Tom Eastep
a167e3449e
Avoid Perl run-time errors when checking a provider interface.
...
- Handle case where a provider interface matches a wildcard
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-09 07:56:16 -08:00
Tom Eastep
b871fc689c
Merge branch 'FETCH_HEAD' into 4.5.14
2013-03-09 07:11:47 -08:00
Tom Eastep
cfe2bd11b0
Allow 'none' in the COPY column when the DUPLICATE column is empty.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-08 19:18:13 -08:00
Tom Eastep
bd64baa8d9
Require at least one zone for a provider
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-08 13:08:23 -08:00
Tom Eastep
e1f7a9dbf8
Reverse an earlier silly patch.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-08 10:38:13 -08:00
Tom Eastep
4586568649
Merge branch '4.5.14' of ssh://git.code.sf.net/p/shorewall/code
2013-03-08 08:00:43 -08:00
Tom Eastep
b4d4083513
Split large '--ports' lists across multiple rules.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-08 07:38:23 -08:00
Tom Eastep
91f5a9dec0
Make 'main' work correctly when specified in the routes file.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-08 07:26:49 -08:00
Tom Eastep
50030bcc2d
Revert "Don't allow routes to be added to non-Provider tables."
...
This reverts commit 6f9a1ba29d
.
2013-03-08 06:55:12 -08:00
Tom Eastep
8eacbe287b
Correction to MULTIPORT patch
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-07 18:11:59 -08:00
Tom Eastep
6f9a1ba29d
Don't allow routes to be added to non-Provider tables.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-07 17:18:57 -08:00
Tom Eastep
6ba02c4a24
Merge branch 'master' into 4.5.14
...
Conflicts:
Shorewall/Perl/Shorewall/Providers.pm
2013-03-07 08:29:30 -08:00
Tom Eastep
c4f0be96ac
Require that interfaces in the COPY column be known.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-07 07:32:56 -08:00
Tom Eastep
7da10ff923
Additional change to copy blackhole routes.
...
- Add 'blackhole' to the outer case statement
- Add RFC1918 blackhole routes before starting providers.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-07 07:01:58 -08:00
Tom Eastep
ace9a49106
Allow addition of blackhole routes.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-07 07:01:41 -08:00
Tom Eastep
7f2c933cb3
Copy blackhole routes to secondary tables.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-07 07:01:18 -08:00
Tom Eastep
5aa731e963
Additional change to copy blackhole routes.
...
- Add 'blackhole' to the outer case statement
- Add RFC1918 blackhole routes before starting providers.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-07 06:52:16 -08:00
Tom Eastep
06e7f297f7
Allow addition of blackhole routes.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-06 11:48:09 -08:00
Tom Eastep
216029c3a9
Copy blackhole routes to secondary tables.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-06 11:04:23 -08:00
Tom Eastep
e12bc47546
Remove duplicate interface names in generated case statement.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-06 08:28:12 -08:00
Tom Eastep
384c179dd6
Avoid duplicate echo command in generated script.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-06 08:28:03 -08:00
Tom Eastep
32b2030e59
Remove duplicate interface names in generated case statement.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-06 07:03:41 -08:00
Tom Eastep
0bb62ed290
Avoid duplicate echo command in generated script.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-06 06:12:43 -08:00
Tom Eastep
49918b654e
Support '=' in SOURCE PORT(S) columns
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-04 09:56:10 -08:00
Tom Eastep
0857eb27d5
Another case of detecting invalid server IP address.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-02 09:08:13 -08:00
Tom Eastep
69f6149d4c
Detect missing, NIL or ALL server IP address in a DNAT rule.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-02 09:00:08 -08:00
Tom Eastep
5ca3b795fc
Correct IPv6 REDIRECT
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-01 16:44:49 -08:00
Tom Eastep
9499a47a0d
Revert "Use '--to-dest' for IPv6 rather than '--to-destination'"
...
This reverts commit c9d8c22b60
.
