Allow list in the SUBNET column of the rfc1918 file
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1728 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
dce7281692
commit
b551db1f5e
@ -121,3 +121,4 @@ Changes since 2.0.3
|
|||||||
|
|
||||||
58) Clarification of the 'ipsec' hosts file option.
|
58) Clarification of the 'ipsec' hosts file option.
|
||||||
|
|
||||||
|
59) Allow list in the SUBNET column of the rfc1918 file.
|
||||||
|
@ -1986,7 +1986,6 @@ setup_mac_lists() {
|
|||||||
#
|
#
|
||||||
# Process the maclist file producing the verification rules
|
# Process the maclist file producing the verification rules
|
||||||
#
|
#
|
||||||
|
|
||||||
while read interface mac addresses; do
|
while read interface mac addresses; do
|
||||||
expandv interface mac addresses
|
expandv interface mac addresses
|
||||||
|
|
||||||
@ -5834,20 +5833,22 @@ add_common_rules() {
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
run_iptables2 -A norfc1918 $(source_ip_range $networks) -j $target
|
for network in $(separate_list $networks); do
|
||||||
|
run_iptables2 -A norfc1918 $(source_ip_range $network) -j $target
|
||||||
if [ -n "$CONNTRACK_MATCH" ]; then
|
|
||||||
#
|
if [ -n "$CONNTRACK_MATCH" ]; then
|
||||||
# We have connection tracking match -- match on the original destination
|
#
|
||||||
#
|
# We have connection tracking match -- match on the original destination
|
||||||
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $networks -j $target
|
#
|
||||||
elif [ -n "$MANGLE_ENABLED" ]; then
|
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $network -j $target
|
||||||
#
|
elif [ -n "$MANGLE_ENABLED" ]; then
|
||||||
# No connection tracking match but we have mangling -- add a rule to
|
#
|
||||||
# the mangle table
|
# No connection tracking match but we have mangling -- add a rule to
|
||||||
#
|
# the mangle table
|
||||||
run_iptables2 -t mangle -A man1918 $(dest_ip_range $networks) -j $target
|
#
|
||||||
fi
|
run_iptables2 -t mangle -A man1918 $(dest_ip_range $network) -j $target
|
||||||
|
fi
|
||||||
|
done
|
||||||
done < $TMP_DIR/rfc1918
|
done < $TMP_DIR/rfc1918
|
||||||
|
|
||||||
for host in $hosts; do
|
for host in $hosts; do
|
||||||
|
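Review bot: An rfc1918 entry whose SUBNETS field is empty now yields no rule at all, because `for network in $(separate_list $networks); do` simply iterates zero times, so a malformed line silently leaves the traffic the administrator meant to block unfiltered; a guard before the loop such as `[ -n "$networks" ] || fatal_error "Missing SUBNETS in rfc1918 entry"` (the script's existing fatal_error helper, defined outside the hunk) would fail loudly instead. The conntrack branch hands `$network` straight to `--ctorigdst`, which presumably accepts only an address/mask and not the range form that `source_ip_range`/`dest_ip_range` handle, so a range entry in the list would apparently surface only as an iptables error at run time; a one-line comment at that call, e.g. `# --ctorigdst takes address/mask only; range entries are not matched here`, would make that limitation visible. Both the enclosing `while read` loop and `add_common_rules` begin outside the hunk.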
@ -640,3 +640,7 @@ New Features:
|
|||||||
|
|
||||||
DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL
|
DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL
|
||||||
BE SENT TO ANOTHER SYSTEM.
|
BE SENT TO ANOTHER SYSTEM.
|
||||||
|
|
||||||
|
26) The SUBNET column in /etc/shorewall/rfc1918 has been renamed
|
||||||
|
SUBNETS and it is now possible to specify a list of addresses in
|
||||||
|
that column.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.1 -- RFC1918 File
|
# Shorewall 2.2 -- RFC1918 File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/rfc1918
|
# /etc/shorewall/rfc1918
|
||||||
#
|
#
|
||||||
@ -12,16 +12,17 @@
|
|||||||
#
|
#
|
||||||
# Columns are:
|
# Columns are:
|
||||||
#
|
#
|
||||||
# SUBNET The subnet (host addresses also allowed as are IP
|
# SUBNETS A comma-separated list of subnet addresses
|
||||||
|
(host addresses also allowed as are IP
|
||||||
# address ranges provided that your kernel and iptables
|
# address ranges provided that your kernel and iptables
|
||||||
# have iprange match support).
|
# have iprange match support).
|
||||||
# TARGET Where to send packets to/from this subnet
|
# TARGET Where to send packets to/from this subnet
|
||||||
# RETURN - let the packet be processed normally
|
# RETURN - let the packet be processed normally
|
||||||
# DROP - silently drop the packet
|
# DROP - silently drop the packet
|
||||||
# logdrop - log then drop
|
# logdrop - log then drop
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#SUBNET TARGET
|
#SUBNETS TARGET
|
||||||
172.16.0.0/12 logdrop # RFC 1918
|
172.16.0.0/12 logdrop # RFC 1918
|
||||||
192.168.0.0/16 logdrop # RFC 1918
|
192.168.0.0/16 logdrop # RFC 1918
|
||||||
10.0.0.0/8 logdrop # RFC 1918
|
10.0.0.0/8 logdrop # RFC 1918
|
||||||