Allow DROP in the stoppedrules file

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-01-07 13:19:49 -08:00
parent 7e6fc3229d
commit fd28a12653
3 changed files with 30 additions and 18 deletions


@ -700,14 +700,14 @@ sub process_stoppedrules() {
split_line1( 'stoppedrules file',
{ target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 } );
fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;
fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|DROP|NOTRACK)$/;
my $tableref;
my $raw;
my $chainref;
my $restriction = NO_RESTRICT;
if ( $target eq 'NOTRACK' ) {
if ( $raw = ( $target eq 'NOTRACK' || $target eq 'DROP' ) ) {
$tableref = $raw_table;
require_capability 'RAW_TABLE', 'NOTRACK', 's';
$chainref = $raw_table->{PREROUTING};
@ -717,21 +717,21 @@ sub process_stoppedrules() {
}
if ( $source eq $fw ) {
$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
$chainref = ( $raw ? $raw_table : $filter_table)->{OUTPUT};
$source = '';
$restriction = OUTPUT_RESTRICT;
} elsif ( $source =~ s/^($fw):// ) {
$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
$chainref = ( $raw ? $raw_table : $filter_table)->{OUTPUT};
$restriction = OUTPUT_RESTRICT;
}
if ( $dest eq $fw ) {
fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
fatal_error "\$FW may not be specified as the destination of a NOTRACK or DROP rule" if $raw;
$chainref = $filter_table->{INPUT};
$dest = '';
$restriction = INPUT_RESTRICT;
} elsif ( $dest =~ s/^($fw):// ) {
fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
fatal_error "\$FW may not be specified as the destination of a NOTRACK or DROP rule" if $raw;
$chainref = $filter_table->{INPUT};
$restriction = INPUT_RESTRICT;
}
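Review bot: The capability check `require_capability 'RAW_TABLE', 'NOTRACK', 's';` still hard-codes NOTRACK, so a DROP rule on a system lacking the raw table will produce a diagnostic that talks about NOTRACK; passing the actual target, `require_capability 'RAW_TABLE', $target, 's';`, keeps the message accurate (assuming the second argument is the feature name used in the error text, as the existing call suggests). The assignment inside the condition `if ( $raw = ( $target eq 'NOTRACK' || $target eq 'DROP' ) ) {` is easy to misread as a comparison; assigning `$raw` on its own line and then testing `if ( $raw ) {` makes the intent obvious. The man-page hunks describe DROP as happening in the raw table's PREROUTING chain, but the `$fw`-source branches in this hunk select the raw OUTPUT chain for DROP as well, so the documentation should mention both chains. process_stoppedrules begins and continues outside the hunk.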


@ -40,14 +40,20 @@
<variablelist>
<varlistentry>
<term><emphasis role="bold">ACTION</emphasis> -
<option>ACCEPT|NOTRACK</option></term>
<option>ACCEPT|NOTRACK|DROP</option></term>
<listitem>
<para>Determines the disposition of the packet.
<option>ACCEPT</option> means that the packet will be accepted.
<option>NOTRACK</option> indicates that no conntrack entry should be
created for the packet. <option>NOTRACK</option> does not imply
<option>ACCEPT</option>.</para>
<para>Determines the disposition of the packet.</para>
<para><option>ACCEPT</option> means that the packet will be
accepted.</para>
<para><option>NOTRACK</option> indicates that no conntrack entry
should be created for the packet. <option>NOTRACK</option> does not
imply <option>ACCEPT</option>.</para>
<para><option>DROP</option> was added in Shorewall 4.6.0 and causes
the packet to be dropped in the raw table's PREROUTING chain.</para>
</listitem>
</varlistentry>


@ -43,11 +43,17 @@
<option>ACCEPT|NOTRACK</option></term>
<listitem>
<para>Determines the disposition of the packet.
<option>ACCEPT</option> means that the packet will be accepted.
<option>NOTRACK</option> indicates that no conntrack entry should be
created for the packet. <option>NOTRACK</option> does not imply
<option>ACCEPT</option>.</para>
<para>Determines the disposition of the packet.</para>
<para><option>ACCEPT</option> means that the packet will be
accepted.</para>
<para><option>NOTRACK</option> indicates that no conntrack entry
should be created for the packet. <option>NOTRACK</option> does not
imply <option>ACCEPT</option>.</para>
<para><option>DROP</option> was added in Shorewall 4.6.0 and causes
the packet to be dropped in the raw table's PREROUTING chain.</para>
</listitem>
</varlistentry>