2009-02-22 18:30:14 +01:00
#
2009-06-13 16:07:55 +02:00
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Rules.pm
2009-02-22 18:30:14 +01:00
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
2010-01-01 21:58:27 +01:00
# (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
2009-02-22 18:30:14 +01:00
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This module contains the high-level code for dealing with rules.
#
package Shorewall::Rules ;
require Exporter ;
2009-11-02 16:15:20 +01:00
2009-02-22 18:30:14 +01:00
use Shorewall::Config qw( :DEFAULT :internal ) ;
use Shorewall::IPAddrs ;
use Shorewall::Zones ;
use Shorewall::Chains qw( :DEFAULT :internal ) ;
use Shorewall::Actions ;
use Shorewall::Policy ;
use Shorewall::Proc ;
use strict ;
our @ ISA = qw( Exporter ) ;
our @ EXPORT = qw( process_tos
setup_ecn
add_common_rules
setup_mac_lists
process_rules
2009-09-08 21:54:23 +02:00
process_routestopped
2009-02-22 18:30:14 +01:00
generate_matrix
2009-03-28 20:22:15 +01:00
compile_stop_firewall
2009-02-22 18:30:14 +01:00
) ;
our @ EXPORT_OK = qw( process_rule process_rule1 initialize ) ;
2010-06-06 22:49:26 +02:00
our $ VERSION = '4.4_11' ;
2009-02-22 18:30:14 +01:00
#
# Set to one if we find a SECTION
#
our $ sectioned ;
our $ macro_nest_level ;
our $ current_param ;
our @ param_stack ;
our $ family ;
#
# When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these
#
my % rules_commands = ( COMMENT = > 0 ,
SECTION = > 2 ) ;
#
2009-08-20 23:32:15 +02:00
# Rather than initializing globals in an INIT block or during declaration,
2009-08-16 18:24:51 +02:00
# we initialize them in a function. This is done for two reasons:
#
2009-08-17 19:45:46 +02:00
# 1. Proper initialization depends on the address family which isn't
2009-08-16 18:24:51 +02:00
# known until the compiler has started.
#
# 2. The compiler can run multiple times in the same process so it has to be
2009-08-17 19:45:46 +02:00
# able to re-initialize its dependent modules' state.
2009-02-22 18:30:14 +01:00
#
sub initialize ( $ ) {
$ family = shift ;
$ sectioned = 0 ;
$ macro_nest_level = 0 ;
$ current_param = '' ;
@ param_stack = ( ) ;
}
use constant { MAX_MACRO_NEST_LEVEL = > 5 } ;
sub process_tos () {
2010-01-25 16:56:16 +01:00
my $ chain = have_capability ( 'MANGLE_FORWARD' ) ? 'fortos' : 'pretos' ;
my $ stdchain = have_capability ( 'MANGLE_FORWARD' ) ? 'FORWARD' : 'PREROUTING' ;
2009-02-22 18:30:14 +01:00
my % tosoptions = ( 'minimize-delay' = > 0x10 ,
'maximize-throughput' = > 0x08 ,
'maximize-reliability' = > 0x04 ,
'minimize-cost' = > 0x02 ,
'normal-service' = > 0x00 ) ;
if ( my $ fn = open_file 'tos' ) {
my $ first_entry = 1 ;
my ( $ pretosref , $ outtosref ) ;
first_entry ( sub { progress_message2 "$doing $fn..." ; $ pretosref = ensure_chain 'mangle' , $ chain ; $ outtosref = ensure_chain 'mangle' , 'outtos' ; } ) ;
while ( read_a_line ) {
my ( $ src , $ dst , $ proto , $ sports , $ ports , $ tos , $ mark ) = split_line 6 , 7 , 'tos file entry' ;
$ first_entry = 0 ;
fatal_error 'A value must be supplied in the TOS column' if $ tos eq '-' ;
if ( defined ( my $ tosval = $ tosoptions { "\L$tos" } ) ) {
$ tos = $ tosval ;
} else {
my $ val = numeric_value ( $ tos ) ;
fatal_error "Invalid TOS value ($tos)" unless defined ( $ val ) && $ val < 0x1f ;
}
my $ chainref ;
my $ restriction = NO_RESTRICT ;
my ( $ srczone , $ source , $ remainder ) ;
if ( $ family == F_IPV4 ) {
( $ srczone , $ source , $ remainder ) = split ( /:/ , $ src , 3 ) ;
fatal_error 'Invalid SOURCE' if defined $ remainder ;
2010-01-08 22:54:31 +01:00
} elsif ( $ src =~ /^(.+?):<(.*)>\s*$/ || $ src =~ /^(.+?):\[(.*)\]\s*$/ ) {
2009-02-22 18:30:14 +01:00
$ srczone = $ 1 ;
$ source = $ 2 ;
} else {
$ srczone = $ src ;
}
if ( $ srczone eq firewall_zone ) {
$ chainref = $ outtosref ;
$ src = $ source || '-' ;
$ restriction = OUTPUT_RESTRICT ;
} else {
$ chainref = $ pretosref ;
$ src =~ s/^all:?// ;
}
$ dst =~ s/^all:?// ;
expand_rule
$ chainref ,
$ restriction ,
2010-01-13 19:50:14 +01:00
do_proto ( $ proto , $ ports , $ sports ) . do_test ( $ mark , $ globals { TC_MASK } ) ,
2009-02-22 18:30:14 +01:00
$ src ,
$ dst ,
'' ,
"-j TOS --set-tos $tos" ,
'' ,
'' ,
'' ;
}
unless ( $ first_entry ) {
2010-01-16 18:53:53 +01:00
add_jump ( $ mangle_table - > { $ stdchain } , $ chain , 0 ) if $ pretosref - > { referenced } ;
add_jump ( $ mangle_table - > { OUTPUT } , 'outtos' , 0 ) if $ outtosref - > { referenced } ;
2009-02-22 18:30:14 +01:00
}
}
}
#
# Setup ECN disabling rules
#
sub setup_ecn ()
{
my % interfaces ;
my @ hosts ;
if ( my $ fn = open_file 'ecn' ) {
first_entry "$doing $fn..." ;
while ( read_a_line ) {
my ( $ interface , $ hosts ) = split_line 1 , 2 , 'ecn file entry' ;
fatal_error "Unknown interface ($interface)" unless known_interface $ interface ;
$ interfaces { $ interface } = 1 ;
$ hosts = ALLIP if $ hosts eq '-' ;
for my $ host ( split_list $ hosts , 'address' ) {
validate_host ( $ host , 1 ) ;
push @ hosts , [ $ interface , $ host ] ;
}
}
if ( @ hosts ) {
my @ interfaces = ( keys % interfaces ) ;
progress_message "$doing ECN control on @interfaces..." ;
for my $ interface ( @ interfaces ) {
my $ chainref = ensure_chain 'mangle' , ecn_chain ( $ interface ) ;
2009-11-06 22:10:19 +01:00
add_jump $ mangle_table - > { POSTROUTING } , $ chainref , 0 , "-p tcp " . match_dest_dev ( $ interface ) ;
add_jump $ mangle_table - > { OUTPUT } , $ chainref , 0 , "-p tcp " . match_dest_dev ( $ interface ) ;
2009-02-22 18:30:14 +01:00
}
for my $ host ( @ hosts ) {
add_rule $ mangle_table - > { ecn_chain $ host - > [ 0 ] } , join ( '' , '-p tcp ' , match_dest_net ( $ host - > [ 1 ] ) , ' -j ECN --ecn-tcp-remove' ) ;
}
}
}
}
sub add_rule_pair ( $$$$ ) {
my ( $ chainref , $ predicate , $ target , $ level ) = @ _ ;
log_rule ( $ level , $ chainref , "\U$target" , $ predicate ) if defined $ level && $ level ne '' ;
2010-01-16 18:53:53 +01:00
add_jump ( $ chainref , $ target , 0 , $ predicate ) ;
2009-02-22 18:30:14 +01:00
}
sub setup_blacklist () {
my $ hosts = find_hosts_by_option 'blacklist' ;
my $ chainref ;
my ( $ level , $ disposition ) = @ config { 'BLACKLIST_LOGLEVEL' , 'BLACKLIST_DISPOSITION' } ;
my $ target = $ disposition eq 'REJECT' ? 'reject' : $ disposition ;
2010-03-21 15:24:29 +01:00
#
# We go ahead and generate the blacklist chain and jump to it, even if it turns out to be empty. That is necessary
# for 'refresh' to work properly.
#
2009-02-22 18:30:14 +01:00
if ( @$ hosts ) {
2010-03-22 14:46:48 +01:00
$ chainref = dont_delete new_standard_chain 'blacklst' ;
2009-02-22 18:30:14 +01:00
if ( defined $ level && $ level ne '' ) {
my $ logchainref = new_standard_chain 'blacklog' ;
log_rule_limit ( $ level , $ logchainref , 'blacklst' , $ disposition , "$globals{LOGLIMIT}" , '' , 'add' , '' ) ;
2010-01-16 18:53:53 +01:00
add_jump $ logchainref , $ target , 1 ;
2009-02-22 18:30:14 +01:00
$ target = 'blacklog' ;
}
}
BLACKLIST:
{
if ( my $ fn = open_file 'blacklist' ) {
my $ first_entry = 1 ;
first_entry "$doing $fn..." ;
while ( read_a_line ) {
if ( $ first_entry ) {
unless ( @$ hosts ) {
2009-02-24 00:39:46 +01:00
warning_message qq( The entries in $fn have been ignored because there are no 'blacklist' interfaces ) ;
2009-02-22 18:30:14 +01:00
close_file ;
last BLACKLIST ;
}
$ first_entry = 0 ;
}
my ( $ networks , $ protocol , $ ports ) = split_line 1 , 3 , 'blacklist file' ;
expand_rule (
$ chainref ,
NO_RESTRICT ,
do_proto ( $ protocol , $ ports , '' ) ,
$ networks ,
'' ,
'' ,
"-j $target" ,
'' ,
$ disposition ,
'' ) ;
progress_message " \"$currentline\" added to blacklist" ;
}
2010-03-19 18:01:02 +01:00
2010-03-19 19:32:22 +01:00
warning_message q( There are interfaces or hosts with the 'blacklist' option but the 'blacklist' file is empty ) if $ first_entry && @$ hosts ;
2010-03-19 18:01:02 +01:00
} elsif ( @$ hosts ) {
warning_message q( There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size ) ;
2009-02-22 18:30:14 +01:00
}
2010-04-25 22:35:41 +02:00
my $ state = $ config { BLACKLISTNEWONLY } ? $ globals { UNTRACKED } ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '' ;
2009-02-22 18:30:14 +01:00
for my $ hostref ( @$ hosts ) {
my $ interface = $ hostref - > [ 0 ] ;
my $ ipsec = $ hostref - > [ 1 ] ;
2010-01-25 17:13:22 +01:00
my $ policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '' ;
2009-02-22 18:30:14 +01:00
my $ network = $ hostref - > [ 2 ] ;
my $ source = match_source_net $ network ;
my $ target = source_exclusion ( $ hostref - > [ 3 ] , $ chainref ) ;
for my $ chain ( first_chains $ interface ) {
add_jump $ filter_table - > { $ chain } , $ chainref , 0 , "${source}${state}${policy}" ;
}
set_interface_option $ interface , 'use_input_chain' , 1 ;
set_interface_option $ interface , 'use_forward_chain' , 1 ;
progress_message " Blacklisting enabled on ${interface}:${network}" ;
}
}
}
sub process_routestopped () {
my ( @ allhosts , % source , % dest , % notrack , @ rule ) ;
my $ fn = open_file 'routestopped' ;
my $ seq = 0 ;
first_entry "$doing $fn..." ;
while ( read_a_line ) {
my ( $ interface , $ hosts , $ options , $ proto , $ ports , $ sports ) = split_line 1 , 6 , 'routestopped file' ;
2010-05-03 21:31:11 +02:00
my $ interfaceref ;
fatal_error "Unknown interface ($interface)" unless $ interfaceref = known_interface $ interface ;
2009-02-22 18:30:14 +01:00
$ hosts = ALLIP unless $ hosts && $ hosts ne '-' ;
2010-05-03 21:31:11 +02:00
my $ routeback = 0 ;
2009-02-22 18:30:14 +01:00
my @ hosts ;
$ seq + + ;
2009-11-22 17:20:07 +01:00
my $ rule = do_proto ( $ proto , $ ports , $ sports , 0 ) ;
2009-02-22 18:30:14 +01:00
for my $ host ( split /,/ , $ hosts ) {
2010-01-04 20:14:05 +01:00
fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $ host =~ /^!?\+/ && $ config { SAVE_IPSETS } ;
2009-02-22 18:30:14 +01:00
validate_host $ host , 1 ;
push @ hosts , "$interface|$host|$seq" ;
push @ rule , $ rule ;
}
unless ( $ options eq '-' ) {
for my $ option ( split /,/ , $ options ) {
if ( $ option eq 'routeback' ) {
if ( $ routeback ) {
warning_message "Duplicate 'routeback' option ignored" ;
} else {
$ routeback = 1 ;
}
} elsif ( $ option eq 'source' ) {
for my $ host ( split /,/ , $ hosts ) {
$ source { "$interface|$host|$seq" } = 1 ;
}
} elsif ( $ option eq 'dest' ) {
for my $ host ( split /,/ , $ hosts ) {
$ dest { "$interface|$host|$seq" } = 1 ;
}
} elsif ( $ option eq 'notrack' ) {
for my $ host ( split /,/ , $ hosts ) {
$ notrack { "$interface|$host|$seq" } = 1 ;
}
} else {
warning_message "Unknown routestopped option ( $option ) ignored" unless $ option eq 'critical' ;
2009-03-30 02:49:00 +02:00
warning_message "The 'critical' option is no longer supported (or needed)" ;
2009-02-22 18:30:14 +01:00
}
}
}
2010-05-03 21:31:11 +02:00
if ( $ routeback || $ interfaceref - > { options } { routeback } ) {
my $ chainref = $ filter_table - > { FORWARD } ;
for my $ host ( split /,/ , $ hosts ) {
add_rule ( $ chainref ,
match_source_dev ( $ interface ) .
