Get changes from 4.5.0 branch

Tom Eastep 2011-05-27 19:42:09 -07:00
parent 586a3537bf
commit bac640e731
3 changed files with 15 additions and 19 deletions


@ -447,7 +447,7 @@ sub initialize( $ ) {
LOG_MARTIANS => undef, LOG_MARTIANS => undef,
LOG_VERBOSITY => undef, LOG_VERBOSITY => undef,
STARTUP_LOG => undef, STARTUP_LOG => undef,
FILTER_LOG_LEVEL => undef, SFILTER_LOG_LEVEL => undef,
# #
# Location of Files # Location of Files
# #
@ -551,7 +551,7 @@ sub initialize( $ ) {
TCP_FLAGS_DISPOSITION => undef, TCP_FLAGS_DISPOSITION => undef,
BLACKLIST_DISPOSITION => undef, BLACKLIST_DISPOSITION => undef,
SMURF_DISPOSITION => undef, SMURF_DISPOSITION => undef,
FILTER_DISPOSITION => undef, SFILTER_DISPOSITION => undef,
# #
# Mark Geometry # Mark Geometry
# #
@ -3379,13 +3379,13 @@ sub get_configuration( $ ) {
default_log_level 'SMURF_LOG_LEVEL', ''; default_log_level 'SMURF_LOG_LEVEL', '';
default_log_level 'LOGALLNEW', ''; default_log_level 'LOGALLNEW', '';
default_log_level 'FILTER_LOG_LEVEL', 'info'; default_log_level 'SFILTER_LOG_LEVEL', 'info';
if ( $val = $config{FILTER_DISPOSITION} ) { if ( $val = $config{SFILTER_DISPOSITION} ) {
fatal_error "Invalid FILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/; fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
require_capability 'AUDIT_TARGET' , "FILTER_DISPOSITION=$val", 's' if $1; require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
} else { } else {
$config{FILTER_DISPOSITION} = 'DROP'; $config{SFILTER_DISPOSITION} = 'DROP';
} }
if ( $val = $config{MACLIST_DISPOSITION} ) { if ( $val = $config{MACLIST_DISPOSITION} ) {
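Review bot: The rename of FILTER_DISPOSITION/FILTER_LOG_LEVEL to SFILTER_* leaves no path for a shorewall.conf that still carries the old keys; what happens to an unknown key is decided by the loader outside this hunk, but nothing in get_configuration flags the stale name. The fallback is fail-closed (`$config{SFILTER_DISPOSITION} = 'DROP'` and a default log level of info), which is the right default, but an administrator who had set the old key to REJECT or A_DROP gets a silent change of behaviour. If the loader keeps unknown keys rather than rejecting them, a one-line check beside the new block makes this explicit: `fatal_error "FILTER_DISPOSITION is obsolete; use SFILTER_DISPOSITION" if exists $config{FILTER_DISPOSITION};` (and the same for FILTER_LOG_LEVEL). Separately, the validation regex `^(A_)?(DROP|REJECT)$` uses `$`, which also matches before a trailing newline; `\z` pins the value exactly.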


@ -489,12 +489,12 @@ sub add_common_rules() {
add_rule( $filter_table->{$_} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT OUTPUT ); add_rule( $filter_table->{$_} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT OUTPUT );
} }
my $policy = $config{FILTER_DISPOSITION}; my $policy = $config{SFILTER_DISPOSITION};
$level = $config{FILTER_LOG_LEVEL}; $level = $config{SFILTER_LOG_LEVEL};
my $audit = $policy =~ s/^A_//; my $audit = $policy =~ s/^A_//;
if ( $level || $audit ) { if ( $level || $audit ) {
$chainref = new_standard_chain 'filter'; $chainref = new_standard_chain 'sfilter';
log_rule $level , $chainref , $policy , '' if $level ne ''; log_rule $level , $chainref , $policy , '' if $level ne '';
@ -502,7 +502,7 @@ sub add_common_rules() {
add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1; add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1;
$target = 'filter'; $target = 'sfilter';
} elsif ( ( $target = $policy ) eq 'REJECT' ) { } elsif ( ( $target = $policy ) eq 'REJECT' ) {
$target = 'reject'; $target = 'reject';
} }
@ -529,10 +529,6 @@ sub add_common_rules() {
} }
} }
#
# Delete 'sfilter' chain unless it has been referenced
#
$chainref->{referenced} = 0 unless @{$chainref = filter_table-{sfilter}}->{references};
run_user_exit1 'initdone'; run_user_exit1 'initdone';
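Review bot: With the chain-pruning lines removed from the tail of add_common_rules, the chain created by `new_standard_chain 'sfilter'` is never marked unreferenced, so a ruleset with the default SFILTER_LOG_LEVEL of info but no interface using `sfilter` will carry an empty logging chain unless something outside this hunk prunes it. The removed code was not valid Perl (`filter_table-{sfilter}` is a bareword minus an anonymous hash), so deleting it was right, but its intent should be restored against the real chain table, presumably `$filter_table->{sfilter}` and its `references` list, re-fetching the chain rather than relying on `$chainref`, which may be reassigned in the part of the function between the two hunks. The body of add_common_rules begins and ends outside this hunk.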


@ -245,7 +245,6 @@ sub initialize( $ ) {
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
detectnets => OBSOLETE_IF_OPTION, detectnets => OBSOLETE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
filter => IPLIST_IF_OPTION,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST, maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
logmartians => BINARY_IF_OPTION, logmartians => BINARY_IF_OPTION,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER, nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
@ -256,6 +255,7 @@ sub initialize( $ ) {
required => SIMPLE_IF_OPTION, required => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER, routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
routefilter => NUMERIC_IF_OPTION , routefilter => NUMERIC_IF_OPTION ,
sfilter => IPLIST_IF_OPTION,
sourceroute => BINARY_IF_OPTION, sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST, tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
upnp => SIMPLE_IF_OPTION, upnp => SIMPLE_IF_OPTION,
@ -278,7 +278,6 @@ sub initialize( $ ) {
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST, %validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
filter => IPLIST_IF_OPTION,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST, maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER, nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST, nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@ -286,6 +285,7 @@ sub initialize( $ ) {
proxyndp => BINARY_IF_OPTION, proxyndp => BINARY_IF_OPTION,
required => SIMPLE_IF_OPTION, required => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER, routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
sfilter => IPLIST_IF_OPTION,
sourceroute => BINARY_IF_OPTION, sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST, tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK, mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@ -1058,8 +1058,8 @@ sub process_interface( $$ ) {
# Assume 'broadcast' # Assume 'broadcast'
# #
$hostoptions{broadcast} = 1; $hostoptions{broadcast} = 1;
} elsif ( $option eq 'filter' ) { } elsif ( $option eq 'sfilter' ) {
warning_message "filter is ineffective with FASTACCEPT=Yes" if $config{FASTACCEPT}; warning_message "sfilter is ineffective with FASTACCEPT=Yes" if $config{FASTACCEPT};
$filterref = [ split_list $value, 'address' ]; $filterref = [ split_list $value, 'address' ];
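Review bot: `warning_message "sfilter is ineffective with FASTACCEPT=Yes"` accepts a configuration in which a filter the administrator explicitly asked for is, by the message's own wording, not enforced; for a security control the conservative choice is to refuse the combination, `fatal_error "sfilter cannot be used with FASTACCEPT=Yes" if $config{FASTACCEPT};`, or to document in the option's description exactly which traffic escapes it. The old `filter` spelling is dropped from both option tables, so an interfaces file still using it will presumably be rejected by the option validator rather than silently ignored, which is the safe direction but deserves a release-note line. The list in `$value` only passes through `split_list $value, 'address'`; whether that validates each entry as an address or merely splits on commas is not visible here. process_interface begins and ends outside this hunk.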