2013-03-01 10:44:40 -08:00
Tom Eastep
c9d8c22b60
Use '--to-dest' for IPv6 rather than '--to-destination'
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-01 09:03:22 -08:00
Tom Eastep
8960f72532
Handle DNAT with no port correctly.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-01 07:58:58 -08:00
Tom Eastep
ee091d09eb
Allow ports with UDPLITE
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-28 06:27:51 -08:00
Tom Eastep
22c614d30b
Don't allow :persistent in a MASQUERADE rule.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-27 12:48:27 -08:00
Tom Eastep
418034579f
Support IPv6 Masquerade
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-27 09:25:26 -08:00
Tom Eastep
78babf0941
Fixes for IPv6 DNAT
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-26 10:24:25 -08:00
Tom Eastep
45d53bdb1d
Delete superfluous statement.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 17:50:33 -08:00
Tom Eastep
fb17de0595
Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code
2013-02-25 17:29:49 -08:00
Tom Eastep
6ed1caedd0
Validate IPv4 port range in ADDRESSES column
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 17:29:33 -08:00
Tom Eastep
1d4f189b5f
Don't allow interior brackets in an address range.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 17:26:17 -08:00
Tom Eastep
7006c62892
Correct port pair handling in the snat ADDRESS column.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 15:31:36 -08:00
Tom Eastep
6b825abeb4
Catch ::<port-range> in /etc/shorewall6/snat
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 13:41:43 -08:00
Tom Eastep
f2ee46b83e
Correct IPv6 address range parsing in handle_one_masq1
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 13:37:22 -08:00
Tom Eastep
e873cb28f4
Correctly handle a port number/range with an address variable
...
- ADDRESSES column of the masq/snat files.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 08:00:15 -08:00
Tom Eastep
de1a5a8024
Handle SNAT 'ADDRESS' without enclosing [...]
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 06:42:19 -08:00
Tom Eastep
34c6013f1b
Handle missing provider in a masq/snat entry.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-24 08:12:02 -08:00
Tom Eastep
82f9ba8bb7
Correct detection of IPv6 PERSISTENT_SNAT
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-23 12:59:38 -08:00
Tom Eastep
6035d49ede
Correct NAT capability required error message.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-23 11:57:32 -08:00
Tom Eastep
67ef1f8b93
Correct detection of IPv6 NAT_ENABLED.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-23 11:57:07 -08:00
Tom Eastep
0349a9a88c
Rename the IPv6 masq file 'snat'.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-19 13:05:24 -08:00
Tom Eastep
2591a17946
Cosmetic change to the output with the '-r' option.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-19 11:59:57 -08:00
Tom Eastep
b562f7f311
Allow specification of destination addresses in Shorewall6 masq.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-19 08:34:03 -08:00
Tom Eastep
ce28c70c60
SNAT and DNAT support for IPv6.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-19 07:08:08 -08:00
Tom Eastep
d0b2d05d5b
Add optional argument to have_capability().
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-18 15:15:26 -08:00
Tom Eastep
088fc1a3a3
Report used/required capabilities
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-18 08:48:18 -08:00
Tom Eastep
6d92d293b8
Use 'here documents' in the usage() function.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-17 07:44:10 -08:00
Tom Eastep
7859267539
Eliminate $globals{CONFDIR}
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-14 17:24:49 -08:00
Tom Eastep
c68513672d
Comments and documentation.
...
- Removes the Actions-4.5 article
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-14 08:48:45 -08:00
Tom Eastep
93b3fd9be5
Correct IPv6 address checking (again)
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-13 13:37:26 -08:00
Tom Eastep
138638cb1a
Effectively use the specified directory as the CONFIG_PATH til .conf is read
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-13 07:45:24 -08:00
Tom Eastep
c5bb16ac26
Another fix for IPv6 address lists.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-13 07:44:19 -08:00
Tom Eastep
f44becdee1
Rename BLACKLIST_LOGLEVEL to BLACKLIST_LOG_LEVEL for consistent naming.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-12 07:47:02 -08:00
Tom Eastep
84c5822c20
Correct IPv6 List Handling
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-11 16:45:03 -08:00
Tom Eastep
b4977db5b2
Add %section_states that maps sections to their related state(s).
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-11 14:59:48 -08:00
Tom Eastep
8d0a80a7e2
Merge branch '4.5.13'
2013-02-11 06:40:11 -08:00
Tom Eastep
b9d5b92f1b
Correct handling of expressions consisting of a single number.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 15:19:30 -08:00
Tom Eastep
b349cc0f22
A better fix for inline default action with parameters.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 09:29:30 -08:00
Tom Eastep
a312bfbb42
Add a section => name function map
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 09:27:43 -08:00
Tom Eastep
c35e753b1d
A better fix for inline default action with parameters.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 09:16:18 -08:00
Tom Eastep
8b4349b356
Merge branch '4.5.13'
2013-02-10 09:05:41 -08:00
Tom Eastep
54c43396f0
Correct default action handling:
...
