forked from extern/shorewall_code
More ORIGINAL DEST fixes; restore last 'Hits' report
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@579 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
e3bafeecaa
commit
89bb721da4
@ -1966,6 +1966,7 @@ add_nat_rule() {
|
|||||||
#
|
#
|
||||||
add_a_rule()
|
add_a_rule()
|
||||||
{
|
{
|
||||||
|
local natrule=
|
||||||
|
|
||||||
rule_error() {
|
rule_error() {
|
||||||
fatal_error "Only DNAT and REDIRECT rules may specify port mapping; rule \"$rule\""
|
fatal_error "Only DNAT and REDIRECT rules may specify port mapping; rule \"$rule\""
|
||||||
@ -1975,7 +1976,7 @@ add_a_rule()
|
|||||||
|
|
||||||
cli=
|
cli=
|
||||||
|
|
||||||
[ -n "$client" ] && case "$client" in
|
case "$client" in
|
||||||
-)
|
-)
|
||||||
;;
|
;;
|
||||||
*:*)
|
*:*)
|
||||||
@ -1988,7 +1989,7 @@ add_a_rule()
|
|||||||
cli=`mac_match $client`
|
cli=`mac_match $client`
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
cli="-i $client"
|
[ -n "$client" ] && cli="-i $client"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -1997,7 +1998,7 @@ add_a_rule()
|
|||||||
dest_interface=
|
dest_interface=
|
||||||
serv=
|
serv=
|
||||||
|
|
||||||
[ -n "$server" ] && case "$server" in
|
case "$server" in
|
||||||
-)
|
-)
|
||||||
;;
|
;;
|
||||||
*.*.*)
|
*.*.*)
|
||||||
@ -2007,7 +2008,7 @@ add_a_rule()
|
|||||||
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
|
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
dest_interface="-o $server"
|
[ -n "$server" ] && dest_interface="-o $server"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -2073,10 +2074,12 @@ add_a_rule()
|
|||||||
[ -n "$serv" ] && startup_error "REDIRECT rules cannot"\
|
[ -n "$serv" ] && startup_error "REDIRECT rules cannot"\
|
||||||
" specify a server IP; rule: \"$rule\""
|
" specify a server IP; rule: \"$rule\""
|
||||||
servport=${servport:=$port}
|
servport=${servport:=$port}
|
||||||
|
natrule=Yes
|
||||||
;;
|
;;
|
||||||
DNAT)
|
DNAT)
|
||||||
[ -n "$serv" ] || fatal_error "DNAT rules require a" \
|
[ -n "$serv" ] || fatal_error "DNAT rules require a" \
|
||||||
" server address; rule: \"$rule\""
|
" server address; rule: \"$rule\""
|
||||||
|
natrule=Yes
|
||||||
;;
|
;;
|
||||||
LOG)
|
LOG)
|
||||||
[ -z "$loglevel" ] && fatal_error "LOG requires log level"
|
[ -z "$loglevel" ] && fatal_error "LOG requires log level"
|
||||||
@ -2095,19 +2098,11 @@ add_a_rule()
|
|||||||
|
|
||||||
# A specific server or server port given
|
# A specific server or server port given
|
||||||
|
|
||||||
case "$logtarget" in
|
if [ -n "$natrule" ]; then
|
||||||
REDIRECT|DNAT)
|
|
||||||
add_nat_rule
|
add_nat_rule
|
||||||
;;
|
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
|
||||||
*)
|
rule_error
|
||||||
if [ -n "$addr" -a "$addr" != "$serv" ]; then
|
fi
|
||||||
rule_error
|
|
||||||
elif [ -n "$servport" -a "$servport" != "$port" ]; then
|
|
||||||
rule_error
|
|
||||||
fi
|
|
||||||
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
|
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
|
||||||
serv="${serv:+-d $serv}"
|
serv="${serv:+-d $serv}"
|
||||||
@ -2289,8 +2284,6 @@ process_rule() # $1 = target
|
|||||||
return
|
return
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
else
|
|
||||||
[ $command = check ] || ensurechain $chain
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Generate Netfilter rule(s)
|
# Generate Netfilter rule(s)
|
||||||
|
|||||||
@ -170,13 +170,16 @@
|
|||||||
# specified in the DEST column.
|
# specified in the DEST column.
|
||||||
#
|
#
|
||||||
# A comma-separated list of addresses may also be used.
|
# A comma-separated list of addresses may also be used.
|
||||||
# This is usually most useful with the REDIRECT target.
|
# This is usually most useful with the REDIRECT target
|
||||||
|
# where you want to redirect traffic destined for
|
||||||
|
# particular set of hosts.
|
||||||
|
#
|
||||||
# Finally, if the list of addresses begins with "!" then
|
# Finally, if the list of addresses begins with "!" then
|
||||||
# the rule will be followed only if the original
|
# the rule will be followed only if the original
|
||||||
# destination address in the connection request does not
|
# destination address in the connection request does not
|
||||||
# match any of the addresses listed.
|
# match any of the addresses listed.
|
||||||
#
|
#
|
||||||
# The address may optionally be followed by
|
# The address (list) may optionally be followed by
|
||||||
# a colon (":") and a second IP address. This causes
|
# a colon (":") and a second IP address. This causes
|
||||||
# Shorewall to use the second IP address as the source
|
# Shorewall to use the second IP address as the source
|
||||||
# address in forwarded packets. See the Shorewall
|
# address in forwarded packets. See the Shorewall
|
||||||
|
|||||||
@ -756,7 +756,7 @@ case "$1" in
|
|||||||
|
|
||||||
echo " HITS PORT SERVICE(S)"
|
echo " HITS PORT SERVICE(S)"
|
||||||
echo " ---- ----- ----------"
|
echo " ---- ----- ----------"
|
||||||
grep '${LOGFORMAT}.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
|
grep "$LOGFORMAT.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
|
||||||
while read count port ; do
|
while read count port ; do
|
||||||
# List all services defined for the given port
|
# List all services defined for the given port
|
||||||
srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`
|
srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user