More source reorganization

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5513 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-03-13 23:11:15 +00:00
parent d7ab9421bf
commit 35a3438a7d


@ -2922,6 +2922,18 @@ sub setup_blacklist() {
}
}
sub setup_forwarding() {
if ( "\L$config{IP_FORWARDING}" eq 'on' ) {
emit 'echo 1 > /proc/sys/net/ipv4/ip_forward';
emit 'progress_message2 IP Forwarding Enabled';
} elsif ( "\L$config{IP_FORWARDING}" eq 'off' ) {
emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
emit 'progress_message2 IP Forwarding Disabled!';
}
emit '';
}
sub add_common_rules() {
my $interface;
my $chainref;
@ -3084,6 +3096,8 @@ sub add_common_rules() {
}
setup_syn_flood_chains;
setup_forwarding;
}
#
@ -4031,6 +4045,8 @@ sub process_rules() {
#
# Here starts the tunnel stuff -- we really should get rid of this crap...
#
sub setup_tunnels() {
sub setup_one_ipsec {
my ($inchainref, $outchainref, $kind, $source, $dest, $gatewayzones) = @_;
@ -4205,9 +4221,9 @@ sub setup_one_tunnel($$$$) {
progress_message " Tunnel \"$line\" $done";
}
sub setup_tunnels() {
#
# Setup_Tunnels() Starts Here
#
open TUNNELS, "$ENV{TMP_DIR}/tunnels" or fatal_error "Unable to open stripped tunnels file: $!";
while ( $line = <TUNNELS> ) {
@ -4236,96 +4252,9 @@ sub setup_tunnels() {
}
#
# The following small functions generate rules for the builtin actions of the same name
# Generate chain for non-builtin action invocation
#
sub dropBcast( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
}
add_rule $chainref, '-m pkttype --pkt-type broadcast -j DROP';
add_rule $chainref, '-m pkttype --pkt-type multicast -j DROP';
}
sub allowBcast( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
}
add_rule $chainref, '-m pkttype --pkt-type broadcast -j ACCEPT';
add_rule $chainref, '-m pkttype --pkt-type multicast -j ACCEPT';
}
sub dropNotSyn ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level;
add_rule $chainref , '-p tcp ! --syn -j DROP';
}
sub rejNotSyn ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level;
add_rule $chainref , '-p tcp ! --syn -j REJECT';
}
sub dropInvalid ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level;
add_rule $chainref , '-m state --state INVALID -j REJECT';
}
sub allowInvalid ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level;
add_rule $chainref , '-m state --state INVALID -j ACCEPT';
}
sub forwardUPnP ( $$$ ) {
}
sub allowinUPnP ( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ) {
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
}
add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
}
sub Limit( $$$ ) {
my ($chainref, $level, $tag) = @_;
my @tag = split /,/, $tag;
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag' unless @tag == 3;
add_rule $chainref, '-m recent --name $tag[0] --set';
if ( $level ) {
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
add_rule $xchainref, '-j DROP';
add_rule $chainref, "-m recent --name $tag[0] --update --seconds $tag[2] --hitcount $(( $tag[1] + 1 )) -j $chainref->{name}%";
} else {
add_rule $chainref, "-m recent --update --name $tag[0] --seconds $tag[2] --hitcount $(( $tag[1] + 1 )) -j DROP";
}
add_rule $chainref, '-j ACCEPT';
}
sub process_action3( $$$$$ ) {
#
# This function is called to process each rule generated from an action file.
#
@ -4345,10 +4274,6 @@ sub process_action( $$$$$$$$$$ ) {
'' );
}
#
# Generate chain for non-builtin action invocation
#
sub process_action3( $$$$$ ) {
my ( $chainref, $wholeaction, $action, $level, $tag ) = @_;
my $actionfile = find_file "action.$action";
my $standard = ( $actionfile =~ /^($env{SHAREDIR})/ );
@ -4617,6 +4542,97 @@ sub process_actions2 () {
}
sub process_actions3 () {
#
# The following small functions generate rules for the builtin actions of the same name
#
sub dropBcast( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
}
add_rule $chainref, '-m pkttype --pkt-type broadcast -j DROP';
add_rule $chainref, '-m pkttype --pkt-type multicast -j DROP';
}
sub allowBcast( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
}
add_rule $chainref, '-m pkttype --pkt-type broadcast -j ACCEPT';
add_rule $chainref, '-m pkttype --pkt-type multicast -j ACCEPT';
}
sub dropNotSyn ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level;
add_rule $chainref , '-p tcp ! --syn -j DROP';
}
sub rejNotSyn ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level;
add_rule $chainref , '-p tcp ! --syn -j REJECT';
}
sub dropInvalid ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level;
add_rule $chainref , '-m state --state INVALID -j REJECT';
}
sub allowInvalid ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level;
add_rule $chainref , '-m state --state INVALID -j ACCEPT';
}
sub forwardUPnP ( $$$ ) {
}
sub allowinUPnP ( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ) {
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
}
add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
}
sub Limit( $$$ ) {
my ($chainref, $level, $tag) = @_;
my @tag = split /,/, $tag;
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag' unless @tag == 3;
add_rule $chainref, '-m recent --name $tag[0] --set';
if ( $level ) {
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
add_rule $xchainref, '-j DROP';
add_rule $chainref, "-m recent --name $tag[0] --update --seconds $tag[2] --hitcount $(( $tag[1] + 1 )) -j $chainref->{name}%";
} else {
add_rule $chainref, "-m recent --update --name $tag[0] --seconds $tag[2] --hitcount $(( $tag[1] + 1 )) -j DROP";
}
add_rule $chainref, '-j ACCEPT';
}
my %builtinops = ( 'dropBcast' => \&dropBcast,
'allowBcast' => \&allowBcast,
'dropNotSyn' => \&dropNotSyn,
@ -4670,21 +4686,21 @@ sub dump_action_table() {
#
# Accounting
#
my $jumpchainref;
sub process_accounting_rule( $$$$$$$$ ) {
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user ) = @_;
sub accounting_error() {
warning_message "Invalid Accounting rule \"$line\"";
}
my $jumpchainref;
sub jump_to_chain( $ ) {
my $jumpchain = $_[0];
$jumpchainref = ensure_chain( 'filter', $jumpchain );
"-j $jumpchain";
}
sub process_accounting_rule( $$$$$$$$ ) {
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user ) = @_;
$chain = 'accounting' unless $chain and $chain ne '-';
my $chainref = ensure_filter_chain $chain , 0;
@ -4761,6 +4777,16 @@ sub setup_accounting() {
}
}
#
# To quote an old comment, generate_matrix makes a sows ear out of a silk purse.
#
# The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this functions and the rules that it generates.
#
# The function traverses the full "source-zone X destination-zone" matrix and generates the rules necessary to direct traffic through the right set of rules.
#
sub generate_matrix() {
#
# Helper functions for generate_matrix()
#-----------------------------------------
@ -4778,7 +4804,6 @@ sub addnatjump( $$$ ) {
$iprangematch = $ipsetmatch = 0;
}
}
#
# If the destination chain exists, then at the position in the source chain given by $$countref, add a jump to the destination.
#
@ -4849,17 +4874,9 @@ sub add_exclusions ( $$ ) {
add_rule $chainref , "-i $interface " . match_source_net( $host ) . '-j RETURN';
}
}
#
# To quote an old comment, generate_matrix makes a sows ear out of a silk purse.
# Generate_Matrix() Starts Here
#
# The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
#-----------------------------------------------------------
# The goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this functions and the rules that it generates.
#
# The function traverses the full "source-zone X destination-zone" matrix and generates the rules necessary to direct traffic through the right set of rules.
#
sub generate_matrix() {
my $prerouting_rule = 1;
my $postrouting_rule = 1;
my $exclusion_seq = 1;
@ -5478,18 +5495,6 @@ sub do_initialize() {
initialize_chain_table;
}
sub setup_forwarding() {
if ( "\L$config{IP_FORWARDING}" eq 'on' ) {
emit 'echo 1 > /proc/sys/net/ipv4/ip_forward';
emit 'progress_message2 IP Forwarding Enabled';
} elsif ( "\L$config{IP_FORWARDING}" eq 'off' ) {
emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
emit 'progress_message2 IP Forwarding Disabled!';
}
emit '';
}
use constant { LOCAL_NUMBER => 255,
MAIN_NUMBER => 254,
DEFAULT_NUMBER => 253,
@ -5509,6 +5514,10 @@ my @providers;
my %routemarked_interfaces;
my $routemarked_interfaces = 0;
sub setup_providers() {
my $fn = find_file 'providers';
my $providers = 0;
sub copy_table( $$ ) {
my ( $duplicate, $number ) = @_;
@ -5570,9 +5579,6 @@ sub balance_default_route( $$$ ) {
}
}
#
# Builtin routing tables
#
sub add_a_provider( $$$$$$$$ ) {
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_;
@ -5766,13 +5772,11 @@ sub add_an_rtrule( $$$$ ) {
emit "qt ip rule del $source $dest $priority";
emit "run_ip rule add $source $dest $priority table $provider";
emit "echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing";
progress_message " Routing rule \"$line\" $done"
progress_message " Routing rule \"$line\" $done";
}
sub setup_providers() {
my $fn = find_file 'providers';
my $providers = 0;
#
# Setup_Providers() Starts Here....
#
progress_message2 "$doing $fn ...";
emit "\nif [ -z \"\$NOROUTES\" ]; then";
@ -5874,6 +5878,9 @@ sub setup_providers() {
}
#
# Set up marking for 'tracked' interfaces. Unline in Shorewall 3.x, we add these rules inconditionally, even if the associated interface isn't up.
#
sub setup_route_marking() {
my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFFFF' : '0xFF';
my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark';
@ -6058,28 +6065,23 @@ sub generate_script_2 () {
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
setup_forwarding;
if ( -s "$ENV{TMP_DIR}/providers" ) {
setup_providers;
setup_route_marking if $routemarked_interfaces;
} else {
emit "\nundo_routing";
emit 'restore_default_route';
}
setup_traffic_shaping if -s "$ENV{TMP_DIR}/tcdevices";
sub generate_script_3() {
pop_indent;
$indent = '';
emit "}\n";
emit "}\n";;
progress_message2 "Creating iptables-restore input...";
create_netfilter_load;
emit "#\n# Start/Restart the Firewall\n#";
emit 'define_firewall() {';
emit ' setup_routing_and_traffic_shaping;';
emit ' setup_netfilter';
emit ' [ $COMMAND = restore ] || restore_dynamic_rules';
emit "}\n";
}
sub report_capability( $ ) {
my $cap = $_[0];
print " $capdesc{$cap}: ";
print $capabilities{$cap} ? "Available\n" : "Not Available\n";
copy find_file 'prog.footer';
}
sub compile_firewall( $ ) {
@ -6087,6 +6089,12 @@ sub compile_firewall( $ ) {
my $objectfile = $_[0];
my ( $dir, $file );
sub report_capability( $ ) {
my $cap = $_[0];
print " $capdesc{$cap}: ";
print $capabilities{$cap} ? "Available\n" : "Not Available\n";
}
( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile;
if ( $command eq 'compile' ) {
@ -6120,59 +6128,95 @@ sub compile_firewall( $ ) {
}
}
fatal_error "Shorewall $ENV{VERSION} requires Conntrack Match Support" unless $capabilities{CONNTRACK_MATCH};
fatal_error "Shorewall $ENV{VERSION} requires Extended Multi-port Match Support" unless $capabilities{XMULTIPORT};
fatal_error "Shorewall $ENV{VERSION} requires Address Type Match Support" unless $capabilities{ADDRTYPE};
fatal_error 'BRIDGING=Yes requires Physdev Match support in your Kernel and iptables' if $config{BRIDGING} && ! $capabilities{PHYSDEV_MATCH};
fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables' if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match' if $config{RFC1918_STRICT} && ! $capabilities{CONNTRACK_MATCH};
fatal_error "Shorewall $ENV{VERSION} requires Conntrack Match Support"
unless $capabilities{CONNTRACK_MATCH};
fatal_error "Shorewall $ENV{VERSION} requires Extended Multi-port Match Support"
unless $capabilities{XMULTIPORT};
fatal_error "Shorewall $ENV{VERSION} requires Address Type Match Support"
unless $capabilities{ADDRTYPE};
fatal_error 'BRIDGING=Yes requires Physdev Match support in your Kernel and iptables'
if $config{BRIDGING} && ! $capabilities{PHYSDEV_MATCH};
fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables'
if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match'
if $config{RFC1918_STRICT} && ! $capabilities{CONNTRACK_MATCH};
#
# Process the zones file.
#
progress_message2 "Determining Zones..."; determine_zones;
progress_message2 "Determining Zones...";
determine_zones;
#
# Process the interfaces file.
#
progress_message2 "Validating interfaces file..."; validate_interfaces_file; dump_interface_info if $ENV{DEBUG};
progress_message2 "Validating interfaces file...";
validate_interfaces_file;
dump_interface_info if $ENV{DEBUG};
#
# Process the hosts file.
#
progress_message2 "Validating hosts file..."; validate_hosts_file;
progress_message2 "Validating hosts file...";
validate_hosts_file;
if ( $ENV{DEBUG} ) {
dump_zone_info;
} elsif ( $ENV{VERBOSE} > 1 ) {
progress_message "Determining Hosts in Zones..."; zone_report;
progress_message "Determining Hosts in Zones...";
zone_report;
}
#
# Do action pre-processing.
#
progress_message2 "Preprocessing Action Files..."; process_actions1;
progress_message2 "Preprocessing Action Files...";
process_actions1;
#
# Process the Policy File.
#
progress_message2 "Validating Policy file..."; validate_policy;
progress_message2 "Validating Policy file...";
validate_policy;
#
# Start Second Part of script
#
generate_script_2;
#
# Do all of the zone-independent stuff
#
progress_message2 "Setting up Common Rules..."; add_common_rules;
progress_message2 "Setting up Common Rules...";
add_common_rules;
#
# [Re-]establish Routing
#
if ( -s "$ENV{TMP_DIR}/providers" ) {
setup_providers;
setup_route_marking if $routemarked_interfaces;
} else {
emit "\nundo_routing";
emit 'restore_default_route';
}
#
# Traffic Shaping
#
setup_traffic_shaping if -s "$ENV{TMP_DIR}/tcdevices";
#
# Setup Masquerading/SNAT
#
progress_message2 "$doing Masq file..."; setup_masq;
progress_message2 "$doing Masq file...";
setup_masq;
#
# MACLIST Filtration
#
progress_message2 "Setting up MAC Filtration -- Phase 1..."; setup_mac_lists 1;
progress_message2 "Setting up MAC Filtration -- Phase 1...";
setup_mac_lists 1;
#
# Process the rules file.
#
progress_message2 "$doing Rules..."; process_rules;
progress_message2 "$doing Rules...";
process_rules;
#
# Add Tunnel rules.
#
progress_message2 "Adding Tunnels..."; setup_tunnels;
progress_message2 "Adding Tunnels...";
setup_tunnels;
#
# Post-rules action processing.
#
@ -6181,49 +6225,40 @@ sub compile_firewall( $ ) {
#
# MACLIST Filtration again
#
progress_message2 "Setting up MAC Filtration -- Phase 2..."; setup_mac_lists 2;
progress_message2 "Setting up MAC Filtration -- Phase 2...";
setup_mac_lists 2;
#
# Apply Policies
#
progress_message2 'Applying Policies...'; apply_policy_rules; dump_action_table if $ENV{DEBUG};
progress_message2 'Applying Policies...';
apply_policy_rules;
dump_action_table if $ENV{DEBUG};
#
# Setup Nat
#
progress_message2 "$doing one-to-one NAT..."; setup_nat;
progress_message2 "$doing one-to-one NAT...";
setup_nat;
#
# TCRules
#
progress_message2 "Processing TC Rules..."; process_tcrules;
progress_message2 "Processing TC Rules...";
process_tcrules;
#
# Accounting.
#
progress_message2 "Setting UP Accounting..."; setup_accounting;
progress_message2 "Setting UP Accounting...";
setup_accounting;
#
# Do the BIG UGLY...
#
if ( $command eq 'check' ) {
if ( -s "$ENV{TMP_DIR}/providers" ) {
progress_message2 'Checking Routing...';
setup_providers;
setup_route_marking if $routemarked_interfaces;
}
} else {
progress_message2 "Generating Rule Matrix..."; generate_matrix; dump_chain_table if $ENV{DEBUG};
unless ( $command eq 'check' ) {
#
# Finish the script.
#
progress_message2 "Compiling Routing and Traffic Shaping";
generate_script_2;
progress_message2 "Creating iptables-restore input...";
create_netfilter_load;
emit "#\n# Start/Restart the Firewall\n#";
emit 'define_firewall() {';
emit ' setup_routing_and_traffic_shaping;';
emit ' setup_netfilter';
emit ' [ $COMMAND = restore ] || restore_dynamic_rules';
emit "}\n";
copy find_file 'prog.footer';
progress_message2 'Generating Rule Matrix...';
generate_matrix;
dump_chain_table if $ENV{DEBUG};
generate_script_3;
$file = "$dir/$file";
rename $tempfile, $file;
chmod 0700, $file;
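Review bot: In the moved `dropInvalid` (hunk at process_actions3) the generated rule jumps to `REJECT` while the `log_rule_limit` call just above records the disposition as `DROP`, so the action neither drops nor matches its name, and INVALID-state packets get a reject response instead of being silently discarded; the line should read `add_rule $chainref , '-m state --state INVALID -j DROP';`. In `Limit` in the same hunk, `add_rule $chainref, '-m recent --name $tag[0] --set';` is single-quoted, so the emitted rule carries the literal text `$tag[0]` rather than the set name and needs `add_rule $chainref, "-m recent --name $tag[0] --set";`. The `$(( $tag[1] + 1 ))` fragments in the two following `add_rule` calls look suspect as well, since `$(` is Perl's real-GID variable inside a double-quoted string; computing `my $hitcount = $tag[1] + 1;` in Perl and interpolating `$hitcount` avoids relying on the target shell. These subs are carried over verbatim from the block deleted in the earlier setup_tunnels hunk, so the defects predate this commit, and `process_actions3`, which now encloses them, continues past the end of the hunk.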