2006-08-27 21:28:20 +02:00
|
|
|
#!/bin/sh
|
|
|
|
#
|
|
|
|
# Shorewall 3.2 -- /usr/share/shorewall/lib.tcrules
|
|
|
|
#
|
|
|
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
|
|
|
#
|
|
|
|
# (c) 1999,2000,2001,2002,2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net)
|
|
|
|
#
|
|
|
|
# Complete documentation is available at http://shorewall.net
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
# it under the terms of Version 2 of the GNU General Public License
|
|
|
|
# as published by the Free Software Foundation.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program; if not, write to the Free Software
|
|
|
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
2006-09-09 17:03:44 +02:00
|
|
|
#
|
|
|
|
# This library is loaded by /usr/share/shorewall/compiler when the tcrules file is
|
|
|
|
# non-empty. It is also loaded by the compiled firewall script under the same
|
|
|
|
# condition when the script is processing the 'refresh' command.
|
|
|
|
#
|
2006-08-27 21:28:20 +02:00
|
|
|
|
|
|
|
#
|
|
|
|
# Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the
|
|
|
|
# default marking chain
|
|
|
|
#
|
|
|
|
process_tc_rule()
|
|
|
|
{
|
|
|
|
local did_connmark=
|
|
|
|
|
|
|
|
chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
|
|
|
|
|
|
|
|
verify_designator() {
|
|
|
|
[ "$chain" = tcout ] && \
|
|
|
|
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
|
|
|
|
chain=$1
|
|
|
|
mark="${mark%:*}"
|
|
|
|
}
|
|
|
|
|
|
|
|
do_ipp2p()
|
|
|
|
{
|
|
|
|
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
|
|
|
|
[ "x$port" = "x-" ] && port="ipp2p"
|
|
|
|
|
|
|
|
case $proto in
|
|
|
|
*:*)
|
|
|
|
proto=${proto#*:}
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
proto=tcp
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
|
|
|
r="${r}-p $proto -m ipp2p --${port} "
|
|
|
|
}
|
|
|
|
|
|
|
|
verify_small_mark()
|
|
|
|
{
|
|
|
|
verify_mark $1
|
|
|
|
[ $(($1)) -lt 256 ] || fatal_error "Mark Value ($1) too larg, rule \"$rule\""
|
|
|
|
}
|
|
|
|
|
|
|
|
do_connmark()
|
|
|
|
{
|
|
|
|
target="CONNMARK --set-mark"
|
|
|
|
mark=$mark/0xff
|
|
|
|
did_connmark=Yes
|
|
|
|
}
|
|
|
|
|
|
|
|
validate_mark()
|
|
|
|
{
|
|
|
|
case $1 in
|
|
|
|
*/*)
|
|
|
|
verify_mark ${1%/*}
|
|
|
|
verify_mark ${1#*/}
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
verify_mark $1
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
}
|
|
|
|
|
|
|
|
add_a_tc_rule() {
|
|
|
|
r=
|
|
|
|
|
|
|
|
if [ "x$source" != "x-" ]; then
|
|
|
|
case $source in
|
|
|
|
$FW:*)
|
|
|
|
[ $chain = tcpost ] || chain=tcout
|
|
|
|
r="$(source_ip_range ${source#*:}) "
|
|
|
|
;;
|
|
|
|
*:*)
|
|
|
|
interface=${source%:*}
|
|
|
|
verify_interface $interface || fatal_error "Unknown interface $interface in rule \"$rule\""
|
|
|
|
r="$(match_source_dev $interface) $(source_ip_range ${source#*:}) "
|
|
|
|
;;
|
|
|
|
*.*.*|+*|!+*)
|
|
|
|
r="$(source_ip_range $source) "
|
|
|
|
;;
|
|
|
|
~*|!~*)
|
|
|
|
r="$(mac_match $source) "
|
|
|
|
;;
|
|
|
|
$FW)
|
|
|
|
[ $chain = tcpost ] || chain=tcout
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
|
|
|
|
r="$(match_source_dev $source) "
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ "x${user:--}" != "x-" ]; then
|
|
|
|
|
|
|
|
[ "$chain" != tcout ] && \
|
|
|
|
fatal_error "Invalid use of a user/group: rule \"$rule\""
|
|
|
|
|
|
|
|
r="$r-m owner"
|
|
|
|
|
|
|
|
case "$user" in
|
|
|
|
*+*)
|
|
|