match_dest_dev ( $ interface ) .
match_source_net ( $ host ) .
match_dest_net ( $ host ) ) ;
clearrule ;
}
}
2009-02-22 18:30:14 +01:00
push @ allhosts , @ hosts ;
}
for my $ host ( @ allhosts ) {
my ( $ interface , $ h , $ seq ) = split /\|/ , $ host ;
my $ source = match_source_net $ h ;
my $ dest = match_dest_net $ h ;
my $ sourcei = match_source_dev $ interface ;
my $ desti = match_dest_dev $ interface ;
my $ rule = shift @ rule ;
2009-11-03 20:36:32 +01:00
add_rule $ filter_table - > { INPUT } , "$sourcei $source $rule -j ACCEPT" , 1 ;
add_rule $ filter_table - > { OUTPUT } , "$desti $dest $rule -j ACCEPT" , 1 unless $ config { ADMINISABSENTMINDED } ;
2009-02-22 18:30:14 +01:00
my $ matched = 0 ;
if ( $ source { $ host } ) {
2009-11-03 20:36:32 +01:00
add_rule $ filter_table - > { FORWARD } , "$sourcei $source $rule -j ACCEPT" , 1 ;
2009-02-22 18:30:14 +01:00
$ matched = 1 ;
}
if ( $ dest { $ host } ) {
2009-11-03 20:36:32 +01:00
add_rule $ filter_table - > { FORWARD } , "$desti $dest $rule -j ACCEPT" , 1 ;
2009-02-22 18:30:14 +01:00
$ matched = 1 ;
}
if ( $ notrack { $ host } ) {
2009-11-03 20:36:32 +01:00
add_rule $ raw_table - > { PREROUTING } , "$sourcei $source $rule -j NOTRACK" , 1 ;
add_rule $ raw_table - > { OUTPUT } , "$desti $dest $rule -j NOTRACK" , 1 ;
2009-02-22 18:30:14 +01:00
}
unless ( $ matched ) {
for my $ host1 ( @ allhosts ) {
unless ( $ host eq $ host1 ) {
my ( $ interface1 , $ h1 , $ seq1 ) = split /\|/ , $ host1 ;
my $ dest1 = match_dest_net $ h1 ;
my $ desti1 = match_dest_dev $ interface1 ;
2009-11-03 20:36:32 +01:00
add_rule $ filter_table - > { FORWARD } , "$sourcei $desti1 $source $dest1 $rule -j ACCEPT" , 1 ;
2009-02-22 18:30:14 +01:00
clearrule ;
}
}
}
}
}
sub setup_mss () ;
sub add_common_rules () {
my $ interface ;
my $ chainref ;
my $ target ;
my $ rule ;
my $ list ;
my $ chain ;
2010-04-25 22:35:41 +02:00
my $ state = $ config { BLACKLISTNEWONLY } ? $ globals { UNTRACKED } ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '' ;
2010-01-16 18:53:53 +01:00
my $ level = $ config { BLACKLIST_LOGLEVEL } ;
my $ rejectref = dont_move new_standard_chain 'reject' ;
2009-02-22 18:30:14 +01:00
2010-01-16 18:53:53 +01:00
if ( $ config { DYNAMIC_BLACKLIST } ) {
add_rule_pair dont_delete ( new_standard_chain ( 'logdrop' ) ) , ' ' , 'DROP' , $ level ;
add_rule_pair dont_delete ( new_standard_chain ( 'logreject' ) ) , ' ' , 'reject' , $ level ;
$ chainref = dont_optimize ( new_standard_chain ( 'dynamic' ) ) ;
add_jump $ filter_table - > { $ _ } , $ chainref , 0 , $ state for qw( INPUT FORWARD ) ;
2010-06-06 22:10:28 +02:00
add_commands ( $ chainref , '[ -f ${VARDIR}/dynamic ] && cat ${VARDIR}/dynamic >&3' ) ;
2010-01-16 18:53:53 +01:00
}
2009-02-22 18:30:14 +01:00
setup_mss ;
if ( $ config { FASTACCEPT } ) {
2010-04-25 22:35:41 +02:00
add_rule ( $ filter_table - > { $ _ } , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT ) ;
2009-02-22 18:30:14 +01:00
}
for $ interface ( all_interfaces ) {
ensure_chain ( 'filter' , $ _ ) for first_chains ( $ interface ) , output_chain ( $ interface ) ;
}
run_user_exit1 'initdone' ;
setup_blacklist ;
$ list = find_hosts_by_option 'nosmurfs' ;
2010-02-04 00:03:15 +01:00
if ( @$ list ) {
progress_message2 'Adding Anti-smurf Rules' ;
$ chainref = new_standard_chain 'smurfs' ;
my $ smurfdest ;
if ( defined $ config { SMURF_LOG_LEVEL } && $ config { SMURF_LOG_LEVEL } ne '' ) {
2010-02-04 01:04:59 +01:00
my $ smurfref = new_chain ( 'filter' , $ smurfdest = 'smurflog' ) ;
2010-02-04 00:03:15 +01:00
log_rule_limit ( $ config { SMURF_LOG_LEVEL } ,
$ smurfref ,
'smurfs' ,
'DROP' ,
$ globals { LOGLIMIT } ,
'' ,
'add' ,
'' ) ;
add_rule ( $ smurfref , '-j DROP' ) ;
} else {
$ smurfdest = 'DROP' ;
}
if ( have_capability ( 'ADDRTYPE' ) ) {
2010-02-07 17:43:31 +01:00
if ( $ family == F_IPV4 ) {
add_rule $ chainref , '-s 0.0.0.0 -j RETURN' ;
} else {
2010-02-08 16:12:58 +01:00
add_rule $ chainref , '-s :: -j RETURN' ;
2010-02-07 17:43:31 +01:00
}
2010-02-04 00:03:15 +01:00
add_jump ( $ chainref , $ smurfdest , 1 , '-m addrtype --src-type BROADCAST ' ) ;
} else {
if ( $ family == F_IPV4 ) {
add_commands $ chainref , 'for address in $ALL_BCASTS; do' ;
} else {
add_commands $ chainref , 'for address in $ALL_ACASTS; do' ;
}
incr_cmd_level $ chainref ;
add_jump ( $ chainref , $ smurfdest , 1 , '-s $address ' ) ;
decr_cmd_level $ chainref ;
add_commands $ chainref , 'done' ;
}
2009-02-22 18:30:14 +01:00
if ( $ family == F_IPV4 ) {
2010-02-04 00:03:15 +01:00
add_jump ( $ chainref , $ smurfdest , 1 , '-s 224.0.0.0/4 ' ) ;
2009-02-22 18:30:14 +01:00
} else {
2010-02-04 00:03:15 +01:00
add_jump ( $ chainref , $ smurfdest , 1 , '-s ff00::/10 ' ) ;
2009-02-22 18:30:14 +01:00
}
2010-02-04 00:03:15 +01:00
my $ state = $ globals { UNTRACKED } ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID' ;
2009-02-22 18:30:14 +01:00
2010-02-04 00:03:15 +01:00
for my $ hostref ( @$ list ) {
$ interface = $ hostref - > [ 0 ] ;
my $ ipsec = $ hostref - > [ 1 ] ;
my $ policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '' ;
my $ target = source_exclusion ( $ hostref - > [ 3 ] , $ chainref ) ;
for $ chain ( first_chains $ interface ) {
2010-04-25 22:35:41 +02:00
add_jump $ filter_table - > { $ chain } , $ target , 0 , join ( '' , "$globals{STATEMATCH} $state " , match_source_net ( $ hostref - > [ 2 ] ) , $ policy ) ;
2010-02-04 00:03:15 +01:00
}
set_interface_option $ interface , 'use_input_chain' , 1 ;
set_interface_option $ interface , 'use_forward_chain' , 1 ;
}
2009-02-22 18:30:14 +01:00
}
2010-01-25 16:56:16 +01:00
if ( have_capability ( 'ADDRTYPE' ) ) {
2009-02-22 18:30:14 +01:00
add_rule $ rejectref , '-m addrtype --src-type BROADCAST -j DROP' ;
} else {
if ( $ family == F_IPV4 ) {
2009-07-07 03:38:39 +02:00
add_commands $ rejectref , 'for address in $ALL_BCASTS; do' ;
2009-02-22 18:30:14 +01:00
} else {
2009-07-07 03:38:39 +02:00
add_commands $ rejectref , 'for address in $ALL_ACASTS; do' ;
2009-02-22 18:30:14 +01:00
}
incr_cmd_level $ rejectref ;
add_rule $ rejectref , '-d $address -j DROP' ;
decr_cmd_level $ rejectref ;
2009-07-07 03:38:39 +02:00
add_commands $ rejectref , 'done' ;
2009-02-22 18:30:14 +01:00
}
if ( $ family == F_IPV4 ) {
add_rule $ rejectref , '-s 224.0.0.0/4 -j DROP' ;
} else {
add_rule $ rejectref , '-s ff00::/10 -j DROP' ;
}
add_rule $ rejectref , '-p 2 -j DROP' ;
add_rule $ rejectref , '-p 6 -j REJECT --reject-with tcp-reset' ;
2010-01-25 16:56:16 +01:00
if ( have_capability ( 'ENHANCED_REJECT' ) ) {
2009-02-22 18:30:14 +01:00
add_rule $ rejectref , '-p 17 -j REJECT' ;
if ( $ family == F_IPV4 ) {
add_rule $ rejectref , '-p 1 -j REJECT --reject-with icmp-host-unreachable' ;
add_rule $ rejectref , '-j REJECT --reject-with icmp-host-prohibited' ;
} else {
add_rule $ rejectref , '-p 58 -j REJECT --reject-with icmp6-addr-unreachable' ;
2009-08-20 23:32:15 +02:00
add_rule $ rejectref , '-j REJECT --reject-with icmp6-adm-prohibited' ;
2009-02-22 18:30:14 +01:00
}
} else {
add_rule $ rejectref , '-j REJECT' ;
}
$ list = find_interfaces_by_option 'dhcp' ;
if ( @$ list ) {
progress_message2 'Adding rules for DHCP' ;
my $ ports = $ family == F_IPV4 ? '67:68' : '546:547' ;
for $ interface ( @$ list ) {
set_interface_option $ interface , 'use_input_chain' , 1 ;
set_interface_option $ interface , 'use_forward_chain' , 1 ;
for $ chain ( input_chain $ interface , output_chain $ interface ) {
add_rule $ filter_table - > { $ chain } , "-p udp --dport $ports -j ACCEPT" ;
}
2009-11-06 22:10:19 +01:00
add_rule ( $ filter_table - > { forward_chain $ interface } ,
"-p udp " .
match_dest_dev ( $ interface ) .
