forked from extern/shorewall_code
Revert 8ff4d004c0
This commit is contained in:
parent
4e8d753682
commit
e5106f10bc
@ -167,7 +167,7 @@ our %EXPORT_TAGS = (
|
|||||||
|
|
||||||
Exporter::export_ok_tags('internal');
|
Exporter::export_ok_tags('internal');
|
||||||
|
|
||||||
our $VERSION = '4.4_5';
|
our $VERSION = '4.4_4';
|
||||||
|
|
||||||
#
|
#
|
||||||
# Chain Table
|
# Chain Table
|
||||||
@ -1185,18 +1185,9 @@ sub finish_section ( $ ) {
|
|||||||
$sections{$_} = 1 for split /,/, $sections;
|
$sections{$_} = 1 for split /,/, $sections;
|
||||||
|
|
||||||
for my $zone ( all_zones ) {
|
for my $zone ( all_zones ) {
|
||||||
my $mark = defined_zone( $zone )->{mark};
|
|
||||||
for my $zone1 ( all_zones ) {
|
for my $zone1 ( all_zones ) {
|
||||||
my $mark1 = ( defined_zone( $zone1 )->{mark} || 0 ) << VIRTUAL_BITS;
|
|
||||||
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
|
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
|
||||||
|
finish_chain_section $chainref, $sections if $chainref->{referenced};
|
||||||
finish_chain_section $chainref, $sections if $chainref->{referenced} || $mark || $mark1;
|
|
||||||
|
|
||||||
if ( $sections{RELATED} ) {
|
|
||||||
add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark;
|
|
||||||
add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1) if $mark1;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -127,7 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
|||||||
|
|
||||||
Exporter::export_ok_tags('internal');
|
Exporter::export_ok_tags('internal');
|
||||||
|
|
||||||
our $VERSION = '4.4_5';
|
our $VERSION = '4.4_4';
|
||||||
|
|
||||||
#
|
#
|
||||||
# describe the current command, it's present progressive, and it's completion.
|
# describe the current command, it's present progressive, and it's completion.
|
||||||
@ -242,7 +242,6 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
IPMARK_TARGET => 'IPMARK Target',
|
IPMARK_TARGET => 'IPMARK Target',
|
||||||
PERSISTENT_SNAT => 'Persistent SNAT',
|
PERSISTENT_SNAT => 'Persistent SNAT',
|
||||||
OLD_HL_MATCH => 'Old Hash Limit Match',
|
OLD_HL_MATCH => 'Old Hash Limit Match',
|
||||||
MARK_IN_FILTER => 'MARK in Filter Table',
|
|
||||||
CAPVERSION => 'Capability Version',
|
CAPVERSION => 'Capability Version',
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
@ -620,7 +619,6 @@ sub initialize( $ ) {
|
|||||||
LOG_TARGET => 1, # Assume that we have it.
|
LOG_TARGET => 1, # Assume that we have it.
