allowBcasts, dropBcasts and nosmurfs

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9008 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-12-12 21:31:31 +00:00
parent f181cf7884
commit 3e328daf0a
13 changed files with 165 additions and 71 deletions

View File

@ -50,6 +50,8 @@ BLACKLIST_LOGLEVEL=
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################

View File

@ -50,6 +50,8 @@ BLACKLIST_LOGLEVEL=
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################

View File

@ -2,6 +2,8 @@ Changes in Shorewall 4.3.2
1) Added 'dhcp' option. 1) Added 'dhcp' option.
2) Add 'allowBcast' and 'dropBcast' builtin actions to Shorewall6.
Changes in Shorewall 4.3.1 Changes in Shorewall 4.3.1
1) Allow addresses in rules to be enclosed in square brackets. 1) Allow addresses in rules to be enclosed in square brackets.

View File

@ -14,6 +14,14 @@ Other changes in 4.3.2
1) The 'dhcp' option has been added to accomodate IPv6 DHCP (UDP ports 1) The 'dhcp' option has been added to accomodate IPv6 DHCP (UDP ports
546 and 547). 546 and 547).
2) The 'allowBcast' and 'dropBcast' builtin actions have been added to
Shorewall6. Respectively, they accept or silently drop packets with
an anycast or multicast destination address.
3) The nosmurfs option has been added to
/etc/shorewall8/interfaces. The option drops incoming packets whose
source address is an anycast or multicast addreess.
Migration Issues. Migration Issues.
None. None.

View File

@ -83,6 +83,8 @@ our %logactionchains;
our %macros; our %macros;
our $family;
# #
# Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited). # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
# #
@ -97,7 +99,9 @@ our $macro_commands = { COMMENT => 0, FORMAT => 2 };
# the second and subsequent calls to that function. # the second and subsequent calls to that function.
# #
sub initialize() { sub initialize( $ ) {
$family = shift;
%usedactions = (); %usedactions = ();
%default_actions = ( DROP => 'none' , %default_actions = ( DROP => 'none' ,
REJECT => 'none' , REJECT => 'none' ,
@ -109,7 +113,7 @@ sub initialize() {
} }
INIT { INIT {
initialize; initialize( F_IPV4 );
} }
# #
@ -731,7 +735,12 @@ sub process_actions3 () {
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP'; add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
} else { } else {
add_command $chainref, 'for address in $ALL_BCASTS; do'; if ( $family == F_IPV4 ) {
add_command $chainref, 'for address in $ALL_BCASTS; do';
} else {
add_command $chainref, 'for address in $ALL_ACASTS; do';
}
incr_cmd_level $chainref; incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne ''; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
add_rule $chainref, '-d $address -j DROP'; add_rule $chainref, '-d $address -j DROP';
@ -741,7 +750,12 @@ sub process_actions3 () {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
} }
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
if ( $family == F_IPV4 ) {
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
} else {
add_rule $chainref, '-d ff00::/10 -j DROP';
}
} }
sub allowBcast( $$$ ) { sub allowBcast( $$$ ) {
@ -755,16 +769,26 @@ sub process_actions3 () {
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT'; add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
} else { } else {
add_command $chainref, 'for address in $ALL_BCASTS; do'; if ( $family == F_IPV4 ) {
add_command $chainref, 'for address in $ALL_BCASTS; do';
} else {
add_command $chainref, 'for address in $ALL_MACASTS; do';
}
incr_cmd_level $chainref; incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne ''; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
add_rule $chainref, '-d $address -j ACCEPT'; add_rule $chainref, '-d $address -j ACCEPT';
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_command $chainref, 'done'; add_command $chainref, 'done';
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
} else {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
add_rule $chainref, '-d ff00:/10 -j ACCEPT';
}
} }
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
} }
sub dropNotSyn ( $$$ ) { sub dropNotSyn ( $$$ ) {

