diff --git a/Shorewall2/action.AllowTrcrt b/Shorewall2/action.AllowTrcrt
index 63c3950e6..359cb68c7 100644
--- a/Shorewall2/action.AllowTrcrt
+++ b/Shorewall2/action.AllowTrcrt
@@ -6,6 +6,6 @@
 ######################################################################################
 #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
 # PORT PORT(S) LIMIT GROUP
-ACCEPT - - udp 33434:33454 #UDP Traceroute
+ACCEPT - - udp 33434:33524 #UDP Traceroute
 ACCEPT - - icmp 8 #ICMP Traceroute
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall2/actions.std b/Shorewall2/actions.std
index 7b357a0f5..ccdc2eb4b 100644
--- a/Shorewall2/actions.std
+++ b/Shorewall2/actions.std
@@ -10,6 +10,8 @@
 # rejNonSyn #Silently Reject Non-syn TCP packets
 # dropInvalid #Silently Drop packets that are in the INVALID
 # #conntrack state.
+# allowInvalid #Accept packets that are in the INVALID
+# #conntrack state.
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index b43e0a97c..7f69462f7 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -206,3 +206,7 @@ Changes since 2.0.3
 100) Reconcile ipsec masq file implementation with the documentation.
 101) Add netfilter module display to status output.
+
+102) Add 'allowInvalid' builtin action.
+
+103) Expand range of Traceroute ports.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 66cd438a1..837d8b9e7 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -3404,7 +3404,7 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
 #
 process_actions1() {
-ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
+ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid"
 USEDACTIONS=
 strip_file actions
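Review bot: The `#UDP Traceroute` comment on the changed ACCEPT line gives no derivation for the new upper bound 33524, so the next person tuning this range has nothing to check it against; suggest `#UDP Traceroute (base port 33434 + default 30 hops x 3 probes)`. The rule matches any SOURCE and DEST, so the range should stay as tight as the probe budget justifies, and stating that budget in the comment is what makes a later change reviewable. Whether 33524 is exactly the last probe port depends on how a given traceroute implementation numbers its probes, so the comment is better phrased as the intended hop/probe budget than as an exact formula.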
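Review bot: The ACTIONS string on the added line is the only place that lists the builtin actions, yet every name in it must also have a matching case arm in process_actions3, and nothing at this site says so; a comment above the assignment would make the coupling visible: `# Builtin actions; each name needs a matching case arm in process_actions3`. process_actions1 starts in this hunk and its body continues outside it.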
@@ -3619,6 +3619,13 @@ process_actions3() {
 run_iptables -A $xchain -m state --state INVALID -j DROP
 fi
 ;;
+ allowInvalid)
+ if [ "$COMMAND" != check ]; then
+ [ -n "$xlevel" ] && \
+ log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID
+ run_iptables -A $xchain -m state --state INVALID -j ACCEPT
+ fi
+ ;;
 *)
 #
 # Not a builtin
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 740ab9466..274286c41 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 2.2.0-RC4
+Shorewall 2.2.0
 ----------------------------------------------------------------------
 Problems Corrected since 2.0.3
@@ -300,7 +300,8 @@ New Features:
 1) ICMP packets that are in the INVALID state are now dropped by the Reject and Drop default actions. They do so using the new
-'dropInvalid' builtin action.
+'dropInvalid' builtin action. An 'allowInvalid' builtin action is
+also provided which accepts packets in that state.
 2) The /etc/shorewall/masq file INTERFACE column now allows additional options.
@@ -885,3 +886,6 @@ New Features:
 40) The output of "shorewall status" now lists the loaded netfilter kernel modules.
+
+41) The range of UDP ports opened by the AllowTrcrt action has been
+increased to 33434:33524.
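Review bot: The new allowInvalid arm duplicates the dropInvalid arm immediately above it except for the `-j ACCEPT` target, and nothing marks that the two are meant to be mirror images (same `-m state --state INVALID` match, same log_rule_limit call); a comment on the arm would preserve that intent: `# allowInvalid: inverse of dropInvalid above -- same match and logging, target ACCEPT`. Since the release notes in this commit say the Drop and Reject default actions rely on dropInvalid, the comment should also state that a rule using allowInvalid lets INVALID-state packets past that default, so that its placement in a chain is a deliberate choice rather than an accident. The enclosing case statement and process_actions3 start and end outside the hunk.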