forked from extern/shorewall_code
Add an ALL section to the rules files.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
d5290fc881
commit
bc706324e9
@ -9,6 +9,7 @@
|
||||
####################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
@ -13,6 +13,10 @@
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||
|
||||
|
||||
@ -13,6 +13,11 @@
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
# Don't allow connection pickup from the net
|
||||
#
|
||||
Invalid(DROP) net all
|
||||
|
||||
@ -13,6 +13,11 @@
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
# Don't allow connection pickup from the net
|
||||
#
|
||||
Invalid(DROP) net all
|
||||
|
||||
@ -9,6 +9,7 @@
|
||||
####################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
@ -13,6 +13,10 @@
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||
|
||||
|
||||
@ -13,6 +13,11 @@
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
# Don't allow connection pickup from the net
|
||||
#
|
||||
Invalid(DROP) net all
|
||||
|
||||
@ -13,6 +13,11 @@
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
# Don't allow connection pickup from the net
|
||||
#
|
||||
Invalid(DROP) net all
|
||||
|
||||
@ -2929,7 +2929,9 @@ sub port_count( $ ) {
|
||||
sub state_imatch( $ ) {
|
||||
my $state = shift;
|
||||
|
||||
have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" );
|
||||
unless ( $state eq 'ALL' ) {
|
||||
have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" );
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
|
||||
@ -130,7 +130,8 @@ sub initialize( $ ) {
|
||||
#
|
||||
# These are set to 1 as sections are encountered.
|
||||
#
|
||||
%sections = ( ESTABLISHED => 0,
|
||||
%sections = ( ALL => 0,
|
||||
ESTABLISHED => 0,
|
||||
RELATED => 0,
|
||||
NEW => 0
|
||||
);
|
||||
@ -1940,7 +1941,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
|
||||
unless ( $section eq 'NEW' || $inaction ) {
|
||||
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
||||
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
|
||||
$rule .= "$globals{STATEMATCH} $section "
|
||||
$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL';
|
||||
}
|
||||
|
||||
#
|
||||
@ -2230,11 +2231,13 @@ sub process_section ($) {
|
||||
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
|
||||
$sections{$sect} = 1;
|
||||
|
||||
if ( $sect eq 'RELATED' ) {
|
||||
$sections{ESTABLISHED} = 1;
|
||||
if ( $sect eq 'ESTABLISHED' ) {
|
||||
$sections{ALL} = 1;
|
||||
elsif ( $sect eq 'RELATED' ) {
|
||||
@sections{'ALL','ESTABLISHED'} = ( 1, 1);
|
||||
finish_section 'ESTABLISHED';
|
||||
} elsif ( $sect eq 'NEW' ) {
|
||||
@sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
|
||||
@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
|
||||
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
|
||||
}
|
||||
|
||||
|
||||
@ -9,6 +9,7 @@
|
||||
####################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
@ -9,6 +9,7 @@
|
||||
#######################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
|
||||
@ -46,6 +46,16 @@
|
||||
<para>Sections are as follows and must appear in the order listed:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ALL</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This section was added in Shorewall 4.4.23. rules in this
|
||||
section are applied, regardless of the connection tracking state of
|
||||
the packet.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ESTABLISHED</emphasis></term>
|
||||
|
||||
|
||||
@ -39,6 +39,16 @@
|
||||
<para>Sections are as follows and must appear in the order listed:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ALL</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This section was added in Shorewall 4.4.23. rules in this
|
||||
section are applied, regardless of the connection tracking state of
|
||||
the packet.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ESTABLISHED</emphasis></term>
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user