|
r="$r --cmd-owner ${user#*+} "
|
|
|
|
user=${user%+*}
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
|
|
|
case "$user" in
|
|
|
|
*:*)
|
|
|
|
temp="${user%:*}"
|
|
|
|
[ -n "$temp" ] && r="$r --uid-owner $temp "
|
|
|
|
temp="${user#*:}"
|
|
|
|
[ -n "$temp" ] && r="$r --gid-owner $temp "
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
[ -n "$user" ] && r="$r --uid-owner $user "
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
|
|
|
|
|
|
|
|
if [ "x$dest" != "x-" ]; then
|
|
|
|
case $dest in
|
|
|
|
*:*)
|
|
|
|
[ "$chain" = tcpre ] && fatal_error "Destination interface is not allowed in the PREROUTING chain - rule \"$rule\""
|
|
|
|
interface=${dest%:*}
|
|
|
|
verify_interface $interface || fatal_error "Unknown interface $interface in rule \"$rule\""
|
|
|
|
r="$(match_dest_dev $interface) $(dest_ip_range ${dest#*:}) "
|
|
|
|
;;
|
|
|
|
*.*.*|+*|!+*)
|
|
|
|
r="${r}$(dest_ip_range $dest) "
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
[ "$chain" = tcpre ] && fatal_error "Destination interface is not allowed in the PREROUTING chain - rule \"$rule\""
|
|
|
|
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
|
|
|
|
r="${r}$(match_dest_dev $dest) "
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ "x${length:=-}" != "x-" ]; then
|
|
|
|
[ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\""
|
|
|
|
r="${r}-m length --length ${length} "
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ "x${tos:=-}" != "x-" ]; then
|
|
|
|
r="${r}-m tos --tos ${tos} "
|
|
|
|
fi
|
|
|
|
|
|
|
|
multiport=
|
|
|
|
|
|
|
|
case $proto in
|
|
|
|
ipp2p|IPP2P|ipp2p:*|IPP2P:*)
|
|
|
|
do_ipp2p
|
|
|
|
;;
|
|
|
|
icmp|ICMP|1)
|
|
|
|
r="${r}-p icmp "
|
|
|
|
[ "x$port" = "x-" ] || r="${r}--icmp-type $port"
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
[ "x$proto" = "x-" ] && proto=all
|
|
|
|
[ "x$proto" = "x" ] && proto=all
|
|
|
|
[ "$proto" = "all" ] || r="${r}-p $proto "
|
|
|
|
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
|
|
|
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
|
|
|
|
|
|
|
|
if [ -n "${excludesources}${excludedests}" ]; then
|
|
|
|
build_exclusion_chain chain1 mangle "$excludesources" "$excludedests"
|
|
|
|
|
|
|
|
run_iptables2 -t mangle -A $chain $r -j $chain1
|
|
|
|
|
|
|
|
run_iptables -t mangle -A $chain1 -j $target $mark
|
|
|
|
else
|
|
|
|
run_iptables2 -t mangle -A $chain $r -j $target $mark
|
|
|
|
fi
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if [ "$mark" != "${mark%:*}" ]; then
|
|
|
|
case "${mark#*:}" in
|
|
|
|
p|P)
|
|
|
|
verify_designator tcpre
|
|
|
|
;;
|
|
|
|
cp|CP)
|
|
|
|
verify_designator tcpre
|
|
|
|
do_connmark
|
|
|
|
;;
|
|
|
|
f|F)
|
|
|
|
verify_designator tcfor
|
|
|
|
;;
|
|
|
|
cf|CF)
|
|
|
|
verify_designator tcfor
|
|
|
|
do_connmark
|
|
|
|
;;
|
|
|
|
c|C)
|
|
|
|
mark=${mark%:*}
|
|
|
|
do_connmark
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
chain=tcpost
|
|
|
|
target="CLASSIFY --set-class"
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
mask=0xffff
|
|
|
|
|
|
|
|
case $mark in
|
|
|
|
SAVE)
|
|
|
|
[ -n "$did_connmark" ] && fatal_error "SAVE not valid with :C[FP]"
|
|
|
|
target="CONNMARK --save-mark --mask 0xFF"
|
|
|
|
mark=
|
|
|
|
;;
|
|
|
|
SAVE/*)
|
|
|
|
[ -n "$did_connmark" ] && fatal_error "SAVE not valid with :C[FP]"
|
|
|
|
target="CONNMARK --save-mark --mask"
|
|
|
|
mark=${mark#*/}
|
|
|
|
verify_small_mark $mark
|
|
|
|
;;
