Disable MACLIST_TTL

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2356 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-12 18:54:25 +01:00 · 2005-07-17 16:52:21 +00:00 · 2005-07-17 16:52:21 +00:00 · c6e3e84352
commit c6e3e84352
parent 7c0e2c8f77
2 changed files with 4 additions and 40 deletions
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -477,11 +477,6 @@ mac_chain() # $1 = interface
   echo $(chain_base $1)_mac
 }

-macrecent_target() # $1 - interface
-{
-    [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
-}
-
 #
 # Functions for creating dynamic zone rules
 #
@ -2327,14 +2322,6 @@ setup_mac_lists() {
    for interface in $maclist_interfaces; do
 	chain=$(mac_chain $interface)
 	createchain $chain no
-	
-	if [ -n "$MACLIST_TTL" ]; then
-	    chain1=$(macrecent_target $interface)
-	    createchain $chain1 no
-	    run_iptables -A $chain  -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
-	    run_iptables -A $chain1 -m recent --update                        --name $chain -j ACCEPT
-	    run_iptables -A $chain1 -m recent --set                           --name $chain -j ACCEPT
-	fi
    done
    #
    # Process the maclist file producing the verification rules
@ -3193,8 +3180,8 @@ check_config() {

    [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=

-    if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
-	startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
+    if [ -n "$MACLIST_TTL" ]; then
+	error_message "WARNING: MACLIST_TTL has been disabled until further notice"
    fi

    echo "Determining Zones..."
@ -6402,8 +6389,8 @@ initialize_netfilter () {

    [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=

-    if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
-	startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
+    if [ -n "$MACLIST_TTL" ]; then
+	error_message "WARNING: MACLIST_TTL has been disabled until further notice"
    fi

    [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@ -779,29 +779,6 @@ DROPINVALID=No

 RFC1918_STRICT=No

-#
-# MACLIST caching
-#
-# If your iptables and kernel support the "Recent Match" (see the output of
-# "shorewall check" near the top), you can cache the results of a 'maclist'
-# file lookup and thus reduce the overhead associated with MAC Verification
-# (/etc/shorewall/maclist).
-#
-# When a new connection arrives from a 'maclist' interface, the packet passes
-# through then list of entries for that interface in /etc/shorewall/maclist. If
-# there is a match then the source IP address is added to the 'Recent' set for
-# that interface. Subsequent connection attempts from that IP address occuring
-# within $MACLIST_TTL seconds will be accepted without having to scan all of
-# the entries. After $MACLIST_TTL from the first accepted connection request,
-# the next connection request from that IP address will be checked against
-# the entire list.
-# 
-# If MACLIST_TTL is not specified or is specified as empty (e.g, 
-# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
-# be cached.
-
-MACLIST_TTL=
-
 #
 # Save/Restore IPSETS
 #