Commit Graph

2908 Commits

Author SHA1 Message Date
Tom Eastep
a167e3449e Avoid Perl run-time errors when checking a provider interface.
- Handle case where a provider interface matches a wildcard

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-09 07:56:16 -08:00
Tom Eastep
b871fc689c Merge branch 'FETCH_HEAD' into 4.5.14 2013-03-09 07:11:47 -08:00
Tom Eastep
cfe2bd11b0 Allow 'none' in the COPY column when the DUPLICATE column is empty.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-08 19:18:13 -08:00
Tom Eastep
bd64baa8d9 Require at least one zone for a provider
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-08 13:08:23 -08:00
Tom Eastep
e1f7a9dbf8 Reverse an earlier silly patch.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-08 10:38:13 -08:00
Tom Eastep
4586568649 Merge branch '4.5.14' of ssh://git.code.sf.net/p/shorewall/code 2013-03-08 08:00:43 -08:00
Tom Eastep
b4d4083513 Split large '--ports' lists across multiple rules.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-08 07:38:23 -08:00
Tom Eastep
91f5a9dec0 Make 'main' work correctly when specified in the routes file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-08 07:26:49 -08:00
Tom Eastep
50030bcc2d Revert "Don't allow routes to be added to non-Provider tables."
This reverts commit 6f9a1ba29d.
2013-03-08 06:55:12 -08:00
Tom Eastep
8eacbe287b Correction to MULTIPORT patch
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-07 18:11:59 -08:00
Tom Eastep
6f9a1ba29d Don't allow routes to be added to non-Provider tables.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-07 17:18:57 -08:00
Tom Eastep
6ba02c4a24 Merge branch 'master' into 4.5.14
Conflicts:
	Shorewall/Perl/Shorewall/Providers.pm
2013-03-07 08:29:30 -08:00
Tom Eastep
c4f0be96ac Require that interfaces in the COPY column be known.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-07 07:32:56 -08:00
Tom Eastep
7da10ff923 Additional change to copy blackhole routes.
- Add 'blackhole' to the outer case statement
- Add RFC1918 blackhole routes before starting providers.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-07 07:01:58 -08:00
Tom Eastep
ace9a49106 Allow addition of blackhole routes.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-07 07:01:41 -08:00
Tom Eastep
7f2c933cb3 Copy blackhole routes to secondary tables.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-07 07:01:18 -08:00
Tom Eastep
5aa731e963 Additional change to copy blackhole routes.
- Add 'blackhole' to the outer case statement
- Add RFC1918 blackhole routes before starting providers.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-07 06:52:16 -08:00
Tom Eastep
06e7f297f7 Allow addition of blackhole routes.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-06 11:48:09 -08:00
Tom Eastep
216029c3a9 Copy blackhole routes to secondary tables.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-06 11:04:23 -08:00
Tom Eastep
e12bc47546 Remove duplicate interface names in generated case statement.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-06 08:28:12 -08:00
Tom Eastep
384c179dd6 Avoid duplicate echo command in generated script.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-06 08:28:03 -08:00
Tom Eastep
32b2030e59 Remove duplicate interface names in generated case statement.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-06 07:03:41 -08:00
Tom Eastep
0bb62ed290 Avoid duplicate echo command in generated script.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-06 06:12:43 -08:00
Tom Eastep
49918b654e Support '=' in SOURCE PORT(S) columns
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-04 09:56:10 -08:00
Tom Eastep
0857eb27d5 Another case of detecting invalid server IP address.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-02 09:08:13 -08:00
Tom Eastep
69f6149d4c Detect missing, NIL or ALL server IP address in a DNAT rule.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-02 09:00:08 -08:00
Tom Eastep
5ca3b795fc Correct IPv6 REDIRECT
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-01 16:44:49 -08:00
Tom Eastep
9499a47a0d Revert "Use '--to-dest' for IPv6 rather than '--to-destination'"
This reverts commit c9d8c22b60.
