Allow inline matches in the conntrack file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2019-01-07 17:47:05 -08:00
parent 49731da807
commit cf330afbd9
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
2 changed files with 16 additions and 7 deletions


@ -3,7 +3,7 @@
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2009-2018 - Tom Eastep (teastep@shorewall.net) # (c) 2009-2019 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
@ -70,6 +70,13 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
my $zone; my $zone;
my $restriction = PREROUTE_RESTRICT; my $restriction = PREROUTE_RESTRICT;
my $raw_matches = get_inline_matches(0);
my $prerule = '';
if ( $raw_matches =~ /s*+/ ) {
$prerule = $raw_matches;
$raw_matches = '';
}
if ( $chainref ) { if ( $chainref ) {
$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT'; $restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
@ -206,10 +213,11 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
expand_rule( $chainref , expand_rule( $chainref ,
$restriction , $restriction ,
'', $prerule,
do_proto( $proto, $ports, $sports ) . do_proto( $proto, $ports, $sports ) .
do_user ( $user ) . do_user ( $user ) .
do_condition( $switch , $chainref->{name} ), do_condition( $switch , $chainref->{name} ) .
$raw_matches ,
$source , $source ,
$dest , $dest ,
'' , '' ,
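Review bot: given the condition in the preceding hunk, at most one of `$prerule` and `$raw_matches` is non-empty by the time expand_rule is called, so the inline matches land either in the prerule slot (the argument that was previously '') or appended after `do_condition( $switch , $chainref->{name} )`. Nothing in the patch, including the manpage change, says which placement a user gets or how to select it; that should be documented. Also please check that the concatenation `do_condition( ... ) . $raw_matches` produces a separating space between the two fragments when `$raw_matches` is non-empty.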
@ -316,7 +324,7 @@ sub setup_conntrack($) {
{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } ); { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
$action = 'NOTRACK'; $action = 'NOTRACK';
} else { } else {
( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }; ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line2( 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, undef, undef, 1 );
} }
$empty = 0; $empty = 0;
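Review bot: only the second (ACTION-column) format is moved from split_line1 to split_line2 with the extra `undef, undef, 1` arguments; the first format, whose column hash `{ source => 0, dest => 1, ... switch => 6 }` closes at the top of the hunk and is followed by `$action = 'NOTRACK'`, keeps its existing call. If ";;" inline matches are meant only for the newer format, the manpage text should say so; otherwise the first call needs the same change. The positional `undef, undef, 1` also deserves a comment naming what the trailing 1 enables.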


@ -18,7 +18,7 @@
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright> <copyright>
<year>2001-2017</year> <year>2001-2019</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -56,7 +56,7 @@
Shorewall</ulink> is required reading for being able to use this article Shorewall</ulink> is required reading for being able to use this article
effectively. For information about setting up your first Shorewall-based effectively. For information about setting up your first Shorewall-based
firewall, see the <ulink url="GettingStarted.html">Quickstart firewall, see the <ulink url="GettingStarted.html">Quickstart
Guides</ulink>.</para> Guides</ulink>.in</para>
</section> </section>
<section id="Files"> <section id="Files">
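Review bot: the new text at `Guides</ulink>.in</para>` introduces a stray "in" after the period, which will render as "Quickstart Guides.in". This looks like an editor keystroke that slipped into the XML; drop the "in" so the line reads `Guides</ulink>.</para>` as before.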
@ -852,7 +852,8 @@ INLINE net $FW ;; -m recent --rcheck 10 --hitcount 5
column=value specifications. In Shorewall 5.0.0 and later, inline column=value specifications. In Shorewall 5.0.0 and later, inline
matches are allowed in mangle, masq and rules following two adjacent matches are allowed in mangle, masq and rules following two adjacent
semicolons (";;"). If alternate input is present, the adjacent semicolons (";;"). If alternate input is present, the adjacent
semicolons should follow that input.</para> semicolons should follow that input. In Shorewall 5.2.2, this
support was extended to the conntrack file.</para>
<caution> <caution>
<para>INLINE_MATCHES=Yes is deprecated and will no longer be <para>INLINE_MATCHES=Yes is deprecated and will no longer be
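Review bot: "In Shorewall 5.2.2, this support was extended to the conntrack file." should read "In Shorewall 5.2.2 and later" to match the "5.0.0 and later" phrasing of the preceding sentence, and it should state whether the rule about alternate input (the ";;" following that input) applies in the conntrack file as well. The only example visible in this section is a rules-file entry (`INLINE net $FW ;; -m recent --rcheck 10 --hitcount 5`); a conntrack-file entry with ";;" would show readers where the separator goes in that file's column layout.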