View File

@ -137,6 +137,7 @@ our %EXPORT_TAGS = (
get_interface_address get_interface_address
get_interface_addresses get_interface_addresses
get_interface_bcasts get_interface_bcasts
get_interface_acasts
get_interface_gateway get_interface_gateway
get_interface_mac get_interface_mac
set_global_variables set_global_variables
@ -235,6 +236,7 @@ our %interfaceaddrs;
our %interfacenets; our %interfacenets;
our %interfacemacs; our %interfacemacs;
our %interfacebcasts; our %interfacebcasts;
our %interfaceacasts;
our %interfacegateways; our %interfacegateways;
our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING); our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
@ -304,6 +306,7 @@ sub initialize( $ ) {
%interfacenets = (); %interfacenets = ();
%interfacemacs = (); %interfacemacs = ();
%interfacebcasts = (); %interfacebcasts = ();
%interfaceacasts = ();
%interfacegateways = (); %interfacegateways = ();
$family = shift; $family = shift;
@ -960,6 +963,8 @@ sub initialize_chain_table()
'QUEUE!' => STANDARD, 'QUEUE!' => STANDARD,
'NFQUEUE' => STANDARD + NFQ, 'NFQUEUE' => STANDARD + NFQ,
'NFQUEUE!' => STANDARD + NFQ, 'NFQUEUE!' => STANDARD + NFQ,
'dropBcast' => BUILTIN + ACTION,
'allowBcast' => BUILTIN + ACTION,
'dropNotSyn' => BUILTIN + ACTION, 'dropNotSyn' => BUILTIN + ACTION,
'rejNotSyn' => BUILTIN + ACTION, 'rejNotSyn' => BUILTIN + ACTION,
'dropInvalid' => BUILTIN + ACTION, 'dropInvalid' => BUILTIN + ACTION,
@ -1789,6 +1794,27 @@ sub get_interface_bcasts ( $ ) {
"\$$variable"; "\$$variable";
} }
#
# Returns the name of the shell variable holding the anycast addresses of the passed interface
#
sub interface_acasts( $ ) {
my $variable = chain_base( $_[0] ) . '_acasts';
uc $variable;
}
#
# Record that the ruleset requires the anycast addresses on the passed interface
#
sub get_interface_acasts ( $ ) {
my ( $interface ) = $_[0];
my $variable = interface_acasts( $interface );
$interfaceacasts{$interface} = qq($variable="\$(get_interface_acasts $interface) ff00::/10");
"\$$variable";
}
# #
# Returns the name of the shell variable holding the gateway through the passed interface # Returns the name of the shell variable holding the gateway through the passed interface
# #
@ -2388,10 +2414,19 @@ sub set_global_variables() {
unless ( $capabilities{ADDRTYPE} ) { unless ( $capabilities{ADDRTYPE} ) {
emit_comment unless $emitted_comment; emit_comment unless $emitted_comment;
emit_test unless $emitted_test; emit_test unless $emitted_test;
emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
for ( values %interfacebcasts ) { if ( $family == F_IPV4 ) {
emit $_; emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
for ( values %interfacebcasts ) {
emit $_;
}
} else {
emit 'ALL_ACASTS="$(get_all_acasts)"';
for ( values %interfaceacasts ) {
emit $_;
}
} }
} }

View File

@ -67,7 +67,7 @@ sub reinitialize() {
Shorewall::Nat::initialize; Shorewall::Nat::initialize;
Shorewall::Providers::initialize($family); Shorewall::Providers::initialize($family);
Shorewall::Tc::initialize($family); Shorewall::Tc::initialize($family);
Shorewall::Actions::initialize; Shorewall::Actions::initialize( $family );
Shorewall::Accounting::initialize; Shorewall::Accounting::initialize;
Shorewall::Rules::initialize($family); Shorewall::Rules::initialize($family);
Shorewall::Proxyarp::initialize; Shorewall::Proxyarp::initialize;

View File

@ -534,36 +534,48 @@ sub add_common_rules() {
$chainref = new_standard_chain 'smurfs'; $chainref = new_standard_chain 'smurfs';
if ( $family == F_IPV4 ) { if ( $capabilities{ADDRTYPE} ) {
if ( $capabilities{ADDRTYPE} ) { add_rule $chainref , '-s 0.0.0.0 -j RETURN';
add_rule $chainref , '-s 0.0.0.0 -j RETURN'; add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ; } else {
} else { if ( $family == F_IPV4 ) {
add_command $chainref, 'for address in $ALL_BCASTS; do'; add_command $chainref, 'for address in $ALL_BCASTS; do';
incr_cmd_level $chainref;
log_rule( $config{SMURF_LOG_LEVEL} , $chainref, 'DROP', '-s $address ' );
add_rule $chainref, '-s $address -j DROP';
decr_cmd_level $chainref;
add_command $chainref, 'done';
}
add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL} ;
if ( $capabilities{ADDRTYPE} ) {
add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP';
} else { } else {
add_command $rejectref, 'for address in $ALL_BCASTS; do'; add_command $chainref, 'for address in $ALL_ACASTS; do';
incr_cmd_level $rejectref;
add_rule $rejectref, '-d $address -j DROP';
decr_cmd_level $rejectref;
add_command $rejectref, 'done';
} }
incr_cmd_level $chainref;
log_rule( $config{SMURF_LOG_LEVEL} , $chainref, 'DROP', '-s $address ' );
add_rule $chainref, '-s $address -j DROP';
decr_cmd_level $chainref;
add_command $chainref, 'done';
}
if ( $family == F_IPV4 ) {
add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL};
} else {
add_rule_pair $chainref, '-s ff00::/10 ', 'DROP', $config{SMURF_LOG_LEVEL} if $family == F_IPV4;
}
if ( $capabilities{ADDRTYPE} ) {
add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP';
} else {
if ( $family == F_IPV4 ) {
add_command $rejectref, 'for address in $ALL_BCASTS; do';
} else {
add_command $rejectref, 'for address in $ALL_ACASTS; do';
}
incr_cmd_level $rejectref;
add_rule $rejectref, '-d $address -j DROP';
decr_cmd_level $rejectref;
add_command $rejectref, 'done';
}
if ( $family == F_IPV4 ) {
add_rule $rejectref , '-s 224.0.0.0/4 -j DROP'; add_rule $rejectref , '-s 224.0.0.0/4 -j DROP';
} else { } else {
my $predicate = '-s ' . IPv6_MULTICAST . ' '; add_rule $rejectref , '-s ff00::/10 -j DROP';
add_rule_pair $chainref , $predicate, 'DROP' , $config{SMURF_LOG_LEVEL};
add_rule $rejectref, "$predicate -j DROP";
} }
if ( @$list ) { if ( @$list ) {

