PKTTYPE ported from 2.0.6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1470 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-07-12 13:01:55 +00:00
parent b60c7aaa14
commit 081bd461a2
4 changed files with 43 additions and 9 deletions


@ -12,3 +12,8 @@ Changes since 2.0.3
5) Fix logging nat rules. 5) Fix logging nat rules.
6) Fix COMMAND typos. 6) Fix COMMAND typos.
7) Add PKTTYPE option.
firewall
shorewall.conf


@ -2899,6 +2899,13 @@ process_actions2() {
log_action() { log_action() {
[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn [ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
} }
drop_broadcasts() {
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
run_iptables -A dropBcast -d $address -j DROP
done
}
# #
# Generate the transitive closure of $USEDACTIONS # Generate the transitive closure of $USEDACTIONS
# #
@ -2924,14 +2931,16 @@ process_actions2() {
case $xaction in case $xaction in
dropBcast) dropBcast)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
if [ -n "$PKTTYPE" ]; then
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
# #
# No pkttype support -- do it the hard way # No pkttype support -- do it the hard way
# #
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do drop_broadcasts
run_iptables -A dropBcast -d $address -j DROP fi
done else
drop_broadcasts
fi fi
fi fi
;; ;;
@ -6047,6 +6056,7 @@ do_initialize() {
DISABLE_IPV6= DISABLE_IPV6=
BRIDGING= BRIDGING=
DYNAMIC_ZONES= DYNAMIC_ZONES=
PKTTYPE=
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=
@ -6219,6 +6229,7 @@ do_initialize() {
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
# #
# Strip the files that we use often # Strip the files that we use often
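Review bot: In the new PKTTYPE=Yes branch the fallback to `drop_broadcasts` is taken only when the multicast pkttype rule fails; the broadcast rule on the line before it runs under `qt`, so a failure there is silently discarded and the chain would then contain no broadcast filtering at all. The release note motivating this option says the pkttype match is unreliable for broadcasts, so the quiet path deserves the same guard: `if ! qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP || ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then drop_broadcasts; fi`, which at worst adds the address-based rules redundantly, as the existing multicast fallback already does. The `[ -n "$PKTTYPE" ]` test presumably depends on `added_param_value_no` turning "No" into an empty string, which is not visible here; a one-line comment at the test such as `# PKTTYPE is emptied by added_param_value_no when set to No` would make that dependency explicit. process_actions2 and do_initialize both begin before these hunks and continue past them.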


@ -12,6 +12,14 @@ Problems Corrected since 2.0.3
3) Two problems with logging NAT rules (DNAT and REDIRECT) could cause 3) Two problems with logging NAT rules (DNAT and REDIRECT) could cause
startup failures. startup failures.
4) Some users have reported the pkttype match option in iptables/
Netfilter failing to match certain broadcast packets. The result
is that the firewall log shows a lot of broadcast packets.
Users experiencing this problem can use PKTTYPE=No in
shorewall.conf to cause Shorewall to use IP address filtering of
broadcasts rather than packet type.
Problems Corrected since 2.1.0 Problems Corrected since 2.1.0
1) The "check" command fails with the following message: 1) The "check" command fails with the following message:


@ -604,6 +604,16 @@ BRIDGING=No
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No. # set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
DYNAMIC_ZONES=No DYNAMIC_ZONES=No
#
# USE PKTTYPE MATCH
#
# Some users have reported problems with the PKTTYPE match extension not being
# able to patch certail broadcast packets. If you set PKTTYPE=No then Shorewall
# will use IP addresses to detect broadcasts rather than pkttype. If not given
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
PKTTYPE=Yes
################################################################################ ################################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
################################################################################ ################################################################################
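Review bot: The comment block introducing the new option has two typos, `patch certail` should read `match certain`, and its description of the default is worth tightening. The statement that an unset or empty PKTTYPE is treated as Yes depends on how the firewall script's `added_param_value_no` normalises the value, which is not shown in this section; if that holds, say so directly, e.g. `# PKTTYPE=No makes Shorewall filter broadcasts by destination address; any other value (including unset or empty) uses the pkttype match.`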