mirror of
https://gitlab.com/shorewall/code.git
synced 2025-05-31 23:15:48 +02:00
Re-implement MACLIST_TTL
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2358 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
c6e3e84352
commit
318e204358
@ -502,6 +502,11 @@ dynamic_chains() #$1 = interface
|
||||
echo ${c}_dyni ${c}_dynf ${c}_dyno
|
||||
}
|
||||
|
||||
macrecent_target() # $1 - interface
|
||||
{
|
||||
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
|
||||
}
|
||||
|
||||
#
|
||||
# DNAT Chain from a zone
|
||||
#
|
||||
@ -2322,6 +2327,15 @@ setup_mac_lists() {
|
||||
for interface in $maclist_interfaces; do
|
||||
chain=$(mac_chain $interface)
|
||||
createchain $chain no
|
||||
|
||||
if [ -n "$MACLIST_TTL" ]; then
|
||||
chain1=$(macrecent_target $interface)
|
||||
createchain $chain1 no
|
||||
run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
|
||||
run_iptables -A $chain -j $chain1
|
||||
run_iptables -A $chain -m recent --update --name $chain -j RETURN
|
||||
run_iptables -A $chain -m recent --set --name $chain
|
||||
fi
|
||||
done
|
||||
#
|
||||
# Process the maclist file producing the verification rules
|
||||
@ -2340,8 +2354,7 @@ setup_mac_lists() {
|
||||
esac
|
||||
fi
|
||||
|
||||
chain=$(mac_chain $interface)
|
||||
chain1=$(macrecent_target $interface)
|
||||
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
|
||||
|
||||
if ! havechain $chain ; then
|
||||
fatal_error "No hosts on $interface have the maclist option specified"
|
||||
@ -2350,10 +2363,10 @@ setup_mac_lists() {
|
||||
macpart=$(mac_match $mac)
|
||||
|
||||
if [ -z "$addresses" ]; then
|
||||
run_iptables -A $chain $macpart $physdev_part -j $chain1
|
||||
run_iptables -A $chain $macpart $physdev_part -j RETURN
|
||||
else
|
||||
for address in $(separate_list $addresses) ; do
|
||||
run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1
|
||||
run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
|
||||
done
|
||||
fi
|
||||
done < $TMP_DIR/maclist
|
||||
@ -2362,8 +2375,7 @@ setup_mac_lists() {
|
||||
# chains
|
||||
#
|
||||
for interface in $maclist_interfaces; do
|
||||
chain=$(mac_chain $interface)
|
||||
chain1=$(macrecent_target $interface)
|
||||
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
|
||||
|
||||
blob=$(ip link show $interface 2> /dev/null)
|
||||
|
||||
@ -2373,15 +2385,15 @@ setup_mac_lists() {
|
||||
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
|
||||
address=${address%/*}
|
||||
if [ -n "$broadcast" ]; then
|
||||
run_iptables -A $chain -s $address -d $broadcast -j $chain1
|
||||
run_iptables -A $chain -s $address -d $broadcast -j RETURN
|
||||
fi
|
||||
|
||||
run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1
|
||||
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j $chain1
|
||||
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
|
||||
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
|
||||
done
|
||||
|
||||
if [ -n "$MACLIST_LOG_LEVEL" ]; then
|
||||
log_rule $MACLIST_LOG_LEVEL $chain $MACLIST_DISPOSITION
|
||||
log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A
|
||||
fi
|
||||
|
||||
run_iptables -A $chain -j $maclist_target
|
||||
@ -3180,8 +3192,8 @@ check_config() {
|
||||
|
||||
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
|
||||
|
||||
if [ -n "$MACLIST_TTL" ]; then
|
||||
error_message "WARNING: MACLIST_TTL has been disabled until further notice"
|
||||
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
|
||||
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
||||
fi
|
||||
|
||||
echo "Determining Zones..."
|
||||
@ -6389,8 +6401,8 @@ initialize_netfilter () {
|
||||
|
||||
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
|
||||
|
||||
if [ -n "$MACLIST_TTL" ]; then
|
||||
error_message "WARNING: MACLIST_TTL has been disabled until further notice"
|
||||
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
|
||||
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
||||
fi
|
||||
|
||||
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
|
||||
@ -8178,8 +8190,11 @@ do_initialize() {
|
||||
case $MACLIST_DISPOSITION in
|
||||
REJECT)
|
||||
;;
|
||||
ACCEPT|DROP)
|
||||
maclist_target=$MACLIST_DISPOSITION
|
||||
DROP)
|
||||
maclist_target=DROP
|
||||
;;
|
||||
ACCEPT)
|
||||
maclist_target=RETURN
|
||||
;;
|
||||
*)
|
||||
startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
|
||||
|
@ -779,6 +779,29 @@ DROPINVALID=No
|
||||
|
||||
RFC1918_STRICT=No
|
||||
|
||||
#
|
||||
# MACLIST caching
|
||||
#
|
||||
# If your iptables and kernel support the "Recent Match" (see the output of
|
||||
# "shorewall check" near the top), you can cache the results of a 'maclist'
|
||||
# file lookup and thus reduce the overhead associated with MAC Verification
|
||||
# (/etc/shorewall/maclist).
|
||||
#
|
||||
# When a new connection arrives from a 'maclist' interface, the packet passes
|
||||
# through then list of entries for that interface in /etc/shorewall/maclist. If
|
||||
# there is a match then the source IP address is added to the 'Recent' set for
|
||||
# that interface. Subsequent connection attempts from that IP address occuring
|
||||
# within $MACLIST_TTL seconds will be accepted without having to scan all of
|
||||
# the entries. After $MACLIST_TTL from the first accepted connection request,
|
||||
# the next connection request from that IP address will be checked against
|
||||
# the entire list.
|
||||
#
|
||||
# If MACLIST_TTL is not specified or is specified as empty (e.g,
|
||||
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
|
||||
# be cached.
|
||||
|
||||
MACLIST_TTL=
|
||||
|
||||
#
|
||||
# Save/Restore IPSETS
|
||||
#
|
||||
|
Loading…
x
Reference in New Issue
Block a user