n "$target" ]; then
$ping -n -W $PING_TIMEOUT -I $IF2 -c 1 $target > /dev/null 2>&1 && current_if2_ping=0 || current_if2_ping=1
else
current_if2_ping=1
fi
if [ $current_if2_ping -ne $last_if2_ping ]; then if [ $current_if2_ping -ne $last_if2_ping ]; then
last_if2_ping=$current_if2_ping last_if2_ping=$current_if2_ping
@ -181,8 +212,7 @@ while : ; do
# #
echo $if1_state > /etc/shorewall/${IF1}.status echo $if1_state > /etc/shorewall/${IF1}.status
echo $if2_state > /etc/shorewall/${IF2}.status echo $if2_state > /etc/shorewall/${IF2}.status
$COMMANDA eval $COMMAND
$COMMANDB
state_changed= state_changed=
fi fi
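Review bot: The IPv6 branch still defaults to an IPv4 route listing: the new COMMAND defaults on the shorewall6-lite and shorewall6 lines read `/sbin/ip -4 route ls` although that branch is only reached when FAMILY is not 4, so `/sbin/ip -6 route ls` (or `-$FAMILY`) is presumably intended there. The new get_target() executes part of the dhcpcd info file with `eval $(grep ^GATEWAYS= ...)`; the values in that file originate from the DHCP lease rather than from local configuration, so extracting the assignment with sed or parameter expansion and stripping the quotes, instead of evaluating it as shell, would be the safer reading, and the result should be quoted where it is passed on (`$ping -n -W $PING_TIMEOUT -I $IF1 -c 1 "$target"`). The unchanged context line `. /usr/share/shorewal6l/lib.base` also looks like a typo for shorewall6, though it predates this commit. The `while : ; do` loop that the new target blocks sit in starts and ends outside the hunks shown.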


@ -263,7 +263,6 @@ sub add_a_provider( $$$$$$$$ ) {
my $base = uc chain_base $interface; my $base = uc chain_base $interface;
if ( $gateway eq 'detect' ) { if ( $gateway eq 'detect' ) {
fatal_error "'detect' is not allowed with USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared; fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
$gateway = get_interface_gateway $interface; $gateway = get_interface_gateway $interface;
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) ); start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
@ -427,7 +426,7 @@ sub add_a_provider( $$$$$$$$ ) {
if ( $loose ) { if ( $loose ) {
if ( $config{DELETE_THEN_ADD} ) { if ( $config{DELETE_THEN_ADD} ) {
emit ( "\nfind_interface_addresses $interface | while read address; do", emit ( "\nfind_interface_addresses $interface | while read address; do",
" qt ip -$family rule del from $address", " qt ip -$family rule del from \$address",
'done' 'done'
); );
} }
@ -441,7 +440,7 @@ sub add_a_provider( $$$$$$$$ ) {
emit "\nrulenum=0\n"; emit "\nrulenum=0\n";
emit ( "find_interface_addresses $interface | while read address; do" ); emit ( "find_interface_addresses $interface | while read address; do" );
emit ( " qt ip $family rule del from $address" ) if $config{DELETE_THEN_ADD}; emit ( " qt ip -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number", emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
" echo \"qt ip -$family rule del from \$address\" >> \${VARDIR}/undo_routing", " echo \"qt ip -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
' rulenum=$(($rulenum + 1))', ' rulenum=$(($rulenum + 1))',
@ -568,7 +567,7 @@ sub setup_providers() {
fatal_error "A non-empty providers file is not permitted with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED}; fatal_error "A non-empty providers file is not permitted with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
emit "\nif [ -z \"\$NORTC\" ]; then"; emit "\nif [ -z \"\$NOROUTES\" ]; then";
push_indent; push_indent;
@ -714,7 +713,7 @@ sub setup_providers() {
emit "\nundo_routing"; emit "\nundo_routing";
emit 'restore_default_route'; emit 'restore_default_route';
if ( $config{NULL_ROUTE_RFC1918} ) { if ( $config{NULL_ROUTE_RFC1918} ) {
emit "\nif [ -z \"\$NORTC\" ]; then"; emit "\nif [ -z \"\$NOROUTES\" ]; then";
push_indent; push_indent;
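Review bot: The emit strings in the two `find_interface_addresses $interface | while read address` hunks mix Perl interpolation (`$interface`, `$family`) with a shell variable that has to reach the generated script as a literal `$address`; this commit fixes two places where it was interpolated at compile time, and a short comment on the first emit, e.g. `# \$address is expanded by the generated shell script, not by Perl`, would keep the next editor from reintroducing the same slip. The NORTC → NOROUTES rename is visible only in the two emitted `if [ -z "$..." ]` tests; if the place where the generated script sets or exports that variable is not part of this diff, confirm it was renamed as well, since an unset NOROUTES makes both guarded blocks run unconditionally. Both hunks lie inside add_a_provider() and setup_providers(), whose bodies extend beyond what is shown.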


@ -663,7 +663,7 @@ sub add_common_rules() {
$globals{LOGPARMS} = $savelogparms; $globals{LOGPARMS} = $savelogparms;
if ( $config{TCP_FLAGS_DISPOSITION} eq 'REJECT' ) { if ( $config{TCP_FLAGS_DISPOSITION} eq 'REJECT' ) {
add_rule $logflagsref , '-j REJECT --reject-with tcp-reset'; add_rule $logflagsref , '-p 6 -j REJECT --reject-with tcp-reset';
} else { } else {
add_rule $logflagsref , "-j $config{TCP_FLAGS_DISPOSITION}"; add_rule $logflagsref , "-j $config{TCP_FLAGS_DISPOSITION}";
} }
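Review bot: The REJECT rule here gains `-p 6` while the same fix in the compiler shell hunk below (`run_iptables -A logflags -p tcp -j REJECT --reject-with tcp-reset`) spells it `-p tcp`; iptables accepts both, but one spelling keeps the generated rulesets consistent and easy to search, and `-p tcp` matches the other occurrence. A why-comment would also help, because the protocol match is not self-explanatory: `# --reject-with tcp-reset is only valid for TCP, so the protocol must be matched explicitly`. add_common_rules() continues outside the hunk.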


@ -3882,7 +3882,7 @@ __EOF__
case $TCP_FLAGS_DISPOSITION in case $TCP_FLAGS_DISPOSITION in
REJECT) REJECT)
run_iptables -A logflags -j REJECT --reject-with tcp-reset run_iptables -A logflags -p tcp -j REJECT --reject-with tcp-reset
;; ;;
*) *)
run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION