holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity
9,554 Commits 104 Branches 736 Tags 54 MiB
1ae9a3185a
Commit Graph

1067 Commits

Author SHA1 Message Date
Tom Eastep
c040344bc1 Promote 'in' blacklist rules to the head of the interface chain 
- Added Chains::promote_blacklist_rules()
- Called the function from Rules::generate_matrix()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 08:38:02 -07:00
Tom Eastep
2fa16f6d08 Enable blacklist rule promotion 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 08:36:59 -07:00
Tom Eastep
578fc6c521 Correct Chains::promote_blacklist_rules() 
- Interate through chains that jump to 'blacklst' until no rule is promoted
  This is required to promote jumps past exclusion chains
- Correct reference counting; the first cut was horribly wrong

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 08:36:35 -07:00
Tom Eastep
fd6ff1849a Promote 'in' blacklist rules to the head of the interface chain 
- Added Chains::promote_blacklist_rules()
- Called the function from Rules::generate_matrix()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 07:37:42 -07:00
Tom Eastep
fd568ece47 Clear raw table on 'clear' 2010-09-17 17:43:57 -07:00
Tom Eastep
1588c700c5 Fix blacklisting vs vservers 2010-09-17 17:43:40 -07:00
Tom Eastep
6106dd3ada Zero out {frozen} in a deleted chain entry 2010-09-17 17:43:04 -07:00
Tom Eastep
580c561a51 Clear raw table on 'clear' 2010-09-17 17:12:34 -07:00
Tom Eastep
a42576aef8 Fix blacklisting vs vservers 2010-09-17 16:38:34 -07:00
Tom Eastep
79bb47582a Zero out {frozen} in a deleted chain entry 2010-09-17 16:00:36 -07:00
Tom Eastep
596d207dfc Simplify a test 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-17 15:43:56 -07:00
Tom Eastep
8cdbe5f88d Fix an optimization bug with the new blacklisting code 2010-09-17 15:43:47 -07:00
Tom Eastep
402b3b929e Restore trace output in move_rules() 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-17 15:43:03 -07:00
Tom Eastep
c5bb3ecfac Simplify a test 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-17 15:42:05 -07:00
Tom Eastep
c9e876fcf5 Fix an optimization bug with the new blacklisting code 2010-09-17 15:10:02 -07:00
Tom Eastep
85430e459c Restore trace output in move_rules() 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-17 14:35:25 -07:00
Tom Eastep
ad660d7fe5 Simplify move_rules() 2010-09-17 13:53:10 -07:00
Tom Eastep
3d0f8e962e Simplify move_rules() 2010-09-17 13:49:32 -07:00
Tom Eastep
7a6943fa54 Disallow mss and blacklist on firewall and vserver zones 2010-09-17 12:54:58 -07:00
Tom Eastep
b76ee408a5 Emit clearer error messages 2010-09-17 12:54:54 -07:00
Tom Eastep
2e3635ff50 Be sure that {frozen} is defined 2010-09-17 12:54:44 -07:00
Tom Eastep
ab78aac3a4 Disallow mss and blacklist on firewall and vserver zones 2010-09-17 12:46:38 -07:00
Tom Eastep
330afe1701 Emit clearer error messages 2010-09-17 12:35:34 -07:00
Tom Eastep
239b4a2356 Be sure that {frozen} is defined 2010-09-17 12:08:48 -07:00
Tom Eastep
7175f8a63e Revert versions on Rules and Zones modules 2010-09-17 11:08:45 -07:00
Tom Eastep
d898c87617 Eliminate a parameter to add_jump() 2010-09-17 11:08:12 -07:00
Tom Eastep
07930fc535 Revert versions on Rules and Zones modules 2010-09-17 11:06:32 -07:00
Tom Eastep
5357f4c347 Eliminate a parameter to add_jump() 2010-09-17 11:05:35 -07:00
Tom Eastep
af24baaecd Update version to RC1 (one more time) 2010-09-17 09:14:56 -07:00
Tom Eastep
e61230a3db Update version to Beta 6 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-17 08:23:24 -07:00
Tom Eastep
882970a598 Use state match for UNTRACKED 2010-09-17 07:58:21 -07:00
Tom Eastep
2ce3c8aa88 Ensure that blacklist rules are before the other interface-oriented rules 2010-09-16 18:19:16 -07:00
Tom Eastep
27c445381e Treat 'blacklist' uniformly in hosts and zones 2010-09-16 15:48:12 -07:00
Tom Eastep
1c870b532a Preserve dynamic blacklist during stop/clear/restore 2010-09-16 12:17:04 -07:00
Tom Eastep
a8c9fc1859 Implement new Blacklisting Scheme 2010-09-16 09:40:28 -07:00
Tom Eastep
3c1cff0794 First steps toward zone-based blacklisting 2010-09-16 06:55:48 -07:00
Tom Eastep
1d650b41cd Remove blacklisting by destination IP address support 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-15 15:24:58 -07:00
Tom Eastep
3ad3f0d9e0 Allow floating point numbers in tcinterfaces fields other than <rate> 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-15 14:07:21 -07:00
Tom Eastep
ba89ec39b5 Add :<burst> to /etc/shorewall/tcdevices 2010-09-15 11:56:14 -07:00
Tom Eastep
69a2fa1907 Replace to/from with dst/src 2010-09-15 11:25:46 -07:00
Tom Eastep
f925b335ef Ignore the 'blacklist' host option 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-15 08:10:57 -07:00
Tom Eastep
373fc87165 More blacklisting wrapup 
- Deprecate 'blacklist' in the hosts file
- Base blacklisting on interfaces alone

