another connmark fix for issue #23
This commit is contained in:
parent
e51a46a140
commit
83a084e9c1
@ -3164,28 +3164,27 @@ connmark() {
|
|||||||
|
|
||||||
require_work clear || ( error "$FUNCNAME cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
|
require_work clear || ( error "$FUNCNAME cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
|
||||||
|
|
||||||
if [ "${1}" = "save" ]
|
|
||||||
then
|
|
||||||
# save MARK to CONNMARK
|
|
||||||
shift 1
|
|
||||||
rule table mangle chain INPUT custom '-m conntrack --ctstate NEW -m mark ! --mark 0' "$@" action CONNMARK save
|
|
||||||
rule table mangle chain POSTROUTING custom '-m conntrack --ctstate NEW -m mark ! --mark 0' "$@" action CONNMARK save
|
|
||||||
return 0
|
|
||||||
elif [ "${1}" = "restore" ]
|
|
||||||
then
|
|
||||||
# restore MARK from CONNMARK
|
|
||||||
shift 1
|
|
||||||
rule table mangle chain OUTPUT custom '-m conntrack --ctstate ESTABLISHED,RELATED' "$@" action CONNMARK restore
|
|
||||||
rule table mangle chain PREROUTING custom '-m conntrack --ctstate ESTABLISHED,RELATED' "$@" action CONNMARK restore
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
local num="${1}"; shift
|
local num="${1}"; shift
|
||||||
local where="${1}"; shift
|
local where="${1}"; shift
|
||||||
test -z "${where}" && where="OUTPUT POSTROUTING"
|
test -z "${where}" && where="OUTPUT POSTROUTING"
|
||||||
|
|
||||||
connmark_count=$[connmark_count + 1]
|
connmark_count=$[connmark_count + 1]
|
||||||
|
|
||||||
|
if [ "${num}" = "save" ]
|
||||||
|
then
|
||||||
|
# save MARK to CONNMARK
|
||||||
|
shift 1
|
||||||
|
rule table mangle chain INPUT custom '-m conntrack --ctstate NEW -m mark ! --mark 0' "$@" action CONNMARK save
|
||||||
|
rule table mangle chain POSTROUTING custom '-m conntrack --ctstate NEW -m mark ! --mark 0' "$@" action CONNMARK save
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${num}" = "restore" ]
|
||||||
|
then
|
||||||
|
# backward compatibility - nothing to be done here
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
set_work_function "Setting up rules for CONNMARK rule No $connmark_count"
|
set_work_function "Setting up rules for CONNMARK rule No $connmark_count"
|
||||||
|
|
||||||
local chain=
|
local chain=
|
||||||
@ -3193,7 +3192,7 @@ connmark() {
|
|||||||
do
|
do
|
||||||
case "${chain}" in
|
case "${chain}" in
|
||||||
interface)
|
interface)
|
||||||
rule table mangle chain "PREROUTING" custom '-m conntrack --ctstate NEW' inface "$@" action CONNMARK to ${num}
|
rule table mangle chain "PREROUTING" custom '-m conntrack --ctstate NEW' inface "$@" action CONNMARK to ${num}
|
||||||
rule table mangle chain "POSTROUTING" custom '-m conntrack --ctstate NEW' outface "$@" action CONNMARK to ${num}
|
rule table mangle chain "POSTROUTING" custom '-m conntrack --ctstate NEW' outface "$@" action CONNMARK to ${num}
|
||||||
;;
|
;;
|
||||||
|
|
||||||
@ -4331,6 +4330,14 @@ close_router() {
|
|||||||
close_master() {
|
close_master() {
|
||||||
set_work_function "Finilizing firewall policies"
|
set_work_function "Finilizing firewall policies"
|
||||||
|
|
||||||
|
if [ $connmark_count -gt 0 ]
|
||||||
|
then
|
||||||
|
# if connmark has been used, add finilization rules
|
||||||
|
# copy CONNMARK to MARK
|
||||||
|
iptables_both -t mangle -A "OUTPUT" -m connmark ! --mark 0 -m mark --mark 0 -j CONNMARK --restore-mark
|
||||||
|
iptables_both -t mangle -A "PREROUTING" -m connmark ! --mark 0 -m mark --mark 0 -j CONNMARK --restore-mark
|
||||||
|
fi
|
||||||
|
|
||||||
# Accept all related traffic to the established connections
|
# Accept all related traffic to the established connections
|
||||||
rule chain INPUT state RELATED action ACCEPT || return 1
|
rule chain INPUT state RELATED action ACCEPT || return 1
|
||||||
rule chain OUTPUT state RELATED action ACCEPT || return 1
|
rule chain OUTPUT state RELATED action ACCEPT || return 1
|
||||||
|
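Review bot: In the first hunk's new `save` branch of connmark(), the `shift 1` carried over from the old code now discards a second argument: by the time `if [ "${num}" = "save" ]` runs, `save` has already been consumed into `num` and the next caller argument into `where`, so a call such as `connmark save src <net>` reaches `rule ... "$@"` with both `src` and the network gone, and the CONNMARK save rule then matches every NEW non-zero-mark connection instead of the configured subset. Unless the `connmark save` syntax is intentionally changing, drop the `shift 1` and move `local where="${1}"; shift` together with its `test -z "${where}" && where="OUTPUT POSTROUTING"` default below the two new `if ... fi` blocks, so only the `save`/`restore` token is shifted off. In the third hunk, the two new `iptables_both -t mangle -A ... --restore-mark` lines in close_master() do not check their status while the neighbouring `rule ... || return 1` lines do; appending `|| return 1` to each keeps policy finalisation from silently continuing after a failed restore rule. If connmark_count can still be unset when close_master() runs, the unquoted `[ $connmark_count -gt 0 ]` also fails with a unary-operator error, and `[ "${connmark_count:-0}" -gt 0 ]` avoids that. connmark() and close_master() both extend beyond their hunks.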