holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Validate interface names in ecn file; confirm additions to ECN control chain; update to Beta2

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@468 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-02-24 15:24:55 +00:00
parent dbd20362ff
commit 08ec9ac4e0
8 changed files with 107 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/changelog.txt
View File

@ -47,3 +47,7 @@ Changes since 1.3.14
21. Improved parsing of comma-separated lists. 21. Improved parsing of comma-separated lists.
22. Add ECN Removal support
23. Add TCP ports 445 and 139 to the common silent list.

2
Shorewall/common.def
View File

@ -22,6 +22,8 @@ run_iptables -A common -m state -p tcp --state INVALID -j DROP
# #
run_iptables -A common -p udp --dport 137:139 -j REJECT run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT run_iptables -A common -p udp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 139 -j REJECT
run_iptables -A common -p tcp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 135 -j reject run_iptables -A common -p tcp --dport 135 -j reject
############################################################################ ############################################################################
# UPnP # UPnP

4
Shorewall/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.0-Beta1 VERSION=1.4.0-Beta2
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -131,6 +131,8 @@ restore_file /etc/shorewall/stop
restore_file /etc/shorewall/stopped restore_file /etc/shorewall/stopped
restore_file /etc/shorewall/ecn
if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
restore_file /usr/lib/shorewall/version restore_file /usr/lib/shorewall/version
oldversion="`cat /usr/lib/shorewall/version`" oldversion="`cat /usr/lib/shorewall/version`"

71
Shorewall/firewall
View File

@ -366,6 +366,14 @@ flushnat() # $1 = name of chain
run_iptables -t nat -F $1 run_iptables -t nat -F $1
} }
#
# Flush one of the Mangle table chains
#
flushmangle() # $1 = name of chain
{
run_iptables -t mangle -F $1
}
# #
# Chain name base for an interface # Chain name base for an interface
# #
@ -455,7 +463,15 @@ dnat_chain() # $1 = zone
# #
snat_chain() # $1 = zone snat_chain() # $1 = zone
{ {
echo ${1}_snat echo `chain_base $1`_snat
}
#
# ECN Chain to an interface
#
ecn_chain() # $1 = interface
{
echo ${1}_ecn
} }
# #
@ -1766,6 +1782,52 @@ delete_nat() {
[ -d ${STATEDIR} ] && touch ${STATEDIR}/nat [ -d ${STATEDIR} ] && touch ${STATEDIR}/nat
} }
#
# Setup ECN disabling rules
#
setup_ecn() # $1 = file name
{
local interfaces
local hosts
local h
strip_file ecn $1
while read interface host; do
expandv interface host
list_search $interface $all_interfaces || \
startup_error "Unknown interface $interface"
list_search $interface $interfaces || \
interfaces="$interfaces $interface"
[ "x$host" = "x-" ] && host=0.0.0.0/0
for h in `separate_list $host`; do
hosts="$hosts $interface:$h"
done
done < $TMP_DIR/ecn
if [ -n "$interfaces" ]; then
echo "Setting up ECN control on${interfaces}..."
for interface in $interfaces; do
chain=`ecn_chain $interface`
if mangle_chain_exists $chain; then
flushmangle $chain
else
run_iptables -t mangle -N $chain
run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain
fi
done
for host in $hosts; do
interface=${host%:*}
h=${host#*:}
run_iptables -t mangle -A `ecn_chain $interface` -p tcp -d $h -j ECN --ecn-tcp-remove
echo " ECN Disabled to $h through $interface"
done
fi
}
# #
# Process a TC Rule - $marking_chain is assumed to contain the name of the # Process a TC Rule - $marking_chain is assumed to contain the name of the
# default marking chain # default marking chain
@ -4004,6 +4066,10 @@ define_firewall() # $1 = Command (Start or Restart)
[ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos [ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos
ecn=`find_file ecn`
[ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
[ -n "$TC_ENABLED" ] && setup_tc [ -n "$TC_ENABLED" ] && setup_tc
echo "Activating Rules..." echo "Activating Rules..."
@ -4099,6 +4165,9 @@ refresh_firewall()
# #
refresh_blacklist refresh_blacklist
ecn=`find_file ecn`
[ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
# #
# Refresh Traffic Control # Refresh Traffic Control
# #

12
Shorewall/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.0-Beta1 VERSION=1.4.0-Beta2
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -538,6 +538,16 @@ else
echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped" echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
fi fi
# #
# Install the ECN file
#
if [ -f ${PREFIX}/etc/shorewall/ecn ]; then
backup_file /etc/shorewall/ecn
else
run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
echo
echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
fi
#
# Backup the version file # Backup the version file
# #
if [ -z "$PREFIX" ]; then if [ -z "$PREFIX" ]; then

10
Shorewall/releasenotes.txt
View File

@ -65,6 +65,16 @@ Changes for 1.4 include:
8. IMPORTANT: Shorewall now REQUIRES the iproute package ('ip' 8. IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
utility). utility).
9. Explicit Congestion Notification (ECN - RFC 3168) may now be turned
off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:
a) You must be running kernel 2.4.20
b) You must have applied the patch in
http://www.shorewall/net/pub/shorewall/ecn/patch.
c) You must have iptables 1.2.7a installed.

7
Shorewall/shorewall.spec
View File

@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 1.4.0 %define version 1.4.0
%define release 0Beta1 %define release 0Beta2
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -97,6 +97,7 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/start %attr(0600,root,root) %config(noreplace) /etc/shorewall/start
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop %attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped %attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
%attr(0544,root,root) /sbin/shorewall %attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /usr/share/shorewall/functions %attr(0444,root,root) /usr/share/shorewall/functions
%attr(0544,root,root) /usr/share/shorewall/firewall %attr(0544,root,root) /usr/share/shorewall/firewall
@ -104,6 +105,10 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Mon Feb 24 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.0-0Beta2
* Sun Feb 23 2003 Tom Eastep <tom@shorewall.net>
- Add ecn file
* Fri Feb 21 2003 Tom Eastep <tom@shorewall.net> * Fri Feb 21 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.4.0-0Beta1 - Changes version to 1.4.0-0Beta1
* Thu Feb 06 2003 Tom Eastep <tom@shorewall.net> * Thu Feb 06 2003 Tom Eastep <tom@shorewall.net>

2
Shorewall/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.0-Beta1 VERSION=1.4.0-Beta2
usage() # $1 = exit status usage() # $1 = exit status
{ {