Some cleanup of policy actions
- Allow '+' in policy file action list Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
af8d4e32c2
commit
7e984af094
@ -138,7 +138,7 @@ our %section_rmap = ( ALL_SECTION , 'ALL',
|
|||||||
|
|
||||||
our @policy_chains;
|
our @policy_chains;
|
||||||
|
|
||||||
our %default_actions;
|
our %policy_actions;
|
||||||
|
|
||||||
our %macros;
|
our %macros;
|
||||||
|
|
||||||
@ -311,12 +311,14 @@ sub initialize( $ ) {
|
|||||||
# This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
|
# This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
|
||||||
# in the %config hash when shorewall[6].conf was processed.
|
# in the %config hash when shorewall[6].conf was processed.
|
||||||
#
|
#
|
||||||
%default_actions = ( DROP => [] ,
|
%policy_actions = ( DROP => [] ,
|
||||||
REJECT => [] ,
|
REJECT => [] ,
|
||||||
BLACKLIST => [] ,
|
BLACKLIST => [] ,
|
||||||
ACCEPT => [] ,
|
ACCEPT => [] ,
|
||||||
QUEUE => [] ,
|
QUEUE => [] ,
|
||||||
NFQUEUE => [] ,
|
NFQUEUE => [] ,
|
||||||
|
CONTINUE => [] ,
|
||||||
|
NONE => [] ,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# These are set to 1 as sections are encountered.
|
# These are set to 1 as sections are encountered.
|
||||||
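Review bot: The comment above the table says it is updated from the *_DEFAULT settings in shorewall.conf, but the new CONTINUE and NONE entries have no corresponding _DEFAULT option (the conf hunks in this commit list only ACCEPT, BLACKLIST, DROP, NFQUEUE, QUEUE and REJECT), so a reader cannot tell why they are here. A short comment on the new lines would help, e.g. `# CONTINUE and NONE have no *_DEFAULT setting; present so lookups by policy name yield an empty list rather than undef` — if that is indeed the intent. initialize continues outside the hunk.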
@ -430,7 +432,7 @@ sub convert_to_policy_chain($$$$$$)
|
|||||||
$chainref->{audit} = $audit;
|
$chainref->{audit} = $audit;
|
||||||
$chainref->{policychain} = $chainref->{name};
|
$chainref->{policychain} = $chainref->{name};
|
||||||
$chainref->{policypair} = [ $source, $dest ];
|
$chainref->{policypair} = [ $source, $dest ];
|
||||||
$chainref->{defaults} = [];
|
$chainref->{pactions} = [];
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -480,7 +482,7 @@ sub set_policy_chain($$$$$$)
|
|||||||
$chainref->{synchain} = $polchainref->{synchain};
|
$chainref->{synchain} = $polchainref->{synchain};
|
||||||
}
|
}
|
||||||
|
|
||||||
$chainref->{defaults} = $polchainref->{defaults};
|
$chainref->{pactions} = $polchainref->{pactions} || [];
|
||||||
$chainref->{is_policy} = 1;
|
$chainref->{is_policy} = 1;
|
||||||
push @policy_chains, $chainref;
|
push @policy_chains, $chainref;
|
||||||
} else {
|
} else {
|
||||||
@ -529,12 +531,12 @@ sub normalize_action( $$$ );
|
|||||||
sub normalize_action_name( $ );
|
sub normalize_action_name( $ );
|
||||||
sub normalize_single_action( $ );
|
sub normalize_single_action( $ );
|
||||||
|
|
||||||
sub process_default_action( $$$$ ) {
|
sub process_policy_action( $$$$ ) {
|
||||||
my ( $originalpolicy, $policy, $default, $level ) = @_;
|
my ( $originalpolicy, $policy, $paction, $level ) = @_;
|
||||||
|
|
||||||
if ( supplied $default ) {
|
if ( supplied $paction ) {
|
||||||
my $default_option = ( $policy =~ /_DEFAULT$/ );
|
my $paction_option = ( $policy =~ /_DEFAULT$/ );
|
||||||
my ( $def, $param ) = get_target_param( $default );
|
my ( $act, $param ) = get_target_param( $paction );
|
||||||
|
|
||||||
if ( supplied $level ) {
|
if ( supplied $level ) {
|
||||||
validate_level( $level );
|
validate_level( $level );
|
||||||
@ -542,46 +544,48 @@ sub process_default_action( $$$$ ) {
|
|||||||
$level = 'none';
|
$level = 'none';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ( $targets{$def} || 0 ) & ACTION ) {
|
if ( ( $targets{$act} || 0 ) & ACTION ) {
|
||||||
$default = supplied $param ? normalize_action( $def, $level, $param ) :
|
$paction = supplied $param ? normalize_action( $act, $level, $param ) :
|
||||||
$level eq 'none' ? normalize_action_name $def :
|
$level eq 'none' ? normalize_action_name $act :
|
||||||
normalize_action( $def, $level, '' );
|
normalize_action( $act, $level, '' );
|
||||||
} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
|
} elsif ( ( $targets{$act} || 0 ) == INLINE ) {
|
||||||
$default = $def;
|
$paction = $act;
|
||||||
$default = "$def($param)" if supplied $param;
|
$paction = "$act($param)" if supplied $param;
|
||||||
$default = join( ':', $default, $level ) if $level ne 'none';
|
$paction = join( ':', $paction, $level ) if $level ne 'none';
|
||||||
} elsif ( $default_option ) {
|
} elsif ( $paction_option ) {
|
||||||
fatal_error "Unknown Action ($default) in $policy setting";
|
fatal_error "Unknown Action ($paction) in $policy setting";
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Unknown Default Action ($default)";
|
fatal_error "Unknown Policy Action ($paction)";
|
||||||
}
|
}
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
$default = $default_actions{$policy};
|
$paction = $policy_actions{$policy};
|
||||||
}
|
}
|
||||||
|
|
||||||
$default;
|
$paction;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub process_default_actions( $$$ ) {
|
sub process_policy_actions( $$$ ) {
|
||||||
my ( $originalpolicy, $policy, $defaults ) = @_;
|
my ( $originalpolicy, $policy, $pactions ) = @_;
|
||||||
|
|
||||||
my @defaults;
|
if ( supplied $pactions ) {
|
||||||
|
my @pactions;
|
||||||
|
|
||||||
if ( supplied $defaults ) {
|
if ( $pactions ne 'none' ) {
|
||||||
if ( $defaults ne 'none' ) {
|
@pactions = @{$policy_actions{policy}} if $pactions =~ s/^\+//;
|
||||||
for my $default ( split_list3( $defaults, 'Default Action' ) ) {
|
|
||||||
my ( $action, $level, $remainder ) = split( /:/, $default );
|
|
||||||
|
|
||||||
fatal_error "Invalid default action ($default:$level:$remainder)" if defined $remainder;
|
for my $paction ( split_list3( $pactions, 'Policy Action' ) ) {
|
||||||
|
my ( $action, $level, $remainder ) = split( /:/, $paction, 3 );
|
||||||
|
|
||||||
push @defaults, process_default_action( $originalpolicy, $policy, $action, $level );
|
fatal_error "Invalid policy action ($paction:$level:$remainder)" if defined $remainder;
|
||||||
|
|
||||||
|
push @pactions, process_policy_action( $originalpolicy, $policy, $action, $level );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
\@defaults;
|
\@pactions;
|
||||||
} else {
|
} else {
|
||||||
$default_actions{$policy};
|
$policy_actions{$policy};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
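Review bot: The '+' handling looks up `$policy_actions{policy}`, i.e. the literal key 'policy', not the current `$policy`; that entry never exists, and under strict refs the rvalue dereference of undef dies, so every '+'-prefixed action list would fail with an internal error instead of inheriting the _DEFAULT actions. Change it to `@pactions = @{ $policy_actions{$policy} || [] } if $pactions =~ s/^\+//;`. Note also that the caller in process_policies (the hunk at @ -855) passes the option name (e.g. DROP_DEFAULT) as `$policy`, which is not a key of `%policy_actions`, so a '+' in a shorewall.conf _DEFAULT setting would then silently inherit nothing; a `fatal_error` rejecting the prefix when `$policy =~ /_DEFAULT$/` would be clearer. process_policy_action starts in the previous hunk.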
@ -670,7 +674,7 @@ sub process_a_policy1($$$$$$$) {
|
|||||||
|
|
||||||
require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
|
require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
|
||||||
|
|
||||||
my ( $policy, $defaults ) = split( /:/, $originalpolicy, 2 );
|
my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
|
||||||
|
|
||||||
fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
|
fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
|
||||||
|
|
||||||
@ -682,7 +686,7 @@ sub process_a_policy1($$$$$$$) {
|
|||||||
fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
|
fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
|
||||||
}
|
}
|
||||||
|
|
||||||
my $default = process_default_actions( $originalpolicy, $policy, $defaults );
|
my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
|
||||||
|
|
||||||
if ( defined $queue ) {
|
if ( defined $queue ) {
|
||||||
$policy = handle_nfqueue( $queue,
|
$policy = handle_nfqueue( $queue,
|
||||||
@ -739,7 +743,7 @@ sub process_a_policy1($$$$$$$) {
|
|||||||
$chainref->{synchain} = $chain
|
$chainref->{synchain} = $chain
|
||||||
}
|
}
|
||||||
|
|
||||||
$chainref->{defaults} = $default;
|
$chainref->{pactions} = $pactionref;
|
||||||
$chainref->{origin} = shortlineinfo('');
|
$chainref->{origin} = shortlineinfo('');
|
||||||
|
|
||||||
if ( $clientwild ) {
|
if ( $clientwild ) {
|
||||||
@ -855,10 +859,10 @@ sub process_policies()
|
|||||||
if ( $actions eq 'none' ) {
|
if ( $actions eq 'none' ) {
|
||||||
$actions = [];
|
$actions = [];
|
||||||
} else {
|
} else {
|
||||||
$actions = process_default_actions( $actions, $option, $actions );
|
$actions = process_policy_actions( $actions, $option, $actions );
|
||||||
}
|
}
|
||||||
|
|
||||||
$default_actions{$map{$option}} = $actions;
|
$policy_actions{$map{$option}} = $actions;
|
||||||
}
|
}
|
||||||
|
|
||||||
for $zone ( all_zones ) {
|
for $zone ( all_zones ) {
|
||||||
@ -918,23 +922,23 @@ sub process_policies()
|
|||||||
sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
|
sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
|
||||||
|
|
||||||
sub add_policy_rules( $$$$$ ) {
|
sub add_policy_rules( $$$$$ ) {
|
||||||
my ( $chainref , $target, $loglevel, $defaults, $dropmulticast ) = @_;
|
my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
|
||||||
|
|
||||||
unless ( $target eq 'NONE' ) {
|
unless ( $target eq 'NONE' ) {
|
||||||
my @defaults;
|
my @pactions;
|
||||||
|
|
||||||
@defaults = @$defaults if defined $defaults;
|
@pactions = @$pactions;
|
||||||
|
|
||||||
add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
|
add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
|
||||||
|
|
||||||
for my $default ( @defaults ) {
|
for my $paction ( @pactions ) {
|
||||||
my ( $action ) = split ':', $default;
|
my ( $action ) = split ':', $paction;
|
||||||
|
|
||||||
if ( ( $targets{$action} || 0 ) & ACTION ) {
|
if ( ( $targets{$action} || 0 ) & ACTION ) {
|
||||||
#
|
#
|
||||||
# Default action is a regular action -- jump to the action chain
|
# Default action is a regular action -- jump to the action chain
|
||||||
#
|
#
|
||||||
add_ijump $chainref, j => use_policy_action( $default, $chainref->{name} );
|
add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
|
||||||
} else {
|
} else {
|
||||||
#
|
#
|
||||||
# Default action is an inline
|
# Default action is an inline
|
||||||
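Review bot: `@pactions = @$pactions;` drops the former `if defined` guard, so an undef fourth argument now dies with "Can't use an undefined value as an ARRAY reference" rather than being treated as an empty list; complete_standard_chain passes `$policy_actions{$policy}`, which is undef for any `$policy` not in the table. Unless every caller is guaranteed to pass a reference, keep it tolerant: `@pactions = @{ $pactions || [] };`. The comments below (`# Default action is a regular action ...`, `# Default action is an inline`) still use the old term; `# Policy action is a regular action -- jump to the action chain` would match the rename. add_policy_rules continues past the hunk.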
@ -946,7 +950,7 @@ sub add_policy_rules( $$$$$ ) {
|
|||||||
'', #Matches
|
'', #Matches
|
||||||
'', #Matches1
|
'', #Matches1
|
||||||
$loglevel, #Log Level and Tag
|
$loglevel, #Log Level and Tag
|
||||||
$default, #Target
|
$paction, #Target
|
||||||
$param || '', #Param
|
$param || '', #Param
|
||||||
'-', #Source
|
'-', #Source
|
||||||
'-', #Dest
|
'-', #Dest
|
||||||
@ -999,7 +1003,7 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
|
|||||||
my $chainref = $_[0];
|
my $chainref = $_[0];
|
||||||
my $policyref = $filter_table->{$chainref->{policychain}};
|
my $policyref = $filter_table->{$chainref->{policychain}};
|
||||||
my $synparams = $policyref->{synparams};
|
my $synparams = $policyref->{synparams};
|
||||||
my $defaults = $policyref->{defaults};
|
my $defaults = $policyref->{pactions};
|
||||||
my $policy = $policyref->{policy};
|
my $policy = $policyref->{policy};
|
||||||
my $loglevel = $policyref->{loglevel};
|
my $loglevel = $policyref->{loglevel};
|
||||||
|
|
||||||
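Review bot: The local is still named `$defaults` while the field it reads was renamed to `pactions` (`my $defaults = $policyref->{pactions};`); the same mismatch is in complete_policy_chains at the next hunk (`my $defaults = $chainref->{pactions};`). Renaming both to `$pactions` would keep the code consistent with the rest of the commit, but their uses lie outside these hunks and must be renamed together. Both functions continue beyond their hunks.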
@ -1041,7 +1045,7 @@ sub complete_policy_chains() {
|
|||||||
unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
|
unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
|
||||||
my $loglevel = $chainref->{loglevel};
|
my $loglevel = $chainref->{loglevel};
|
||||||
my $provisional = $chainref->{provisional};
|
my $provisional = $chainref->{provisional};
|
||||||
my $defaults = $chainref->{defaults};
|
my $defaults = $chainref->{pactions};
|
||||||
my $name = $chainref->{name};
|
my $name = $chainref->{name};
|
||||||
my $synparms = $chainref->{synparms};
|
my $synparms = $chainref->{synparms};
|
||||||
|
|
||||||
@ -1094,17 +1098,17 @@ sub complete_standard_chain ( $$$$ ) {
|
|||||||
|
|
||||||
my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
|
my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
|
||||||
my ( $policy, $loglevel ) = ( $default , 6 );
|
my ( $policy, $loglevel ) = ( $default , 6 );
|
||||||
my $defaultactions = $default_actions{$policy};
|
my $policy_actions = $policy_actions{$policy};
|
||||||
my $policychainref;
|
my $policychainref;
|
||||||
|
|
||||||
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
|
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
|
||||||
|
|
||||||
if ( $policychainref ) {
|
if ( $policychainref ) {
|
||||||
( $policy, $loglevel, $defaultactions ) = @{$policychainref}{'policy', 'loglevel', 'defaults' };
|
( $policy, $loglevel, $policy_actions ) = @{$policychainref}{'policy', 'loglevel', 'pactions' };
|
||||||
$stdchainref->{origin} = $policychainref->{origin};
|
$stdchainref->{origin} = $policychainref->{origin};
|
||||||
}
|
}
|
||||||
|
|
||||||
add_policy_rules $stdchainref , $policy , $loglevel, $defaultactions, 0;
|
add_policy_rules $stdchainref , $policy , $loglevel, $policy_actions, 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
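Review bot: The new lexical `$policy_actions` shares its name with the package hash `%policy_actions` it is read from, so `my $policy_actions = $policy_actions{$policy};` and the later `add_policy_rules ... $policy_actions, 0;` read as the same variable; Perl keeps them apart by sigil, but it is easy to misread. Naming it `$pactions`, as the rest of the commit does, avoids that: `my $pactions = $policy_actions{$policy} || [];`, `( $policy, $loglevel, $pactions ) = @{$policychainref}{'policy', 'loglevel', 'pactions' };`, `add_policy_rules $stdchainref , $policy , $loglevel, $pactions, 0;`. The `|| []` also protects the now-unconditional `@$pactions` in add_policy_rules when `$policy` is not a key of the table. complete_standard_chain starts before the hunk.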
@ -120,7 +120,7 @@
|
|||||||
role="bold">QUEUE</emphasis>|<emphasis
|
role="bold">QUEUE</emphasis>|<emphasis
|
||||||
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
|
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
|
||||||
role="bold">NONE</emphasis>}[<emphasis
|
role="bold">NONE</emphasis>}[<emphasis
|
||||||
role="bold">:</emphasis>{<emphasis>default-action</emphasis>[:level][,...]|<emphasis
|
role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
|
||||||
role="bold">None</emphasis>}]</term>
|
role="bold">None</emphasis>}]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -140,7 +140,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of an action with optional parameters enclosed in
|
<para>The name of an action with optional parameters enclosed in
|
||||||
parentheses. The action will be invoked before the policy is
|
parentheses. The action will be invoked before the policy is
|
||||||
enforced. </para>
|
enforced.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
@ -154,9 +154,13 @@
|
|||||||
<para>Beginning with Shorewall 5.1.2, multiple
|
<para>Beginning with Shorewall 5.1.2, multiple
|
||||||
<replaceable>action</replaceable>[:<replaceable>level</replaceable>]
|
<replaceable>action</replaceable>[:<replaceable>level</replaceable>]
|
||||||
specification may be listeded, separated by commas. The actions are
|
specification may be listeded, separated by commas. The actions are
|
||||||
invoked in the order listed.</para>
|
invoked in the order listed. Also beginning with Shorewall 5.1.2,
|
||||||
|
the policy-action list can be prefixed with a plus sign ("+")
|
||||||
|
indicating that the listed actions are in addition to those listed
|
||||||
|
in the related _DEFAULT setting in <ulink
|
||||||
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Possible actions are:</para>
|
<para>Possible policies are:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
@ -105,11 +105,11 @@ TC=
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCEPT_DEFAULT=none
|
ACCEPT_DEFAULT=none
|
||||||
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
|
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
|
||||||
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
|
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
|
||||||
NFQUEUE_DEFAULT=none
|
NFQUEUE_DEFAULT=none
|
||||||
QUEUE_DEFAULT=none
|
QUEUE_DEFAULT=none
|
||||||
REJECT_DEFAULT=AllowICMPs,dropBcasts
|
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# R S H / R C P C O M M A N D S
|
# R S H / R C P C O M M A N D S
|
||||||
|
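Review bot: Beyond the quoting, these lines change the shipped defaults for BLACKLIST, DROP and REJECT from `dropBcasts` to `Broadcast(DROP)`, which alters the rules generated for every policy chain that relies on these defaults, yet neither the commit message nor the conf hunk says why; the same change is repeated in the three following shorewall.conf hunks. A comment line above the *_DEFAULT block naming the new parameterized action, or a sentence in the commit message, would let an upgrading administrator tell this apart from a cosmetic quoting change. The quotes themselves appear necessary because an unquoted `(`/`)` would be parsed by the shell when the file is sourced — presumably that is why they were added.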
@ -106,11 +106,11 @@ TC=
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCEPT_DEFAULT=none
|
ACCEPT_DEFAULT=none
|
||||||
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
|
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
|
||||||
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
|
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
|
||||||
NFQUEUE_DEFAULT=none
|
NFQUEUE_DEFAULT=none
|
||||||
QUEUE_DEFAULT=none
|
QUEUE_DEFAULT=none
|
||||||
REJECT_DEFAULT=AllowICMPs,dropBcasts
|
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# R S H / R C P C O M M A N D S
|
# R S H / R C P C O M M A N D S
|
||||||
|
@ -105,11 +105,11 @@ TC=
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCEPT_DEFAULT=none
|
ACCEPT_DEFAULT=none
|
||||||
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
|
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
|
||||||
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
|
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
|
||||||
NFQUEUE_DEFAULT=none
|
NFQUEUE_DEFAULT=none
|
||||||
QUEUE_DEFAULT=none
|
QUEUE_DEFAULT=none
|
||||||
REJECT_DEFAULT=AllowICMPs,dropBcasts
|
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# R S H / R C P C O M M A N D S
|
# R S H / R C P C O M M A N D S
|
||||||
|
@ -105,11 +105,11 @@ TC=
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCEPT_DEFAULT=none
|
ACCEPT_DEFAULT=none
|
||||||
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
|
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
|
||||||
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
|
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
|
||||||
NFQUEUE_DEFAULT=none
|
NFQUEUE_DEFAULT=none
|
||||||
QUEUE_DEFAULT=none
|
QUEUE_DEFAULT=none
|
||||||
REJECT_DEFAULT=AllowICMPs,dropBcasts
|
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# R S H / R C P C O M M A N D S
|
# R S H / R C P C O M M A N D S
|
||||||
|
@ -119,7 +119,7 @@
|
|||||||
role="bold">QUEUE</emphasis>|<emphasis
|
role="bold">QUEUE</emphasis>|<emphasis
|
||||||
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
|
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
|
||||||
role="bold">NONE</emphasis>}[<emphasis
|
role="bold">NONE</emphasis>}[<emphasis
|
||||||
role="bold">:</emphasis>{<emphasis>default-action</emphasis>[:level][,...]|<emphasis
|
role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
|
||||||
role="bold">None</emphasis>}]</term>
|
role="bold">None</emphasis>}]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -152,9 +152,13 @@
|
|||||||
<para>Beginning with Shorewall 5.1.2, multiple
|
<para>Beginning with Shorewall 5.1.2, multiple
|
||||||
<replaceable>action</replaceable>[:<replaceable>level</replaceable>]
|
<replaceable>action</replaceable>[:<replaceable>level</replaceable>]
|
||||||
pairs may be specified, separated by commas. The actions are invoked
|
pairs may be specified, separated by commas. The actions are invoked
|
||||||
in the order listed.</para>
|
in the order listed. Also beginning with Shorewall 5.1.2, the
|
||||||
|
policy-action list can be prefixed with a plus sign ("+") indicating
|
||||||
|
that the listed actions are in addition to those listed in the
|
||||||
|
related _DEFAULT setting in <ulink
|
||||||
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Possible actions are:</para>
|
<para>Possible policies are:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
@ -136,9 +136,10 @@ ACCEPT - - tcp 135,139,445</programlisting>
|
|||||||
|
|
||||||
<para>Shorewall allows the association of a <firstterm>policy
|
<para>Shorewall allows the association of a <firstterm>policy
|
||||||
action</firstterm> with policies. A separate policy action may be
|
action</firstterm> with policies. A separate policy action may be
|
||||||
associated with ACCEPT, DROP, REJECT, QUEUE and NFQUEUE policies. Policy
|
associated with ACCEPT, DROP, REJECT, QUEUE, NFQUEUE and BLACKLIST
|
||||||
actions provide a way to invoke a set of common rules just before the
|
policies. Policy actions provide a way to invoke a set of common rules
|
||||||
policy is enforced. Policy actions accomplish two goals:</para>
|
just before the policy is enforced. Policy actions accomplish two
|
||||||
|
goals:</para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -153,8 +154,8 @@ ACCEPT - - tcp 135,139,445</programlisting>
|
|||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>Shorewall supports policy actions for the ACCEPT, REJECT, DROP,
|
<para>Shorewall supports policy actions for the ACCEPT, REJECT, DROP,
|
||||||
QUEUE and NFQUEUE policies. These default actions are specified in the
|
QUEUE, NFQUEUE and BLACKLIST policies. These default actions are specified
|
||||||
<filename>/etc/shorewall/shorewall.conf</filename> file using the
|
in the <filename>/etc/shorewall/shorewall.conf</filename> file using the
|
||||||
ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and
|
ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and
|
||||||
NFQUEUE_DEFAULT options respectively. Policies whose default is set to a
|
NFQUEUE_DEFAULT options respectively. Policies whose default is set to a
|
||||||
value of <quote>none</quote> have no default action.</para>
|
value of <quote>none</quote> have no default action.</para>
|
||||||
@ -295,7 +296,7 @@ ACCEPT - - tcp 135,139,445</programlisting>
|
|||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>Broadcasts[(<replaceable>disposition</replaceable>)]</term>
|
<term>Broadcast[(<replaceable>disposition</replaceable>)]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Handles broadcasts and multicasts based on the
|
<para>Handles broadcasts and multicasts based on the
|
||||||
@ -335,7 +336,7 @@ ACCEPT - - tcp 135,139,445</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Allows ICMP packets mandated by RFC 4890. In particular, this
|
<para>Allows ICMP packets mandated by RFC 4890. In particular, this
|
||||||
ensures that Neighbor Discovery won't be broken </para>
|
ensures that Neighbor Discovery won't be broken</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|