p2pwall integration
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@762 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
3d7df0dd62
commit
c80dacd86a
@ -5,3 +5,5 @@ Changes since 1.4.7
2) Applied Andrew Zhoglo's patch that avoids using multiport match for
ICMP.
3) Added support for QUEUE target.
@ -2369,7 +2369,7 @@ add_a_rule()
[ x$cport = x- ] && cport=
case $proto in
tcp|udp|TCP|UDP|6|17)
tcp|TCP|6)
if [ -n "$port" ]; then
dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
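Review bot: Splitting the `tcp|udp|TCP|UDP|6|17)` arm into `tcp|TCP|6)` and `udp|UDP|17)` duplicates the entire dports/sports construction (about twenty lines, visible in the next hunk under `udp|UDP|17)`) only to add one QUEUE-specific line on the TCP side. Keeping the combined arm and nesting a small inner `case $proto` just before its `;;` gives the same behaviour while the port-option logic stays in one place and the two copies cannot drift apart. add_a_rule starts and ends outside the hunk.
```shell
tcp|udp|TCP|UDP|6|17)
    # … unchanged: dports/sports construction for $port and $cport …
    case $proto in
        tcp|TCP|6)
            # QUEUE: hand only the connection request (SYN) to user space
            [ "$target" = QUEUE ] && proto="$proto --syn"
            ;;
    esac
    ;;
```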
@ -2387,7 +2387,28 @@ add_a_rule()
fi
sports="$sports $cport"
fi
;;
[ "$target" = QUEUE ] && proto="$proto --syn"
;;
udp|UDP|17)
if [ -n "$port" ]; then
dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
multiport="$multioption"
dports="--dports"
fi
dports="$dports $port"
fi
if [ -n "$cport" ]; then
sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption"
sports="--sports"
fi
sports="$sports $cport"
fi
;;
icmp|ICMP|1)
[ -n "$port" ] && dports="--icmp-type $port"
state=
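Review bot: `[ "$target" = QUEUE ] && proto="$proto --syn"` overloads the protocol variable with an iptables match option, so every later use of `$proto` in add_a_rule (outside this hunk) now carries `--syn` for QUEUE rules and has to expand it unquoted for the option to be split out; if `$proto` is used for anything other than building the `-p` argument, that path changes silently. A dedicated variable, e.g. `syn=` set to `--syn` in the QUEUE case and appended where the iptables command line is assembled, would leave the protocol value intact. The intent deserves a comment at the line, since it is a compatibility choice for p2pwall according to the release notes: `# QUEUE: pass only the connection request (SYN) to user space; later packets of the flow do not match this rule`. The comparison is against the bare word QUEUE, so if `$target` can still carry a `:level` suffix at this point (process_rules strips it into `temp` only for its own check) the `--syn` would be skipped — worth confirming against the caller.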
@ -2873,7 +2894,7 @@ process_rules()
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
if [ "x$xclients" = xall ]; then
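Review bot: Adding `QUEUE` to the accepted-target pattern in process_rules gives no indication of whether the running kernel and iptables actually support the QUEUE target (it needs the kernel's userspace-queue support, the ip_queue module on kernels of this era), so a rule using it would only fail when the generated iptables command is executed. If the firewall script has a capability-probe section elsewhere (not visible here), QUEUE belongs there; otherwise a comment at the pattern such as `# QUEUE needs kernel/iptables QUEUE target support (ip_queue); unsupported kernels fail at iptables time` would help the next maintainer. process_rules continues outside the hunk.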
@ -24,4 +24,23 @@ None.
New Features:
None.
1. A new QUEUE action has been introduced for rules. QUEUE allows you
to pass connection requests to a user-space filter such as p2pwall
(http://p2pwall.sourceforge.net).
For example, to use p2pwall to filter P2P applications, you would
add the following rules:
QUEUE loc net tcp
QUEUE loc net udp
QUEUE loc fw udp
You would normally want to place those two rules BEFORE any ACCEPT
rules for loc->net.
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with p2pwall.
@ -46,6 +46,8 @@
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
#
# You may rate-limit the rule by optionally
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with