|
|
|
|
RESTORE)
|
|
|
|
[ -n "$did_connmark" ] && fatal_error "RESTORE not valid with :C[FP]"
|
|
|
|
target="CONNMARK --restore-mark --mask 0xFF"
|
|
|
|
mark=
|
|
|
|
;;
|
|
|
|
RESTORE/*)
|
|
|
|
[ -n "$did_connmark" ] && fatal_error "RESTORE not valid with :C[FP]"
|
|
|
|
target="CONNMARK --restore-mark --mask"
|
|
|
|
mark=${mark#*/}
|
|
|
|
verify_small_mark $mark
|
|
|
|
;;
|
|
|
|
CONTINUE)
|
|
|
|
[ -n "$did_connmark" ] && fatal_error "CONTINUE not valid with :C[FP]"
|
|
|
|
target=RETURN
|
|
|
|
mark=
|
|
|
|
;;
|
2006-10-02 18:48:08 +02:00
|
|
|
OR)
|
|
|
|
[ -n "$did_connmark" ] && fatal_error "OR not valid with :C[FP]"
|
|
|
|
target="MARK --or-mark"
|
|
|
|
validate_mark $mark
|
|
|
|
;;
|
|
|
|
AND)
|
|
|
|
[ -n "$did_connmark" ] && fatal_error "AND not valid with :C[FP]"
|
|
|
|
target="MARK --and-mark"
|
|
|
|
validate_mark $mark
|
|
|
|
;;
|
2006-08-27 21:28:20 +02:00
|
|
|
*)
|
|
|
|
if [ "$chain" != tcpost ]; then
|
|
|
|
validate_mark $mark
|
|
|
|
if [ $((${mark%/*})) -gt 255 ]; then
|
|
|
|
case $chain in
|
|
|
|
tcpre|tcout)
|
|
|
|
target="MARK --or-mark"
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
fatal_error "Invalid mark value ($mark) in rule \"$rule\""
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
elif [ $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
|
|
|
|
fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
|
|
|
case $testval in
|
|
|
|
-)
|
|
|
|
;;
|
|
|
|
!*:C)
|
|
|
|
marktest="connmark ! "
|
|
|
|
testval=${testval%:*}
|
|
|
|
testval=${testval#!}
|
|
|
|
;;
|
|
|
|
*:C)
|
|
|
|
marktest="connmark "
|
|
|
|
testval=${testval%:*}
|
|
|
|
;;
|
|
|
|
!*)
|
|
|
|
marktest="mark ! "
|
|
|
|
testval=${testval#!}
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
[ -n "$testval" ] && marktest="mark "
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
|
|
|
if [ -n "$marktest" ] ; then
|
|
|
|
case $testval in
|
|
|
|
*/*)
|
|
|
|
verify_mark ${testval%/*}
|
|
|
|
verify_mark ${testval#*/}
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
verify_mark $testval
|
|
|
|
testval=$testval/$mask
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
fi
|
|
|
|
|
|
|
|
excludesources=
|
|
|
|
|
|
|
|
case ${sources:=-} in
|
|
|
|
*!*!*)
|
|
|
|
fatal_error "Invalid SOURCE in rule \"$rule\""
|
|
|
|
;;
|
|
|
|
!*)
|
|
|
|
if [ $(list_count $sources) -gt 1 ]; then
|
|
|
|
excludesources=${sources#!}
|
|
|
|
sources=-
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
*!*)
|
|
|
|
excludesources=${sources#*!}
|
|
|
|
sources=${sources%!*}
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
|
|
|
excludedests=
|
|
|
|
|
|
|
|
case ${dests:=-} in
|
|
|
|
*!*!*)
|
|
|
|
fatal_error "Invalid DEST in rule \"$rule\""
|
|
|
|
;;
|
|
|
|
!*)
|
|
|
|
if [ $(list_count $dests) -gt 1 ]; then
|
|
|
|
excludedests=${dests#*!}
|
|
|
|
dests=-
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
*!*)
|
|
|
|
excludedests=${dests#*!}
|
|
|
|
dests=${dests%!*}
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
|
|
|
for source in $(separate_list $sources); do
|
|
|
|
for dest in $(separate_list $dests); do
|
|
|
|
for port in $(separate_list ${ports:=-}); do
|
|
|
|
for sport in $(separate_list ${sports:=-}); do
|
|
|
|
add_a_tc_rule
|
|
|
|
done
|
|
|
|
done
|
|
|
|
done
|
|
|
|
done
|
|
|
|
|
|
|
|
progress_message " TC Rule \"$rule\" $DONE"
|
|
|
|
save_progress_message_short " TC Rule \\\"$rule\\\" Added"
|
|
|
|
}
|