diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 9a1a767e7..1a086e3ed 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -555,6 +555,7 @@ sub initialize( $;$ ) {
LOG_VERBOSITY => undef,
STARTUP_LOG => undef,
SFILTER_LOG_LEVEL => undef,
+ RPFILTER_LOG_LEVEL => undef,
#
# Location of Files
#
@@ -655,6 +656,7 @@ sub initialize( $;$ ) {
BLACKLIST_DISPOSITION => undef,
SMURF_DISPOSITION => undef,
SFILTER_DISPOSITION => undef,
+ RPFILTER_DISPOSITION => undef,
RELATED_DISPOSITION => undef,
#
# Mark Geometry
@@ -4312,6 +4314,15 @@ sub get_configuration( $$$ ) {
$config{SFILTER_DISPOSITION} = 'DROP';
}
+ default_log_level 'RPFILTER_LOG_LEVEL', 'info';
+
+ if ( $val = $config{RPFILTER_DISPOSITION} ) {
+ fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
+ require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
+ } else {
+ $config{RPFILTER_DISPOSITION} = 'DROP';
+ }
+
if ( $val = $config{MACLIST_DISPOSITION} ) {
if ( $val =~ /^(?:A_)?DROP$/ ) {
$globals{MACLIST_TARGET} = $val;
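Review bot: The validation regex for RPFILTER_DISPOSITION uses `^`/`$` anchors, so a value with a trailing newline would still pass; the stricter form `fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /\A(A_)?(DROP|REJECT)\z/;` pins the whole string. The `$1` test on the following line is safe only because fatal_error dies on a failed match; a brief comment such as `# $1 is the optional A_ prefix from the match above` would make that dependency visible. get_configuration starts and ends outside the hunk.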
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index ddca5494a..9b5069ae8 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -749,7 +749,7 @@ sub add_common_rules ( $ ) {
my $interfaceref = find_interface $interface;
- unless ( $interfaceref->{options}{ignore} & NO_SFILTER ) {
+ unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {
my @filters = @{$interfaceref->{filter}};
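Review bot: The new condition depends on `&` binding tighter than `||`, which is correct here but easy to misread as `ignore & (NO_SFILTER || rpfilter)`; parenthesising the bitwise term, `unless ( ( $interfaceref->{options}{ignore} & NO_SFILTER ) || $interfaceref->{options}{rpfilter} )`, removes the ambiguity. The body that is now skipped for rpfilter interfaces appears to be the sfilter/hairpin handling (it reads `$interfaceref->{filter}`), which is worth stating in a comment on the `unless` line, e.g. `# rpfilter replaces sfilter/hairpin filtering on this interface`. add_common_rules starts and ends outside the hunk.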
@@ -787,6 +787,39 @@ sub add_common_rules ( $ ) {
}
}
+ $list = find_interfaces_by_option('rpfilter');
+
+ if ( @$list ) {
+ $policy = $config{RPFILTER_DISPOSITION};
+ $level = $config{RPFILTER_LOG_LEVEL};
+ $audit = $policy =~ s/^A_//;
+
+ if ( $level || $audit ) {
+ #
+ # Create a chain to log and/or audit and apply the policy
+ #
+ $chainref = ensure_mangle_chain 'rplog';
+
+ log_rule $level , $chainref , $policy , '' if $level ne '';
+
+ add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
+
+ add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
+
+ $target = 'rplog';
+ } else {
+ $target = $policy eq 'REJECT' ? 'reject' : $policy;
+ }
+
+ $chainref = ensure_mangle_chain( 'rpfilter' );
+ add_ijump( $chainref,
+ j => $target,
+ rpfilter => '--validmark --invert',
+ state_imatch 'NEW,RELATED,INVALID',
+ @ipsec
+ );
+ }
+
run_user_exit1 'initdone';
if ( $upgrade ) {
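Review bot: A REJECT disposition is turned into a goto of the `reject` chain from chains created with `ensure_mangle_chain` (`add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;` and the `$target` assignment in the else branch), but as far as I can tell the iptables REJECT target is only valid in the filter table, so if Shorewall's `reject` chain lives in the filter table a configuration with RPFILTER_DISPOSITION=REJECT or A_REJECT would produce a mangle rule that fails at load time; either the rpfilter rules need to be generated in a table where REJECT is legal, or get_configuration should refuse REJECT for this setting. The `$policy eq 'REJECT' ? 'reject' : $policy` expression is duplicated in both branches and can be computed once before `if ( $level || $audit )`. `$level ne ''` presumes default_log_level normalises an unset level to the empty string rather than undef, and `@ipsec` comes from earlier in the function; a one-line comment on each would help, since add_common_rules starts and ends outside the hunk.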
@@ -1379,6 +1412,7 @@ sub add_interface_jumps {
our %forward_jump_added;
my $lo_jump_added = 0;
my @interfaces = grep $_ ne '%vserver%', @_;
+ my $dummy;
#
# Add Nat jumps
#
@@ -1400,6 +1434,8 @@ sub add_interface_jumps {
insert_ijump ( $raw_table->{PREROUTING}, j => prerouting_chain( $interface ), 0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
insert_ijump ( $raw_table->{OUTPUT}, j => output_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $raw_table->{output_chain $interface};
}
+
+ add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
}
#
# Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
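Review bot: The jump into `rpfilter` is appended to mangle PREROUTING with add_ijump, whereas the raw-table jumps just above are inserted at position 0; because the match uses `--validmark`, the reverse-path lookup takes the packet's fwmark into account, so the check only behaves as documented on Multi-ISP setups if this jump comes after whatever sets the routing mark in mangle PREROUTING. Whether that ordering holds depends on when add_interface_jumps runs relative to the mark-setting rules, which is not visible here, so a comment stating the assumption is warranted, e.g. `# Must follow the mark-setting rules in mangle PREROUTING: --validmark uses the fwmark for the reverse-path lookup`. `$dummy` is a write-only out-parameter of interface_has_option and deserves a short comment saying so at its declaration. add_interface_jumps starts and ends outside the hunk.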
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index abaa8cadb..fa6e6974c 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -299,6 +299,7 @@ sub initialize( $$ ) {
required => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
routefilter => NUMERIC_IF_OPTION ,
+ rpfilter => SIMPLE_IF_OPTION,
sfilter => IPLIST_IF_OPTION,
sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -332,6 +333,7 @@ sub initialize( $$ ) {
proxyndp => BINARY_IF_OPTION,
required => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+ rpfilter => SIMPLE_IF_OPTION,
sfilter => IPLIST_IF_OPTION,
sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -1160,11 +1162,16 @@ sub process_interface( $$ ) {
}
}
- fatal_error "Invalid combination of interface options"
+ fatal_error q(The 'required', 'optional' and 'ignore' options are mutually exclusive)
if ( ( $options{required} && $options{optional} ) ||
( $options{required} && $options{ignore} ) ||
( $options{optional} && $options{ignore} ) );
+ if ( $options{rpfilter} ) {
+ require_capability( 'RPFILTER_MATCH', q(The 'rpfilter' option), 's' ) ;
+ fatal_error q(The 'routefilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter};
+ }
+
if ( supplied( my $ignore = $options{ignore} ) ) {
fatal_error "Invalid value ignore=0" if ! $ignore;
} else {
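Review bot: The new mutual-exclusion check only covers `routefilter`, but the Misc.pm change in this commit skips the sfilter/hairpin block for any interface with `rpfilter` set, so an interface that specifies both `rpfilter` and `sfilter=...` has its sfilter networks silently ignored. Since the manpage text added in this commit presents rpfilter as an alternative to sfilter, the combination should be diagnosed here as well: `fatal_error q(The 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{sfilter};` (or a warning, if silent precedence of rpfilter is intended). process_interface starts and ends outside the hunk.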
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index 230ab5734..14fdba7ca 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -41,6 +41,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
+RPFILTER_LOG_LEVEL=info
+
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@@ -208,6 +210,8 @@ MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
+RPFILTER_DISPOSITION=DROP
+
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index 4293c88d6..4f683a8c5 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -52,6 +52,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
+RPFILTER_LOG_LEVEL=info
+
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@@ -219,6 +221,8 @@ MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
+RPFILTER_DISPOSITION=DROP
+
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index 14dc55d6a..712373b60 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -50,6 +50,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
+RPFILTER_LOG_LEVEL=info
+
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@@ -217,6 +219,8 @@ MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
+RPFILTER_DISPOSITION=DROP
+
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index 8a8c2c7f3..8c01b801b 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -53,6 +53,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
+RPFILTER_LOG_LEVEL=info
+
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@@ -220,6 +222,8 @@ MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
+RPFILTER_DISPOSITION=DROP
+
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index d2781a307..7c5201f18 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -41,6 +41,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
+RPFILTER_LOG_LEVEL=info
+
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@@ -208,6 +210,8 @@ MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
+RPFILTER_DISPOSITION=DROP
+
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml
index a065f26f4..84efe0769 100644
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -202,7 +202,7 @@ loc eth2 -
changed; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.
-
+ This option does not work with a wild-card
@@ -236,7 +236,7 @@ loc eth2 -
8 - do not reply for all local addresses
-
+ This option does not work with a wild-card
@@ -244,7 +244,7 @@ loc eth2 -
the INTERFACE column.
-
+ Do not specify
1
teastep@lists:~$
-
+ This option does not work with a wild-card
@@ -636,6 +636,20 @@ loc eth2 -
+
+ rpfilter
+
+
+ Added in Shorewall 4.5.7. This is an anti-spoofing
+ measure that requires the 'RPFilter Match' capability in your
+ iptables and kernel. It provides a more efficient alternative
+ to the option below. It performs a
+ function similar to (see above)
+ but works with Multi-ISP configurations that do now use
+ balanced routes.
+
+
+
sfilter=(net[,...])
@@ -668,7 +682,7 @@ loc eth2 -
changed; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.
-
+ This option does not work with a wild-card
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index b7aa1f963..c489c7038 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -96,7 +96,7 @@
role="bold">none}
-
+
@@ -106,7 +106,7 @@
role="bold">none}
-
+
@@ -116,7 +116,7 @@
role="bold">none}
-
+
@@ -126,7 +126,7 @@
role="bold">none}
-
+
@@ -482,7 +482,7 @@
-
+ If CONFIG_PATH is not given or if it is set to the empty
value then the contents of /usr/share/shorewall/configpath are
@@ -829,7 +829,7 @@ net all DROP infothen the chain name is 'net2all'
-
+
If this variable is not set or is given an empty value
@@ -1039,7 +1039,7 @@ net all DROP infothen the chain name is 'net2all'
-
+
For example, using the default LOGFORMAT, the log prefix for
@@ -1056,7 +1056,7 @@ net all DROP infothen the chain name is 'net2all'
control your firewall after you enable this option.
-
+ Do not use this option if the resulting log messages will
@@ -1709,7 +1709,7 @@ net all DROP infothen the chain name is 'net2all'
role="bold">"
-
+
@@ -1879,6 +1879,33 @@ net all DROP infothen the chain name is 'net2all'
+
+ RPFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT]
+
+
+ Added in Shorewall 4.5.7. Determines the disposition of
+ packets entering from interfaces the
+ option (see shorewall-interfaces(5)).
+ Packets disposed of by this option are those whose response packets
+ would not be sent through the same interface receiving the
+ packet.
+
+
+
+
+ RPFILTER_LOG_LEVEL=log-level
+
+
+ Added in shorewall 4.5.7. Determines the logging of packets
+ disposed via the RPFILTER_DISPOSITION. The default value is
+ .
+
+
+
SAVE_IPSETS={Yes|No}
@@ -1900,7 +1927,7 @@ net all DROP infothen the chain name is 'net2all'
Added in Shorewall 4.4.20. Determines the disposition of
- packets matching the option (see sfilter option (see shorewall-interfaces(5)) and
of hairpin packets on interfaces without the
option.
@@ -1916,7 +1943,7 @@ net all DROP infothen the chain name is 'net2all'
Added on Shorewall 4.4.20. Determines the logging of packets
- matching the option (see sfilter option (see shorewall-interfaces(5)) and
of hairpin packets on interfaces without the
option.
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index cedb38478..24f0f57fe 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
+RPFILTER_LOG_LEVEL=info
+
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT
SFILTER_DISPOSITION=DROP
+RPFILTER_DISPOSITION=DROP
+
SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index 1b7e3488b..f320a0339 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
+RPFILTER_LOG_LEVEL=info
+
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT
SFILTER_DISPOSITION=DROP
+RPFILTER_DISPOSITION=DROP
+
SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index 366121eab..015154449 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
+RPFILTER_LOG_LEVEL=info
+
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT
SFILTER_DISPOSITION=DROP
+RPFILTER_DISPOSITION=DROP
+
SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index c4d439d6d..d9e59a14a 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
+RPFILTER_LOG_LEVEL=info
+
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT
SFILTER_DISPOSITION=DROP
+RPFILTER_DISPOSITION=DROP
+
SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index c5e2231d3..892346e7b 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
+RPFILTER_LOG_LEVEL=info
+
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT
SFILTER_DISPOSITION=DROP
+RPFILTER_DISPOSITION=DROP
+
SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
diff --git a/Shorewall6/manpages/shorewall6-interfaces.xml b/Shorewall6/manpages/shorewall6-interfaces.xml
index b83603d13..8299db0ba 100644
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -366,9 +366,21 @@ loc eth2 -
if you want to allow traffic between the interfaces that match
the wildcard.
- Beginning with Shorewall 4.4.20, if you specify this
- option, then you should also specify
- (see below).
+ If you specify this option, then you should also specify
+ (see below) if you are running
+ Shorewall 4.5.7 or later; otherwise, you should specify
+ (see below).
+
+
+
+
+ rpfilter
+
+
+ Added in Shorewall 4.5.7. This is an anti-spoofing
+ measure that requires the 'RPFilter Match' capability in your
+ iptables and kernel. It provides a more efficient alternative
+ to the option below.
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index d374f3dac..c7fd84e8c 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -82,7 +82,7 @@
role="bold">none}
-
+
@@ -92,7 +92,7 @@
role="bold">none}
-
+
@@ -102,7 +102,7 @@
role="bold">none}
-
+
@@ -112,7 +112,7 @@
role="bold">none}
-
+
@@ -902,7 +902,7 @@ net all DROP infothen the chain name is 'net2all'
-
+
For example, using the default LOGFORMAT, the log prefix for
@@ -919,7 +919,7 @@ net all DROP infothen the chain name is 'net2all'
control your firewall after you enable this option.
-
+ Do not use this option if the resulting log messages will
@@ -1507,7 +1507,7 @@ net all DROP infothen the chain name is 'net2all'
role="bold">"
-
+
@@ -1612,6 +1612,33 @@ net all DROP infothen the chain name is 'net2all'
+
+ RPFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT]
+
+
+ Added in Shorewall 4.5.7. Determines the disposition of
+ packets entering from interfaces with the
+ option (see shorewall-interfaces(5)).
+ Packets disposed of by this option are those whose response packets
+ would not be sent through the same interface receiving the
+ packet.
+
+
+
+
+ RPFILTER_LOG_LEVEL=log-level
+
+
+ Added in shorewall 4.5.7. Determines the logging of packets
+ disposed via the RPFILTER_DISPOSITION. The default value is
+ .
+
+
+
SHOREWALL_SHELL=[pathname]
@@ -1658,7 +1685,7 @@ net all DROP infothen the chain name is 'net2all'
Added in Shorewall 4.4.20. Determines the disposition of
- packets matching the option (see sfilter option (see shorewall6-interfaces(5))
and of hairpin packets on interfaces without
the option.
@@ -1674,7 +1701,7 @@ net all DROP infothen the chain name is 'net2all'
Added on Shorewall 4.4.20. Determines the logging of packets
- matching the option (see sfilter option (see shorewall6-interfaces(5))
and of hairpin packets on interfaces without
the option.