"--dport $ports -j ACCEPT" )
if get_interface_option ( $ interface , 'bridge' ) ;
2009-02-22 18:30:14 +01:00
}
}
$ list = find_hosts_by_option 'tcpflags' ;
if ( @$ list ) {
my $ disposition ;
progress_message2 "$doing TCP Flags filtering..." ;
$ chainref = new_standard_chain 'tcpflags' ;
if ( $ config { TCP_FLAGS_LOG_LEVEL } ne '' ) {
my $ logflagsref = new_standard_chain 'logflags' ;
my $ savelogparms = $ globals { LOGPARMS } ;
$ globals { LOGPARMS } = "$globals{LOGPARMS}--log-ip-options " ;
log_rule $ config { TCP_FLAGS_LOG_LEVEL } , $ logflagsref , $ config { TCP_FLAGS_DISPOSITION } , '' ;
$ globals { LOGPARMS } = $ savelogparms ;
if ( $ config { TCP_FLAGS_DISPOSITION } eq 'REJECT' ) {
add_rule $ logflagsref , '-p 6 -j REJECT --reject-with tcp-reset' ;
} else {
add_rule $ logflagsref , "-j $config{TCP_FLAGS_DISPOSITION}" ;
}
$ disposition = 'logflags' ;
} else {
$ disposition = $ config { TCP_FLAGS_DISPOSITION } ;
}
2010-01-16 18:53:53 +01:00
add_jump $ chainref , $ disposition , 1 , '-p tcp --tcp-flags ALL FIN,URG,PSH ' ;
add_jump $ chainref , $ disposition , 1 , '-p tcp --tcp-flags ALL NONE ' ;
add_jump $ chainref , $ disposition , 1 , '-p tcp --tcp-flags SYN,RST SYN,RST ' ;
add_jump $ chainref , $ disposition , 1 , '-p tcp --tcp-flags SYN,FIN SYN,FIN ' ;
add_jump $ chainref , $ disposition , 1 , '-p tcp --syn --sport 0 ' ;
2009-02-22 18:30:14 +01:00
for my $ hostref ( @$ list ) {
my $ interface = $ hostref - > [ 0 ] ;
my $ target = source_exclusion ( $ hostref - > [ 3 ] , $ chainref ) ;
2010-01-25 17:13:22 +01:00
my $ policy = have_ipsec ? "-m policy --pol $hostref->[1] --dir in " : '' ;
2009-02-22 18:30:14 +01:00
for $ chain ( first_chains $ interface ) {
add_jump $ filter_table - > { $ chain } , $ target , 0 , join ( '' , '-p tcp ' , match_source_net ( $ hostref - > [ 2 ] ) , $ policy ) ;
}
set_interface_option $ interface , 'use_input_chain' , 1 ;
set_interface_option $ interface , 'use_forward_chain' , 1 ;
}
}
if ( $ family == F_IPV4 ) {
2009-06-15 22:34:35 +02:00
my $ announced = 0 ;
2009-02-22 18:30:14 +01:00
$ list = find_interfaces_by_option 'upnp' ;
if ( @$ list ) {
progress_message2 "$doing UPnP" ;
2010-06-06 22:10:28 +02:00
$ chainref = dont_optimize new_nat_chain ( 'UPnP' ) ;
add_commands ( $ chainref , '[ -s /${VARDIR}/UPnP ] && cat ${VARDIR}/UPnP >&3' ) ;
2009-02-22 18:30:14 +01:00
2009-06-15 22:34:35 +02:00
$ announced = 1 ;
2009-02-22 18:30:14 +01:00
for $ interface ( @$ list ) {
2010-01-16 18:53:53 +01:00
add_jump $ nat_table - > { PREROUTING } , 'UPnP' , 0 , match_source_dev ( $ interface ) ;
2009-02-22 18:30:14 +01:00
}
}
2009-06-15 22:34:35 +02:00
$ list = find_interfaces_by_option 'upnpclient' ;
if ( @$ list ) {
progress_message2 "$doing UPnP" unless $ announced ;
for $ interface ( @$ list ) {
my $ chainref = $ filter_table - > { input_chain $ interface } ;
my $ base = uc chain_base $ interface ;
my $ variable = get_interface_gateway $ interface ;
2009-08-11 17:31:58 +02:00
if ( interface_is_optional $ interface ) {
2009-08-20 23:32:15 +02:00
add_commands ( $ chainref ,
2009-08-11 17:31:58 +02:00
qq( if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then ) ,
2010-06-06 17:05:19 +02:00
' echo "-A ' . match_source_dev ( $ interface ) . qq( -s $variable -p udp -j ACCEPT" >&3 ) ,
2009-08-11 17:31:58 +02:00
qq( fi ) ) ;
} else {
2010-06-06 17:05:19 +02:00
add_rule ( $ chainref , match_source_dev ( $ interface ) . qq( -s $variable -p udp -j ACCEPT ) ) ;
2009-08-11 17:31:58 +02:00
}
2009-06-15 22:34:35 +02:00
}
}
2009-02-22 18:30:14 +01:00
}
setup_syn_flood_chains ;
}
my % maclist_targets = ( ACCEPT = > { target = > 'RETURN' , mangle = > 1 } ,
REJECT = > { target = > 'reject' , mangle = > 0 } ,
DROP = > { target = > 'DROP' , mangle = > 1 } ) ;
sub setup_mac_lists ( $ ) {
my $ phase = $ _ [ 0 ] ;
my % maclist_interfaces ;
my $ table = $ config { MACLIST_TABLE } ;
my $ maclist_hosts = find_hosts_by_option 'maclist' ;
my $ target = $ globals { MACLIST_TARGET } ;
my $ level = $ config { MACLIST_LOG_LEVEL } ;
my $ disposition = $ config { MACLIST_DISPOSITION } ;
my $ ttl = $ config { MACLIST_TTL } ;
progress_message2 "$doing MAC Filtration -- Phase $phase..." ;
for my $ hostref ( @$ maclist_hosts ) {
$ maclist_interfaces { $ hostref - > [ 0 ] } = 1 ;
}
my @ maclist_interfaces = ( sort keys % maclist_interfaces ) ;
if ( $ phase == 1 ) {
for my $ interface ( @ maclist_interfaces ) {
my $ chainref = new_chain $ table , mac_chain $ interface ;
if ( $ family == F_IPV4 ) {
2009-08-20 23:32:15 +02:00
add_rule $ chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
2009-02-22 18:30:14 +01:00
if $ table eq 'mangle' && get_interface_option ( $ interface , 'dhcp' ) ;
} else {
#
# Accept any packet with a link-level source or destination address
#
add_rule $ chainref , '-s ff80::/10 -j RETURN' ;
add_rule $ chainref , '-d ff80::/10 -j RETURN' ;
#
# Accept Multicast
#
add_rule $ chainref , '-d ff00::/10 -j RETURN' ;
}
if ( $ ttl ) {
my $ chain1ref = new_chain $ table , macrecent_target $ interface ;
my $ chain = $ chainref - > { name } ;
add_rule $ chainref , "-m recent --rcheck --seconds $ttl --name $chain -j RETURN" ;
2010-01-16 18:53:53 +01:00
add_jump $ chainref , $ chain1ref , 0 ;
2009-02-22 18:30:14 +01:00
add_rule $ chainref , "-m recent --update --name $chain -j RETURN" ;
add_rule $ chainref , "-m recent --set --name $chain" ;
}
}
my $ fn = open_file 'maclist' ;
first_entry "$doing $fn..." ;
while ( read_a_line ) {
my ( $ original_disposition , $ interface , $ mac , $ addresses ) = split_line1 3 , 4 , 'maclist file' ;
if ( $ original_disposition eq 'COMMENT' ) {
process_comment ;
} else {
my ( $ disposition , $ level , $ remainder ) = split ( /:/ , $ original_disposition , 3 ) ;
fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $ remainder || ! $ disposition ;
my $ targetref = $ maclist_targets { $ disposition } ;
fatal_error "Invalid DISPOSITION ($original_disposition)" if ! $ targetref || ( ( $ table eq 'mangle' ) && ! $ targetref - > { mangle } ) ;
fatal_error "Unknown Interface ($interface)" unless known_interface ( $ interface ) ;
fatal_error "No hosts on $interface have the maclist option specified" unless $ maclist_interfaces { $ interface } ;
my $ chainref = $ chain_table { $ table } { ( $ ttl ? macrecent_target $ interface : mac_chain $ interface ) } ;
$ mac = '' unless $ mac && ( $ mac ne '-' ) ;
$ addresses = '' unless defined $ addresses && ( $ addresses ne '-' ) ;
fatal_error "You must specify a MAC address or an IP address" unless $ mac || $ addresses ;
$ mac = mac_match $ mac if $ mac ;
if ( $ addresses ) {
for my $ address ( split ',' , $ addresses ) {
my $ source = match_source_net $ address ;
log_rule_limit $ level , $ chainref , mac_chain ( $ interface ) , $ disposition , '' , '' , 'add' , "${mac}${source}"
if defined $ level && $ level ne '' ;
2010-04-15 23:13:37 +02:00
add_jump $ chainref , $ targetref - > { target } , 0 , "${mac}${source}" ;
2009-02-22 18:30:14 +01:00
}
} else {
log_rule_limit $ level , $ chainref , mac_chain ( $ interface ) , $ disposition , '' , '' , 'add' , $ mac
if defined $ level && $ level ne '' ;
2010-04-15 23:13:37 +02:00
add_jump $ chainref , $ targetref - > { target } , 0 , "$mac" ;
2009-02-22 18:30:14 +01:00
}
progress_message " Maclist entry \"$currentline\" $done" ;
}
}
clear_comment ;
#
# Generate jumps from the input and forward chains
#
for my $ hostref ( @$ maclist_hosts ) {
my $ interface = $ hostref - > [ 0 ] ;
my $ ipsec = $ hostref - > [ 1 ] ;
2010-01-25 17:13:22 +01:00
my $ policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '' ;
2009-02-22 18:30:14 +01:00
my $ source = match_source_net $ hostref - > [ 2 ] ;
my $ state = $ globals { UNTRACKED } ? 'NEW,UNTRACKED' : 'NEW' ;
if ( $ table eq 'filter' ) {
my $ chainref = source_exclusion ( $ hostref - > [ 3 ] , $ filter_table - > { mac_chain $ interface } ) ;
for my $ chain ( first_chains $ interface ) {
2010-04-25 22:35:41 +02:00
add_jump $ filter_table - > { $ chain } , $ chainref , 0 , "${source}$globals{STATEMATCH} ${state} ${policy}" ;
2009-02-22 18:30:14 +01:00
}
set_interface_option $ interface , 'use_input_chain' , 1 ;
set_interface_option $ interface , 'use_forward_chain' , 1 ;
} else {
my $ chainref = source_exclusion ( $ hostref - > [ 3 ] , $ mangle_table - > { mac_chain $ interface } ) ;
2010-04-25 22:35:41 +02:00
add_jump $ mangle_table - > { PREROUTING } , $ chainref , 0 , match_source_dev ( $ interface ) . "${source}$globals{STATEMATCH} ${state} ${policy}" ;
2009-02-22 18:30:14 +01:00
}
}
} else {
2009-09-10 23:56:23 +02:00
#
# Phase II
#
2009-02-22 18:30:14 +01:00
for my $ interface ( @ maclist_interfaces ) {
my $ chainref = $ chain_table { $ table } { ( $ ttl ? macrecent_target $ interface : mac_chain $ interface ) } ;
my $ chain = $ chainref - > { name } ;
if ( $ family == F_IPV4 ) {
if ( $ level ne '' || $ disposition ne 'ACCEPT' ) {
my $ variable = get_interface_addresses source_port_to_bridge ( $ interface ) ;
2010-01-25 16:56:16 +01:00
if ( have_capability ( 'ADDRTYPE' ) ) {
2009-02-22 18:30:14 +01:00
add_commands ( $ chainref ,
"for address in $variable; do" ,
2010-04-15 02:05:03 +02:00
" echo \"-A -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3" ,
" echo \"-A -s \$address -d 224.0.0.0/4 -j RETURN\" >&3" ,
2009-02-22 18:30:14 +01:00
'done' ) ;
} else {
my $ bridge = source_port_to_bridge ( $ interface ) ;
my $ bridgeref = find_interface ( $ bridge ) ;
add_commands ( $ chainref ,
"for address in $variable; do" ) ;
if ( $ bridgeref - > { broadcasts } ) {
for my $ address ( @ { $ bridgeref - > { broadcasts } } , '255.255.255.255' ) {
add_commands ( $ chainref ,
2010-04-15 02:05:03 +02:00
" echo \"-A -s \$address -d $address -j RETURN\" >&3" ) ;
2009-02-22 18:30:14 +01:00
}
} else {
my $ variable1 = get_interface_bcasts $ bridge ;
2009-08-20 23:32:15 +02:00
add_commands ( $ chainref ,
2009-02-22 18:30:14 +01:00
" for address1 in $variable1; do" ,
2010-04-15 02:05:03 +02:00
" echo \"-A -s \$address -d \$address1 -j RETURN\" >&3" ,
2009-02-22 18:30:14 +01:00
" done" ) ;
}
2009-07-07 03:38:39 +02:00
add_commands ( $ chainref
2010-04-15 02:05:03 +02:00
, " echo \"-A -s \$address -d 224.0.0.0/4 -j RETURN\" >&3" ,
2009-07-07 03:38:39 +02:00
, 'done' ) ;
2009-02-22 18:30:14 +01:00
}
}
}
run_user_exit2 ( 'maclog' , $ chainref ) ;
log_rule_limit $ level , $ chainref , $ chain , $ disposition , '' , '' , 'add' , '' if $ level ne '' ;
2010-01-16 18:53:53 +01:00
add_jump $ chainref , $ target , 0 ;
2009-02-22 18:30:14 +01:00
}
}
}
sub process_rule1 ( $ $ $ $ $ $ $ $ $ $ $ $ $ ) ;
#
# Expand a macro rule from the rules file
#
sub process_macro ( $$$$$$$$$$$$$$$ ) {
my ( $ macro , $ target , $ param , $ source , $ dest , $ proto , $ ports , $ sports , $ origdest , $ rate , $ user , $ mark , $ connlimit , $ time , $ wildcard ) = @ _ ;
my $ nocomment = no_comment ;
my $ format = 1 ;
macro_comment $ macro ;
my $ macrofile = $ macros { $ macro } ;
progress_message "..Expanding Macro $macrofile..." ;
push_open $ macrofile ;
while ( read_a_line ) {
2009-09-13 17:09:40 +02:00
my ( $ mtarget , $ msource , $ mdest , $ mproto , $ mports , $ msports , $ morigdest , $ mrate , $ muser , $ mmark , $ mconnlimit , $ mtime ) ;
2009-02-22 18:30:14 +01:00
if ( $ format == 1 ) {
2009-09-13 17:09:40 +02:00
( $ mtarget , $ msource , $ mdest , $ mproto , $ mports , $ msports , $ mrate , $ muser ) = split_line1 1 , 8 , 'macro file' , $ macro_commands ;
( $ morigdest , $ mmark , $ mconnlimit , $ mtime ) = qw/- - - -/ ;
2009-02-22 18:30:14 +01:00
} else {
2009-09-13 17:09:40 +02:00
( $ mtarget , $ msource , $ mdest , $ mproto , $ mports , $ msports , $ morigdest , $ mrate , $ muser , $ mmark , $ mconnlimit , $ mtime ) = split_line1 1 , 12 , 'macro file' , $ macro_commands ;
2009-02-22 18:30:14 +01:00
}
if ( $ mtarget eq 'COMMENT' ) {
process_comment unless $ nocomment ;
next ;
}
if ( $ mtarget eq 'FORMAT' ) {
fatal_error "Invalid FORMAT ($msource)" unless $ msource =~ /^[12]$/ ;
$ format = $ msource ;
next ;
}
$ mtarget = merge_levels $ target , $ mtarget ;
if ( $ mtarget =~ /^PARAM(:.*)?$/ ) {
fatal_error 'PARAM requires a parameter to be supplied in macro invocation' unless $ param ne '' ;
$ mtarget = substitute_param $ param , $ mtarget ;
}
my $ action = isolate_basic_target $ mtarget ;
fatal_error "Invalid or missing ACTION ($mtarget)" unless defined $ action ;
