From b0030d80d92e5c7f0aa172fcafad854a13fb004b Mon Sep 17 00:00:00 2001
From: teastep
Date: Thu, 22 Mar 2007 17:27:02 +0000
Subject: [PATCH] Commit fix to built-in actions wrt 'none'

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5626 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 +
 Shorewall/compiler | 108 +++++++++++++------------------------
 Shorewall/releasenotes.txt | 6 +++
 3 files changed, 46 insertions(+), 70 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 31a312de5..011001c7f 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -5,6 +5,8 @@ Changes in 3.4.2
 2) Update /sbin/shorewall[-lite] to account for mindless renaming of
 /proc/net/ip_conntrack to /proc/net/nf_conntrack.
 
+3) Fix 'none[!]' and built-in actions.
+
 Changes in 3.4.1
 
 1) Add rest of proxy arp fix.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 56220abaa..3b404c143 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -1453,6 +1453,15 @@ process_actions3()
 xlevel=$2
 xtag=$3
 
+ case $xlevel in
+ none|none'!')
+ ylevel=
+ ;;
+ *)
+ ylevel=$xlevel;
+ ;;
+ esac
+
 save_progress_message "Creating action chain $xaction1"
 
 #
@@ -1461,16 +1470,10 @@ process_actions3()
 case $xaction1 in
 dropBcast)
 if [ -n "$USEPKTTYPE" ]; then
- case $xlevel in
- none'!')
- ;;
- *)
- if [ -n "$xlevel" ]; then
- log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
- log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
- fi
- ;;
- esac
+ if [ -n "$ylevel" ]; then
+ log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
+ log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
+ fi
 run_iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
 run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP
 
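Review bot: `ylevel=$xlevel;` in the `*)` arm carries a stray trailing semicolon that the `ylevel=` arm does not; drop it so both arms read alike, `ylevel=$xlevel`. A one-line comment above the `case` would also help, because the split between `xlevel` (as given by the caller) and `ylevel` (the effective level, empty for 'none' and 'none!') is what every built-in action below now depends on: `# ylevel is the effective log level: empty when the caller gave 'none' or 'none!'`. The opening of process_actions3, and any declarations it makes for xlevel/xtag, lie outside the hunk, so whether ylevel should be declared alongside them cannot be judged from here.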
@@ -1480,17 +1483,9 @@ process_actions3()
 
 ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
 __EOF__
- case $xlevel in
- none*)
- ;;
- *)
- [ -n "$xlevel" ] && \
- indent >&3 << __EOF__
- log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d \$address
+ [ -n "$ylevel" ] && indent >&3 << __EOF__
+ log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d \$address
 __EOF__
- ;;
- esac
-
 indent >&3 << __EOF__
 run_iptables -A $xchain -d \$address -j DROP
 done
@@ -1499,14 +1494,7 @@ __EOF__
 done
 
 for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
- case $xlevel in
- none*)
- ;;
- *)
- [ -n "$xlevel" ] && \
- log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
- ;;
- esac
+ [ -n "$ylevel" ] && log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
 run_iptables -A $xchain -d $address -j DROP
 done
 
@@ -1514,16 +1502,10 @@ __EOF__
 ;;
 allowBcast)
 if [ -n "$USEPKTTYPE" ]; then
- case $xlevel in
- none'!')
- ;;
- *)
- if [ -n "$xlevel" ]; then
- log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
- log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
- fi
- ;;
- esac
+ if [ -n "$ylevel" ]; then
+ log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
+ log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
+ fi
 run_iptables -A allowBcast -m pkttype --pkt-type broadcast -j ACCEPT
 run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT
 
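Review bot: `[ -n "$ylevel" ] && indent >&3 << __EOF__` leaves the statement's exit status at 1 whenever logging is off, because the test fails and `&&` short-circuits; the same one-liner shape is used for the address loop in the next hunk and in the allowBcast and dropNotSyn/rejNotSyn/dropInvalid/allowInvalid/allowoutUPnP arms later in this file. Today that status is discarded by the command that follows, but it turns the routine "no log level" case into a failing command should this code ever run under `set -e` or end up as the last statement of a function. The `if [ -n "$ylevel" ]; then … fi` form already used for the USEPKTTYPE branches avoids that and is no longer, e.g. `if [ -n "$ylevel" ]; then indent >&3 << __EOF__`. The generated `while read address` loop and the compile-time loop around it begin before this hunk.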
@@ -1533,16 +1515,9 @@ __EOF__
 
 ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
 __EOF__
- case $xlevel in
- none*)
- ;;
- *)
- [ -n "$xlevel" ] && \
- indent >&3 << __EOF__
- log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d \$address
+ [ -n "$ylevel" ] && indent >&3 << __EOF__
+ log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d \$address
 __EOF__
- ;;
- esac
 indent >&3 << __EOF__
 run_iptables -A $xchain -d \$address -j ACCEPT
 
@@ -1552,53 +1527,46 @@ __EOF__ done for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do - case $xlevel in - none*) - ;; - *) - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address - ;; - esac + [ -n "$ylevel" ] && log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address run_iptables -A $xchain -d $address -j ACCEPT done fi ;; dropNotSyn) - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn + [ -n "$ylevel" ] && \ + log_rule_limit ${ylevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn run_iptables -A $xchain -p tcp ! --syn -j DROP ;; rejNotSyn) - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn + [ -n "$ylevel" ] && \ + log_rule_limit ${ylevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset ;; dropInvalid) - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID + [ -n "$ylevel" ] && \ + log_rule_limit ${ylevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID run_iptables -A $xchain -m state --state INVALID -j DROP ;; allowInvalid) - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID + [ -n "$ylevel" ] && \ + log_rule_limit ${ylevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID run_iptables -A $xchain -m state --state INVALID -j ACCEPT ;; forwardUPnP) ;; allowinUPnP) - if [ -n "$xlevel" ]; then - log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900 - log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152 + if [ -n "$ylevel" ]; then + log_rule_limit ${ylevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900 + log_rule_limit 
${ylevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152 fi run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT ;; allowoutUPnP) - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd + [ -n "$ylevel" ] && \ + log_rule_limit ${ylevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT ;; Limit) @@ -1608,9 +1576,9 @@ __EOF__ run_iptables -A $xchain -m recent --name $1 --set - if [ -n "$xlevel" ]; then + if [ -n "$ylevel" ]; then run_iptables -N $xchain% - log_rule_limit $xlevel $xchain% $1 DROP "" "" -A + log_rule_limit $ylevel $xchain% $1 DROP "" "" -A run_iptables -A $xchain% -j DROP run_iptables -A $xchain -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $xchain% else diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 82692e6a6..fe48e1973 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -37,6 +37,12 @@ Problems corrected in Shorewall 3.4.2 renamed /proc/net/nf_conntrack in kernel 2.6.20. The lib.cli library has been updated to look for both files. +3) Shoreall 3.4 was not consistent with respect to its treatment of + log level 'none' and 'none!' and built-in actions. In particular, + specifying 'none' with the Limit action produced a run-time error. + Shorewall now correctly suppresses generation of log messages when + a log level of 'none' or 'none!' is given to a built-in action. + Migration Considerations: If you are migrating from a Shorewall version earlier than 3.2.0 then
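Review bot: In the `allowoutUPnP` arm the rewritten log line passes `-m owner --owner-cmd upnpd` to log_rule_limit while the accept rule two lines below uses `-m owner --cmd-owner upnpd`; the iptables owner match spells the option `--cmd-owner`, so the log rule is rejected at run time whenever a log level is set for this action, and the commit only renamed the variable on that line without correcting it. Suggest `log_rule_limit ${ylevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --cmd-owner upnpd`. The `case $xaction1` this hunk belongs to continues past `Limit)`, outside the hunk.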
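Review bot: `log_rule_limit $ylevel $xchain% $1 DROP "" "" -A` in the `Limit` arm is the only built-in action that hands the level to log_rule_limit without stripping a trailing `!` (every other arm in this file uses `${ylevel%\!}`), so a level such as `info!` is passed verbatim here and stripped elsewhere. The commit removes the 'none' run-time error for Limit, as the release notes describe, but leaves this inconsistency in place; unless the `!` suffix is meaningful to log_rule_limit on this one path, `log_rule_limit ${ylevel%\!} $xchain% $1 DROP "" "" -A` would make the arms agree. The `Limit` arm's argument handling before `--set` and its `else` branch lie outside the hunk.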