forked from extern/shorewall_code
Merge branch '4.6.3'
Conflicts: Shorewall/Perl/Shorewall/Misc.pm
This commit is contained in:
Tom Eastep
commit
976a1f3deb
@ -1661,6 +1661,10 @@ sub insert_rule($$$) {
|
||||
sub insert_irule( $$$$;@ ) {
|
||||
my ( $chainref, $jump, $target, $number, @matches ) = @_;
|
||||
|
||||
my $rulesref = $chainref->{rules};
|
||||
|
||||
return add_irule( $chainref, $jump, $target, @matches ) if $number >= @$rulesref;
|
||||
|
||||
my $ruleref = {};
|
||||
|
||||
$ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
|
||||
@ -1680,7 +1684,7 @@ sub insert_irule( $$$$;@ ) {
|
||||
|
||||
$ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
|
||||
|
||||
splice( @{$chainref->{rules}}, $number, 0, $ruleref );
|
||||
splice( @$rulesref, $number, 0, $ruleref );
|
||||
|
||||
trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
|
||||
|
||||
|
||||
@ -977,8 +977,7 @@ sub compiler {
|
||||
# compile_stop_firewall() also validates the routestopped file. Since we don't
|
||||
# call that function during normal 'check', we must validate routestopped here.
|
||||
#
|
||||
process_routestopped;
|
||||
process_stoppedrules;
|
||||
process_routestopped unless process_stoppedrules;
|
||||
}
|
||||
#
|
||||
# Report used/required capabilities
|
||||
|
||||
@ -690,11 +690,10 @@ sub process_stoppedrules() {
|
||||
my $result;
|
||||
|
||||
if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
|
||||
first_entry sub() {
|
||||
progress_message2("$doing $fn...");
|
||||
first_entry sub () {
|
||||
progress_message2( "$doing $fn..." );
|
||||
unless ( $config{ADMINISABSENTMINDED} ) {
|
||||
warning_message("Entries in the stoppedrules file are processed as if ADMINISABSENTMINDED=Yes");
|
||||
$config{ADMINISABSENTMINDED} = 'Yes';
|
||||
insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
@ -309,17 +309,22 @@
|
||||
<term>stoppedrules</term>
|
||||
|
||||
<listitem>
|
||||
<para>If ADMINISABSENTMINDED=No, a warning message is issued
|
||||
and the setting is ignored.</para>
|
||||
|
||||
<para>In addition to connections matching entries in
|
||||
<filename>stoppedrules</filename>, existing connections
|
||||
continue to work and all new connections from the firewall
|
||||
system itself are allowed. To sever all existing connections
|
||||
when the firewall is stopped, install the conntrack utility
|
||||
and place the command <command>conntrack -F</command> in the
|
||||
stopped user exit
|
||||
<para>All existing connections continue to work. To sever all
|
||||
existing connections when the firewall is stopped, install the
|
||||
conntrack utility and place the command <command>conntrack
|
||||
-F</command> in the stopped user exit
|
||||
(<filename>/etc/shorewall/stopped</filename>).</para>
|
||||
|
||||
<para>If ADMINISABSENTMINDED=No, only new connections matching
|
||||
entries in <filename>stoppedrules</filename> are accepted when
|
||||
Shorewall is stopped. Response packets and related connections
|
||||
are automatically accepted.</para>
|
||||
|
||||
<para>If ADMINISABSENTMINDED=Yes, in addition to connections
|
||||
matching entries in <filename>stoppedrules</filename>, all new
|
||||
connections from the firewall system itself are allowed when
|
||||
the firewall is stopped. Response packets and related
|
||||
connections are automatically accepted.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@ -220,9 +220,9 @@
|
||||
<listitem>
|
||||
<para>The value of this variable affects Shorewall's stopped state.
|
||||
The behavior differs depending on whether <ulink
|
||||
url="shorewall-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||
or <ulink
|
||||
url="shorewall-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
|
||||
url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
|
||||
is used:</para>
|
||||
|
||||
<variablelist>
|
||||
@ -245,17 +245,22 @@
|
||||
<term>stoppedrules</term>
|
||||
|
||||
<listitem>
|
||||
<para>If ADMINISABSENTMINDED=No, a warning message is issued
|
||||
and the setting is ignored.</para>
|
||||
|
||||
<para>In addition to connections matching entries in
|
||||
<filename>stoppedrules</filename>, existing connections
|
||||
continue to work and all new connections from the firewall
|
||||
system itself are allowed. To sever all existing connections
|
||||
when the firewall is stopped, install the conntrack utility
|
||||
and place the command <command>conntrack -F</command> in the
|
||||
stopped user exit
|
||||
<para>All existing connections continue to work. To sever all
|
||||
existing connections when the firewall is stopped, install the
|
||||
conntrack utility and place the command <command>conntrack
|
||||
-F</command> in the stopped user exit
|
||||
(<filename>/etc/shorewall6/stopped</filename>).</para>
|
||||
|
||||
<para>If ADMINISABSENTMINDED=No, only new connections matching
|
||||
entries in <filename>stoppedrules</filename> are accepted when
|
||||
Shorewall is stopped. Response packets and related connections
|
||||
are automatically accepted.</para>
|
||||
|
||||
<para>If ADMINISABSENTMINDED=Yes, in addition to connections
|
||||
matching entries in <filename>stoppedrules</filename>, all new
|
||||
connections from the firewall system itself are allowed when
|
||||
the firewall is stopped. Response packets and related
|
||||
connections are automatically accepted.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user