mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-20 05:11:03 +01:00
Get changes from 4.5.0 branch
parent
586a3537bf
commit
bac640e731
@ -447,7 +447,7 @@ sub initialize( $ ) {
|
||||
LOG_MARTIANS => undef,
|
||||
LOG_VERBOSITY => undef,
|
||||
STARTUP_LOG => undef,
|
||||
FILTER_LOG_LEVEL => undef,
|
||||
SFILTER_LOG_LEVEL => undef,
|
||||
#
|
||||
# Location of Files
|
||||
#
|
||||
@ -551,7 +551,7 @@ sub initialize( $ ) {
|
||||
TCP_FLAGS_DISPOSITION => undef,
|
||||
BLACKLIST_DISPOSITION => undef,
|
||||
SMURF_DISPOSITION => undef,
|
||||
FILTER_DISPOSITION => undef,
|
||||
SFILTER_DISPOSITION => undef,
|
||||
#
|
||||
# Mark Geometry
|
||||
#
|
||||
@ -3379,13 +3379,13 @@ sub get_configuration( $ ) {
|
||||
default_log_level 'SMURF_LOG_LEVEL', '';
|
||||
default_log_level 'LOGALLNEW', '';
|
||||
|
||||
default_log_level 'FILTER_LOG_LEVEL', 'info';
|
||||
default_log_level 'SFILTER_LOG_LEVEL', 'info';
|
||||
|
||||
if ( $val = $config{FILTER_DISPOSITION} ) {
|
||||
fatal_error "Invalid FILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
|
||||
require_capability 'AUDIT_TARGET' , "FILTER_DISPOSITION=$val", 's' if $1;
|
||||
if ( $val = $config{SFILTER_DISPOSITION} ) {
|
||||
fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
|
||||
require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
|
||||
} else {
|
||||
$config{FILTER_DISPOSITION} = 'DROP';
|
||||
$config{SFILTER_DISPOSITION} = 'DROP';
|
||||
}
|
||||
|
||||
if ( $val = $config{MACLIST_DISPOSITION} ) {
|
||||
|
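Review bot: An existing shorewall.conf that still sets `FILTER_DISPOSITION` or `FILTER_LOG_LEVEL` has no visible handling after the rename in `initialize` and `get_configuration`: on the new lines it would fall through to `$config{SFILTER_DISPOSITION} = 'DROP'` and the `info` log level, so a configured `REJECT`, `A_DROP` or `A_REJECT` would no longer apply. How unrecognised keys are reported is outside these hunks, so this may already be caught; if it is not, an explicit check before the new `if` would make the rename visible to the operator, for example `fatal_error "FILTER_DISPOSITION has been renamed SFILTER_DISPOSITION" if defined $config{FILTER_DISPOSITION};` (assuming the old key is still read into `%config`). The same concern applies to the `filter` to `sfilter` interface option in the `%validinterfaceoptions` hunks further down. Separately, the new validation anchors with `$`, which also matches before a trailing newline; `/\A(A_)?(DROP|REJECT)\z/` is the stricter form. Both function bodies extend beyond the hunks.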
@ -489,12 +489,12 @@ sub add_common_rules() {
|
||||
add_rule( $filter_table->{$_} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT OUTPUT );
|
||||
}
|
||||
|
||||
my $policy = $config{FILTER_DISPOSITION};
|
||||
$level = $config{FILTER_LOG_LEVEL};
|
||||
my $policy = $config{SFILTER_DISPOSITION};
|
||||
$level = $config{SFILTER_LOG_LEVEL};
|
||||
my $audit = $policy =~ s/^A_//;
|
||||
|
||||
if ( $level || $audit ) {
|
||||
$chainref = new_standard_chain 'filter';
|
||||
$chainref = new_standard_chain 'sfilter';
|
||||
|
||||
log_rule $level , $chainref , $policy , '' if $level ne '';
|
||||
|
||||
@ -502,7 +502,7 @@ sub add_common_rules() {
|
||||
|
||||
add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1;
|
||||
|
||||
$target = 'filter';
|
||||
$target = 'sfilter';
|
||||
} elsif ( ( $target = $policy ) eq 'REJECT' ) {
|
||||
$target = 'reject';
|
||||
}
|
||||
@ -529,10 +529,6 @@ sub add_common_rules() {
|
||||
|
||||
}
|
||||
}
|
||||
#
|
||||
# Delete 'sfilter' chain unless it has been referenced
|
||||
#
|
||||
$chainref->{referenced} = 0 unless @{$chainref = filter_table-{sfilter}}->{references};
|
||||
|
||||
run_user_exit1 'initdone';
|
||||
|
||||
|
@ -245,7 +245,6 @@ sub initialize( $ ) {
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
detectnets => OBSOLETE_IF_OPTION,
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
filter => IPLIST_IF_OPTION,
|
||||
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
logmartians => BINARY_IF_OPTION,
|
||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
||||
@ -256,6 +255,7 @@ sub initialize( $ ) {
|
||||
required => SIMPLE_IF_OPTION,
|
||||
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
|
||||
routefilter => NUMERIC_IF_OPTION ,
|
||||
sfilter => IPLIST_IF_OPTION,
|
||||
sourceroute => BINARY_IF_OPTION,
|
||||
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
upnp => SIMPLE_IF_OPTION,
|
||||
@ -278,7 +278,6 @@ sub initialize( $ ) {
|
||||
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
filter => IPLIST_IF_OPTION,
|
||||
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
||||
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
@ -286,6 +285,7 @@ sub initialize( $ ) {
|
||||
proxyndp => BINARY_IF_OPTION,
|
||||
required => SIMPLE_IF_OPTION,
|
||||
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
|
||||
sfilter => IPLIST_IF_OPTION,
|
||||
sourceroute => BINARY_IF_OPTION,
|
||||
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||
@ -1058,8 +1058,8 @@ sub process_interface( $$ ) {
|
||||
# Assume 'broadcast'
|
||||
#
|
||||
$hostoptions{broadcast} = 1;
|
||||
} elsif ( $option eq 'filter' ) {
|
||||
warning_message "filter is ineffective with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
||||
} elsif ( $option eq 'sfilter' ) {
|
||||
warning_message "sfilter is ineffective with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
||||
|
||||
$filterref = [ split_list $value, 'address' ];
|
||||
|
||||
|
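Review bot: In `process_interface`, an `sfilter` list that the message itself calls ineffective under `FASTACCEPT=Yes` only triggers `warning_message`, and the list is still parsed by `split_list` as if it were active. For a packet-filtering option, a warning in the compile output is easy to miss; consider `fatal_error "sfilter is ineffective with FASTACCEPT=Yes" if $config{FASTACCEPT};`, or at least a comment above the check saying why the two settings conflict. The `elsif` chain starts and ends outside the hunk, so any later handling of `$filterref` is not visible here.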