my $ actiontype = $ targets { $ action } || find_macro ( $ action ) ;
fatal_error "Invalid Action ($mtarget) in macro" unless $ actiontype & ( ACTION + STANDARD + NATRULE + MACRO ) ;
if ( $ msource ) {
if ( $ msource eq '-' ) {
$ msource = $ source || '' ;
} elsif ( $ msource =~ s/^DEST:?// ) {
2009-08-20 23:32:15 +02:00
$ msource = merge_macro_source_dest $ msource , $ dest ;
2009-02-22 18:30:14 +01:00
} else {
$ msource =~ s/^SOURCE:?// ;
$ msource = merge_macro_source_dest $ msource , $ source ;
}
} else {
$ msource = '' ;
}
if ( $ mdest ) {
if ( $ mdest eq '-' ) {
$ mdest = $ dest || '' ;
} elsif ( $ mdest =~ s/^SOURCE:?// ) {
$ mdest = merge_macro_source_dest $ mdest , $ source ;
} else {
$ mdest =~ s/DEST:?// ;
$ mdest = merge_macro_source_dest $ mdest , $ dest ;
}
} else {
$ mdest = '' ;
}
2009-08-20 23:32:15 +02:00
process_rule1 (
$ mtarget ,
$ msource ,
$ mdest ,
2009-09-13 17:09:40 +02:00
merge_macro_column ( $ mproto , $ proto ) ,
merge_macro_column ( $ mports , $ ports ) ,
merge_macro_column ( $ msports , $ sports ) ,
merge_macro_column ( $ morigdest , $ origdest ) ,
merge_macro_column ( $ mrate , $ rate ) ,
merge_macro_column ( $ muser , $ user ) ,
merge_macro_column ( $ mmark , $ mark ) ,
merge_macro_column ( $ mconnlimit , $ connlimit ) ,
merge_macro_column ( $ mtime , $ time ) ,
2009-02-22 18:30:14 +01:00
$ wildcard
) ;
progress_message " Rule \"$currentline\" $done" ;
}
pop_open ;
progress_message "..End Macro $macrofile" ;
clear_comment unless $ nocomment ;
}
#
2009-11-29 18:55:32 +01:00
# Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
2009-02-22 18:30:14 +01:00
# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
#
sub process_rule1 ( $$$$$$$$$$$$$ ) {
my ( $ target , $ source , $ dest , $ proto , $ ports , $ sports , $ origdest , $ ratelimit , $ user , $ mark , $ connlimit , $ time , $ wildcard ) = @ _ ;
my ( $ action , $ loglevel ) = split_action $ target ;
my ( $ basictarget , $ param ) = get_target_param $ action ;
my $ rule = '' ;
my $ actionchainref ;
2010-01-16 18:53:53 +01:00
my $ optimize = $ wildcard ? ( $ basictarget =~ /!$/ ? 0 : $ config { OPTIMIZE } & 1 ) : 0 ;
2009-02-22 18:30:14 +01:00
$ param = '' unless defined $ param ;
#
# Determine the validity of the action
#
my $ actiontype = $ targets { $ basictarget } || find_macro ( $ basictarget ) ;
2009-09-06 22:37:24 +02:00
if ( $ config { MAPOLDACTIONS } ) {
2009-11-29 18:55:32 +01:00
( $ basictarget , $ actiontype , $ param ) = map_old_actions ( $ basictarget ) unless $ actiontype || $ param ;
2009-09-06 22:37:24 +02:00
}
2009-02-22 18:30:14 +01:00
fatal_error "Unknown action ($action)" unless $ actiontype ;
if ( $ actiontype == MACRO ) {
#
# process_macro() will call process_rule1() recursively for each rule in the macro body
#
fatal_error "Macro invocations nested too deeply" if + + $ macro_nest_level > MAX_MACRO_NEST_LEVEL ;
if ( $ param ne '' ) {
push @ param_stack , $ current_param ;
$ current_param = $ param ;
}
process_macro ( $ basictarget ,
$ target ,
$ current_param ,
$ source ,
$ dest ,
$ proto ,
$ ports ,
$ sports ,
$ origdest ,
$ ratelimit ,
$ user ,
$ mark ,
$ connlimit ,
$ time ,
$ wildcard ) ;
$ macro_nest_level - - ;
$ current_param = pop @ param_stack if $ param ne '' ;
return ;
} elsif ( $ actiontype & NFQ ) {
2009-08-20 23:32:15 +02:00
require_capability ( 'NFQUEUE_TARGET' , 'NFQUEUE Rules' , '' ) ;
2009-02-22 18:30:14 +01:00
my $ paramval = $ param eq '' ? 0 : numeric_value ( $ param ) ;
fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined ( $ paramval ) && $ paramval <= 65535 ;
$ action = "NFQUEUE --queue-num $paramval" ;
} else {
fatal_error "The $basictarget TARGET does not accept a parameter" unless $ param eq '' ;
}
#
# We can now dispense with the postfix character
#
$ action =~ s/[\+\-!]$// ;
#
# Mark target as used
#
if ( $ actiontype & ACTION ) {
unless ( $ usedactions { $ target } ) {
$ usedactions { $ target } = 1 ;
createactionchain $ target ;
}
}
#
# Take care of irregular syntax and targets
#
2009-04-09 20:45:21 +02:00
my $ log_action = $ action ;
2009-02-22 18:30:14 +01:00
if ( $ actiontype & REDIRECT ) {
my $ z = $ actiontype & NATONLY ? '' : firewall_zone ;
if ( $ dest eq '-' ) {
$ dest = join ( '' , $ z , '::' , $ ports =~ /[:,]/ ? '' : $ ports ) ;
} else {
$ dest = join ( '' , $ z , '::' , $ dest ) unless $ dest =~ /:/ ;
}
} elsif ( $ action eq 'REJECT' ) {
$ action = 'reject' ;
} elsif ( $ action eq 'CONTINUE' ) {
$ action = 'RETURN' ;
} elsif ( $ action eq 'COUNT' ) {
$ action = '' ;
} elsif ( $ actiontype & LOGRULE ) {
fatal_error 'LOG requires a log level' unless defined $ loglevel and $ loglevel ne '' ;
}
#
# Isolate and validate source and destination zones
#
my $ sourcezone ;
my $ destzone ;
my $ sourceref ;
my $ destref ;
my $ origdstports ;
if ( $ source =~ /^(.+?):(.*)/ ) {
fatal_error "Missing SOURCE Qualifier ($source)" if $ 2 eq '' ;
$ sourcezone = $ 1 ;
$ source = $ 2 ;
} else {
$ sourcezone = $ source ;
$ source = ALLIP ;
}
if ( $ dest =~ /^(.*?):(.*)/ ) {
fatal_error "Missing DEST Qualifier ($dest)" if $ 2 eq '' ;
$ destzone = $ 1 ;
$ dest = $ 2 ;
} elsif ( $ dest =~ /.*\..*\./ ) {
#
# Appears to be an address
#
$ destzone = '-' ;
} else {
$ destzone = $ dest ;
$ dest = ALLIP ;
}
fatal_error "Missing source zone" if $ sourcezone eq '-' || $ sourcezone =~ /^:/ ;
fatal_error "Unknown source zone ($sourcezone)" unless $ sourceref = defined_zone ( $ sourcezone ) ;
if ( $ actiontype & NATONLY ) {
2009-03-05 05:03:05 +01:00
unless ( $ destzone eq '-' || $ destzone eq '' ) {
2009-03-05 17:18:58 +01:00
$ destref = defined_zone ( $ destzone ) ;
2009-08-20 23:32:15 +02:00
2009-03-05 17:18:58 +01:00
if ( $ destref ) {
2009-11-29 18:55:32 +01:00
warning_message "The destination zone ($destzone) is ignored in $log_action rules" ;
2009-03-05 17:18:58 +01:00
} else {
$ dest = join ':' , $ destzone , $ dest ;
$ destzone = '' ;
}
2009-03-05 05:03:05 +01:00
}
2009-02-22 18:30:14 +01:00
} else {
fatal_error "Missing destination zone" if $ destzone eq '-' || $ destzone eq '' ;
fatal_error "Unknown destination zone ($destzone)" unless $ destref = defined_zone ( $ destzone ) ;
}
my $ restriction = NO_RESTRICT ;
if ( $ sourcezone eq firewall_zone ) {
$ restriction = $ destzone eq firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT ;
} else {
$ restriction = INPUT_RESTRICT if $ destzone eq firewall_zone ;
}
my ( $ chain , $ chainref , $ policy ) ;
#
# For compatibility with older Shorewall versions
#
$ origdest = ALLIP if $ origdest eq 'all' ;
#
# Take care of chain
#
unless ( $ actiontype & NATONLY ) {
#
# Check for illegal bridge port rule
#
2009-03-13 23:59:49 +01:00
if ( $ destref - > { type } == BPORT ) {
2009-02-22 18:30:14 +01:00
unless ( $ sourceref - > { bridge } eq $ destref - > { bridge } || single_interface ( $ sourcezone ) eq $ destref - > { bridge } ) {
return 1 if $ wildcard ;
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge" ;
}
}
2010-01-16 18:53:53 +01:00
$ chain = rules_chain ( $ { sourcezone } , $ { destzone } ) ;
2009-12-15 00:52:16 +01:00
#
# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
#
2009-02-22 18:30:14 +01:00
$ chainref = ensure_chain 'filter' , $ chain ;
$ policy = $ chainref - > { policy } ;
if ( $ policy eq 'NONE' ) {
return 1 if $ wildcard ;
fatal_error "Rules may not override a NONE policy" ;
}
#
# Handle Optimization
#
if ( $ optimize > 0 ) {
my $ loglevel = $ filter_table - > { $ chainref - > { policychain } } { loglevel } ;
if ( $ loglevel ne '' ) {
return 1 if $ target eq "${policy}:$loglevel}" ;
} else {
return 1 if $ basictarget eq $ policy ;
}
}
#
# Mark the chain as referenced and add appropriate rules from earlier sections.
#
$ chainref = ensure_filter_chain $ chain , 1 ;
2010-01-16 18:53:53 +01:00
#
# Don't let the rules in this chain be moved elsewhere
#
dont_move $ chainref ;
2009-02-22 18:30:14 +01:00
}
#
# Generate Fixed part of the rule
#
2010-02-19 22:57:45 +01:00
if ( $ actiontype & ( NATRULE | NONAT ) && ! ( $ actiontype & NATONLY ) ) {
2010-02-13 16:21:27 +01:00
#
2010-02-19 22:57:45 +01:00
# Either a DNAT, REDIRECT or ACCEPT+ rule; don't apply rate limiting twice
2010-02-13 16:21:27 +01:00
#
$ rule = join ( '' ,
do_proto ( $ proto , $ ports , $ sports ) ,
do_user ( $ user ) ,
do_test ( $ mark , $ globals { TC_MASK } ) ,
do_connlimit ( $ connlimit ) ,
do_time ( $ time ) ) ;
} else {
$ rule = join ( '' ,
do_proto ( $ proto , $ ports , $ sports ) ,
do_ratelimit ( $ ratelimit , $ basictarget ) ,
do_user ( $ user ) ,
do_test ( $ mark , $ globals { TC_MASK } ) ,
do_connlimit ( $ connlimit ) ,
do_time ( $ time ) ) ;
}
2009-02-22 18:30:14 +01:00
unless ( $ section eq 'NEW' ) {
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $ config { FASTACCEPT } ;
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $ actiontype & ( NATRULE | NONAT ) ;
2010-04-25 22:35:41 +02:00
$ rule . = "$globals{STATEMATCH} $section "
2009-02-22 18:30:14 +01:00
}
#
# Generate NAT rule(s), if any
#
if ( $ actiontype & NATRULE ) {
my ( $ server , $ serverport ) ;
my $ randomize = $ dest =~ s/:random$// ? '--random ' : '' ;
require_capability ( 'NAT_ENABLED' , "$basictarget rules" , '' ) ;
#
2009-08-20 23:32:15 +02:00
# Isolate server port
2009-02-22 18:30:14 +01:00
#
if ( $ dest =~ /^(.*)(:(.+))$/ ) {
#
# Server IP and Port
#
$ server = $ 1 ; # May be empty
2009-08-20 23:32:15 +02:00
$ serverport = $ 3 ; # Not Empty due to RE
2009-02-22 18:30:14 +01:00
$ origdstports = $ ports ;
if ( $ origdstports && $ origdstports ne '-' && port_count ( $ origdstports ) == 1 ) {
$ origdstports = validate_port ( $ proto , $ origdstports ) ;
} else {
$ origdstports = '' ;
}
if ( $ serverport =~ /^(\d+)-(\d+)$/ ) {
#
# Server Port Range
#
fatal_error "Invalid port range ($serverport)" unless $ 1 < $ 2 ;
my @ ports = ( $ 1 , $ 2 ) ;
$ _ = validate_port ( proto_name ( $ proto ) , $ _ ) for ( @ ports ) ;
( $ ports = $ serverport ) =~ tr /-/ : / ;
} else {
$ serverport = $ ports = validate_port ( proto_name ( $ proto ) , $ serverport ) ;
}
} elsif ( $ dest eq ':' ) {
#
# Rule with no server IP or port ( zone:: )
#
$ server = $ serverport = '' ;
} else {
#
# Simple server IP address (may be empty or "-")
#
$ server = $ dest ;
$ serverport = '' ;
}
#
# Generate the target
#
my $ target = '' ;
if ( $ actiontype & REDIRECT ) {
fatal_error "A server IP address may not be specified in a REDIRECT rule" if $ server ;
$ target = '-j REDIRECT ' ;
$ target . = "--to-port $serverport " if $ serverport ;
if ( $ origdest eq '' || $ origdest eq '-' ) {
$ origdest = ALLIP ;
} elsif ( $ origdest eq 'detect' ) {
if ( $ config { DETECT_DNAT_IPADDRS } && $ sourcezone ne firewall_zone ) {
my $ interfacesref = $ sourceref - > { interfaces } ;
my @ interfaces = keys %$ interfacesref ;
$ origdest = @ interfaces ? "detect:@interfaces" : ALLIP ;
} else {
$ origdest = ALLIP ;
}
}
2009-11-23 18:33:16 +01:00
} else {
if ( $ server eq '' ) {
fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $ serverport ;
} elsif ( $ server =~ /^(.+)-(.+)$/ ) {
2009-02-22 18:30:14 +01:00
validate_range ( $ 1 , $ 2 ) ;
} else {
2009-03-05 20:56:24 +01:00
my @ servers = validate_address $ server , 1 ;
$ server = join ',' , @ servers ;
2009-02-22 18:30:14 +01:00
}
2009-04-01 03:31:04 +02:00
if ( $ action eq 'DNAT' ) {
2009-02-22 18:30:14 +01:00
$ target = '-j DNAT ' ;
2009-11-23 18:33:16 +01:00
if ( $ server ) {
$ serverport = ":$serverport" if $ serverport ;
for my $ serv ( split /,/ , $ server ) {
$ target . = "--to-destination ${serv}${serverport} " ;
}
} else {
$ target . = "--to-destination :$serverport " ;
2009-02-22 18:30:14 +01:00
}
}
unless ( $ origdest && $ origdest ne '-' && $ origdest ne 'detect' ) {
if ( $ config { DETECT_DNAT_IPADDRS } && $ sourcezone ne firewall_zone ) {
my $ interfacesref = $ sourceref - > { interfaces } ;
my @ interfaces = keys %$ interfacesref ;
$ origdest = @ interfaces ? "detect:@interfaces" : ALLIP ;
} else {
$ origdest = ALLIP ;
}
}
}
$ target . = $ randomize ;
#
# And generate the nat table rule(s)
#
2009-03-13 23:59:49 +01:00
expand_rule ( ensure_chain ( 'nat' , $ sourceref - > { type } == FIREWALL ? 'OUTPUT' : dnat_chain $ sourcezone ) ,
2009-02-22 18:30:14 +01:00
PREROUTE_RESTRICT ,
$ rule ,
$ source ,
$ origdest ,
'' ,
$ target ,
$ loglevel ,
2009-04-09 20:45:21 +02:00
$ log_action ,
2009-02-22 18:30:14 +01:00
$ serverport ? do_proto ( $ proto , '' , '' ) : '' ) ;