2013-03-01 10:44:40 -08:00
Tom Eastep
c9d8c22b60 Use '--to-dest' for IPv6 rather than '--to-destination'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-01 09:03:22 -08:00
Tom Eastep
8960f72532 Handle DNAT with no port correctly.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-03-01 07:58:58 -08:00
Tom Eastep
ee091d09eb Allow ports with UDPLITE
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-28 06:27:51 -08:00
Tom Eastep
22c614d30b Don't allow :persistent in a MASQUERADE rule.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-27 12:48:27 -08:00
Tom Eastep
418034579f Support IPv6 Masquerade
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-27 09:25:26 -08:00
Tom Eastep
78babf0941 Fixes for IPv6 DNAT
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-26 10:24:25 -08:00
Tom Eastep
45d53bdb1d Delete superfluous statement.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 17:50:33 -08:00
Tom Eastep
fb17de0595 Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code 2013-02-25 17:29:49 -08:00
Tom Eastep
6ed1caedd0 Validate IPv4 port range in ADDRESSES column
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 17:29:33 -08:00
Tom Eastep
1d4f189b5f Don't allow interior brackets in an address range.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 17:26:17 -08:00
Tom Eastep
7006c62892 Correct port pair handling in the snat ADDRESS column.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 15:31:36 -08:00
Tom Eastep
6b825abeb4 Catch ::<port-range> in /etc/shorewall6/snat
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 13:41:43 -08:00
Tom Eastep
f2ee46b83e Correct IPv6 address range parsing in handle_one_masq1
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 13:37:22 -08:00
Tom Eastep
e873cb28f4 Correctly handle a port number/range with an address variable
- ADDRESSES column of the masq/snat files.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 08:00:15 -08:00
Tom Eastep
de1a5a8024 Handle SNAT 'ADDRESS' without enclosing [...]
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-25 06:42:19 -08:00
Tom Eastep
34c6013f1b Handle missing provider in a masq/snat entry.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-24 08:12:02 -08:00
Tom Eastep
82f9ba8bb7 Correct detection of IPv6 PERSISTENT_SNAT
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-23 12:59:38 -08:00
Tom Eastep
6035d49ede Correct NAT capability required error message.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-23 11:57:32 -08:00
Tom Eastep
67ef1f8b93 Correct detection of IPv6 NAT_ENABLED.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-23 11:57:07 -08:00
Tom Eastep
0349a9a88c Rename the IPv6 masq file 'snat'.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-19 13:05:24 -08:00
Tom Eastep
2591a17946 Cosmetic change to the output with the '-r' option.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-19 11:59:57 -08:00
Tom Eastep
b562f7f311 Allow specification of destination addresses in Shorewall6 masq.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-19 08:34:03 -08:00
Tom Eastep
ce28c70c60 SNAT and DNAT support for IPv6.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-19 07:08:08 -08:00
Tom Eastep
d0b2d05d5b Add optional argument to have_capability().
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-18 15:15:26 -08:00
Tom Eastep
088fc1a3a3 Report used/required capabilities
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-18 08:48:18 -08:00
Tom Eastep
6d92d293b8 Use 'here documents' in the usage() function.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-17 07:44:10 -08:00
Tom Eastep
7859267539 Eliminate $globals{CONFDIR}
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-14 17:24:49 -08:00
Tom Eastep
c68513672d Comments and documentation.
- Removes the Actions-4.5 article

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-14 08:48:45 -08:00
Tom Eastep
93b3fd9be5 Correct IPv6 address checking (again)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-13 13:37:26 -08:00
Tom Eastep
138638cb1a Effectively use the specified directory as the CONFIG_PATH til .conf is read
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-13 07:45:24 -08:00
Tom Eastep
c5bb16ac26 Another fix for IPv6 address lists.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-13 07:44:19 -08:00
Tom Eastep
f44becdee1 Rename BLACKLIST_LOGLEVEL to BLACKLIST_LOG_LEVEL for consistent naming.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-12 07:47:02 -08:00
Tom Eastep
84c5822c20 Correct IPv6 List Handling
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-11 16:45:03 -08:00
Tom Eastep
b4977db5b2 Add %section_states that maps sections to their related state(s).
