Avoid superfluous --state NEW tests
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1156 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
321488cc24
commit
f99779a27f
@ -50,3 +50,5 @@ Changes since 1.4.10
|
|||||||
24) Move rfc1918 to /usr/share/shorewall
|
24) Move rfc1918 to /usr/share/shorewall
|
||||||
|
|
||||||
25) Make detectnets and routeback play nice together.
|
25) Make detectnets and routeback play nice together.
|
||||||
|
|
||||||
|
26) Avoid superfluous --state NEW tests.
|
||||||
|
@ -1569,8 +1569,6 @@ setup_nat() {
|
|||||||
#
|
#
|
||||||
> ${STATEDIR}/nat
|
> ${STATEDIR}/nat
|
||||||
|
|
||||||
echo "Setting up NAT..."
|
|
||||||
|
|
||||||
while read external interface internal allints localnat; do
|
while read external interface internal allints localnat; do
|
||||||
expandv external interface internal allints localnat
|
expandv external interface internal allints localnat
|
||||||
|
|
||||||
@ -2152,7 +2150,6 @@ add_an_action()
|
|||||||
|
|
||||||
sports=
|
sports=
|
||||||
dports=
|
dports=
|
||||||
state="-m state --state NEW"
|
|
||||||
proto=$protocol
|
proto=$protocol
|
||||||
servport=$serverport
|
servport=$serverport
|
||||||
multiport=
|
multiport=
|
||||||
@ -2170,10 +2167,8 @@ add_an_action()
|
|||||||
;;
|
;;
|
||||||
icmp|ICMP|1)
|
icmp|ICMP|1)
|
||||||
[ -n "$port" ] && dports="--icmp-type $port"
|
[ -n "$port" ] && dports="--icmp-type $port"
|
||||||
state=
|
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
state=
|
|
||||||
[ -n "$port" ] && \
|
[ -n "$port" ] && \
|
||||||
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
|
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
|
||||||
;;
|
;;
|
||||||
@ -2195,20 +2190,20 @@ add_an_action()
|
|||||||
for srv in $(ip_range $serv1); do
|
for srv in $(ip_range $serv1); do
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \
|
log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \
|
||||||
$(fix_bang $proto $sports $multiport $state $cli -d $srv $dports)
|
$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_iptables2 -A $action $proto $multiport $state $cli $sports \
|
run_iptables2 -A $action $proto $multiport $cli $sports \
|
||||||
-d $srv $dports $ratelimit $userandgroup -j $target
|
-d $srv $dports $ratelimit $userandgroup -j $target
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \
|
log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \
|
||||||
$(fix_bang $proto $sports $multiport $state $cli $dports)
|
$(fix_bang $proto $sports $multiport $cli $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_iptables2 -A $action $proto $multiport $state $cli $sports \
|
run_iptables2 -A $action $proto $multiport $cli $sports \
|
||||||
$dports $ratelimit $userandgroup -j $target
|
$dports $ratelimit $userandgroup -j $target
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -2826,7 +2821,6 @@ add_a_rule()
|
|||||||
|
|
||||||
sports=
|
sports=
|
||||||
dports=
|
dports=
|
||||||
state="-m state --state NEW"
|
|
||||||
proto=$protocol
|
proto=$protocol
|
||||||
addr=$address
|
addr=$address
|
||||||
servport=$serverport
|
servport=$serverport
|
||||||
@ -2845,7 +2839,6 @@ add_a_rule()
|
|||||||
;;
|
;;
|
||||||
icmp|ICMP|1)
|
icmp|ICMP|1)
|
||||||
[ -n "$port" ] && dports="--icmp-type $port"
|
[ -n "$port" ] && dports="--icmp-type $port"
|
||||||
state=
|
|
||||||
;;
|
;;
|
||||||
all|ALL)
|
all|ALL)
|
||||||
[ -n "$port" ] && \
|
[ -n "$port" ] && \
|
||||||
@ -2853,7 +2846,6 @@ add_a_rule()
|
|||||||
proto=
|
proto=
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
state=
|
|
||||||
[ -n "$port" ] && \
|
[ -n "$port" ] && \
|
||||||
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
|
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
|
||||||
;;
|
;;
|
||||||
@ -2911,19 +2903,19 @@ add_a_rule()
|
|||||||
for adr in $(separate_list $addr); do
|
for adr in $(separate_list $addr); do
|
||||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \
|
log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \
|
||||||
$userandgroup $(fix_bang $proto $sports $multiport $state $cli -d $srv $dports)
|
$userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_iptables2 -A $chain $proto $ratelimit $multiport $state $cli $sports \
|
run_iptables2 -A $chain $proto $ratelimit $multiport $cli $sports \
|
||||||
-d $srv $dports -m conntrack --ctorigdst $adr $userandgroup -j $target
|
-d $srv $dports -m conntrack --ctorigdst $adr $userandgroup -j $target
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
|
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
|
||||||
$(fix_bang $proto $sports $multiport $state $cli -d $srv $dports)
|
$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
|
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
||||||
-d $srv $dports $ratelimit $userandgroup -j $target
|
-d $srv $dports $ratelimit $userandgroup -j $target
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@ -2931,10 +2923,10 @@ add_a_rule()
|
|||||||
else
|
else
|
||||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
|
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
|
||||||
$(fix_bang $proto $sports $multiport $state $cli $dports)
|
$(fix_bang $proto $sports $multiport $cli $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
|
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
||||||
$dports $ratelimit $userandgroup -j $target
|
$dports $ratelimit $userandgroup -j $target
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -2950,11 +2942,11 @@ add_a_rule()
|
|||||||
if [ $command != check ]; then
|
if [ $command != check ]; then
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
|
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
|
||||||
$(fix_bang $proto $multiport $dest_interface $state $cli $sports $dports)
|
$(fix_bang $proto $multiport $dest_interface $cli $sports $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $logtarget != LOG ]; then
|
if [ $logtarget != LOG ]; then
|
||||||
run_iptables2 -A $chain $proto $multiport $dest_interface $state \
|
run_iptables2 -A $chain $proto $multiport $dest_interface \
|
||||||
$cli $sports $dports $ratelimit $userandgroup -j $target
|
$cli $sports $dports $ratelimit $userandgroup -j $target
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -4925,6 +4917,8 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
|
|
||||||
setup_proxy_arp
|
setup_proxy_arp
|
||||||
|
|
||||||
|
echo "Setting up NAT..."
|
||||||
|
|
||||||
setup_nat
|
setup_nat
|
||||||
|
|
||||||
echo "Adding Common Rules"
|
echo "Adding Common Rules"
|
||||||
|
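Review bot: Dropping `-m state --state NEW` from the rules emitted in add_a_rule (hunk `@ -2911,19 +2903,19 @@`, the `run_iptables2 -A $chain ...` lines) widens every rules-file ACCEPT/DNAT rule to match packets in any conntrack state, so the change is only safe if each chain these rules are appended to has already accepted ESTABLISHED,RELATED and disposed of INVALID before the first add_a_rule rule is reached; nothing in these hunks shows where that guarantee is established, and an INVALID packet that previously failed the NEW test would now be accepted by the same rule. The same question applies to add_an_action, whose action chains are entered from those rules chains. If that invariant is already enforced elsewhere, keep the removal but record it at the spot where `state="-m state --state NEW"` used to be assigned, e.g. `# no --state NEW here: the chains these rules are appended to must already have handled ESTABLISHED,RELATED and INVALID, so only NEW traffic reaches them -- confirm for every chain add_a_rule/add_an_action append to`. Both add_a_rule and add_an_action start and end outside the visible hunks.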