forked from extern/shorewall_code
PKTTYPE ported from 2.0.6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1470 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
b60c7aaa14
commit
081bd461a2
@ -12,3 +12,8 @@ Changes since 2.0.3
|
||||
5) Fix logging nat rules.
|
||||
|
||||
6) Fix COMMAND typos.
|
||||
|
||||
7) Add PKTTYPE option.
|
||||
|
||||
firewall
|
||||
shorewall.conf
|
||||
|
@ -2899,6 +2899,13 @@ process_actions2() {
|
||||
log_action() {
|
||||
[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
|
||||
}
|
||||
|
||||
drop_broadcasts() {
|
||||
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
||||
run_iptables -A dropBcast -d $address -j DROP
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Generate the transitive closure of $USEDACTIONS
|
||||
#
|
||||
@ -2924,14 +2931,16 @@ process_actions2() {
|
||||
case $xaction in
|
||||
dropBcast)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
|
||||
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
|
||||
#
|
||||
# No pkttype support -- do it the hard way
|
||||
#
|
||||
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
||||
run_iptables -A dropBcast -d $address -j DROP
|
||||
done
|
||||
if [ -n "$PKTTYPE" ]; then
|
||||
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
|
||||
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
|
||||
#
|
||||
# No pkttype support -- do it the hard way
|
||||
#
|
||||
drop_broadcasts
|
||||
fi
|
||||
else
|
||||
drop_broadcasts
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
@ -6047,6 +6056,7 @@ do_initialize() {
|
||||
DISABLE_IPV6=
|
||||
BRIDGING=
|
||||
DYNAMIC_ZONES=
|
||||
PKTTYPE=
|
||||
RESTOREBASE=
|
||||
TMP_DIR=
|
||||
|
||||
@ -6219,6 +6229,7 @@ do_initialize() {
|
||||
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
|
||||
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
|
||||
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
|
||||
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
|
||||
|
||||
#
|
||||
# Strip the files that we use often
|
||||
|
@ -12,6 +12,14 @@ Problems Corrected since 2.0.3
|
||||
3) Two problems with logging NAT rules (DNAT and REDIRECT) could cause
|
||||
startup failures.
|
||||
|
||||
4) Some users have reported the pkttype match option in iptables/
|
||||
Netfilter failing to match certain broadcast packets. The result
|
||||
is that the firewall log shows a lot of broadcast packets.
|
||||
|
||||
Users experiencing this problem can use PKTTYPE=No in
|
||||
shorewall.conf to cause Shorewall to use IP address filtering of
|
||||
broadcasts rather than packet type.
|
||||
|
||||
Problems Corrected since 2.1.0
|
||||
|
||||
1) The "check" command fails with the following message:
|
||||
|
@ -604,6 +604,16 @@ BRIDGING=No
|
||||
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
|
||||
|
||||
DYNAMIC_ZONES=No
|
||||
|
||||
#
|
||||
# USE PKTTYPE MATCH
|
||||
#
|
||||
# Some users have reported problems with the PKTTYPE match extension not being
|
||||
# able to patch certail broadcast packets. If you set PKTTYPE=No then Shorewall
|
||||
# will use IP addresses to detect broadcasts rather than pkttype. If not given
|
||||
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
||||
|
||||
PKTTYPE=Yes
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
|
||||
|
Loading…
Reference in New Issue
Block a user