- isolate basic target before testing for action/inline
- delete the action chain if appropriate.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 09:00:13 -08:00
Tom Eastep
f9dc89dc61
Allow arbitrary $n variables when IGNOREUNKNOWNVARIABLES=Yes
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 07:56:04 -08:00
Tom Eastep
60e3f1015e
Allow arbitrary $n variables when IGNOREUNKNOWNVARIABLES=Yes
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 07:51:35 -08:00
Tom Eastep
8e0a90e077
Merge branch '4.5.13'
2013-02-09 17:54:06 -08:00
Tom Eastep
cadf2747fe
Correct reset_optflags()
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-09 17:53:40 -08:00
Tom Eastep
810ebe32ce
Merge branch '4.5.13'
2013-02-09 13:15:44 -08:00
Tom Eastep
c04c61b314
Correct typos in check_rules().
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-09 11:42:54 -08:00
Tom Eastep
a8fdfa4e48
Create an ESTABLISHED chain
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-09 09:32:12 -08:00
Tom Eastep
a4297381e9
Don't ACCEPT untracked packets unless UNTRACKED_DISPOSITION=ACCEPT
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-09 09:15:05 -08:00
Tom Eastep
eaa6d72a4f
Allow parameters to be omitted in action invocations.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-09 07:07:01 -08:00
Tom Eastep
62a567b550
Treat each -m conntrack subtype as a separate match
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-08 10:08:23 -08:00
Tom Eastep
e4f1c62e71
Improve handling of nested state actions
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-08 09:09:20 -08:00
Tom Eastep
b9e504683e
Prevent a state action from invoking another one.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-07 16:52:06 -08:00
Tom Eastep
aae6e001fe
Convert dropInvalid and allowInvalid to inline actions.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-07 11:21:13 -08:00
Tom Eastep
aa528dd075
Revert "Convert allowInvalid and dropInvalid into macros"
...
This reverts commit 272e1d330c
.
2013-02-07 09:09:56 -08:00
Tom Eastep
e4ae242123
Another tweak to check_state()
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-06 12:07:51 -08:00
Tom Eastep
272e1d330c
Convert allowInvalid and dropInvalid into macros
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-06 09:54:12 -08:00
Tom Eastep
a66256b25b
Additional refinements of check_state()
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-06 08:16:42 -08:00
Tom Eastep
11b976fb36
Correct reference type in check_state()
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-05 19:55:22 -08:00
Tom Eastep
a6ccd53fe0
Unconditionally use '-j' to branch to a state chain or DISPOSITION.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-04 15:17:49 -08:00
Tom Eastep
b22b63b1c3
Don't use '-g' when DISPOSITION is CONTINUE.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-04 15:09:17 -08:00
Tom Eastep
615df6ab8f
Handle 'RETURN' in state chain with terminating disposition.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-04 15:08:20 -08:00
Tom Eastep
d8214885f2
Assume that the conntrack state value in a rule is not a reference.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-04 08:29:50 -08:00
Tom Eastep
475942deb9
Normalize rules prior to combine_state tests.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 18:14:14 -08:00
Tom Eastep
f1707d2ace
More state rule check fixes.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 18:02:02 -08:00
Tom Eastep
30d96afb69
Push/pop $actionresult.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 12:43:28 -08:00
Tom Eastep
014b4ddc50
Combine adjacent rules differing only in conntrack state match.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 09:03:22 -08:00
Tom Eastep
5b9d1a6159
Handle UNTRACKED_DISPOSITION=ACCEPT correctly.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 07:59:47 -08:00
Tom Eastep
752463bfab
Fix TCPFlags
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 22:19:13 -08:00
Tom Eastep
ebef29e161
Handle port numbers being passed to one of the tcp-specific actions
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 12:48:54 -08:00
Tom Eastep
9b30f48ba0
Correct handling of actions when @chain is altered.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 10:57:08 -08:00
Tom Eastep
8249831e6d
Detect some state conflicts
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 09:32:57 -08:00
Tom Eastep
cc1054be66
Correct handling of audited dispositions.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 09:30:25 -08:00
Tom Eastep
c68d4c6e27
Simplify Perl from actions even further.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-01 15:55:39 -08:00
Tom Eastep
752e960f2f
Allow specification of the action type via perl_action_helper().
