From 1db79a91eba06e27327c39b1e1e464660e089e56 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 15 Jul 2012 10:05:32 -0700 Subject: [PATCH] 'rpfilter' option Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 11 +++++ Shorewall/Perl/Shorewall/Misc.pm | 38 +++++++++++++- Shorewall/Perl/Shorewall/Zones.pm | 9 +++- Shorewall/Samples/Universal/shorewall.conf | 4 ++ .../Samples/one-interface/shorewall.conf | 4 ++ .../Samples/three-interfaces/shorewall.conf | 4 ++ .../Samples/two-interfaces/shorewall.conf | 4 ++ Shorewall/configfiles/shorewall.conf | 4 ++ Shorewall/manpages/shorewall-interfaces.xml | 24 +++++++-- Shorewall/manpages/shorewall.conf.xml | 49 ++++++++++++++----- Shorewall6/Samples6/Universal/shorewall6.conf | 4 ++ .../Samples6/one-interface/shorewall6.conf | 4 ++ .../Samples6/three-interfaces/shorewall6.conf | 4 ++ .../Samples6/two-interfaces/shorewall6.conf | 4 ++ Shorewall6/configfiles/shorewall6.conf | 4 ++ Shorewall6/manpages/shorewall6-interfaces.xml | 18 +++++-- Shorewall6/manpages/shorewall6.conf.xml | 45 +++++++++++++---- 17 files changed, 204 insertions(+), 30 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 9a1a767e7..1a086e3ed 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -555,6 +555,7 @@ sub initialize( $;$ ) { LOG_VERBOSITY => undef, STARTUP_LOG => undef, SFILTER_LOG_LEVEL => undef, + RPFILTER_LOG_LEVEL => undef, # # Location of Files # @@ -655,6 +656,7 @@ sub initialize( $;$ ) { BLACKLIST_DISPOSITION => undef, SMURF_DISPOSITION => undef, SFILTER_DISPOSITION => undef, + RPFILTER_DISPOSITION => undef, RELATED_DISPOSITION => undef, # # Mark Geometry 
@@ -4312,6 +4314,15 @@ sub get_configuration( $$$ ) {
 $config{SFILTER_DISPOSITION} = 'DROP';
 }
+ default_log_level 'RPFILTER_LOG_LEVEL', 'info';
+
+ if ( $val = $config{RPFILTER_DISPOSITION} ) {
+ fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
+ require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
+ } else {
+ $config{RPFILTER_DISPOSITION} = 'DROP';
+ }
+
 if ( $val = $config{MACLIST_DISPOSITION} ) {
 if ( $val =~ /^(?:A_)?DROP$/ ) {
 $globals{MACLIST_TARGET} = $val;
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index ddca5494a..9b5069ae8 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -749,7 +749,7 @@ sub add_common_rules ( $ ) {
 my $interfaceref = find_interface $interface;
- unless ( $interfaceref->{options}{ignore} & NO_SFILTER ) {
+ unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {
 my @filters = @{$interfaceref->{filter}};
@@ -787,6 +787,39 @@ sub add_common_rules ( $ ) {
 }
 }
+ $list = find_interfaces_by_option('rpfilter');
+
+ if ( @$list ) {
+ $policy = $config{RPFILTER_DISPOSITION};
+ $level = $config{RPFILTER_LOG_LEVEL};
+ $audit = $policy =~ s/^A_//;
+
+ if ( $level || $audit ) {
+ #
+ # Create a chain to log and/or audit and apply the policy
+ #
+ $chainref = ensure_mangle_chain 'rplog';
+
+ log_rule $level , $chainref , $policy , '' if $level ne '';
+
+ add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
+
+ add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
+
+ $target = 'rplog';
+ } else {
+ $target = $policy eq 'REJECT' ? 'reject' : $policy;
+ }
+
+ $chainref = ensure_mangle_chain( 'rpfilter' );
+ add_ijump( $chainref,
+ j => $target,
+ rpfilter => '--validmark --invert',
+ state_imatch 'NEW,RELATED,INVALID',
+ @ipsec
+ );
+ }
+
 run_user_exit1 'initdone';
 if ( $upgrade ) {
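Review bot: The new RPFILTER_DISPOSITION block repeats, line for line, the validate / require_capability / default sequence whose tail for SFILTER_DISPOSITION is the context just above it, with only the setting name and the accepted targets differing; a small helper taking the setting name, the default and the accepted pattern would keep the two in step (the SFILTER block starts outside this hunk, so whether its accepted values match is not visible here). Independently, `require_capability ... if $1` relies on the capture left by the `unless` match on the previous line; `$val =~ /^A_/` as the condition would state the intent without tracing the capture. get_configuration continues outside the hunk.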
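Review bot: The widened `unless` skips the whole sfilter block for any interface carrying `rpfilter`, and that block appears (from the SFILTER_DISPOSITION man-page text elsewhere in this patch, which covers "hairpin packets on interfaces without the routeback option") to also host the hairpin handling; xt_rpfilter does not replace that part, since a packet whose source routes back out the very interface it arrived on passes the reverse-path test. If the hairpin rules live inside this block, consider keeping them and skipping only the sfilter list processing when `rpfilter` is set. As a readability point, `( $interfaceref->{options}{ignore} & NO_SFILTER ) || $interfaceref->{options}{rpfilter}` spares the reader the `&`-versus-`||` precedence check. add_common_rules starts and ends outside the hunk.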
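Review bot: The `rpfilter` and `rplog` chains are created in the mangle table, and for RPFILTER_DISPOSITION=REJECT (and A_REJECT) the `g => 'reject'` lines send traffic to a `reject` chain resolved from that table; iptables accepts the REJECT target only in INPUT, FORWARD and OUTPUT and in user chains reached from them, so unless a mangle-table `reject` chain with its own implementation exists elsewhere (not visible here), those two settings either fail at load time or, worse, end in an empty chain that returns and lets the spoofed packet through. Worth confirming with a generated ruleset; if it does not hold up, restricting the setting to DROP/A_DROP in get_configuration is the safer fix. The `state_imatch 'NEW,RELATED,INVALID'` line deserves a why-comment, e.g. `# ESTABLISHED is exempt: the flow was checked on its first packet`, and the `$policy eq 'REJECT' ? 'reject' : $policy` expression appears twice and could be computed once before the `if`. add_common_rules continues outside the hunk.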
@@ -1379,6 +1412,7 @@ sub add_interface_jumps {
 our %forward_jump_added;
 my $lo_jump_added = 0;
 my @interfaces = grep $_ ne '%vserver%', @_;
+ my $dummy;
 #
 # Add Nat jumps
 #
@@ -1400,6 +1434,8 @@ sub add_interface_jumps {
 insert_ijump ( $raw_table->{PREROUTING}, j => prerouting_chain( $interface ), 0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
 insert_ijump ( $raw_table->{OUTPUT}, j => output_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $raw_table->{output_chain $interface};
 }
+
+ add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
 }
 #
 # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index abaa8cadb..fa6e6974c 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -299,6 +299,7 @@ sub initialize( $$ ) {
 required => SIMPLE_IF_OPTION,
 routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 routefilter => NUMERIC_IF_OPTION ,
+ rpfilter => SIMPLE_IF_OPTION,
 sfilter => IPLIST_IF_OPTION,
 sourceroute => BINARY_IF_OPTION,
 tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -332,6 +333,7 @@ sub initialize( $$ ) {
 proxyndp => BINARY_IF_OPTION,
 required => SIMPLE_IF_OPTION,
 routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+ rpfilter => SIMPLE_IF_OPTION,
 sfilter => IPLIST_IF_OPTION,
 sourceroute => BINARY_IF_OPTION,
 tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
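Review bot: The added jump to `rpfilter` in mangle PREROUTING only delivers what the man-page text in this patch promises for Multi-ISP setups if it is evaluated after the rules that set the provider fwmark, because `--validmark` makes xt_rpfilter do its reverse-path lookup with that mark; `add_ijump` appends, so the position depends on whether add_interface_jumps runs before or after the mark-setting rules are generated, which is not visible here. Worth confirming on a generated ruleset and pinning with a comment on the new line, e.g. `# must follow the routemark rules: --validmark consults the fwmark`. The `$dummy` declared in the earlier hunk exists only to absorb interface_has_option's third argument and is never read; if that argument is optional, dropping it, otherwise naming it `$unused_value`, would say what it is for. add_interface_jumps continues outside the hunk.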
@@ -1160,11 +1162,16 @@ sub process_interface( $$ ) {
 }
 }
- fatal_error "Invalid combination of interface options"
+ fatal_error q(The 'required', 'optional' and 'ignore' options are mutually exclusive)
 if ( ( $options{required} && $options{optional} ) ||
 ( $options{required} && $options{ignore} ) ||
 ( $options{optional} && $options{ignore} ) );
+ if ( $options{rpfilter} ) {
+ require_capability( 'RPFILTER_MATCH', q(The 'rpfilter' option), 's' ) ;
+ fatal_error q(The 'routefilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter};
+ }
+
 if ( supplied( my $ignore = $options{ignore} ) ) {
 fatal_error "Invalid value ignore=0" if ! $ignore;
 } else {
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index 230ab5734..14fdba7ca 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -41,6 +41,8 @@ MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -208,6 +210,8 @@ MACLIST_DISPOSITION=REJECT
 RELATED_DISPOSITION=ACCEPT
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index 4293c88d6..4f683a8c5 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -52,6 +52,8 @@ MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -219,6 +221,8 @@ MACLIST_DISPOSITION=REJECT
 RELATED_DISPOSITION=ACCEPT
+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index 14dc55d6a..712373b60 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
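Review bot: The new `rpfilter` block rejects the combination with `routefilter` but says nothing about `sfilter`, even though this patch's Misc.pm change skips the entire sfilter processing for an interface whose options include `rpfilter`; an interfaces entry naming both therefore keeps its sfilter list silently unused, which is the kind of quiet weakening an anti-spoofing option should not allow. A third line in the same block, `fatal_error q(The 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{sfilter};` (or a warning_message if the overlap is intended), would surface it at compile time. Minor: the stray space in `'s' ) ;` is out of step with the surrounding lines. process_interface continues outside the hunk.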
@@ -50,6 +50,8 @@ MACLIST_LOG_LEVEL=info RELATED_LOG_LEVEL= +RPFILTER_LOG_LEVEL=info + SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info @@ -217,6 +219,8 @@ MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT +RPFILTER_DISPOSITION=DROP + SMURF_DISPOSITION=DROP SFILTER_DISPOSITION=DROP diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index 8a8c2c7f3..8c01b801b 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -53,6 +53,8 @@ MACLIST_LOG_LEVEL=info RELATED_LOG_LEVEL= +RPFILTER_LOG_LEVEL=info + SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info @@ -220,6 +222,8 @@ MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT +RPFILTER_DISPOSITION=DROP + SMURF_DISPOSITION=DROP SFILTER_DISPOSITION=DROP diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index d2781a307..7c5201f18 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -41,6 +41,8 @@ MACLIST_LOG_LEVEL=info RELATED_LOG_LEVEL= +RPFILTER_LOG_LEVEL=info + SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info @@ -208,6 +210,8 @@ MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT +RPFILTER_DISPOSITION=DROP + SMURF_DISPOSITION=DROP SFILTER_DISPOSITION=DROP diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml index a065f26f4..84efe0769 100644 --- a/Shorewall/manpages/shorewall-interfaces.xml +++ b/Shorewall/manpages/shorewall-interfaces.xml @@ -202,7 +202,7 @@ loc eth2 - changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given. - + This option does not work with a wild-card @@ -236,7 +236,7 @@ loc eth2 - 8 - do not reply for all local addresses - + This option does not work with a wild-card @@ -244,7 +244,7 @@ loc eth2 - the INTERFACE column. - + Do not specify 1 teastep@lists:~$ - + This option does not work with a wild-card 
@@ -636,6 +636,20 @@ loc eth2 - + + rpfilter + + + Added in Shorewall 4.5.7. This is an anti-spoofing + measure that requires the 'RPFilter Match' capability in your + iptables and kernel. It provides a more efficient alternative + to the option below. It performs a + function similar to (see above) + but works with Multi-ISP configurations that do now use + balanced routes. + + + sfilter=(net[,...]) @@ -668,7 +682,7 @@ loc eth2 - changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given. - + This option does not work with a wild-card diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index b7aa1f963..c489c7038 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -96,7 +96,7 @@ role="bold">none} - + @@ -106,7 +106,7 @@ role="bold">none} - + @@ -116,7 +116,7 @@ role="bold">none} - + @@ -126,7 +126,7 @@ role="bold">none} - + @@ -482,7 +482,7 @@
- + If CONFIG_PATH is not given or if it is set to the empty value then the contents of /usr/share/shorewall/configpath are @@ -829,7 +829,7 @@ net all DROP infothen the chain name is 'net2all' - +
If this variable is not set or is given an empty value @@ -1039,7 +1039,7 @@ net all DROP infothen the chain name is 'net2all' - +
For example, using the default LOGFORMAT, the log prefix for @@ -1056,7 +1056,7 @@ net all DROP infothen the chain name is 'net2all' control your firewall after you enable this option. - + Do not use this option if the resulting log messages will @@ -1709,7 +1709,7 @@ net all DROP infothen the chain name is 'net2all' role="bold">" - + @@ -1879,6 +1879,33 @@ net all DROP infothen the chain name is 'net2all' + + RPFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT] + + + Added in Shorewall 4.5.7. Determines the disposition of + packets entering from interfaces the + option (see shorewall-interfaces(5)). + Packets disposed of by this option are those whose response packets + would not be sent through the same interface receiving the + packet. + + + + + RPFILTER_LOG_LEVEL=log-level + + + Added in shorewall 4.5.7. Determines the logging of packets + disposed via the RPFILTER_DISPOSITION. The default value is + . + + + SAVE_IPSETS={Yes|No} @@ -1900,7 +1927,7 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.4.20. Determines the disposition of - packets matching the option (see sfilter option (see shorewall-interfaces(5)) and of hairpin packets on interfaces without the option. @@ -1916,7 +1943,7 @@ net all DROP infothen the chain name is 'net2all' Added on Shorewall 4.4.20. Determines the logging of packets - matching the option (see sfilter option (see shorewall-interfaces(5)) and of hairpin packets on interfaces without the option. diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index cedb38478..24f0f57fe 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf @@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info RELATED_LOG_LEVEL= +RPFILTER_LOG_LEVEL=info + SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info @@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT SFILTER_DISPOSITION=DROP +RPFILTER_DISPOSITION=DROP + SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP 
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index 1b7e3488b..f320a0339 100644 --- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info RELATED_LOG_LEVEL= +RPFILTER_LOG_LEVEL=info + SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info @@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT SFILTER_DISPOSITION=DROP +RPFILTER_DISPOSITION=DROP + SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index 366121eab..015154449 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf @@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info RELATED_LOG_LEVEL= +RPFILTER_LOG_LEVEL=info + SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info @@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT SFILTER_DISPOSITION=DROP +RPFILTER_DISPOSITION=DROP + SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index c4d439d6d..d9e59a14a 100644 --- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf @@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info RELATED_LOG_LEVEL= +RPFILTER_LOG_LEVEL=info + SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info @@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT SFILTER_DISPOSITION=DROP +RPFILTER_DISPOSITION=DROP + SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf index c5e2231d3..892346e7b 100644 --- a/Shorewall6/configfiles/shorewall6.conf +++ b/Shorewall6/configfiles/shorewall6.conf @@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info RELATED_LOG_LEVEL= +RPFILTER_LOG_LEVEL=info + SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info 
@@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT SFILTER_DISPOSITION=DROP +RPFILTER_DISPOSITION=DROP + SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP diff --git a/Shorewall6/manpages/shorewall6-interfaces.xml b/Shorewall6/manpages/shorewall6-interfaces.xml index b83603d13..8299db0ba 100644 --- a/Shorewall6/manpages/shorewall6-interfaces.xml +++ b/Shorewall6/manpages/shorewall6-interfaces.xml @@ -366,9 +366,21 @@ loc eth2 - if you want to allow traffic between the interfaces that match the wildcard. - Beginning with Shorewall 4.4.20, if you specify this - option, then you should also specify - (see below). + If you specify this option, then you should also specify + (see below) if you are running + Shorewall 4.5.7 or later; otherwise, you should specify + (see below). + + + + + rpfilter + + + Added in Shorewall 4.5.7. This is an anti-spoofing + measure that requires the 'RPFilter Match' capability in your + iptables and kernel. It provides a more efficient alternative + to the option below. diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index d374f3dac..c7fd84e8c 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -82,7 +82,7 @@ role="bold">none} - + @@ -92,7 +92,7 @@ role="bold">none} - + @@ -102,7 +102,7 @@ role="bold">none} - + @@ -112,7 +112,7 @@ role="bold">none} - + @@ -902,7 +902,7 @@ net all DROP infothen the chain name is 'net2all' - +
For example, using the default LOGFORMAT, the log prefix for @@ -919,7 +919,7 @@ net all DROP infothen the chain name is 'net2all' control your firewall after you enable this option. - + Do not use this option if the resulting log messages will @@ -1507,7 +1507,7 @@ net all DROP infothen the chain name is 'net2all' role="bold">" - + @@ -1612,6 +1612,33 @@ net all DROP infothen the chain name is 'net2all' + + RPFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT] + + + Added in Shorewall 4.5.7. Determines the disposition of + packets entering from interfaces with the + option (see shorewall-interfaces(5)). + Packets disposed of by this option are those whose response packets + would not be sent through the same interface receiving the + packet. + + + + + RPFILTER_LOG_LEVEL=log-level + + + Added in shorewall 4.5.7. Determines the logging of packets + disposed via the RPFILTER_DISPOSITION. The default value is + . + + + SHOREWALL_SHELL=[pathname] @@ -1658,7 +1685,7 @@ net all DROP infothen the chain name is 'net2all' Added in Shorewall 4.4.20. Determines the disposition of - packets matching the option (see sfilter option (see shorewall6-interfaces(5)) and of hairpin packets on interfaces without the option. @@ -1674,7 +1701,7 @@ net all DROP infothen the chain name is 'net2all' Added on Shorewall 4.4.20. Determines the logging of packets - matching the option (see sfilter option (see shorewall6-interfaces(5)) and of hairpin packets on interfaces without the option.