|
||||||
PERSISTENT_SNAT => undef,
|
PERSISTENT_SNAT => undef,
|
||||||
OLD_HL_MATCH => undef,
|
OLD_HL_MATCH => undef,
|
||||||
MARK_IN_FILTER => undef,
|
|
||||||
CAPVERSION => undef,
|
CAPVERSION => undef,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
@ -2033,7 +2031,6 @@ sub determine_capabilities( $ ) {
|
|||||||
$capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
|
$capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
|
||||||
$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
|
$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
|
||||||
$capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
|
$capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
|
||||||
$capabilities{MARK_IN_FILTER} = qt1( "$iptables -A $sillyname -j MARK --set-mark 1" );
|
|
||||||
|
|
||||||
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
|
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
|
||||||
|
|
||||||
|
@ -348,16 +348,8 @@ sub validate_policy()
|
|||||||
add_or_modify_policy_chain( $zone1, $zone );
|
add_or_modify_policy_chain( $zone1, $zone );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} elsif ( defined_zone( $zone )->{virtual} ) {
|
|
||||||
for my $zone1 ( @{defined_zone( $zone )->{children}} ) {
|
|
||||||
for my $zone2 ( all_zones ) {
|
|
||||||
unless ( $zone1 eq $zone2 ) {
|
|
||||||
add_or_modify_policy_chain( $zone1, $zone2 );
|
|
||||||
add_or_modify_policy_chain( $zone2, $zone1 );
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
} }
|
|
||||||
|
|
||||||
my $fn = open_file 'policy';
|
my $fn = open_file 'policy';
|
||||||
|
|
||||||
|
@ -1724,11 +1724,10 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
for my $hostref ( @{$arrayref} ) {
|
for my $hostref ( @{$arrayref} ) {
|
||||||
my $ipsec_match = match_ipsec_in $zone , $hostref;
|
my $ipsec_match = match_ipsec_in $zone , $hostref;
|
||||||
my $exclusion = source_exclusion( $hostref->{exclusions}, $frwd_ref );
|
|
||||||
for my $net ( @{$hostref->{hosts}} ) {
|
for my $net ( @{$hostref->{hosts}} ) {
|
||||||
add_jump(
|
add_jump(
|
||||||
$sourcechainref,
|
$sourcechainref,
|
||||||
$exclusion,
|
source_exclusion( $hostref->{exclusions}, $frwd_ref ),
|
||||||
! @{$zoneref->{parents}},
|
! @{$zoneref->{parents}},
|
||||||
join( '', $interfacematch , match_source_net( $net ), $ipsec_match )
|
join( '', $interfacematch , match_source_net( $net ), $ipsec_match )
|
||||||
);
|
);
|
||||||
@ -1760,7 +1759,6 @@ sub generate_matrix() {
|
|||||||
my $nested = $zoneref->{options}{nested};
|
my $nested = $zoneref->{options}{nested};
|
||||||
my $parenthasnat = 0;
|
my $parenthasnat = 0;
|
||||||
my $parenthasnotrack = 0;
|
my $parenthasnotrack = 0;
|
||||||
my $virtual = $zoneref->{virtual};
|
|
||||||
|
|
||||||
if ( $nested ) {
|
if ( $nested ) {
|
||||||
#
|
#
|
||||||
@ -1825,8 +1823,6 @@ sub generate_matrix() {
|
|||||||
my $outputref;
|
my $outputref;
|
||||||
my $interfacematch = '';
|
my $interfacematch = '';
|
||||||
|
|
||||||
add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
|
|
||||||
|
|
||||||
if ( use_output_chain $interface ) {
|
if ( use_output_chain $interface ) {
|
||||||
$outputref = $filter_table->{output_chain $interface};
|
$outputref = $filter_table->{output_chain $interface};
|
||||||
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
|
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
|
||||||
@ -1885,7 +1881,6 @@ sub generate_matrix() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( $chain2 ) {
|
if ( $chain2 ) {
|
||||||
add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
|
|
||||||
add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match );
|
add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match );
|
||||||
move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface;
|
move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface;
|
||||||
}
|
}
|
||||||
@ -1958,11 +1953,6 @@ sub generate_matrix() {
|
|||||||
} else {
|
} else {
|
||||||
@dest_zones = @zones ;
|
@dest_zones = @zones ;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $frwd_ref ) {
|
|
||||||
add_jump $filter_table->{FORWARD}, $frwd_ref, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Here it is -- THE BIG UGLY!!!!!!!!!!!!