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-15 07:38:20 -07:00
Tom Eastep
4d0e8d129b Add dup blacklist message 2010-09-14 18:04:27 -07:00
Tom Eastep
10a9ae496a More manpage updates for 4.4.13 2010-09-14 16:47:45 -07:00
Tom Eastep
94cdc73ec2 Restore setpolicy() to prog.header* 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-14 13:50:22 -07:00
Tom Eastep
c4a40d8c7b Set version to RC1 (again) 2010-09-14 13:09:50 -07:00
Tom Eastep
1f2691b052 Another fix for blacklisting; correct composition of $hosts1 2010-09-14 06:47:29 -07:00
Tom Eastep
0f913fca2f Don't create blackout unnecessarily 2010-09-13 18:15:50 -07:00
Tom Eastep
82bccf16b5 Avoid internal error when there are no 'to' entries 2010-09-13 17:55:20 -07:00
Tom Eastep
b1e9bff382 Create new ipsets on 'start' 2010-09-13 15:46:04 -07:00
Tom Eastep
a6194fabd2 Delete blank line 2010-09-13 14:15:47 -07:00
Tom Eastep
33adbe7a27 Update documentation for net TC features 2010-09-13 13:51:25 -07:00
Tom Eastep
1729da87f1 Allow both 'to' and 'from' in blacklist 2010-09-13 12:51:10 -07:00
Tom Eastep
9b4c3e22dd Allow floating point numbers in TC rates 2010-09-13 12:50:50 -07:00
Tom Eastep
cb1f7adea3 Add :<burst> to IN-BANDWIDTH 2010-09-13 11:23:37 -07:00
Tom Eastep
283eda2fa5 Cosmetic change to OUT-BANDWIDTH code 2010-09-12 16:33:19 -07:00
Tom Eastep
bd9041306c Add undocumented OUT-BANDWIDTH column to tcinterfaces 2010-09-12 16:25:45 -07:00
Tom Eastep
a3b7b9c11b Delete unused functions from prog.header* 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-12 10:07:26 -07:00
Tom Eastep
931c5a8d0a Add an assertion 2010-09-11 16:24:27 -07:00
Tom Eastep
50fc972d2a Fix another SAME defect :-( 2010-09-11 16:15:09 -07:00
Tom Eastep
512cd7b08e Bump version to 4.4.13 RC 1 2010-09-11 15:46:14 -07:00
Tom Eastep
aad7b70e18 Rename constant 2010-09-11 15:31:43 -07:00
Tom Eastep
c6c6503d83 Clean up a remaining issue with SAME 2010-09-11 15:24:01 -07:00
Tom Eastep
f004916055 Disallow a DEST interface in mangle OUTPUT rules 2010-09-11 14:10:05 -07:00
Tom Eastep
3ea7808b38 Disallow a DEST interface in mangle PREROUTING rules 2010-09-11 14:02:09 -07:00
Tom Eastep
e93a7fe9df Avoid recent problems by not padding $target in process_tc_rule() 2010-09-11 11:03:28 -07:00
Tom Eastep
d9ced1051a One more fix for SAME 2010-09-11 10:35:45 -07:00
Tom Eastep
367fc041b8 Correct handling of SAME -- Take 2 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-11 09:36:19 -07:00
Tom Eastep
dbc9f6ac8f Correct handling of SAME 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-11 08:56:22 -07:00
Tom Eastep
8dd42c9e19 Correct handling of dst/src list in ipset invocation 2010-09-11 07:41:01 -07:00
Tom Eastep
99f8f84024 Fix name of F chain in secmarks 2010-09-10 16:45:22 -07:00
Tom Eastep
69817007bf Some more fixes for blacklisting 2010-09-09 14:53:12 -07:00
Tom Eastep
50300a60b7 A number of corrections to split blacklisting. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-09 11:20:49 -07:00
Tom Eastep
64544f4ab5 Correct comparison in 'blacklist' handling 2010-09-09 10:22:48 -07:00
Tom Eastep
cd4b5d80ed Reduce patch footprint by two lines 2010-09-09 09:00:28 -07:00
Tom Eastep
