shorewall_code

mirror of https://gitlab.com/shorewall/code.git synced 2024-12-01 03:53:40 +01:00

Author	SHA1	Message	Date
Tom Eastep	39d3312f17	Don't complain loopback subzone violations when regression testing Allows Steven Springl's complex tests to pass. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-08-08 10:26:13 -07:00
Tom Eastep	fba5847fa3	Merge branch 'master' of ssh://gitlab.com/shorewall/code Merge remaining requests to the 5.2.9 path	2024-04-15 20:06:34 -07:00
Tom Eastep	3c77d83260	Merge branch 'clean-test-ipset' into 'master' Destroy the temporary IP set in the cleanup function See merge request shorewall/code!13	2024-04-16 02:46:50 +00:00
Tom Eastep	c94c3c5720	Merge branch 'master' of ssh://gitlab.com/shorewall/code Merge Socket6 patch into 5.2.9	2024-04-15 15:58:31 -07:00
Tom Eastep	d8e43cee2b	Merge branch 'master' into 'master' Rewrite gethostbyname2 and inet_ntop to newer getaddrinfo and getnameinfo See merge request shorewall/code!5	2024-04-15 22:57:24 +00:00
Tom Eastep	d3f3a59d6f	Merge branch 'master' of ssh://gitlab.com/shorewall/code Merge changes that occurred while I was inactive	2024-04-15 14:29:10 -07:00
Tom Eastep	b619f1333e	Correct status of optional interface during 'disable' - If <interface>.status contains 0 but the interface's routing table has been deleted, then 'disable' would not correct the file. - This simple change corrects that problem. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-04-15 13:29:08 -07:00
Tom Eastep	90444bdc44	Correct comment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-29 15:48:45 -07:00
Tom Eastep	44671e906d	Correct typo Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-13 18:16:51 -07:00
Tom Eastep	160c259866	Silly documentation change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-11 12:32:45 -07:00
Tom Eastep	8f826ce70d	Avoid 'ip' error messages due to missing optional interface Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-10 12:55:34 -07:00
Tom Eastep	895428c7c1	Handle the case where a single host exclusion specifies multiple nets Also reorganize the exclusion code to make it self-contained within add_common_rules() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-10 10:30:33 -07:00
Tom Eastep	0855bc4187	Create /etc/iproute2/rt_tables if it doesn't exist Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-09 15:52:49 -08:00
Tom Eastep	3e52a6c005	Remove interface status files during 'stop/clear' processing Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-08 16:13:05 -08:00
Tom Eastep	467cc4c252	Correct src-dst single exclusion Match the destination address in the output chain Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-08 11:50:49 -08:00
Tom Eastep	a9359d2610	Update $globals{VERSION} Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-07 15:41:15 -08:00
Tom Eastep	9479b83c48	Correct add_dbl_exclution_ijump() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-07 14:18:06 -08:00
Tom Eastep	f37a74a667	Add a comment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-07 12:30:37 -08:00
Tom Eastep	0ecf0703dc	Correct classic blacklisting - No filtering in the OUTPUT chain - Correct ipsec filtering Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-07 12:26:59 -08:00
Tom Eastep	f1317f919f	Handle ipsec correctly in ipset-based dynamic blacklisting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-06 20:26:58 -08:00
Tom Eastep	cbe2935fce	Handle 'nodbl' in complex host definitions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-06 17:18:50 -08:00
Tom Eastep	a9c2ee3a76	Major cleanup of DYNAMIC_BLACKLIST code 1) Avoid having to parse the setting in the Zones, Misc and rules modules 2) Apply ipset match rule after dealing with exclusions rather than before 3) Correct handling of src-dst Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-05 14:45:41 -08:00
Tom Eastep	dfd40ee208	Factor out ipset match rule generateion Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-04 13:44:23 -08:00
Tom Eastep	8d0dba349c	Shorten DBL exclusion chain names Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-04 12:10:56 -08:00
Tom Eastep	f21d8b2a27	Correct parsing of the hosts file: 1) Fixed IPv6 parsing of the HOSTS column 2) Properly detect IPv4 loopback violations Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-03 09:54:33 -08:00
Tom Eastep	11fb1ab6cf	Insert comments into add_common_rules() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-02 19:51:18 -08:00
Tom Eastep	e8f28fa564	Allow 'nodbl' for classic blacklisting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-02 16:16:02 -08:00
