synproxy: enable lo routing only when necessary; synproxy: for custom actions in INPUT, ACCEPT the SYN packet at filter.OUTPUT and apply the custom action only at filter.INPUT, so that the custom action is applied exactly once.

Costa Tsaousis (ktsaou) 2015-02-20 16:04:46 +02:00
parent bd9d711462
commit 8459d75f71

@ -3711,9 +3711,6 @@ synproxy() {
REDIRECT)
# REDIRECT
# this requires routing device lo
setup_lo_for_synproxy "${inface[@]}" || return 1
set_work_function "SYNPROXY->SERVER REDIRECTing packet at nat.OUTPUT"
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER REDIRECT")
rule table nat chain SYNPROXY2SERVER_OUT "${match[@]}" proto tcp "${log[@]}" nosoftwarnings action ${action} "${action_args[@]}" inface any physin any outface lo physout any || return 1
@ -3729,6 +3726,10 @@ synproxy() {
set_work_function "SYNPROXY->SERVER accepting re-routed packet at device lo at filter.INPUT"
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER lo IN")
rule table filter chain SYNPROXY2SERVER_IN "${match[@]}" proto tcp "${log[@]}" action ACCEPT nosoftwarnings inface lo physin any outface any physout any dst "${localhost}" dport ${action_args[1]} || return 1
# this requires routing device lo
set_work_function "SYNPROXY->SERVER enabling routing ${inface[@]} <-> lo"
setup_lo_for_synproxy "${inface[@]}" || return 1
;;
*)
@ -3736,21 +3737,22 @@ synproxy() {
# we allow an action to be defined, since this traffic is now in device lo !
# Practically we use 'dst' and a possibly defined 'dport' to take the action on OUTPUT.
# this requires routing device lo
setup_lo_for_synproxy "${inface[@]}" || return 1
# FIXME
# we have to check that the action exists in mangle
if [ "${chain}" = "INPUT" ]
then
set_work_function "SYNPROXY->SERVER executing action ${action} at filter.OUTPUT"
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER ACTION ${action^^} OUT (the packet will come back - re-routed)")
rule table filter chain SYNPROXY2SERVER_OUT "${match[@]}" proto tcp "${log[@]}" nosoftwarnings action "${action}" "${action_args[@]}" inface any physin any outface lo physout any || return 1
set_work_function "SYNPROXY->SERVER executing action ACCEPT at filter.OUTPUT (the packet will come back - re-routed via lo)"
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER ACCEPT OUT (the packet will come back - re-routed via lo)")
rule table filter chain SYNPROXY2SERVER_OUT "${match[@]}" proto tcp "${log[@]}" nosoftwarnings action ACCEPT inface any physin any outface lo physout any || return 1
set_work_function "SYNPROXY->SERVER executing action ${action} after re-route at filter.INPUT"
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER ACTION ${action^^} IN")
rule table filter chain SYNPROXY2SERVER_IN "${match[@]}" proto tcp "${log[@]}" nosoftwarnings action "${action}" "${action_args[@]}" inface lo physin any outface any physout any || return 1
# this requires routing device lo
set_work_function "SYNPROXY->SERVER enabling routing ${inface[@]} <-> lo"
setup_lo_for_synproxy "${inface[@]}" || return 1
else
set_work_function "SYNPROXY->SERVER executing action ${action} at filter.OUTPUT (the packet should leave the machine)"
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER ACTION ${action^^} OUT")