df1e17eaa8 Re-enable 'blacklist' on bridge ports 2010-09-09 07:09:08 -07:00
Tom Eastep
50b4bd8dfe More Blacklist and Secmark documentation updates 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-06 17:26:49 -07:00
Tom Eastep
f3255cd83a Rework blacklisting 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-06 15:29:20 -07:00
Tom Eastep
c6f58ba924 Enhance SELinux support: 
- Add state match
- Add user/group match
- Add examples to the man pages
 2010-09-06 09:06:40 -07:00
Tom Eastep
33dc8de8fb Allow dash's in ipset names 2010-09-05 11:41:35 -07:00
Tom Eastep
23e94e136c Allow COMMENT, SAVE and RESTORE to work correctly in secmarks 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-05 08:17:58 -07:00
Tom Eastep
629290259d Allow secmarks without TC_ENABLED 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-05 07:49:03 -07:00
Tom Eastep
b139ff7e90 Update docs and implementation of SECMARK 2010-09-04 16:08:29 -07:00
Tom Eastep
28ff3548ff Bump version to 4.4.13-Beta4 2010-09-04 15:30:02 -07:00
Tom Eastep
15d8d6d8b7 Add SECMARK and CONNSECMARK support 2010-09-04 15:12:08 -07:00
Tom Eastep
6caff51c98 Modify a comment are delete a silly identity assignment 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-01 11:24:19 -07:00
Tom Eastep
62fcf1ae8b Adjust version of Raw.pm 2010-08-31 16:52:48 -07:00
Tom Eastep
dfebe5a35e Correct error message 2010-08-31 16:33:15 -07:00
Tom Eastep
8f94137007 Fix last change 2010-08-30 16:47:45 -07:00
Tom Eastep
1da6d51d1a Reduce the Beta3 patch footprint by making the second arg to known_interface() optional 2010-08-30 16:43:30 -07:00
Tom Eastep
add76ed14e Bump version to 4.4.13 Beta 3 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-30 12:33:10 -07:00
Tom Eastep
7f0f4516d7 Rework handle_optional_interfaces() somewhat 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-30 12:29:39 -07:00
Tom Eastep
c18d206726 Use a function to generate the list of interfaces with an L3 address 2010-08-29 20:13:56 -07:00
Tom Eastep
57c54af6ed Re-implement optional interface handling 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-29 12:32:44 -07:00
Tom Eastep
d94f2cc86d Insure that the mapping to base names is deterministic 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-29 07:28:06 -07:00
Tom Eastep
be0231578f Insure uniqueness of chain_base mapping 2010-08-28 20:47:39 -07:00
Tom Eastep
95a09b996f Fix test for KLUDGEFREE 2010-08-28 20:47:15 -07:00
Tom Eastep
1531ad3bcd Re-implement interface->shell-variable mapping 2010-08-28 15:15:41 -07:00
Tom Eastep
3a36a9de4b Fix shell-variable creation 2010-08-28 14:48:47 -07:00
Tom Eastep
d8846b92d8 Fix optional 'upnpclient' interfaces - take 2 2010-08-28 14:46:29 -07:00
Tom Eastep
a440e7023e Fix optional 'upnpclient' interfaces 2010-08-28 14:18:48 -07:00
Tom Eastep
f45879c4f4 split_list1 removes () -- take 2 2010-08-28 13:40:44 -07:00
Tom Eastep
2a54e8cd24 split_list1 removes () 2010-08-28 13:37:19 -07:00
Tom Eastep
c2558af9c8 Document and correct implementation of EXCLUSION_MASK 
1. Require KLUDGEFREE if existing rule uses mark match
2. Pretty up the code
3. Use MASK_BITS rather than TC_BITS when calculating the offset of EXCLUSION_MASK