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-01 12:59:48 -08:00
Tom Eastep
a5d3b1f470
Remove requirement that matches and proto end with a space in perl helper API.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-01 12:29:30 -08:00
Tom Eastep
abca3a2024
Improve maintainability of @colums vis a vis @rulecolumns.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-30 10:47:40 -08:00
Tom Eastep
755d605578
Make %statetable global
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-30 08:26:47 -08:00
Tom Eastep
78db4abef5
Remove some redundant local variables from finish_chain_section()
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-30 08:02:23 -08:00
Tom Eastep
fc73c3934b
Replace BLACKLISTNEWONLY with BLACKLIST
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-30 08:00:47 -08:00
Tom Eastep
75fb164234
Don't issue fatal error if a proto other than tcp is passed to a tcp-only inline
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 10:31:20 -08:00
Tom Eastep
27c5e67632
Rename process_rule to process_raw_rule and process_rule1 to process_rule
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 10:13:48 -08:00
Tom Eastep
61d8f704f9
Correct rule-generation detection in perl_action_helper
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 09:43:12 -08:00
Tom Eastep
f33e36b61e
Raise an error if a protocol other than TCP is passed to a TCP-only inline
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 07:46:50 -08:00
Tom Eastep
670931c987
Initialize the columns array to '-'s.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 07:46:07 -08:00
Tom Eastep
316b67473e
Merge branch 'master' into 4.5.13
...
Conflicts:
Shorewall/Perl/Shorewall/Rules.pm
Shorewall/action.Established
Shorewall/actions.std
2013-01-29 07:30:52 -08:00
Tom Eastep
42f46ea5e7
Accurately determine if an inline action generates a rule.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 20:46:20 -08:00
Tom Eastep
49166efdca
Make the TCP standard actions inline
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 18:01:08 -08:00
Tom Eastep
5a2c1792cb
Inline the conntrack state actions.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 16:55:54 -08:00
Tom Eastep
a70c441458
Add CONTINUE as a possible setting for RELATED_DISPOSITION.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 11:47:45 -08:00
Tom Eastep
519861d7b2
Add CONTINUE as a possible setting for RELATED_DISPOSITION.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:58:03 -08:00
Tom Eastep
2e8eeff416
Correct error messages that include the section name.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:41:52 -08:00
Tom Eastep
2217f89902
Correctly initialize $chainref->{sections} vis-a-vis FASTACCEPT.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:41:45 -08:00
Tom Eastep
5c63444c14
Correct error messages that include the section name.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:41:09 -08:00
Tom Eastep
cfa5d86f5c
Correctly initialize $chainref->{sections} vis-a-vis FASTACCEPT.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:40:26 -08:00
Tom Eastep
b3b074fb61
More infrastructure
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 15:37:23 -08:00
Tom Eastep
cbbcfe355e
Infrastructure for more powerful action handling
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 12:37:10 -08:00
Tom Eastep
2a2e23cb17
Merge branch '4.5.13'
2013-01-27 11:26:59 -08:00
Tom Eastep
1b94c3651d
Always handle ESTABLISHED before the other connection states.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 10:56:41 -08:00
Tom Eastep
b1b2aa910e
Correct section handling:
...
- Correct typo (' INVALID' -> 'INVALID' )
- Don't jump to non-existent target in finish_chain_section()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 10:14:27 -08:00
Tom Eastep
aa609b87a9
Allow arbitrary actions for the various states.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 10:10:24 -08:00
Tom Eastep
a3a90d8d2e
Correct section handling:
...
