Consult PKTTYPE when generating REJECT rules
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1487 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
0ca314fa36
commit
4614fd0536
@ -36,3 +36,5 @@ Changes in 2.0.7
|
|||||||
|
|
||||||
1) Include output of "ip rule ls" and "ip route ls" in "shorewall
|
1) Include output of "ip rule ls" and "ip route ls" in "shorewall
|
||||||
status".
|
status".
|
||||||
|
|
||||||
|
2) Consult PKTTYPE when generating 'REJECT' rules.
|
||||||
|
@ -4922,6 +4922,13 @@ initialize_netfilter () {
|
|||||||
add_common_rules() {
|
add_common_rules() {
|
||||||
local savelogparms="$LOGPARMS"
|
local savelogparms="$LOGPARMS"
|
||||||
local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
|
local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
|
||||||
|
|
||||||
|
drop_broadcasts() {
|
||||||
|
for address in $broadcasts ; do
|
||||||
|
run_iptables -A reject -d $address -j DROP
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Populate the smurf chain
|
# Populate the smurf chain
|
||||||
#
|
#
|
||||||
@ -4932,14 +4939,16 @@ add_common_rules() {
|
|||||||
#
|
#
|
||||||
# Reject Rules -- Don't respond to broadcasts with an ICMP
|
# Reject Rules -- Don't respond to broadcasts with an ICMP
|
||||||
#
|
#
|
||||||
qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
|
if [ -n "$PKTTYPE" ]; then
|
||||||
if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
|
qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
|
||||||
#
|
if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
|
||||||
# No pkttype support -- do it the hard way
|
#
|
||||||
#
|
# No pkttype support -- do it the hard way
|
||||||
for address in $broadcasts ; do
|
#
|
||||||
run_iptables -A reject -d $address -j DROP
|
drop_broadcasts
|
||||||
done
|
fi
|
||||||
|
else
|
||||||
|
drop_broadcasts
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
# Don't feed the smurfs
|
# Don't feed the smurfs
|
||||||
|
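Review bot: The `if [ -n "$PKTTYPE" ]; then` test in the second hunk treats any non-empty value as "use the pkttype match", so the `PKTTYPE=No` behaviour promised in the release notes holds only if the option is normalized to an empty string when the configuration is read; that normalization is not visible here and should be confirmed (presumably it follows the other Yes/No options). A comment above the test would make the contract explicit: `# PKTTYPE is expected to be empty here when the user set PKTTYPE=No`. Separately, `drop_broadcasts` is defined inside `add_common_rules` and reads the caller's `local broadcasts` through the shell's dynamic scoping, and `address` is never declared local, so a one-line header such as `# Fallback for kernels without pkttype match; relies on the caller's $broadcasts` would help the next reader. Note also that within the pkttype branch only a failed multicast insertion triggers the fallback; a failure of the preceding broadcast rule is hidden by `qt`, which is pre-existing but worth a comment. `add_common_rules` continues past the end of the hunk, and the rendered page has stripped the indentation of the new lines.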
@ -44,5 +44,12 @@ Problems Corrected in version 2.0.7
|
|||||||
1) To improve supportability, the "shorewall status" command now
|
1) To improve supportability, the "shorewall status" command now
|
||||||
includes the output from "ip rule ls" and "ip addr ls".
|
includes the output from "ip rule ls" and "ip addr ls".
|
||||||
|
|
||||||
|
2) The PKTTYPE option introduced in version 2.0.6 is now used when
|
||||||
|
generating rules to REJECT packets. Broadcast packets are silently
|
||||||
|
dropped rather than being rejected with an ICMP (which is a protocol
|
||||||
|
violation) and users whose kernels have broken packet type match
|
||||||
|
support are likely to see messages reporting this violation.
|
||||||
|
Setting PKTTYPE=No should cause these messages to cease.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|