|
# Here it is -- THE BIG UGLY!!!!!!!!!!!!
|
||||||
#
|
#
|
||||||
@ -1971,7 +1961,6 @@ sub generate_matrix() {
|
|||||||
#
|
#
|
||||||
for my $zone1 ( @dest_zones ) {
|
for my $zone1 ( @dest_zones ) {
|
||||||
my $zone1ref = find_zone( $zone1 );
|
my $zone1ref = find_zone( $zone1 );
|
||||||
my $virtual1 = $zone1ref->{virtual};
|
|
||||||
|
|
||||||
next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE';
|
next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE';
|
||||||
|
|
||||||
@ -2001,9 +1990,8 @@ sub generate_matrix() {
|
|||||||
next if $hostref->{options}{sourceonly};
|
next if $hostref->{options}{sourceonly};
|
||||||
if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
|
if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
|
||||||
my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
|
my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
|
||||||
my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
|
|
||||||
for my $net ( @{$hostref->{hosts}} ) {
|
for my $net ( @{$hostref->{hosts}} ) {
|
||||||
add_jump( $frwd_ref, $exclusion, 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match ) );
|
add_jump $frwd_ref, dest_exclusion( $hostref->{exclusions}, $chain), 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -2044,7 +2032,6 @@ sub generate_matrix() {
|
|||||||
for my $host1ref ( @$array1ref ) {
|
for my $host1ref ( @$array1ref ) {
|
||||||
next if $host1ref->{options}{sourceonly};
|
next if $host1ref->{options}{sourceonly};
|
||||||
my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
|
my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
|
||||||
my $exclusion = dest_exclusion( $host1ref->{exclusions}, $chain );
|
|
||||||
for my $net1 ( @{$host1ref->{hosts}} ) {
|
for my $net1 ( @{$host1ref->{hosts}} ) {
|
||||||
unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
|
unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
|
||||||
#
|
#
|
||||||
@ -2052,7 +2039,7 @@ sub generate_matrix() {
|
|||||||
#
|
#
|
||||||
add_jump(
|
add_jump(
|
||||||
$excl3ref ,
|
$excl3ref ,
|
||||||
$exclusion,
|
dest_exclusion( $host1ref->{exclusions}, $chain ),
|
||||||
0,
|
0,
|
||||||
join( '',
|
join( '',
|
||||||
$match_source_dev,
|
$match_source_dev,
|
||||||
@ -2061,11 +2048,6 @@ sub generate_matrix() {
|
|||||||
match_dest_net($net1),
|
match_dest_net($net1),
|
||||||
$ipsec_out_match )
|
$ipsec_out_match )
|
||||||
);
|
);
|
||||||
add_jump($excl3ref ,
|
|
||||||
$exclusion,
|
|
||||||
0,
|
|
||||||
"-m mark ! --mark 0/" . in_hex($virtual1) ) if $virtual1;
|
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -40,7 +40,7 @@ use strict;
|
|||||||
our @ISA = qw(Exporter);
|
our @ISA = qw(Exporter);
|
||||||
our @EXPORT = qw( setup_tc );
|
our @EXPORT = qw( setup_tc );
|
||||||
our @EXPORT_OK = qw( process_tc_rule initialize );
|
our @EXPORT_OK = qw( process_tc_rule initialize );
|
||||||
our $VERSION = '4.4_5';
|
our $VERSION = '4.4_4';
|
||||||
|
|
||||||
our %tcs = ( T => { chain => 'tcpost',
|
our %tcs = ( T => { chain => 'tcpost',
|
||||||
connmark => 0,
|
connmark => 0,
|
||||||
@ -1235,7 +1235,6 @@ sub setup_tc() {
