Finish ADMINISABSENTMINDED change

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-03-05 08:57:03 -08:00
parent caa72fb7d2
commit 8b4d8bfa16
3 changed files with 95 additions and 24 deletions


@ -679,7 +679,13 @@ sub process_stoppedrules() {
my $result;
if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
first_entry "$doing $fn...";
first_entry sub() {
progress_message2("$doing $fn...");
unless ( $config{ADMINISABSENTMINDED} ) {
warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
$config{ADMINISABSENTMINDED} = 'Yes';
}
};
while ( read_a_line( NORMAL_READ ) ) {
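Review bot: the warning text in this hunk names the wrong file. process_stoppedrules() reads the stoppedrules file, yet the message reads "Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes"; it should read "Entries in the stoppedrules file are processed as if ADMINISABSENTMINDED=Yes" so the administrator is pointed at the file that actually triggered the override. A short comment at `$config{ADMINISABSENTMINDED} = 'Yes';` would also help, stating that the override is deliberate and only happens once the file yields a first entry, since rewriting a configuration value from inside a file-reader callback is otherwise surprising to the next reader.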
@ -2512,9 +2518,9 @@ EOF
"restore_default_route $config{USE_DEFAULT_RT}"
);
my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for @chains;
if ( $config{ADMINISABSENTMINDED} ) {
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
}
if ( $family == F_IPV6 ) {
add_ijump $input, j => 'ACCEPT', s => IPv6_LINKLOCAL;
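Review bot: this hunk changes behaviour for ADMINISABSENTMINDED=No in a way the commit message does not mention. The removed lines emitted an ESTABLISHED,RELATED ACCEPT in INPUT, OUTPUT and FORWARD when the option was off; the new `if ( $config{ADMINISABSENTMINDED} )` block emits the rule in INPUT and FORWARD only when the option is on, and nothing at all otherwise. That agrees with the documented "only traffic to/from those addresses listed in routestopped" wording, but it tightens the stopped state for existing No-configurations and deserves a release-note line. The new block also relies on process_stoppedrules() having already forced the option to 'Yes' when a stoppedrules file is in use; that ordering is not visible in this diff and should be confirmed, otherwise a stoppedrules user with ADMINISABSENTMINDED=No would lose existing connections on stop despite the manpage promising they continue to work.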


@ -281,15 +281,48 @@
<listitem>
<para>The value of this variable affects Shorewall's stopped state.
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
listed in <ulink
The behavior differs depending on whether <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes,
in addition to traffic to/from addresses in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5),
connections that were active when Shorewall stopped continue to work
and all new connections from the firewall system itself are allowed.
If this variable is not set or is given the empty value then
or <ulink
url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
is used:</para>
<variablelist>
<varlistentry>
<term>routestopped</term>
<listitem>
<para>When ADMINISABSENTMINDED=No, only traffic to/from those
addresses listed in <filename>routestopped</filename> is
accepted when Shorewall is stopped. When
ADMINISABSENTMINDED=Yes, in addition to traffic to/from
addresses in <filename>routestopped</filename>, connections
that were active when Shorewall stopped continue to work and
all new connections from the firewall system itself are
allowed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>stoppedrules</term>
<listitem>
<para>If ADMINISABSENTMINDED=No, a warning message is issued
and the setting is ignored.</para>
<para>In addition to connections matching entries in
<filename>stoppedrules</filename>, existing connections
continue to work and all new connections from the firewall
system itself are allowed. To sever all existing connections
when the firewall is stopped, install the conntrack utility
and place the command <command>conntrack -F</command> in the
stopped user exit
(<filename>/etc/shorewall/stopped</filename>).</para>
</listitem>
</varlistentry>
</variablelist>
<para> If this variable is not set or is given the empty value then
ADMINISABSENTMINDED=No is assumed.</para>
</listitem>
</varlistentry>
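Review bot: in the new stoppedrules entry, "a warning message is issued and the setting is ignored" is ambiguous: it reads as if ADMINISABSENTMINDED is disregarded entirely, whereas the compiler change in this commit treats it as Yes. Suggest "If ADMINISABSENTMINDED=No, a warning message is issued and the setting is treated as if it were Yes." The following paragraph could then open with "Existing connections continue to work ..." to make it clear that this is the consequence of that override. Minor: the closing `<para> If this variable` in this hunk carries a stray leading space inside the element that the IPv6 version of the same paragraph does not have.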


@ -216,18 +216,50 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>The value of this variable affects Shorewall6's stopped state.
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
listed in <ulink
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
is accepted when Shorewall6 is stopped. When
ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in
<ulink
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5),
connections that were active when Shorewall6 stopped continue to
work and all new connections from the firewall system itself are
allowed. If this variable is not set or is given the empty value
then ADMINISABSENTMINDED=No is assumed.</para>
<para>The value of this variable affects Shorewall's stopped state.
The behavior differs depending on whether <ulink
url="shorewall-routestopped.html">shorewall6-routestopped</ulink>(5)
or <ulink
url="shorewall-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
is used:</para>
<variablelist>
<varlistentry>
<term>routestopped</term>
<listitem>
<para>When ADMINISABSENTMINDED=No, only traffic to/from those
addresses listed in <filename>routestopped</filename> is
accepted when Shorewall is stopped. When
ADMINISABSENTMINDED=Yes, in addition to traffic to/from
addresses in <filename>routestopped</filename>, connections
that were active when Shorewall stopped continue to work and
all new connections from the firewall system itself are
allowed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>stoppedrules</term>
<listitem>
<para>If ADMINISABSENTMINDED=No, a warning message is issued
and the setting is ignored.</para>
<para>In addition to connections matching entries in
<filename>stoppedrules</filename>, existing connections
continue to work and all new connections from the firewall
system itself are allowed. To sever all existing connections
when the firewall is stopped, install the conntrack utility
and place the command <command>conntrack -F</command> in the
stopped user exit
(<filename>/etc/shorewall6/stopped</filename>).</para>
</listitem>
</varlistentry>
</variablelist>
<para>If this variable is not set or is given the empty value then
ADMINISABSENTMINDED=No is assumed.</para>
</listitem>
</varlistentry>
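Review bot: this hunk was copied from the IPv4 manpage and the product name was not adjusted. The added paragraph reads "affects Shorewall's stopped state", and the routestopped entry says "when Shorewall is stopped" and "when Shorewall stopped", where the removed text said Shorewall6 throughout. The two ulink elements also point at shorewall-routestopped.html and shorewall-stoppedrules.html while their link text says shorewall6-routestopped and shorewall6-stoppedrules; the removed lines used shorewall6-routestopped.html, so the url attributes should be the shorewall6- pages (assuming a shorewall6-stoppedrules page exists alongside the IPv4 one, which this diff does not show). The same ambiguity as in the IPv4 text applies here: "the setting is ignored" should say the setting is treated as Yes.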