Add AllowInvalid Action; expand port range opened by AllowTrcrt

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1893 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-01-10 16:36:08 +00:00 · 2005-01-10 16:36:08 +00:00 · 374f64f93b
commit 374f64f93b
parent b32231581c
5 changed files with 21 additions and 4 deletions
--- a/Shorewall2/action.AllowTrcrt
+++ b/Shorewall2/action.AllowTrcrt
@ -6,6 +6,6 @@
 ######################################################################################
 #TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
 #                       	        	PORT    PORT(S)		LIMIT	GROUP
-ACCEPT	 -	        -               udp	33434:33454 #UDP Traceroute
+ACCEPT	 -	        -               udp	33434:33524 #UDP Traceroute
 ACCEPT	 -		-		icmp	8	    #ICMP Traceroute
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall2/actions.std
+++ b/Shorewall2/actions.std
@ -10,6 +10,8 @@
 #    rejNonSyn          #Silently Reject Non-syn TCP packets
 #    dropInvalid	#Silently Drop packets that are in the INVALID
 #                       #conntrack state.
+#    allowInvalid	#Accept packets that are in the INVALID
+#			#conntrack state.
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -206,3 +206,7 @@ Changes since 2.0.3
 100) Reconcile ipsec masq file implementation with the documentation.

 101) Add netfilter module display to status output.
+
+102) Add 'allowInvalid' builtin action.
+
+103) Expand range of Traceroute ports.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -3404,7 +3404,7 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
 #
 process_actions1() {
 	
-    ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
+    ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid"
    USEDACTIONS=

    strip_file actions
@ -3619,6 +3619,13 @@ process_actions3() {
 		    run_iptables -A $xchain -m state --state INVALID -j DROP
 		fi
 		;;
+	    allowInvalid)
+		if [ "$COMMAND" != check ]; then
+		    [ -n "$xlevel" ] && \
+			log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID
+		    run_iptables -A $xchain -m state --state INVALID -j ACCEPT
+		fi
+		;;
 	    *)
 		#
 		# Not a builtin
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -1,4 +1,4 @@
-Shorewall 2.2.0-RC4
+Shorewall 2.2.0

 ----------------------------------------------------------------------
 Problems Corrected since 2.0.3
@ -300,7 +300,8 @@ New Features:

 1)  ICMP packets that are in the INVALID state are now dropped by the
    Reject and Drop default actions. They do so using the new 
-    'dropInvalid' builtin action.
+    'dropInvalid' builtin action. An 'allowInvalid' builtin action is
+    also provided which accepts packets in that state.

 2)  The /etc/shorewall/masq file INTERFACE column now allows additional
    options.
@ -885,3 +886,6 @@ New Features:

 40) The output of "shorewall status" now lists the loaded netfilter
    kernel modules.
+
+41) The range of UDP ports opened by the AllowTrcrt action has been
+    increased to 33434:33524.