Add some insurance
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8414 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
b99813a1b5
commit
0927fcb95c
@ -27,6 +27,7 @@
|
|||||||
package Shorewall::Chains;
|
package Shorewall::Chains;
|
||||||
require Exporter;
|
require Exporter;
|
||||||
|
|
||||||
|
use Scalar::Util 'reftype';
|
||||||
use Shorewall::Config qw(:DEFAULT :internal);
|
use Shorewall::Config qw(:DEFAULT :internal);
|
||||||
use Shorewall::Zones;
|
use Shorewall::Zones;
|
||||||
use Shorewall::IPAddrs;
|
use Shorewall::IPAddrs;
|
||||||
@ -35,6 +36,7 @@ use strict;
|
|||||||
our @ISA = qw(Exporter);
|
our @ISA = qw(Exporter);
|
||||||
our @EXPORT = qw(
|
our @EXPORT = qw(
|
||||||
add_rule
|
add_rule
|
||||||
|
add_jump
|
||||||
insert_rule
|
insert_rule
|
||||||
new_chain
|
new_chain
|
||||||
new_manual_chain
|
new_manual_chain
|
||||||
@ -432,6 +434,8 @@ sub add_rule($$;$)
|
|||||||
{
|
{
|
||||||
my ($chainref, $rule, $expandports) = @_;
|
my ($chainref, $rule, $expandports) = @_;
|
||||||
|
|
||||||
|
fatal_error 'Internal Error in add_rule()' if reftype $rule;
|
||||||
|
|
||||||
$iprangematch = 0;
|
$iprangematch = 0;
|
||||||
#
|
#
|
||||||
# Pre-processing the port lists as was done in Shorewall-shell results in port-list
|
# Pre-processing the port lists as was done in Shorewall-shell results in port-list
|
||||||
@ -487,6 +491,31 @@ sub add_rule($$;$)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Add a jump from the chain represented by the reference in the first argument to
|
||||||
|
# the chain named in the second argument. The optional third argument specifies any
|
||||||
|
# matches to be included in the rule and must end with a space character if it is passed.
|
||||||
|
#
|
||||||
|
|
||||||
|
sub add_jump( $$;$ ) {
|
||||||
|
my ( $fromref, $to, $predicate ) = @_;
|
||||||
|
|
||||||
|
$predicate |= '';
|
||||||
|
|
||||||
|
my $toref;
|
||||||
|
|
||||||
|
if ( reftype $to ) {
|
||||||
|
$toref = $to;
|
||||||
|
$to = $toref->{name};
|
||||||
|
} else {
|
||||||
|
$toref = ensure_chain( $fromref->{table} , $to ) unless ($targets{$to} | 0 ) & STANDARD;
|
||||||
|
}
|
||||||
|
|
||||||
|
$toref->{referenced} = 1 if $toref;
|
||||||
|
|
||||||
|
add_rule ($fromref, join( '', $predicate, "-j $to" ) );
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Insert a rule into a chain. Arguments are:
|
# Insert a rule into a chain. Arguments are:
|
||||||
#
|
#
|
||||||
|
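Review bot: `$predicate |= '';` in the new add_jump is a bitwise OR-assignment, not a default; it leaves a passed predicate intact only because both operands are strings, for which string bitwise OR with '' is an identity, and a numeric operand would be coerced instead. The intent is `$predicate ||= '';`. The header comment says the predicate must end with a space, so a cheap guard in the spirit of the one this commit adds to add_rule, `fatal_error 'Internal Error in add_jump()' if $predicate ne '' && $predicate !~ /\s\z/;`, would catch callers that build a match string without the trailing space. In the else branch `( $targets{$to} | 0 )` will, I believe, still raise an uninitialized-value warning under `use warnings` for an unknown target name, since `|` (unlike `||`) does not exempt undef; `( $targets{$to} || 0 )` avoids it, and it is worth confirming that ensure_chain creating a chain for every non-STANDARD name is intended, as a misspelled chain name would then get an empty chain rather than an error.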
@ -438,22 +438,22 @@ sub apply_policy_rules() {
|
|||||||
# - If no applicable policy is found, add rules for an assummed
|
# - If no applicable policy is found, add rules for an assummed
|
||||||
# policy of DROP INFO
|
# policy of DROP INFO
|
||||||
#
|
#
|
||||||
sub complete_standard_chain ( $$$ ) {
|
sub complete_standard_chain ( $$$$ ) {
|
||||||
my ( $stdchainref, $zone, $zone2 ) = @_;
|
my ( $stdchainref, $zone, $zone2, $default ) = @_;
|
||||||
|
|
||||||
add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};
|
add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};
|
||||||
|
|
||||||
run_user_exit $stdchainref;
|
run_user_exit $stdchainref;
|
||||||
|
|
||||||
my $ruleschainref = $filter_table->{"${zone}2${zone2}"};
|
my $ruleschainref = $filter_table->{"${zone}2${zone2}"};
|
||||||
my ( $policy, $loglevel, $default ) = ( 'DROP', 6, $config{DROP_DEFAULT} );
|
my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
|
||||||
my $policychainref;
|
my $policychainref;
|
||||||
|
|
||||||
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
|
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
|
||||||
|
|
||||||
( $policy, $loglevel, $default ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
|
( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
|
||||||
|
|
||||||
policy_rules $stdchainref , $policy , $loglevel, $default, 0;
|
policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -1693,15 +1693,15 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
if ( @$exclusions ) {
|
if ( @$exclusions ) {
|
||||||
my $output = zone_output_chain $zone;
|
my $output = zone_output_chain $zone;
|
||||||
add_rule $outputref , join( '', $interfacematch, $dest, $ipsec_out_match, "-j $output" );
|
add_jump $outputref , $output, join( '', $interfacematch, $dest, $ipsec_out_match );
|
||||||
add_rule $filter_table->{$output} , "-j $chain1";
|
add_jump $filter_table->{$output} , $chain1;
|
||||||
$nextchain = $output;
|
$nextchain = $output;
|
||||||
} else {
|
} else {
|
||||||
add_rule $outputref , join( '', $interfacematch, $dest, $ipsec_out_match, "-j $chain1" );
|
add_jump $outputref , $chain1, join( '', $interfacematch, $dest, $ipsec_out_match );
|
||||||
$nextchain = $chain1;
|
$nextchain = $chain1;
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule( $outputref , join('', $interfacematch, '-d 255.255.255.255 ' , $ipsec_out_match, "-j $nextchain" ) )
|
add_jump( $outputref , $nextchain, join('', $interfacematch, '-d 255.255.255.255 ' , $ipsec_out_match ) )
|
||||||
if $hostref->{options}{broadcast};
|
if $hostref->{options}{broadcast};
|
||||||
|
|
||||||
move_rules( $filter_table->{output_chain $interface} , $filter_table->{$nextchain} ) unless use_output_chain $interface;
|
move_rules( $filter_table->{output_chain $interface} , $filter_table->{$nextchain} ) unless use_output_chain $interface;
|
||||||
@ -1716,7 +1716,7 @@ sub generate_matrix() {
|
|||||||
# There are DNAT/REDIRECT rules with this zone as the source.
|
# There are DNAT/REDIRECT rules with this zone as the source.
|
||||||
# Add a jump from this source network to this zone's DNAT/REDIRECT chain
|
# Add a jump from this source network to this zone's DNAT/REDIRECT chain
|
||||||
#
|
#
|
||||||
add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j ', $dnatref->{name} );
|
add_jump $preroutingref, $dnatref, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
# If this zone has parents with DNAT/REDIRECT rules and there are no CONTINUE polcies with this zone as the source
|
# If this zone has parents with DNAT/REDIRECT rules and there are no CONTINUE polcies with this zone as the source
|
||||||
@ -1739,11 +1739,11 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
if ( @$exclusions ) {
|
if ( @$exclusions ) {
|
||||||
my $input = zone_input_chain $zone;
|
my $input = zone_input_chain $zone;
|
||||||
add_rule $inputchainref, join( '', $interfacematch, $source, $ipsec_in_match, "-j $input" );
|
add_jump $inputchainref, $input, join( '', $interfacematch, $source, $ipsec_in_match );
|
||||||
add_rule $filter_table->{ $input } , "-j $chain2";
|
add_jump $filter_table->{ $input } , $chain2;
|
||||||
$nextchain = $input;
|
$nextchain = $input;
|
||||||
} else {
|
} else {
|
||||||
add_rule $inputchainref, join( '', $interfacematch, $source, $ipsec_in_match, "-j $chain2" );
|
add_jump $inputchainref, $chain2, join( '', $interfacematch, $source, $ipsec_in_match );
|
||||||
$nextchain = $chain2;
|
$nextchain = $chain2;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1864,7 +1864,7 @@ sub generate_matrix() {
|
|||||||
$policy_exclusions{"${chain}_${zone1}"} = $chain1;
|
$policy_exclusions{"${chain}_${zone1}"} = $chain1;
|
||||||
my $chain1ref = ensure_filter_chain $chain1, 0;
|
my $chain1ref = ensure_filter_chain $chain1, 0;
|
||||||
add_exclusions $chain1ref, $exclusions1;
|
add_exclusions $chain1ref, $exclusions1;
|
||||||
add_rule $chain1ref, "-j $chain";
|
add_jump $chain1ref, $chain;
|
||||||
}
|
}
|
||||||
|
|
||||||
$chain = $chain1;
|
$chain = $chain1;
|
||||||
@ -1883,7 +1883,7 @@ sub generate_matrix() {
|
|||||||
if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
|
if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
|
||||||
my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
|
my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
|
||||||
for my $net ( @{$hostref->{hosts}} ) {
|
for my $net ( @{$hostref->{hosts}} ) {
|
||||||
add_rule $frwd_ref, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match, "-j $chain" );
|
add_jump $frwd_ref, $chain, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1917,15 +1917,15 @@ sub generate_matrix() {
|
|||||||
#
|
#
|
||||||
# We defer evaluation of the source net match to accomodate systems without $capabilities{KLUDEFREE};
|
# We defer evaluation of the source net match to accomodate systems without $capabilities{KLUDEFREE};
|
||||||
#
|
#
|
||||||
add_rule(
|
add_jump(
|
||||||
$chain3ref ,
|
$chain3ref ,
|
||||||
|
$chain ,
|
||||||
join( '',
|
join( '',
|
||||||
$match_source_dev,
|
$match_source_dev,
|
||||||
match_dest_dev($interface1),
|
match_dest_dev($interface1),
|
||||||
match_source_net($net),
|
match_source_net($net),
|
||||||
match_dest_net($net1),
|
match_dest_net($net1),
|
||||||
$ipsec_out_match,
|
$ipsec_out_match )
|
||||||
"-j $chain" )
|
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1942,7 +1942,7 @@ sub generate_matrix() {
|
|||||||
#
|
#
|
||||||
# Now add an unconditional jump to the last unique policy-only chain determined above, if any
|
# Now add an unconditional jump to the last unique policy-only chain determined above, if any
|
||||||
#
|
#
|
||||||
add_rule $frwd_ref , "-j $last_chain" if $last_chain;
|
add_jump $frwd_ref , $last_chain if $last_chain;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
@ -1974,11 +1974,11 @@ sub generate_matrix() {
|
|||||||
#
|
#
|
||||||
for my $interface ( @interfaces ) {
|
for my $interface ( @interfaces ) {
|
||||||
|
|
||||||
add_rule $filter_table->{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface if use_forward_chain $interface;
|
add_jump( $filter_table->{FORWARD} , forward_chain $interface , match_source_dev( $interface ) ) if use_forward_chain $interface;
|
||||||
add_rule $filter_table->{INPUT} , match_source_dev( $interface ) . "-j " . input_chain($interface) if use_input_chain $interface;
|
add_jump( $filter_table->{INPUT} , input_chain $interface , match_source_dev( $interface ) ) if use_input_chain $interface;
|
||||||
|
|
||||||
if ( use_output_chain $interface ) {
|
if ( use_output_chain $interface ) {
|
||||||
add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' );
|
add_jump $filter_table->{OUTPUT} , output_chain $interface , "-o $interface " unless get_interface_option( $interface, 'port' );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1991,9 +1991,9 @@ sub generate_matrix() {
|
|||||||
nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
|
nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
|
||||||
filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
|
filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
|
||||||
|
|
||||||
complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone;
|
complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone , 'DROP';
|
||||||
complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all';
|
complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all', 'REJECT';
|
||||||
complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all';
|
complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all', 'REJECT';
|
||||||
|
|
||||||
if ( $config{LOGALLNEW} ) {
|
if ( $config{LOGALLNEW} ) {
|
||||||
for my $table qw/mangle nat filter/ {
|
for my $table qw/mangle nat filter/ {
|
||||||
|
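Review bot: complete_standard_chain now derives both the fallback policy and its default action from the new fourth argument via `$config{$default . '_DEFAULT'}`, but nothing checks that `$default` names a policy for which that lookup is meaningful, so a caller passing another name would silently get an undefined default action. A guard matching the one this commit adds to add_rule fits here, placed right after the argument unpacking: `fatal_error "Internal Error in complete_standard_chain($default)" unless $default eq 'DROP' || $default eq 'REJECT';`. The three call sites in the last hunk pass only 'DROP' and 'REJECT', and any other caller outside this diff now fails at compile time because of the `( $$$$ )` prototype, which is presumably the insurance the title refers to.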