NFQUEUE enhancements
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
acd921cd08
commit
267637f139
@ -468,6 +468,52 @@ sub process_default_action( $$$$ ) {
|
|||||||
$default;
|
$default;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Verify an NFQUEUE specification and return the appropriate ip[6]tables target
|
||||||
|
#
|
||||||
|
sub handle_nfqueue( $$ ) {
|
||||||
|
my ($params, $allow_bypass ) = @_;
|
||||||
|
my $action;
|
||||||
|
|
||||||
|
require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' );
|
||||||
|
|
||||||
|
my ( $queue, $bypass ) = split ',', $params;
|
||||||
|
|
||||||
|
if ( $queue eq 'bypass' ) {
|
||||||
|
fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
|
||||||
|
fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
|
||||||
|
return 'NFQUEUE --queue-bypass';
|
||||||
|
}
|
||||||
|
|
||||||
|
my ( $queue1, $queue2 ) = split ':', $queue;
|
||||||
|
|
||||||
|
my $queuenum1 = numeric_value( $queue1 );
|
||||||
|
my $queuenum2;
|
||||||
|
|
||||||
|
fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
|
||||||
|
|
||||||
|
if ( supplied $queue2 ) {
|
||||||
|
$queuenum2 = numeric_value( $queue2 );
|
||||||
|
|
||||||
|
fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( supplied $bypass ) {
|
||||||
|
fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
|
||||||
|
fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
|
||||||
|
|
||||||
|
$bypass =' --queue-bypass';
|
||||||
|
} else {
|
||||||
|
$bypass = '';
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( supplied $queue2 ) {
|
||||||
|
return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}";
|
||||||
|
} else {
|
||||||
|
return "NFQUEUE --queue-num ${queuenum1}${bypass}";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Process an entry in the policy file.
|
# Process an entry in the policy file.
|
||||||
#
|
#
|
||||||
@ -518,11 +564,9 @@ sub process_a_policy() {
|
|||||||
$default = process_default_action( $originalpolicy, $policy, $default, $level );
|
$default = process_default_action( $originalpolicy, $policy, $default, $level );
|
||||||
|
|
||||||
if ( defined $queue ) {
|
if ( defined $queue ) {
|
||||||
fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
|
$policy = handle_nfqueue( $queue,
|
||||||
require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
|
0 # Don't allow 'bypass'
|
||||||
my $queuenum = numeric_value( $queue );
|
);
|
||||||
fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
|
|
||||||
$policy = "NFQUEUE --queue-num $queuenum";
|
|
||||||
} elsif ( $policy eq 'NONE' ) {
|
} elsif ( $policy eq 'NONE' ) {
|
||||||
fatal_error "NONE policy not allowed with \"all\""
|
fatal_error "NONE policy not allowed with \"all\""
|
||||||
if $clientwild || $serverwild;
|
if $clientwild || $serverwild;
|
||||||
@ -2276,10 +2320,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
return $generated;
|
return $generated;
|
||||||
|
|
||||||
} elsif ( $actiontype & NFQ ) {
|
} elsif ( $actiontype & NFQ ) {
|
||||||
require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
|
$action = handle_nfqueue( $param,
|
||||||
my $paramval = $param eq '' ? 0 : numeric_value( $param );
|
1 # Allow 'bypass'
|
||||||
fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535;
|
);
|
||||||
$action = "NFQUEUE --queue-num $paramval";
|
|
||||||
} elsif ( $actiontype & SET ) {
|
} elsif ( $actiontype & SET ) {
|
||||||
require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
|
require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
|
||||||
fatal_error "$action rules require a set name parameter" unless $param;
|
fatal_error "$action rules require a set name parameter" unless $param;
|
||||||
|
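Review bot: handle_nfqueue drops the explicit empty-parameter case that the replaced line in process_rule covered (`my $paramval = $param eq '' ? 0 : numeric_value( $param );`): for a bare `NFQUEUE` rule `split ',', ''` yields no fields, so `$queue` is undef, `$queue eq 'bypass'` warns under `use warnings`, and `numeric_value( undef )` presumably fails the `defined( $queuenum1 )` check, turning the documented "queue zero is assumed" default into a fatal error. Adding `$queue = '0' unless supplied $queue;` directly after the first split restores the default without touching the callers. The two-element list assignments also silently discard any third field, so `NFQUEUE(1,bypass,junk)` and `NFQUEUE(1:2:3)` are accepted; capturing a third field and rejecting it with `fatal_error "Invalid NFQUEUE options ($params)"` would surface the typo. Note too that the second queue number is split on `:` here while the policy manpage hunks in this commit document `NFQUEUE(queuenumber1[,queuenumber2])` — with this parser a comma-separated second number lands in `$bypass` and is rejected by the `$bypass ne 'bypass'` check, so either the manpage or the separator should change.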
@ -105,7 +105,7 @@
|
|||||||
role="bold">REJECT</emphasis>|<emphasis
|
role="bold">REJECT</emphasis>|<emphasis
|
||||||
role="bold">CONTINUE</emphasis>|<emphasis
|
role="bold">CONTINUE</emphasis>|<emphasis
|
||||||
role="bold">QUEUE</emphasis>|<emphasis
|
role="bold">QUEUE</emphasis>|<emphasis
|
||||||
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber</emphasis>)]|<emphasis
|
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[,<replaceable>queuenumber2</replaceable>])]|<emphasis
|
||||||
role="bold">NONE</emphasis>}[<emphasis
|
role="bold">NONE</emphasis>}[<emphasis
|
||||||
role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
|
role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
|
||||||
role="bold">None</emphasis>}]</term>
|
role="bold">None</emphasis>}]</term>
|
||||||
@ -180,8 +180,14 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Queue the request for a user-space application using the
|
<para>Queue the request for a user-space application using the
|
||||||
nfnetlink_queue mechanism. If a
|
nfnetlink_queue mechanism. If a
|
||||||
<replaceable>queuenumber</replaceable> is not given, queue
|
<replaceable>queuenumber1</replaceable> is not given, queue
|
||||||
zero (0) is assumed.</para>
|
zero (0) is assumed. Beginning with Shorewall 4.6.10, a second
|
||||||
|
queue number (queuenumber2) may be given. This specifies a
|
||||||
|
range of queues to use. Packets are then balanced across the
|
||||||
|
given queues. This is useful for multicore systems: start
|
||||||
|
multiple instances of the userspace program on queues x, x+1,
|
||||||
|
.. x+n and use "x:x+n". Packets belonging to the same
|
||||||
|
connection are put into the same nfqueue.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -559,24 +559,36 @@
|
|||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>
|
role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Queues the packet to a user-space application using the
|
<para>Queues the packet to a user-space application using the
|
||||||
nfnetlink_queue mechanism. If a
|
nfnetlink_queue mechanism. If a
|
||||||
<replaceable>queuenumber</replaceable> is not specified, queue
|
<replaceable>queuenumber</replaceable>1 is not specified,
|
||||||
zero (0) is assumed.</para>
|
queue zero (0) is assumed. Beginning with Shorewall 4.6.10,
|
||||||
|
the keyword <emphasis role="bold">bypass</emphasis> can be
|
||||||
|
given. By default, if no userspace program is listening on an
|
||||||
|
NFQUEUE, then all packets that are to be queued are dropped.
|
||||||
|
When this option is used, the NFQUEUE rule is silently
|
||||||
|
bypassed instead. The packet will move on to the next rule.
|
||||||
|
Also beginning in Shorewall 4.6.10, a second queue number
|
||||||
|
(<replaceable>queuenumber2</replaceable>) may be specified.
|
||||||
|
This specifies a range of queues to use. Packets are then
|
||||||
|
balanced across the given queues. This is useful for multicore
|
||||||
|
systems: start multiple instances of the userspace program on
|
||||||
|
queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
|
||||||
|
the same connection are put into the same nfqueue.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis role="bold"><emphasis
|
||||||
role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>
|
role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>like NFQUEUE but exempts the rule from being suppressed
|
<para>like NFQUEUE but exempts the rule from being suppressed
|
||||||
by OPTIMIZE=1 in <ulink
|
by OPTIMIZE=1 in <ulink
|
||||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -105,9 +105,9 @@
|
|||||||
role="bold">REJECT</emphasis>|<emphasis
|
role="bold">REJECT</emphasis>|<emphasis
|
||||||
role="bold">CONTINUE</emphasis>|<emphasis
|
role="bold">CONTINUE</emphasis>|<emphasis
|
||||||
role="bold">QUEUE</emphasis>|<emphasis
|
role="bold">QUEUE</emphasis>|<emphasis
|
||||||
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber</emphasis>)]|<emphasis
|
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[,<replaceable>queuenumber2</replaceable>])]|<emphasis
|
||||||
role="bold">NONE</emphasis>}[<emphasis
|
role="bold">NONE</emphasis>}[<emphasis
|
||||||
role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>|<emphasis
|
role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
|
||||||
role="bold">None</emphasis>}]</term>
|
role="bold">None</emphasis>}]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -180,8 +180,14 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Queue the request for a user-space application using the
|
<para>Queue the request for a user-space application using the
|
||||||
nfnetlink_queue mechanism. If a
|
nfnetlink_queue mechanism. If a
|
||||||
<replaceable>queuenumber</replaceable> is not given, queue
|
<replaceable>queuenumber1</replaceable> is not given, queue
|
||||||
zero (0) is assumed.</para>
|
zero (0) is assumed. Beginning with Shorewall 4.6.10, a second
|
||||||
|
queue number (queuenumber2) may be given. This specifies a
|
||||||
|
range of queues to use. Packets are then balanced across the
|
||||||
|
given queues. This is useful for multicore systems: start
|
||||||
|
multiple instances of the userspace program on queues x, x+1,
|
||||||
|
.. x+n and use "x:x+n". Packets belonging to the same
|
||||||
|
connection are put into the same nfqueue.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -534,19 +534,31 @@
|
|||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>
|
role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Queues the packet to a user-space application using the
|
<para>Queues the packet to a user-space application using the
|
||||||
nfnetlink_queue mechanism. If a
|
nfnetlink_queue mechanism. If a
|
||||||
<replaceable>queuenumber</replaceable> is not specified, queue
|
<replaceable>queuenumber</replaceable>1 is not specified,
|
||||||
zero (0) is assumed.</para>
|
queue zero (0) is assumed. Beginning with Shorewall 4.6.10,
|
||||||
|
the keyword <emphasis role="bold">bypass</emphasis> can be
|
||||||
|
given. By default, if no userspace program is listening on an
|
||||||
|
NFQUEUE, then all packets that are to be queued are dropped.
|
||||||
|
When this option is used, the NFQUEUE rule is silently
|
||||||
|
bypassed instead. The packet will move on to the next rule.
|
||||||
|
Also beginning in Shorewall 4.6.10, a second queue number
|
||||||
|
(<replaceable>queuenumber2</replaceable>) may be specified.
|
||||||
|
This specifies a range of queues to use. Packets are then
|
||||||
|
balanced across the given queues. This is useful for multicore
|
||||||
|
systems: start multiple instances of the userspace program on
|
||||||
|
queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
|
||||||
|
the same connection are put into the same nfqueue.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis role="bold"><emphasis
|
||||||
role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>
|
role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>like NFQUEUE but exempts the rule from being suppressed
|
<para>like NFQUEUE but exempts the rule from being suppressed
|
||||||
|