- Correct typo (' INVALID' -> 'INVALID' )
- Don't jump to non-existent target in finish_chain_section()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 10:08:02 -08:00
Tom Eastep
6c8761c7dd
Add a "matches" argument to process_rule1
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 08:21:30 -08:00
Tom Eastep
9194165e89
Handle explicit CONTINUE value for UNTRACKED_DISPOSITION
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 08:17:09 -08:00
Tom Eastep
6306103991
Clean up fix for optimize 8 performance issue
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 08:13:27 -08:00
Tom Eastep
749773f89a
Handle explicit CONTINUE value for UNTRACKED_DISPOSITION
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 08:12:49 -08:00
Tom Eastep
5db317b6f7
Clean up fix for optimize 8 performance issue
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 07:55:55 -08:00
Tom Eastep
380d427a5d
Dramatically reduce the CPU cost of optimize 8.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-26 17:46:31 -08:00
Tom Eastep
6ce392b08e
Correct handling of handle_first_entry() to avoid runaway recursion.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-26 12:18:17 -08:00
Tom Eastep
5fa01728ad
Pass UNTRACKED packets through the blacklist chain when BLACKLISTNEWONLY=Yes
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-26 09:18:20 -08:00
Tom Eastep
7bc66da663
Call handle_first_entry in the warning/error-message generators.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-26 07:30:50 -08:00
Tom Eastep
b8cc9c5a6a
Drop chain-ending rules whose target is 'RETURN'.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-25 14:03:04 -08:00
Tom Eastep
b7273d6999
Favor low-numbered less complex synonym chains in optimization 8.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-25 13:55:04 -08:00
Tom Eastep
e12b919dc1
Prefer shorter action chain names in optimize level 8.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 17:25:11 -08:00
Tom Eastep
18c0956374
Fix two bugs in the UNTRACKED section implementation.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 16:41:18 -08:00
Tom Eastep
6403f4959d
Implement UNTRACKED SECTION
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 15:42:01 -08:00
Tom Eastep
0ca93c1ac9
Unify handling of the RELATED and INVALID sections within finish_chain_section()
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 14:38:02 -08:00
Tom Eastep
a40c74ddec
Eliminate forward declaration of finish_chain_section()
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 09:04:50 -08:00
Tom Eastep
c2bc74cdfe
Add INVALID section to the rules file.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 08:33:59 -08:00
Tom Eastep
7fe2027229
Eliminate superfluous ESTABLISHED,RELATED rule
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-22 16:17:19 -08:00
Tom Eastep
8fe36422b5
Delete stale comment
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-22 10:44:12 -08:00
Tom Eastep
f61f5a8183
Don't copy a chain that has a single RETURN rule.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-22 09:07:07 -08:00
Tom Eastep
4ed5c5fdfe
Sort the chain list in optimize_level8.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 16:00:32 -08:00
Tom Eastep
25d6164f21
Try to avoid ~combN chains when dealing with action chains.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 11:51:33 -08:00
Tom Eastep
32c475193f
Another fix for RELATED_DISPOSITION
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 11:50:46 -08:00
Tom Eastep
982fabc96f
Delete $caller argument from process_default_action()
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 09:45:54 -08:00
Tom Eastep
5beae475f5
Make optimize 8 a multi-pass operation.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 09:12:42 -08:00
Tom Eastep
c820c54f41
Correctly handle audited RELATED_DISPOSITION
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 09:03:27 -08:00
Tom Eastep
4a354ba5a2
Avoid internal error during standard chain completion
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 08:02:50 -08:00
Tom Eastep
e23876b582
Rename '$inline' to '$action' in policy_rules()
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 07:36:50 -08:00
Tom Eastep
64e76599e0
Correct handling of default actions that set Shorewall variables.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-20 16:15:04 -08:00
Tom Eastep
c4a2f3d386
Set caller when possible in policy chains.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-20 14:51:16 -08:00
Tom Eastep
bc882af6c5
Allow RESET of Shorewall variables
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-20 07:32:34 -08:00
Tom Eastep
d31221b03c
Fix variable assignment.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-20 07:26:10 -08:00
Tom Eastep
f403420926
Allow setting chain variables
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-19 10:52:11 -08:00
Tom Eastep
b31c76cc50
Proper job of fixing DEFER_DNS_RESOLUTION=No
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-18 17:18:29 -08:00
Tom Eastep
1307770178
Allow setting action parameters
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-18 15:05:14 -08:00
Tom Eastep
95aab78c0d
Add infrastructure to delete the %usedactions entry for an action chain if
...
the chain parameters are modified.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-18 14:54:57 -08:00
Tom Eastep
4587430e4a
Move get_action_logging() to the Config Module
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-18 13:06:55 -08:00
Tom Eastep
8ccd1ab52b
Handle exclusion correctly when DEFER_DNS_RESOLUTION=No
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-18 12:09:54 -08:00
Tom Eastep
89a09f0256
Implement DEFER_DNS_RESOLUTION
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-13 17:00:14 -08:00
Tom Eastep
54dbbaaa2d
Don't resolve DNS names at compile time.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-13 10:34:31 -08:00
Tom Eastep
90bd19feb9
Convert DNS names into ip addresses in validate_net().
