Implement Run-time Address Variables

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-01-26 09:08:48 -08:00
parent 17a1cd3c57
commit 156b04c380
7 changed files with 266 additions and 48 deletions

View File

@ -2679,6 +2679,15 @@ sub have_ipset_rules() {
$ipset_rules;
}
sub get_interface_address( $ );
sub record_runtime_address( $ ) {
my $interface = shift;
fatal_error "Unknown interface address variable (&$interface)" unless known_interface( $interface );
fatal_error "Invalid interface address variable (&$interface)" if $interface =~ /\+$/;
get_interface_address( $interface ) . ' ';
}
sub mysplit( $ );
#
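Review bot: the `. ' '` at the end of `record_runtime_address` is the only hint that the returned value already carries a trailing space, which matters to every caller that concatenates it into a match string; add a one-line comment above the sub stating that the result ends in a space and that `get_interface_address` is resolved at run time, so the next reader does not append a second space or try to validate the value as a literal address. The two `fatal_error` checks are in a sensible order (unknown interface first, then the wildcard `/\+$/` rejection), but the wildcard restriction described in the release notes deserves a comment here as well.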
@ -2714,8 +2723,14 @@ sub match_source_net( $;$ ) {
$result;
} elsif ( $net =~ s/^!// ) {
validate_net $net, 1;
"! -s $net ";
if ( $net =~ /^&(.+)/ ) {
'! -s ' . record_runtime_address $1;
} else {
validate_net $net, 1;
"! -s $net ";
}
} elsif ( $net =~ /^&(.+)/ ) {
'-s ' . record_runtime_address $1;
} else {
validate_net $net, 1;
$net eq ALLIP ? '' : "-s $net ";
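Review bot: in both the negated and the positive `&` branches the value skips `validate_net` entirely, so the only checks a run-time address gets are the `known_interface` and non-wildcard tests inside `record_runtime_address`; that is reasonable, but it should be stated in a comment, and the `^&(.+)` capture is greedy, so anything after the interface name (for example a netmask suffix) is passed through to `record_runtime_address` and surfaces as "Unknown interface address variable" rather than as a more specific message. Consider tightening the capture to the interface-name syntax, or at least documenting that suffixes are not supported.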
@ -2749,10 +2764,15 @@ sub match_dest_net( $ ) {
}
$result;
} elsif ( $net =~ /^!/ ) {
$net =~ s/!//;
validate_net $net, 1;
"! -d $net ";
} elsif ( $net =~ s/^!// ) {
if ( $net =~ /^&(.+)/ ) {
'! -d ' . record_runtime_address $1;
} else {
validate_net $net, 1;
"! -d $net ";
}
} elsif ( $net =~ /^&(.+)/ ) {
'-d ' . record_runtime_address $1;
} else {
validate_net $net, 1;
$net eq ALLIP ? '' : "-d $net ";
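Review bot: replacing the unanchored `s/!//` with `s/^!//` is a good cleanup (the old form stripped the first `!` anywhere in the string), but this hunk is now the second copy of the same `s/^!//` / `^&(.+)` / `validate_net` sequence, with a third in `match_orig_dest`; factoring the shared logic into one helper that takes the match flag (`-s`, `-d`) would keep the three from drifting, which the `match_orig_dest` version already shows signs of. The commit message does not mention the `s/!//` anchoring change; worth a line there.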
@ -2769,10 +2789,20 @@ sub match_orig_dest ( $ ) {
return '' unless have_capability( 'CONNTRACK_MATCH' );
if ( $net =~ s/^!// ) {
validate_net $net, 1;
if ( $net =~ /^&(.+)/ ) {
$net = record_runtime_address $1;
} else {
validate_net $net, 1;
}
have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
} else {
validate_net $net, 1;
if ( $net =~ /^&(.+)/ ) {
$net = record_runtime_address $1;
} else {
validate_net $net, 1;
}
$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
}
}
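Review bot: `record_runtime_address` returns the address with a trailing space appended (see its definition earlier in this patch), and here that result is assigned to `$net` and then interpolated into `"... --ctorigdst ! $net "` and `"... --ctorigdst $net "`, each of which adds another space, so the generated rule contains a doubled space in the run-time-address case. Either strip the space after the assignment (`$net = record_runtime_address $1; $net =~ s/ $//;`) or, better, have the helper not append a space and let callers supply it, as `match_source_net` and `match_dest_net` already do for the literal branches. The `$net eq ALLIP` comparison at the end is also moot for the `&` case because of that trailing space.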
@ -3501,7 +3531,7 @@ sub expand_rule( $$$$$$$$$$;$ )
if ( $source =~ /^(.+?):(.+)$/ ) {
$iiface = $1;
$inets = $2;
} elsif ( $source =~ /\+|~|\..*\./ ) {
} elsif ( $source =~ /\+|&|~|\..*\./ ) {
$inets = $source;
} else {
$iiface = $source;
@ -3515,7 +3545,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} else {
$inets = $source;
}
} elsif ( $source =~ /\+|~|\..*\./ ) {
} elsif ( $source =~ /(?:\+|&|~|\..*\.)/ ) {
$inets = $source;
} else {
$iiface = $source;
@ -3592,7 +3622,7 @@ sub expand_rule( $$$$$$$$$$;$ )
if ( $dest =~ /^(.+?):(.+)$/ ) {
$diface = $1;
$dnets = $2;
} elsif ( $dest =~ /\+|~|\..*\./ ) {
} elsif ( $dest =~ /\+|&|~|\..*\./ ) {
$dnets = $dest;
} else {
$diface = $dest;
@ -3606,7 +3636,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} else {
$dnets = $dest;
}
} elsif ( $dest =~ /\+|~|\..*\./ ) {
} elsif ( $dest =~ /^(?:\+|&|\..*\.)/ ) {
$dnets = $dest;
} else {
$diface = $dest;
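Review bot: the new regex `/^(?:\+|&|\..*\.)/` differs from its source-side counterpart `/(?:\+|&|~|\..*\.)/` in two ways that look unintended: it drops the `~` (MAC address) alternative, and it adds a `^` anchor that applies to the whole group, so the `\..*\.` alternative now only matches a destination that begins with a dot, which means a plain dotted address such as one written as `a.b.c.d` no longer matches and falls through to the `$diface = $dest` branch. If dropping `~` is deliberate (MAC matching is source-only), say so in the commit message, but the anchor should go: `/\+|&|~|\..*\./` keeps the two branches symmetric with the earlier hunks in this patch.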

View File

@ -10,6 +10,8 @@ Changes in Shorewall 4.4.17 Beta 1
5) Add 'USE_LOCAL_MODULES' option.
6) Implement runtime address variables (&interface)
Changes in Shorewall 4.4.17 Beta 1
1) Improve readability of logging logic in expand_rule().
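Review bot: the hunk's `@@` context line shows the section being edited is headed "Changes in Shorewall 4.4.17 Beta 1", and the section immediately following the new item 6 is also headed "Changes in Shorewall 4.4.17 Beta 1"; the release notes in this same commit place USE_LOCAL_MODULES and the run-time address variables under Beta 2, so the first heading should read "Beta 2".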

View File

@ -54,6 +54,54 @@ Beta 1
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
Beta 2
1) Traditionally, the -lite products have used the modules (or
helpers) file on the firewall system unless there is a modules (or
helpers) file in the configuration directory. This release
introduces the USE_LOCAL_MODULES option in shorewall[6].conf.
When USE_LOCAL_MODULES=Yes, the modules (helpers) file on the
administrative system will be used to determine the set of modules
loaded.
2) Given that shell variables are expanded at compile time, there was
previously no way to cause such variables to be expended at run
time. This made it difficult (to impossible) to include dynamic IP
addresses in a Shorewall-lite configuration.
This release implements "Run-time address variables". In
configuration files, these variables are expressed as an apersand
('&') followed by the name of an interface defined in
/etc/shorewall/interfaces.
Example:
&eth0 would represent the primary IP address of eth0.
Run-time address variables may be used in the SOURCE and DEST
column of the following configuration files:
accounting
action files
blacklist
macro files
rules
tcrules
tos
They may also appear in the ORIGINAL DEST column of
action files
macro files
rules
For optional interfaces, if the interface is not usable at the time
that the firewall starts the all-zero address will be used (0.0.0.0
in IPv4 and :: in IPv6), resulting in no packets matching the rule.
Beta 1
1) The shell variables set in /etc/shorewall/params
(/etc/shorewall6/params) are now available in the compiled script
at run-time with EXPORTPARAMS=No. The EXPORTPARAMS option is now
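Review bot: typos in the new item 2 text: "apersand" should be "ampersand" and "expended at run time" should be "expanded at run time"; the last paragraph also needs a comma after "starts" ("if the interface is not usable at the time that the firewall starts, the all-zero address will be used"). The list of files accepting the variable in the ORIGINAL DEST column (action files, macro files, rules) should be kept in sync with the manpage hunk later in this patch, which lists shorewall-accounting instead of action files.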
@ -85,15 +133,6 @@ Beta 1
INCLUDE was performed on the firewall system rather than on the
administrative system.
3) Traditionally, the -lite products have used the modules (or
helpers) file on the firewall system unless there is a modules (or
helpers) file in the configuration directory. This release
introduces the USE_LOCAL_MODULES option in shorewall[6].conf.
When USE_LOCAL_MODULES=Yes, the modules (helpers) file on the
administrative system will be used to determine the set of modules
loaded.
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------

View File

@ -620,6 +620,12 @@ ACCEPT net:\
role="bold">loc</emphasis> zone — <emphasis
role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
</listitem>
<listitem>
<para>The primary IP address of eth0 in the $FW zone - <emphasis
role="bold">$FW:&amp;eth0</emphasis> (see <link
linkend="Rvariables">Run-time Address Variables</link> below)</para>
</listitem>
</orderedlist>
</section>
@ -713,7 +719,7 @@ ACCEPT net:\
<filename>params</filename> file from being copied into the compiled
script. With EXPORTPARAMS=No, it is perfectly okay to use INCLUDE in the
<filename>params</filename> file. Note that with Shorewall 4.4.17 and
later: </para>
later:</para>
<itemizedlist>
<listitem>
@ -954,14 +960,103 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
<para>The <command>shorewall-lite call</command> command allows you to
to call interactively any Shorewall function that you can call in an
extension script.</para>
<note>
<para>Within your configuration files, only the $VAR and ${VAR}
forms of variable expansion are supported. You may not use the more
exotic forms supported by the shell (${VAR:=val}, ${VAR:-val},
...)</para>
</note>
</listitem>
</orderedlist>
<note>
<para>Within your configuration files, only the $VAR and ${VAR} forms of
variable expansion are supported. You may not use the more exotic forms
supported by the shell (${VAR:=val}, ${VAR:-val}, ...)</para>
</note>
<para id="Rvariables">Given that shell variables are expanded at compile
time, there is no way to cause such variables to be expended at run time.
Prior to Shorewall 4.4.17, this made it difficult (to impossible) to
include dynamic IP addresses in a <ulink
url="CompiledPrograms.html">Shorewall-lite</ulink> configuration.</para>
<para>Version 4.4.17 implemented <firstterm>Run-time address
variables</firstterm>. In configuration files, these variables are
expressed as an apersand ('&amp;') followed by the logical name of an
interface defined in shorewall-interfaces (5). Wildcard interfaces (those
ending in '+') are not supported and will cause a compilation
error.</para>
<variablelist>
<varlistentry>
<term>Example:</term>
<listitem>
<para><emphasis role="bold">&amp;eth0</emphasis> would represent the
primary IP address of eth0.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Run-time address variables may be used in the SOURCE and DEST column
of the following configuration files:</para>
<itemizedlist>
<listitem>
<para><ulink
url="manapges/shorewall-accounting.html">shorewall-accounting</ulink>
(5)</para>
</listitem>
<listitem>
<para><ulink url="Actions.html">Action</ulink> files</para>
</listitem>
<listitem>
<para><ulink
url="manpages/shorewall-accounting.html">shorewall-blacklist</ulink>
(5)</para>
</listitem>
<listitem>
<para><ulink url="Macros.html">Macro</ulink> files</para>
</listitem>
<listitem>
<para><ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
</listitem>
<listitem>
<para><ulink
url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
(5)</para>
</listitem>
<listitem>
<para><ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
(5)</para>
</listitem>
</itemizedlist>
<para>They may also appear in the ORIGINAL DEST column of:</para>
<itemizedlist>
<listitem>
<para><ulink
url="manapges/shorewall-accounting.html">shorewall-accounting</ulink>
(5)</para>
</listitem>
<listitem>
<para><ulink url="Macros.html">Macro</ulink> files</para>
</listitem>
<listitem>
<para><ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
</listitem>
</itemizedlist>
<para>For optional interfaces, if the interface is not usable at the time
that the firewall starts the all-zero address will be used (0.0.0.0 in
IPv4 and :: in IPv6), resulting in no packets matching the rule. </para>
</section>
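Review bot: several defects in the new Rvariables text: "apersand" should be "ampersand" and "expended" should be "expanded"; the `url="manapges/shorewall-accounting.html"` attribute is misspelled in both places where it appears and will produce a dead link; the shorewall-blacklist entry points at `manpages/shorewall-accounting.html` instead of `manpages/shorewall-blacklist.html`; and the ORIGINAL DEST list names shorewall-accounting where the release notes in this commit name Action files, so one of the two is wrong. The moved `<note>` about $VAR/${VAR} expansion is identical to the removed one, so that part is fine.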
<section id="Embedded">

View File

@ -481,10 +481,10 @@
</ulink></para>
<para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
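Review bot: this is a pure re-wrap of the SEE ALSO list, but it carries the pre-existing `shorewall_interfaces(5)` (underscore) across unchanged; since the lines are being touched anyway, correct it to `shorewall-interfaces(5)` to match the other entries and the page name linked elsewhere in this patch.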

View File

@ -553,7 +553,7 @@
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
<emphasis role="bold">any</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
removed in Shorewall-4.4.13. </para>
removed in Shorewall-4.4.13.</para>
<para><emphasis role="bold">any</emphasis> is equivalent to
<emphasis role="bold">all</emphasis> when there are no nested zones.
@ -572,6 +572,13 @@
square brackets ([]) to indicate the number of levels of source
bindings to be matched.</para>
<para>Beginning with Shorewall 4.4.17, the primary IP address of a
firewall interface can be specified by an apersand ('&amp;')
followed by the logican name of the interface as found in the
INTERFACE column of <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
@ -638,6 +645,15 @@
155.186.235.16/28</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$FW:&amp;eth0</term>
<listitem>
<para>The primary IP address of eth0 in the firewall zone
(Shorewall 4.4.17 and later).</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
@ -743,6 +759,13 @@
role="bold">DEST</emphasis> columns may specify an ipset
name.</para>
<para>Beginning with Shorewall 4.4.17, the primary IP address of a
firewall interface can be specified by an apersand ('&amp;')
followed by the logical name of the interface as found in the
INTERFACE column of <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para>
<para>The <replaceable>port</replaceable> that the server is
listening on may be included and separated from the server's IP
address by ":". If omitted, the firewall will not modifiy the
@ -900,6 +923,13 @@
if the original destination address in the connection request does
not match any of the addresses listed.</para>
<para>Beginning with Shorewall 4.4.17, the primary IP address of a
firewall interface can be specified by an apersand ('&amp;')
followed by the logical name of the interface as found in the
INTERFACE column of <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para>
<para>For other actions, this column may be included and may contain
one or more addresses (host or network) separated by commas. Address
ranges are not allowed. When this column is supplied, rules are
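Review bot: "apersand" should be "ampersand" in the added paragraph. This paragraph is identical to the one added to the DEST description above; if the wording is going to be repeated for SOURCE, DEST and ORIGINAL DEST, a single "Run-time address variables" subsection referenced from each column would be easier to keep consistent.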
@ -1370,12 +1400,13 @@
url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1>
</refentry>
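Review bot: as in the shorewall6 SEE ALSO hunk, this re-wrap preserves the pre-existing `shorewall_interfaces(5)` with an underscore; fix it to `shorewall-interfaces(5)` while the lines are being rewritten.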

View File

@ -425,6 +425,13 @@
square brackets ([]) to indicate the number of levels of source
bindings to be matched.</para>
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a
firewall interface can be specified by an apersand ('&amp;')
followed by the logican name of the interface as found in the
INTERFACE column of <ulink
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>
(5).</para>
<para>When an <replaceable>interface</replaceable> is not specified,
you may omit the angled brackets ('&lt;' and '&gt;') around the
address(es) or you may supply them to improve readability.</para>
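Review bot: the link text says shorewall6-interfaces but the `url` attribute is `shorewall-interfaces.html`, which will send the reader to the IPv4 manpage; it should be `shorewall6-interfaces.html`. Also "apersand" should be "ampersand" and "logican" should be "logical".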
@ -478,17 +485,24 @@
2001:4d48:ad51:24:6:/80.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$FW:&amp;eth0</term>
<listitem>
<para>The primary IP address of eth0 in the firewall zone
(Shorewall6 4.4.17 and later).</para>
</listitem>
</varlistentry>
</variablelist>
<blockquote>
<para>Alternatively, clients may be specified by interface by
appending ":" to the zone name followed by the interface name. For
example, <emphasis role="bold">loc:eth1</emphasis> specifies a
client that communicates with the firewall system through eth1.
This may be optionally followed by another colon (":") and an
IP/MAC/subnet address as described above (e.g., <emphasis
role="bold">loc:eth1:&lt;2002:ce7c::92b4:1::2&gt;</emphasis>).</para>
</blockquote>
<para>Alternatively, clients may be specified by interface by
appending ":" to the zone name followed by the interface name. For
example, <emphasis role="bold">loc:eth1</emphasis> specifies a
client that communicates with the firewall system through eth1. This
may be optionally followed by another colon (":") and an
IP/MAC/subnet address as described above (e.g., <emphasis
role="bold">loc:eth1:&lt;2002:ce7c::92b4:1::2&gt;</emphasis>).</para>
<para>Examples:</para>
@ -533,6 +547,13 @@
exclusion is supported -- see see <ulink
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a
firewall interface can be specified by an apersand ('&amp;')
followed by the logican name of the interface as found in the
INTERFACE column of <ulink
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>
(5).</para>
<para>When <emphasis role="bold">none</emphasis> is used either in
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
role="bold">DEST</emphasis> column, the rule is ignored.</para>