Implement format-3 conntrack files.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-11-22 20:56:56 -08:00
parent 3f7425b6a0
commit 30de211bda
4 changed files with 235 additions and 41 deletions


@ -204,7 +204,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
sub process_format( $ ) { sub process_format( $ ) {
my $format = shift; my $format = shift;
fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/; fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/;
$format; $format;
} }
@ -252,13 +252,23 @@ sub setup_conntrack() {
$empty = 0; $empty = 0;
if ( $source =~ /^all(-)?(:(.+))?$/ ) { if ( $format < 3 ) {
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-'; if ( $source =~ /^all(-)?(:(.+))?$/ ) {
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch ) unless $1; fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch ); process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch ) unless $1;
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch );
} else {
process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
} elsif ( $action =~ s/:0$// ) {
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} else { } else {
process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ); $action =~ s/:P//;
} process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
} }
clear_comment; clear_comment;
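Review bot: The OUTPUT-only designator in the new `elsif ( $action =~ s/:0$// )` branch is matched with a digit zero, while the man-page hunks in this same commit document the designator as the letter `O`, so an action such as `DROP:O` never matches, falls through to the final `else`, and is added to PREROUTING with the suffix still attached to `$action`. That branch is also the only one anchored to the end of the string; `s/:OP//`, `s/:PO//` and `s/:P//` are unanchored and would strip a matching substring from anywhere in the action. Suggest `} elsif ( $action =~ s/:O$// ) {`, `} elsif ( $action =~ s/:(?:OP|PO)$// ) {` and `$action =~ s/:P$//;`. Unlike the format-1/2 `all` branch, the format-3 PREROUTING branches do not reject a non-`-` USER/GROUP, which, if process_conntrack_rule does not check it itself, lets an owner match reach a chain where it cannot apply. setup_conntrack continues outside the hunk.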


@ -4,50 +4,50 @@
# For information about entries in this file, type "man shorewall-conntrack" # For information about entries in this file, type "man shorewall-conntrack"
# #
############################################################################################################## ##############################################################################################################
FORMAT 2 FORMAT 3
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
# PORT(S) PORT(S) GROUP # PORT(S) PORT(S) GROUP
?if $AUTOHELPERS && __CT_TARGET ?if $AUTOHELPERS && __CT_TARGET
?if __AMANDA_HELPER ?if __AMANDA_HELPER
CT:helper:amanda all - udp 10080 CT:helper:amanda:PO - - udp 10080
?endif ?endif
?if __FTP_HELPER ?if __FTP_HELPER
CT:helper:ftp all - tcp 21 CT:helper:ftp:PO - - tcp 21
?endif ?endif
?if __H323_HELPER ?if __H323_HELPER
CT:helper:RAS all - udp 1719 CT:helper:RAS;PO - - udp 1719
CT:helper:Q.931 all - tcp 1720 CT:helper:Q.931:PO - - tcp 1720
?endif ?endif
?if __IRC_HELPER ?if __IRC_HELPER
CT:helper:irc all - tcp 6667 CT:helper:irc:PO - - tcp 6667
?endif ?endif
?if __NETBIOS_NS_HELPER ?if __NETBIOS_NS_HELPER
CT:helper:netbios-ns all - udp 137 CT:helper:netbios-ns:PO - - udp 137
?endif ?endif
?if __PPTP_HELPER ?if __PPTP_HELPER
CT:helper:pptp all - tcp 1723 CT:helper:pptp:PO - - tcp 1723
?endif ?endif
?if __SANE_HELPER ?if __SANE_HELPER
CT:helper:sane all - tcp 6566 CT:helper:sane:PO - - tcp 6566
?endif ?endif
?if __SIP_HELPER ?if __SIP_HELPER
CT:helper:sip all - udp 5060 CT:helper:sip:PO - - udp 5060
?endif ?endif
?if __SNMP_HELPER ?if __SNMP_HELPER
CT:helper:snmp all - udp 161 CT:helper:snmp:PO - - udp 161
?endif ?endif
?if __TFTP_HELPER ?if __TFTP_HELPER
CT:helper:tftp all - udp 69 CT:helper:tftp:PO - - udp 69
?endif ?endif
?endif ?endif
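Review bot: The H.323 RAS entry `CT:helper:RAS;PO - - udp 1719` uses a semicolon before the chain designator where every other new entry in this file uses a colon. Under the `s/:OP//` and `s/:PO//` matching added in the Perl hunk of this commit, `;PO` is not recognised, so the action falls through to the PREROUTING-only default with `RAS;PO` still part of the helper name, which is presumably rejected or selects the wrong helper. Change it to `CT:helper:RAS:PO - - udp 1719`.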


@ -32,11 +32,26 @@
role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
<emphasis role="bold">conntrack</emphasis>.</para> <emphasis role="bold">conntrack</emphasis>.</para>
<para>The file supports two different column layouts: FORMAT 1 and FORMAT <para>The file supports two different column layouts: FORMAT 1, FORMAT 2,
2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an and FORMAT 3, FORMAT 1 being the default. The three differ as
additional leading ACTION column. When an entry in the file of this form follows:</para>
is encountered, the format of the following entries are assumed to be of
the specified <replaceable>format</replaceable>.</para> <itemizedlist>
<listitem>
<para>in FORMAT 2 and 3, there is an additional leading ACTION
column.</para>
</listitem>
<listitem>
<para>in FORMAT 3, the SOURCE column accepts no zone name; rather the
ACTION column allows a SUFFIX that determines the chain(s) that the
generated rule will be added to.</para>
</listitem>
</itemizedlist>
<para>When an entry in the following form is encountered, the format of
the following entries are assumed to be of the specified
<replaceable>format</replaceable>.</para>
<simplelist> <simplelist>
<member><emphasis role="bold">FORMAT</emphasis> <member><emphasis role="bold">FORMAT</emphasis>
@ -44,7 +59,10 @@
</simplelist> </simplelist>
<para>where <replaceable>format</replaceable> is either <emphasis <para>where <replaceable>format</replaceable> is either <emphasis
role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para> role="bold">1</emphasis>,<emphasis role="bold">2</emphasis> or <emphasis
role="bold">3</emphasis>.</para>
<para>Format 3 was introduced in Shorewall 4.5.10.</para>
<para>Comments may be attached to Netfilter rules generated from entries <para>Comments may be attached to Netfilter rules generated from entries
in this file through the use of COMMENT lines. These lines begin with the in this file through the use of COMMENT lines. These lines begin with the
@ -63,7 +81,7 @@
role="bold">NOTRACK</emphasis>|<emphasis role="bold">NOTRACK</emphasis>|<emphasis
role="bold">CT</emphasis>:<emphasis role="bold">CT</emphasis>:<emphasis
role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
role="bold">CT:notrack</emphasis>}</term> role="bold">CT:notrack</emphasis>}[:<replaceable>chain-designator</replaceable>]</term>
<listitem> <listitem>
<para>This column is only present when FORMAT = 2. Values other than <para>This column is only present when FORMAT = 2. Values other than
@ -151,10 +169,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term></term> <term/>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -232,11 +250,46 @@
<para>When FORMAT = 1, this column is not present and the rule is <para>When FORMAT = 1, this column is not present and the rule is
processed as if NOTRACK had been entered in this column.</para> processed as if NOTRACK had been entered in this column.</para>
<para>Beginning with Shoreall 4.5.10, when FORMAT = 3, this column
can end with a colon followed by a
<replaceable>chain-designator</replaceable>. The
<replaceable>chain-designator</replaceable> can be one of the
following:</para>
<variablelist>
<varlistentry>
<term>P</term>
<listitem>
<para>The rule is added to the raw table PREROUTING chain.
This is the default if no
<replaceable>chain-designator</replaceable> is present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>O</term>
<listitem>
<para>The rule is added to the raw table OUTPUT chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PO or OP</term>
<listitem>
<para>The rule is added to the raw table PREROUTING and OUTPUT
chains.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>SOURCE <term>SOURCE (formats 1 and 2)
{<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]|COMMENT}</term> {<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]|COMMENT}</term>
<listitem> <listitem>
@ -267,6 +320,23 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>SOURCE (formats 3)
{-|[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>}</term>
<listitem>
<para>Where <replaceable>interface</replaceable> is an interface to
that zone, and <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
(5)).</para>
<para>COMMENT is only allowed in format 1; the remainder of the line
is treated as a comment that will be associated with the generated
rule(s).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>DEST <term>DEST
[<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term> [<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>
@ -393,9 +463,28 @@
<refsect1> <refsect1>
<title>EXAMPLE</title> <title>EXAMPLE</title>
<para>Example 1:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP <programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S) # PORT(S) PORT(S)
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting> CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
<para>Example 2 (Shorewall 4.5.10 or later):</para>
<para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
<programlisting>FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S)
DROP all-:1.2.3.4 -
DROP all 1.2.3.4</programlisting>
<para>or<programlisting>FORMAT 3
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S)
DROP:P 1.2.3.4 -
DROP:PO - 1.2.3.4
</programlisting></para>
</refsect1> </refsect1>
<refsect1> <refsect1>


@ -25,25 +25,44 @@
<para>The original intent of the <emphasis role="bold">notrack</emphasis> <para>The original intent of the <emphasis role="bold">notrack</emphasis>
file was to exempt certain traffic from Netfilter connection tracking. file was to exempt certain traffic from Netfilter connection tracking.
Traffic matching entries in that file were not to be tracked.</para> Traffic matching entries in the file were not to be tracked.</para>
<para>The role of the file was expanded in Shorewall 4.4.27 to include all <para>The role of the file was expanded in Shorewall 4.4.27 to include all
rules that can be added in the Netfilter <emphasis rules that can be added in the Netfilter <emphasis
role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
<emphasis role="bold">conntrack</emphasis>.</para> <emphasis role="bold">conntrack</emphasis>.</para>
<para>The file supports two different column layouts: FORMAT 1 and FORMAT <para>The file supports two different column layouts: FORMAT 1, FORMAT 2,
2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an and FORMAT 3, FORMAT 1 being the default. The three differ as
additional leading ACTION column. When an entry in the file of this form follows:</para>
is encountered, the format of the following entries are assumed to be of
the specified <replaceable>format</replaceable>.</para> <itemizedlist>
<listitem>
<para>in FORMAT 2 and 3, there is an additional leading ACTION
column.</para>
</listitem>
<listitem>
<para>in FORMAT 3, the SOURCE column accepts no zone name; rather the
ACTION column allows a SUFFIX that determines the chain(s) that the
generated rule will be added to.</para>
</listitem>
</itemizedlist>
<para>When an entry in the following form is encountered, the format of
the following entries are assumed to be of the specified
<replaceable>format</replaceable>.</para>
<simplelist> <simplelist>
<member>FORMAT <replaceable>format</replaceable></member> <member><emphasis role="bold">FORMAT</emphasis>
<replaceable>format</replaceable></member>
</simplelist> </simplelist>
<para>where <replaceable>format</replaceable> is either <emphasis <para>where <replaceable>format</replaceable> is either <emphasis
role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para> role="bold">1</emphasis>,<emphasis role="bold">2</emphasis> or <emphasis
role="bold">3</emphasis>.</para>
<para>Format 3 was introduced in Shorewall 4.5.10.</para>
<para>Comments may be attached to Netfilter rules generated from entries <para>Comments may be attached to Netfilter rules generated from entries
in this file through the use of COMMENT lines. These lines begin with the in this file through the use of COMMENT lines. These lines begin with the
@ -62,7 +81,7 @@
role="bold">NOTRACK</emphasis>|<emphasis role="bold">NOTRACK</emphasis>|<emphasis
role="bold">CT</emphasis>:<emphasis role="bold">CT</emphasis>:<emphasis
role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
role="bold">CT:notrack</emphasis>}</term> role="bold">CT:notrack</emphasis>}[:<replaceable>chain-designator</replaceable>]</term>
<listitem> <listitem>
<para>This column is only present when FORMAT = 2. Values other than <para>This column is only present when FORMAT = 2. Values other than
@ -127,11 +146,46 @@
<para>When FORMAT = 1, this column is not present and the rule is <para>When FORMAT = 1, this column is not present and the rule is
processed as if NOTRACK had been entered in this column.</para> processed as if NOTRACK had been entered in this column.</para>
<para>Beginning with Shoreall 4.5.10, when FORMAT = 3, this column
can end with a colon followed by a
<replaceable>chain-designator</replaceable>. The
<replaceable>chain-designator</replaceable> can be one of the
following:</para>
<variablelist>
<varlistentry>
<term>P</term>
<listitem>
<para>The rule is added to the raw table PREROUTING chain.
This is the default if no
<replaceable>chain-designator</replaceable> is present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>O</term>
<listitem>
<para>The rule is added to the raw table OUTPUT chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PO or OP</term>
<listitem>
<para>The rule is added to the raw table PREROUTING and OUTPUT
chains.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>SOURCE <term>SOURCE (formats 1 and 2)
<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]</term> <emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]</term>
<listitem> <listitem>
@ -162,6 +216,23 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>SOURCE (formats 3)
{-|[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>}</term>
<listitem>
<para>Where <replaceable>interface</replaceable> is an interface to
that zone, and <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
(5)).</para>
<para>COMMENT is only allowed in format 1; the remainder of the line
is treated as a comment that will be associated with the generated
rule(s).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>DEST <term>DEST
[<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term> [<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>
@ -277,11 +348,35 @@
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>EXAMPLE</title> <title>EXAMPLES</title>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP <para>Example 1:</para>
<para>Use the FTP helper for TCP port 21 connections from the firewall
itself.</para>
<programlisting>FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S) # PORT(S) PORT(S)
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting> CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
<para>Example 2 (Shorewall 4.5.10 or later):</para>
<para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
<programlisting>FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S)
DROP all-:2001:1.2.3::4 -
DROP all 2001:1.2.3::4
</programlisting>
<para>or<programlisting>FORMAT 3
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S)
DROP:P 2001:1.2.3::4 -
DROP:PO - 2001:1.2.3::4
</programlisting></para>
</refsect1> </refsect1>
<refsect1> <refsect1>