Add 'allowBcast' standard action
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1539 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
fae7312553
commit
bbe514b417
@ -4,6 +4,7 @@
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
# allowBcast #Silently Allow Broadcast/multicast
|
||||
# dropBcast #Silently Drop Broadcast/multicast
|
||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
||||
# rejNonSyn #Silently Reject Non-syn TCP packets
|
||||
|
@ -3017,7 +3017,7 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
|
||||
#
|
||||
process_actions1() {
|
||||
|
||||
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
|
||||
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
|
||||
USEDACTIONS=
|
||||
|
||||
strip_file actions
|
||||
@ -3170,12 +3170,44 @@ process_actions3() {
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
allowBcast)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
if [ -n "$PKTTYPE" ]; then
|
||||
case $xlevel in
|
||||
none'!')
|
||||
;;
|
||||
*)
|
||||
if [ -n "$xlevel" ]; then
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type multicast
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
run_iptables -A allowBcast -m pkttype --pkt-type broadcast -j ACCEPT
|
||||
run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT
|
||||
else
|
||||
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
||||
case $xlevel in
|
||||
none*)
|
||||
;;
|
||||
*)
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -d $address
|
||||
;;
|
||||
esac
|
||||
|
||||
run_iptables -A $xchain -d $address -j ACCEPT
|
||||
done
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
dropNonSyn)
|
||||
error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
|
||||
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||
fi
|
||||
;;
|
||||
|
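Review bot: The PKTTYPE branch appends its two ACCEPT rules to the literal chain name `allowBcast` (the two run_iptables lines right after the first esac), while every other rule in this case arm, including the log_rule_limit calls beside them and the whole else branch, targets `$xchain`; if $xchain can differ from the action name (the xlevel/xtag handling suggests logging variants get their own chain, though that is not visible here), those two rules land in a different chain from their log rules and the per-level action accepts nothing. I would change them to `run_iptables -A $xchain -m pkttype --pkt-type broadcast -j ACCEPT` and `run_iptables -A $xchain -m pkttype --pkt-type multicast -j ACCEPT`. The two case statements also disagree on how an unlogged level is spelled: the pkttype branch skips logging only for `none'!')` while the address branch uses `none*)`, so a plain `none` still reaches log_rule_limit in the first branch but not in the second; using `none*)` in both keeps the two code paths consistent. The enclosing process_actions3() case statement starts before this hunk and continues after it.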
@ -264,3 +264,6 @@ New Features:
|
||||
|
||||
8) To improve interoperability, tunnels of type 'ipsec' no longer
|
||||
enforce the use of source port 500 for ISAKMP.
|
||||
|
||||
9) A new 'allowBcast' builtin action has been added -- it silently
|
||||
allows broadcasts and multicasts.
|
||||
|