extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-14 01:28:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add 'unmanaged' option

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-06-10 12:36:18 -07:00
parent c653d9ce83
commit 53f1cd40df
4 changed files with 172 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -1428,7 +1428,9 @@ sub handle_loopback_traffic() {
my $rawout = $raw_table->{OUTPUT};
my $rulenum = 0;
my $loopback = loopback_zones;
my $loref = known_interface('lo');
my $unmanaged;
my $outchainref;
my @rule;
@ -1442,8 +1444,13 @@ sub handle_loopback_traffic() {
#
# Only the firewall -- just use the OUTPUT chain
#
$outchainref = $filter_table->{OUTPUT};
@rule = ( o => 'lo');
if ( $unmanaged = $loref && $loref->{options}{unmanaged} ) {
add_ijump( $filter_table->{INPUT}, j => 'ACCEPT', i => 'lo' );
add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => 'lo' );
} else {
$outchainref = $filter_table->{OUTPUT};
@rule = ( o => 'lo');
}
}
for my $z1 ( @zones ) {
@ -1456,10 +1463,9 @@ sub handle_loopback_traffic() {
#
if ( $type1 == FIREWALL ) {
for my $z2 ( @zones ) {
next if $loopback && $z1 eq $z2;
next if $z1 eq $z2 && ( $loopback || $unmanaged );
my $chain = rules_target( $z1, $z2 );
generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
}
#
@ -2081,7 +2087,7 @@ sub optimize1_zones( $$@ ) {
# nat-table rules.
#
sub generate_matrix() {
my @interfaces = ( all_interfaces );
my @interfaces = ( managed_interfaces );
#
# Should this be the real PREROUTING chain?
#
@ -2250,17 +2256,23 @@ sub generate_matrix() {
add_interface_jumps @interfaces unless $interface_jumps_added;
my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
unless ( $config{COMPLETE} ) {
for ( unmanaged_interfaces ) {
my $physical = get_physical $_;
add_ijump( $filter_table->{INPUT}, j => 'ACCEPT', i => $physical );
add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => $physical );
}
complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone , 'DROP';
complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all', 'REJECT';
complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all', 'REJECT';
}
if ( $config{LOGALLNEW} ) {
my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
for my $table ( qw/mangle nat filter/ ) {
for my $chain ( @{$builtins{$table}} ) {
log_rule_limit

61
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -72,6 +72,8 @@ our @EXPORT = ( qw( NOTHING
all_real_interfaces
all_plain_interfaces
all_bridges
managed_interfaces
unmanaged_interfaces
interface_number
find_interface
known_interface
@ -244,9 +246,28 @@ use constant { NO_UPDOWN => 1,
our %validinterfaceoptions;
our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 );
our %prohibitunmanaged = (
blacklist => 1,
bridge => 1,
destonly => 1,
detectnets => 1,
dhcp => 1,
maclist => 1,
nets => 1,
norfc1918 => 1,
nosmurfs => 1,
optional => 1,
routeback => 1,
rpfilter => 1,
sfilter => 1,
tcpflags => 1,
upnp => 1,
upnpclient => 1,
);
our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN, accept_ra => 2 );
our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 , ignore => 3 );
our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );
our %validhostoptions;
@ -332,6 +353,7 @@ sub initialize( $$ ) {
upnpclient => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
physical => STRING_IF_OPTION + IF_OPTION_HOST,
unmanaged => SIMPLE_IF_OPTION,
wait => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
);
%validhostoptions = (
@ -374,6 +396,7 @@ sub initialize( $$ ) {
mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
forward => BINARY_IF_OPTION,
physical => STRING_IF_OPTION + IF_OPTION_HOST,
unmanaged => SIMPLE_IF_OPTION,
wait => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
);
%validhostoptions = (
@ -1305,7 +1328,7 @@ sub process_interface( $$ ) {
$hostoptions{routeback} = $options{routeback} = 1;
}
$hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || $options{routeback};
$hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || $options{routeback} || $options{unmanaged};
$hostoptionsref = \%hostoptions;
} else {
@ -1319,6 +1342,14 @@ sub process_interface( $$ ) {
$options{ignore} ||= 0;
}
if ( $options{unmanaged} ) {
fatal_error "The 'lo' interface may not be unmanaged when there are vserver zones" if $physical eq 'lo' && vserver_zones;
while ( my ( $option, $value ) = each( %options ) ) {
fatal_error "The $option option may not be specified with 'unmanaged'" if $prohibitunmanaged{$option};
}
}
$physical{$physical} = $interfaces{$interface} = { name => $interface ,
bridge => $bridge ,
filter => $filterref ,
@ -1334,6 +1365,8 @@ sub process_interface( $$ ) {
};
if ( $zone ) {
fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
if ( $physical eq 'lo' ) {
fatal_error "Only a loopback zone may be assigned to 'lo'" unless $zoneref->{type} == LOOPBACK;
fatal_error "Invalid definition of 'lo'" if $bridge ne $interface;
@ -1490,7 +1523,7 @@ sub known_interface($)
}
}
0;
$physical{$interface} || 0;
}
#
@ -1508,10 +1541,10 @@ sub all_interfaces() {
}
#
# Return all non-vserver interfaces
# Return all managed non-vserver interfaces
#
sub all_real_interfaces() {
grep $_ ne '%vserver%', @interfaces;
grep $_ ne '%vserver%' && ! $interfaces{$_}{options}{unmanaged}, @interfaces;
}
#
@ -1521,6 +1554,20 @@ sub all_bridges() {
grep ( $interfaces{$_}{options}{bridge} , @interfaces );
}
#
# Return a list of managed interfaces
#
sub managed_interfaces() {
grep (! $interfaces{$_}{options}{unmanaged} , @interfaces );
}
#
# Return a list of unmanaged interfaces (skip 'lo' since it is implicitly unmanaged when there are no loopback zones).
#
sub unmanaged_interfaces() {
grep ( $interfaces{$_}{options}{unmanaged} && $_ ne 'lo', @interfaces );
}
#
# Return a reference to the interfaces table entry for an interface
#
@ -1913,6 +1960,8 @@ sub process_host( ) {
$hosts = $2;
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
if ( $interfaceref->{name} eq 'lo' ) {
fatal_error "Only a loopback zone may be associated with the loopback interface (lo)" if $type != LOOPBACK;
} else {

