p2pwall integration

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@762 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-10-09 21:26:08 +00:00
parent 3d7df0dd62
commit c80dacd86a
4 changed files with 48 additions and 4 deletions

View File

@ -5,3 +5,5 @@ Changes since 1.4.7
2) Applied Andrew Zhoglo's patch that avoids using multiport match for 2) Applied Andrew Zhoglo's patch that avoids using multiport match for
ICMP. ICMP.
3) Added support for QUEUE target.
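Review bot: the changelog entry omits the behavioural detail a user upgrading needs: for TCP rules the new QUEUE target only hands SYN packets to user space (the `--syn` match added in `add_a_rule`), so the remaining packets of a queued connection fall through to the rules that follow. Suggest extending the line to something like "3) Added support for QUEUE target (TCP rules queue connection requests only)." so the changes file matches the release notes.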

View File

@ -2369,7 +2369,7 @@ add_a_rule()
[ x$cport = x- ] && cport= [ x$cport = x- ] && cport=
case $proto in case $proto in
tcp|udp|TCP|UDP|6|17) tcp|TCP|6)
if [ -n "$port" ]; then if [ -n "$port" ]; then
dports="--dport" dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
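Review bot: narrowing the case label from `tcp|udp|TCP|UDP|6|17` to `tcp|TCP|6` means the entire `--dport`/`--sport`/multiport body of this branch has to be carried verbatim into a separate udp branch, although the only TCP-specific line is the `--syn` handling. Consider keeping the combined label and guarding just that one line on `$proto` instead, so the two copies of the port-building logic cannot drift apart on a later fix.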
@ -2387,7 +2387,28 @@ add_a_rule()
fi fi
sports="$sports $cport" sports="$sports $cport"
fi fi
;;
[ "$target" = QUEUE ] && proto="$proto --syn"
;;
udp|UDP|17)
if [ -n "$port" ]; then
dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
multiport="$multioption"
dports="--dports"
fi
dports="$dports $port"
fi
if [ -n "$cport" ]; then
sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption"
sports="--sports"
fi
sports="$sports $cport"
fi
;;
icmp|ICMP|1) icmp|ICMP|1)
[ -n "$port" ] && dports="--icmp-type $port" [ -n "$port" ] && dports="--icmp-type $port"
state= state=
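Review bot: `proto="$proto --syn"` smuggles a match option into the protocol variable; a dedicated variable (for example one appended to the rule alongside `$dports`/`$sports`) would make the intent explicit and avoid surprising any later use of `$proto` in this function. The semantics are worth a comment at the point of use as well: `--syn` matches only packets with SYN set and ACK/RST/FIN clear, so for `QUEUE` a TCP rule hands only the connection request to user space and every subsequent packet of that connection is evaluated by the rules that follow. The new `udp|UDP|17` branch is a line-for-line copy of the tcp branch minus that one statement.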
@ -2873,7 +2894,7 @@ process_rules()
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do
temp="${xtarget%:*}" temp="${xtarget%:*}"
case "${temp%<*}" in case "${temp%<*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE) ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
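Review bot: adding `QUEUE` to the accepted target list makes the rule generate with no check that anything will consume the queue. Packets given the QUEUE verdict are dropped by the kernel when no user-space application is attached (the ip_queue module is absent or the listener is not running), so a rule that is meant to hand traffic to p2pwall silently becomes a DROP if the daemon is down. At minimum this should be documented next to the target; a startup warning when `QUEUE` rules are present would be a reasonable follow-up.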

View File

@ -24,4 +24,23 @@ None.
New Features: New Features:
None. 1. A new QUEUE action has been introduced for rules. QUEUE allows you
to pass connection requests to a user-space filter such as p2pwall
(http://p2pwall.sourceforge.net).
For example, to use p2pwall to filter P2P applications, you would
add the following rules:
QUEUE loc net tcp
QUEUE loc net udp
QUEUE loc fw udp
You would normally want to place those two rules BEFORE any ACCEPT
rules for loc->net.
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with p2pwall.
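Review bot: "place those two rules BEFORE any ACCEPT rules for loc->net" does not match the example, which lists three rules, and the third (`QUEUE loc fw udp`) is loc->fw, not loc->net. Suggest "place those rules before any ACCEPT rules for loc->net and loc->fw". The note should also say what happens when no user-space application is listening (queued packets are dropped by the kernel), since that is the failure mode an administrator will hit first.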

View File

@ -46,6 +46,8 @@
# to the rules defined for that # to the rules defined for that
# (those) zone(s). # (those) zone(s).
# LOG -- Simply log the packet and continue. # LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
# #
# You may rate-limit the rule by optionally # You may rate-limit the rule by optionally
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with # following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
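Review bot: the rate-limit sentence still lists only "ACCEPT, DNAT[-], REDIRECT[-] or LOG". Since `process_rules` strips the `<...>` suffix before matching the target and `QUEUE` is now in that case list, a `QUEUE<rate>` rule will be accepted by the parser; the comment should either add QUEUE to the list of rate-limitable actions or state that rate-limiting QUEUE is unsupported.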