Bring Shorewall-shell up to 4.0
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7126 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9de9c60e9e
commit
0a78e4f0fd
@ -1873,10 +1873,11 @@ add_a_rule() {
|
||||
if [ -n "$serv" ]; then
|
||||
for serv1 in $(separate_list $serv); do
|
||||
for srv in $(firewall_ip_range $serv1); do
|
||||
srv=$(dest_ip_range $srv)
|
||||
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
|
||||
if [ "$addr" = detect ]; then
|
||||
indent >&3 << __EOF__
|
||||
run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user $mrk -j $target
|
||||
run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $srv $dports -m conntrack --ctorigdst \$adr $user $mrk -j $target
|
||||
done
|
||||
|
||||
__EOF__
|
||||
@ -1884,11 +1885,13 @@ __EOF__
|
||||
for adr in $(separate_list $addr); do
|
||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
|
||||
$user $mrk $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dports) $state
|
||||
$user $mrk $(fix_bang $proto $multiport $sports $cli $srv $dports) $state
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != LOG ]; then
|
||||
run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
|
||||
$(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user $mrk -j $target
|
||||
$srv $dports -m conntrack --ctorigdst $adr $user $mrk -j $target
|
||||
fi
|
||||
done
|
||||
fi
|
||||
else
|
||||
@ -1899,17 +1902,17 @@ __EOF__
|
||||
|
||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
|
||||
$state $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dports)
|
||||
$state $(fix_bang $proto $multiport $sports $cli $srv $dports)
|
||||
fi
|
||||
|
||||
if [ -n "$nonat" ]; then
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports $(dest_ip_range $srv) $dports $ratelimit $user $mrk -j RETURN
|
||||
$cli $sports $srv $dports $ratelimit $user $mrk -j RETURN
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != NONAT ]; then
|
||||
if [ "$logtarget" != NONAT -a "$logtarget" != LOG ]; then
|
||||
run_iptables2 -A $chain $state $proto $multiport $cli $sports \
|
||||
$(dest_ip_range $srv) $dports $ratelimit $user $mrk -j $target
|
||||
$srv $dports $ratelimit $user $mrk -j $target
|
||||
fi
|
||||
fi
|
||||
done
|
||||
@ -1929,7 +1932,7 @@ __EOF__
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports $dports $ratelimit $user $mrk -j RETURN
|
||||
|
||||
[ "$logtarget" != NONAT ] && \
|
||||
[ "$logtarget" != NONAT -a "$logtarget" != LOG ] && \
|
||||
run_iptables2 -A $chain $state $proto $multiport $cli $sports \
|
||||
$dports $ratelimit $user $mrk -j $target
|
||||
fi
|
||||
@ -1983,6 +1986,15 @@ __EOF__
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$logtarget" = LOG -a -z "$KLUDGEFREE" ]; then
|
||||
#
|
||||
# Purge the temporary files that we use to prevent duplicate '-m' specifications
|
||||
#
|
||||
[ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
|
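Review bot: The `detect` branch in the first hunk still emits `run_iptables … -m conntrack --ctorigdst \$adr … -j $target` unconditionally from the heredoc, while the explicit-address branch right after it now wraps its `run_iptables2 … -j $target` in `if [ "$logtarget" != LOG ]` and the two later branches gained `-a "$logtarget" != LOG`, so a LOG rule with ADDRESS set to detect appears to keep producing a jump rule that the other paths no longer do. If LOG rules are meant to generate only the log entry, the heredoc should get the same guard, e.g. `[ "$logtarget" != LOG ] && indent >&3 << __EOF__` — I cannot see how `$target` is set for LOG from this page, so please confirm that before changing it. In the new purge block at the end, `$TMP_DIR` is unquoted and the `[ -f … ]` test is redundant given `rm -f`; `rm -f -- "${TMP_DIR:?}/physdev"` (and likewise for iprange) would also refuse to run if TMP_DIR were somehow empty rather than deleting from `/`. add_a_rule() begins before the first hunk, so the surrounding context of these branches is partly outside the page.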
@ -154,7 +154,8 @@ esac</programlisting><caution>
|
||||
output on an interface is not allowed by <ulink
|
||||
url="manpages/shorewall.conf.html">routestopped</ulink>(8) then
|
||||
the script must blow it's own holes in the firewall before
|
||||
probing.</para>
|
||||
probing. We recommend that this script only be used with
|
||||
ADMINISABSENTMINDED=Yes.</para>
|
||||
</caution></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|