Add 'allowBcast' standard action

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1539 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-14 19:54:06 +01:00 · 2004-08-14 20:44:15 +00:00 · 2004-08-14 20:44:15 +00:00 · bbe514b417
commit bbe514b417
parent fae7312553
3 changed files with 38 additions and 2 deletions
--- a/Shorewall2/actions.std
+++ b/Shorewall2/actions.std
@ -4,6 +4,7 @@
 #
 # Builtin Actions are:
 #
+#    allowBcast		#Silently Allow Broadcast/multicast
 #    dropBcast          #Silently Drop Broadcast/multicast
 #    dropNonSyn         #Silently Drop Non-syn TCP packets
 #    rejNonSyn          #Silently Reject Non-syn TCP packets
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -3017,7 +3017,7 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
 #
 process_actions1() {
 	
-    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
+    ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
    USEDACTIONS=

    strip_file actions
@ -3170,12 +3170,44 @@ process_actions3() {
 		    fi
 		fi
 		;;
+	    allowBcast)
+		if [ "$COMMAND" != check ]; then
+		    if [ -n "$PKTTYPE" ]; then
+			case $xlevel in
+			    none'!')
+	                        ;;
+			    *)
+			        if [ -n "$xlevel" ]; then
+				    log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast
+				    log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type multicast
+				fi
+				;;
+			esac
+			
+			run_iptables -A allowBcast -m pkttype --pkt-type broadcast -j ACCEPT
+			run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT
+		    else
+			for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
+			    case $xlevel in
+				none*)
+				    ;;
+				*)
+				    [ -n "$xlevel" ] && \
+					log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -d $address
+				    ;;
+			    esac
+			    
+			    run_iptables -A $xchain -d $address -j ACCEPT
+			done
+		    fi
+		fi
+		;;
 	    dropNonSyn)
 		error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
 		
 		if [ "$COMMAND" != check ]; then
 		    [ -n "$xlevel" ] && \
-			log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -p tcp ! --syn
+			log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -p tcp ! --syn
 		    run_iptables -A $xchain -p tcp ! --syn -j DROP
 		fi
 		;;
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -264,3 +264,6 @@ New Features:
 
 8)  To improve interoperability, tunnels of type 'ipsec' no longer
    enforce the use of source port 500 for ISAKMP.
+
+9)  A new 'allowBcast' builtin action has been added -- it silently
+    allows broadcasts and multicasts.