Add RFC1918_STRICT Option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1995 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-23 08:03:11 +01:00 · 2005-03-10 23:38:01 +00:00 · 2005-03-10 23:38:01 +00:00 · 25f6815c4f
commit 25f6815c4f
parent c085d04185
4 changed files with 105 additions and 10 deletions
--- a/Lrp2/etc/shorewall/shorewall.conf
+++ b/Lrp2/etc/shorewall/shorewall.conf
@ -732,6 +732,34 @@ PKTTYPE=Yes
 # DROPINVALID=Yes is assumed.

 DROPINVALID=No
+
+#
+# RFC 1918 BEHAVIOR
+#
+# Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918'
+# processing to cease for a packet if the packet's source IP address matches
+# the rule. Thus, if you have:
+#
+#	SUBNETS			TARGET
+#	192.168.1.0/24		RETURN
+#
+# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you 
+# also have:
+#
+#	SUBNETS			TARGET
+#	10.0.0.0/8		logdrop
+#
+# Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped
+# since while the packet's source matches the RETURN rule, the packet's
+# destination matches the 'logdrop' rule.
+#
+# If not specified or specified as empty (e.g., RFC1918_STRICT="") then
+# RFC1918_STRICT=No is assumed.
+#
+# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
+#          'conntrack state' match.
+
+RFC1918_STRICT=No
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################
--- a/Lrp2/usr/share/shorewall/firewall
+++ b/Lrp2/usr/share/shorewall/firewall
@ -5632,6 +5632,10 @@ initialize_netfilter () {
 	[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
    fi

+
+    [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
+	startup_error "RFC1918_STRICT=Yes requires conntrack state match"
+
    echo "Determining Zones..."

    determine_zones
@ -5922,7 +5926,15 @@ add_common_rules() {
 	
 	run_iptables -A rfc1918 -j DROP

-	if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
+	chain=norfc1918
+
+	if [ -n "$RFC1918_STRICT" ]; then
+	    #
+	    # We'll generate two chains - one for source and one for destination
+	    #
+	    chain=rfc1918d
+	    createchain $chain no	    
+	elif [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
 	    #
 	    # Mangling is enabled but conntrack match isn't available -- 
 	    # create a chain in the mangle table to filter RFC1918 destination
@ -5941,8 +5953,13 @@ add_common_rules() {
 	    case $target in
 		logdrop)
 		    target=rfc1918
+		    s_target=rfc1918
 		    ;;
-		DROP|RETURN)
+		DROP)
+		    s_target=DROP
+		    ;;
+		RETURN)
+		    [ -n "$RFC1918_STRICT" ] && s_target=rfc1918d || s_target=RETURN
 		    ;;
 		*)
 		    fatal_error "Invalid target ($target) for $networks"
@ -5950,13 +5967,13 @@ add_common_rules() {
 	    esac

 	    for network in $(separate_list $networks); do
-		run_iptables2 -A norfc1918 $(source_ip_range $network) -j $target
+		run_iptables2 -A norfc1918 $(source_ip_range $network) -j $s_target
 	
 		if [ -n "$CONNTRACK_MATCH" ]; then
 		    #
 		    # We have connection tracking match -- match on the original destination
 		    #
-		    run_iptables2 -A norfc1918 -m conntrack --ctorigdst $network -j $target
+		    run_iptables2 -A $chain -m conntrack --ctorigdst $network -j $target
 		elif [ -n "$MANGLE_ENABLED" ]; then
 		    #
 		    # No connection tracking match but we have mangling -- add a rule to
@ -5967,6 +5984,8 @@ add_common_rules() {
 	    done
 	done < $TMP_DIR/rfc1918

+	[ -n "$RFC1918_STRICT" ] && run_iptables -A norfc1918 -j rfc1918d
+ 
 	for host in $hosts; do
 	    ipsec=${host%^*}
 	    host=${host#*^}
@ -7207,6 +7226,7 @@ do_initialize() {
    LOGTAGONLY=
    LOGALLNEW=
    DROPINVALID=
+    RFC1918_STRICT=

    RESTOREBASE=
    TMP_DIR=
@ -7402,6 +7422,7 @@ do_initialize() {
    DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
    LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
    DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
+    RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
    #
    # Strip the files that we use often
    #
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>

-    <pubdate>2005-02-01</pubdate>
+    <pubdate>2005-03-10</pubdate>

    <copyright>
      <year>2001-2005</year>
@ -2651,6 +2651,41 @@ eth0                  eth1            206.124.146.176</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term>RFC1918_STRICT</term>
+
+        <listitem>
+          <para>(Added at version 2.2.2) — Traditionally, the RETURN target in
+          the 'rfc1918' file has caused <link
+          linkend="Interfaces">norfc1918</link> processing to cease for a
+          packet if the packet's source IP address matches the rule. Thus, if
+          you have this entry in <link
+          linkend="rfc1918">/etc/shorewall/rfc1918</link>:</para>
+
+          <programlisting>#SUBNETS                 TARGET
+192.168.1.0/24           RETURN</programlisting>
+
+          <para>then traffic from 192.168.1.4 to 10.0.3.9 will be accepted
+          even though you also have:</para>
+
+          <programlisting>#SUBNETS                 TARGET
+10.0.0.0/8               logdrop</programlisting>
+
+          <para>Setting RFC1918_STRICT=Yes in shorewall.conf will cause such
+          traffic to be logged and dropped since while the packet's source
+          matches the RETURN rule, the packet's destination matches the
+          'logdrop' rule.</para>
+
+          <para>If not specified or specified as empty (e.g.,
+          RFC1918_STRICT="") then RFC1918_STRICT=No is assumed.</para>
+
+          <warning>
+            <para>RFC1918_STRICT=Yes requires that your kernel and iptables
+            support 'conntrack state' match.</para>
+          </warning>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term>DROPINVALID</term>

@ -3674,8 +3709,9 @@ all      all     tcp         ftp-data          -               8</programlisting
              <term>RETURN</term>

              <listitem>
-                <para>Process the packet normally thru the rules and
-                policies.</para>
+                <para>Process the packet normally thru the rules and policies.
+                See also <link linkend="Conf">RFC1918_STRICT</link>
+                above.</para>
              </listitem>
            </varlistentry>

@ -3984,6 +4020,16 @@ eth1                -</programlisting>
    <title>Revision History</title>

    <para><revhistory>
+        <revision>
+          <revnumber>1.23</revnumber>
+
+          <date>2005-03-10</date>
+
+          <authorinitials>TE</authorinitials>
+
+          <revremark>Changes for Shorewall 2.2.2.</revremark>
+        </revision>
+
        <revision>
          <revnumber>1.20</revnumber>

--- a/Shorewall-docs2/support.xml
+++ b/Shorewall-docs2/support.xml
@ -76,8 +76,8 @@

      <listitem>
        <para>The <ulink url="http://shorewall.net/search.html">Search
-        facility</ulink> linked from the Shorewall Home Page can locate
-        documents and posts about similar problems:</para>
+        facility</ulink> can locate documents and posts about similar
+        problems:</para>
      </listitem>
    </itemizedlist>
  </section>
@ -86,7 +86,7 @@
    <title>Problem Reporting Guidelines</title>

    <note>
-      <para>Shorewall versions earlier that 1.4.0 are no longer
+      <para>Shorewall versions earlier than 1.4.0 are no longer
      supported.</para>
    </note>