Add an ALL section to the rules files.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
d5290fc881
commit
bc706324e9
@ -9,6 +9,7 @@
|
|||||||
####################################################################################################################################################
|
####################################################################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
#SECTION ALL
|
||||||
#SECTION ESTABLISHED
|
#SECTION ESTABLISHED
|
||||||
#SECTION RELATED
|
#SECTION RELATED
|
||||||
SECTION NEW
|
SECTION NEW
|
||||||
|
@ -13,6 +13,10 @@
|
|||||||
#############################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
#SECTION ALL
|
||||||
|
#SECTION ESTABLISHED
|
||||||
|
#SECTION RELATED
|
||||||
|
SECTION NEW
|
||||||
|
|
||||||
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||||
|
|
||||||
|
@ -13,6 +13,11 @@
|
|||||||
#############################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
#SECTION ALL
|
||||||
|
#SECTION ESTABLISHED
|
||||||
|
#SECTION RELATED
|
||||||
|
SECTION NEW
|
||||||
|
|
||||||
# Don't allow connection pickup from the net
|
# Don't allow connection pickup from the net
|
||||||
#
|
#
|
||||||
Invalid(DROP) net all
|
Invalid(DROP) net all
|
||||||
|
@ -13,6 +13,11 @@
|
|||||||
#############################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
#SECTION ALL
|
||||||
|
#SECTION ESTABLISHED
|
||||||
|
#SECTION RELATED
|
||||||
|
SECTION NEW
|
||||||
|
|
||||||
# Don't allow connection pickup from the net
|
# Don't allow connection pickup from the net
|
||||||
#
|
#
|
||||||
Invalid(DROP) net all
|
Invalid(DROP) net all
|
||||||
|
@ -9,6 +9,7 @@
|
|||||||
####################################################################################################################################################
|
####################################################################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
#SECTION ALL
|
||||||
#SECTION ESTABLISHED
|
#SECTION ESTABLISHED
|
||||||
#SECTION RELATED
|
#SECTION RELATED
|
||||||
SECTION NEW
|
SECTION NEW
|
||||||
|
@ -13,6 +13,10 @@
|
|||||||
#############################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
#SECTION ALL
|
||||||
|
#SECTION ESTABLISHED
|
||||||
|
#SECTION RELATED
|
||||||
|
SECTION NEW
|
||||||
|
|
||||||
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||||
|
|
||||||
|
@ -13,6 +13,11 @@
|
|||||||
#############################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
#SECTION ALL
|
||||||
|
#SECTION ESTABLISHED
|
||||||
|
#SECTION RELATED
|
||||||
|
SECTION NEW
|
||||||
|
|
||||||
# Don't allow connection pickup from the net
|
# Don't allow connection pickup from the net
|
||||||
#
|
#
|
||||||
Invalid(DROP) net all
|
Invalid(DROP) net all
|
||||||
|
@ -13,6 +13,11 @@
|
|||||||
#############################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
#SECTION ALL
|
||||||
|
#SECTION ESTABLISHED
|
||||||
|
#SECTION RELATED
|
||||||
|
SECTION NEW
|
||||||
|
|
||||||
# Don't allow connection pickup from the net
|
# Don't allow connection pickup from the net
|
||||||
#
|
#
|
||||||
Invalid(DROP) net all
|
Invalid(DROP) net all
|
||||||
|
@ -2929,7 +2929,9 @@ sub port_count( $ ) {
|
|||||||
sub state_imatch( $ ) {
|
sub state_imatch( $ ) {
|
||||||
my $state = shift;
|
my $state = shift;
|
||||||
|
|
||||||
have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" );
|
unless ( $state eq 'ALL' ) {
|
||||||
|
have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" );
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
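Review bot: When `$state eq 'ALL'`, the new `unless` block lets `state_imatch` fall off its end without an explicit return, so the sub's value is whatever the last evaluated expression produced — the true result of the `eq` test — rather than an empty list, while the other branches return a key/value pair (`conntrack => ...` or `state => ...`). Make the no-match case explicit with `return () if $state eq 'ALL';` as the first statement after `my $state = shift;`, and leave the `have_capability` line unconditional. A one-line comment such as `# ALL: no state match - the rule applies to every packet, whatever its conntrack state` would also record why the early return exists. How callers consume the returned list is outside this hunk, so whether the stray scalar is actually harmful cannot be confirmed from here.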
@ -130,7 +130,8 @@ sub initialize( $ ) {
|
|||||||
#
|
#
|
||||||
# These are set to 1 as sections are encountered.
|
# These are set to 1 as sections are encountered.
|
||||||
#
|
#
|
||||||
%sections = ( ESTABLISHED => 0,
|
%sections = ( ALL => 0,
|
||||||
|
ESTABLISHED => 0,
|
||||||
RELATED => 0,
|
RELATED => 0,
|
||||||
NEW => 0
|
NEW => 0
|
||||||
);
|
);
|
||||||
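Review bot: The comment above the hash, `# These are set to 1 as sections are encountered.`, no longer describes the whole lifecycle now that `ALL` is tracked: as the process_section hunk in this commit shows, naming a later section also marks ALL and every earlier section as seen, which is what makes a subsequent `SECTION ALL` fail the duplicate/out-of-order check. Suggest `# These are set to 1 as sections are encountered (or skipped over: naming a later section implicitly closes the earlier ones).` so the `ALL => 0` entry reads as part of the ordering contract rather than a free-standing flag. The initialize sub continues outside this hunk.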
@ -1940,7 +1941,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
|
|||||||
unless ( $section eq 'NEW' || $inaction ) {
|
unless ( $section eq 'NEW' || $inaction ) {
|
||||||
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
||||||
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
|
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
|
||||||
$rule .= "$globals{STATEMATCH} $section "
|
$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL';
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
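Review bot: The `unless $section eq 'ALL'` clause on the `$rule .=` line is the single place where ALL-section rules become stateless, and nothing at the site says so; a reader tracing why a rule has no `--ctstate`/`--state` fragment has to know the section semantics from the manpage. Suggest a comment on the line above it: `# ALL-section rules carry no state match: they see every packet that reaches the chain, whatever its conntrack state (INVALID included).` The FASTACCEPT and NATRULE|NONAT checks in the same block still apply to ALL, which is consistent with how ESTABLISHED and RELATED are treated. process_rule1 begins and ends outside this hunk.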
@ -2230,11 +2231,13 @@ sub process_section ($) {
|
|||||||
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
|
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
|
||||||
$sections{$sect} = 1;
|
$sections{$sect} = 1;
|
||||||
|
|
||||||
if ( $sect eq 'RELATED' ) {
|
if ( $sect eq 'ESTABLISHED' ) {
|
||||||
$sections{ESTABLISHED} = 1;
|
$sections{ALL} = 1;
|
||||||
|
elsif ( $sect eq 'RELATED' ) {
|
||||||
|
@sections{'ALL','ESTABLISHED'} = ( 1, 1);
|
||||||
finish_section 'ESTABLISHED';
|
finish_section 'ESTABLISHED';
|
||||||
} elsif ( $sect eq 'NEW' ) {
|
} elsif ( $sect eq 'NEW' ) {
|
||||||
@sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
|
@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
|
||||||
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
|
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
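Review bot: As rendered here, the added line `elsif ( $sect eq 'RELATED' ) {` has no closing brace for the preceding `if ( $sect eq 'ESTABLISHED' ) {` block, whereas the unchanged `} elsif ( $sect eq 'NEW' ) {` line does; if that is not a display artifact the file will not compile, and the line should read `} elsif ( $sect eq 'RELATED' ) {`. Otherwise the bookkeeping looks consistent: each branch marks ALL and every earlier section as seen, so an out-of-order `SECTION ALL` is rejected by the duplicate/out-of-order check at the top of the hunk. The ESTABLISHED branch does not call `finish_section` for ALL; presumably nothing needs closing because ALL rules have no state-specific chain, but a short comment saying so (e.g. `# ALL has no state-specific chain, so there is nothing to finish`) would save the next reader the question. process_section continues outside this hunk.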
@ -9,6 +9,7 @@
|
|||||||
####################################################################################################################################################################
|
####################################################################################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
#SECTION ALL
|
||||||
#SECTION ESTABLISHED
|
#SECTION ESTABLISHED
|
||||||
#SECTION RELATED
|
#SECTION RELATED
|
||||||
SECTION NEW
|
SECTION NEW
|
||||||
|
@ -9,6 +9,7 @@
|
|||||||
#######################################################################################################################################################################
|
#######################################################################################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
#SECTION ALL
|
||||||
#SECTION ESTABLISHED
|
#SECTION ESTABLISHED
|
||||||
#SECTION RELATED
|
#SECTION RELATED
|
||||||
SECTION NEW
|
SECTION NEW
|
||||||
|
@ -46,6 +46,16 @@
|
|||||||
<para>Sections are as follows and must appear in the order listed:</para>
|
<para>Sections are as follows and must appear in the order listed:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">ALL</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This section was added in Shorewall 4.4.23. rules in this
|
||||||
|
section are applied, regardless of the connection tracking state of
|
||||||
|
the packet.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ESTABLISHED</emphasis></term>
|
<term><emphasis role="bold">ESTABLISHED</emphasis></term>
|
||||||
|
|
||||||
|
@ -39,6 +39,16 @@
|
|||||||
<para>Sections are as follows and must appear in the order listed:</para>
|
<para>Sections are as follows and must appear in the order listed:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">ALL</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This section was added in Shorewall 4.4.23. rules in this
|
||||||
|
section are applied, regardless of the connection tracking state of
|
||||||
|
the packet.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ESTABLISHED</emphasis></term>
|
<term><emphasis role="bold">ESTABLISHED</emphasis></term>
|
||||||
|
|
||||||
|