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-11 14:59:48 -08:00
Tom Eastep
8d0a80a7e2 Merge branch '4.5.13' 2013-02-11 06:40:11 -08:00
Tom Eastep
b9d5b92f1b Correct handling of expressions consisting of a single number.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 15:19:30 -08:00
Tom Eastep
b349cc0f22 A better fix for inline default action with parameters.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 09:29:30 -08:00
Tom Eastep
a312bfbb42 Add a section => name function map
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 09:27:43 -08:00
Tom Eastep
c35e753b1d A better fix for inline default action with parameters.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 09:16:18 -08:00
Tom Eastep
8b4349b356 Merge branch '4.5.13' 2013-02-10 09:05:41 -08:00
Tom Eastep
54c43396f0 Correct default action handling:
- isolate basic target before testing for action/inline
- delete the action chain if appropriate.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 09:00:13 -08:00
Tom Eastep
f9dc89dc61 Allow arbitrary $n variables when IGNOREUNKNOWNVARIABLES=Yes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 07:56:04 -08:00
Tom Eastep
60e3f1015e Allow arbitrary $n variables when IGNOREUNKNOWNVARIABLES=Yes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-10 07:51:35 -08:00
Tom Eastep
8e0a90e077 Merge branch '4.5.13' 2013-02-09 17:54:06 -08:00
Tom Eastep
cadf2747fe Correct reset_optflags()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-09 17:53:40 -08:00
Tom Eastep
810ebe32ce Merge branch '4.5.13' 2013-02-09 13:15:44 -08:00
Tom Eastep
c04c61b314 Correct typos in check_rules().
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-09 11:42:54 -08:00
Tom Eastep
a8fdfa4e48 Create an ESTABLISHED chain
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-09 09:32:12 -08:00
Tom Eastep
a4297381e9 Don't ACCEPT untracked packets unless UNTRACKED_DISPOSITION=ACCEPT
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-09 09:15:05 -08:00
Tom Eastep
eaa6d72a4f Allow parameters to be omitted in action invocations.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-09 07:07:01 -08:00
Tom Eastep
62a567b550 Treat each -m conntrack subtype as a separate match
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-08 10:08:23 -08:00
Tom Eastep
e4f1c62e71 Improve handling of nested state actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-08 09:09:20 -08:00
Tom Eastep
b9e504683e Prevent a state action from invoking another one.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-07 16:52:06 -08:00
Tom Eastep
aae6e001fe Convert dropInvalid and allowInvalid to inline actions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-07 11:21:13 -08:00
Tom Eastep
aa528dd075 Revert "Convert allowInvalid and dropInvalid into macros"
This reverts commit 272e1d330c.
2013-02-07 09:09:56 -08:00
Tom Eastep
e4ae242123 Another tweak to check_state()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-06 12:07:51 -08:00
Tom Eastep
272e1d330c Convert allowInvalid and dropInvalid into macros
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-06 09:54:12 -08:00
Tom Eastep
a66256b25b Additional refinements of check_state()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-06 08:16:42 -08:00
Tom Eastep
11b976fb36 Correct reference type in check_state()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-05 19:55:22 -08:00
Tom Eastep
a6ccd53fe0 Unconditionally use '-j' to branch to a state chain or DISPOSITION.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-04 15:17:49 -08:00
Tom Eastep
b22b63b1c3 Don't use '-g' when DISPOSITION is CONTINUE.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-04 15:09:17 -08:00
Tom Eastep
615df6ab8f Handle 'RETURN' in state chain with terminating disposition.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-04 15:08:20 -08:00
Tom Eastep
d8214885f2 Assume that the conntrack state value in a rule is not a reference.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-04 08:29:50 -08:00
Tom Eastep
475942deb9 Normalize rules prior to combine_state tests.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 18:14:14 -08:00
Tom Eastep
f1707d2ace More state rule check fixes.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 18:02:02 -08:00
Tom Eastep
30d96afb69 Push/pop $actionresult.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 12:43:28 -08:00
Tom Eastep
014b4ddc50 Combine adjacent rules differing only in conntrack state match.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 09:03:22 -08:00
Tom Eastep
5b9d1a6159 Handle UNTRACKED_DISPOSITION=ACCEPT correctly.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-03 07:59:47 -08:00
Tom Eastep
752463bfab Fix TCPFlags
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 22:19:13 -08:00
Tom Eastep
ebef29e161 Handle port numbers being passed to one of the tcp-specific actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 12:48:54 -08:00
Tom Eastep
9b30f48ba0 Correct handling of actions when @chain is altered.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 10:57:08 -08:00
Tom Eastep
8249831e6d Detect some state conflicts
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 09:32:57 -08:00
Tom Eastep
cc1054be66 Correct handling of audited dispositions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-02 09:30:25 -08:00
Tom Eastep
c68d4c6e27 Simplify Perl from actions even further.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-01 15:55:39 -08:00
Tom Eastep
752e960f2f Allow specification of the action type via perl_action_helper().
