PKTTYPE ported from 2.0.6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1470 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-07-12 13:01:55 +00:00
parent b60c7aaa14
commit 081bd461a2
4 changed files with 43 additions and 9 deletions

View File

@ -12,3 +12,8 @@ Changes since 2.0.3
5) Fix logging nat rules.
6) Fix COMMAND typos.
7) Add PKTTYPE option.
firewall
shorewall.conf

View File

@ -2899,6 +2899,13 @@ process_actions2() {
log_action() {
[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
}
drop_broadcasts() {
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
run_iptables -A dropBcast -d $address -j DROP
done
}
#
# Generate the transitive closure of $USEDACTIONS
#
@ -2924,14 +2931,16 @@ process_actions2() {
case $xaction in
dropBcast)
if [ "$COMMAND" != check ]; then
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
run_iptables -A dropBcast -d $address -j DROP
done
if [ -n "$PKTTYPE" ]; then
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
drop_broadcasts
fi
else
drop_broadcasts
fi
fi
;;
@ -6047,6 +6056,7 @@ do_initialize() {
DISABLE_IPV6=
BRIDGING=
DYNAMIC_ZONES=
PKTTYPE=
RESTOREBASE=
TMP_DIR=
@ -6219,6 +6229,7 @@ do_initialize() {
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
#
# Strip the files that we use often

View File

@ -12,6 +12,14 @@ Problems Corrected since 2.0.3
3) Two problems with logging NAT rules (DNAT and REDIRECT) could cause
startup failures.
4) Some users have reported the pkttype match option in iptables/
Netfilter failing to match certain broadcast packets. The result
is that the firewall log shows a lot of broadcast packets.
Users experiencing this problem can use PKTTYPE=No in
shorewall.conf to cause Shorewall to use IP address filtering of
broadcasts rather than packet type.
Problems Corrected since 2.1.0
1) The "check" command fails with the following message:

View File

@ -604,6 +604,16 @@ BRIDGING=No
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
DYNAMIC_ZONES=No
#
# USE PKTTYPE MATCH
#
# Some users have reported problems with the PKTTYPE match extension not being
# able to patch certail broadcast packets. If you set PKTTYPE=No then Shorewall
# will use IP addresses to detect broadcasts rather than pkttype. If not given
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
PKTTYPE=Yes
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################