|
|||||||
|
|
||||||
if ( $capabilities{MANGLE_FORWARD} ) {
|
if ( $capabilities{MANGLE_FORWARD} ) {
|
||||||
add_rule $mangle_table->{FORWARD} , '-j tcfor';
|
add_rule $mangle_table->{FORWARD} , '-j tcfor';
|
||||||
add_rule $mangle_table->{POSTROUTING}, '-j MARK --and-mark 0xffffff'; # Clear virtual marks
|
|
||||||
add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
|
add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -40,7 +40,6 @@ our @EXPORT = qw( NOTHING
|
|||||||
IP
|
IP
|
||||||
BPORT
|
BPORT
|
||||||
IPSEC
|
IPSEC
|
||||||
VIRTUAL_BITS
|
|
||||||
|
|
||||||
determine_zones
|
determine_zones
|
||||||
zone_report
|
zone_report
|
||||||
@ -76,7 +75,7 @@ our @EXPORT = qw( NOTHING
|
|||||||
);
|
);
|
||||||
|
|
||||||
our @EXPORT_OK = qw( initialize );
|
our @EXPORT_OK = qw( initialize );
|
||||||
our $VERSION = '4.4_5';
|
our $VERSION = '4.4_4';
|
||||||
|
|
||||||
#
|
#
|
||||||
# IPSEC Option types
|
# IPSEC Option types
|
||||||
@ -105,8 +104,6 @@ use constant { NOTHING => 'NOTHING',
|
|||||||
# children => [ <children> ]
|
# children => [ <children> ]
|
||||||
# interfaces => { <interfaces1> => 1, ... }
|
# interfaces => { <interfaces1> => 1, ... }
|
||||||
# bridge => <bridge>
|
# bridge => <bridge>
|
||||||
# virtual => <virtual zone mark>
|
|
||||||
# mark => <LORed virtual zone marks of parent virtual zones>
|
|
||||||
# hosts { <type> } => [ { <interface1> => { ipsec => 'ipsec'|'none'
|
# hosts { <type> } => [ { <interface1> => { ipsec => 'ipsec'|'none'
|
||||||
# options => { <option1> => <value1>
|
# options => { <option1> => <value1>
|
||||||
# ...
|
# ...
|
||||||
@ -159,7 +156,6 @@ our @bport_zones;
|
|||||||
our %ipsets;
|
our %ipsets;
|
||||||
our %physical;
|
our %physical;
|
||||||
our $family;
|
our $family;
|
||||||
our $virtualmark;
|
|
||||||
|
|
||||||
use constant { FIREWALL => 1,
|
use constant { FIREWALL => 1,
|
||||||
IP => 2,
|
IP => 2,
|
||||||
@ -180,11 +176,6 @@ use constant { SIMPLE_IF_OPTION => 1,
|
|||||||
IF_OPTION_HOST => 16,
|
IF_OPTION_HOST => 16,
|
||||||
};
|
};
|
||||||
|
|
||||||
use constant { VIRTUAL_BASE => 0x1000000 ,
|
|
||||||
VIRTUAL_LIMIT => 0x8000000 ,
|
|
||||||
VIRTUAL_BITS => 4 #Bits for virtual MASK numbers
|
|
||||||
};
|
|
||||||
|
|
||||||
our %validinterfaceoptions;
|
our %validinterfaceoptions;
|
||||||
|
|
||||||
our %validhostoptions;
|
our %validhostoptions;
|
||||||
@ -210,7 +201,6 @@ sub initialize( $ ) {
|
|||||||
@bport_zones = ();
|
@bport_zones = ();
|
||||||
%ipsets = ();
|
%ipsets = ();
|
||||||
%physical = ();
|
%physical = ();
|
||||||
$virtualmark = VIRTUAL_BASE;
|
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
%validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
|
%validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
|
||||||
@ -363,8 +353,6 @@ sub process_zone( \$ ) {
|
|||||||
|
|
||||||
my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
|
my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
|
||||||
|
|
||||||
my $mark = 0;
|
|
||||||
|
|
||||||
if ( $zone =~ /(\w+):([\w,]+)/ ) {
|
if ( $zone =~ /(\w+):([\w,]+)/ ) {
|
||||||
$zone = $1;
