mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-26 16:18:57 +01:00
Convert Rules.pm infrastructure to use the new rule interface
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
7aa7cd54c2
commit
043fb8757c
@ -528,13 +528,13 @@ sub policy_rules( $$$$$ ) {
|
|||||||
my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
|
my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
|
||||||
|
|
||||||
unless ( $target eq 'NONE' ) {
|
unless ( $target eq 'NONE' ) {
|
||||||
add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
|
add_irule $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
|
||||||
add_jump $chainref, $default, 0 if $default && $default ne 'none';
|
add_ijump $chainref, j => $default if $default && $default ne 'none';
|
||||||
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
|
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
|
||||||
fatal_error "Null target in policy_rules()" unless $target;
|
fatal_error "Null target in policy_rules()" unless $target;
|
||||||
|
|
||||||
add_rule( $chainref , '-j AUDIT --type ' . lc $target ) if $chainref->{audit};
|
add_irule( $chainref , j => 'AUDIT --type ' . lc $target ) if $chainref->{audit};
|
||||||
add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE';
|
add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -563,7 +563,7 @@ sub default_policy( $$$ ) {
|
|||||||
report_syn_flood_protection;
|
report_syn_flood_protection;
|
||||||
policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
|
policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
|
||||||
} else {
|
} else {
|
||||||
add_jump $chainref, $policyref, 1;
|
add_ijump $chainref, g => $policyref;
|
||||||
$chainref = $policyref;
|
$chainref = $policyref;
|
||||||
}
|
}
|
||||||
} elsif ( $policy eq 'CONTINUE' ) {
|
} elsif ( $policy eq 'CONTINUE' ) {
|
||||||
@ -571,7 +571,7 @@ sub default_policy( $$$ ) {
|
|||||||
policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
|
policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
|
||||||
} else {
|
} else {
|
||||||
report_syn_flood_protection if $synparams;
|
report_syn_flood_protection if $synparams;
|
||||||
add_jump $chainref , $policyref, 1;
|
add_ijump $chainref , g => $policyref;
|
||||||
$chainref = $policyref;
|
$chainref = $policyref;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -680,7 +680,7 @@ sub setup_syn_flood_chains() {
|
|||||||
'add' ,
|
'add' ,
|
||||||
'' )
|
'' )
|
||||||
if $level ne '';
|
if $level ne '';
|
||||||
add_rule $synchainref, '-j DROP';
|
add_irule $synchainref, j => 'DROP';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -744,7 +744,7 @@ sub finish_chain_section ($$) {
|
|||||||
|
|
||||||
push_comment(''); #These rules should not have comments
|
push_comment(''); #These rules should not have comments
|
||||||
|
|
||||||
add_rule $chainref, "$globals{STATEMATCH} $state -j ACCEPT" unless $config{FASTACCEPT};
|
add_irule $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
|
||||||
|
|
||||||
if ($sections{NEW} ) {
|
if ($sections{NEW} ) {
|
||||||
if ( $chainref->{is_policy} ) {
|
if ( $chainref->{is_policy} ) {
|
||||||
@ -752,17 +752,17 @@ sub finish_chain_section ($$) {
|
|||||||
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
|
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
|
||||||
if ( $section eq 'DONE' ) {
|
if ( $section eq 'DONE' ) {
|
||||||
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
|
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
|
||||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
add_ijump $chainref, j => $synchainref, p => 'tcp --syn';
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
add_ijump $chainref, j => $synchainref, p => 'tcp --syn';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
my $policychainref = $filter_table->{$chainref->{policychain}};
|
my $policychainref = $filter_table->{$chainref->{policychain}};
|
||||||
if ( $policychainref->{synparams} ) {
|
if ( $policychainref->{synparams} ) {
|
||||||
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
|
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
|
||||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
add_ijump $chainref, j => $synchainref, p => 'tcp --syn';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1164,7 +1164,7 @@ sub dropBcast( $$$$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
add_jump $chainref, $target, 0, "-m addrtype --dst-type BROADCAST ";
|
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
|
||||||
} else {
|
} else {
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
||||||
@ -1174,17 +1174,17 @@ sub dropBcast( $$$$ ) {
|
|||||||
|
|
||||||
incr_cmd_level $chainref;
|
incr_cmd_level $chainref;
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||||
add_jump $chainref, $target, 0, "-d \$address ";
|
add_ijump $chainref, j => $target, d => '$address';
|
||||||
decr_cmd_level $chainref;
|
decr_cmd_level $chainref;
|
||||||
add_commands $chainref, 'done';
|
add_commands $chainref, 'done';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||||
add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
|
add_ijump $chainref, j => $target, d => '224.0.0.0/4';
|
||||||
} else {
|
} else {
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST . ' ' ) if $level ne '';
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST . ' ' ) if $level ne '';
|
||||||
add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
|