Tom Eastep	337a4bd6ec	Use shorter names for dbl exclusion chains Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-02 14:54:45 -08:00
Tom Eastep	91d5dbb7ba	Fix some blacklisting bugs: - src-dst didn't work - typo in shorewall.conf(5) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-02 13:53:31 -08:00
Tom Eastep	4ca77b109c	Replace bizarre {dbl} encoding (what was I smoking when I wrote that code?) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-02 10:40:12 -08:00
Tom Eastep	f928b4d6fc	Add a comment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-02 08:45:46 -08:00
Tom Eastep	a3abafa98b	Add a 'nodbl' option for the hosts file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2024-03-02 08:33:36 -08:00
Glop	450a16f730	Destroy the temporary IP set in the cleanup function In the IP set capability tests, there is a race condition which might prevent the removal of the temporary IP set immediately after flushing the chain that uses this IP set: even though the rules which used the IP set were deleted, the IP set might still appear to be “in use by a kernel component.” In case this happens, we add an extra call to `ipset -X` in the `cleanup_iptables()` function, just to be sure that the temporary IP set is indeed destroyed when the compiler exits.	2023-03-03 16:12:04 +01:00
Christian Ruppert	8b0d829531	Check for wait option if we don't have capabilities Only check for iptables --wait option if we don't already have existing capabilities. If we have some and they're not up2date / don't match, it will issue a warning anyway. If a valid capabilities file exists, it will already cover whether we can use --wait or not, that's what WAIT_OPTION is for. Signed-off-by: Christian Ruppert <idl0r@qasl.de>	2022-04-02 11:52:10 +02:00
Christian Ruppert	c941cf4bb5	Run iptables -w check against a usually small chain The iptablesw check, that's just looking for whether -w is supported or not, previousely caused iptables to list all rules, each time you do a shorewall check or shorewall start/reload. That might be quite a lot, depending on the amount of rules you have. It is also no necessary to parse each rule just to check for -w. Let's switch to the usually much smaller INPUT chain, to reduce the overhead	2022-04-01 16:45:42 +02:00
Michal Josef Špaček	e9e73a259b	Rewrite gethostbyname2 and inet_ntop to newer getaddrinfo and getnameinfo We don't need Socket6, because Socket has IPv6 implementation now	2022-02-08 00:45:27 +01:00
Tom Eastep	69f0d4d881	Simon Mater's patch to support gbits and gbps in rate/burst specifications Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-10-09 09:39:01 -07:00
Tom Eastep	34c59dca32	Don't export interface_is_plain() - It was used in a superseded change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-09-19 11:38:41 -07:00
Tom Eastep	9aa2a4b704	Use less obscure code to set $call_generate_all_acasts; Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-09-19 11:20:10 -07:00
Tom Eastep	d363809859	Complete the table documentation at the top of the file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-09-18 13:44:41 -07:00
Tom Eastep	126c5ccd53	Include administrative host name in status output Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-09-15 15:16:23 -07:00
Tom Eastep	8d4e79650e	Refactor ALL_ACASTS code Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-09-11 15:58:59 -07:00
Tom Eastep	b253be8a69	Localize to IPv6 the effect of generating ALL_ACASTS during 'restore' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-09-11 14:35:17 -07:00
Tom Eastep	4385264dc3	Revert "Delete superfuous 'use' statements" This reverts commit `fe7bb4abca`.	2020-09-11 13:43:14 -07:00
Tom Eastep	6cab1c3c8c	Generate ALL_ACASTS during 'restore' processing Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-09-11 13:11:44 -07:00
Tom Eastep	fe7bb4abca	Delete superfuous 'use' statements Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-09-11 12:56:37 -07:00
Tom Eastep	63b477a4de	Clean up ALL_ACASTS generation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-09-10 15:59:33 -07:00
Tom Eastep	2166251b97	Correct physwild/wildcard usage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-09-10 15:59:16 -07:00
Tom Eastep	9e6aec7687	Correct usage of $physwild, replacing with $wildcard Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-09-10 13:20:20 -07:00
Tom Eastep	b154803f22	Rename 'noanycast' to 'omitanycast' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-09-10 09:59:45 -07:00

1 2 3 4 5 ...

4216 Commits