Commit fix to built-in actions wrt 'none'

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5626 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-03-22 17:27:02 +00:00
parent 07d5629355
commit b0030d80d9
3 changed files with 46 additions and 70 deletions


@ -5,6 +5,8 @@ Changes in 3.4.2
2) Update /sbin/shorewall[-lite] to account for mindless renaming of 2) Update /sbin/shorewall[-lite] to account for mindless renaming of
/proc/net/ip_conntrack to /proc/net/nf_conntrack. /proc/net/ip_conntrack to /proc/net/nf_conntrack.
3) Fix 'none[!]' and built-in actions.
Changes in 3.4.1 Changes in 3.4.1
1) Add rest of proxy arp fix. 1) Add rest of proxy arp fix.


@ -1453,6 +1453,15 @@ process_actions3()
xlevel=$2 xlevel=$2
xtag=$3 xtag=$3
case $xlevel in
none|none'!')
ylevel=
;;
*)
ylevel=$xlevel;
;;
esac
save_progress_message "Creating action chain $xaction1" save_progress_message "Creating action chain $xaction1"
# #
@ -1461,16 +1470,10 @@ process_actions3()
case $xaction1 in case $xaction1 in
dropBcast) dropBcast)
if [ -n "$USEPKTTYPE" ]; then if [ -n "$USEPKTTYPE" ]; then
case $xlevel in if [ -n "$ylevel" ]; then
none'!') log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
;; log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
*) fi
if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
fi
;;
esac
run_iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP run_iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP
@ -1480,17 +1483,9 @@ process_actions3()
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
__EOF__ __EOF__
case $xlevel in [ -n "$ylevel" ] && indent >&3 << __EOF__
none*) log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d \$address
;;
*)
[ -n "$xlevel" ] && \
indent >&3 << __EOF__
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d \$address
__EOF__ __EOF__
;;
esac
indent >&3 << __EOF__ indent >&3 << __EOF__
run_iptables -A $xchain -d \$address -j DROP run_iptables -A $xchain -d \$address -j DROP
done done
@ -1499,14 +1494,7 @@ __EOF__
done done
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
case $xlevel in [ -n "$ylevel" ] && log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
none*)
;;
*)
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
;;
esac
run_iptables -A $xchain -d $address -j DROP run_iptables -A $xchain -d $address -j DROP
done done
@ -1514,16 +1502,10 @@ __EOF__
;; ;;
allowBcast) allowBcast)
if [ -n "$USEPKTTYPE" ]; then if [ -n "$USEPKTTYPE" ]; then
case $xlevel in if [ -n "$ylevel" ]; then
none'!') log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
;; log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
*) fi
if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
fi
;;
esac
run_iptables -A allowBcast -m pkttype --pkt-type broadcast -j ACCEPT run_iptables -A allowBcast -m pkttype --pkt-type broadcast -j ACCEPT
run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT
@ -1533,16 +1515,9 @@ __EOF__
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
__EOF__ __EOF__
case $xlevel in [ -n "$ylevel" ] && indent >&3 << __EOF__
none*) log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d \$address
;;
*)
[ -n "$xlevel" ] && \
indent >&3 << __EOF__
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d \$address
__EOF__ __EOF__
;;
esac
indent >&3 << __EOF__ indent >&3 << __EOF__
run_iptables -A $xchain -d \$address -j ACCEPT run_iptables -A $xchain -d \$address -j ACCEPT
@ -1552,53 +1527,46 @@ __EOF__
done done
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
case $xlevel in [ -n "$ylevel" ] && log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
none*)
;;
*)
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
;;
esac
run_iptables -A $xchain -d $address -j ACCEPT run_iptables -A $xchain -d $address -j ACCEPT
done done
fi fi
;; ;;
dropNotSyn) dropNotSyn)
[ -n "$xlevel" ] && \ [ -n "$ylevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn log_rule_limit ${ylevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP run_iptables -A $xchain -p tcp ! --syn -j DROP
;; ;;
rejNotSyn) rejNotSyn)
[ -n "$xlevel" ] && \ [ -n "$ylevel" ] && \
log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn log_rule_limit ${ylevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
;; ;;
dropInvalid) dropInvalid)
[ -n "$xlevel" ] && \ [ -n "$ylevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID log_rule_limit ${ylevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j DROP run_iptables -A $xchain -m state --state INVALID -j DROP
;; ;;
allowInvalid) allowInvalid)
[ -n "$xlevel" ] && \ [ -n "$ylevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID log_rule_limit ${ylevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j ACCEPT run_iptables -A $xchain -m state --state INVALID -j ACCEPT
;; ;;
forwardUPnP) forwardUPnP)
;; ;;
allowinUPnP) allowinUPnP)
if [ -n "$xlevel" ]; then if [ -n "$ylevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900 log_rule_limit ${ylevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152 log_rule_limit ${ylevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
fi fi
run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT
run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
;; ;;
allowoutUPnP) allowoutUPnP)
[ -n "$xlevel" ] && \ [ -n "$ylevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd log_rule_limit ${ylevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
;; ;;
Limit) Limit)
@ -1608,9 +1576,9 @@ __EOF__
run_iptables -A $xchain -m recent --name $1 --set run_iptables -A $xchain -m recent --name $1 --set
if [ -n "$xlevel" ]; then if [ -n "$ylevel" ]; then
run_iptables -N $xchain% run_iptables -N $xchain%
log_rule_limit $xlevel $xchain% $1 DROP "" "" -A log_rule_limit $ylevel $xchain% $1 DROP "" "" -A
run_iptables -A $xchain% -j DROP run_iptables -A $xchain% -j DROP
run_iptables -A $xchain -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $xchain% run_iptables -A $xchain -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $xchain%
else else
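Review bot: The Limit arm's `log_rule_limit $ylevel $xchain% $1 DROP "" "" -A` passes the level unstripped, while every other arm touched by this commit (dropBcast, allowBcast, dropNotSyn, rejNotSyn, dropInvalid, allowInvalid, allowinUPnP, allowoutUPnP) passes `${ylevel%\!}`, so a level written as `info!` reaches log_rule_limit with the `!` intact only for Limit. Whether log_rule_limit strips the suffix itself is not visible in this hunk; if it does not, the line should become `log_rule_limit ${ylevel%\!} $xchain% $1 DROP "" "" -A` so the '!' form behaves the same for all built-in actions. In the new case block at the top of the function, `ylevel=$xlevel;` carries a stray trailing `;`, and since `ylevel` is a new name alongside `xlevel` a one-line comment such as `# ylevel: xlevel with 'none'/'none!' mapped to empty so no log rule is emitted` would make the two-variable split self-explanatory; whether `xlevel` is declared local, and therefore whether `ylevel` should be, is decided above the hunk. process_actions3 starts before the first hunk and continues past the last one.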


@ -37,6 +37,12 @@ Problems corrected in Shorewall 3.4.2
renamed /proc/net/nf_conntrack in kernel 2.6.20. The lib.cli renamed /proc/net/nf_conntrack in kernel 2.6.20. The lib.cli
library has been updated to look for both files. library has been updated to look for both files.
3) Shoreall 3.4 was not consistent with respect to its treatment of
log level 'none' and 'none!' and built-in actions. In particular,
specifying 'none' with the Limit action produced a run-time error.
Shorewall now correctly suppresses generation of log messages when
a log level of 'none' or 'none!' is given to a built-in action.
Migration Considerations: Migration Considerations:
If you are migrating from a Shorewall version earlier than 3.2.0 then If you are migrating from a Shorewall version earlier than 3.2.0 then