#
# After NAT:
# - the destination port will be the server port ($ports) -- we did that above
# - the destination IP will be the server IP ($dest)
# - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
# - the target will be ACCEPT.
#
unless ( $ actiontype & NATONLY ) {
2010-01-16 18:53:53 +01:00
$ rule = join ( '' ,
do_proto ( $ proto , $ ports , $ sports ) ,
do_ratelimit ( $ ratelimit , 'ACCEPT' ) ,
do_user $ user ,
do_test ( $ mark , $ globals { TC_MASK } ) ) ;
2009-02-22 18:30:14 +01:00
$ loglevel = '' ;
$ dest = $ server ;
$ action = 'ACCEPT' ;
}
} elsif ( $ actiontype & NONAT ) {
#
# NONAT or ACCEPT+ -- May not specify a destination interface
#
fatal_error "Invalid DEST ($dest) in $action rule" if $ dest =~ /:/ ;
$ origdest = '' unless $ origdest and $ origdest ne '-' ;
if ( $ origdest eq 'detect' ) {
my $ interfacesref = $ sourceref - > { interfaces } ;
2009-04-01 02:04:04 +02:00
my $ interfaces = [ ( keys %$ interfacesref ) ] ;
$ origdest = $ interfaces ? "detect:@$interfaces" : ALLIP ;
2009-02-22 18:30:14 +01:00
}
2009-07-16 00:59:53 +02:00
my $ tgt = 'RETURN' ;
my $ nonat_chain ;
2009-07-16 20:05:37 +02:00
my $ chn ;
2009-08-20 23:32:15 +02:00
2009-07-16 00:59:53 +02:00
if ( $ sourceref - > { type } == FIREWALL ) {
$ nonat_chain = $ nat_table - > { OUTPUT } ;
} else {
$ nonat_chain = ensure_chain 'nat' , dnat_chain $ sourcezone ;
2009-07-16 20:05:37 +02:00
my @ interfaces = keys % { zone_interfaces $ sourcezone } ;
2009-07-16 00:59:53 +02:00
2009-07-16 20:05:37 +02:00
for ( @ interfaces ) {
2009-07-16 00:59:53 +02:00
my $ ichain = input_chain $ _ ;
if ( $ nat_table - > { $ ichain } ) {
#
# Static NAT is defined on this interface
#
2009-07-16 20:05:37 +02:00
$ chn = new_chain ( 'nat' , newnonatchain ) unless $ chn ;
2009-11-05 22:40:03 +01:00
add_jump $ chn , $ nat_table - > { $ ichain } , 0 , @ interfaces > 1 ? match_source_dev ( $ _ ) : '' ;
2009-07-16 00:59:53 +02:00
}
}
if ( $ chn ) {
2009-07-16 20:05:37 +02:00
#
# Call expand_rule() to correctly handle logging. Because
# the 'logname' argument is passed, expand_rule() will
# not create a separate logging chain but will rather emit
# any logging rule in-line.
#
expand_rule ( $ chn ,
PREROUTE_RESTRICT ,
'' , # Rule
'' , # Source
'' , # Dest
'' , # Original dest
'-j ACCEPT' ,
$ loglevel ,
$ log_action ,
'' ,
dnat_chain ( $ sourcezone ) ) ;
$ loglevel = '' ;
2009-07-16 00:59:53 +02:00
$ tgt = $ chn - > { name } ;
} else {
$ tgt = 'ACCEPT' ;
}
}
2009-07-16 20:05:37 +02:00
2009-07-16 00:59:53 +02:00
expand_rule ( $ nonat_chain ,
2009-02-22 18:30:14 +01:00
PREROUTE_RESTRICT ,
$ rule ,
$ source ,
$ dest ,
$ origdest ,
2009-07-16 20:05:37 +02:00
"-j $tgt" ,
2009-02-22 18:30:14 +01:00
$ loglevel ,
2009-04-09 20:45:21 +02:00
$ log_action ,
2010-01-16 18:53:53 +01:00
'' ,
2009-07-16 20:05:37 +02:00
) ;
#
# Possible optimization if the rule just generated was a simple jump to the nonat chain
#
if ( $ chn && $ { $ nonat_chain - > { rules } } [ - 1 ] eq "-A -j $tgt" ) {
#
2009-08-20 23:32:15 +02:00
# It was -- delete that rule
2009-07-16 20:05:37 +02:00
#
pop @ { $ nonat_chain - > { rules } } ;
#
# And move the rules from the nonat chain to the zone dnat chain
#
2009-11-03 00:35:00 +01:00
move_rules ( $ chn , $ nonat_chain ) ;
2009-07-16 20:05:37 +02:00
}
2009-02-22 18:30:14 +01:00
}
#
# Add filter table rule, unless this is a NATONLY rule type
#
unless ( $ actiontype & NATONLY ) {
if ( $ actiontype & ACTION ) {
$ action = ( find_logactionchain $ target ) - > { name } ;
$ loglevel = '' ;
}
2009-06-15 17:45:34 +02:00
if ( $ origdest ) {
unless ( $ origdest eq '-' ) {
require_capability ( 'CONNTRACK_MATCH' , 'ORIGINAL DEST in a non-NAT rule' , 's' ) unless $ actiontype & NATRULE ;
} else {
$ origdest = '' ;
}
2009-02-22 18:30:14 +01:00
}
2010-01-25 16:56:16 +01:00
$ rule . = "-m conntrack --ctorigdstport $origdstports " if have_capability ( 'NEW_CONNTRACK_MATCH' ) && $ origdstports ;
2009-04-10 00:21:48 +02:00
2009-02-22 18:30:14 +01:00
expand_rule ( ensure_chain ( 'filter' , $ chain ) ,
$ restriction ,
$ rule ,
$ source ,
$ dest ,
$ origdest ,
$ action ? "-j $action " : '' ,
$ loglevel ,
2009-04-09 20:45:21 +02:00
$ log_action ,
2009-02-22 18:30:14 +01:00
'' ) ;
}
}
#
# Process a Record in the rules file
#
# Deals with the ugliness of wildcard zones ('all' in SOURCE and/or DEST column).
#
2009-05-05 20:14:53 +02:00
sub process_rule ( ) {
my ( $ target , $ source , $ dest , $ proto , $ ports , $ sports , $ origdest , $ ratelimit , $ user , $ mark , $ connlimit , $ time ) = split_line1 1 , 12 , 'rules file' , \ % rules_commands ;
if ( $ target eq 'COMMENT' ) {
process_comment ;
return 1 ;
}
2009-08-20 23:32:15 +02:00
2009-05-05 20:14:53 +02:00
if ( $ target eq 'SECTION' ) {
#
# read_a_line has already verified that there are exactly two tokens on the line
#
fatal_error "Invalid SECTION ($source)" unless defined $ sections { $ source } ;
fatal_error "Duplicate or out of order SECTION $source" if $ sections { $ source } ;
$ sectioned = 1 ;
$ sections { $ source } = 1 ;
2009-08-20 23:32:15 +02:00
2009-05-05 20:14:53 +02:00
if ( $ source eq 'RELATED' ) {
$ sections { ESTABLISHED } = 1 ;
finish_section 'ESTABLISHED' ;
} elsif ( $ source eq 'NEW' ) {
@ sections { 'ESTABLISHED' , 'RELATED' } = ( 1 , 1 ) ;
finish_section ( ( $ section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' ) ;
}
2009-08-20 23:32:15 +02:00
2009-05-05 20:14:53 +02:00
$ section = $ source ;
return 1 ;
}
if ( $ source =~ /^none(:.*)?$/i || $ dest =~ /^none(:.*)?$/i ) {
progress_message "Rule \"$currentline\" ignored." ;
return 1 ;
}
2009-02-22 18:30:14 +01:00
my $ intrazone = 0 ;
my $ includesrcfw = 1 ;
my $ includedstfw = 1 ;
my $ thisline = $ currentline ;
2009-07-16 00:59:53 +02:00
my $ anysource = ( $ source =~ s/^any/all/ ) ;
my $ anydest = ( $ dest =~ s/^any/all/ ) ;
2009-02-22 18:30:14 +01:00
#
# Section Names are optional so once we get to an actual rule, we need to be sure that
# we close off any missing sections.
#
unless ( $ sectioned ) {
finish_section 'ESTABLISHED,RELATED' ;
$ sections { $ section = 'NEW' } = 1 ;
$ sectioned = 1 ;
}
#
# Handle Wildcards
#
2009-08-20 23:32:15 +02:00
2009-02-22 18:30:14 +01:00
if ( $ source =~ /^all[-+]/ ) {
if ( $ source eq 'all+' ) {
$ source = 'all' ;
$ intrazone = 1 ;
} elsif ( ( $ source eq 'all+-' ) || ( $ source eq 'all-+' ) ) {
$ source = 'all' ;
$ intrazone = 1 ;
$ includesrcfw = 0 ;
} elsif ( $ source eq 'all-' ) {
$ source = 'all' ;
$ includesrcfw = 0 ;
} else {
fatal_error "Invalid SOURCE ($source)" ;
}
}
if ( $ dest =~ /^all[-+]/ ) {
if ( $ dest eq 'all+' ) {
$ dest = 'all' ;
$ intrazone = 1 ;
} elsif ( ( $ dest eq 'all+-' ) || ( $ dest eq 'all-+' ) ) {
$ dest = 'all' ;
$ intrazone = 1 ;
$ includedstfw = 0 ;
} elsif ( $ dest eq 'all-' ) {
$ dest = 'all' ;
$ includedstfw = 0 ;
} else {
fatal_error "Invalid DEST ($dest)" ;
}
}
my $ action = isolate_basic_target $ target ;
2009-07-16 00:59:53 +02:00
my @ source ;
my @ dest ;
if ( $ source eq 'all' ) {
if ( $ anysource ) {
@ source = ( all_parent_zones ) ;
} else {
@ source = ( non_firewall_zones )
}
unshift @ source , firewall_zone if $ includesrcfw ;
2009-08-20 23:32:15 +02:00
}
2009-07-16 00:59:53 +02:00
if ( $ dest eq 'all' ) {
if ( $ anydest ) {
@ dest = ( all_parent_zones ) ;
} else {
@ dest = ( non_firewall_zones )
}
unshift @ dest , firewall_zone if $ includedstfw ;
2009-08-20 23:32:15 +02:00
}
2009-07-16 00:59:53 +02:00
2009-02-22 18:30:14 +01:00
fatal_error "Invalid or missing ACTION ($target)" unless defined $ action ;
if ( $ source eq 'all' ) {
2009-07-16 00:59:53 +02:00
for my $ zone ( @ source ) {
if ( $ dest eq 'all' ) {
for my $ zone1 ( @ dest ) {
if ( $ intrazone || ( $ zone ne $ zone1 ) ) {
process_rule1 $ target , $ zone , $ zone1 , $ proto , $ ports , $ sports , $ origdest , $ ratelimit , $ user , $ mark , $ connlimit , $ time , 1 ;
2009-02-22 18:30:14 +01:00
}
}
2009-07-16 00:59:53 +02:00
} else {
my $ destzone = ( split ( /:/ , $ dest , 2 ) ) [ 0 ] ;
$ destzone = $ action =~ /^REDIRECT/ ? firewall_zone : '' unless defined_zone $ destzone ;
if ( $ intrazone || ( $ zone ne $ destzone ) ) {
process_rule1 $ target , $ zone , $ dest , $ proto , $ ports , $ sports , $ origdest , $ ratelimit , $ user , $ mark , $ connlimit , $ time , 1 ;
}
2009-02-22 18:30:14 +01:00
}
}
} elsif ( $ dest eq 'all' ) {
2009-07-16 00:59:53 +02:00
for my $ zone ( @ dest ) {
2009-02-22 18:30:14 +01:00
my $ sourcezone = ( split ( /:/ , $ source , 2 ) ) [ 0 ] ;
2009-07-16 00:59:53 +02:00
if ( ( $ sourcezone ne $ zone ) || $ intrazone ) {
2009-02-22 18:30:14 +01:00
process_rule1 $ target , $ source , $ zone , $ proto , $ ports , $ sports , $ origdest , $ ratelimit , $ user , $ mark , $ connlimit , $ time , 1 ;
}
}
} else {
process_rule1 $ target , $ source , $ dest , $ proto , $ ports , $ sports , $ origdest , $ ratelimit , $ user , $ mark , $ connlimit , $ time , 0 ;
}
progress_message " Rule \"$thisline\" $done" ;
}
#
# Process the Rules File
#
sub process_rules () {
my $ fn = open_file 'rules' ;
first_entry "$doing $fn..." ;
2009-05-05 20:14:53 +02:00
process_rule while read_a_line ;
2009-02-22 18:30:14 +01:00
clear_comment ;
$ section = 'DONE' ;
