Fix builtin action logging

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6975 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-07-27 22:34:53 +00:00
parent ee4f4c04a1
commit d13c794a7d
2 changed files with 20 additions and 13 deletions


@ -73,11 +73,10 @@ Problems corrected in 4.0.1.
4.0.0. Previously, Shorewall was not started automatically at 4.0.0. Previously, Shorewall was not started automatically at
reboot after an upgrade using the RPM. reboot after an upgrade using the RPM.
9) Shorewall-perl now detects dead policy file entries that result 9) Shorewall-perl was generating invalid iptables-restore input when a
when an entry is masked by an earlier entry. Example: log level was specified with the dropBcast and allowBcast builtin
actions and when a log level followed by '!' was used with any
all all REJECT info builtin actions.
loc net ACCEPT
Other changes in Shorewall 4.0.1. Other changes in Shorewall 4.0.1.
@ -106,6 +105,12 @@ Other changes in Shorewall 4.0.1.
capability has been relaxed. This allows Shorewall 4.0.1 to be used capability has been relaxed. This allows Shorewall 4.0.1 to be used
on releases like RHEL4 that con's support that capability. on releases like RHEL4 that con's support that capability.
3) Shorewall-perl now detects dead policy file entries that result
when an entry is masked by an earlier entry. Example:
all all REJECT info
loc net ACCEPT
Migration Considerations: Migration Considerations:
1) Beginning with Shorewall 4.0.0, there is no single 'shorewall' 1) Beginning with Shorewall 4.0.0, there is no single 'shorewall'


@ -658,20 +658,20 @@ sub process_actions3 () {
if ( $capabilities{ADDRTYPE} ) { if ( $capabilities{ADDRTYPE} ) {
if ( $level ne '' ) { if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST'; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4'; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
} }
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP'; add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
} else { } else {
add_command $chainref, 'for address in $ALL_BCASTS; do'; add_command $chainref, 'for address in $ALL_BCASTS; do';
push_cmd_mode $chainref; push_cmd_mode $chainref;
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address' if $level ne ''; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
add_rule $chainref, '-d $address -j DROP'; add_rule $chainref, '-d $address -j DROP';
pop_cmd_mode $chainref; pop_cmd_mode $chainref;
add_command $chainref, 'done'; add_command $chainref, 'done';
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4' if $level ne ''; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
} }
add_rule $chainref, '-d 224.0.0.0/4 -j DROP'; add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
@ -682,20 +682,20 @@ sub process_actions3 () {
if ( $capabilities{ADDRTYPE} ) { if ( $capabilities{ADDRTYPE} ) {
if ( $level ne '' ) { if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST'; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4'; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
} }
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT'; add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
} else { } else {
add_command $chainref, 'for address in $ALL_BCASTS; do'; add_command $chainref, 'for address in $ALL_BCASTS; do';
push_cmd_mode $chainref; push_cmd_mode $chainref;
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address' if $level ne ''; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
add_rule $chainref, '-d $address -j ACCEPT'; add_rule $chainref, '-d $address -j ACCEPT';
pop_cmd_mode $chainref; pop_cmd_mode $chainref;
add_command $chainref, 'done'; add_command $chainref, 'done';
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4' if $level ne ''; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
} }
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT'; add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
} }
@ -792,6 +792,8 @@ sub process_actions3 () {
$level = '' unless defined $level; $level = '' unless defined $level;
$tag = '' unless defined $tag; $tag = '' unless defined $tag;
$level =~ s/!$//;
if ( $targets{$action} & BUILTIN ) { if ( $targets{$action} & BUILTIN ) {
$level = '' if $level =~ /none!?/; $level = '' if $level =~ /none!?/;
$builtinops{$action}->($chainref, $level, $tag); $builtinops{$action}->($chainref, $level, $tag);