57
Shorewall/manpages/shorewall-interfaces.xml
View File

@ -210,7 +210,7 @@ loc eth2 -</programlisting>
changed; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para>
<para></para>
<para/>
<note>
<para>This option does not work with a wild-card
@ -244,7 +244,7 @@ loc eth2 -</programlisting>
<para>8 - do not reply for all local addresses</para>
<para></para>
<para/>
<note>
<para>This option does not work with a wild-card
@ -252,7 +252,7 @@ loc eth2 -</programlisting>
the INTERFACE column.</para>
</note>
<para></para>
<para/>
<warning>
<para>Do not specify <emphasis
@ -411,7 +411,7 @@ loc eth2 -</programlisting>
1
teastep@lists:~$ </programlisting>
<para></para>
<para/>
<note>
<para>This option does not work with a wild-card
@ -719,6 +719,55 @@ loc eth2 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>unmanaged</term>
<listitem>
<para>Added in Shorewall 4.5.18. Causes all traffic between
the firewall and hosts on the interface to be accepted. When
this option is given:</para>
<itemizedlist>
<listitem>
<para>The ZONE column must contain '-'.</para>
</listitem>
<listitem>
<para>Only the following other options are allowed with
<emphasis role="bold">unmanaged</emphasis>:</para>
<simplelist>
<member><emphasis
role="bold">arp_filter</emphasis></member>
<member><emphasis
role="bold">arp_ignore</emphasis></member>
<member><emphasis role="bold">ignore</emphasis></member>
<member><emphasis
role="bold">routefilter</emphasis></member>
<member><emphasis
role="bold">optional</emphasis></member>
<member><emphasis
role="bold">physical</emphasis></member>
<member><emphasis
role="bold">routefilter</emphasis></member>
<member><emphasis
role="bold">sourceroute</emphasis></member>
<member><emphasis
role="bold">proxyndp</emphasis></member>
</simplelist>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">upnp</emphasis></term>

43
Shorewall6/manpages/shorewall6-interfaces.xml
View File

@ -514,6 +514,49 @@ loc eth2 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>unmanaged</term>
<listitem>
<para>Added in Shorewall 4.5.18. Causes all traffic between
the firewall and hosts on the interface to be accepted. When
this option is given:</para>
<itemizedlist>
<listitem>
<para>The ZONE column must contain '-'.</para>
</listitem>
<listitem>
<para>Only the following other options are allowed with
<emphasis role="bold">unmanaged</emphasis>:</para>
<simplelist>
<member><emphasis
role="bold">accept_ra</emphasis></member>
<member><emphasis
role="bold">forward</emphasis></member>
<member><emphasis role="bold">ignore</emphasis></member>
<member><emphasis
role="bold">optional</emphasis></member>
<member><emphasis
role="bold">physical</emphasis></member>
<member><emphasis
role="bold">sourceroute</emphasis></member>
<member><emphasis
role="bold">proxyndp</emphasis></member>
</simplelist>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">wait</emphasis>=<emphasis>seconds</emphasis></term>