From b800346eea628d66456ef8a43fc0585345c58308 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 26 Aug 2005 17:16:09 +0000 Subject: [PATCH] Remove ESTABLISHED policy stuff in preparation for sectioned rules file git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2562 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/firewall | 67 +++++++--------------------------------------- Shorewall/policy | 12 --------- 2 files changed, 10 insertions(+), 69 deletions(-) diff --git a/Shorewall/firewall b/Shorewall/firewall index 855720224..63a0e1f8c 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -1442,26 +1442,6 @@ validate_policy() fi esac - case $policy in - *:*) - [ -n "$FASTACCEPT" ] && \ - startup_error "ESTABLISHED policy may not be specified with FASTACCEPT=Yes in shorewall.conf" - epolicy=${policy#*:} - policy=${policy%:*} - - case $epolicy in - ACCEPT|QUEUE) - ;; - *) - startup_error "$client $server $policy $loglevel $synparams: Invalid ESTABLISHED policy: $epolicy" - ;; - esac - ;; - *) - epolicy=ACCEPT - ;; - esac - case $policy in ACCEPT|REJECT|DROP|CONTINUE|QUEUE) ;; @@ -1489,7 +1469,6 @@ validate_policy() [ "x$loglevel" = "x-" ] && loglevel= [ "x$synparms" = "x-" ] && synparms= - [ "x$epolicy" = "x-" ] && epolicy= [ $policy = NONE ] || ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain" @@ -1497,7 +1476,6 @@ validate_policy() eval ${chain}_policy=$policy eval ${chain}_loglevel=$loglevel eval ${chain}_synparams=$synparams - eval ${chain}_epolicy=$epolicy if [ -n "${clientwild}" ]; then if [ -n "${serverwild}" ]; then 
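Review bot: With the `*:*` arm removed from validate_policy (first hunk), a policy entry still written in the old `POLICY:EPOLICY` form now reaches `case $policy in ACCEPT|REJECT|DROP|CONTINUE|QUEUE)` with the colon intact, and how it is reported depends on the fall-through arm below the hunk, which is not visible here. If that arm only emits a generic invalid-policy message, an explicit arm ahead of it would tell users why their file stopped loading: `*:*) startup_error "$client $server $policy: ESTABLISHED policy suffix is no longer supported" ;;`. Also visible in the second and third hunks, though not introduced by them: the `-` normalisation writes `synparms=` while the assignment a few lines on reads `$synparams`, so a literal `-` in that column looks like it is stored unchanged — worth confirming. validate_policy starts before the first hunk and continues after the third.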
@@ -6098,21 +6076,10 @@ display_list() # $1 = List Title, rest of $* = list to display policy_rules() # $1 = chain to add rules to # $2 = policy - # $3 = E/R Policy - # $4 = loglevel + # $3 = loglevel { local target="$2" - [ -n "$FASTACCEPT" ] || case $3 in - QUEUE) - run_iptables -I $1 -m state --state RELATED -j ACCEPT - run_iptables -I $1 -m state --state ESTABLISHED -j QUEUE - ;; - ACCEPT) - run_iptables -I $1 -m state --state ESTABLISHED,RELATED -j ACCEPT - ;; - esac - case "$target" in ACCEPT) [ -n "$ACCEPT_common" ] && run_iptables -A $1 -j $ACCEPT_common @@ -6135,8 +6102,8 @@ policy_rules() # $1 = chain to add rules to ;; esac - if [ $# -eq 4 -a "x${4}" != "x-" ]; then - log_rule $4 $1 $2 + if [ $# -eq 3 -a "x${3}" != "x-" ]; then + log_rule $3 $1 $2 fi [ -n "$target" ] && run_iptables -A $1 -j $target @@ -6160,23 +6127,10 @@ default_policy() # $1 = client $2 = server local chain1 jump_to_policy_chain() { - # - # Insert a rule of ESTABLISHED,RELATED packets at the head of the - # canonical chain. # # Add a jump to from the canonical chain to the policy chain. On return, # $chain is set to the name of the policy chain # - [ -n "$FASTACCEPT" ] || case $epolicy in - QUEUE) - run_iptables -I $chain -m state --state RELATED -j ACCEPT - run_iptables -I $chain -m state --state ESTABLISHED -j QUEUE - ;; - ACCEPT) - run_iptables -I $chain -m state --state ESTABLISHED,RELATED -j ACCEPT - ;; - esac - run_iptables -A $chain -j $chain1 chain=$chain1 } @@ -6189,7 +6143,6 @@ default_policy() # $1 = client $2 = server eval policy=\$${chain1}_policy eval loglevel=\$${chain1}_loglevel eval synparams=\$${chain1}_synparams - eval epolicy=\$${chain1}_epolicy # # Add the appropriate rules to the canonical chain ($chain) to enforce # the specified policy 
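Review bot: After the removal at the top of policy_rules (hunk @@ -6098) and the matching removal in jump_to_policy_chain (hunk @@ -6160), nothing left in this patch inserts an ESTABLISHED,RELATED accept ahead of the policy target, so on the FASTACCEPT-unset path the reply packets of a connection accepted in one direction are now evaluated against the reverse-direction policy; with a DROP or REJECT policy they would be discarded unless a rule outside this diff accepts them first. The commit message calls this preparation, so the intermediate state deserves a comment at the head of policy_rules so it is not mistaken for intended behaviour, e.g. `# NOTE: ESTABLISHED,RELATED traffic is no longer accepted here; the sectioned rules file is expected to handle it.` The updated `# $3 = loglevel` header agrees with the `log_rule $3 $1 $2` call in hunk @@ -6135. policy_rules and default_policy both extend beyond their hunks.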
@@ -6199,7 +6152,7 @@ default_policy() # $1 = client $2 = server # The policy chain is the canonical chain; add policy rule to it # The syn flood jump has already been added if required. # - policy_rules $chain $policy $epolicy $loglevel + policy_rules $chain $policy $loglevel else # # The policy chain is different from the canonical chain -- approach @@ -6213,7 +6166,7 @@ default_policy() # $1 = client $2 = server # in this chain. # enable_syn_flood_protection $chain $chain1 - policy_rules $chain $policy $epolicy $loglevel + policy_rules $chain $policy $loglevel else # # No problem with double-counting so just jump to the @@ -6229,7 +6182,7 @@ default_policy() # $1 = client $2 = server # [ -n "$synparams" ] && \ enable_syn_flood_protection $chain $chain1 - policy_rules $chain $policy $epolicy $loglevel + policy_rules $chain $policy $loglevel ;; *) # @@ -7746,15 +7699,13 @@ apply_policy_rules() { eval policy=\$${chain}_policy eval loglevel=\$${chain}_loglevel eval synparams=\$${chain}_synparams - eval epolicy=\$${chain}_epolicy eval optional=\$${chain}_is_optional [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel if havechain $chain; then - [ "$epolicy" = ACCEPT ] && ordinal=2 || ordinal=3 [ -n "$synparams" ] && \ - run_iptables -I $chain $ordinal -p tcp --syn -j @$chain + run_iptables -I $chain 2 -p tcp --syn -j @$chain ### FIX ME ### elif [ -z "$optional" -a "$policy" != CONTINUE ]; then # # The chain doesn't exist. Create the chain and add policy @@ -7779,7 +7730,7 @@ apply_policy_rules() { case $chain in all2*|*2all) - policy_rules $chain $policy $epolicy $loglevel + policy_rules $chain $policy $loglevel ;; esac fi @@ -8771,6 +8722,8 @@ do_initialize() { STOPPING= HAVE_MUTEX= ALIASES_TO_ADD= + SECTION= + SECTIONS= FUNCTIONS=$SHARED_DIR/functions diff --git a/Shorewall/policy b/Shorewall/policy index 450104e77..54a475868 100644 --- a/Shorewall/policy +++ b/Shorewall/policy 
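Review bot: The hard-coded index in `run_iptables -I $chain 2 -p tcp --syn -j @$chain ### FIX ME ###` (hunk @@ -7746) no longer tracks anything this script is known to have put at position 1: the removed `ordinal` was chosen relative to the ESTABLISHED/RELATED rule that policy_rules and jump_to_policy_chain inserted at the head of the chain, and those insertions are dropped by this same commit. iptables rejects an insertion index greater than the rule count plus one, so an existing chain that holds no rules makes this call fail, and when rules are present the first of them sits ahead of the syn-flood jump. Until the sectioned rules file settles where the state rule lives, inserting at the head (`run_iptables -I $chain -p tcp --syn -j @$chain`) is valid for any chain, and the marker should say what is pending, e.g. `# FIXME: insertion point depends on the ESTABLISHED rule to be added by the sectioned rules file`. apply_policy_rules continues outside the hunk.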
@@ -61,18 +61,6 @@ # will be invoked before the policy named in this column # is enforced. # -# The policy determined the default treatment of new -# connection requests and may optionally be followed by -# ":" and an ESTABLISHED policy which determines what -# is to be done with packets that are part of an -# established connection. The choices are ACCEPT (the -# default) and QUEUE (to queue the packet to a -# user-space filter like Snort Inline). -# -# WARNING: You may not specify an ESTABLISHED policy if -# you have set FASTACCEPT=Yes in -# /etc/shorewall/shorewall.conf. -# # LOG LEVEL If supplied, each connection handled under the default # POLICY is logged at that level. If not supplied, no # log message is generated. See syslog.conf(5) for a