Add PKTTYPE option to shorewall.conf

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1466 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-07-11 16:17:29 +00:00
parent e77ebf7433
commit c094518354
7 changed files with 47 additions and 12 deletions


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=2.0.5 VERSION=2.0.6
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -2908,6 +2908,13 @@ process_actions2() {
log_action() { log_action() {
[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn [ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
} }
drop_broadcasts() {
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
run_iptables -A dropBcast -d $address -j DROP
done
}
# #
# Generate the transitive closure of $USEDACTIONS # Generate the transitive closure of $USEDACTIONS
# #
@ -2933,14 +2940,16 @@ process_actions2() {
case $xaction in case $xaction in
dropBcast) dropBcast)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
if [ -n "$PKTTYPE" ]; then
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
# #
# No pkttype support -- do it the hard way # No pkttype support -- do it the hard way
# #
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do drop_broadcasts
run_iptables -A dropBcast -d $address -j DROP fi
done else
drop_broadcasts
fi fi
fi fi
;; ;;
@ -6053,6 +6062,7 @@ do_initialize() {
DISABLE_IPV6= DISABLE_IPV6=
BRIDGING= BRIDGING=
DYNAMIC_ZONES= DYNAMIC_ZONES=
PKTTYPE=
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=
@ -6225,6 +6235,7 @@ do_initialize() {
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
# #
# Strip the files that we use often # Strip the files that we use often
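Review bot: The default chosen for PKTTYPE in the last hunk, `PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)`, looks inconsistent with the shorewall.conf comment added in this same commit, which says an unset or empty PKTTYPE is treated as Yes. Going by the helper's name and its use for DISABLE_IPV6, BRIDGING and DYNAMIC_ZONES (options whose documented default is No), added_param_value_no presumably yields an empty string for an unset option; the `if [ -n "$PKTTYPE" ]; then` test in the dropBcast hunk then takes the drop_broadcasts path, so an upgraded system with no PKTTYPE line in its shorewall.conf would silently stop using pkttype matching. If the documented default is the intended one and the script has the complementary added_param_value_yes helper, `PKTTYPE=$(added_param_value_yes PKTTYPE $PKTTYPE)` would make the code agree with the documentation; otherwise the conf comment should state that an unset PKTTYPE means No. The body of do_initialize and the helper itself lie outside the hunks shown.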


@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=2.0.5 VERSION=2.0.6
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -15,3 +15,15 @@ Problems Corrected in version 2.0.5
2) An anachronistic reference to the mangle option was removed from 2) An anachronistic reference to the mangle option was removed from
shorewall.conf. shorewall.conf.
----------------------------------------------------------------------
Problems Corrected in version 2.0.6
1) Some users have reported with the pkttype match option in iptables/
Netfilter failing to match certain broadcast packets. The result
is that the firewall log shows a lot of broadcast packets being
logged.
Users experiencing this problem can use PKTTYPE=No in
shorewall.conf to cause Shorewall to use IP address filtering of
broadcasts rather than packet type.


@ -603,6 +603,16 @@ BRIDGING=No
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No. # set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
DYNAMIC_ZONES=No DYNAMIC_ZONES=No
#
# USE PKTTYPE MATCH
#
# Some users have reported problems with the PKTTYPE match extension not being
# able to patch certail broadcast packets. If you set PKTTYPE=No then Shorewall
# will use IP addresses to detect broadcasts rather than pkttype. If not given
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
PKTTYPE=Yes
################################################################################ ################################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
################################################################################ ################################################################################
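Review bot: The new PKTTYPE comment block contains two typos that make the sentence misleading: `certail` should be `certain` and `patch` should be `match`, so the line should read `# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall`. The last sentence of the block documents the behaviour for an unset or empty value and should be checked against what do_initialize in the firewall script actually does with that case, so that the comment and the code agree.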


@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 2.0.5 %define version 2.0.6
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -141,6 +141,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Sun Jul 11 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.6-1
* Fri Jul 09 2004 Tom Eastep tom@shorewall.net * Fri Jul 09 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.5-1 - Updated to 2.0.5-1
* Tue Jul 06 2004 Tom Eastep tom@shorewall.net * Tue Jul 06 2004 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=2.0.5 VERSION=2.0.6
usage() # $1 = exit status usage() # $1 = exit status
{ {