From c2bc74cdfebd3873eb94566438ce67540fcb76a0 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 24 Jan 2013 08:33:59 -0800
Subject: [PATCH] Add INVALID section to the rules file.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 9 ++
 Shorewall/Perl/Shorewall/Config.pm | 26 +++-
 Shorewall/Perl/Shorewall/Rules.pm | 114 +++++++++++++++---
 Shorewall/Samples/Universal/shorewall.conf | 4 +
 .../Samples/one-interface/shorewall.conf | 4 +
 .../Samples/three-interfaces/shorewall.conf | 4 +
 .../Samples/two-interfaces/shorewall.conf | 4 +
 Shorewall/configfiles/shorewall.conf | 4 +
 Shorewall/manpages/shorewall-rules.xml | 21 +++-
 Shorewall6/Samples6/Universal/shorewall6.conf | 4 +
 .../Samples6/one-interface/shorewall6.conf | 4 +
 .../Samples6/three-interfaces/shorewall6.conf | 4 +
 .../Samples6/two-interfaces/shorewall6.conf | 4 +
 Shorewall6/configfiles/shorewall6.conf | 4 +
 Shorewall6/manpages/shorewall6-rules.xml | 21 +++-
 15 files changed, 206 insertions(+), 25 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 6ca3f2497..fff416752 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -131,6 +131,7 @@ our %EXPORT_TAGS = (
 rules_chain
 blacklist_chain
 related_chain
+ invalid_chain
 zone_forward_chain
 use_forward_chain
 input_chain
@@ -293,6 +294,7 @@ our $VERSION = 'MODULEVERSION';
 # level 8.
 # complete => The last rule in the chain is a -g or a simple -j to a terminating target
 # Suppresses adding additional rules to the chain end of the chain
+# sections => {
= 1, ... } - Records sections that have been completed. # } , # => ... # } @@ -1628,6 +1630,13 @@ sub related_chain($$) { '+' . &rules_chain(@_); } +# +# Name of the invalid chain between an ordered pair of zones +# +sub invalid_chain($$) { + '_' . &rules_chain(@_); +} + # # Create the base for a chain involving the passed interface -- we make this a function so it will be # easy to change the mapping should the need ever arrive. diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index b95193e9a..4a7ae9bd5 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -642,7 +642,7 @@ sub initialize( $;$$) { EXPORT => 0, KLUDGEFREE => '', STATEMATCH => '-m state --state', - VERSION => "4.5.13-Beta1", + VERSION => "4.5.13-Beta3", CAPVERSION => 40512 , ); # @@ -663,6 +663,7 @@ sub initialize( $;$$) { LOGALLNEW => undef, BLACKLIST_LOGLEVEL => undef, RELATED_LOG_LEVEL => undef, + INVALID_LOG_LEVEL => undef, RFC1918_LOG_LEVEL => undef, MACLIST_LOG_LEVEL => undef, TCP_FLAGS_LOG_LEVEL => undef, @@ -782,6 +783,7 @@ sub initialize( $;$$) { SFILTER_DISPOSITION => undef, RPFILTER_DISPOSITION => undef, RELATED_DISPOSITION => undef, + INVALID_DISPOSITION => undef, # # Mark Geometry # @@ -5224,6 +5226,7 @@ sub get_configuration( $$$$ ) { default_log_level 'TCP_FLAGS_LOG_LEVEL', ''; default_log_level 'RFC1918_LOG_LEVEL', ''; default_log_level 'RELATED_LOG_LEVEL', ''; + default_log_level 'INVALID_LOG_LEVEL', ''; warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL}; 
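Review bot: The comment on the new invalid_chain sub should say that the leading `_` is load-bearing, because finish_chain_section in Rules.pm recognizes an invalid chain purely by `$chainref->{name} =~ /^_/` (as it does with `/^\+/` for related chains); suggest `# Name of the invalid chain between an ordered pair of zones. The '_' prefix is what finish_chain_section tests to recognize such a chain.` If any other filter chain name can begin with `_`, that prefix test would misclassify it, which is worth confirming. The `&rules_chain(@_)` call form mirrors related_chain directly above, so no change is proposed there.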
@@ -5278,12 +5281,31 @@ sub get_configuration( $$$$ ) { fatal_error "Invalid value ($config{RELATED_DISPOSITION}) for RELATED_DISPOSITION" } - require_capability 'AUDIT_TARGET' , "MACLIST_DISPOSITION=$val", 's' if $val =~ /^A_/; + require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/; } else { $config{RELATED_DISPOSITION} = $globals{RELATED_TARGET} = 'ACCEPT'; } + if ( $val = $config{INVALID_DISPOSITION} ) { + if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) { + $globals{INVALID_TARGET} = $val; + } elsif ( $val eq 'REJECT' ) { + $globals{INVALID_TARGET} = 'reject'; + } elsif ( $val eq 'A_REJECT' ) { + $globals{INVALID_TARGET} = $val; + } elsif ( $val eq 'CONTINUE' ) { + $globals{INVALID_TARGET} = ''; + } else { + fatal_error "Invalid value ($config{INVALID_DISPOSITION}) for INVALID_DISPOSITION" + } + + require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/; + } else { + $config{INVALID_DISPOSITION} = 'CONTINUE'; + $globals{INVALID_TARGET} = ''; + } + if ( $val = $config{MACLIST_TABLE} ) { if ( $val eq 'mangle' ) { fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/; diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 9b3e903ba..480c8d807 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -67,14 +67,16 @@ use constant { NULL_SECTION => 0, ALL_SECTION => 2, ESTABLISHED_SECTION => 4, RELATED_SECTION => 8, - NEW_SECTION => 16, - DEFAULTACTION_SECTION => 32 }; + INVALID_SECTION => 16, + NEW_SECTION => 32, + DEFAULTACTION_SECTION => 64 }; # # These are the sections that may appear in a section header # our %section_map = ( ALL => ALL_SECTION, ESTABLISHED => ESTABLISHED_SECTION, RELATED => RELATED_SECTION, + INVALID => INVALID_SECTION, NEW => NEW_SECTION ); our @policy_chains; 
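Review bot: The capability message in the new INVALID_DISPOSITION block names the wrong option: `require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/;` should read `require_capability 'AUDIT_TARGET' , "INVALID_DISPOSITION=$val", 's' if $val =~ /^A_/;`. It is the same copy-paste slip this hunk fixes a few lines earlier for RELATED_DISPOSITION (which previously said MACLIST_DISPOSITION), so an administrator whose kernel lacks the AUDIT_TARGET capability would be told to change a setting they did not set. The accepted values and the REJECT-to-`reject` mapping otherwise match the RELATED block.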
@@ -170,6 +172,7 @@ sub initialize( $ ) { %sections = ( ALL => 0, ESTABLISHED => 0, RELATED => 0, + INVALID => 0, NEW => 0 ); # @@ -212,6 +215,15 @@ sub initialize( $ ) { } } +# +# Create a rules chain +# +sub new_rules_chain( $ ) { + my $chainref = new_chain( 'filter', $_[0] ); + $chainref->{sections} = {}; + $chainref; +} + ############################################################################### # Functions moved from the former Policy Module ############################################################################### @@ -250,7 +262,7 @@ sub new_policy_chain($$$$$) { my ($source, $dest, $policy, $provisional, $audit) = @_; - my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) ); + my $chainref = new_rules_chain( rules_chain( ${source}, ${dest} ) ); convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional, $audit ); @@ -266,7 +278,7 @@ sub set_policy_chain($$$$$) my $chainref1 = $filter_table->{$chain1}; - $chainref1 = new_chain 'filter', $chain1 unless $chainref1; + $chainref1 = new_rules_chain $chain1 unless $chainref1; unless ( $chainref1->{policychain} ) { if ( $config{EXPAND_POLICIES} ) { @@ -837,10 +849,12 @@ sub ensure_rules_chain( $ ) my $chainref = $filter_table->{$chain}; - $chainref = new_chain( 'filter', $chain ) unless $chainref; + $chainref = new_rules_chain( $chain ) unless $chainref; unless ( $chainref->{referenced} ) { if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) { + finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID'; + } elsif ( $section == INVALID_SECTION ) { finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED'; } elsif ( $section == RELATED_SECTION ) { finish_chain_section $chainref , $chainref, 'ESTABLISHED'; 
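Review bot: The header comment on new_rules_chain (hunk @@ -212) does not say how it differs from new_chain, which is the empty `sections` hash that finish_chain_section later reads and writes through `$chain1ref->{sections}{$_}`; suggest `# Create a rules chain: a filter chain with a {sections} hash recording which of ESTABLISHED/RELATED/INVALID have already been finished in it`. The argument could also be unpacked as `my ( $chain ) = @_;` rather than read as `$_[0]`, matching new_policy_chain and set_policy_chain in the neighbouring hunks. Any rules chain still created with plain new_chain elsewhere will autovivify `{sections}` on first use rather than fail, so that path is safe but worth a grep.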
@@ -853,7 +867,7 @@ sub ensure_rules_chain( $ ) } # -# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain +# Add ESTABLISHED,RELATED,INVALID rules and synparam jumps to the passed chain # sub finish_chain_section ($$$) { my ($chainref, @@ -862,8 +876,20 @@ sub finish_chain_section ($$$) { my $chain = $chainref->{name}; my $related_level = $config{RELATED_LOG_LEVEL}; my $related_target = $globals{RELATED_TARGET}; + my $invalid_level = $config{INVALID_LOG_LEVEL}; + my $invalid_target = $globals{INVALID_TARGET}; my $save_comment = push_comment; my $relatedchain = $chainref->{name} =~ /^\+/; + my $invalidchain = $chainref->{name} =~ /^_/; + my %state; + + $state{$_} = 1 for split ',', $state; + + for ( qw/ESTABLISHED RELATED INVALID/ ) { + delete $state{$_} if $chain1ref->{sections}{$_}; + } + + $chain1ref->{sections}{$_} = 1 for keys %state; if ( $state =~ /RELATED/ && ( $relatedchain || $related_level || $related_target ne 'ACCEPT' ) ) { @@ -879,7 +905,7 @@ sub finish_chain_section ($$$) { log_rule( $related_level, $relatedref, $config{RELATED_DISPOSITION}, - '' ) if $related_level; + '' ); $related_target = ensure_audit_chain( $related_target ) if ( $targets{$related_target} || 0 ) & AUDIT; 
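Review bot: The new %state bookkeeping in finish_chain_section deletes states already recorded in `$chain1ref->{sections}`, but the branch that follows still tests the original string (`if ( $state =~ /RELATED/ && ...`), so the deletion has no effect on it and a RELATED state already finished for this chain would have its jump emitted again; the same applies to `if ( $state =~ /INVALID/ && ...` in the next hunk (@@ -890). Both conditions should consult the hash, e.g. `if ( $state{RELATED} && ( $relatedchain || $related_level || $related_target ne 'ACCEPT' ) ) {`, so that they agree with the final ACCEPT loop, which already uses `$state{$_}`. finish_chain_section continues past the end of this hunk.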
@@ -890,15 +916,53 @@ sub finish_chain_section ($$$) { if ( $relatedchain ) { add_ijump $chainref, g => $related_target; - $state = ''; + %state = (); } else { add_ijump $chainref, g => $related_target, state_imatch 'RELATED'; - $state =~ s/,?RELATED//; + delete $state{RELATED}; } } - if ( $state ) { - add_ijump $chain1ref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT}; + if ( $state =~ /INVALID/ && ( $invalidchain || $invalid_level || $invalid_target ne 'ACCEPT' ) ) { + + if ( $invalid_level ) { + my $invalidref; + + if ( $invalidchain ) { + $invalidref = $chainref; + } else { + $invalidref = new_chain( 'filter', "_$chainref->{name}" ); + } + + log_rule( $invalid_level, + $invalidref, + $config{INVALID_DISPOSITION}, + '' ); + + $invalid_target = ensure_audit_chain( $invalid_target ) if ( $targets{$invalid_target} || 0 ) & AUDIT; + + add_ijump( $invalidref, g => $invalid_target ) if $invalid_target; + + $invalid_target = $invalidref->{name} unless $invalidchain; + } + + if ( $invalidchain ) { + add_ijump $chainref, g => $invalid_target; + %state = (); + } else { + add_ijump $chainref, g => $invalid_target, state_imatch 'INVALID' if $invalid_target; + delete $state{INVALID}; + } + } + + if ( keys %state && ! $config{FASTACCEPT} ) { + my @state; + + for ( qw/ESTABLISHED RELATED/ ) { + push @state, $_ if $state{$_}; + } + + add_ijump $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) if @state; } if ($sections{NEW} ) { @@ -939,6 +1003,8 @@ sub finish_section ( $ ) { if ( $section == RELATED_SECTION ) { $function = \&related_chain; + } elsif ( $section == INVALID_SECTION ) { + $function = \&invalid_chain; } else { $function = \&rules_chain; } 
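Review bot: In the `$invalidchain` branch of the new INVALID block, `add_ijump $chainref, g => $invalid_target;` has no guard, yet `$invalid_target` is `''` under the default INVALID_DISPOSITION=CONTINUE (Config.pm sets `$globals{INVALID_TARGET} = ''`) and the enclosing condition is true for every `_` chain because `'' ne 'ACCEPT'` holds, so unless add_ijump ignores an empty target this emits a jump to nothing. It should carry the guard the else branch already has: `add_ijump $chainref, g => $invalid_target if $invalid_target;`. With a log level set on a `_` chain, `$invalidref` is `$chainref`, so the guarded `add_ijump( $invalidref, g => $invalid_target )` inside the level block and this unconditional one land in the same chain and the second `-g` is unreachable. Separately, when INVALID_DISPOSITION=ACCEPT with no log level and no `_` chain, INVALID stays in %state but the closing loop only pushes ESTABLISHED and RELATED, so no ACCEPT rule is generated even though Config.pm accepts that value; either include INVALID in that loop or reject ACCEPT for this option. finish_chain_section begins before and continues after this hunk.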
@@ -2258,14 +2324,16 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { # $chainref = ensure_rules_chain $chain; # - # Handle rules in the BLACKLIST and RELATED sections + # Handle rules in the BLACKLIST, RELATED and INVALID sections # - if ( $section & ( BLACKLIST_SECTION | RELATED_SECTION ) ) { + if ( $section & ( BLACKLIST_SECTION | RELATED_SECTION | INVALID_SECTION ) ) { my $auxchain; my $auxref; if ( $blacklist ) { $auxchain = blacklist_chain( ${sourcezone}, ${destzone} ); + } elsif ( $section == INVALID_SECTION ) { + $auxchain = invalid_chain( ${sourcezone}, ${destzone} ); } else { $auxchain = related_chain( ${sourcezone}, ${destzone} ); } @@ -2280,6 +2348,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { if ( $blacklist ) { @state = state_imatch( 'NEW,INVALID' ) if $config{BLACKLISTNEWONLY}; $auxref->{blacklistsection} = 1; + } elsif ( $section == INVALID_SECTION ) { + @state = state_imatch( 'INVALID' ); } else { @state = state_imatch 'RELATED'; }; @@ -2369,7 +2439,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { do_headers( $headers ) , do_condition( $condition , $chain ) , ); - } elsif ( $section == RELATED_SECTION ) { + } elsif ( $section & ( INVALID_SECTION | RELATED_SECTION ) ) { $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , @@ -2400,8 +2470,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { $basictarget eq 'dropInvalid' ) { if ( $config{FASTACCEPT} ) { fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless - $section == RELATED_SECTION && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) - } + ( $section & ( RELATED_SECTION | INVALID_SECTION ) ) && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) + } fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT ); $rule .= "$globals{STATEMATCH} ESTABLISHED " if $section == ESTABLISHED_SECTION; 
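Review bot: The FASTACCEPT exemption in hunk @@ -2400 now admits INVALID-section rules but still inspects the RELATED settings: `( $section & ( RELATED_SECTION | INVALID_SECTION ) ) && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} )`. For the INVALID section the relevant knobs are INVALID_DISPOSITION and INVALID_LOG_LEVEL, so an INVALID rule is allowed or rejected under FASTACCEPT=Yes based on an unrelated setting; suggest `$section == RELATED_SECTION ? ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) : $section == INVALID_SECTION && ( $config{INVALID_DISPOSITION} ne 'ACCEPT' || $config{INVALID_LOG_LEVEL} )`. Since `$section` is assigned from `%section_map`, whose values are the numeric section constants, the `"Entries in the $section SECTION ..."` message prints a number rather than a name; a reverse lookup or the section string would read better. The `-}`/`+}` pair in this hunk is whitespace-only churn.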
@@ -2535,7 +2605,6 @@ sub process_section ($) { # fatal_error "Invalid SECTION ($sect)" unless defined $sections{$sect}; fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect}; - $sections{$sect} = 1; if ( $sect eq 'BLACKLIST' ) { fatal_error "The BLACKLIST section has been eliminated. Please move your BLACKLIST rules to the 'blrules' file"; @@ -2544,9 +2613,14 @@ sub process_section ($) { } elsif ( $sect eq 'RELATED' ) { @sections{'ALL','ESTABLISHED'} = ( 1, 1); finish_section 'ESTABLISHED'; - } elsif ( $sect eq 'NEW' ) { + } elsif ( $sect eq 'INVALID' ) { @sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 ); finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' ); + } elsif ( $sect eq 'NEW' ) { + @sections{'ALL','ESTABLISHED','RELATED','INVALID','NEW'} = ( 1, 1, 1, 1, 1 ); + finish_section ( ( $section == RELATED_SECTION ) ? 'RELATED,INVALID' : + ( $section == INVALID_SECTION ) ? 'INVALID' : + 'ESTABLISHED,RELATED,INVALID' ); } $section = $section_map{$sect}; @@ -2822,7 +2896,9 @@ sub process_rules( $ ) { process_rule while read_a_line( NORMAL_READ ); } - + # + # No need to finish the NEW section since no rules need to be generated + # $section = DEFAULTACTION_SECTION; } diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index f3205cba3..30e3fc77d 100644 --- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf @@ -23,6 +23,8 @@ VERBOSITY=1 BLACKLIST_LOGLEVEL= +INVALID_LOG_LEVEL= + LOG_MARTIANS=Yes LOG_VERBOSITY=2 @@ -224,6 +226,8 @@ ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP +INVALID_DISPOSITION=CONTINUE + MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index 4bd67b5b7..e9df443c9 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf 
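Review bot: Removing `$sections{$sect} = 1;` in hunk @@ -2535 leaves the current section unmarked in the RELATED and INVALID branches of hunk @@ -2544: RELATED sets only ALL and ESTABLISHED, INVALID sets ALL, ESTABLISHED and RELATED, and only the new NEW branch includes itself, so unless finish_section marks the current section, a repeated `SECTION RELATED` or `SECTION INVALID` would pass the `Duplicate or out of order SECTION` check. Either restore the assignment after the two checks or add the section's own name to each slice, e.g. `@sections{'ALL','ESTABLISHED','RELATED','INVALID'} = ( 1, 1, 1, 1 );` in the INVALID branch. In that same branch the inherited context line `finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );` compares the numeric value assigned from `%section_map` with a string, so it is always false and ESTABLISHED,RELATED is finished even when arriving from RELATED; the new NEW branch correctly writes `$section == RELATED_SECTION`, and this line should too. The ALL and ESTABLISHED branches fall between the two hunks and are not visible here.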
@@ -34,6 +34,8 @@ VERBOSITY=1 BLACKLIST_LOGLEVEL= +INVALID_LOG_LEVEL= + LOG_MARTIANS=Yes LOG_VERBOSITY=2 @@ -235,6 +237,8 @@ ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP +INVALID_DISPOSITION=CONTINUE + MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index 344fe7fb0..afde9972a 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -32,6 +32,8 @@ VERBOSITY=1 BLACKLIST_LOGLEVEL= +INVALID_LOG_LEVEL= + LOG_MARTIANS=Yes LOG_VERBOSITY=2 @@ -233,6 +235,8 @@ ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP +INVALID_DISPOSITION=CONTINUE + MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index b7ecf7663..a0502918f 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -35,6 +35,8 @@ VERBOSITY=1 BLACKLIST_LOGLEVEL= +INVALID_LOG_LEVEL= + LOG_MARTIANS=Yes LOG_VERBOSITY=2 @@ -236,6 +238,8 @@ ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP +INVALID_DISPOSITION=CONTINUE + MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index d49366214..2c0ec4692 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -23,6 +23,8 @@ VERBOSITY=1 BLACKLIST_LOGLEVEL= +INVALID_LOG_LEVEL= + LOG_MARTIANS=Yes LOG_VERBOSITY=2 @@ -224,6 +226,8 @@ ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP +INVALID_DISPOSITION=CONTINUE + MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index e8451bf46..e1817e53f 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml 
@@ -81,8 +81,25 @@ The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG and QUEUE - There is an implicit ACCEPT rule inserted at the end of this - section. + There is an implicit rule added at the end of this section + that invokes the RELATED_DISPOSITION (shorewall.conf(5)). + + + + + INVALID + + + Added in Shorewall 4.5.13. Packets in the INVALID state are + processed by rules in this section. + + The only Actions allowed in this section are ACCEPT, DROP, + REJECT, LOG and QUEUE. + + There is an implicit rule added at the end of this section + that invokes the INVALID_DISPOSITION (shorewall.conf(5)). diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index 1c554babf..13b89547e 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf @@ -24,6 +24,8 @@ VERBOSITY=1 BLACKLIST_LOGLEVEL= +INVALID_LOG_LEVEL= + LOG_VERBOSITY=2 LOGALLNEW= @@ -197,6 +199,8 @@ ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP +INVALID_DISPOSITION=CONTINUE + MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index 219f4ac8a..9e4e1f31f 100644 --- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -24,6 +24,8 @@ VERBOSITY=1 BLACKLIST_LOGLEVEL= +INVALID_LOG_LEVEL= + LOG_VERBOSITY=2 LOGALLNEW= @@ -197,6 +199,8 @@ ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP +INVALID_DISPOSITION=CONTINUE + MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index b822f3ac2..7ccd5bbeb 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf @@ -24,6 +24,8 @@ VERBOSITY=1 BLACKLIST_LOGLEVEL= +INVALID_LOG_LEVEL= + LOG_VERBOSITY=2 LOGALLNEW= 
@@ -197,6 +199,8 @@ ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP +INVALID_DISPOSITION=CONTINUE + MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index 6a7131407..9c691f931 100644 --- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf @@ -24,6 +24,8 @@ VERBOSITY=1 BLACKLIST_LOGLEVEL= +INVALID_LOG_LEVEL= + LOG_VERBOSITY=2 LOGALLNEW= @@ -197,6 +199,8 @@ ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP +INVALID_DISPOSITION=CONTINUE + MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf index 0c2a87821..3bde1ff60 100644 --- a/Shorewall6/configfiles/shorewall6.conf +++ b/Shorewall6/configfiles/shorewall6.conf @@ -24,6 +24,8 @@ VERBOSITY=1 BLACKLIST_LOGLEVEL= +INVALID_LOG_LEVEL= + LOG_VERBOSITY=2 LOGALLNEW= @@ -197,6 +199,8 @@ ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP +INVALID_DISPOSITION=CONTINUE + MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index b80ff1d17..ec3f5d133 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -74,8 +74,25 @@ The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG and QUEUE - There is an implicit ACCEPT rule inserted at the end of this - section. + There is an implicit rule added at the end of this section + that invokes the RELATED_DISPOSITION (shorewall6.conf(5)). + + + + + INVALID + + + Added in Shorewall 4.5.13. Packets in the INVALID state are + processed by rules in this section. + + The only Actions allowed in this section are ACCEPT, DROP, + REJECT, LOG and QUEUE. + + There is an implicit rule added at the end of this section + that invokes the INVALID_DISPOSITION (shorewall6.conf(5)).