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-28 08:29:47 -07:00
Tom Eastep
c98cf8aea6 Re-implement exclusion in CONTINUE/NONAT/ACCEPT+ rules 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-27 10:09:42 -07:00
Tom Eastep
57bcfee559 Add 'Mark in any table' capability 2010-08-27 08:35:33 -07:00
Tom Eastep
a1cd2ba0f3 Bring 'multiple space before comment' fix forward to master 
Probably unneeded but better be safe

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-27 06:59:52 -07:00
Tom Eastep
12f48e1b97 Don't pass '-j' in target arg to expand_rule() 
- use the target to locate chain for reference tracking

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-26 10:37:07 -07:00
Tom Eastep
15fbbdaac7 Fix exclusion in blacklist 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-26 10:33:57 -07:00
Tom Eastep
bd8bcabdf0 Use the 'disposition' argument to expand_rule() to specify the target chain 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-26 08:40:24 -07:00
Tom Eastep
75e12148ac Bump version to Beta 2 2010-08-25 09:58:07 -07:00
Tom Eastep
4a865e0a6d Pretty up some come 2010-08-24 13:08:21 -07:00
Tom Eastep
91c5a2f80b Fix old ipset detection bug 2010-08-24 13:08:06 -07:00
Tom Eastep
5c49aa843c Generate warning when a rules file entry generates no iptables-restore input 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-24 08:38:49 -07:00
Tom Eastep
383e792807 Restore wildcard properties to zone lists 2010-08-24 06:52:53 -07:00
Tom Eastep
5a92c3262f Fix REQUIRE_INTERFACE=Yes 2010-08-23 17:19:41 -07:00
Tom Eastep
d74af30368 Fix zone-exclusion bug 2010-08-23 16:31:46 -07:00
Tom Eastep
160ad231df Fix an old optimization bug 2010-08-23 15:14:09 -07:00
Tom Eastep
335ac8cdca Improve IPSEC accounting. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-20 10:07:19 -07:00
Tom Eastep
e70d9c82d8 Revise and document IPSEC Accounting 
- Place accounting rules in accipsecin and accipsecout
- Add warning when rule inserted into unreferenced accounting chain
- Add warning when an accounting chain has no references

