Get changes from 4.5.0 branch
parent
586a3537bf
commit
bac640e731
@ -447,7 +447,7 @@ sub initialize( $ ) {
|
|||||||
LOG_MARTIANS => undef,
|
LOG_MARTIANS => undef,
|
||||||
LOG_VERBOSITY => undef,
|
LOG_VERBOSITY => undef,
|
||||||
STARTUP_LOG => undef,
|
STARTUP_LOG => undef,
|
||||||
FILTER_LOG_LEVEL => undef,
|
SFILTER_LOG_LEVEL => undef,
|
||||||
#
|
#
|
||||||
# Location of Files
|
# Location of Files
|
||||||
#
|
#
|
||||||
@ -551,7 +551,7 @@ sub initialize( $ ) {
|
|||||||
TCP_FLAGS_DISPOSITION => undef,
|
TCP_FLAGS_DISPOSITION => undef,
|
||||||
BLACKLIST_DISPOSITION => undef,
|
BLACKLIST_DISPOSITION => undef,
|
||||||
SMURF_DISPOSITION => undef,
|
SMURF_DISPOSITION => undef,
|
||||||
FILTER_DISPOSITION => undef,
|
SFILTER_DISPOSITION => undef,
|
||||||
#
|
#
|
||||||
# Mark Geometry
|
# Mark Geometry
|
||||||
#
|
#
|
||||||
@ -3379,13 +3379,13 @@ sub get_configuration( $ ) {
|
|||||||
default_log_level 'SMURF_LOG_LEVEL', '';
|
default_log_level 'SMURF_LOG_LEVEL', '';
|
||||||
default_log_level 'LOGALLNEW', '';
|
default_log_level 'LOGALLNEW', '';
|
||||||
|
|
||||||
default_log_level 'FILTER_LOG_LEVEL', 'info';
|
default_log_level 'SFILTER_LOG_LEVEL', 'info';
|
||||||
|
|
||||||
if ( $val = $config{FILTER_DISPOSITION} ) {
|
if ( $val = $config{SFILTER_DISPOSITION} ) {
|
||||||
fatal_error "Invalid FILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
|
fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
|
||||||
require_capability 'AUDIT_TARGET' , "FILTER_DISPOSITION=$val", 's' if $1;
|
require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
|
||||||
} else {
|
} else {
|
||||||
$config{FILTER_DISPOSITION} = 'DROP';
|
$config{SFILTER_DISPOSITION} = 'DROP';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $val = $config{MACLIST_DISPOSITION} ) {
|
if ( $val = $config{MACLIST_DISPOSITION} ) {
|
||||||
|
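Review bot: The renamed settings have no fallback for the old names in these hunks: `get_configuration` now reads only `$config{SFILTER_DISPOSITION}` and `SFILTER_LOG_LEVEL`, and the `else` branch sets `DROP` whenever the new key is empty. A configuration that still carries `FILTER_DISPOSITION=A_DROP` or `REJECT` would lose its audit or reject behaviour without notice, unless the loader (outside this view) rejects the unknown key. The same concern applies to the `filter` interface option replaced by `sfilter` in the later `initialize` and `process_interface` hunks. I would make the old spelling a hard error rather than ignore it, and at minimum add a comment above the `if`, such as `# Renamed from FILTER_DISPOSITION; the old name is no longer read`. `get_configuration` starts and ends outside the hunk.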
@ -489,12 +489,12 @@ sub add_common_rules() {
|
|||||||
add_rule( $filter_table->{$_} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT OUTPUT );
|
add_rule( $filter_table->{$_} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT OUTPUT );
|
||||||
}
|
}
|
||||||
|
|
||||||
my $policy = $config{FILTER_DISPOSITION};
|
my $policy = $config{SFILTER_DISPOSITION};
|
||||||
$level = $config{FILTER_LOG_LEVEL};
|
$level = $config{SFILTER_LOG_LEVEL};
|
||||||
my $audit = $policy =~ s/^A_//;
|
my $audit = $policy =~ s/^A_//;
|
||||||
|
|
||||||
if ( $level || $audit ) {
|
if ( $level || $audit ) {
|
||||||
$chainref = new_standard_chain 'filter';
|
$chainref = new_standard_chain 'sfilter';
|
||||||
|
|
||||||
log_rule $level , $chainref , $policy , '' if $level ne '';
|
log_rule $level , $chainref , $policy , '' if $level ne '';
|
||||||
|
|
||||||
@ -502,7 +502,7 @@ sub add_common_rules() {
|
|||||||
|
|
||||||
add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1;
|
add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1;
|
||||||
|
|
||||||
$target = 'filter';
|
$target = 'sfilter';
|
||||||
} elsif ( ( $target = $policy ) eq 'REJECT' ) {
|
} elsif ( ( $target = $policy ) eq 'REJECT' ) {
|
||||||
$target = 'reject';
|
$target = 'reject';
|
||||||
}
|
}
|
||||||
@ -529,10 +529,6 @@ sub add_common_rules() {
|
|||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#
|
|
||||||
# Delete 'sfilter' chain unless it has been referenced
|
|
||||||
#
|
|
||||||
$chainref->{referenced} = 0 unless @{$chainref = filter_table-{sfilter}}->{references};
|
|
||||||
|
|
||||||
run_user_exit1 'initdone';
|
run_user_exit1 'initdone';
|
||||||
|
|
||||||
|
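Review bot: With the "Delete 'sfilter' chain unless it has been referenced" block gone, nothing in the visible part of `add_common_rules` marks the chain as unused, while `new_standard_chain 'sfilter'` still runs whenever `$level` or `$audit` is set. Because the `get_configuration` hunk defaults `SFILTER_LOG_LEVEL` to `info`, the chain is presumably created on most compiles even when no interface sets `sfilter`. If unreferenced chains are pruned elsewhere, a comment at the creation site should say where, for example `# 'sfilter' is created even when no interface uses it; pruned in <pruning site>`. If they are not, the generated ruleset carries a chain that nothing jumps to, which makes it harder to audit. `add_common_rules` continues outside these hunks.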
@ -245,7 +245,6 @@ sub initialize( $ ) {
|
|||||||
bridge => SIMPLE_IF_OPTION,
|
bridge => SIMPLE_IF_OPTION,
|
||||||
detectnets => OBSOLETE_IF_OPTION,
|
detectnets => OBSOLETE_IF_OPTION,
|
||||||
dhcp => SIMPLE_IF_OPTION,
|
dhcp => SIMPLE_IF_OPTION,
|
||||||
filter => IPLIST_IF_OPTION,
|
|
||||||
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
logmartians => BINARY_IF_OPTION,
|
logmartians => BINARY_IF_OPTION,
|
||||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
||||||
@ -256,6 +255,7 @@ sub initialize( $ ) {
|
|||||||
required => SIMPLE_IF_OPTION,
|
required => SIMPLE_IF_OPTION,
|
||||||
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
|
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
|
||||||
routefilter => NUMERIC_IF_OPTION ,
|
routefilter => NUMERIC_IF_OPTION ,
|
||||||
|
sfilter => IPLIST_IF_OPTION,
|
||||||
sourceroute => BINARY_IF_OPTION,
|
sourceroute => BINARY_IF_OPTION,
|
||||||
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
upnp => SIMPLE_IF_OPTION,
|
upnp => SIMPLE_IF_OPTION,
|
||||||
@ -278,7 +278,6 @@ sub initialize( $ ) {
|
|||||||
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
bridge => SIMPLE_IF_OPTION,
|
bridge => SIMPLE_IF_OPTION,
|
||||||
dhcp => SIMPLE_IF_OPTION,
|
dhcp => SIMPLE_IF_OPTION,
|
||||||
filter => IPLIST_IF_OPTION,
|
|
||||||
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
||||||
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
@ -286,6 +285,7 @@ sub initialize( $ ) {
|
|||||||
proxyndp => BINARY_IF_OPTION,
|
proxyndp => BINARY_IF_OPTION,
|
||||||
required => SIMPLE_IF_OPTION,
|
required => SIMPLE_IF_OPTION,
|
||||||
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
|
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
|
||||||
|
sfilter => IPLIST_IF_OPTION,
|
||||||
sourceroute => BINARY_IF_OPTION,
|
sourceroute => BINARY_IF_OPTION,
|
||||||
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||||
@ -1058,8 +1058,8 @@ sub process_interface( $$ ) {
|
|||||||
# Assume 'broadcast'
|
# Assume 'broadcast'
|
||||||
#
|
#
|
||||||
$hostoptions{broadcast} = 1;
|
$hostoptions{broadcast} = 1;
|
||||||
} elsif ( $option eq 'filter' ) {
|
} elsif ( $option eq 'sfilter' ) {
|
||||||
warning_message "filter is ineffective with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
warning_message "sfilter is ineffective with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
||||||
|
|
||||||
$filterref = [ split_list $value, 'address' ];
|
$filterref = [ split_list $value, 'address' ];
|
||||||
|
|
||||||
|