another connmark fix for issue #23

Costa Tsaousis (ktsaou) 2014-03-13 03:08:34 +02:00
parent e51a46a140
commit 83a084e9c1

@ -3164,28 +3164,27 @@ connmark() {
require_work clear || ( error "$FUNCNAME cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
if [ "${1}" = "save" ]
then
# save MARK to CONNMARK
shift 1
rule table mangle chain INPUT custom '-m conntrack --ctstate NEW -m mark ! --mark 0' "$@" action CONNMARK save
rule table mangle chain POSTROUTING custom '-m conntrack --ctstate NEW -m mark ! --mark 0' "$@" action CONNMARK save
return 0
elif [ "${1}" = "restore" ]
then
# restore MARK from CONNMARK
shift 1
rule table mangle chain OUTPUT custom '-m conntrack --ctstate ESTABLISHED,RELATED' "$@" action CONNMARK restore
rule table mangle chain PREROUTING custom '-m conntrack --ctstate ESTABLISHED,RELATED' "$@" action CONNMARK restore
return 0
fi
local num="${1}"; shift
local where="${1}"; shift
test -z "${where}" && where="OUTPUT POSTROUTING"
connmark_count=$[connmark_count + 1]
if [ "${num}" = "save" ]
then
# save MARK to CONNMARK
shift 1
rule table mangle chain INPUT custom '-m conntrack --ctstate NEW -m mark ! --mark 0' "$@" action CONNMARK save
rule table mangle chain POSTROUTING custom '-m conntrack --ctstate NEW -m mark ! --mark 0' "$@" action CONNMARK save
return 0
fi
if [ "${num}" = "restore" ]
then
# backward compatibility - nothing to be done here
return 0
fi
set_work_function "Setting up rules for CONNMARK rule No $connmark_count"
local chain=
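Review bot: In the `save` branch that follows `connmark_count=$[connmark_count + 1]`, `"$@"` has already lost two positional arguments before `shift 1` runs: `local num="${1}"; shift` consumes `save` and `local where="${1}"; shift` consumes the first optional match argument, so a call like `connmark save inface eth0` ends up with `where=inface` and an empty `"$@"`, and the CONNMARK save rules are installed for every NEW connection instead of the requested match. Assuming this block is the new side (the rendered page drops the +/- markers), the save handling should either run before `local num`/`local where`, as the earlier block in this hunk does, or drop the extra `shift 1` and pass the argument captured in `where` back through, e.g. `set -- "${where}" "$@"` before the `rule` lines. Incrementing `connmark_count` before the early returns looks deliberate, since close_master's restore rules key off it, but that is inferred rather than visible here. The `for chain in ${where}` loop that uses `chain` continues outside this hunk.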
@ -3193,7 +3192,7 @@ connmark() {
do
case "${chain}" in
interface)
rule table mangle chain "PREROUTING" custom '-m conntrack --ctstate NEW' inface "$@" action CONNMARK to ${num}
rule table mangle chain "PREROUTING" custom '-m conntrack --ctstate NEW' inface "$@" action CONNMARK to ${num}
rule table mangle chain "POSTROUTING" custom '-m conntrack --ctstate NEW' outface "$@" action CONNMARK to ${num}
;;
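Review bot: The two PREROUTING rules at the top of the `interface)` arm read identically as rendered; if both are on the new side the same rule is emitted twice, whereas if they are the old/new pair of a whitespace-only edit nothing needs changing — the +/- markers are lost on this page, so this cannot be decided from the hunk alone. Either way the arm should end with exactly one PREROUTING `inface` rule and one POSTROUTING `outface` rule. The enclosing `for chain in ${where}` loop begins before this hunk.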
@ -4331,6 +4330,14 @@ close_router() {
close_master() {
set_work_function "Finilizing firewall policies"
if [ $connmark_count -gt 0 ]
then
# if connmark has been used, add finilization rules
# copy CONNMARK to MARK
iptables_both -t mangle -A "OUTPUT" -m connmark ! --mark 0 -m mark --mark 0 -j CONNMARK --restore-mark
iptables_both -t mangle -A "PREROUTING" -m connmark ! --mark 0 -m mark --mark 0 -j CONNMARK --restore-mark
fi
# Accept all related traffic to the established connections
rule chain INPUT state RELATED action ACCEPT || return 1
rule chain OUTPUT state RELATED action ACCEPT || return 1