}
2010-03-08 22:11:10 +01:00
#
# Helper functions for generate_matrix()
#-----------------------------------------
#
# Return the target for rules from $zone to $zone1.
#
sub rules_target ( $$ ) {
my ( $ zone , $ zone1 ) = @ _ ;
my $ chain = rules_chain ( $ { zone } , $ { zone1 } ) ;
my $ chainref = $ filter_table - > { $ chain } ;
return $ chain if $ chainref && $ chainref - > { referenced } ;
return 'ACCEPT' if $ zone eq $ zone1 ;
2010-04-16 18:56:11 +02:00
2010-03-08 22:11:10 +01:00
assert ( $ chainref ) ;
2010-04-16 18:56:11 +02:00
2010-03-08 22:11:10 +01:00
if ( $ chainref - > { policy } ne 'CONTINUE' ) {
my $ policyref = $ filter_table - > { $ chainref - > { policychain } } ;
assert ( $ policyref ) ;
return $ policyref - > { name } if $ policyref ne $ chainref ;
return $ chainref - > { policy } eq 'REJECT' ? 'reject' : $ chainref - > { policy } ;
}
2010-04-16 18:56:11 +02:00
2010-03-08 22:11:10 +01:00
'' ; # CONTINUE policy
}
2009-02-22 18:30:14 +01:00
#
# Add jumps from the builtin chains to the interface-chains that are used by this configuration
#
sub add_interface_jumps {
2009-10-17 19:59:41 +02:00
our % input_jump_added ;
our % output_jump_added ;
our % forward_jump_added ;
2009-02-22 18:30:14 +01:00
#
# Add Nat jumps
#
for my $ interface ( @ _ ) {
addnatjump 'POSTROUTING' , snat_chain ( $ interface ) , match_dest_dev ( $ interface ) ;
}
addnatjump 'PREROUTING' , 'nat_in' , '' ;
addnatjump 'POSTROUTING' , 'nat_out' , '' ;
addnatjump 'PREROUTING' , 'dnat' , '' ;
for my $ interface ( @ _ ) {
addnatjump 'PREROUTING' , input_chain ( $ interface ) , match_source_dev ( $ interface ) ;
addnatjump 'POSTROUTING' , output_chain ( $ interface ) , match_dest_dev ( $ interface ) ;
addnatjump 'POSTROUTING' , masq_chain ( $ interface ) , match_dest_dev ( $ interface ) ;
}
#
# Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
#
for my $ interface ( @ _ ) {
2010-04-27 21:26:58 +02:00
my $ forwardref = $ filter_table - > { forward_chain $ interface } ;
my $ inputref = $ filter_table - > { input_chain $ interface } ;
my $ outputref = $ filter_table - > { output_chain $ interface } ;
my $ interfaceref = find_interface ( $ interface ) ;
2010-04-28 00:23:38 +02:00
add_rule ( $ filter_table - > { FORWARD } , match_source_dev ( $ interface ) . match_dest_dev ( $ interface ) . '-j ACCEPT' ) unless $ interfaceref - > { nets } || ! $ interfaceref - > { options } { bridge } ;
2009-02-22 18:30:14 +01:00
2010-03-11 02:25:06 +01:00
add_jump ( $ filter_table - > { FORWARD } , $ forwardref , 0 , match_source_dev ( $ interface ) ) unless $ forward_jump_added { $ interface } || ! use_forward_chain $ interface , $ forwardref ;
add_jump ( $ filter_table - > { INPUT } , $ inputref , 0 , match_source_dev ( $ interface ) ) unless $ input_jump_added { $ interface } || ! use_input_chain $ interface , $ inputref ;
unless ( $ output_jump_added { $ interface } || ! use_output_chain $ interface , $ outputref ) {
add_jump $ filter_table - > { OUTPUT } , $ outputref , 0 , match_dest_dev ( $ interface ) unless get_interface_option ( $ interface , 'port' ) ;
2009-02-22 18:30:14 +01:00
}
}
#
# Loopback
#
my $ fw = firewall_zone ;
2009-11-14 16:07:19 +01:00
my $ chainref = $ filter_table - > { rules_chain ( $ { fw } , $ { fw } ) } ;
2009-02-22 18:30:14 +01:00
2010-01-16 18:53:53 +01:00
add_jump $ filter_table - > { OUTPUT } , ( $ chainref - > { referenced } ? $ chainref : 'ACCEPT' ) , 0 , '-o lo ' ;
2009-02-22 18:30:14 +01:00
add_rule $ filter_table - > { INPUT } , '-i lo -j ACCEPT' ;
}
# Generate the rules matrix.
#
2009-10-20 21:24:28 +02:00
# Stealing a comment from the Burroughs B6700 MCP Operating System source, "generate_matrix makes a sow's ear out of a silk purse".
2009-02-22 18:30:14 +01:00
#
# The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
#
# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
#
sub generate_matrix () {
my @ interfaces = ( all_interfaces ) ;
my $ preroutingref = ensure_chain 'nat' , 'dnat' ;
my $ fw = firewall_zone ;
my $ notrackref = $ raw_table - > { notrack_chain $ fw } ;
my @ zones = non_firewall_zones ;
my $ interface_jumps_added = 0 ;
2009-10-17 19:59:41 +02:00
our % input_jump_added = ( ) ;
our % output_jump_added = ( ) ;
our % forward_jump_added = ( ) ;
2009-02-22 18:30:14 +01:00
2010-03-08 22:11:10 +01:00
progress_message2 'Generating Rule Matrix...' ;
2009-02-22 18:30:14 +01:00
#
# Special processing for complex configurations
#
for my $ zone ( @ zones ) {
2009-10-18 17:47:20 +02:00
my $ zoneref = find_zone ( $ zone ) ;
2009-02-22 18:30:14 +01:00
2009-11-28 16:20:28 +01:00
next if @ zones <= 2 && ! $ zoneref - > { options } { complex } ;
2009-10-20 21:24:28 +02:00
#
# Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain
#
2009-02-22 18:30:14 +01:00
my $ frwd_ref = new_standard_chain zone_forward_chain ( $ zone ) ;
2010-01-25 17:13:22 +01:00
if ( have_ipsec ) {
2009-10-20 21:24:28 +02:00
#
# Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
# '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
# can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
#
2009-02-22 18:30:14 +01:00
my $ type = $ zoneref - > { type } ;
my $ source_ref = ( $ zoneref - > { hosts } { ipsec } ) || { } ;
for my $ interface ( sort { interface_number ( $ a ) <=> interface_number ( $ b ) } keys %$ source_ref ) {
2010-03-11 02:25:06 +01:00
my $ sourcechainref = $ filter_table - > { forward_chain $ interface } ;
2009-02-22 18:30:14 +01:00
my $ interfacematch = '' ;
2010-03-11 02:25:06 +01:00
if ( use_forward_chain ( $ interface , $ sourcechainref ) ) {
2009-10-17 19:59:41 +02:00
add_jump $ filter_table - > { FORWARD } , $ sourcechainref , 0 , match_source_dev ( $ interface ) unless $ forward_jump_added { $ interface } + + ;
2009-02-22 18:30:14 +01:00
} else {
$ sourcechainref = $ filter_table - > { FORWARD } ;
$ interfacematch = match_source_dev $ interface ;
move_rules ( $ filter_table - > { forward_chain $ interface } , $ frwd_ref ) ;
}
my $ arrayref = $ source_ref - > { $ interface } ;
for my $ hostref ( @ { $ arrayref } ) {
my $ ipsec_match = match_ipsec_in $ zone , $ hostref ;
for my $ net ( @ { $ hostref - > { hosts } } ) {
add_jump (
$ sourcechainref ,
2009-11-28 16:23:23 +01:00
source_exclusion ( $ hostref - > { exclusions } , $ frwd_ref ) ,
2009-08-26 21:44:10 +02:00
! @ { $ zoneref - > { parents } } ,
2009-02-22 18:30:14 +01:00
join ( '' , $ interfacematch , match_source_net ( $ net ) , $ ipsec_match )
) ;
}
}
}
}
}
#
# NOTRACK from firewall
#
2010-01-16 18:53:53 +01:00
add_jump $ raw_table - > { OUTPUT } , $ notrackref , 0 if $ notrackref - > { referenced } ;
2009-02-22 18:30:14 +01:00
#
# Main source-zone matrix-generation loop
#
for my $ zone ( @ zones ) {
my $ zoneref = find_zone ( $ zone ) ;
my $ source_hosts_ref = $ zoneref - > { hosts } ;
my $ chain1 = rules_target firewall_zone , $ zone ;
my $ chain2 = rules_target $ zone , firewall_zone ;
my $ chain3 = rules_target $ zone , $ zone ;
my $ complex = $ zoneref - > { options } { complex } || 0 ;
my $ type = $ zoneref - > { type } ;
my $ frwd_ref = $ filter_table - > { zone_forward_chain $ zone } ;
my $ chain = 0 ;
my $ dnatref = ensure_chain 'nat' , dnat_chain ( $ zone ) ;
my $ notrackref = ensure_chain 'raw' , notrack_chain ( $ zone ) ;
my $ nested = $ zoneref - > { options } { nested } ;
my $ parenthasnat = 0 ;
my $ parenthasnotrack = 0 ;
if ( $ nested ) {
#
# This is a sub-zone. We need to determine if
#
# a) A parent zone defines DNAT/REDIRECT or notrack rules; and
# b) The current zone has a CONTINUE policy to some other zone.
#
# If a) but not b), then we must avoid sending packets from this
# zone through the DNAT/REDIRECT or notrack chain for the parent.
#
for my $ parent ( @ { $ zoneref - > { parents } } ) {
my $ ref1 = $ nat_table - > { dnat_chain $ parent } || { } ;
my $ ref2 = $ raw_table - > { notrack_chain $ parent } || { } ;
$ parenthasnat = 1 if $ ref1 - > { referenced } ;
$ parenthasnotrack = 1 if $ ref2 - > { referenced } ;
last if $ parenthasnat && $ parenthasnotrack ;
}
if ( $ parenthasnat || $ parenthasnotrack ) {
for my $ zone1 ( all_zones ) {
2009-11-14 16:07:19 +01:00
if ( $ filter_table - > { rules_chain ( $ { zone } , $ { zone1 } ) } - > { policy } eq 'CONTINUE' ) {
2009-02-22 18:30:14 +01:00
#
# This zone has a continue policy to another zone. We must
# send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
#
$ nested = 0 ;
last ;
}
}
} else {
#
# No parent has DNAT or notrack so there is nothing to worry about. Don't bother to generate needless RETURN rules in the 'dnat' or 'notrack' chain.
#
$ nested = 0 ;
}
}
#
# Take care of PREROUTING, INPUT and OUTPUT jumps
#
for my $ typeref ( values %$ source_hosts_ref ) {
for my $ interface ( sort { interface_number ( $ a ) <=> interface_number ( $ b ) } keys %$ typeref ) {
my $ arrayref = $ typeref - > { $ interface } ;
if ( $ interface eq '+' ) {
#
# Insert the interface-specific jumps before this one which is not interface-specific
#
add_interface_jumps ( @ interfaces ) unless $ interface_jumps_added + + ;
}
for my $ hostref ( @$ arrayref ) {
my $ ipsec_in_match = match_ipsec_in $ zone , $ hostref ;
my $ ipsec_out_match = match_ipsec_out $ zone , $ hostref ;
my $ exclusions = $ hostref - > { exclusions } ;
for my $ net ( @ { $ hostref - > { hosts } } ) {
my $ dest = match_dest_net $ net ;
2010-04-16 18:56:11 +02:00
if ( $ chain1 && zone_type ( $ zone ) != BPORT ) {
2010-02-03 15:57:51 +01:00
my $ chain1ref = $ filter_table - > { $ chain1 } ;
2009-02-22 18:30:14 +01:00
my $ nextchain = dest_exclusion ( $ exclusions , $ chain1 ) ;
my $ outputref ;
2010-02-03 15:57:51 +01:00
my $ interfacechainref = $ filter_table - > { output_chain $ interface } ;
2009-02-22 18:30:14 +01:00
my $ interfacematch = '' ;
2010-02-03 04:42:54 +01:00
my $ use_output = 0 ;
2009-02-22 18:30:14 +01:00
2010-03-11 02:25:06 +01:00
if ( use_output_chain ( $ interface , $ interfacechainref ) || ( @ { $ interfacechainref - > { rules } } && ! $ chain1ref ) ) {
2010-02-03 15:57:51 +01:00
$ outputref = $ interfacechainref ;
2009-10-17 19:59:41 +02:00
add_jump $ filter_table - > { OUTPUT } , $ outputref , 0 , match_dest_dev ( $ interface ) unless $ output_jump_added { $ interface } + + ;
2010-02-03 04:42:54 +01:00
$ use_output = 1 ;
2009-02-22 18:30:14 +01:00
} else {
$ outputref = $ filter_table - > { OUTPUT } ;
$ interfacematch = match_dest_dev $ interface ;
}
add_jump $ outputref , $ nextchain , 0 , join ( '' , $ interfacematch , $ dest , $ ipsec_out_match ) ;
add_jump ( $ outputref , $ nextchain , 0 , join ( '' , $ interfacematch , '-d 255.255.255.255 ' , $ ipsec_out_match ) )
if $ hostref - > { options } { broadcast } ;
2010-02-03 15:57:51 +01:00
move_rules ( $ interfacechainref , $ chain1ref ) unless $ use_output ;
2009-02-22 18:30:14 +01:00
}
clearrule ;
2009-08-20 23:32:15 +02:00
next if $ hostref - > { options } { destonly } ;
2009-02-22 18:30:14 +01:00
my $ source = match_source_net $ net ;
