Tweak NONAT/ACCEPT+ action implementation
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1310 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
0036a0d273
commit
65a4fe1d1b
@ -3224,15 +3224,14 @@ add_a_rule()
|
||||
fi
|
||||
|
||||
case $logtarget in
|
||||
NONAT)
|
||||
NONAT|ACCEPT+)
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
|
||||
;;
|
||||
ACCEPT+)
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
|
||||
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
||||
-d $srv $dports $ratelimit $userandgroup -j $target
|
||||
esac
|
||||
|
||||
case $logtarget in
|
||||
NONAT)
|
||||
;;
|
||||
*)
|
||||
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
||||
@ -3249,15 +3248,14 @@ add_a_rule()
|
||||
fi
|
||||
|
||||
case $logtarget in
|
||||
NONAT)
|
||||
NONAT|ACCEPT+)
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
||||
;;
|
||||
ACCEPT+)
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
||||
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
||||
$dports $ratelimit $userandgroup -j $target
|
||||
esac
|
||||
|
||||
case $logtarget in
|
||||
NONAT)
|
||||
;;
|
||||
*)
|
||||
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
||||
@ -3284,15 +3282,14 @@ add_a_rule()
|
||||
case $logtarget in
|
||||
LOG)
|
||||
;;
|
||||
NONAT)
|
||||
NONAT|ACCEPT+)
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
||||
;;
|
||||
ACCEPT+)
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
||||
run_iptables2 -A $chain $proto $multiport $dest_interface \
|
||||
$cli $sports $dports $ratelimit $userandgroup -j $target
|
||||
esac
|
||||
|
||||
case $logtarget in
|
||||
LOG|NONAT)
|
||||
;;
|
||||
*)
|
||||
run_iptables2 -A $chain $proto $multiport $dest_interface \
|
||||
|
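Review bot: The two back-to-back `case $logtarget in` statements in each of the three hunks read as accidental duplication until one works out that the first emits only the nat-table exemption and the second only the filter-table rule, so each pair should carry a one-line comment stating that split. Before the first case I would add `# nat table: NONAT and ACCEPT+ both bypass DNAT via a RETURN in the dnat chain` and before the second `# filter table: NONAT (and LOG, in the last hunk) add no rule here; ACCEPT+ falls through to the normal rule`. As far as the hunks show, ACCEPT+ still produces both the `-j RETURN` nat rule and the `-j $target` filter rule, so this appears to be a behaviour-preserving restructuring rather than a policy change. In the third hunk the `LOG)` exclusion is repeated in both statements, which is consistent with the removed code but worth the comment since it differs from the first two hunks. add_a_rule() begins before the first hunk and continues past the trailing `run_iptables2 ... \` continuation line of each hunk.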
@ -115,11 +115,21 @@
|
||||
# established connection will be accepted
|
||||
# from this interface, even if
|
||||
# NEWNOTSYN=No has been specified in
|
||||
# /etc/shorewall/shorewall.conf.
|
||||
# /etc/shorewall/shorewall.conf. In other
|
||||
# words, packets coming in on this interface
|
||||
# are processed as if NEWNOTSYN=Yes had been
|
||||
# specified in /etc/shorewall/shorewall.conf.
|
||||
#
|
||||
# This option has no effect if
|
||||
# NEWNOTSYN=Yes.
|
||||
#
|
||||
# It is the opinion of the author that
|
||||
# NEWNOTSYN=No creates more problems than
|
||||
# it solves and I recommend against using
|
||||
# that setting in shorewall.conf (hence
|
||||
# making the use of the 'newnotsyn'
|
||||
# interface option unnecessary).
|
||||
#
|
||||
# routeback - If specified, indicates that Shorewall
|
||||
# should include rules that allow filtering
|
||||
# traffic arriving on this interface back
|
||||
|