author | Gerald Combs <gerald@wireshark.org> | 2016-06-02 08:57:07 -0700 |
---|---|---|
committer | Jaap Keuter <jaap.keuter@xs4all.nl> | 2016-06-06 06:27:47 +0000 |
commit | 82cd99ec3b4e5efe42cc3a26f952a58d6d3d9964 (patch) | |
tree | f60b01763e424f08c9deb7c94f9bee39c871d36b /ui/firewall_rules.c | |
parent | cbf4a8c9d2bc409623c972ec91ed5f7229978cbf (diff) |
Firewall rule fixups.
Make the netfilter rules more sensible as described in bug 2482.
Switch to long names while we're here.
Ping-bug: 2482
Change-Id: I9e44c4ed88ed83ff1d7d478acea83fa0c2af5cac
Reviewed-on: https://code.wireshark.org/review/15701
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Diffstat (limited to 'ui/firewall_rules.c')
-rw-r--r-- | ui/firewall_rules.c | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/ui/firewall_rules.c b/ui/firewall_rules.c
index ae7db51848..a2b8d104f0 100644
--- a/ui/firewall_rules.c
+++ b/ui/firewall_rules.c
@@ -81,11 +81,11 @@ static fw_product products[] = {
         NULL, sf_ios_std_ipv4, NULL, NULL, FALSE },
     { "Cisco IOS (extended)", "Change NUMBER to a valid ACL number.", "!",
         NULL, sf_ios_ext_ipv4, sf_ios_ext_port, sf_ios_ext_ipv4_port, TRUE },
-    { "IP Filter (ipfilter)", "Change le0 to a valid interface.", "#",
+    { "IP Filter (ipfilter)", "Change le0 to a valid interface if needed.", "#",
         NULL, sf_ipfilter_ipv4, sf_ipfilter_port, sf_ipfilter_ipv4_port, TRUE },
     { "IPFirewall (ipfw)", "", "#",
         sf_ipfw_mac, sf_ipfw_ipv4, sf_ipfw_port, sf_ipfw_ipv4_port, TRUE },
-    { "Netfilter (iptables)", "Change eth0 to a valid interface.", "#",
+    { "Netfilter (iptables)", "Change eth0 to a valid interface if needed.", "#",
         sf_netfilter_mac, sf_netfilter_ipv4, sf_netfilter_port, sf_netfilter_ipv4_port, TRUE },
     { "Packet Filter (pf)", "$ext_if should be set to a valid interface.", "#",
@@ -164,7 +164,7 @@ static void sf_ipfw_mac(GString *rtxt, gchar *addr, guint32 port _U_, port_type
 #define NF_DROP (deny ? "DROP" : "ACCEPT")
 #define NF_INPUT (inbound ? "INPUT" : "OUTPUT")
 static void sf_netfilter_mac(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) {
-    g_string_append_printf(rtxt, "iptables -A %s -i eth0 --mac-source %s -j %s",
+    g_string_append_printf(rtxt, "iptables --append %s --in-interface eth0 --mac-source %s --jump %s",
         NF_INPUT, addr, NF_DROP);
 }
 
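Review bot: The rewritten g_string_append_printf in sf_netfilter_mac still emits `--in-interface eth0` even when NF_INPUT expands to `OUTPUT`, and iptables rejects `-i`/`--in-interface` on the OUTPUT chain, so every outbound MAC rule this helper produces fails to load. As far as I recall the `--mac-source` match is also only usable in the PREROUTING, INPUT and FORWARD chains and has to be loaded explicitly with `--match mac`, so the outbound variant cannot be repaired just by switching the interface flag. I would emit `"iptables --append %s --in-interface eth0 --match mac --mac-source %s --jump %s"` and either refuse the outbound case or state in the product's hint string that the MAC rule is inbound-only. The products[] hunk above is truncated in this view, so I cannot tell whether that hint already says so.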
@@ -193,9 +193,10 @@ static void sf_ipfw_ipv4(GString *rtxt, gchar *addr, guint32 port _U_, port_type
         IPFW_DENY, addr, IPFW_IN);
 }
 
+#define NF_ADDR_DIR (inbound ? "--source" : "--destination")
 static void sf_netfilter_ipv4(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) {
-    g_string_append_printf(rtxt, "iptables -A %s -i eth0 -d %s/32 -j %s",
-        NF_INPUT, addr, NF_DROP);
+    g_string_append_printf(rtxt, "iptables --append %s --in-interface eth0 %s %s/32 --jump %s",
+        NF_INPUT, NF_ADDR_DIR, addr, NF_DROP);
 }
 
 #define PF_DENY (deny ? "block" : "pass")
@@ -222,9 +223,10 @@ static void sf_ipfw_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type
         IPFW_DENY, RT_TCP_UDP, port, IPFW_IN);
 }
 
+#define NF_PORT_DIR (inbound ? "--source-port" : "--destination-port")
 static void sf_netfilter_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type ptype, gboolean inbound, gboolean deny) {
-    g_string_append_printf(rtxt, "iptables -A %s -i eth0 -p %s --destination-port %u -j %s",
-        NF_INPUT, RT_TCP_UDP, port, NF_DROP);
+    g_string_append_printf(rtxt, "iptables --append %s --in-interface eth0 --protocol %s %s %u --jump %s",
+        NF_INPUT, RT_TCP_UDP, NF_PORT_DIR, port, NF_DROP);
 }
 
 static void sf_pf_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type ptype, gboolean inbound, gboolean deny) {
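Review bot: The new NF_ADDR_DIR macro makes the address side of sf_netfilter_ipv4 follow `inbound`, but the interface match on the same format string stays `--in-interface eth0` in both directions, and iptables refuses `--in-interface` in the OUTPUT chain that NF_INPUT selects for outbound rules, so the outbound command is rejected at load time. A parallel macro keeps the fix in the file's own style: `#define NF_IFACE (inbound ? "--in-interface" : "--out-interface")`, then `"iptables --append %s %s eth0 %s %s/32 --jump %s"` with `NF_INPUT, NF_IFACE, NF_ADDR_DIR, addr, NF_DROP` as the arguments. Object-like macros that silently read the local `inbound` match the existing NF_INPUT/NF_DROP convention, but a one-line comment above NF_ADDR_DIR such as `/* direction-dependent address match; only valid inside a helper with an inbound parameter */` would spare the next reader a search for where `inbound` comes from.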
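Review bot: sf_netfilter_port now selects `--source-port` or `--destination-port` through NF_PORT_DIR, yet keeps `--in-interface eth0` for both directions, and iptables rejects `--in-interface` on the OUTPUT chain used when `inbound` is false, so the outbound port rule never loads; the interface flag has to follow `inbound` the same way NF_PORT_DIR does, i.e. `--out-interface` for outbound rules. Separately, `--source-port`/`--destination-port` are only recognised once a tcp or udp match is loaded, which `--protocol %s` does implicitly only if RT_TCP_UDP always expands to `tcp` or `udp`; its definition is outside this hunk, so that is worth confirming rather than assuming.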
@@ -266,8 +268,8 @@ static void sf_pf_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type
 }
 
 static void sf_netfilter_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny) {
-    g_string_append_printf(rtxt, "iptables -A %s -i eth0 -p %s -d %s/32 --destination-port %u -j %s",
-        NF_INPUT, RT_TCP_UDP, addr, port, NF_DROP);
+    g_string_append_printf(rtxt, "iptables --append %s --in-interface eth0 --protocol %s %s %s/32 %s %u --jump %s",
+        NF_INPUT, RT_TCP_UDP, NF_ADDR_DIR, addr, NF_PORT_DIR, port, NF_DROP);
 }
 
 static void sf_netsh_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound _U_, gboolean deny) {
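Review bot: The combined address-plus-port rule in sf_netfilter_ipv4_port makes the address and port matches direction-aware via NF_ADDR_DIR and NF_PORT_DIR but leaves `--in-interface eth0` fixed, and iptables rejects `--in-interface` in the OUTPUT chain that NF_INPUT picks for outbound rules, so the outbound form of the most specific rule this dialog offers is unusable. The format string needs a third direction-dependent token, e.g. `"iptables --append %s %s eth0 --protocol %s %s %s/32 %s %u --jump %s"` with `(inbound ? "--in-interface" : "--out-interface")` passed right after NF_INPUT. Since the rule text is meant to be pasted into a root shell, a short comment above the helper noting that the user is expected to review the interface and chain before running it would be a reasonable addition.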