Some 'on the train' changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6437 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
9303e56f99
commit
0771b15bb0
@ -644,8 +644,8 @@ sub finish_chain_section ($$) {
|
||||
} else {
|
||||
my $policychainref = $chainref->{policychain};
|
||||
if ( $policychainref->{synparams} ) {
|
||||
my $synchainref = ensure_chain 'filter', "\@$policychainref->{name}";
|
||||
add_rule $synchainref, "-p tcp --syn -j $synchainref->{name}";
|
||||
my $synchainref = ensure_chain 'filter', syn_chain $policychainref->{name};
|
||||
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
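Review bot: In `my $synchainref = ensure_chain 'filter', syn_chain $policychainref->{name};` the nested call without parentheses depends on syn_chain's prototype to keep the name as its only argument; `ensure_chain( 'filter', syn_chain( $policychainref->{name} ) );` states the grouping outright. The jump added to $chainref targets a chain obtained with ensure_chain, while the setup_syn_flood_chains hunk on this page builds the same-named chain with new_chain. If the call order ever changed, the jump could land in an empty chain and SYN rate limiting would silently not apply; this is inferred, since neither helper's body is shown. A one-line comment such as `# syn chain is populated by setup_syn_flood_chains` would record that dependency. finish_chain_section begins before the hunk.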
@ -127,7 +127,7 @@ sub emitj {
|
||||
my $line = $_; # This copy is necessary because the actual arguments are almost always read-only.
|
||||
$line =~ s/^\n// if $lastlineblank;
|
||||
$line =~ s/^/$indent/gm if $indent;
|
||||
$line =~ s/ /\t/g;
|
||||
$line =~ s/ /\t/gm;
|
||||
print $object "$line\n";
|
||||
$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
|
||||
} else {
|
||||
@ -138,7 +138,6 @@ sub emitj {
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Write passed message to the object with newline but no indentation.
|
||||
#
|
||||
@ -269,12 +268,13 @@ sub create_temp_object( $ ) {
|
||||
( $file, $dir, $suffix ) = fileparse( $objectfile );
|
||||
};
|
||||
|
||||
die $@ if $@;
|
||||
die if $@;
|
||||
|
||||
fatal_error "Directory $dir does not exist" unless -d $dir;
|
||||
fatal_error "$dir is a Symbolic Link" if -l $dir;
|
||||
fatal_error "$objectfile is a Directory" if -d $objectfile;
|
||||
fatal_error "$dir is a Symbolic Link" if -l $objectfile;
|
||||
fatal_error "Directory $dir does not exist" unless -d $dir;
|
||||
fatal_error "Directory $dir is not writable" unless -w _;
|
||||
fatal_error "$dir is a Symbolic Link" if -l $dir;
|
||||
fatal_error "$objectfile is a Directory" if -d $objectfile;
|
||||
fatal_error "$dir is a Symbolic Link" if -l $objectfile;
|
||||
fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _;
|
||||
|
||||
eval {
|
||||
@ -282,7 +282,7 @@ sub create_temp_object( $ ) {
|
||||
( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
|
||||
};
|
||||
|
||||
die if $@;
|
||||
fatal_error "Unable to create temporary file in directory $dir" if $@;
|
||||
|
||||
$file = "$file.$suffix" if $suffix;
|
||||
$dir .= '/' unless substr( $dir, -1, 1 ) eq '/';
|
||||
|
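Review bot: The symlink test on the object file names the wrong path: `fatal_error "$dir is a Symbolic Link" if -l $objectfile;` checks $objectfile but reports $dir, and should read `fatal_error "$objectfile is a Symbolic Link" if -l $objectfile;`. In the hunk at line 282, `fatal_error "Unable to create temporary file in directory $dir" if $@;` discards the text of $@, so the underlying cause is lost; appending `: $@` to the message would keep it. The `-e _ && ! -x _` test reuses the stat buffer left by the preceding `-l $objectfile`, which deserves a short comment because reordering those lines would change what `_` refers to. All of these tests run before the temporary file exists, so they describe the state at that moment rather than guarantee it. create_temp_object's body starts and ends outside the hunks.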
@ -74,7 +74,7 @@ our %globals = ( SHAREDIR => '/usr/share/shorewall' ,
|
||||
ORIGINAL_POLICY_MATCH => '',
|
||||
LOGPARMS => '',
|
||||
TC_SCRIPT => '',
|
||||
VERSION => '4.0.0-Beta1',
|
||||
VERSION => '4.0.0-Beta2',
|
||||
);
|
||||
|
||||
#
|
||||
@ -171,7 +171,7 @@ our %config =
|
||||
BLACKLIST_DISPOSITION => undef,
|
||||
);
|
||||
#
|
||||
# Config options and global settings that are to be copied to object
|
||||
# Config options and global settings that are to be copied to object script
|
||||
#
|
||||
my @propagateconfig = qw/ CLEAR_TC DISABLE_IPV6 ADMINISABSENTMINDED IP_FORWARDING MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE/;
|
||||
my @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
|
||||
|
@ -209,9 +209,9 @@ sub validate_policy()
|
||||
push @policy_chains, ( $chainref );
|
||||
}
|
||||
|
||||
$chainref->{loglevel} = $loglevel if defined $loglevel && $loglevel ne '';
|
||||
$chainref->{synparams} = $synparams if $synparams;
|
||||
$chainref->{default} = $default if $default;
|
||||
$chainref->{loglevel} = $loglevel if defined $loglevel && $loglevel ne '';
|
||||
$chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT' if $synparams ne '';
|
||||
$chainref->{default} = $default if $default;
|
||||
|
||||
if ( $clientwild ) {
|
||||
if ( $serverwild ) {
|
||||
|
@ -260,12 +260,9 @@ sub setup_syn_flood_chains() {
|
||||
for my $chainref ( @policy_chains ) {
|
||||
my $limit = $chainref->{synparams};
|
||||
if ( $limit ) {
|
||||
my $level = $chainref->{loglevel};
|
||||
( $limit, my ( $burst, $remainder) ) = split( ':', $limit, 3 );
|
||||
fatal_error "Invalid BURST/LIMIT" if defined $remainder;
|
||||
$burst = $burst ? "--limit-burst $burst " : '';
|
||||
my $level = $chainref->{loglevel};
|
||||
my $synchainref = new_chain 'filter' , syn_chain $chainref->{name};
|
||||
add_rule $synchainref , "-m limit --limit $limit ${burst}-j RETURN";
|
||||
add_rule $synchainref , "${limit}-j RETURN";
|
||||
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
|
||||
if $level ne '';
|
||||
add_rule $synchainref, '-j DROP';
|
||||
|
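Review bot: `add_rule $synchainref , "${limit}-j RETURN";` only forms a valid rule if do_ratelimit returns match text ending in a space. With `fatal_error "Invalid BURST/LIMIT" if defined $remainder;` gone, the policy file's LIMIT:BURST value is validated solely by do_ratelimit, whose body is not on this page. It is worth confirming that do_ratelimit rejects malformed values before they are interpolated into the rule, and recording the contract with a comment such as `# synparams holds do_ratelimit() output: iptables match text with a trailing space`. In validate_policy, the guard `if $synparams ne ''` will warn if $synparams can be undef and passes any non-empty placeholder through to do_ratelimit; whether either can occur depends on parsing outside the hunk. Both functions extend beyond the hunks shown.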
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=4.0.0-Beta1
|
||||
VERSION=4.0.0-Beta2
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|