if ( $ dnatref - > { referenced } ) {
#
# There are DNAT/REDIRECT rules with this zone as the source.
# Add a jump from this source network to this zone's DNAT/REDIRECT chain
#
add_jump $ preroutingref , source_exclusion ( $ exclusions , $ dnatref ) , 0 , join ( '' , match_source_dev ( $ interface ) , $ source , $ ipsec_in_match ) ;
2010-02-01 23:24:07 +01:00
check_optimization ( $ dnatref ) if $ source ;
2009-02-22 18:30:14 +01:00
}
if ( $ notrackref - > { referenced } ) {
#
# There are notrack rules with this zone as the source.
# Add a jump from this source network to this zone's notrack chain
#
add_jump $ raw_table - > { PREROUTING } , source_exclusion ( $ exclusions , $ notrackref ) , 0 , join ( '' , match_source_dev ( $ interface ) , $ source , $ ipsec_in_match ) ;
}
2010-02-01 23:24:07 +01:00
2009-02-22 18:30:14 +01:00
#
# If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
# then add a RETURN jump for this source network.
#
if ( $ nested ) {
add_rule $ preroutingref , join ( '' , match_source_dev ( $ interface ) , $ source , $ ipsec_in_match , '-j RETURN' ) if $ parenthasnat ;
add_rule $ raw_table - > { PREROUTING } , join ( '' , match_source_dev ( $ interface ) , $ source , $ ipsec_in_match , '-j RETURN' ) if $ parenthasnotrack ;
}
2010-02-03 15:57:51 +01:00
my $ chain2ref = $ filter_table - > { $ chain2 } ;
2009-02-22 18:30:14 +01:00
my $ inputchainref ;
2010-02-03 15:57:51 +01:00
my $ interfacechainref = $ filter_table - > { input_chain $ interface } ;
2009-02-22 18:30:14 +01:00
my $ interfacematch = '' ;
2010-02-03 04:42:54 +01:00
my $ use_input ;
2009-02-22 18:30:14 +01:00
2010-03-11 02:25:06 +01:00
if ( use_input_chain ( $ interface , $ interfacechainref ) || ! $ chain2 || ( @ { $ interfacechainref - > { rules } } && ! $ chain2ref ) ) {
2010-02-03 15:57:51 +01:00
$ inputchainref = $ interfacechainref ;
2009-10-17 19:59:41 +02:00
add_jump $ filter_table - > { INPUT } , $ inputchainref , 0 , match_source_dev ( $ interface ) unless $ input_jump_added { $ interface } + + ;
2010-02-03 04:42:54 +01:00
$ use_input = 1 ;
2009-02-22 18:30:14 +01:00
} else {
$ inputchainref = $ filter_table - > { INPUT } ;
$ interfacematch = match_source_dev $ interface ;
}
if ( $ chain2 ) {
add_jump $ inputchainref , source_exclusion ( $ exclusions , $ chain2 ) , 0 , join ( '' , $ interfacematch , $ source , $ ipsec_in_match ) ;
2010-02-03 15:57:51 +01:00
move_rules ( $ interfacechainref , $ chain2ref ) unless $ use_input ;
2009-02-22 18:30:14 +01:00
}
if ( $ frwd_ref && $ hostref - > { ipsec } ne 'ipsec' ) {
my $ ref = source_exclusion ( $ exclusions , $ frwd_ref ) ;
2010-03-11 02:25:06 +01:00
my $ forwardref = $ filter_table - > { forward_chain $ interface } ;
if ( use_forward_chain $ interface , $ forwardref ) {
2009-10-17 19:59:41 +02:00
add_jump $ forwardref , $ ref , 0 , join ( '' , $ source , $ ipsec_in_match ) ;
add_jump $ filter_table - > { FORWARD } , $ forwardref , 0 , match_source_dev ( $ interface ) unless $ forward_jump_added { $ interface } + + ;
2009-02-22 18:30:14 +01:00
} else {
add_jump $ filter_table - > { FORWARD } , $ ref , 0 , join ( '' , match_source_dev ( $ interface ) , $ source , $ ipsec_in_match ) ;
2010-03-11 02:25:06 +01:00
move_rules ( $ forwardref , $ frwd_ref ) ;
2009-02-22 18:30:14 +01:00
}
}
}
}
}
}
#
# F O R W A R D I N G
#
my @ dest_zones ;
my $ last_chain = '' ;
2010-01-16 18:53:53 +01:00
if ( $ config { OPTIMIZE } & 1 ) {
2009-02-22 18:30:14 +01:00
my @ temp_zones ;
for my $ zone1 ( @ zones ) {
my $ zone1ref = find_zone ( $ zone1 ) ;
2009-11-14 16:07:19 +01:00
my $ policy = $ filter_table - > { rules_chain ( $ { zone } , $ { zone1 } ) } - > { policy } ;
2009-02-22 18:30:14 +01:00
2009-11-03 18:28:34 +01:00
next if $ policy eq 'NONE' ;
2009-02-22 18:30:14 +01:00
my $ chain = rules_target $ zone , $ zone1 ;
next unless $ chain ;
if ( $ zone eq $ zone1 ) {
next if ( scalar ( keys ( % { $ zoneref - > { interfaces } } ) ) < 2 ) && ! $ zoneref - > { options } { in_out } { routeback } ;
}
2009-03-13 23:59:49 +01:00
if ( $ zone1ref - > { type } == BPORT ) {
2009-02-22 18:30:14 +01:00
next unless $ zoneref - > { bridge } eq $ zone1ref - > { bridge } ;
}
2009-11-12 21:30:08 +01:00
if ( $ chain =~ /(2all|-all)$/ ) {
2009-02-22 18:30:14 +01:00
if ( $ chain ne $ last_chain ) {
$ last_chain = $ chain ;
push @ dest_zones , @ temp_zones ;
@ temp_zones = ( $ zone1 ) ;
} elsif ( $ policy eq 'ACCEPT' ) {
push @ temp_zones , $ zone1 ;
} else {
$ last_chain = $ chain ;
@ temp_zones = ( $ zone1 ) ;
}
} else {
push @ dest_zones , @ temp_zones , $ zone1 ;
@ temp_zones = ( ) ;
$ last_chain = '' ;
}
}
if ( $ last_chain && @ temp_zones == 1 ) {
push @ dest_zones , @ temp_zones ;
$ last_chain = '' ;
}
} else {
@ dest_zones = @ zones ;
}
#
# Here it is -- THE BIG UGLY!!!!!!!!!!!!
#
# We now loop through the destination zones creating jumps to the rules chain for each source/dest combination.
# @dest_zones is the list of destination zones that we need to handle from this source zone
#
for my $ zone1 ( @ dest_zones ) {
my $ zone1ref = find_zone ( $ zone1 ) ;
2009-11-14 16:07:19 +01:00
next if $ filter_table - > { rules_chain ( $ { zone } , $ { zone1 } ) } - > { policy } eq 'NONE' ;
2009-02-22 18:30:14 +01:00
my $ chain = rules_target $ zone , $ zone1 ;
next unless $ chain ; # CONTINUE policy with no rules
my $ num_ifaces = 0 ;
if ( $ zone eq $ zone1 ) {
2009-10-18 17:47:20 +02:00
next if ( $ num_ifaces = scalar ( keys ( % { $ zoneref - > { interfaces } } ) ) ) < 2 && ! $ zoneref - > { options } { in_out } { routeback } ;
2009-02-22 18:30:14 +01:00
}
2009-03-13 23:59:49 +01:00
if ( $ zone1ref - > { type } == BPORT ) {
2009-10-18 17:47:20 +02:00
next unless $ zoneref - > { bridge } eq $ zone1ref - > { bridge } ;
2009-02-22 18:30:14 +01:00
}
2009-11-03 18:28:34 +01:00
my $ chainref = $ filter_table - > { $ chain } ; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
2009-02-22 18:30:14 +01:00
if ( $ frwd_ref ) {
2009-11-03 18:28:34 +01:00
#
# Simple case -- the source zone has it's own forwarding chain
#
for my $ typeref ( values % { $ zone1ref - > { hosts } } ) {
2009-02-22 18:30:14 +01:00
for my $ interface ( sort { interface_number ( $ a ) <=> interface_number ( $ b ) } keys %$ typeref ) {
2009-11-03 18:28:34 +01:00
for my $ hostref ( @ { $ typeref - > { $ interface } } ) {
2009-02-22 18:30:14 +01:00
next if $ hostref - > { options } { sourceonly } ;
if ( $ zone ne $ zone1 || $ num_ifaces > 1 || $ hostref - > { options } { routeback } ) {
my $ ipsec_out_match = match_ipsec_out $ zone1 , $ hostref ;
2009-11-28 16:25:31 +01:00
my $ dest_exclusion = dest_exclusion ( $ hostref - > { exclusions } , $ chain ) ;
2009-02-22 18:30:14 +01:00
for my $ net ( @ { $ hostref - > { hosts } } ) {
2009-11-28 16:25:31 +01:00
add_jump $ frwd_ref , $ dest_exclusion , 0 , join ( '' , match_dest_dev ( $ interface ) , match_dest_net ( $ net ) , $ ipsec_out_match ) ;
2009-02-22 18:30:14 +01:00
}
}
}
}
}
} else {
2009-11-03 18:28:34 +01:00
#
# More compilcated case. If the interface is associated with a single simple zone, we try to combine the interface's forwarding chain with the rules chain
#
2009-02-22 18:30:14 +01:00
for my $ typeref ( values %$ source_hosts_ref ) {
for my $ interface ( keys %$ typeref ) {
my $ chain3ref ;
my $ match_source_dev = '' ;
2009-11-02 16:15:20 +01:00
my $ forwardchainref = $ filter_table - > { forward_chain $ interface } ;
2009-02-22 18:30:14 +01:00
2010-03-11 02:25:06 +01:00
if ( use_forward_chain ( $ interface , $ forwardchainref ) || ( @ { $ forwardchainref - > { rules } } && ! $ chainref ) ) {
2009-11-02 16:15:20 +01:00
#
# Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
#
$ chain3ref = $ forwardchainref ;
2009-10-17 19:59:41 +02:00
add_jump $ filter_table - > { FORWARD } , $ chain3ref , 0 , match_source_dev ( $ interface ) unless $ forward_jump_added { $ interface } + + ;
2009-02-22 18:30:14 +01:00
} else {
2009-11-03 18:28:34 +01:00
#
# Don't use the interface's forward chain -- move any rules in that chain to this rules chain
#
2009-02-22 18:30:14 +01:00
$ chain3ref = $ filter_table - > { FORWARD } ;
$ match_source_dev = match_source_dev $ interface ;
2009-11-03 00:35:00 +01:00
move_rules $ forwardchainref , $ chainref ;
2009-02-22 18:30:14 +01:00
}
2009-11-03 18:28:34 +01:00
for my $ hostref ( @ { $ typeref - > { $ interface } } ) {
2009-02-22 18:30:14 +01:00
next if $ hostref - > { options } { destonly } ;
my $ excl3ref = source_exclusion ( $ hostref - > { exclusions } , $ chain3ref ) ;
for my $ net ( @ { $ hostref - > { hosts } } ) {
2009-11-03 18:28:34 +01:00
for my $ type1ref ( values % { $ zone1ref - > { hosts } } ) {
2009-02-22 18:30:14 +01:00
for my $ interface1 ( keys %$ type1ref ) {
my $ array1ref = $ type1ref - > { $ interface1 } ;
for my $ host1ref ( @$ array1ref ) {
next if $ host1ref - > { options } { sourceonly } ;
my $ ipsec_out_match = match_ipsec_out $ zone1 , $ host1ref ;
2009-11-28 16:25:31 +01:00
my $ dest_exclusion = dest_exclusion ( $ host1ref - > { exclusions } , $ chain ) ;
2009-02-22 18:30:14 +01:00
for my $ net1 ( @ { $ host1ref - > { hosts } } ) {
unless ( $ interface eq $ interface1 && $ net eq $ net1 && ! $ host1ref - > { options } { routeback } ) {
#
# We defer evaluation of the source net match to accomodate systems without $capabilities{KLUDEFREE};
#
add_jump (
$ excl3ref ,
2009-11-28 16:25:31 +01:00
$ dest_exclusion ,
2009-02-22 18:30:14 +01:00
0 ,
2009-08-20 23:32:15 +02:00
join ( '' ,
$ match_source_dev ,
match_dest_dev ( $ interface1 ) ,
match_source_net ( $ net ) ,
match_dest_net ( $ net1 ) ,
2009-02-22 18:30:14 +01:00
$ ipsec_out_match )
2009-11-28 16:20:28 +01:00
) ;
2009-02-22 18:30:14 +01:00
}
}
}
}
}
}
}
}
}
}
}
2009-11-03 18:28:34 +01:00
#
# E N D F O R W A R D I N G
#
# Now add an unconditional jump to the last unique policy-only chain determined above, if any
#
add_jump $ frwd_ref , $ last_chain , 1 if $ frwd_ref && $ last_chain ;
2009-02-22 18:30:14 +01:00
}
add_interface_jumps @ interfaces unless $ interface_jumps_added ;
my % builtins = ( mangle = > [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
nat = > [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
filter = > [ qw/INPUT FORWARD OUTPUT/ ] ) ;
