Add MACLISTNEW Option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1951 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-02-09 17:23:32 +00:00 · 2005-02-09 17:23:32 +00:00 · e0abc315d1
commit e0abc315d1
parent 29290ddcfb
4 changed files with 29 additions and 1 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -4,6 +4,8 @@ Changes in 2.2.1

 2) Simon Matter's patch for umask.

+3) Added MACLISTNEWONLY option.
+
 Changes since 2.0.3

 1) Fix security vulnerability involving temporary files/directories.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -2073,10 +2073,11 @@ setup_mac_lists() {
 	ipsec=${hosts%^*}
 	hosts=${hosts#*^}
 	[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
+	[ -n "$MACLISTNEWONLY" ] && state="-m state --state NEW" || state=
 	interface=${hosts%%:*}
 	hosts=${hosts#*:}
 	for chain in $(first_chains $interface) ; do
-	    run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
+	    run_iptables -A $chain $(match_source_hosts $hosts) $state \
 		$policy -j $(mac_chain $interface)
 	done
    done
@ -7126,6 +7127,7 @@ do_initialize() {
    LOGTAGONLY=
    LOGALLNEW=
    DROPINVALID=
+    MACLISTNEWONLY=

    RESTOREBASE=
    TMP_DIR=
@ -7321,6 +7323,7 @@ do_initialize() {
    DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
    LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
    DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
+    MACLISTNEWONLY=$(added_param_value_yes MACLISTNEWONLY $MACLISTNEWONLY)
    #
    # Strip the files that we use often
    #
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -10,6 +10,13 @@ Problems corrected in version 2.2.1
   files in /var/lib/shorewall to be world-readable. Shorewall now uses
   umask 0177.
 -----------------------------------------------------------------------
+New Features in version 2.2.1
+
+1) A MACLISTNEWONLY option is added to shorewall.conf. When set to Yes
+   (the default), then only new incoming connection requests are
+   checked against the maclist. If set to No, all incoming packets are
+   checked.
+-----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0 to Shorewall 2.2:

 1)  Shorewall configuration files except shorewall.conf are now empty
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@ -633,6 +633,22 @@ ADMINISABSENTMINDED=Yes
 #
 BLACKLISTNEWONLY=Yes

+#
+# MACLIST Behavior
+#
+# The following variable determines whether the maclist is checked for each
+# packet or for each new connection.
+#
+#	MACLISTNEWONLY=Yes	Only consult the interface's maclist for new
+#				connection requests
+#
+#	MACLISTNEWONLY=No	Consult maclists for all packets.
+#
+# If the MACLISTNEWONLY option is not set or is set to the empty value then
+# BLACKLISTNEWONLY=Yes is assumed.
+#
+BLACKLISTNEWONLY=Yes
+
 #
 # Users with a large blacklist find that "shorwall [re]start" takes a long
 # time and that new connections are disabled during that time. By setting