Add AllowInvalid Action; expand port range opened by AllowTrcrt

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1893 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-01-10 16:36:08 +00:00 · 2005-01-10 16:36:08 +00:00 · 374f64f93b
commit 374f64f93b
parent b32231581c
5 changed files with 21 additions and 4 deletions
--- a/Shorewall2/action.AllowTrcrt
+++ b/Shorewall2/action.AllowTrcrt
@ -6,6 +6,6 @@
 ######################################################################################
 #TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
 #                       	        	PORT    PORT(S)		LIMIT	GROUP
-ACCEPT	 -	        -               udp	33434:33454 #UDP Traceroute
+ACCEPT	 -	        -               udp	33434:33524 #UDP Traceroute
 ACCEPT	 -		-		icmp	8	    #ICMP Traceroute
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall2/actions.std
+++ b/Shorewall2/actions.std
@ -10,6 +10,8 @@
 #    rejNonSyn          #Silently Reject Non-syn TCP packets
 #    dropInvalid	#Silently Drop packets that are in the INVALID
 #                       #conntrack state.
 #    allowInvalid	#Accept packets that are in the INVALID
 #			#conntrack state.
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -206,3 +206,7 @@ Changes since 2.0.3
 100) Reconcile ipsec masq file implementation with the documentation.
 101) Add netfilter module display to status output.
 102) Add 'allowInvalid' builtin action.
 103) Expand range of Traceroute ports.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -3404,7 +3404,7 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
 #
 process_actions1() {
-    ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
+    ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid"
    USEDACTIONS=
    strip_file actions
@ -3619,6 +3619,13 @@ process_actions3() {
 		    run_iptables -A $xchain -m state --state INVALID -j DROP
 		fi
 		;;
 	    allowInvalid)
 		if [ "$COMMAND" != check ]; then
 		    [ -n "$xlevel" ] && \
 			log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID
 		    run_iptables -A $xchain -m state --state INVALID -j ACCEPT
 		fi
 		;;
 	    *)
 		#
 		# Not a builtin
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -1,4 +1,4 @@
-Shorewall 2.2.0-RC4
+Shorewall 2.2.0
 ----------------------------------------------------------------------
 Problems Corrected since 2.0.3
@ -300,7 +300,8 @@ New Features:
 1)  ICMP packets that are in the INVALID state are now dropped by the
    Reject and Drop default actions. They do so using the new 
-    'dropInvalid' builtin action.
+    'dropInvalid' builtin action. An 'allowInvalid' builtin action is
    also provided which accepts packets in that state.
 2)  The /etc/shorewall/masq file INTERFACE column now allows additional
    options.
@ -885,3 +886,6 @@ New Features:
 40) The output of "shorewall status" now lists the loaded netfilter
    kernel modules.
 41) The range of UDP ports opened by the AllowTrcrt action has been
    increased to 33434:33524.