View File

@ -628,8 +628,9 @@ sub validate_interfaces_file( $ )
%validoptions = ( blacklist => SIMPLE_IF_OPTION, %validoptions = ( blacklist => SIMPLE_IF_OPTION,
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
nosmurfs => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION, optional => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY, routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
sourceroute => BINARY_IF_OPTION, sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION, tcpflags => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION, mss => NUMERIC_IF_OPTION,

View File

@ -156,14 +156,6 @@ restore_dynamic_rules() {
fi fi
} }
#
# Get a list of all configured broadcast addresses on the system
#
get_all_bcasts()
{
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}
# #
# Run the .iptables_restore_input as a set of discrete iptables commands # Run the .iptables_restore_input as a set of discrete iptables commands
# #

View File

@ -562,39 +562,43 @@ convert_to_anycast() {
local m local m
while read address; do while read address; do
vlsm=${address#*/} case $address in
if [ ${vlsm:-128} -ne 128 ]; then 2*|3*)
# vlsm=${address#*/}
# Defines a subnet -- get the anycase address if [ ${vlsm:-128} -ne 128 ]; then
# #
address=$(normalize_address ${address%/*}) # Defines a subnet -- get the anycast address
#
address=$(normalize_address ${address%/*})
while [ $vlsm -le 112 ]; do while [ $vlsm -le 112 ]; do
address=${address%:*} address=${address%:*}
vlsm=$(($vlsm + 16)) vlsm=$(($vlsm + 16))
done done
if [ $vlsm -lt 128 ]; then if [ $vlsm -lt 128 ]; then
o=$((0x${address##*:})) o=$((0x${address##*:}))
m=0 m=0
while [ $vlsm -lt 128 ]; do while [ $vlsm -lt 128 ]; do
m=$((($m >> 1) | 0x8000)) m=$((($m >> 1) | 0x8000))
vlsm=$(($vlsm + 1)) vlsm=$(($vlsm + 1))
done done
o=$(($o & $m)) o=$(($o & $m))
address=${address%:*}:$(printf %04x $o) address=${address%:*}:$(printf %04x $o)
fi fi
list_count $(split $address) list_count $(split $address)
if [ $? -lt 8 ]; then if [ $? -lt 8 ]; then
address=$address:: address=$address::
fi fi
echo $address echo $address
fi fi
;;
esac
done done
} }
@ -602,7 +606,7 @@ convert_to_anycast() {
# Generate a list of anycast addresses for a given interface # Generate a list of anycast addresses for a given interface
# #
get_interface_bcasts() # $1 = interface get_interface_acasts() # $1 = interface
{ {
local addresses local addresses
addresses= addresses=
@ -610,6 +614,14 @@ get_interface_bcasts() # $1 = interface
find_interface_full_addresses $1 | convert_to_anycast | sort -u find_interface_full_addresses $1 | convert_to_anycast | sort -u
} }
#
# Get a list of all configured anycast addresses on the system
#
get_all_acasts()
{
find_interface_full_addresses | convert_to_anycast | sort -u
}
# #
# Internal version of 'which' # Internal version of 'which'
# #

View File

@ -506,6 +506,8 @@ show_command() {
case $1 in case $1 in
actions) actions)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "allowBcast # Accept Multicast and Anycast Packets"
echo "dropBcast # Silently Drop Multicast and Anycast Packets"
echo "allowInvalid # Accept packets that are in the INVALID conntrack state." echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state" echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
echo "dropNotSyn # Silently Drop Non-syn TCP packets" echo "dropNotSyn # Silently Drop Non-syn TCP packets"

View File

@ -50,6 +50,8 @@ BLACKLIST_LOGLEVEL=
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################