|
$zone = $1;
|
||||||
@parents = split_list $2, 'zone';
|
@parents = split_list $2, 'zone';
|
||||||
@ -373,7 +361,6 @@ sub process_zone( \$ ) {
|
|||||||
fatal_error "Invalid Parent List ($2)" unless $p;
|
fatal_error "Invalid Parent List ($2)" unless $p;
|
||||||
fatal_error "Unknown parent zone ($p)" unless $zones{$p};
|
fatal_error "Unknown parent zone ($p)" unless $zones{$p};
|
||||||
fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
|
fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
|
||||||
$mark |= $zones{$p}{virtual};
|
|
||||||
push @{$zones{$p}{children}}, $zone;
|
push @{$zones{$p}{children}}, $zone;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -415,17 +402,6 @@ sub process_zone( \$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
my $virtual = 0;
|
|
||||||
|
|
||||||
if ( $options eq 'virtual' ) {
|
|
||||||
require_capability 'MARK_IN_FILTER' , 'virtual zones', '';
|
|
||||||
fatal_error "Only ipv${family} zones may be virtual" unless $type == IP;
|
|
||||||
fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT;
|
|
||||||
$virtual = $virtualmark;
|
|
||||||
$virtualmark = $virtualmark << 1;
|
|
||||||
$options = '';
|
|
||||||
}
|
|
||||||
|
|
||||||
for ( $options, $in_options, $out_options ) {
|
for ( $options, $in_options, $out_options ) {
|
||||||
$_ = '' if $_ eq '-';
|
$_ = '' if $_ eq '-';
|
||||||
}
|
}
|
||||||
@ -433,8 +409,6 @@ sub process_zone( \$ ) {
|
|||||||
$zones{$zone} = { type => $type,
|
$zones{$zone} = { type => $type,
|
||||||
parents => \@parents,
|
parents => \@parents,
|
||||||
bridge => '',
|
bridge => '',
|
||||||
virtual => $virtual,
|
|
||||||
mark => $mark ,
|
|
||||||
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
|
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
|
||||||
in => parse_zone_option_list( $in_options || '', $type ) ,
|
in => parse_zone_option_list( $in_options || '', $type ) ,
|
||||||
out => parse_zone_option_list( $out_options || '', $type ) ,
|
out => parse_zone_option_list( $out_options || '', $type ) ,
|
||||||
@ -556,8 +530,9 @@ sub zone_report()
|
|||||||
|
|
||||||
unless ( $printed ) {
|
unless ( $printed ) {
|
||||||
fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge};
|
fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge};
|
||||||
warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL || ( $zoneref->{virtual} && @{$zoneref->{children}} );
|
warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -612,12 +587,6 @@ sub dump_zone_contents()
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $zoneref->{virtual} && @{$zoneref->{children}} ) {
|
|
||||||
$entry .= " (";
|
|
||||||
$entry .= "$_," for @{$zoneref->{children}};
|
|
||||||
$entry =~ s/,$/) /;
|
|
||||||
}
|
|
||||||
|
|
||||||
emit_unindented $entry;
|
emit_unindented $entry;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -12,7 +12,7 @@ Changes in Shorewall 4.4.5
|
|||||||
|
|
||||||
6) Fix 'show policies' in Shorewall6.
|
6) Fix 'show policies' in Shorewall6.
|
||||||
|
|
||||||
7) Limit the maximum provider mark to 0xff0000.
|
7) Limit the maximum provider mark to 0xf0000.
