Re-implement MACLIST_TTL

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2358 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-07-17 22:08:15 +00:00
parent c6e3e84352
commit 318e204358
2 changed files with 54 additions and 16 deletions

View File

@ -502,6 +502,11 @@ dynamic_chains() #$1 = interface
echo ${c}_dyni ${c}_dynf ${c}_dyno
}
macrecent_target() # $1 - interface
{
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
}
#
# DNAT Chain from a zone
#
@ -2322,6 +2327,15 @@ setup_mac_lists() {
for interface in $maclist_interfaces; do
chain=$(mac_chain $interface)
createchain $chain no
if [ -n "$MACLIST_TTL" ]; then
chain1=$(macrecent_target $interface)
createchain $chain1 no
run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
run_iptables -A $chain -j $chain1
run_iptables -A $chain -m recent --update --name $chain -j RETURN
run_iptables -A $chain -m recent --set --name $chain
fi
done
#
# Process the maclist file producing the verification rules
@ -2340,8 +2354,7 @@ setup_mac_lists() {
esac
fi
chain=$(mac_chain $interface)
chain1=$(macrecent_target $interface)
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
if ! havechain $chain ; then
fatal_error "No hosts on $interface have the maclist option specified"
@ -2350,10 +2363,10 @@ setup_mac_lists() {
macpart=$(mac_match $mac)
if [ -z "$addresses" ]; then
run_iptables -A $chain $macpart $physdev_part -j $chain1
run_iptables -A $chain $macpart $physdev_part -j RETURN
else
for address in $(separate_list $addresses) ; do
run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1
run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
done
fi
done < $TMP_DIR/maclist
@ -2362,8 +2375,7 @@ setup_mac_lists() {
# chains
#
for interface in $maclist_interfaces; do
chain=$(mac_chain $interface)
chain1=$(macrecent_target $interface)
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
blob=$(ip link show $interface 2> /dev/null)
@ -2373,15 +2385,15 @@ setup_mac_lists() {
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
address=${address%/*}
if [ -n "$broadcast" ]; then
run_iptables -A $chain -s $address -d $broadcast -j $chain1
run_iptables -A $chain -s $address -d $broadcast -j RETURN
fi
run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j $chain1
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
done
if [ -n "$MACLIST_LOG_LEVEL" ]; then
log_rule $MACLIST_LOG_LEVEL $chain $MACLIST_DISPOSITION
log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A
fi
run_iptables -A $chain -j $maclist_target
@ -3180,8 +3192,8 @@ check_config() {
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" ]; then
error_message "WARNING: MACLIST_TTL has been disabled until further notice"
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
echo "Determining Zones..."
@ -6389,8 +6401,8 @@ initialize_netfilter () {
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" ]; then
error_message "WARNING: MACLIST_TTL has been disabled until further notice"
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
@ -8178,8 +8190,11 @@ do_initialize() {
case $MACLIST_DISPOSITION in
REJECT)
;;
ACCEPT|DROP)
maclist_target=$MACLIST_DISPOSITION
DROP)
maclist_target=DROP
;;
ACCEPT)
maclist_target=RETURN
;;
*)
startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"

View File

@ -779,6 +779,29 @@ DROPINVALID=No
RFC1918_STRICT=No
#
# MACLIST caching
#
# If your iptables and kernel support the "Recent Match" (see the output of
# "shorewall check" near the top), you can cache the results of a 'maclist'
# file lookup and thus reduce the overhead associated with MAC Verification
# (/etc/shorewall/maclist).
#
# When a new connection arrives from a 'maclist' interface, the packet passes
# through then list of entries for that interface in /etc/shorewall/maclist. If
# there is a match then the source IP address is added to the 'Recent' set for
# that interface. Subsequent connection attempts from that IP address occuring
# within $MACLIST_TTL seconds will be accepted without having to scan all of
# the entries. After $MACLIST_TTL from the first accepted connection request,
# the next connection request from that IP address will be checked against
# the entire list.
#
# If MACLIST_TTL is not specified or is specified as empty (e.g,
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
# be cached.
MACLIST_TTL=
#
# Save/Restore IPSETS
#