Insert comments into add_common_rules()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2024-03-02 19:51:18 -08:00
parent e8f28fa564
commit 11fb1ab6cf

View File

@ -786,9 +786,15 @@ sub add_common_rules ( $ ) {
create_docker_rules if $config{DOCKER}; create_docker_rules if $config{DOCKER};
if ( my $val = $config{DYNAMIC_BLACKLIST} ) { if ( my $val = $config{DYNAMIC_BLACKLIST} ) {
#
# $config{DYNAMIC_BLACKLIST} was normalized in Shorewall:Config:get_configuration - it is probably not what is specified in the shorewall[6].conf
#
( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $val ); ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $val );
unless ( $dbl_type =~ /^ipset-only/ ) { unless ( $dbl_type =~ /^ipset-only/ ) {
#
# Classic chain-based backlisting
#
add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag); add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag);
add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag); add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
$dynamicref = set_optflags( new_standard_chain( 'dynamic' ) , DONT_OPTIMIZE ); $dynamicref = set_optflags( new_standard_chain( 'dynamic' ) , DONT_OPTIMIZE );
@ -796,6 +802,9 @@ sub add_common_rules ( $ ) {
} }
if ( $dbl_ipset ) { if ( $dbl_ipset ) {
#
# ipset-based blacklisting - not mutually exclusive with the classic type
#
if ( $val = $globals{DBL_TIMEOUT} ) { if ( $val = $globals{DBL_TIMEOUT} ) {
$dbl_options = $globals{DBL_OPTIONS}; $dbl_options = $globals{DBL_OPTIONS};
$dbl_src_target = $dbl_options =~ /src-dst/ ? 'dbl_src' : 'dbl_log'; $dbl_src_target = $dbl_options =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
@ -919,7 +928,9 @@ sub add_common_rules ( $ ) {
# #
$target1 = $target; $target1 = $target;
} }
#
# Interface-specific processing
#
for $interface ( all_real_interfaces ) { for $interface ( all_real_interfaces ) {
ensure_chain( 'filter', $_ )->{origin} = interface_origin( $interface ) ensure_chain( 'filter', $_ )->{origin} = interface_origin( $interface )
for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface ); for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
@ -927,6 +938,9 @@ sub add_common_rules ( $ ) {
my $interfaceref = find_interface $interface; my $interfaceref = find_interface $interface;
unless ( $interfaceref->{physical} eq loopback_interface ) { unless ( $interfaceref->{physical} eq loopback_interface ) {
#
# sfilter
#
unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) { unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {
my @filters = @{$interfaceref->{filter}}; my @filters = @{$interfaceref->{filter}};
@ -950,7 +964,9 @@ sub add_common_rules ( $ ) {
add_ijump_extended( $chainref , g => $target, $origin, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters; add_ijump_extended( $chainref , g => $target, $origin, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
} }
} }
#
# Dynamic Blacklisting
#
my ( $src_target, $dst_target, $classic_target ) = ( $dbl_src_target, $dbl_dst_target , $dynamicref->{name} ); my ( $src_target, $dst_target, $classic_target ) = ( $dbl_src_target, $dbl_dst_target , $dynamicref->{name} );
if ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) != DBL_NONE ) { if ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) != DBL_NONE ) {
@ -1024,14 +1040,15 @@ sub add_common_rules ( $ ) {
} }
} }
} }
#
# Finish blacklisting and FASTACCEPT
#
for ( option_chains( $interface ) ) { for ( option_chains( $interface ) ) {
add_ijump_extended( $filter_table->{$_}, j => $classic_target, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC ); add_ijump_extended( $filter_table->{$_}, j => $classic_target, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC );
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT}; add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
} }
} }
} }
# #
# Delete 'sfilter' chains unless there are referenced to them # Delete 'sfilter' chains unless there are referenced to them
# #
@ -1040,7 +1057,9 @@ sub add_common_rules ( $ ) {
$chainref->{referenced} = 0 unless keys %{$chainref->{references}}; $chainref->{referenced} = 0 unless keys %{$chainref->{references}};
} }
} }
#
# rfilter
#
$list = find_interfaces_by_option('rpfilter'); $list = find_interfaces_by_option('rpfilter');
if ( @$list ) { if ( @$list ) {
@ -1110,7 +1129,9 @@ sub add_common_rules ( $ ) {
} elsif ( -f ( my $fn = find_file 'blacklist' ) ) { } elsif ( -f ( my $fn = find_file 'blacklist' ) ) {
warning_message "The blacklist file is no longer supported -- use '$product update' to convert $fn to the equivalent blrules file"; warning_message "The blacklist file is no longer supported -- use '$product update' to convert $fn to the equivalent blrules file";
} }
#
# Smurfs
#
$list = find_hosts_by_option 'nosmurfs'; $list = find_hosts_by_option 'nosmurfs';
if ( @$list ) { if ( @$list ) {
@ -1184,7 +1205,9 @@ sub add_common_rules ( $ ) {
} }
} }
} }
#
# DHCP
#
$list = find_interfaces_by_option 'dhcp'; $list = find_interfaces_by_option 'dhcp';
if ( @$list ) { if ( @$list ) {
@ -1217,7 +1240,9 @@ sub add_common_rules ( $ ) {
} }
} }
} }
#
# tcpflags
#
$list = find_hosts_by_option 'tcpflags'; $list = find_hosts_by_option 'tcpflags';
if ( @$list ) { if ( @$list ) {
@ -1289,7 +1314,9 @@ sub add_common_rules ( $ ) {
} }
my $announced = 0; my $announced = 0;
#
# upnp
#
$list = find_interfaces_by_option 'upnp'; $list = find_interfaces_by_option 'upnp';
if ( @$list ) { if ( @$list ) {
@ -1313,7 +1340,9 @@ sub add_common_rules ( $ ) {
add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD} , imatch_dest_dev ( $interface ) if $chainref1; add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD} , imatch_dest_dev ( $interface ) if $chainref1;
} }
} }
#
# upnp client
#
$list = find_interfaces_by_option 'upnpclient'; $list = find_interfaces_by_option 'upnpclient';
if ( @$list ) { if ( @$list ) {