extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-24 03:31:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Disable MACLIST_TTL

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2356 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-07-17 16:52:21 +00:00
parent 7c0e2c8f77
commit c6e3e84352
2 changed files with 4 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
Shorewall/firewall
View File

@ -477,11 +477,6 @@ mac_chain() # $1 = interface
echo $(chain_base $1)_mac echo $(chain_base $1)_mac
} }
macrecent_target() # $1 - interface
{
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
}
# #
# Functions for creating dynamic zone rules # Functions for creating dynamic zone rules
# #
@ -2327,14 +2322,6 @@ setup_mac_lists() {
for interface in $maclist_interfaces; do for interface in $maclist_interfaces; do
chain=$(mac_chain $interface) chain=$(mac_chain $interface)
createchain $chain no createchain $chain no
if [ -n "$MACLIST_TTL" ]; then
chain1=$(macrecent_target $interface)
createchain $chain1 no
run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT
run_iptables -A $chain1 -m recent --set --name $chain -j ACCEPT
fi
done done
# #
# Process the maclist file producing the verification rules # Process the maclist file producing the verification rules
@ -3193,8 +3180,8 @@ check_config() {
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then if [ -n "$MACLIST_TTL" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" error_message "WARNING: MACLIST_TTL has been disabled until further notice"
fi fi
echo "Determining Zones..." echo "Determining Zones..."
@ -6402,8 +6389,8 @@ initialize_netfilter () {
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then if [ -n "$MACLIST_TTL" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" error_message "WARNING: MACLIST_TTL has been disabled until further notice"
fi fi
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \ [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \

23
Shorewall/shorewall.conf
View File

@ -779,29 +779,6 @@ DROPINVALID=No
RFC1918_STRICT=No RFC1918_STRICT=No
#
# MACLIST caching
#
# If your iptables and kernel support the "Recent Match" (see the output of
# "shorewall check" near the top), you can cache the results of a 'maclist'
# file lookup and thus reduce the overhead associated with MAC Verification
# (/etc/shorewall/maclist).
#
# When a new connection arrives from a 'maclist' interface, the packet passes
# through then list of entries for that interface in /etc/shorewall/maclist. If
# there is a match then the source IP address is added to the 'Recent' set for
# that interface. Subsequent connection attempts from that IP address occuring
# within $MACLIST_TTL seconds will be accepted without having to scan all of
# the entries. After $MACLIST_TTL from the first accepted connection request,
# the next connection request from that IP address will be checked against
# the entire list.
#
# If MACLIST_TTL is not specified or is specified as empty (e.g,
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
# be cached.
MACLIST_TTL=
# #
# Save/Restore IPSETS # Save/Restore IPSETS
# #