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-13 07:39:27 -08:00
Tom Eastep
853b9ce916
Enable DNS names without an interface name.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-12 14:38:26 -08:00
Tom Eastep
c61d51363d
Correct generation of rules in the ESTABLISHED section of the rules file.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-12 06:49:32 -08:00
Tom Eastep
af83989465
Update copyright dates.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-11 16:01:10 -08:00
Tom Eastep
b53fd39b49
Avoid a fatal Perl error in Config::cleanup when an fatal error occurs
...
while compiling a default action.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-11 15:50:23 -08:00
Tom Eastep
38097bef5d
Correct an optimizer bug.
...
- delete_chain_and_references() was only deleting the downward references
and not the upward ones.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-11 14:55:43 -08:00
Tom Eastep
76a63fb7e8
Don't flush 'noarp' ARP entries
...
= doing so kills the loopback interface
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-10 17:14:40 -08:00
Tom Eastep
15ca9edf8a
Allow delete_tc1() to work on devices which an @ suffix in their reported names.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-09 14:09:07 -08:00
Tom Eastep
199bce925f
Don't add chains with RETURNs to %terminating.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-09 12:54:29 -08:00
Tom Eastep
1fd3a6a522
Detect terminating chains
...
- no RETURN Rules
- last rule is terminating
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-08 16:32:24 -08:00
Tom Eastep
011dd2c901
Add a RETURNS flag to optflags indicating that there is RETURN in the chain.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-08 15:25:53 -08:00
Tom Eastep
e54563d9c1
Don't append rules that can't be matched.
...
Also, delete chains whose only rule is a -j RETURN
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-08 13:53:03 -08:00
Tom Eastep
f8c1b02dba
Correct test for optimization in 'check -r'
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-08 09:51:32 -08:00
Tom Eastep
dece73f7b6
Another fix for *C actions in arprules.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-07 18:59:24 -08:00
Tom Eastep
eb3b47ae24
Correctly handle *C actions in arprules.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-07 18:29:41 -08:00
Tom Eastep
c157228f7d
Correct handling of unknown ACTION in arprules.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-07 18:21:58 -08:00
Tom Eastep
a7af052d91
Correct issue with generating ESTABLISHED rules.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-07 16:07:24 -08:00
Tom Eastep
414a74d23c
Support protocol lists in most files.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-07 16:06:54 -08:00
Tom Eastep
0526863e66
Make $section numeric
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-07 13:39:49 -08:00
Tom Eastep
5dbe2aa9ec
Optimize a test in finish_chain_section().
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-07 07:00:15 -08:00
Tom Eastep
ca202ca10b
Flush the arp cache after applying the arprules.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-06 17:46:40 -08:00
Tom Eastep
de4e0898b5
Catch protocol lists in contexts that don't allow them.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-06 17:23:14 -08:00
Tom Eastep
edc0a84e5d
Optimize RELATED rules.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-06 16:48:37 -08:00
Tom Eastep
d4c9885c09
Change interpretation of the log tag when LOGTAGONLY=Yes
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-06 13:10:18 -08:00
Tom Eastep
c41b9e596d
Don't add --cstate to dropInvalid rule.
...
Signed-off-by: Tom Eastep <teastep@mint14.(none)>
2013-01-06 09:42:55 -08:00
Tom Eastep
9fd7933b5d
Make inline actions work in sections other than NEW.
...
Signed-off-by: Tom Eastep <teastep@mint14.(none)>
2013-01-06 09:32:50 -08:00
Tom Eastep
f223e3584c
Make '+' optional in the ADD and DEL statements.
...
Signed-off-by: Tom Eastep <teastep@mint14.(none)>
2013-01-06 07:37:11 -08:00
Tom Eastep
3f24416f37
Add a warning for opcode inversion when not arptables_jf.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-05 13:14:32 -08:00
Tom Eastep
38aa7f3857
Correct opcode inversion when not ARPTABLES_JF
...
Signed-off-by: Tom Eastep <teastep@mint14.(none)>
2013-01-05 08:26:46 -08:00
Tom Eastep
7f6430a383
Correct address inversion in match_arp_net()
...
Signed-off-by: Tom Eastep <teastep@mint14.(none)>
2013-01-05 08:20:51 -08:00