Clean up rules file sectioning
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2565 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
0ae1bdfbc1
commit
86c837bf48
@ -235,9 +235,36 @@ run_ipset() {
|
||||
#
|
||||
finish_chain_section() # $1 = canonical chain $2 = state list
|
||||
{
|
||||
local policy policychain
|
||||
|
||||
[ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
|
||||
|
||||
if list_search RELATED $(separate_list $2) ; then
|
||||
[ -z "$NEWNOTSYN" ] && run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
|
||||
|
||||
if is_policy_chain $1 ; then
|
||||
if eval test -n \"\$${1}_synparams\" ; then
|
||||
if [ $SECTION = DONE ]; then
|
||||
eval policy=\$${1}_policy
|
||||
|
||||
case $policy in
|
||||
ACCEPT|CONTINUE|QUEUE)
|
||||
run_iptables -A $1 -p tcp --syn -j @$1
|
||||
;;
|
||||
*)
|
||||
|
||||
esac
|
||||
else
|
||||
run_iptables -A $1 -p tcp --syn -j @$1
|
||||
fi
|
||||
fi
|
||||
else
|
||||
eval policychain=\$${1}_policychain
|
||||
|
||||
if eval test -n \"\$${policychain}_synparams\" ; then
|
||||
run_iptables -A $1 -p tcp --syn -j @$policychain
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
@ -273,7 +300,7 @@ createchain() # $1 = chain name, $2 = If "yes", create newnotsyn rule
|
||||
|
||||
if [ $2 = yes ]; then
|
||||
case $SECTION in
|
||||
NEW)
|
||||
NEW|DONE)
|
||||
finish_chain_section $1 ESTABLISHED,RELATED
|
||||
;;
|
||||
RELATED)
|
||||
@ -296,7 +323,7 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
|
||||
|
||||
if [ $2 = yes ]; then
|
||||
case $SECTION in
|
||||
NEW)
|
||||
NEW|DONE)
|
||||
finish_chain_section $1 ESTABLISHED,RELATED
|
||||
;;
|
||||
RELATED)
|
||||
@ -1455,6 +1482,7 @@ validate_policy()
|
||||
eval ${chain}_is_policy=Yes
|
||||
eval ${chain}_is_optional=Yes
|
||||
eval ${chain}_policy=ACCEPT
|
||||
eval ${chain}_policychain=$chain
|
||||
ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
|
||||
done
|
||||
|
||||
@ -1512,7 +1540,7 @@ validate_policy()
|
||||
fi
|
||||
|
||||
[ "x$loglevel" = "x-" ] && loglevel=
|
||||
[ "x$synparms" = "x-" ] && synparms=
|
||||
[ "x$synparams" = "x-" ] && synparams=
|
||||
|
||||
[ $policy = NONE ] || ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
|
||||
|
||||
@ -2782,17 +2810,6 @@ setup_syn_flood_chains()
|
||||
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
|
||||
done
|
||||
}
|
||||
#
|
||||
# Enable SYN flood protection on a chain
|
||||
#
|
||||
# Insert a jump rule to the protection chain from the first chain. Inserted
|
||||
# as the second rule and restrict the jump to SYN packets
|
||||
#
|
||||
enable_syn_flood_protection() # $1 = chain, $2 = protection chain
|
||||
{
|
||||
run_iptables -I $1 -p tcp --syn -j @$2
|
||||
progress_message " Enabled SYN flood protection"
|
||||
}
|
||||
|
||||
#
|
||||
# Delete existing Proxy ARP
|
||||
@ -5979,13 +5996,13 @@ process_rules() # $1 = "Yes" if the target is a macro.
|
||||
case $SECTION in
|
||||
ESTABLISHED)
|
||||
finish_section ESTABLISHED,RELATED
|
||||
SECTION=NEW
|
||||
;;
|
||||
RELATED)
|
||||
finish_section RELATED
|
||||
SECTION=NEW
|
||||
;;
|
||||
esac
|
||||
|
||||
SECTION=DONE
|
||||
}
|
||||
|
||||
#
|
||||
@ -6250,6 +6267,11 @@ default_policy() # $1 = client $2 = server
|
||||
chain=$chain1
|
||||
}
|
||||
|
||||
report_syn_flood_protection()
|
||||
{
|
||||
progress_message " Enabled SYN flood protection"
|
||||
}
|
||||
|
||||
apply_default()
|
||||
{
|
||||
#
|
||||
@ -6280,7 +6302,7 @@ default_policy() # $1 = client $2 = server
|
||||
# To avoid double-counting SYN packets, enforce the policy
|
||||
# in this chain.
|
||||
#
|
||||
enable_syn_flood_protection $chain $chain1
|
||||
report_syn_flood_protection
|
||||
policy_rules $chain $policy $loglevel
|
||||
else
|
||||
#
|
||||
@ -6296,7 +6318,7 @@ default_policy() # $1 = client $2 = server
|
||||
# rules and enable SYN flood protection if requested
|
||||
#
|
||||
[ -n "$synparams" ] && \
|
||||
enable_syn_flood_protection $chain $chain1
|
||||
report_syn_flood_protection
|
||||
policy_rules $chain $policy $loglevel
|
||||
;;
|
||||
*)
|
||||
@ -6305,7 +6327,7 @@ default_policy() # $1 = client $2 = server
|
||||
# enable SYN flood protection if requested.
|
||||
#
|
||||
[ -n "$synparams" ] && \
|
||||
enable_syn_flood_protection $chain $chain1
|
||||
report_syn_flood_protection
|
||||
jump_to_policy_chain
|
||||
;;
|
||||
esac
|
||||
@ -7815,11 +7837,7 @@ apply_policy_rules() {
|
||||
eval loglevel=\$${chain}_loglevel
|
||||
eval optional=\$${chain}_is_optional
|
||||
|
||||
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
|
||||
|
||||
if havechain $chain ; then
|
||||
[ -n "$synparms" ] && run_iptables -I $chain -p tcp --syn -j @$chain
|
||||
elif [ -z "$optional" -a "$policy" != CONTINUE ]; then
|
||||
if ! havechain $chain && [ -z "$optional" -a "$policy" != CONTINUE ]; then
|
||||
#
|
||||
# The chain doesn't exist. Create the chain and add policy
|
||||
# rules
|
||||
@ -7832,14 +7850,6 @@ apply_policy_rules() {
|
||||
# Otherwise, this is a canonical chain which will be handled in
|
||||
# the for loop below
|
||||
#
|
||||
if [ -n "$synparams" ]; then
|
||||
case $policy in
|
||||
ACCEPT|CONTINUE|QUEUE)
|
||||
run_iptables -I $chain -p tcp --syn -j @$chain
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
case $chain in
|
||||
all2*|*2all)
|
||||
policy_rules $chain $policy $loglevel
|
||||
@ -8233,6 +8243,8 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
echo "Setting up NETMAP..."; setup_netmap
|
||||
echo "Adding Common Rules"; add_common_rules
|
||||
|
||||
setup_syn_flood_chains
|
||||
|
||||
tunnels=$(find_file tunnels)
|
||||
[ -f $tunnels ] && \
|
||||
echo "Processing $tunnels..." && setup_tunnels $tunnels
|
||||
@ -8242,8 +8254,6 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
maclist_hosts=$(find_hosts_by_option maclist)
|
||||
[ -n "$maclist_hosts" ] && setup_mac_lists
|
||||
|
||||
setup_syn_flood_chains
|
||||
|
||||
echo "Processing $(find_file rules)..."; process_rules
|
||||
echo "Processing Actions..."; process_actions2
|
||||
process_actions3
|
||||
|
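Review bot: In finish_chain_section the non-policy-chain branch evaluates `${1}_policychain` and then tests `${policychain}_synparams` without checking that policychain came back non-empty; if a canonical chain has no `_policychain` variable the eval silently inspects a variable literally named `_synparams` instead of failing, so the SYN flood jump is quietly skipped or, if that stray name happens to be set, wrongly added. Guarding the lookup, `if [ -n "$policychain" ] && eval test -n \"\$${policychain}_synparams\" ; then`, keeps the outcome explicit; whether every canonical chain has `_policychain` assigned before this runs is not visible here, as validate_policy's optional-chain loop is the only assignment shown on this page. The empty `*)` arm of the `case $policy` block would also benefit from a one-line comment such as `# DROP/REJECT: no rate-limit jump, the policy rules appended next discard SYN packets anyway`, so the deliberate asymmetry with the non-DONE branch, which appends the jump for any policy, is not mistaken for an omission. Since default_policy now only prints via report_syn_flood_protection, that message is accurate only if this branch finds the right `_synparams` for the chain. finish_chain_section lies entirely within its hunk.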