From 63705c0b64119108877182b85b73ad21c0c18764 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 28 Sep 2007 22:26:29 +0000 Subject: [PATCH] Bring trunk up to date with 4.0 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7401 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-perl/Shorewall/Config.pm | 2 ++ Shorewall-perl/Shorewall/Policy.pm | 15 ++++++++------- Shorewall-perl/Shorewall/Rules.pm | 17 ++++++++++++++--- Shorewall-perl/Shorewall/Zones.pm | 2 ++ 4 files changed, 26 insertions(+), 10 deletions(-) diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index 3fdb0db02..296b583ba 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm @@ -323,6 +323,7 @@ sub initialize() { EXPAND_POLICIES => undef, KEEP_RT_TABLES => undef, DELETE_THEN_ADD => undef, + MULTICAST => undef, # # Packet Disposition # @@ -1467,6 +1468,7 @@ sub get_configuration( $ ) { default_yes_no 'EXPAND_POLICIES' , ''; default_yes_no 'KEEP_RT_TABLES' , ''; default_yes_no 'DELETE_THEN_ADD' , 'Yes'; + default_yes_no 'MULTICAST ' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm index 46e882574..ebd0aaa0c 100644 --- a/Shorewall-perl/Shorewall/Policy.pm +++ b/Shorewall-perl/Shorewall/Policy.pm 
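Review bot: The key on the added line in the second Config.pm hunk carries a trailing space, `default_yes_no 'MULTICAST ' , '';`, so it does not match the `MULTICAST` key initialized in the first hunk nor the `$config{MULTICAST}` that Policy.pm reads. Whatever normalization `default_yes_no` applies to the other yes/no options therefore never reaches the real setting, and a value such as `No` written in shorewall.conf would presumably survive as a non-empty, true string when tested with `if $dropmulticast` — confirm against default_yes_no's implementation, which is not visible here. The line should read `default_yes_no 'MULTICAST' , '';`.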
@@ -338,10 +338,11 @@ sub validate_policy() # # Policy Rule application # -sub policy_rules( $$$$ ) { - my ( $chainref , $target, $loglevel, $default ) = @_; +sub policy_rules( $$$$$ ) { + my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_; unless ( $target eq 'NONE' ) { + add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE'; add_rule $chainref, "-j $default" if $default && $default ne 'none'; log_rule $loglevel , $chainref , $target , '' if $loglevel ne ''; fatal_error "Null target in policy_rules()" unless $target; @@ -371,19 +372,19 @@ sub default_policy( $$$ ) { fatal_error "No default policy for $_[1] to zone $_[2]" unless $policyref; if ( $chainref eq $policyref ) { - policy_rules $chainref , $policy, $loglevel , $default; + policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST}; } else { if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) { if ( $synparams ) { report_syn_flood_protection; - policy_rules $chainref , $policy , $loglevel , $default; + policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST}; } else { add_rule $chainref, "-j $policyref->{name}"; $chainref = $policyref; } } elsif ( $policy eq 'CONTINUE' ) { report_syn_flood_protection if $synparams; - policy_rules $chainref , $policy , $loglevel , $default; + policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST}; } else { report_syn_flood_protection if $synparams; add_rule $chainref , "-j $policyref->{name}"; @@ -412,7 +413,7 @@ sub apply_policy_rules() { if ( $name =~ /^all2|2all$/ ) { run_user_exit $chainref; - policy_rules $chainref , $policy, $loglevel , $default; + policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST}; } } 
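Review bot: The new `-d 224.0.0.0/24 -j RETURN` rule in policy_rules is emitted for every target except CONTINUE, so it also precedes the `-j ACCEPT` of an ACCEPT/QUEUE/NFQUEUE policy and hands link-local multicast back to the calling chain instead of accepting it; if the intent is only to keep such packets out of the log and away from a DROP/REJECT default, the guard should probably be narrowed, e.g. `add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';` — confirm against the intended semantics of MULTICAST. The parameter name `$dropmulticast` is also misleading, because the rule returns rather than drops; `$multicast` or `$skipmulticast` would describe it. Because the rule is placed before `log_rule`, the chain deliberately never logs these packets, which deserves a comment such as `# Link-local multicast (224.0.0.0/24) is returned to the caller unlogged rather than hitting the policy`. Note that only the link-local /24 is covered, not the whole 224.0.0.0/4 range; if that is deliberate, say so in the same comment.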
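Review bot: `$config{MULTICAST}` is looked up three times in the default_policy hunk (and once more in apply_policy_rules) as a positional fifth argument to `policy_rules`; hoisting it once, e.g. `my $multicast = $config{MULTICAST};` near the top of default_policy, would let each call read `policy_rules $chainref , $policy , $loglevel , $default, $multicast;` and keep the knob in one place. The `else` branches that emit `add_rule $chainref , "-j $policyref->{name}";` rely on the shared policy chain having been populated through apply_policy_rules with the same flag, which this commit does, but a one-line comment there would make the dependency visible. default_policy begins and ends outside this hunk.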
@@ -454,7 +455,7 @@ sub complete_standard_chain ( $$$ ) { ( $policy, $loglevel, $default ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref; - policy_rules $stdchainref , $policy , $loglevel, $default; + policy_rules $stdchainref , $policy , $loglevel, $default, 0; } # diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index dbc01623d..1c653bb5a 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -998,7 +998,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) { if ( $dest eq '-' ) { $dest = firewall_zone; } else { - $dest = join( '', firewall_zone, '::', $dest ); + $dest = join( '', firewall_zone, '::', $dest ) unless $dest =~ /(.+?)::/; } } elsif ( $action eq 'REJECT' ) { $action = 'reject'; @@ -1585,14 +1585,24 @@ sub generate_matrix() { my $dest = match_dest_net $net; if ( $chain1 ) { + my $nextchain; + my $outputref = $filter_table->{output_chain $interface}; + if ( @$exclusions ) { - add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j ${zone}_output" ); + add_rule $outputref , join( '', $dest, $ipsec_out_match, "-j ${zone}_output" ); add_rule $filter_table->{"${zone}_output"} , "-j $chain1"; + $nextchain = "${zone}_output"; } else { - add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" ); + add_rule $outputref , join( '', $dest, $ipsec_out_match, "-j $chain1" ); + $nextchain = $chain1; } + + add_rule( $outputref , join('', match_source_net $net, '-d 255.255.255.255 ' . $ipsec_out_match, "-j $nextchain" ) ) + if $hostref->{options}{broadcast}; } + next if$hostref->{options}{destonly}; + my $source = match_source_net $net; insertnatjump 'PREROUTING' , dnat_chain $zone, \$prerouting_rule, join( '', match_source_dev( $interface), $source, $ipsec_in_match ); 
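Review bot: The fifth argument on the changed line in complete_standard_chain is a bare literal `0`, which reads as a magic value beside the `$config{MULTICAST}` passed by every other caller; a trailing comment should record that standard chains intentionally never receive the `224.0.0.0/24` RETURN rule, e.g. `policy_rules $stdchainref , $policy , $loglevel, $default, 0; # standard chains never get the multicast RETURN`. Whether that exemption is right for the chains built here cannot be judged from the hunk; complete_standard_chain starts outside it.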
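Review bot: In the Rules.pm hunk at line 998 the capture group in `unless $dest =~ /(.+?)::/` is never used and the pattern is unanchored, so the test is simply "a `::` occurs after at least one character"; `unless index( $dest, '::' ) > 0` says that directly and is equivalent. Presumably the intent is to leave a DEST the user already wrote as `zone::…` untouched, but if the branch requires the firewall as destination (its opening `$action` test lies above the hunk), nothing now checks that the supplied prefix is `firewall_zone`, so another zone name would pass through unprefixed — confirm, and consider a `fatal_error` when the prefix is not the firewall zone. process_rule1 continues outside the hunk.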
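Review bot: In the added broadcast rule of the generate_matrix hunk, `match_source_net $net` is called without parentheses as the first element of a `join` list, so unless `match_source_net` is declared with a `($)` prototype it will consume `'-d 255.255.255.255 ' . $ipsec_out_match` and `"-j $nextchain"` as extra arguments and the generated rule loses its destination and target; the same hunk already writes `match_source_dev( $interface)` with parentheses, so the call should be `join( '', match_source_net( $net ), '-d 255.255.255.255 ' . $ipsec_out_match, "-j $nextchain" )` — confirm the prototype at the sub's definition, which is not visible here. The rule appears to attribute limited broadcasts emitted by the firewall to the zone via the firewall's own source address in `$net`, which deserves a comment like `# Limited broadcasts have no zone-matching -d; attribute them to the zone by source address`. `next if$hostref->{options}{destonly};` is missing the space after `if`. The loop these lines belong to starts and ends outside the hunk.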
@@ -1744,6 +1754,7 @@ sub generate_matrix() { my $arrayref = $typeref->{$interface}; my $chain3ref = $filter_table->{forward_chain $interface}; for my $hostref ( @$arrayref ) { + next if $hostref->{options}{destonly}; for my $net ( @{$hostref->{hosts}} ) { for my $type1ref ( values %$dest_hosts_ref ) { for my $interface1 ( keys %$type1ref ) { diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm index aed7c1f90..d7b9cc2fb 100644 --- a/Shorewall-perl/Shorewall/Zones.pm +++ b/Shorewall-perl/Shorewall/Zones.pm @@ -880,6 +880,8 @@ sub validate_hosts_file() routeback => 1, routefilter => 1, tcpflags => 1, + broadcast => 1, + destonly => 1, ); my $ipsec = 0;
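Review bot: The added `next if $hostref->{options}{destonly};` silently drops an entire hosts entry as a forwarding source with no explanation of what `destonly` means; a comment such as `# destonly hosts are never a source, so no forward rules originate from them` would help, and the matching skip in the output/PREROUTING loop earlier in this file should carry the same wording so the two stay consistent. The enclosing loops of generate_matrix start and end outside this hunk.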
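Review bot: The two keys added to the options whitelist in validate_hosts_file carry no note of their meaning, and this table is the only place a hosts-file author's spelling is checked; a short comment per key, e.g. `broadcast => 1, # also route firewall broadcasts (255.255.255.255) to this zone` and `destonly => 1, # entry is only ever a destination; no source rules are generated`, would document the contract the Rules.pm changes in this commit rely on (wording to be confirmed against the generator). Whether `destonly` should be rejected in combination with options that only matter for a source, if any exist, cannot be judged from this hunk; validate_hosts_file starts outside it.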