Fix route filtering
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@782 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
ee51d49233
commit
f046ea3ab1
@ -24,3 +24,9 @@ Changes since 1.4.7
|
||||
|
||||
11) Remove incorrect comment from shorewall.conf regarding Debian
|
||||
lockfiles.
|
||||
|
||||
12) Change "_exists" suffix (including _nat_exists) to an "exists_"
|
||||
prefix to allow chain names beginning with a digit without
|
||||
lengthening the variable name.
|
||||
|
||||
13) Applied and improved Eric Bowles's fix for route filtering.
|
||||
|
@ -229,7 +229,7 @@ run_tc() {
|
||||
#
|
||||
# If the chain isn't one of the common chains then add a rule to the chain
|
||||
# allowing packets that are part of an established connection. Create a
|
||||
# variable ${1}_exists and set its value to Yes to indicate that the chain now
|
||||
# variable exists_${1} and set its value to Yes to indicate that the chain now
|
||||
# exists.
|
||||
#
|
||||
createchain() # $1 = chain name, $2 = If "yes", create default rules
|
||||
@ -244,7 +244,7 @@ createchain() # $1 = chain name, $2 = If "yes", create default rules
|
||||
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
|
||||
fi
|
||||
|
||||
eval ${c}_exists=Yes
|
||||
eval exists_${c}=Yes
|
||||
}
|
||||
|
||||
createchain2() # $1 = chain name, $2 = If "yes", create default rules
|
||||
@ -259,22 +259,22 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
|
||||
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
|
||||
fi
|
||||
|
||||
eval ${c}_exists=Yes
|
||||
eval exists_${c}=Yes
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Determine if a chain exists
|
||||
#
|
||||
# When we create a chain "chain", we create a variable named chain_exists and
|
||||
# set its value to Yes. This function tests for the "_exists" variable
|
||||
# When we create a chain "chain", we create a variable named exists_chain and
|
||||
# set its value to Yes. This function tests for the "exists_" variable
|
||||
# corresponding to the passed chain having the value of "Yes".
|
||||
#
|
||||
havechain() # $1 = name of chain
|
||||
{
|
||||
local c=`chain_base $1`
|
||||
|
||||
eval test \"\$${c}_exists\" = Yes
|
||||
eval test \"\$exists_${c}\" = Yes
|
||||
}
|
||||
|
||||
#
|
||||
@ -313,26 +313,26 @@ addrule() # $1 = chain name, remainder of arguments specify the rule
|
||||
#
|
||||
# Create a nat chain
|
||||
#
|
||||
# Create a variable ${1}_nat_exists and set its value to Yes to indicate that
|
||||
# Create a variable exists_nat_${1} and set its value to Yes to indicate that
|
||||
# the chain now exists.
|
||||
#
|
||||
createnatchain() # $1 = chain name
|
||||
{
|
||||
run_iptables -t nat -N $1
|
||||
|
||||
eval ${1}_nat_exists=Yes
|
||||
eval exists_nat_${1}=Yes
|
||||
}
|
||||
|
||||
#
|
||||
# Determine if a nat chain exists
|
||||
#
|
||||
# When we create a chain "chain", we create a variable named chain_nat_exists
|
||||
# and set its value to Yes. This function tests for the "_exists" variable
|
||||
# When we create a chain "chain", we create a variable named exists_nat_chain
|
||||
# and set its value to Yes. This function tests for the "exists_" variable
|
||||
# corresponding to the passed chain having the value of "Yes".
|
||||
#
|
||||
havenatchain() # $1 = name of chain
|
||||
{
|
||||
eval test \"\$${1}_nat_exists\" = Yes
|
||||
eval test \"\$exists_nat_${1}\" = Yes
|
||||
}
|
||||
|
||||
#
|
||||
@ -4202,6 +4202,7 @@ add_common_rules() {
|
||||
|
||||
if [ -n "$interfaces" ]; then
|
||||
echo "Setting up ARP Filtering..."
|
||||
|
||||
for interface in $interfaces; do
|
||||
file=/proc/sys/net/ipv4/conf/$interface/arp_filter
|
||||
if [ -f $file ]; then
|
||||
@ -4215,28 +4216,28 @@ add_common_rules() {
|
||||
#
|
||||
# Route Filtering
|
||||
#
|
||||
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
|
||||
echo 0 > $f
|
||||
done
|
||||
|
||||
interfaces="`find_interfaces_by_option routefilter`"
|
||||
|
||||
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
|
||||
echo "Setting up Kernel Route Filtering..."
|
||||
|
||||
if [ -n "$ROUTE_FILTER" ]; then
|
||||
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
|
||||
else
|
||||
for interface in $interfaces; do
|
||||
file=/proc/sys/net/ipv4/conf/$interface/rp_filter
|
||||
if [ -f $file ]; then
|
||||
echo 1 > $file
|
||||
else
|
||||
error_message \
|
||||
"Warning: Cannot set route filtering on $interface"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
|
||||
echo 0 > $f
|
||||
done
|
||||
|
||||
for interface in $interfaces; do
|
||||
file=/proc/sys/net/ipv4/conf/$interface/rp_filter
|
||||
if [ -f $file ]; then
|
||||
echo 1 > $file
|
||||
else
|
||||
error_message \
|
||||
"Warning: Cannot set route filtering on $interface"
|
||||
fi
|
||||
done
|
||||
|
||||
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
|
||||
[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
|
||||
run_ip route flush cache
|
||||
fi
|
||||
#
|
||||
# IP Forwarding
|
||||
|
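Review bot: The new `[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter` line in the add_common_rules hunk (like the enclosing `if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]`) only tests that the variable is non-empty, whereas the shorewall.conf hunk in this same commit documents the values "Yes"/"yes" and ships `ROUTE_FILTER=No`; unless ROUTE_FILTER is normalised to the empty string earlier in the script (not visible in this hunk), the literal `No` would switch on default/rp_filter. If no such normalisation exists, guard the write with `case "$ROUTE_FILTER" in [Yy]es) echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter ;; esac`. The unconditional `echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter`, issued after every per-interface rp_filter has been reset to 0, presumably relies on the kernel combining conf/all with the per-interface value so that only the interfaces carrying the 'routefilter' option end up filtered; that assumption deserves a comment on that line such as `# all/rp_filter must be 1 for the per-interface values to take effect; the 0/1 written per interface above selects which ones filter` because a kernel that treats all=1 as a global switch would filter every interface, not just the listed ones. add_common_rules continues outside the hunk.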
@ -422,9 +422,6 @@ chain_base() #$1 = interface
|
||||
|
||||
while true; do
|
||||
case $c in
|
||||
[0-9]*)
|
||||
c=C${c}
|
||||
;;
|
||||
*.*)
|
||||
c="${c%.*}_${c##*.}"
|
||||
;;
|
||||
|
@ -44,9 +44,20 @@ Problems Corrected since version 1.4.7:
|
||||
8) An incorrect comment concerning Debian's use of the SYBSYSLOCK
|
||||
option has been removed from shorewall.conf.
|
||||
|
||||
9) Previously, neither the 'routefilter' interface option nor the
|
||||
ROUTE_FILTER parameter were working properly. This has been
|
||||
corrected. The definition of the ROUTE_FILTER option has changed
|
||||
however. Previously, ROUTE_FILTER=Yes was documented as enabling
|
||||
route filtering on all interfaces (which didn't work). Beginning
|
||||
with this release, setting ROUTE_FILTER=Yes will enable route
|
||||
filtering of all interfaces brought up while Shorewall is
|
||||
started. As a consequence, ROUTE_FILTER=Yes can coexist with the use
|
||||
of the 'routefilter' option in the interfaces file.
|
||||
|
||||
Migration Issues:
|
||||
|
||||
None.
|
||||
1. The definition of the ROUTE_FILTER option in shorewall.conf has
|
||||
changed as described in item 9) above.
|
||||
|
||||
New Features:
|
||||
|
||||
@ -84,3 +95,4 @@ New Features:
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -349,11 +349,12 @@ CLAMPMSS=No
|
||||
# ROUTE FILTERING
|
||||
#
|
||||
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
|
||||
# interfaces (anti-spoofing measure).
|
||||
# interfaces started while Shorewall is started (anti-spoofing measure).
|
||||
#
|
||||
# If this variable is not set or is set to the empty value, "No" is assumed.
|
||||
# In that case, you can still enable route filtering on individual interfaces
|
||||
# in the /etc/shorewall/interfaces file.
|
||||
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
|
||||
# on individual interfaces using the 'routefilter' option in the
|
||||
# /etc/shorewall/interfaces file.
|
||||
|
||||
ROUTE_FILTER=No
|
||||
|
||||
|