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-01 12:59:48 -08:00
Tom Eastep
a5d3b1f470 Remove requirement that matches and proto end with a space in perl helper API.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-01 12:29:30 -08:00
Tom Eastep
abca3a2024 Improve maintainability of @colums vis a vis @rulecolumns.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-30 10:47:40 -08:00
Tom Eastep
755d605578 Make %statetable global
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-30 08:26:47 -08:00
Tom Eastep
78db4abef5 Remove some redundant local variables from finish_chain_section()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-30 08:02:23 -08:00
Tom Eastep
fc73c3934b Replace BLACKLISTNEWONLY with BLACKLIST
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-30 08:00:47 -08:00
Tom Eastep
75fb164234 Don't issue fatal error if a proto other than tcp is passed to a tcp-only inline
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 10:31:20 -08:00
Tom Eastep
27c5e67632 Rename process_rule to process_raw_rule and process_rule1 to process_rule
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 10:13:48 -08:00
Tom Eastep
61d8f704f9 Correct rule-generation detection in perl_action_helper
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 09:43:12 -08:00
Tom Eastep
f33e36b61e Raise an error if a protocol other than TCP is passed to a TCP-only inline
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 07:46:50 -08:00
Tom Eastep
670931c987 Initialize the columns array to '-'s.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-29 07:46:07 -08:00
Tom Eastep
316b67473e Merge branch 'master' into 4.5.13
Conflicts:
	Shorewall/Perl/Shorewall/Rules.pm
	Shorewall/action.Established
	Shorewall/actions.std
2013-01-29 07:30:52 -08:00
Tom Eastep
42f46ea5e7 Accurately determine if an inline action generates a rule.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 20:46:20 -08:00
Tom Eastep
49166efdca Make the TCP standard actions inline
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 18:01:08 -08:00
Tom Eastep
5a2c1792cb Inline the conntrack state actions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 16:55:54 -08:00
Tom Eastep
a70c441458 Add CONTINUE as a possible setting for RELATED_DISPOSITION.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 11:47:45 -08:00
Tom Eastep
519861d7b2 Add CONTINUE as a possible setting for RELATED_DISPOSITION.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:58:03 -08:00
Tom Eastep
2e8eeff416 Correct error messages that include the section name.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:41:52 -08:00
Tom Eastep
2217f89902 Correctly initialize $chainref->{sections} vis-a-vis FASTACCEPT.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:41:45 -08:00
Tom Eastep
5c63444c14 Correct error messages that include the section name.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:41:09 -08:00
Tom Eastep
cfa5d86f5c Correctly initialize $chainref->{sections} vis-a-vis FASTACCEPT.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-28 07:40:26 -08:00
Tom Eastep
b3b074fb61 More infrastructure
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 15:37:23 -08:00
Tom Eastep
cbbcfe355e Infrastructure for more powerful action handling
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 12:37:10 -08:00
Tom Eastep
2a2e23cb17 Merge branch '4.5.13' 2013-01-27 11:26:59 -08:00
Tom Eastep
1b94c3651d Always handle ESTABLISHED before the other connection states.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 10:56:41 -08:00
Tom Eastep
b1b2aa910e Correct section handling:
- Correct typo (' INVALID' -> 'INVALID' )
- Don't jump to non-existent target in finish_chain_section()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 10:14:27 -08:00
Tom Eastep
aa609b87a9 Allow arbitrary actions for the various states.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 10:10:24 -08:00
Tom Eastep
a3a90d8d2e Correct section handling:
- Correct typo (' INVALID' -> 'INVALID' )
- Don't jump to non-existent target in finish_chain_section()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 10:08:02 -08:00
Tom Eastep
6c8761c7dd Add a "matches" argument to process_rule1
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 08:21:30 -08:00
Tom Eastep
9194165e89 Handle explicit CONTINUE value for UNTRACKED_DISPOSITION
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 08:17:09 -08:00
Tom Eastep
6306103991 Clean up fix for optimize 8 performance issue
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 08:13:27 -08:00
Tom Eastep
749773f89a Handle explicit CONTINUE value for UNTRACKED_DISPOSITION
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 08:12:49 -08:00
Tom Eastep
5db317b6f7 Clean up fix for optimize 8 performance issue
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-27 07:55:55 -08:00
Tom Eastep
380d427a5d Dramatically reduce the CPU cost of optimize 8.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-26 17:46:31 -08:00