|
||||||
|
|
||||||
Changes in Shorewall 4.4.4
|
Changes in Shorewall 4.4.4
|
||||||
|
|
||||||
|
@ -30,7 +30,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_LIBVERSION=40000
|
SHOREWALL_LIBVERSION=40000
|
||||||
SHOREWALL_CAPVERSION=40405
|
SHOREWALL_CAPVERSION=40402
|
||||||
|
|
||||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||||
@ -828,7 +828,6 @@ determine_capabilities() {
|
|||||||
IPMARK_TARGET=
|
IPMARK_TARGET=
|
||||||
LOG_TARGET=Yes
|
LOG_TARGET=Yes
|
||||||
PERSISTENT_SNAT=
|
PERSISTENT_SNAT=
|
||||||
MARK_IN_FILTER=
|
|
||||||
|
|
||||||
chain=fooX$$
|
chain=fooX$$
|
||||||
|
|
||||||
@ -959,7 +958,6 @@ determine_capabilities() {
|
|||||||
qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
|
qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
|
||||||
qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
|
qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
|
||||||
qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
|
qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
|
||||||
qt $IPTABLES -A $chain -j MARK --set-mark 1 && MARK_IN_FILTER=Yes
|
|
||||||
|
|
||||||
qt $IPTABLES -F $chain
|
qt $IPTABLES -F $chain
|
||||||
qt $IPTABLES -X $chain
|
qt $IPTABLES -X $chain
|
||||||
@ -1028,7 +1026,6 @@ report_capabilities() {
|
|||||||
report_capability "IPMARK Target" $IPMARK_TARGET
|
report_capability "IPMARK Target" $IPMARK_TARGET
|
||||||
report_capability "LOG Target" $LOG_TARGET
|
report_capability "LOG Target" $LOG_TARGET
|
||||||
report_capability "Persistent SNAT" $PERSISTENT_SNAT
|
report_capability "Persistent SNAT" $PERSISTENT_SNAT
|
||||||
report_capability "Mark in Filter Table" $MARK_IN_FILTER
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||||
@ -1088,7 +1085,6 @@ report_capabilities1() {
|
|||||||
report_capability1 IPMARK_TARGET
|
report_capability1 IPMARK_TARGET
|
||||||
report_capability1 LOG_TARGET
|
report_capability1 LOG_TARGET
|
||||||
report_capability1 PERSISTENT_SNAT
|
report_capability1 PERSISTENT_SNAT
|
||||||
report_capability1 MARK_IN_FILTER
|
|
||||||
|
|
||||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||||
}
|
}
|
||||||
|
@ -173,6 +173,10 @@ Shorewall 4.4.5
|
|||||||
default. If, for some reason, you don't want 'track' then specify
|
default. If, for some reason, you don't want 'track' then specify
|
||||||
'notrack' for the provider.
|
'notrack' for the provider.
|
||||||
|
|
||||||
|
14) With HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes, the maximum
|
||||||
|
provider mark value is 0xf0000. This limits the number of providers
|
||||||
|
to 15.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 5
|
P R O B L E M S C O R R E C T E D I N 4 . 4 . 5
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
@ -230,6 +234,10 @@ None.
|
|||||||
$FW dmz REJECT info
|
$FW dmz REJECT info
|
||||||
$FW all ACCEPT
|
$FW all ACCEPT
|
||||||
|
|
||||||
|
3) With HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes, the maximum
|
||||||
|
provider mark value is now 0xf0000. This limits the number of
|
||||||
|
providers to 15.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
N E W F E A T U R E S I N 4 . 4 . 0
|
N E W F E A T U R E S I N 4 . 4 . 0
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
@ -33,7 +33,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_LIBVERSION=40300
|
SHOREWALL_LIBVERSION=40300
|
||||||
SHOREWALL_CAPVERSION=40405
|
SHOREWALL_CAPVERSION=40402
|
||||||
|
|
||||||
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
||||||
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
||||||
@ -737,7 +737,6 @@ determine_capabilities() {
|
|||||||
GOTO_TARGET=
|
GOTO_TARGET=
|
||||||
IPMARK_TARGET=
|
IPMARK_TARGET=
|
||||||
LOG_TARGET=Yes
|
LOG_TARGET=Yes
|
||||||
MARK_IN_FILTER=Yes
|
|
||||||
|
|
||||||
chain=fooX$$
|
chain=fooX$$
|
||||||
|
|
||||||
@ -865,7 +864,6 @@ determine_capabilities() {
|
|||||||
qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
|
qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
|
||||||
qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
|
qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
|
||||||
qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
|
qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
|
||||||
qt $IP6TABLES -A $chain -j MARK --set-mark 1 && MARK_IN_FILTER=Yes
|
|
||||||
qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
|
qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
|
||||||
|
|
||||||
qt $IP6TABLES -F $chain
|
qt $IP6TABLES -F $chain
|
||||||
|
Loading…
Reference in New Issue
Block a user