complete_standard_chain $ filter_table - > { INPUT } , 'all' , firewall_zone , 'DROP' ;
complete_standard_chain $ filter_table - > { OUTPUT } , firewall_zone , 'all' , 'REJECT' ;
complete_standard_chain $ filter_table - > { FORWARD } , 'all' , 'all' , 'REJECT' ;
if ( $ config { LOGALLNEW } ) {
for my $ table qw/mangle nat filter/ {
for my $ chain ( @ { $ builtins { $ table } } ) {
log_rule_limit
$ config { LOGALLNEW } ,
$ chain_table { $ table } { $ chain } ,
$ table ,
$ chain ,
'' ,
'' ,
'insert' ,
2010-04-25 22:35:41 +02:00
"$globals{STATEMATCH} NEW " ;
2009-02-22 18:30:14 +01:00
}
}
}
}
sub setup_mss ( ) {
my $ clampmss = $ config { CLAMPMSS } ;
my $ option ;
my $ match = '' ;
my $ chainref = $ filter_table - > { FORWARD } ;
if ( $ clampmss ) {
if ( "\L$clampmss" eq 'yes' ) {
$ option = '--clamp-mss-to-pmtu' ;
} else {
2010-01-25 16:56:16 +01:00
$ match = "-m tcpmss --mss $clampmss: " if have_capability ( 'TCPMSS_MATCH' ) ;
2009-02-22 18:30:14 +01:00
$ option = "--set-mss $clampmss" ;
}
2010-01-25 17:13:22 +01:00
$ match . = '-m policy --pol none --dir out ' if have_ipsec ;
2009-02-22 18:30:14 +01:00
}
my $ interfaces = find_interfaces_by_option ( 'mss' ) ;
if ( @$ interfaces ) {
#
# Since we will need multiple rules, we create a separate chain
#
$ chainref = new_chain 'filter' , 'settcpmss' ;
#
# Send all forwarded SYN packets to the 'settcpmss' chain
#
2010-01-16 18:53:53 +01:00
add_jump $ filter_table - > { FORWARD } , $ chainref , 0 , '-p tcp --tcp-flags SYN,RST SYN ' ;
2009-02-22 18:30:14 +01:00
my $ in_match = '' ;
my $ out_match = '' ;
2010-01-25 17:13:22 +01:00
if ( have_ipsec ) {
2009-02-22 18:30:14 +01:00
$ in_match = '-m policy --pol none --dir in ' ;
$ out_match = '-m policy --pol none --dir out ' ;
2009-08-20 23:32:15 +02:00
}
2009-02-22 18:30:14 +01:00
for ( @$ interfaces ) {
my $ mss = get_interface_option ( $ _ , 'mss' ) ;
2010-01-25 16:56:16 +01:00
my $ mssmatch = have_capability ( 'TCPMSS_MATCH' ) ? "-m tcpmss --mss $mss: " : '' ;
2009-11-05 20:44:40 +01:00
my $ source = match_source_dev $ _ ;
my $ dest = match_dest_dev $ _ ;
2009-11-05 22:40:03 +01:00
add_rule $ chainref , "${dest}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss" ;
add_rule $ chainref , "${dest}-j RETURN" if $ clampmss ;
add_rule $ chainref , "${source}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss" ;
add_rule $ chainref , "${source}-j RETURN" if $ clampmss ;
2009-02-22 18:30:14 +01:00
}
}
add_rule $ chainref , "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS $option" if $ clampmss ;
}
2009-03-28 20:22:15 +01:00
#
# Compile the stop_firewall() function
#
2010-01-16 18:53:53 +01:00
sub compile_stop_firewall ( $$ ) {
my ( $ test , $ export ) = @ _ ;
2009-03-28 20:22:15 +01:00
2009-04-01 00:42:37 +02:00
my $ input = $ filter_table - > { INPUT } ;
my $ output = $ filter_table - > { OUTPUT } ;
my $ forward = $ filter_table - > { FORWARD } ;
2009-03-28 20:22:15 +01:00
emit << 'EOF' ;
#
# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
#
stop_firewall ( ) {
2010-01-04 19:14:36 +01:00
local hack
2009-03-28 20:22:15 +01:00
EOF
2009-04-01 00:42:37 +02:00
$ output - > { policy } = 'ACCEPT' if $ config { ADMINISABSENTMINDED } ;
2009-03-30 02:49:00 +02:00
2009-03-28 20:22:15 +01:00
if ( $ family == F_IPV4 ) {
emit ( ' deletechain() {' ,
' qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1' ) ;
} else {
emit ( ' deletechain() {' ,
' qt $IP6TABLES -L $1 -n && qt $IP6TABLES -F $1 && qt $IP6TABLES -X $1' ) ;
}
emit << 'EOF' ;
}
case $ COMMAND in
2010-05-17 00:31:41 +02:00
stop | clear | restore )
2009-03-28 20:22:15 +01:00
; ;
* )
set + x
case $ COMMAND in
start )
2010-03-02 21:34:36 +01:00
logger - p kern . err "ERROR:$g_product start failed"
2009-03-28 20:22:15 +01:00
; ;
restart )
2010-03-02 21:34:36 +01:00
logger - p kern . err "ERROR:$g_product restart failed"
2009-03-28 20:22:15 +01:00
; ;
2010-01-06 17:01:06 +01:00
refresh )
2010-03-02 21:34:36 +01:00
logger - p kern . err "ERROR:$g_product refresh failed"
2009-03-28 20:22:15 +01:00
; ;
esac
if [ "$RESTOREFILE" = NONE ] ; then
COMMAND = clear
clear_firewall
2010-03-02 21:34:36 +01:00
echo "$g_product Cleared"
2009-03-28 20:22:15 +01:00
kill $$
exit 2
else
2010-02-26 17:35:50 +01:00
g_restorepath = $ { VARDIR } / $ RESTOREFILE
2009-03-28 20:22:15 +01:00
2010-02-26 17:35:50 +01:00
if [ - x $ g_restorepath ] ; then
2010-03-02 21:34:36 +01:00
echo Restoring $ { g_product: = Shorewall } ...
2010-01-06 16:44:00 +01:00
2010-03-03 18:50:07 +01:00
g_recovering = Yes
2009-03-28 20:22:15 +01:00
2010-03-03 17:59:58 +01:00
if run_it $ g_restorepath restore ; then
2010-03-02 21:34:36 +01:00
echo "$g_product restored from $g_restorepath"
2010-03-17 18:10:56 +01:00
set_state "Restored from $g_restorepath"
2009-03-28 20:22:15 +01:00
else
set_state "Unknown"
fi
kill $$
exit 2
fi
fi
; ;
esac
2010-03-02 16:37:30 +01:00
if [ - n "$g_stopping" ] ; then
kill $$
exit 1
fi
2009-03-28 20:22:15 +01:00
2010-03-02 16:37:30 +01:00
set_state "Stopping"
2009-03-28 20:22:15 +01:00
2010-03-02 16:37:30 +01:00
g_stopping = "Yes"
2009-03-28 20:22:15 +01:00
deletechain shorewall
run_stop_exit
EOF
2010-01-25 16:56:16 +01:00
if ( have_capability ( 'NAT_ENABLED' ) ) {
2009-03-30 02:49:00 +02:00
emit << 'EOF' ;
if [ - f $ { VARDIR } / nat ] ; then
while read external interface ; do
del_ip_addr $ external $ interface
done < $ { VARDIR } / nat
rm - f $ { VARDIR } / nat
fi
2009-03-28 20:22:15 +01:00
EOF
}
if ( $ family == F_IPV4 ) {
emit << 'EOF' ;
if [ - f $ { VARDIR } / proxyarp ] ; then
while read address interface external haveroute ; do
qt arp - i $ external - d $ address pub
2010-03-03 18:50:07 +01:00
[ - z "${haveroute}${g_noroutes}" ] && qt $ IP - 4 route del $ address dev $ interface
2009-03-28 20:22:15 +01:00
f = /proc/s ys /net/i pv4 /conf/ $ interface / proxy_arp
[ - f $ f ] && echo 0 > $ f
done < $ { VARDIR } / proxyarp
2009-03-30 02:49:00 +02:00
rm - f $ { VARDIR } / proxyarp
2009-03-28 20:22:15 +01:00
fi
EOF
}
push_indent ;
emit 'delete_tc1' if $ config { CLEAR_TC } ;
emit ( 'undo_routing' ,
'restore_default_route'
) ;
2009-03-30 02:49:00 +02:00
my @ chains = $ config { ADMINISABSENTMINDED } ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/ ;
2009-08-20 23:32:15 +02:00
2010-04-25 22:35:41 +02:00
add_rule $ filter_table - > { $ _ } , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" for @ chains ;
2009-03-28 20:22:15 +01:00
if ( $ family == F_IPV6 ) {
2009-04-01 00:42:37 +02:00
add_rule $ input , '-s ff80::/10 -j ACCEPT' ;
add_rule $ input , '-d ff80::/10 -j ACCEPT' ;
add_rule $ input , '-d ff00::/10 -j ACCEPT' ;
2009-03-28 20:22:15 +01:00
2009-03-30 02:49:00 +02:00
unless ( $ config { ADMINISABSENTMINDED } ) {
2009-04-01 00:42:37 +02:00
add_rule $ output , '-d ff80::/10 -j ACCEPT' ;
add_rule $ output , '-d ff00::/10 -j ACCEPT' ;
2009-03-30 02:49:00 +02:00
}
2009-03-28 20:22:15 +01:00
}
process_routestopped ;
2009-04-01 00:42:37 +02:00
add_rule $ input , '-i lo -j ACCEPT' ;
add_rule $ input , '-i lo -j ACCEPT' ;
2009-03-28 20:22:15 +01:00
2009-04-01 00:42:37 +02:00
add_rule $ output , '-o lo -j ACCEPT' unless $ config { ADMINISABSENTMINDED } ;
2009-03-28 20:22:15 +01:00
my $ interfaces = find_interfaces_by_option 'dhcp' ;
if ( @$ interfaces ) {
my $ ports = $ family == F_IPV4 ? '67:68' : '546:547' ;
for my $ interface ( @$ interfaces ) {
2009-11-06 22:10:19 +01:00
add_rule $ input , "-p udp " . match_source_dev ( $ interface ) . "--dport $ports -j ACCEPT" ;
add_rule $ output , "-p udp " . match_dest_dev ( $ interface ) . "--dport $ports -j ACCEPT" unless $ config { ADMINISABSENTMINDED } ;
2009-03-28 20:22:15 +01:00
#
# This might be a bridge
#
2009-11-06 22:10:19 +01:00
add_rule $ forward , "-p udp " . match_source_dev ( $ interface ) . match_dest_dev ( $ interface ) . "--dport $ports -j ACCEPT" ;
2009-03-28 20:22:15 +01:00
}
}
emit '' ;
2009-03-30 02:49:00 +02:00
create_stop_load $ test ;
2009-03-28 20:22:15 +01:00
if ( $ family == F_IPV4 ) {
if ( $ config { IP_FORWARDING } eq 'on' ) {
emit ( 'echo 1 > /proc/sys/net/ipv4/ip_forward' ,
'progress_message2 IPv4 Forwarding Enabled' ) ;
} elsif ( $ config { IP_FORWARDING } eq 'off' ) {
emit ( 'echo 0 > /proc/sys/net/ipv4/ip_forward' ,
'progress_message2 IPv4 Forwarding Disabled!'
) ;
}
} else {
for my $ interface ( all_bridges ) {
2009-11-22 17:20:07 +01:00
emit "do_iptables -A FORWARD -p 58 " . match_source_dev ( $ interface ) . match_dest_dev ( $ interface ) . "-j ACCEPT" ;
2009-08-20 23:32:15 +02:00
}
2009-03-28 20:22:15 +01:00
if ( $ config { IP_FORWARDING } eq 'on' ) {
emit ( 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding' ,
'progress_message2 IPv6 Forwarding Enabled' ) ;
} elsif ( $ config { IP_FORWARDING } eq 'off' ) {
emit ( 'echo 0 > /proc/sys/net/ipv6/conf/all/forwarding' ,
'progress_message2 IPv6 Forwarding Disabled!'
) ;
}
}
pop_indent ;
emit '
run_stopped_exit ' ;
2009-08-20 23:32:15 +02:00
my @ ipsets = all_ipsets ;
2009-03-28 20:22:15 +01:00
2010-01-04 20:14:05 +01:00
if ( @ ipsets || $ config { SAVE_IPSETS } ) {
2009-03-30 02:49:00 +02:00
emit << 'EOF' ;
2009-03-28 20:22:15 +01:00
2010-01-04 19:14:36 +01:00
case $ IPSET in
* / * )
if [ ! - x "$IPSET" ] ; then
error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
IPSET =
fi
; ;
* )
IPSET = "$(mywhich $IPSET)"
[ - n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
; ;
esac
if [ - n "$IPSET" ] ; then
if [ - f /etc/ debian_version ] && [ $ ( cat /etc/ debian_version ) = 5.0 .3 ] ; then
#
# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
#
hack = '| grep -v /31'
else
hack =
fi
if eval $ IPSET - S $ hack > $ { VARDIR } / ipsets . tmp ; then
2009-03-28 20:22:15 +01:00
#
# Don't save an 'empty' file
#
grep - q '^-N' $ { VARDIR } /ipsets.tmp && mv -f ${VARDIR}/i psets . tmp $ { VARDIR } / ipsets . save
2010-01-04 19:14:36 +01:00
fi
2009-03-30 20:00:23 +02:00
fi
2009-03-28 20:22:15 +01:00
EOF
}
2009-08-20 23:32:15 +02:00
emit '
2009-03-28 20:22:15 +01:00
2010-05-17 00:31:41 +02:00
set_state "Stopped"
logger - p kern . info "$g_product Stopped"
2009-03-28 20:22:15 +01:00
case $ COMMAND in
stop | clear )
; ;
* )
#
# The firewall is being stopped when we were trying to do something
# else. Kill the shell in case we\'re running in a subshell
#
kill $$
; ;
esac
}
' ;
}
2009-02-22 18:30:14 +01:00
1 ;