Tom Eastep
6ce392b08e Correct handling of handle_first_entry() to avoid runaway recursion.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-26 12:18:17 -08:00
Tom Eastep
5fa01728ad Pass UNTRACKED packets through the blacklist chain when BLACKLISTNEWONLY=Yes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-26 09:18:20 -08:00
Tom Eastep
7bc66da663 Call handle_first_entry in the warning/error-message generators.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-26 07:30:50 -08:00
Tom Eastep
b8cc9c5a6a Drop chain-ending rules whose target is 'RETURN'.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-25 14:03:04 -08:00
Tom Eastep
b7273d6999 Favor low-numbered less complex synonym chains in optimization 8.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-25 13:55:04 -08:00
Tom Eastep
e12b919dc1 Prefer shorter action chain names in optimize level 8.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 17:25:11 -08:00
Tom Eastep
18c0956374 Fix two bugs in the UNTRACKED section implementation.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 16:41:18 -08:00
Tom Eastep
6403f4959d Implement UNTRACKED SECTION
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 15:42:01 -08:00
Tom Eastep
0ca93c1ac9 Unify handling of the RELATED and INVALID sections within finish_chain_section()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 14:38:02 -08:00
Tom Eastep
a40c74ddec Eliminate forward declaration of finish_chain_section()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 09:04:50 -08:00
Tom Eastep
c2bc74cdfe Add INVALID section to the rules file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 08:33:59 -08:00
Tom Eastep
7fe2027229 Eliminate superfluous ESTABLISHED,RELATED rule
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-22 16:17:19 -08:00
Tom Eastep
8fe36422b5 Delete stale comment
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-22 10:44:12 -08:00
Tom Eastep
f61f5a8183 Don't copy a chain that has a single RETURN rule.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-22 09:07:07 -08:00
Tom Eastep
4ed5c5fdfe Sort the chain list in optimize_level8.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 16:00:32 -08:00
Tom Eastep
25d6164f21 Try to avoid ~combN chains when dealing with action chains.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 11:51:33 -08:00
Tom Eastep
32c475193f Another fix for RELATED_DISPOSITION
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 11:50:46 -08:00
Tom Eastep
982fabc96f Delete $caller argument from process_default_action()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 09:45:54 -08:00
Tom Eastep
5beae475f5 Make optimize 8 a multi-pass operation.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 09:12:42 -08:00
Tom Eastep
c820c54f41 Correctly handle audited RELATED_DISPOSITION
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 09:03:27 -08:00
Tom Eastep
4a354ba5a2 Avoid internal error during standard chain completion
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 08:02:50 -08:00
Tom Eastep
e23876b582 Rename '$inline' to '$action' in policy_rules()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-21 07:36:50 -08:00
Tom Eastep
64e76599e0 Correct handling of default actions that set Shorewall variables.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-20 16:15:04 -08:00
Tom Eastep
c4a2f3d386 Set caller when possible in policy chains.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-20 14:51:16 -08:00
Tom Eastep
bc882af6c5 Allow RESET of Shorewall variables
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-20 07:32:34 -08:00
Tom Eastep
d31221b03c Fix variable assignment.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-20 07:26:10 -08:00
Tom Eastep
f403420926 Allow setting chain variables
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-19 10:52:11 -08:00
Tom Eastep
b31c76cc50 Proper job of fixing DEFER_DNS_RESOLUTION=No
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-18 17:18:29 -08:00
Tom Eastep
1307770178 Allow setting action parameters
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-18 15:05:14 -08:00
Tom Eastep
95aab78c0d Add infrastructure to delete the %usedactions entry for an action chain if
the chain parameters are modified.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-18 14:54:57 -08:00
Tom Eastep
4587430e4a Move get_action_logging() to the Config Module
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-18 13:06:55 -08:00
Tom Eastep
8ccd1ab52b Handle exclusion correctly when DEFER_DNS_RESOLUTION=No
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-18 12:09:54 -08:00
Tom Eastep
89a09f0256 Implement DEFER_DNS_RESOLUTION
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-13 17:00:14 -08:00
Tom Eastep
54dbbaaa2d Don't resolve DNS names at compile time.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-13 10:34:31 -08:00
Tom Eastep
90bd19feb9 Convert DNS names into ip addresses in validate_net().
