Backport 'dropInvalid' from 2.1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1476 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-11 08:08:12 +01:00 · 2004-07-14 20:08:12 +00:00 · 2004-07-14 20:08:12 +00:00 · d9bb6a55e8
commit d9bb6a55e8
parent 4f69a5eddb
6 changed files with 21 additions and 3 deletions
--- a/STABLE2/action.Drop
+++ b/STABLE2/action.Drop
@ -8,6 +8,7 @@
 #                       	        	PORT    PORT(S)		LIMIT	GROUP
 RejectAuth
 dropBcast
+dropInvalid
 DropSMB
 DropUPnP
 dropNotSyn
--- a/STABLE2/action.Reject
+++ b/STABLE2/action.Reject
@ -8,6 +8,7 @@
 #                       	        	PORT    PORT(S)		LIMIT	GROUP
 RejectAuth
 dropBcast
+dropInvalid
 RejectSMB
 DropUPnP
 dropNotSyn
--- a/STABLE2/actions.std
+++ b/STABLE2/actions.std
@ -10,6 +10,8 @@
 #    logNonSyn          #Log Non-syn TCP packets with disposition LOG
 #    dLogNonSyn         #Log Non-syn TCP packets with disposition DROP
 #    rLogNonSyn          #Log Non-syn TCP packets with disposition REJECT
+#    dropInvalid	#Silently Drop packets that are in the INVALID
+#                       #conntrack state.
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.
--- a/STABLE2/changelog.txt
+++ b/STABLE2/changelog.txt
@ -30,4 +30,4 @@ Change in 2.0.6

 3) Don't give shorewall.conf and zones execute permission.
  
-  
+4) Backport 'dropInvalid' from 2.1
--- a/STABLE2/firewall
+++ b/STABLE2/firewall
@ -2790,7 +2790,7 @@ createactionchain() # $1 = chain name

 process_actions1() {
 	
-    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
+    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid"
    USEDACTIONS=

    strip_file actions
@ -2973,6 +2973,9 @@ process_actions2() {
 	    dLogNotSyn)
 		log_action dLogNotSyn DROP		
 		;;
+	    dropInvalid)
+		[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
+		;;
 	    *)
 		f=action.$xaction
 		fn=$(find_file $f)
--- a/STABLE2/releasenotes.txt
+++ b/STABLE2/releasenotes.txt
@ -23,9 +23,20 @@ Problems Corrected in version 2.0.6
   Netfilter failing to match certain broadcast packets. The result 
   is that the firewall log shows a lot of broadcast packets.

-   Users experiencing this problem can use PKTTYPE=No in
+   Other users have complained of the following message when 
+   starting Shorewall:
+
+	    modprobe: cant locate module ipt_pkttype
+
+   Users experiencing either of these problems can use PKTTYPE=No in
   shorewall.conf to cause Shorewall to use IP address filtering of 
   broadcasts rather than packet type.

 2) The shorewall.conf and zones file are no longer given execute
   permission by the installer script.
+
+3) ICMP packets that are in the INVALID state are now dropped by the
+   Reject and Drop default actions. They do so using the new 
+   'dropInvalid' builtin action.
+
+