From c094518354e80aaeb477c8c4ded865370d62547b Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 11 Jul 2004 16:17:29 +0000 Subject: [PATCH] Add PKTTYPE option to shorewall.conf git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1466 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- STABLE2/fallback.sh | 2 +- STABLE2/firewall | 27 +++++++++++++++++++-------- STABLE2/install.sh | 2 +- STABLE2/releasenotes.txt | 12 ++++++++++++ STABLE2/shorewall.conf | 10 ++++++++++ STABLE2/shorewall.spec | 4 +++- STABLE2/uninstall.sh | 2 +- 7 files changed, 47 insertions(+), 12 deletions(-) diff --git a/STABLE2/fallback.sh b/STABLE2/fallback.sh index 54a5ec26a..e494164da 100755 --- a/STABLE2/fallback.sh +++ b/STABLE2/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.0.5 +VERSION=2.0.6 usage() # $1 = exit status { diff --git a/STABLE2/firewall b/STABLE2/firewall index fee1eb195..4c38ae520 100755 --- a/STABLE2/firewall +++ b/STABLE2/firewall @@ -2908,6 +2908,13 @@ process_actions2() { log_action() { [ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn } + + drop_broadcasts() { + for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do + run_iptables -A dropBcast -d $address -j DROP + done + } + # # Generate the transitive closure of $USEDACTIONS # 
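Review bot: `drop_broadcasts` leaves its loop variable `address` set in the global scope after it returns, because nothing scopes it; if the script runs under a shell that supports `local`, `local address` as the helper's first line avoids clobbering a caller's variable, and otherwise the leak is worth a comment. The helper also needs a header saying what it covers, since the address list comes from a single `find_broadcasts` call at rule-generation time and presumably does not include broadcast addresses of subnets configured after the firewall starts — the limitation the pkttype path does not have. Suggested header: `# Fallback for kernels without the pkttype match: drop traffic to each local directed-broadcast address, the limited broadcast 255.255.255.255 and the multicast range 224.0.0.0/4. NOTE: the address list is fixed when the rules are generated.` The helper is defined inside process_actions2(), whose body starts and ends outside this hunk.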
@@ -2933,14 +2940,16 @@ process_actions2() { case $xaction in dropBcast) if [ "$COMMAND" != check ]; then - qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP - if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then - # - # No pkttype support -- do it the hard way - # - for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do - run_iptables -A dropBcast -d $address -j DROP - done + if [ -n "$PKTTYPE" ]; then + qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP + if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then + # + # No pkttype support -- do it the hard way + # + drop_broadcasts + fi + else + drop_broadcasts fi fi ;; @@ -6053,6 +6062,7 @@ do_initialize() { DISABLE_IPV6= BRIDGING= DYNAMIC_ZONES= + PKTTYPE= RESTOREBASE= TMP_DIR= @@ -6225,6 +6235,7 @@ do_initialize() { DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) + PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) # # Strip the files that we use often diff --git a/STABLE2/install.sh b/STABLE2/install.sh index 12cd58775..9ed5562c7 100755 --- a/STABLE2/install.sh +++ b/STABLE2/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.0.5 +VERSION=2.0.6 usage() # $1 = exit status { diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt index ea223cf5b..a3495e814 100644 --- a/STABLE2/releasenotes.txt +++ b/STABLE2/releasenotes.txt 
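Review bot: In the new `PKTTYPE` branch the result of the first `qt iptables ... --pkt-type broadcast` rule is still discarded, so on a kernel where the broadcast rule fails but the multicast rule succeeds the fallback never runs and directed broadcasts are not dropped at all; the commit keeps that shape from the old code even though PKTTYPE exists precisely because pkttype matching is unreliable. Both rules should gate the fallback: `if ! qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP || ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then` followed by `drop_broadcasts` and `fi`. The `[ -n "$PKTTYPE" ]` test also relies on `added_param_value_no` turning `No` into an empty string, as it presumably does for the sibling options parsed next to it; a one-line comment such as `# PKTTYPE is empty when shorewall.conf sets PKTTYPE=No (see added_param_value_no)` would make that dependency visible. The enclosing case statement and process_actions2() continue outside this hunk.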
@@ -15,3 +15,15 @@ Problems Corrected in version 2.0.5 2) An anachronistic reference to the mangle option was removed from shorewall.conf. + +---------------------------------------------------------------------- +Problems Corrected in version 2.0.6 + +1) Some users have reported with the pkttype match option in iptables/ + Netfilter failing to match certain broadcast packets. The result + is that the firewall log shows a lot of broadcast packets being + logged. + + Users experiencing this problem can use PKTTYPE=No in + shorewall.conf to cause Shorewall to use IP address filtering of + broadcasts rather than packet type. \ No newline at end of file diff --git a/STABLE2/shorewall.conf b/STABLE2/shorewall.conf index 2c1c63d07..115d1492d 100644 --- a/STABLE2/shorewall.conf +++ b/STABLE2/shorewall.conf @@ -603,6 +603,16 @@ BRIDGING=No # set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No. DYNAMIC_ZONES=No + +# +# USE PKTTYPE MATCH +# +# Some users have reported problems with the PKTTYPE match extension not being +# able to patch certail broadcast packets. If you set PKTTYPE=No then Shorewall +# will use IP addresses to detect broadcasts rather than pkttype. If not given +# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed. + +PKTTYPE=Yes ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################ diff --git a/STABLE2/shorewall.spec b/STABLE2/shorewall.spec index 81ecb9ab1..4c0ac11d7 100644 --- a/STABLE2/shorewall.spec +++ b/STABLE2/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 2.0.5 +%define version 2.0.6 %define release 1 %define prefix /usr 
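Review bot: The new shorewall.conf comment for PKTTYPE has two typos that change its meaning for a reader: "not being able to patch certail broadcast packets" should read "not being able to match certain broadcast packets". It should also state what the address-based mode gives up, since a user setting PKTTYPE=No is choosing a narrower filter than the packet-type match. Suggested wording: `# Some users have reported problems with the pkttype match extension not being able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall instead drops packets addressed to the interfaces' broadcast addresses, 255.255.255.255 and 224.0.0.0/4; that address list is computed when the firewall rules are generated.`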
@@ -141,6 +141,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Sun Jul 11 2004 Tom Eastep tom@shorewall.net +- Updated to 2.0.6-1 * Fri Jul 09 2004 Tom Eastep tom@shorewall.net - Updated to 2.0.5-1 * Tue Jul 06 2004 Tom Eastep tom@shorewall.net diff --git a/STABLE2/uninstall.sh b/STABLE2/uninstall.sh index 4be65f8a2..3596ec739 100755 --- a/STABLE2/uninstall.sh +++ b/STABLE2/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=2.0.5 +VERSION=2.0.6 usage() # $1 = exit status {