First cut at default macros

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4479 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-08-30 00:48:24 +00:00
parent 48390fd671
commit 32c15decea
3 changed files with 187 additions and 35 deletions

View File

@ -495,18 +495,31 @@ validate_policy()
esac esac
case $policy in case $policy in
ACCEPT|REJECT|DROP|CONTINUE|QUEUE) *:*)
;; macro=${policy#*:}
NONE) if ! list_search $macro $DEFAULT_MACROS;
[ "$client" = "$FW" -o "$server" = "$FW" ] && \ [ -f find_file macro.${macro} ] || fatal_error "$client $server $policy $loglevel $synparams: Default Macro $macro not found"
fatal_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone" DEFAULT_MACROS="$DEFAULT_MACROS $macro"
fi
;;
*)
macro=
;;
esac
[ -n "$clientwild" -o -n "$serverwild" ] && \ case ${policy%:*} in
fatal_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\"" ACCEPT|REJECT|DROP|CONTINUE|QUEUE)
;; ;;
*) NONE)
fatal_error "Invalid policy $policy" [ "$client" = "$FW" -o "$server" = "$FW" ] && \
;; fatal_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone"
[ -n "$clientwild" -o -n "$serverwild" ] && \
fatal_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
;;
*)
fatal_error "Invalid policy $policy"
;;
esac esac
chain=${client}2${server} chain=${client}2${server}
@ -522,12 +535,15 @@ validate_policy()
[ "x$loglevel" = "x-" ] && loglevel= [ "x$loglevel" = "x-" ] && loglevel=
[ "x$synparams" = "x-" ] && synparams= [ "x$synparams" = "x-" ] && synparams=
policy=${policy%:*}
[ $policy = NONE ] || ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain" [ $policy = NONE ] || ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
eval ${chain}_is_policy=Yes eval ${chain}_is_policy=Yes
eval ${chain}_policy=$policy eval ${chain}_policy=$policy
eval ${chain}_loglevel=$loglevel eval ${chain}_loglevel=$loglevel
eval ${chain}_synparams=$synparams eval ${chain}_synparams=$synparams
eval ${chain}_macro=$macro
if [ -n "${clientwild}" ]; then if [ -n "${clientwild}" ]; then
if [ -n "${serverwild}" ]; then if [ -n "${serverwild}" ]; then
@ -2706,6 +2722,120 @@ process_rules()
SECTION=DONE SECTION=DONE
} }
#
# Expand an entry in a default macro
#
expand_macro() {
local chain=$1
local target=$2
local protocol=$3
local port=$4
local cport=$5
local rule=
if [ "x$protocol" != x- -a -n "$protocol" ]; then
rule="-p $protocol"
case $protocol in
6|tcp|TCP|17|udp|UDP)
if [ "x$port" != x- -a -n "$port" ]; then
rule="$rule -m multiport --dports $port"
[ "x$cport" != x- -a -n "$cport" ] && rule="$rule --sports $cport"
else
[ "x$cport" != x- -a -n "$cport" ] && rule="$rule -m multiport --sports $cport"
fi
;;
icmp|ICMP|0)
[ "x$port" != x- -a -n "$port" ] && rule="$rule --icmp-type $port"
;;
;;
*)
[ "x$port" != x- -a -n "$port" ] && fatal_error "DEST PORT(S) not allowed with protocol $protocol"
[ "x$cport" != x- -a -n "$cport" ] && fatal_error "SOURCE PORT(S) not allowed with protocol $protocol"
;;
esac
fi
run_iptables -A $chain $rule -j $target
}
#
# Process a default macro
#
process_default_macro() # $1 = macro name
{
local macro=$1
havechain $macro && fatal_error "Illegal duplicate default macro name: $macro"
createchain $macro
strip_file macro.${macro}
progress_message "..Expanding Macro $(find_file macro.${macro})..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
case $mtarget in
PARAM|PARAM:*)
fatal_error "Invalid target ($mtarget) in default macro $macro"
;;
esac
case ${mtarget} in
ACCEPT|DROP|REJECT)
;;
*)
if list_search ${mtarget%%:*} $ACTIONS; then
if ! list_search $mtarget $USEDACTIONS; then
createactionchain $mtarget
USEDACTIONS="$USEDACTIONS $mtarget"
fi
mtarget=$(find_logactionchain $mtarget)
else
fatal_error "Invalid Action in rule \"$mtarget ${mclients:--} ${mservers:--} ${mprotocol:--} ${mports:--} ${mcports:--} ${xaddress:--} ${mratelimit:--} ${muserspec:--}\""
fi
;;
esac
if [ -n "$mclients" ]; then
case $mclients in
-|SOURCE)
;;
*)
fatal_error "Invalid SOURCE ($mclients) in default macro $macro"
;;
esac
fi
if [ -n "$mservers" ]; then
case $mservers in
-|DEST)
;;
*)
fatal_error "Invalid DEST ($mservers) in default macro $macro"
;;
esac
fi
case ${mports}${mcports} in
*,*)
fatal_error "Port lists not allowed in default macro"
;;
esac
[ "x$mratelimit" != "x-" -a -n "$mratelimit" ] && fatal_error "Invalid Rate Limit ($mratelimit) in default macro $macro"
[ "x$muserspec" != "x-" -a -n "$muserspec" ] && fatal_error "Invalid USER/GROUP ($muserspec) in default macro $macro"
expand_macro $1 $target $mprotocol $mports $mcports $mratelimit $muserspec
progress_message "Rule \"$target $mprotocol $mports $mcports $mratelimit $muserspec\" $DONE"
done < $TMP_DIR/macro.${itarget%%:*}
progress_message "..End Macro"
}
# #
# Process a record from the tos file # Process a record from the tos file
# #
@ -2913,28 +3043,35 @@ policy_rules() # $1 = chain to add rules to
# $3 = loglevel # $3 = loglevel
{ {
local target="$2" local target="$2"
local macro
case "$target" in eval macro=\$${1}_macro
ACCEPT)
[ -n "$ACCEPT_default" ] && run_iptables -A $1 -j $ACCEPT_default if [ -n "$macro" ]; then
;; run_iptables -A $1 -j $macro
DROP) else
[ -n "$DROP_default" ] && run_iptables -A $1 -j $DROP_default case "$target" in
;; ACCEPT)
REJECT) [ -n "$ACCEPT_default" ] && run_iptables -A $1 -j $ACCEPT_default
[ -n "$REJECT_default" ] && run_iptables -A $1 -j $REJECT_default ;;
target=reject DROP)
;; [ -n "$DROP_default" ] && run_iptables -A $1 -j $DROP_default
QUEUE) ;;
[ -n "$QUEUE_default" ] && run_iptables -A $1 -j $QUEUE_default REJECT)
;; [ -n "$REJECT_default" ] && run_iptables -A $1 -j $REJECT_default
CONTINUE) target=reject
target= ;;
;; QUEUE)
*) [ -n "$QUEUE_default" ] && run_iptables -A $1 -j $QUEUE_default
fatal_error "Invalid policy ($policy) for $1" ;;
;; CONTINUE)
esac target=
;;
*)
fatal_error "Invalid policy ($policy) for $1"
;;
esac
fi
if [ $# -eq 3 -a "x${3}" != "x-" ]; then if [ $# -eq 3 -a "x${3}" != "x-" ]; then
log_rule $3 $1 $2 log_rule $3 $1 $2
@ -5035,6 +5172,13 @@ __EOF__
setup_tunnels $tunnels setup_tunnels $tunnels
fi fi
if [ -n "$DEFAULT_MACROS" ]; then
progress_message2 "$DOING default macros..."
for macro in $DEFAULT_MACROS; do
process_default_macro $macro
done
fi
if [ -n "$USEDACTIONS" ]; then if [ -n "$USEDACTIONS" ]; then
save_progress_message "Setting up Actions..." save_progress_message "Setting up Actions..."