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-20 08:24:45 -07:00
Tom Eastep
33ee9b1481 Add IPSEC Accounting (again) 2010-08-20 06:53:31 -07:00
Tom Eastep
d9d31ff132 Remove another 'our' variable 2010-08-19 15:34:04 -07:00
Tom Eastep
c80b1b3585 Correct types in do_ipsec() 2010-08-19 15:33:49 -07:00
Tom Eastep
af77eb08bc Back out IPSEC accounting rules 2010-08-19 15:13:01 -07:00
Tom Eastep
2a9bbbfe62 Eliminate an ugly 'our' variable. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-19 12:00:52 -07:00
Tom Eastep
676da7a2f1 More reorganization of process_rule() 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-19 11:53:26 -07:00
Tom Eastep
d997ef1653 First cut at IPSEC support in the accounting file. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-19 11:46:26 -07:00
Tom Eastep
4322d7b2af Zone exclusion 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-18 16:10:58 -07:00
Tom Eastep
4460b49842 Complete Zone list Support 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-18 14:38:53 -07:00
Tom Eastep
fafb0dea73 Update version to 4.4.13-Beta1 2010-08-18 12:40:34 -07:00
Tom Eastep
255cd6cf9c Implement zone lists in rules file entries 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-18 12:18:58 -07:00
Tom Eastep
7a17b65368 Allow simple zone lists in rules 2010-08-18 07:26:38 -07:00
Tom Eastep
12aecdef37 Use '&' trick to avoid prototype matching 2010-08-17 09:17:25 -07:00
Tom Eastep
a0dffa787d Add an assertion 2010-08-16 19:17:44 -07:00
Tom Eastep
2919c48ba0 Avoid forward reference to ensure_chain() 2010-08-16 13:25:01 -07:00
Tom Eastep
00837ed503 Add Shorewall::Chains::find_chain() 2010-08-16 13:12:12 -07:00
Tom Eastep
633eba6c90 Set version to 4.4.12 2010-08-15 08:50:45 -07:00
Tom Eastep
1510e111c4 Fix typo in conf basics doc 2010-08-13 20:27:14 -07:00
Tom Eastep
7281c9166e Record the config directory in the state file 2010-08-12 17:54:07 -07:00
Tom Eastep
15eec24672 Simplify logic for generating all parent zones 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-12 15:15:19 -07:00
Tom Eastep
49053afdcb Fix port range validate issue 2010-08-12 09:49:26 -07:00
Tom Eastep
69eaf84078 Fix bug with 'any' 2010-08-12 07:31:37 -07:00
Tom Eastep
965ad7ced1 Minor tweaks to the IPAddrs module 2010-08-11 11:46:26 -07:00
Tom Eastep
0234564a1b Add destination IP blacklisting 2010-08-10 17:33:50 -07:00
Tom Eastep
8d4498c9b8 Update Version to 4.4.12 RC 1 2010-08-06 19:31:36 -07:00
Tom Eastep
0f02ee2628 Fix issue with set match generation 2010-08-06 10:17:54 -07:00
Tom Eastep
364ad41cf5 Add support for new ipset match syntax 2010-08-03 21:06:17 -07:00
Tom Eastep
2774ee1bd6 Make 'icmp' a synonym for 'ipv6-icmp' in IPv6 compilations 2010-08-02 08:04:55 -07:00
Tom Eastep
3ce8ff5741 Bump version to Beta 4 2010-08-01 16:10:32 -07:00
Tom Eastep
967629569b Taylor Universal config to work with Shorewall-init and streamline ruleset 
- Make interface 'all' optional and set REQUIRE_INTERFACE=Yes
- Add COMPLETE option
- Set FASTACCEPT in Universal samples
- Reset SUBSYSLOCK in Universal samples

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-01 08:36:56 -07:00