Fix ADMINISABSENTMINDED=No used with stoppedrules

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-09-25 08:03:35 -07:00
parent 56649e2183
commit ea40068c10
4 changed files with 40 additions and 27 deletions

View File

@ -1654,6 +1654,10 @@ sub insert_rule($$$) {
sub insert_irule( $$$$;@ ) { sub insert_irule( $$$$;@ ) {
my ( $chainref, $jump, $target, $number, @matches ) = @_; my ( $chainref, $jump, $target, $number, @matches ) = @_;
my $rulesref = $chainref->{rules};
return add_irule( $chainref, $jump, $target, @matches ) if $number >= @$rulesref;
my $ruleref = {}; my $ruleref = {};
$ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE; $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
@ -1673,7 +1677,7 @@ sub insert_irule( $$$$;@ ) {
$ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment; $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
splice( @{$chainref->{rules}}, $number, 0, $ruleref ); splice( @$rulesref, $number, 0, $ruleref );
trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug; trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;

View File

@ -690,11 +690,10 @@ sub process_stoppedrules() {
my $result; my $result;
if ( my $fn = open_file 'stoppedrules' , 1, 1 ) { if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
first_entry sub() { first_entry sub () {
progress_message2("$doing $fn..."); progress_message2( "$doing $fn..." );
unless ( $config{ADMINISABSENTMINDED} ) { unless ( $config{ADMINISABSENTMINDED} ) {
warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes"); insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
$config{ADMINISABSENTMINDED} = 'Yes';
} }
}; };

View File

@ -309,17 +309,22 @@
<term>stoppedrules</term> <term>stoppedrules</term>
<listitem> <listitem>
<para>If ADMINISABSENTMINDED=No, a warning message is issued <para>All existing connections continue to work. To sever all
and the setting is ignored.</para> existing connections when the firewall is stopped, install the
conntrack utility and place the command <command>conntrack
<para>In addition to connections matching entries in -F</command> in the stopped user exit
<filename>stoppedrules</filename>, existing connections
continue to work and all new connections from the firewall
system itself are allowed. To sever all existing connections
when the firewall is stopped, install the conntrack utility
and place the command <command>conntrack -F</command> in the
stopped user exit
(<filename>/etc/shorewall/stopped</filename>).</para> (<filename>/etc/shorewall/stopped</filename>).</para>
<para>If ADMINISABSENTMINDED=No, only new connections matching
entries in <filename>stoppedrules</filename> are accepted when
Shorewall is stopped. Response packets and related connections
are automatically accepted.</para>
<para>If ADMINISABSENTMINDED=Yes, in addition to connections
matching entries in <filename>stoppedrules</filename>, all new
connections from the firewall system itself are allowed when
the firewall is stopped. Response packets and related
connections are automatically accepted.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>

View File

@ -220,9 +220,9 @@
<listitem> <listitem>
<para>The value of this variable affects Shorewall's stopped state. <para>The value of this variable affects Shorewall's stopped state.
The behavior differs depending on whether <ulink The behavior differs depending on whether <ulink
url="shorewall-routestopped.html">shorewall6-routestopped</ulink>(5) url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or <ulink or <ulink
url="shorewall-stoppedrules.html">shorewall6-stoppedrules</ulink>(5) url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
is used:</para> is used:</para>
<variablelist> <variablelist>
@ -245,17 +245,22 @@
<term>stoppedrules</term> <term>stoppedrules</term>
<listitem> <listitem>
<para>If ADMINISABSENTMINDED=No, a warning message is issued <para>All existing connections continue to work. To sever all
and the setting is ignored.</para> existing connections when the firewall is stopped, install the
conntrack utility and place the command <command>conntrack
<para>In addition to connections matching entries in -F</command> in the stopped user exit
<filename>stoppedrules</filename>, existing connections
continue to work and all new connections from the firewall
system itself are allowed. To sever all existing connections
when the firewall is stopped, install the conntrack utility
and place the command <command>conntrack -F</command> in the
stopped user exit
(<filename>/etc/shorewall6/stopped</filename>).</para> (<filename>/etc/shorewall6/stopped</filename>).</para>
<para>If ADMINISABSENTMINDED=No, only new connections matching
entries in <filename>stoppedrules</filename> are accepted when
Shorewall is stopped. Response packets and related connections
are automatically accepted.</para>
<para>If ADMINISABSENTMINDED=Yes, in addition to connections
matching entries in <filename>stoppedrules</filename>, all new
connections from the firewall system itself are allowed when
the firewall is stopped. Response packets and related
connections are automatically accepted.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>