Use -m conntrack if available in place of -m state
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
21e0c68ef2
commit
6d61e962eb
@ -856,15 +856,15 @@ sub rejNotSyn ( $$$ ) {
|
||||
sub dropInvalid ( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
|
||||
add_rule $chainref , '-m state --state INVALID -j DROP';
|
||||
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
|
||||
add_rule $chainref , "$globals{STATEMATCH} INVALID -j DROP";
|
||||
}
|
||||
|
||||
sub allowInvalid ( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
|
||||
add_rule $chainref , '-m state --state INVALID -j ACCEPT';
|
||||
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
|
||||
add_rule $chainref , "$globals{STATEMATCH} INVALID -j ACCEPT";
|
||||
}
|
||||
|
||||
sub forwardUPnP ( $$$ ) {
|
||||
|
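Review bot: The interpolation `"$globals{STATEMATCH} INVALID "` introduced in dropInvalid and allowInvalid is repeated verbatim at every other site this commit touches (finish_chain_section, complete_standard_chain, setup_blacklist, add_common_rules, setup_mac_lists, process_rule1, generate_matrix, setup_tunnels), so any later change to the match prefix means editing each of them again. A small helper, e.g. `sub state_match { return "$globals{STATEMATCH} $_[0] " }`, with call sites written as `add_rule $chainref, state_match('INVALID') . '-j DROP';`, would keep the prefix in one place. This is a style point only; the generated rule text is unchanged.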
@ -1358,7 +1358,7 @@ sub finish_chain_section ($$) {
|
||||
|
||||
$comment = '';
|
||||
|
||||
add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT};
|
||||
add_rule $chainref, "$globals{STATEMATCH} $state -j ACCEPT" unless $config{FASTACCEPT};
|
||||
|
||||
if ($sections{NEW} ) {
|
||||
if ( $chainref->{is_policy} ) {
|
||||
|
@ -339,6 +339,7 @@ sub initialize( $ ) {
|
||||
LOGPARMS => '',
|
||||
TC_SCRIPT => '',
|
||||
EXPORT => 0,
|
||||
STATEMATCH => '-m state --state',
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.4.9-RC1",
|
||||
CAPVERSION => 40408 ,
|
||||
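Review bot: `STATEMATCH => '-m state --state',` is added to the globals table with no comment, and nothing in this hunk indicates the value is later replaced, so a reader of initialize() would take the state match to be fixed. Suggest `STATEMATCH => '-m state --state', # replaced by '-m conntrack --ctstate' in get_configuration() when CONNTRACK_MATCH is available`. The hash constructor this entry belongs to starts and ends outside the hunk.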
@ -2502,7 +2503,10 @@ sub determine_capabilities() {
|
||||
qt1( "$iptables -N $sillyname1" );
|
||||
|
||||
fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
|
||||
unless qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");
|
||||
unless
|
||||
qt1( "$iptables -A $sillyname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT") ||
|
||||
qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");;
|
||||
|
||||
|
||||
unless ( $config{ LOAD_HELPERS_ONLY } ) {
|
||||
#
|
||||
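Review bot: The line ending in `-j ACCEPT");;` has a doubled semicolon, leaving an empty statement after the `fatal_error ... unless` expression; it is harmless under strict but reads like a typo and perltidy/perlcritic will flag it, so drop one `;`. The message is also now slightly misleading: the guard passes when either `-m conntrack` or `-m state` appends successfully, yet it still reports only missing state match support; `'Your kernel/iptables include neither conntrack match nor state match support. No version of Shorewall will run on this system'` would describe the new check. Because of the short-circuit `||`, the `-m state` probe is skipped whenever conntrack works, so if any capability flag elsewhere was derived from that second probe (not visible here) it would no longer be exercised; worth confirming. determine_capabilities() continues outside the hunk.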
@ -2812,6 +2816,8 @@ sub get_configuration( $ ) {
|
||||
|
||||
get_capabilities( $export );
|
||||
|
||||
$globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
|
||||
|
||||
if ( $config{LOGRATE} || $config{LOGBURST} ) {
|
||||
if ( defined $config{LOGRATE} ) {
|
||||
fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;
|
||||
|
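Review bot: The switch to `-m conntrack --ctstate` is decided from `have_capability 'CONNTRACK_MATCH'` immediately after `get_capabilities( $export )`, so when capabilities come from an exported capabilities file rather than a probe of the running kernel, STATEMATCH reflects that file; a stale or foreign file could select a match extension the target kernel lacks, and the failure would surface only when the generated script loads its rules. A one-line comment making the dependency explicit would help, e.g. `# Prefer conntrack match when the (possibly exported) capabilities report it; rules otherwise keep -m state`. Whether CONNTRACK_MATCH is itself probed in determine_capabilities() is not visible in this commit, so that is worth confirming. get_configuration() continues outside the hunk.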
@ -467,7 +467,7 @@ sub apply_policy_rules() {
|
||||
sub complete_standard_chain ( $$$$ ) {
|
||||
my ( $stdchainref, $zone, $zone2, $default ) = @_;
|
||||
|
||||
add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};
|
||||
add_rule $stdchainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" unless $config{FASTACCEPT};
|
||||
|
||||
run_user_exit $stdchainref;
|
||||
|
||||
|
@ -283,7 +283,7 @@ sub setup_blacklist() {
|
||||
warning_message q(There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
|
||||
}
|
||||
|
||||
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
|
||||
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
|
||||
|
||||
for my $hostref ( @$hosts ) {
|
||||
my $interface = $hostref->[0];
|
||||
@ -431,7 +431,7 @@ sub add_common_rules() {
|
||||
my $list;
|
||||
my $chain;
|
||||
|
||||
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
|
||||
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
|
||||
my $level = $config{BLACKLIST_LOGLEVEL};
|
||||
my $rejectref = dont_move new_standard_chain 'reject';
|
||||
|
||||
@ -445,7 +445,7 @@ sub add_common_rules() {
|
||||
setup_mss;
|
||||
|
||||
if ( $config{FASTACCEPT} ) {
|
||||
add_rule( $filter_table->{$_} , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT );
|
||||
add_rule( $filter_table->{$_} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT );
|
||||
}
|
||||
|
||||
for $interface ( all_interfaces ) {
|
||||
@ -517,7 +517,7 @@ sub add_common_rules() {
|
||||
my $target = source_exclusion( $hostref->[3], $chainref );
|
||||
|
||||
for $chain ( first_chains $interface ) {
|
||||
add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ), $policy );
|
||||
add_jump $filter_table->{$chain} , $target, 0, join( '', "$globals{STATEMATCH} $state ", match_source_net( $hostref->[2] ), $policy );
|
||||
}
|
||||
|
||||
set_interface_option $interface, 'use_input_chain', 1;
|
||||
@ -801,14 +801,14 @@ sub setup_mac_lists( $ ) {
|
||||
my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
|
||||
|
||||
for my $chain ( first_chains $interface ) {
|
||||
add_jump $filter_table->{$chain} , $chainref, 0, "${source}-m state --state ${state} ${policy}";
|
||||
add_jump $filter_table->{$chain} , $chainref, 0, "${source}$globals{STATEMATCH} ${state} ${policy}";
|
||||
}
|
||||
|
||||
set_interface_option $interface, 'use_input_chain', 1;
|
||||
set_interface_option $interface, 'use_forward_chain', 1;
|
||||
} else {
|
||||
my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
|
||||
add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}-m state --state ${state} ${policy}";
|
||||
add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}$globals{STATEMATCH} ${state} ${policy}";
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@ -1212,7 +1212,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
unless ( $section eq 'NEW' ) {
|
||||
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
||||
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
|
||||
$rule .= "-m state --state $section "
|
||||
$rule .= "$globals{STATEMATCH} $section "
|
||||
}
|
||||
|
||||
#
|
||||
@ -2144,7 +2144,7 @@ sub generate_matrix() {
|
||||
'' ,
|
||||
'' ,
|
||||
'insert' ,
|
||||
'-m state --state NEW ';
|
||||
"$globals{STATEMATCH} NEW ";
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -2332,7 +2332,7 @@ EOF
|
||||
|
||||
my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
|
||||
|
||||
add_rule $filter_table->{$_}, '-m state --state ESTABLISHED,RELATED -j ACCEPT' for @chains;
|
||||
add_rule $filter_table->{$_}, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" for @chains;
|
||||
|
||||
if ( $family == F_IPV6 ) {
|
||||
add_rule $input, '-s ff80::/10 -j ACCEPT';
|
||||
|
@ -61,7 +61,7 @@ sub setup_tunnels() {
|
||||
}
|
||||
}
|
||||
|
||||
my $options = $globals{UNTRACKED} ? '-m state --state NEW,UNTRACKED -j ACCEPT' : '-m state --state NEW -j ACCEPT';
|
||||
my $options = $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
|
||||
|
||||
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||
add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
|
||||
|
@ -1537,7 +1537,8 @@ determine_capabilities() {
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
|
||||
if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT &&
|
||||
! qt $IPTABLES -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; then
|
||||
echo " ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
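Review bot: The probe now passes when either `-m state` or `-m conntrack` appends successfully, but it only establishes that one of them exists; if a compiled script whose rules use `-m conntrack --ctstate` (selected by the compiler from the CONNTRACK_MATCH capability) is run on a kernel that has only `-m state`, the failure appears later at rule load with a less specific iptables error than this message. If that combination can occur, consider recording which match worked (for example setting a `STATEMATCH` variable in the branch that succeeds) so the script can compare it with what its rules actually use. The same applies to the IP6TABLES probe in the following hunk. determine_capabilities() continues outside the hunk.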
@ -1222,7 +1222,8 @@ determine_capabilities() {
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! qt $IP6TABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
|
||||
if ! qt $IP6TABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT &&
|
||||
! qt $IP6TABLES -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; then
|
||||
echo " ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
|
||||
exit 1
|
||||
fi
|
||||
|