authorhrs <hrs@FreeBSD.org>2014-10-17 00:31:51 +0000
committerhrs <hrs@FreeBSD.org>2014-10-17 00:31:51 +0000
commit062adab01a71e8ba401e1ae690e44c5fbfb8dcf3 (patch)
treec886034c80e4f5d10cec9acca61dffb80dbc9bf2 /etc/rc.firewall
parentbd1cd16c9d9e700afea0dce1b4d7fb30dd884fc3 (diff)
Add support for a "/{udp,tcp,proto}" suffix in $firewall_myservices, which
previously interpreted the listed items as port numbers of TCP services. A service with no suffix still works and is recognized as a TCP service for backward compatibility. It should be updated with the /tcp suffix. PR: 194292 MFC after: 1 week
Diffstat (limited to 'etc/rc.firewall')
-rw-r--r--etc/rc.firewall23
1 files changed, 20 insertions, 3 deletions
diff --git a/etc/rc.firewall b/etc/rc.firewall
index d8a3f6c..2065253 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -422,8 +422,8 @@ case ${firewall_type} in
[Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn])
# Configuration:
- # firewall_myservices: List of TCP ports on which this host
- # offers services.
+ # firewall_myservices: List of ports/protocols on which this
+ # host offers services.
# firewall_allowservices: List of IPv4 and/or IPv6 addresses
# that have access to
# $firewall_myservices.
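Review bot: The reworded comment for firewall_myservices says "ports/protocols" but does not state the entry syntax that the loop in the next hunk accepts. An operator reading only this header cannot tell that `name/proto` admits a whole IP protocol from the allowed hosts rather than a single port, or that an entry with no suffix is still taken as TCP. I would spell the forms out, e.g. `# firewall_myservices: List of port/tcp, port/udp or protocol/proto entries on which this host offers services; an entry with no suffix is treated as a TCP port.` The configuration comment block continues outside the hunk.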
@@ -487,7 +487,24 @@ case ${firewall_type} in
#
for i in ${firewall_allowservices} ; do
for j in ${firewall_myservices} ; do
- ${fwcmd} add pass tcp from $i to me $j
+ case $j in
+ [0-9A-Za-z]*/[Pp][Rr][Oo][Tt][Oo])
+ ${fwcmd} add pass ${j%/[Pp][Rr][Oo][Tt][Oo]} from $i to me
+ ;;
+ [0-9A-Za-z]*/[Tt][Cc][Pp])
+ ${fwcmd} add pass tcp from $i to me ${j%/[Tt][Cc][Pp]}
+ ;;
+ [0-9A-Za-z]*/[Uu][Dd][Pp])
+ ${fwcmd} add pass udp from $i to me ${j%/[Uu][Dd][Pp]}
+ ;;
+ *[0-9A-Za-z])
+ echo "Consider using tcp/$j in firewall_myservices." > /dev/stderr
+ ${fwcmd} add pass tcp from $i to me $j
+ ;;
+ *)
+ echo "Invalid port in firewall_myservices: $j" > /dev/stderr
+ ;;
+ esac
done
done
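Review bot: The hint printed in the bare-port arm (`*[0-9A-Za-z])`) gives the suffix in the wrong order: it suggests `tcp/$j`, while the arms above only accept `$j/tcp`. An operator who follows the hint and writes `tcp/80` lands in the same arm again, and the literal string is handed to ${fwcmd} as a TCP port; the message should read `echo "Consider using $j/tcp in firewall_myservices." > /dev/stderr`. That arm also matches any entry ending in a letter or digit, so a mistyped suffix such as `53/udq` (constructed example) is passed on as a TCP port instead of being reported. An arm `*/*)` placed before it that prints the existing "Invalid port" message would reject such entries before any rule is built. The enclosing `case ${firewall_type}` arm starts and ends outside the hunk.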