View File

@ -2933,6 +2933,7 @@ do_initialize() {
SECTION=ESTABLISHED SECTION=ESTABLISHED
SECTIONS= SECTIONS=
ALL_PORTS= ALL_PORTS=
DEFAULT_MACROS=
TMP_DIR=$(mktempdir) TMP_DIR=$(mktempdir)

View File

@ -59,13 +59,20 @@
# contain the firewall zone ($FW) or # contain the firewall zone ($FW) or
# "all". # "all".
# #
# If this column contains ACCEPT, DROP or REJECT and a # If USE_ACTIONS=Yes in shorewall.conf (or if that
# corresponding common action is defined in # option is not set) then if this column contains ACCEPT,
# /etc/shorewall/actions (or # DROP, or REJECT and a corresponding default action
# is defined in /etc/shorewall/actions (or
# /usr/share/shorewall/actions.std) then that action # /usr/share/shorewall/actions.std) then that action
# will be invoked before the policy named in this column # will be invoked before the policy named in this column
# is enforced. # is enforced.
# #
# If USE_ACTIONS=No in shorewall.conf then ACCEPT,DROP
# REJECT may be optionally followed by ":" and the name
# of a macro. The rules in the macro will be expanded
# and packets will pass through the rules prior to
# the policy being applied.
#
# LOG LEVEL If supplied, each connection handled under the default # LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no # POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a # log message is generated. See syslog.conf(5) for a