add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1199,7 +1199,7 @@ sub allowBcast( $$$$ ) {
|
|||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
||||||
}
|
}
|
||||||
|
|
||||||
add_jump $chainref, $target, 0, "-m addrtype --dst-type BROADCAST ";
|
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
|
||||||
} else {
|
} else {
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
||||||
@ -1209,17 +1209,17 @@ sub allowBcast( $$$$ ) {
|
|||||||
|
|
||||||
incr_cmd_level $chainref;
|
incr_cmd_level $chainref;
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||||
add_rule $chainref, "-d \$address -j $target";
|
add_irule $chainref, j => $target, d => '$address';
|
||||||
decr_cmd_level $chainref;
|
decr_cmd_level $chainref;
|
||||||
add_commands $chainref, 'done';
|
add_commands $chainref, 'done';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||||
add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
|
add_ijump $chainref, j => $target, d => '224.0.0.0/4';
|
||||||
} else {
|
} else {
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
|
||||||
add_jump $chainref, $target, 0, join ( ' ', '-d', IPv6_MULTICAST . ' ' );
|
add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1229,7 +1229,7 @@ sub dropNotSyn ( $$$$ ) {
|
|||||||
my $target = require_audit( 'DROP', $audit );
|
my $target = require_audit( 'DROP', $audit );
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
|
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
|
||||||
add_jump $chainref , $target, 0, "-p 6 ! --syn ";
|
add_ijump $chainref , j => $target, p => '6 ! --syn';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub rejNotSyn ( $$$$ ) {
|
sub rejNotSyn ( $$$$ ) {
|
||||||
@ -1242,7 +1242,7 @@ sub rejNotSyn ( $$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
|
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
|
||||||
add_jump $chainref , $target, 0, '-p 6 ! --syn ';
|
add_ijump $chainref , j => $target, p => '6 ! --syn';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub dropInvalid ( $$$$ ) {
|
sub dropInvalid ( $$$$ ) {
|
||||||
@ -1251,7 +1251,7 @@ sub dropInvalid ( $$$$ ) {
|
|||||||
my $target = require_audit( 'DROP', $audit );
|
my $target = require_audit( 'DROP', $audit );
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
|
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
|
||||||
add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
|
add_ijump $chainref , j => $target, state_imatch 'INVALID';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub allowInvalid ( $$$$ ) {
|
sub allowInvalid ( $$$$ ) {
|
||||||
@ -1260,7 +1260,7 @@ sub allowInvalid ( $$$$ ) {
|
|||||||
my $target = require_audit( 'ACCEPT', $audit );
|
my $target = require_audit( 'ACCEPT', $audit );
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
|
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
|
||||||
add_rule $chainref , "$globals{STATEMATCH} INVALID -j $target";
|
add_irule $chainref , j => $target, state_imatch 'INVALID';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub forwardUPnP ( $$$$ ) {
|
sub forwardUPnP ( $$$$ ) {
|
||||||
@ -1279,8 +1279,8 @@ sub allowinUPnP ( $$$$ ) {
|
|||||||
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
|
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
|
||||||
}
|
}
|
||||||
|
|
||||||
add_jump $chainref, $target, 0, '-p 17 --dport 1900 ';
|
add_ijump $chainref, j => $target, p => '17 --dport 1900';
|
||||||
add_jump $chainref, $target, 0, '-p 6 --dport 49152 ';
|
add_ijump $chainref, j => $target, p => '6 --dport 49152';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub Limit( $$$$ ) {
|
sub Limit( $$$$ ) {
|
||||||
@ -1307,18 +1307,18 @@ sub Limit( $$$$ ) {
|
|||||||
|
|
||||||
require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
|
require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
|
||||||
|
|
||||||
add_rule $chainref, "-m recent --name $set --set";
|
add_irule $chainref, '' => '', recent => "--name $set --set";
|
||||||
|
|
||||||
if ( $level ne '' ) {
|
if ( $level ne '' ) {
|
||||||
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
||||||
log_rule_limit $level, $xchainref, $param[0], 'DROP', '', $tag, 'add', '';
|
log_rule_limit $level, $xchainref, $param[0], 'DROP', '', $tag, 'add', '';
|
||||||
add_rule $xchainref, '-j DROP';
|
add_irule $xchainref, j => 'DROP';
|
||||||
add_jump $chainref, $xchainref, 0, "-m recent --name $set --update --seconds $param[2] --hitcount $count ";
|
add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
|
||||||
} else {
|
} else {
|
||||||
add_rule $chainref, "-m recent --update --name $set --seconds $param[2] --hitcount $count -j DROP";
|
add_irule $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $chainref, '-j ACCEPT';
|
add_irule $chainref, j => 'ACCEPT';
|
||||||
}
|
}
|
||||||
|
|
||||||
my %builtinops = ( 'dropBcast' => \&dropBcast,
|
my %builtinops = ( 'dropBcast' => \&dropBcast,
|
||||||
@ -2122,7 +2122,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
|
|||||||
# Static NAT is defined on this interface
|
# Static NAT is defined on this interface
|
||||||
#
|
#
|
||||||
$chn = new_chain( 'nat', newnonatchain ) unless $chn;
|
$chn = new_chain( 'nat', newnonatchain ) unless $chn;
|
||||||
add_jump $chn, $nat_table->{$ichain}, 0, @interfaces > 1 ? match_source_dev( $_ ) : '';
|
add_ijump $chn, j => $nat_table->{$ichain}, @interfaces > 1 ? imatch_source_dev( $_ ) : ();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user