extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-21 18:21:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add 'allowBcast' standard action

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1539 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-08-14 20:44:15 +00:00
parent fae7312553
commit bbe514b417
3 changed files with 38 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Shorewall2/actions.std
View File

@ -4,6 +4,7 @@
# #
# Builtin Actions are: # Builtin Actions are:
# #
# allowBcast #Silently Allow Broadcast/multicast
# dropBcast #Silently Drop Broadcast/multicast # dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets # dropNonSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets # rejNonSyn #Silently Reject Non-syn TCP packets

36
Shorewall2/firewall
View File

@ -3017,7 +3017,7 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
# #
process_actions1() { process_actions1() {
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid" ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
USEDACTIONS= USEDACTIONS=
strip_file actions strip_file actions
@ -3170,12 +3170,44 @@ process_actions3() {
fi fi
fi fi
;; ;;
allowBcast)
if [ "$COMMAND" != check ]; then
if [ -n "$PKTTYPE" ]; then
case $xlevel in
none'!')
;;
*)
if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type multicast
fi
;;
esac
run_iptables -A allowBcast -m pkttype --pkt-type broadcast -j ACCEPT
run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT
else
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
case $xlevel in
none*)
;;
*)
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -d $address
;;
esac
run_iptables -A $xchain -d $address -j ACCEPT
done
fi
fi
;;
dropNonSyn) dropNonSyn)
error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\"" error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP run_iptables -A $xchain -p tcp ! --syn -j DROP
fi fi
;; ;;

3
Shorewall2/releasenotes.txt
View File

@ -264,3 +264,6 @@ New Features:
8) To improve interoperability, tunnels of type 'ipsec' no longer 8) To improve interoperability, tunnels of type 'ipsec' no longer
enforce the use of source port 500 for ISAKMP. enforce the use of source port 500 for ISAKMP.
9) A new 'allowBcast' builtin action has been added -- it silently
allows broadcasts and multicasts.