Section the rules file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2563 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-08-26 19:55:05 +00:00
parent b800346eea
commit 07c152ab35
4 changed files with 199 additions and 20 deletions


@ -13,6 +13,8 @@ Changes in 2.5.3
6) Clear the raw table on stop and [re]start
7) Section the rules file.
Changes in 2.5.2
1) Allow port lists in /etc/sorewall/accounting.


@ -230,6 +230,33 @@ run_ipset() {
fi
}
#
# Add the implicit ACCEPT rules at the end of a rules file section
#
finish_chain_section() # $1 = canonical chain $2 = state list
{
[ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
if list_search RELATED $(separate_list $2) ; then
[ -z "$NEWNOTSYN" ] && run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
fi
}
finish_section() # $1 = Section(s)
{
local zone zone1 chain
if [ "$COMMAND" != check ]; then
for zone in $ZONES $FW; do
for zone1 in $ZONES $FW; do
chain=${zone}2${zone1}
if havechain $chain; then
finish_chain_section $chain $1
fi
done
done
fi
}
#
# Create a filter chain
#
@ -245,6 +272,15 @@ createchain() # $1 = chain name, $2 = If "yes", create newnotsyn rule
run_iptables -N $1
if [ $2 = yes ]; then
case $SECTION in
NEW)
finish_chain_section $1 ESTABLISHED,RELATED
;;
RELATED)
finish_chain_section $1 ESTABLISHED
;;
esac
[ -z "$NEWNOTSYN" ] && \
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
fi
@ -259,12 +295,20 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
if $IPTABLES -N $1; then
if [ $2 = yes ]; then
[ -z "$NEWNOTSYN" ] && \
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
case $SECTION in
NEW)
finish_chain_section $1 ESTABLISHED,RELATED
;;
RELATED)
finish_chain_section $1 ESTABLISHED
;;
esac
fi
eval exists_${c}=Yes
fi
}
#
@ -2729,6 +2773,15 @@ setup_syn_flood_chain ()
run_iptables -A $chain -j DROP
}
setup_syn_flood_chains()
{
for chain in $ALL_POLICY_CHAINS; do
eval loglevel=\$${chain}_loglevel
eval synparams=\$${chain}_synparams
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
done
}
#
# Enable SYN flood protection on a chain
#
@ -5015,11 +5068,11 @@ process_rule() # $1 = target
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in $(separate_list $addr); do
run_iptables -A $logchain $(fix_bang $proto $sports $multiport $dports) $user -m conntrack --ctorigdst $adr -j $chain
run_iptables -A $logchain $state $(fix_bang $proto $sports $multiport $dports) $user -m conntrack --ctorigdst $adr -j $chain
done
addr=
else
run_iptables -A $logchain $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain
run_iptables -A $state $logchain $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain
fi
cli=
@ -5028,6 +5081,7 @@ process_rule() # $1 = target
multiport=
dports=
user=
state=
}
# Set source variables. The 'cli' variable will hold the client match predicate(s).
@ -5149,6 +5203,18 @@ process_rule() # $1 = target
;;
esac
case $SECTION in
NEW)
state=
;;
ESTABLISHED)
state="-m state --state ESTABLISHED"
;;
RELATED)
state="-m state --state ESTABLISHED"
;;
esac
if [ -n "${serv}${servport}" ]; then
if [ $COMMAND != check ]; then
@ -5173,16 +5239,16 @@ process_rule() # $1 = target
for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
$user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
$user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
fi
run_iptables2 -A $chain $proto $ratelimit $multiport $cli $sports \
run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
$(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target
done
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
fi
if [ -n "$nonat" ]; then
@ -5191,7 +5257,7 @@ process_rule() # $1 = target
fi
if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $proto $multiport $cli $sports \
run_iptables2 -A $chain $state $proto $multiport $cli $sports \
$(dest_ip_range $srv) $dports $ratelimit $user -j $target
fi
fi
@ -5200,7 +5266,7 @@ process_rule() # $1 = target
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $sports $multiport $cli $dports)
$(fix_bang $proto $sports $multiport $cli $dports) $state
fi
[ -n "$nonat" ] && \
@ -5226,7 +5292,7 @@ process_rule() # $1 = target
for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr)
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr) $state
fi
if [ "$logtarget" != LOG ]; then
@ -5236,7 +5302,7 @@ process_rule() # $1 = target
fi
if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
$sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j $target
fi
fi
@ -5244,7 +5310,7 @@ process_rule() # $1 = target
else
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports) $state
fi
if [ "$logtarget" != LOG ]; then
@ -5254,7 +5320,7 @@ process_rule() # $1 = target
fi
if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
$sports $dports $ratelimit $user -j $target
fi
fi
@ -5372,6 +5438,7 @@ process_rule() # $1 = target
case $target in
ACCEPT+|NONAT)
[ $SECTION = NEW ] || fatal_error "$target rules are not allowed in the $SECTION SECTION"
nonat=Yes
target=ACCEPT
;;
@ -5387,10 +5454,12 @@ process_rule() # $1 = target
target=RETURN
;;
DNAT*|SAME*)
[ $SECTION = NEW ] || fatal_error "$target rules are not allowed in the $SECTION SECTION"
target=ACCEPT
address=${address:=detect}
;;
REDIRECT*)
[ $SECTION = NEW ] || fatal_error "REDIRECT rules are not allowed in the $SECTION SECTION"
target=ACCEPT
address=${address:=all}
if [ "x-" = "x$servers" ]; then
@ -5399,6 +5468,9 @@ process_rule() # $1 = target
servers="$FW::$servers"
fi
;;
*-)
[ $SECTION = NEW ] || fatal_error "$target rules are not allowed in the $SECTION SECTION"
;;
esac
# Parse and validate source
@ -5778,6 +5850,8 @@ process_rules() # $1 = "Yes" if the target is a macro.
{
expandv xprotocol xports xcports xaddress xratelimit xuserspec intrazone=
[ -z "$SECTIONS" ] && SECTIONS="ESTABLISHED RELATED NEW"
case $xclients in
all+)
xclients=all
@ -5828,6 +5902,30 @@ process_rules() # $1 = "Yes" if the target is a macro.
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
do_it No
;;
SECTION)
list_search $xclients $SECTIONS && fatal_error "Duplicate or out of order SECTION $xclients"
case $xclients in
ESTABLISHED)
SECTIONS=ESTABLISHED
;;
RELATED)
finish_section ESTABLISHED
SECTIONS="ESTABLISHED RELATED"
;;
NEW)
[ $SECTION = RELATED ] && finish_section RELATED || finish_section ESTABLISHED,RELATED
SECTIONS="ESTABLISHED RELATED NEW"
;;
*)
fatal_error "Invalid SECTION $xclients"
;;
esac
[ -n "$xservers" ] && fatal_error "Invalid SECTION $xclients $xservers"
SECTION=$xclients
;;
*)
if list_search ${xtarget%%:*} $ACTIONS; then
if ! list_search $xtarget $USEDACTIONS; then
@ -5871,6 +5969,17 @@ process_rules() # $1 = "Yes" if the target is a macro.
esac
done < $TMP_DIR/rules
case $SECTION in
ESTABLISHED)
finish_section ESTABLISHED,RELATED
SECTION=NEW
;;
RELATED)
finish_section RELATED
SECTION=NEW
;;
esac
}
#
@ -7698,21 +7807,18 @@ apply_policy_rules() {
for chain in $ALL_POLICY_CHAINS; do
eval policy=\$${chain}_policy
eval loglevel=\$${chain}_loglevel
eval synparams=\$${chain}_synparams
eval optional=\$${chain}_is_optional
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
if havechain $chain ; then
[ -n "$synparams" ] && \
run_iptables -I $chain 2 -p tcp --syn -j @$chain ### FIX ME ###
[ -n "$synparms" ] && run_iptables -I $chain -p tcp --syn -j @$chain
elif [ -z "$optional" -a "$policy" != CONTINUE ]; then
#
# The chain doesn't exist. Create the chain and add policy
# rules
#
createchain $chain yes
#
# If either client or server is 'all' then this MUST be
# a policy chain and we must apply the appropriate policy rules
@ -8130,6 +8236,8 @@ define_firewall() # $1 = Command (Start or Restart)
maclist_hosts=$(find_hosts_by_option maclist)
[ -n "$maclist_hosts" ] && setup_mac_lists
setup_syn_flood_chains
echo "Processing $(find_file rules)..."; process_rules
echo "Processing Actions..."; process_actions2
process_actions3
@ -8722,7 +8830,7 @@ do_initialize() {
STOPPING=
HAVE_MUTEX=
ALIASES_TO_ADD=
SECTION=
SECTION=NEW
SECTIONS=
FUNCTIONS=$SHARED_DIR/functions
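Review bot: In the -5015 hunk the new no-address logging branch puts `$state` before the chain name, `run_iptables -A $state $logchain …`, so in the ESTABLISHED or RELATED section iptables is handed `-A -m state --state ESTABLISHED <logchain>` and the rule fails to load, while the sibling `--ctorigdst` line in the same hunk has the right order; it should read `run_iptables -A $logchain $state $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain` (process_rule's body continues outside every one of these hunks). In the -5828 hunk, `[ $SECTION = RELATED ] && finish_section RELATED || finish_section ESTABLISHED,RELATED` runs both branches whenever finish_section RELATED returns non-zero, which can happen when NEWNOTSYN is set because `[ -z "$NEWNOTSYN" ] && …` is the last command evaluated in finish_chain_section, and the result is a second ESTABLISHED,RELATED ACCEPT rule; write it as an if/else. In the -7698 hunk the surviving SYN-flood line tests `$synparms`, a name assigned nowhere visible, while every other site uses `synparams`, so if that is the new side the `--syn -j @$chain` jump is silently never inserted. The rules-file comment in this commit states that the ESTABLISHED and RELATED sections must be empty when FASTACCEPT is set, but the script only skips the implicit ACCEPT in finish_chain_section and never rejects rules placed there, so a DROP in those sections would be silently ineffective under FASTACCEPT; a `fatal_error` in the `SECTION)` case when FASTACCEPT is non-empty and `$xclients` is not NEW would enforce the documented contract. It is also not visible whether the `[ -z "$SECTIONS" ] && SECTIONS="ESTABLISHED RELATED NEW"` default at the top of the -5778 hunk runs for SECTION header lines as well; if it does, the first `SECTION ESTABLISHED` would already trip the "Duplicate or out of order" check.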


@ -40,6 +40,38 @@ New Features in Shorewall 2.5.3
#SOURCE DEST POLICY LOG LEVEL
loc loc ACCEPT info
5) Prior to Shorewall 2.5.3, the rules file only controlled packets in
the Netfilter states NEW and INVALID. Beginning with this release,
the rules file can also deal with packets in the ESTABLISHED and
RELATED states.
The /etc/shorewall/rules file may now be divided into
"sections". Each section is introduced by a line that begins with
the keyword SECTION which is followed by the section name. Sections
are as listed below and must appear in the order shown.
ESTABLISHED
Rules in this section apply to packets in the ESTABLISHED
state.
RELATED
Rules in this section apply to packets in the RELATED state.
NEW
Rules in this section apply to packets in the NEW and INVALID
states.
Rules in the ESTABLISHED and RELATED sections are limited to the
following ACTIONs:
ACCEPT, DROP, REJECT, QUEUE, LOG and User-defined actions.
Macros may be used in these sections provided that they expand to
only these ACTIONs.
Problems Corrected in 2.5.2:
1) You may now include port lists in in the /etc/shorewall/accounting


@ -19,6 +19,40 @@
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#------------------------------------------------------------------------------
#
# The rules file is divided into sections. Each section is introduced by
# a "Section Header" which is a line beginning with SECTION followed by the
# section name.
#
# Sections are as follows and must appear in the order listed:
#
# ESTABLISHED Packets in the ESTABLISHED state are processed
# by rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# RELATED Packets in the RELATED state are processed by
# rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# NEW Packets in the NEW and INVALID states are
# processed by rules in this section.
#
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
# ESTABLISHED and RELATED sections must be empty.
#
# You may omit any section that you don't need. If no Section Headers appear
# in the file then all rules are assumed to be in the NEW section.
#
# Columns are:
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
@ -370,4 +404,7 @@
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
SECTION ESTABLISHED
SECTION RELATED
SECTION NEW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
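Review bot: The allowed-ACTION list in the new ESTABLISHED and RELATED comments, `ACCEPT, DROP, REJECT, LOG and QUEUE`, disagrees with the release notes in this same commit, which also permit user-defined actions and macros that expand to those ACTIONs, so one of the two documents is wrong about what the script accepts. If user-defined actions are intended, the two comment lines could read `# ACCEPT, DROP, REJECT, LOG, QUEUE and user-defined actions` so that a reader of the rules file alone does not assume actions are rejected in those sections.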