Incomplete implementation of MACLIST_TABLE
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2815 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
1f23f6a9a4
commit
a510a70124
@ -2754,6 +2754,34 @@ setup_mac_lists() {
|
||||
local hosts
|
||||
local ipsec
|
||||
local policy=
|
||||
|
||||
create_mac_chain()
|
||||
{
|
||||
case $MACLIST_TABLE in
|
||||
filter)
|
||||
createchain $1 no
|
||||
;;
|
||||
*)
|
||||
run_iptables -t mangle -N $1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
have_mac_chain()
|
||||
{
|
||||
local result
|
||||
|
||||
case $MACLIST_TABLE in
|
||||
filter)
|
||||
havechain $1 && result=0 || result=1
|
||||
;;
|
||||
*)
|
||||
mangle_chain_exists $1 && result=0 || result=1
|
||||
;;
|
||||
esac
|
||||
|
||||
return $result
|
||||
}
|
||||
#
|
||||
# Generate the list of interfaces having MAC verification
|
||||
#
|
||||
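Review bot: The `*)` arm of create_mac_chain hard-codes `run_iptables -t mangle -N $1` while every other new rule in this commit is parameterised on the table, e.g. `run_iptables -t $MACLIST_TABLE -A $chain ...` in the later hunks of setup_mac_lists; writing it as `run_iptables -t $MACLIST_TABLE -N $1` keeps the helper in step with do_initialize, which is the only place that decides which table names are accepted. The `$1` expansions in both create_mac_chain and have_mac_chain are unquoted, matching the file's existing style, so chain names are assumed to contain no whitespace. Both helpers are declared inside setup_mac_lists, whose body continues outside the hunk; in sh a function defined inside another function still lands in the global namespace once the outer function has run.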
@ -2777,15 +2805,15 @@ setup_mac_lists() {
|
||||
#
|
||||
for interface in $maclist_interfaces; do
|
||||
chain=$(mac_chain $interface)
|
||||
createchain $chain no
|
||||
create_mac_chain $chain
|
||||
|
||||
if [ -n "$MACLIST_TTL" ]; then
|
||||
chain1=$(macrecent_target $interface)
|
||||
createchain $chain1 no
|
||||
run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
|
||||
run_iptables -A $chain -j $chain1
|
||||
run_iptables -A $chain -m recent --update --name $chain -j RETURN
|
||||
run_iptables -A $chain -m recent --set --name $chain
|
||||
create_mac_chain $chain1
|
||||
run_iptables -t $MACLIST_TABLE -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
|
||||
run_iptables -t $MACLIST_TABLE -A $chain -j $chain1
|
||||
run_iptables -t $MACLIST_TABLE -A $chain -m recent --update --name $chain -j RETURN
|
||||
run_iptables -t $MACLIST_TABLE -A $chain -m recent --set --name $chain
|
||||
fi
|
||||
done
|
||||
#
|
||||
@ -2807,17 +2835,17 @@ setup_mac_lists() {
|
||||
|
||||
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
|
||||
|
||||
if ! havechain $chain ; then
|
||||
if ! have_mac_chain $chain ; then
|
||||
fatal_error "No hosts on $interface have the maclist option specified"
|
||||
fi
|
||||
|
||||
macpart=$(mac_match $mac)
|
||||
|
||||
if [ -z "$addresses" ]; then
|
||||
run_iptables -A $chain $macpart $physdev_part -j RETURN
|
||||
run_iptables -t $MACLIST_TABLE -A $chain $macpart $physdev_part -j RETURN
|
||||
else
|
||||
for address in $(separate_list $addresses) ; do
|
||||
run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
|
||||
run_iptables2 -t $MACLIST_TABLE -A $chain $macpart -s $address $physdev_part -j RETURN
|
||||
done
|
||||
fi
|
||||
done < $TMP_DIR/maclist
|
||||
@ -2836,18 +2864,18 @@ setup_mac_lists() {
|
||||
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
|
||||
address=${address%/*}
|
||||
if [ -n "$broadcast" ]; then
|
||||
run_iptables -A $chain -s $address -d $broadcast -j RETURN
|
||||
run_iptables -t $MACLIST_TABLE -A $chain -s $address -d $broadcast -j RETURN
|
||||
fi
|
||||
|
||||
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
|
||||
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
|
||||
run_iptables -t $MACLIST_TABLE -A $chain -s $address -d 255.255.255.255 -j RETURN
|
||||
run_iptables -t $MACLIST_TABLE -A $chain -s $address -d 224.0.0.0/4 -j RETURN
|
||||
done
|
||||
|
||||
if [ -n "$MACLIST_LOG_LEVEL" ]; then
|
||||
log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A
|
||||
log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
|
||||
fi
|
||||
|
||||
run_iptables -A $chain -j $maclist_target
|
||||
run_iptables -t $MACLIST_TABLE -A $chain -j $maclist_target
|
||||
done
|
||||
#
|
||||
# Generate jumps from the input and forward chains
|
||||
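Review bot: The new `log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE` call appends `-t $MACLIST_TABLE` after the `-A` argument, and whether log_rule_limit passes trailing words through to iptables unchanged is not visible in this hunk; the mangle case should be verified by checking that the LOG rule actually ends up in the mangle table rather than in filter. The `ip ... | while read address broadcast` loop above it runs in a subshell, as it did before the change, so the `-t $MACLIST_TABLE` rules inside it are unaffected by that. The enclosing for loop begins outside the hunk.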
@ -2858,10 +2886,18 @@ setup_mac_lists() {
|
||||
[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
|
||||
interface=${hosts%%:*}
|
||||
hosts=${hosts#*:}
|
||||
for chain in $(first_chains $interface) ; do
|
||||
run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
|
||||
$policy -j $(mac_chain $interface)
|
||||
done
|
||||
case $MACLIST_TABLE in
|
||||
filter)
|
||||
for chain in $(first_chains $interface) ; do
|
||||
run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
|
||||
$policy -j $(mac_chain $interface)
|
||||
done
|
||||
;;
|
||||
*)
|
||||
run_itables -t mangle -A PREROUTING $(match_source_hosts $hosts) -m state --state NEW \
|
||||
$policy -j $(mac_chain $interface)
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
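Review bot: `run_itables` in the `*)` arm is a typo for `run_iptables`, so with MACLIST_TABLE=mangle the PREROUTING jump is never installed and the shell reports an unknown command instead; the line should read `run_iptables -t mangle -A PREROUTING $(match_source_hosts $hosts) -m state --state NEW \`. That arm also hard-codes `-t mangle` where the other hunks of setup_mac_lists use `-t $MACLIST_TABLE`, so the two should agree. The `filter)` arm keeps the previous per-chain loop unchanged; the surrounding while loop over hosts starts outside the hunk.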
@ -9367,6 +9403,16 @@ do_initialize() {
|
||||
;;
|
||||
esac
|
||||
|
||||
case ${MACLIST_TABLE:=filter} in
|
||||
filter)
|
||||
;;
|
||||
mangle)
|
||||
[ $MACLIST_DISPOSITION = reject ] && startup_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
|
||||
;; *)
|
||||
startup_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
|
||||
;;
|
||||
esac
|
||||
|
||||
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
|
||||
|
||||
#
|
||||
|
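Review bot: The `mangle)` arm tests `[ $MACLIST_DISPOSITION = reject ]` with an unquoted expansion, which becomes a malformed test expression when the variable is empty; quote it, `[ "$MACLIST_DISPOSITION" = reject ]`. The comparison uses lowercase `reject` while the message names `REJECT`, so it relies on the disposition having been lower-cased earlier in do_initialize, which is outside the hunk and worth confirming. `;; *)` on one line is legal but reads as a single arm; putting `*)` on its own line matches the other case statements in the hunk.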
@ -782,6 +782,20 @@ FASTACCEPT=No
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
#
|
||||
# MAC List Table
|
||||
#
|
||||
# Normally, MAC verification occurs in the filter table (INPUT and FORWARD)
|
||||
# chains. In some configurations, users have reported problems with MAC
|
||||
# verification of forwarded packets.
|
||||
#
|
||||
# These problems can be worked around by setting MAC_TABLE=mangle which
|
||||
# will cause Mac verification to occur out of the PREROUTING chain. Because
|
||||
# REJECT isn't available in that environment, you may not specify
|
||||
# MACLIST_DISPOSITION=REJECT with MAC_TABLE=mangle.
|
||||
|
||||
MAC_TABLE=filter
|
||||
|
||||
#
|
||||
# MAC List Disposition
|
||||
#
|
||||
|
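Review bot: The new setting is spelled `MAC_TABLE=filter` and the commentary refers to `MAC_TABLE=mangle`, but the code added in do_initialize reads `case ${MACLIST_TABLE:=filter} in` and setup_mac_lists uses `-t $MACLIST_TABLE`, so a user who sets MAC_TABLE=mangle in shorewall.conf silently keeps the filter-table behaviour; rename the setting and both mentions in the comment to `MACLIST_TABLE`. The sentence about REJECT should also match the check in do_initialize, which refuses the combination only when the disposition is reject with the mangle table. `Mac verification` in the comment should read `MAC verification` as in the line above it.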
@ -161,6 +161,8 @@
|
||||
# tested.
|
||||
#
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
# For usage in selecting among multiple ISPs, see
|
||||
# http://shorewall.net/Shorewall_and_Routing.html
|
||||
###############################################################################
|
||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||
# PORT(S)
|
||||
|