forked from extern/shorewall_code
Allow list in the SUBNET column of the rfc1918 file
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1728 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
dce7281692
commit
b551db1f5e
@ -121,3 +121,4 @@ Changes since 2.0.3
|
||||
|
||||
58) Clarification of the 'ipsec' hosts file option.
|
||||
|
||||
59) Allow list in the SUBNET column of the rfc1918 file.
|
||||
|
@ -1986,7 +1986,6 @@ setup_mac_lists() {
|
||||
#
|
||||
# Process the maclist file producing the verification rules
|
||||
#
|
||||
|
||||
while read interface mac addresses; do
|
||||
expandv interface mac addresses
|
||||
|
||||
@ -5834,20 +5833,22 @@ add_common_rules() {
|
||||
;;
|
||||
esac
|
||||
|
||||
run_iptables2 -A norfc1918 $(source_ip_range $networks) -j $target
|
||||
|
||||
if [ -n "$CONNTRACK_MATCH" ]; then
|
||||
#
|
||||
# We have connection tracking match -- match on the original destination
|
||||
#
|
||||
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $networks -j $target
|
||||
elif [ -n "$MANGLE_ENABLED" ]; then
|
||||
#
|
||||
# No connection tracking match but we have mangling -- add a rule to
|
||||
# the mangle table
|
||||
#
|
||||
run_iptables2 -t mangle -A man1918 $(dest_ip_range $networks) -j $target
|
||||
fi
|
||||
for network in $(separate_list $networks); do
|
||||
run_iptables2 -A norfc1918 $(source_ip_range $network) -j $target
|
||||
|
||||
if [ -n "$CONNTRACK_MATCH" ]; then
|
||||
#
|
||||
# We have connection tracking match -- match on the original destination
|
||||
#
|
||||
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $network -j $target
|
||||
elif [ -n "$MANGLE_ENABLED" ]; then
|
||||
#
|
||||
# No connection tracking match but we have mangling -- add a rule to
|
||||
# the mangle table
|
||||
#
|
||||
run_iptables2 -t mangle -A man1918 $(dest_ip_range $network) -j $target
|
||||
fi
|
||||
done
|
||||
done < $TMP_DIR/rfc1918
|
||||
|
||||
for host in $hosts; do
|
||||
|
@ -640,3 +640,7 @@ New Features:
|
||||
|
||||
DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL
|
||||
BE SENT TO ANOTHER SYSTEM.
|
||||
|
||||
26) The SUBNET column in /etc/shorewall/rfc1918 has been renamed
|
||||
SUBNETS and it is now possible to specify a list of addresses in
|
||||
that column.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 -- RFC1918 File
|
||||
# Shorewall 2.2 -- RFC1918 File
|
||||
#
|
||||
# /etc/shorewall/rfc1918
|
||||
#
|
||||
@ -12,16 +12,17 @@
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# SUBNET The subnet (host addresses also allowed as are IP
|
||||
# SUBNETS A comma-separated list of subnet addresses
|
||||
(host addresses also allowed as are IP
|
||||
# address ranges provided that your kernel and iptables
|
||||
# have iprange match support).
|
||||
# have iprange match support).
|
||||
# TARGET Where to send packets to/from this subnet
|
||||
# RETURN - let the packet be processed normally
|
||||
# DROP - silently drop the packet
|
||||
# logdrop - log then drop
|
||||
#
|
||||
###############################################################################
|
||||
#SUBNET TARGET
|
||||
#SUBNETS TARGET
|
||||
172.16.0.0/12 logdrop # RFC 1918
|
||||
192.168.0.0/16 logdrop # RFC 1918
|
||||
10.0.0.0/8 logdrop # RFC 1918
|
||||
|
Loading…
Reference in New Issue
Block a user