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-13 07:39:27 -08:00
Tom Eastep
853b9ce916 Enable DNS names without an interface name.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-12 14:38:26 -08:00
Tom Eastep
c61d51363d Correct generation of rules in the ESTABLISHED section of the rules file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-12 06:49:32 -08:00
Tom Eastep
af83989465 Update copyright dates.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-11 16:01:10 -08:00
Tom Eastep
b53fd39b49 Avoid a fatal Perl error in Config::cleanup when an fatal error occurs
while compiling a default action.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-11 15:50:23 -08:00
Tom Eastep
38097bef5d Correct an optimizer bug.
- delete_chain_and_references() was only deleting the downward references
  and not the upward ones.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-11 14:55:43 -08:00
Tom Eastep
76a63fb7e8 Don't flush 'noarp' ARP entries
= doing so kills the loopback interface

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-10 17:14:40 -08:00
Tom Eastep
15ca9edf8a Allow delete_tc1() to work on devices which an @ suffix in their reported names.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-09 14:09:07 -08:00
Tom Eastep
199bce925f Don't add chains with RETURNs to %terminating.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-09 12:54:29 -08:00
Tom Eastep
1fd3a6a522 Detect terminating chains
- no RETURN Rules
- last rule is terminating

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-08 16:32:24 -08:00
Tom Eastep
011dd2c901 Add a RETURNS flag to optflags indicating that there is RETURN in the chain.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-08 15:25:53 -08:00
Tom Eastep
e54563d9c1 Don't append rules that can't be matched.
Also, delete chains whose only rule is a -j RETURN

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-08 13:53:03 -08:00
Tom Eastep
f8c1b02dba Correct test for optimization in 'check -r'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-08 09:51:32 -08:00
Tom Eastep
dece73f7b6 Another fix for *C actions in arprules.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-07 18:59:24 -08:00
Tom Eastep
eb3b47ae24 Correctly handle *C actions in arprules.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-07 18:29:41 -08:00
Tom Eastep
c157228f7d Correct handling of unknown ACTION in arprules.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-07 18:21:58 -08:00
Tom Eastep
a7af052d91 Correct issue with generating ESTABLISHED rules.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-07 16:07:24 -08:00
Tom Eastep
414a74d23c Support protocol lists in most files.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-07 16:06:54 -08:00
Tom Eastep
0526863e66 Make $section numeric
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-07 13:39:49 -08:00
Tom Eastep
5dbe2aa9ec Optimize a test in finish_chain_section().
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-07 07:00:15 -08:00
Tom Eastep
ca202ca10b Flush the arp cache after applying the arprules.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-06 17:46:40 -08:00
Tom Eastep
de4e0898b5 Catch protocol lists in contexts that don't allow them.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-06 17:23:14 -08:00
Tom Eastep
edc0a84e5d Optimize RELATED rules.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-06 16:48:37 -08:00
Tom Eastep
d4c9885c09 Change interpretation of the log tag when LOGTAGONLY=Yes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-06 13:10:18 -08:00
Tom Eastep
c41b9e596d Don't add --cstate to dropInvalid rule.
Signed-off-by: Tom Eastep <teastep@mint14.(none)>
2013-01-06 09:42:55 -08:00
Tom Eastep
9fd7933b5d Make inline actions work in sections other than NEW.
Signed-off-by: Tom Eastep <teastep@mint14.(none)>
2013-01-06 09:32:50 -08:00
Tom Eastep
f223e3584c Make '+' optional in the ADD and DEL statements.
Signed-off-by: Tom Eastep <teastep@mint14.(none)>
2013-01-06 07:37:11 -08:00
Tom Eastep
3f24416f37 Add a warning for opcode inversion when not arptables_jf.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-05 13:14:32 -08:00
Tom Eastep
38aa7f3857 Correct opcode inversion when not ARPTABLES_JF
Signed-off-by: Tom Eastep <teastep@mint14.(none)>
2013-01-05 08:26:46 -08:00
Tom Eastep
7f6430a383 Correct address inversion in match_arp_net()
Signed-off-by: Tom Eastep <teastep@mint14.(none)>
2013-01-05 08:20:51 -08:00