Add 'allowBcast' standard action
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1539 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
fae7312553
commit
bbe514b417
@ -4,6 +4,7 @@
|
|||||||
#
|
#
|
||||||
# Builtin Actions are:
|
# Builtin Actions are:
|
||||||
#
|
#
|
||||||
|
# allowBcast #Silently Allow Broadcast/multicast
|
||||||
# dropBcast #Silently Drop Broadcast/multicast
|
# dropBcast #Silently Drop Broadcast/multicast
|
||||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
# dropNonSyn #Silently Drop Non-syn TCP packets
|
||||||
# rejNonSyn #Silently Reject Non-syn TCP packets
|
# rejNonSyn #Silently Reject Non-syn TCP packets
|
||||||
|
@ -3017,7 +3017,7 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
|
|||||||
#
|
#
|
||||||
process_actions1() {
|
process_actions1() {
|
||||||
|
|
||||||
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
|
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
|
||||||
USEDACTIONS=
|
USEDACTIONS=
|
||||||
|
|
||||||
strip_file actions
|
strip_file actions
|
||||||
@ -3170,12 +3170,44 @@ process_actions3() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
allowBcast)
|
||||||
|
if [ "$COMMAND" != check ]; then
|
||||||
|
if [ -n "$PKTTYPE" ]; then
|
||||||
|
case $xlevel in
|
||||||
|
none'!')
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
if [ -n "$xlevel" ]; then
|
||||||
|
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast
|
||||||
|
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type multicast
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
run_iptables -A allowBcast -m pkttype --pkt-type broadcast -j ACCEPT
|
||||||
|
run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT
|
||||||
|
else
|
||||||
|
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
||||||
|
case $xlevel in
|
||||||
|
none*)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
[ -n "$xlevel" ] && \
|
||||||
|
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -d $address
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
run_iptables -A $xchain -d $address -j ACCEPT
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
;;
|
||||||
dropNonSyn)
|
dropNonSyn)
|
||||||
error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
|
error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
|
||||||
|
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -p tcp ! --syn
|
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -p tcp ! --syn
|
||||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
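Review bot: The two ACCEPT rules in the pkttype branch (`run_iptables -A allowBcast -m pkttype ...`) are appended to the literal chain `allowBcast`, while the log rules in the same branch, the fallback branch's `run_iptables -A $xchain -d $address -j ACCEPT`, and the sibling dropNonSyn action all target `$xchain`. If `$xchain` can differ from `allowBcast` for a logged invocation (the log rules using `$xchain` suggest it can, but the chain naming is not visible here), the action would log broadcasts without accepting them, or iptables would fail on a missing chain; the fix is `run_iptables -A $xchain -m pkttype --pkt-type broadcast -j ACCEPT` and `run_iptables -A $xchain -m pkttype --pkt-type multicast -j ACCEPT`. The two branches also disagree on how a "no log" level is suppressed: the pkttype branch's `none'!')` pattern only matches the literal `none!`, whereas the fallback branch's `none*)` also covers plain `none`, so one of them presumably should be changed to match the other unless `log_rule_limit` is known to ignore a `none` level. Since the fallback branch accepts every protocol to 255.255.255.255, 224.0.0.0/4 and each interface broadcast, a comment above the `for address in ...` loop stating that this is the intended semantics when `-m pkttype` is unavailable would help the next reader. process_actions3 starts before this hunk and its case statement continues past it.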
@ -264,3 +264,6 @@ New Features:
|
|||||||
|
|
||||||
8) To improve interoperability, tunnels of type 'ipsec' no longer
|
8) To improve interoperability, tunnels of type 'ipsec' no longer
|
||||||
enforce the use of source port 500 for ISAKMP.
|
enforce the use of source port 500 for ISAKMP.
|
||||||
|
|
||||||
|
9) A new 'allowBcast' builtin action has been added -- it silently
|
||||||
|
allows broadcasts and multicasts.
|
||||||
|