brielle
/
SRFirewall
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

Testing fix for UDP replies

master
bbruns 2014-04-12 22:16:43 +00:00
parent 277e92d3a3
commit a7b0ab662a
2 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG
View File

@ -1,4 +1,8 @@
2.00 Alpha 2 - 04/11/2014 2.00 Alpha 3 -
- (Hopefully) Resolved UDP reply issue with conntracking and default DROP
2.00 Alpha 2 - 04/12/2014
- Slightly better documentation - Slightly better documentation
- Kernel module loading - 4/11/2014 - Kernel module loading - 4/11/2014
- The next two changes affect config files: - The next two changes affect config files:

7
lib/iptables.inc
View File

@ -359,8 +359,8 @@ function enable_forwarding {
esac esac
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/forward.conf" ]; then if [ -e "${FWCONFIGDIR}/ipv${IPVER}/forward.conf" ]; then
unset conntrack_state
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/forward.conf successful" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/forward.conf successful"
use_conntrack="no"
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED" ([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED" ([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn; do while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn; do
@ -388,6 +388,7 @@ function enable_forwarding {
[[ ${dstaddress} != "-" ]] && dstaddress="-d ${dstaddress}" [[ ${dstaddress} != "-" ]] && dstaddress="-d ${dstaddress}"
[[ ${srcinterface} != "-" ]] && srcinterface="-i ${srcinterface}" [[ ${srcinterface} != "-" ]] && srcinterface="-i ${srcinterface}"
[[ ${dstinterface} != "-" ]] && dstinterface="-o ${dstinterface}" [[ ${dstinterface} != "-" ]] && dstinterface="-o ${dstinterface}"
([[ ${syn} == "syn" ]] && [[ ${protocol} == "udp" ]] && [[ -z ${conntrack_state} ]]) && conntrack_udp_new=",NEW"
[[ ${syn} == "syn" ]] && syn="--syn" [[ ${syn} == "syn" ]] && syn="--syn"
[[ ${syn} == "notsyn" ]] && syn="! --syn" [[ ${syn} == "notsyn" ]] && syn="! --syn"
[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}" [[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
@ -412,8 +413,8 @@ function enable_forwarding {
[[ ${action} == "DROP" ]] && conntrack_state="" [[ ${action} == "DROP" ]] && conntrack_state=""
${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${srcinterface} ${srcaddress} ${srcport} ${syn} ${dstinterface} ${dstaddress} ${dstport} ${conntrack_state} -j ${action} ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${srcinterface} ${srcaddress} ${srcport} ${syn} ${dstinterface} ${dstaddress} ${dstport} ${conntrack_state}${conntrack_udp_new} -j ${action}
[[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${revsrcinterface} ${revsrcaddress} ${revsrcport} ${syn} ${revdstinterface} ${revdstaddress} ${revdstport} ${conntrack_state} -j ${action} [[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${revsrcinterface} ${revsrcaddress} ${revsrcport} ${syn} ${revdstinterface} ${revdstaddress} ${revdstport} ${conntrack_state}${conntrack_udp_new} -j ${action}
done < "${FWCONFIGDIR}/ipv${IPVER}/forward.conf" done < "${FWCONFIGDIR}/ipv${IPVER}/forward.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi fi