Generate warning for zone names beginning with digit; pretty up add_a_rule()
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2110 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
9350da941e
commit
d12d88afcd
@ -4288,8 +4288,8 @@ add_a_rule()
|
|||||||
|
|
||||||
if [ -n "$natrule" ]; then
|
if [ -n "$natrule" ]; then
|
||||||
add_nat_rule
|
add_nat_rule
|
||||||
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
|
elif [ -n "$servport" -a "$servport" != "$port" ]; then
|
||||||
fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\""
|
fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination port mapping; rule \"$rule\""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$dnat_only" ]; then
|
if [ -z "$dnat_only" ]; then
|
||||||
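Review bot: Dropping the `$addr` test from the `elif` at `elif [ -n "$servport" -a "$servport" != "$port" ]; then` means an ORIGINAL DEST on a non-NAT rule is no longer rejected here, yet the server-address branch in the next hunk (the loops closed by the two `done` lines) still builds its `addnatrule` and `run_iptables2` commands without any `--ctorigdst` match, so unless lines between the two hunks handle it, the address is silently ignored and the generated rule matches more traffic than the rules-file entry states. The simple-zone branch later in this commit does add `-m conntrack --ctorigdst $adr`, so either carry the same match into that loop or keep a guard in front of it, e.g. `[ -n "$addr" ] && fatal_error "ORIGINAL DEST is not supported when DEST names a server address: \"$rule\""`. add_a_rule starts before this hunk and its body continues beyond it.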
@ -4312,13 +4312,15 @@ add_a_rule()
|
|||||||
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
|
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$nonat" ] && \
|
if [ -n "$nonat" ]; then
|
||||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||||
$cli $sports $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j RETURN
|
$cli $sports $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j RETURN
|
||||||
|
fi
|
||||||
|
|
||||||
[ "$logtarget" != NONAT ] && \
|
if [ "$logtarget" != NONAT ]; then
|
||||||
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
||||||
$(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target
|
$(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
@ -4342,24 +4344,43 @@ add_a_rule()
|
|||||||
|
|
||||||
# Destination is a simple zone
|
# Destination is a simple zone
|
||||||
|
|
||||||
[ -n "$addr" ] && fatal_error \
|
|
||||||
"An ORIGINAL DESTINATION ($addr) is only allowed in" \
|
|
||||||
" a DNAT, SAME or REDIRECT: \"$rule\""
|
|
||||||
|
|
||||||
if [ $COMMAND != check ]; then
|
if [ $COMMAND != check ]; then
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$addr" ]; then
|
||||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
for adr in $(separate_list $addr); do
|
||||||
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
|
if [ -n "$loglevel" ]; then
|
||||||
fi
|
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||||
|
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr)
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$logtarget" != LOG ]; then
|
if [ "$logtarget" != LOG ]; then
|
||||||
[ -n "$nonat" ] && \
|
if [ -n "$nonat" ]; then
|
||||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||||
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
$cli $sports $dports $ratelimit $userandgroup -m conntrack --ctorigdst $adr -j RETURN
|
||||||
|
fi
|
||||||
|
|
||||||
[ "$logtarget" != NONAT ] && \
|
if [ "$logtarget" != NONAT ]; then
|
||||||
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
|
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
|
||||||
$sports $dports $ratelimit $userandgroup -j $target
|
$sports $dports $ratelimit $userandgroup -m conntrack --ctorigdst $adr -j $target
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
else
|
||||||
|
if [ -n "$loglevel" ]; then
|
||||||
|
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||||
|
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$logtarget" != LOG ]; then
|
||||||
|
if [ -n "$nonat" ]; then
|
||||||
|
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||||
|
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$logtarget" != NONAT ]; then
|
||||||
|
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
|
||||||
|
$sports $dports $ratelimit $userandgroup -j $target
|
||||||
|
fi
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
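Review bot: The new `for adr in $(separate_list $addr); do` loop passes each entry straight to `--ctorigdst`, but nothing validates the column first; the rules-file comment added in this commit says the list should not begin with `!` and that ranges are not allowed, and the deleted `fatal_error` was the only check on `$addr` on this path. Because the loop sits inside `if [ $COMMAND != check ]; then`, a malformed entry is only discovered when iptables rejects it at start time rather than by `check`; a guard placed before that test, `case "$addr" in !*) fatal_error "ORIGINAL DEST may not begin with \"!\": \"$rule\"" ;; esac`, would close that gap. Separately, the `else` branch repeats the whole loglevel/nonat/run_iptables2 sequence with only the `-m conntrack --ctorigdst $adr` fragment missing; holding that fragment in a variable (empty when `$addr` is unset) and running one loop body would halve the hunk and keep the two paths from drifting apart. add_a_rule's body continues beyond this hunk.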
@ -269,6 +269,9 @@ find_zones() # $1 = name of the zone file
|
|||||||
{
|
{
|
||||||
while read zone display comments; do
|
while read zone display comments; do
|
||||||
[ -n "$zone" ] && case "$zone" in
|
[ -n "$zone" ] && case "$zone" in
|
||||||
|
[0-9*])
|
||||||
|
echo " Warning: Illegal zone name \"$zone\" in zones file ignored" 2>&2
|
||||||
|
;;
|
||||||
\#*)
|
\#*)
|
||||||
;;
|
;;
|
||||||
$FW|all|none)
|
$FW|all|none)
|
||||||
|
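Review bot: The new case arm `[0-9*])` is a single-character bracket expression, so it only matches a one-character zone name that is a digit or `*`; a name such as `1net` falls through to the later arms and no warning is produced, the opposite of what the commit title describes. The arm should read `[0-9]*)`. On the next line `2>&2` redirects stderr onto itself, so the warning is written to stdout and into whatever consumes find_zones's output; the redirection should be `echo " Warning: Illegal zone name \"$zone\" in zones file ignored" >&2`. find_zones's `while read` loop continues beyond the hunk.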
@ -263,8 +263,8 @@
|
|||||||
# Otherwise, a separate rule will be generated for each
|
# Otherwise, a separate rule will be generated for each
|
||||||
# port.
|
# port.
|
||||||
#
|
#
|
||||||
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
|
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then
|
||||||
# REDIRECT[-]) If included and different from the IP
|
# if included and different from the IP
|
||||||
# address given in the SERVER column, this is an address
|
# address given in the SERVER column, this is an address
|
||||||
# on some interface on the firewall and connections to
|
# on some interface on the firewall and connections to
|
||||||
# that address will be forwarded to the IP and port
|
# that address will be forwarded to the IP and port
|
||||||
@ -280,6 +280,20 @@
|
|||||||
# destination address in the connection request does not
|
# destination address in the connection request does not
|
||||||
# match any of the addresses listed.
|
# match any of the addresses listed.
|
||||||
#
|
#
|
||||||
|
# For other actions, this column may be included and may
|
||||||
|
# contain one or more addresses (host or network)
|
||||||
|
# separated by commas. Address ranges are not allowed.
|
||||||
|
# When this column is supplied, rules are generated
|
||||||
|
# that require that the original destination address matches
|
||||||
|
# one of the listed addresses. This feature is most useful when
|
||||||
|
# you want to generate a filter rule that corresponds to a
|
||||||
|
# DNAT- or REDIRECT- rule. In this usage, the list of
|
||||||
|
# addresses should not begin with "!".
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/PortKnocking.html for an
|
||||||
|
# example of using an entry in this column with a
|
||||||
|
# user-defined action rule.
|
||||||
|
#
|
||||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||||
# this colume:
|
# this colume:
|
||||||
#
|
#
|
||||||
|