Last batch of IPv6 changes for the day

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8952 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-08 22:51:17 +00:00
parent 285225b87a
commit 65745cd6a2
5 changed files with 142 additions and 70 deletions


@ -1140,7 +1140,7 @@ sub do_proto( $$$ )
PROTO: PROTO:
{ {
if ( $proto == TCP || $proto == UDP || $proto == SCTP ) { if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP ) {
my $multiport = 0; my $multiport = 0;
if ( $ports ne '' ) { if ( $ports ne '' ) {
@ -1172,6 +1172,7 @@ sub do_proto( $$$ )
last PROTO; } last PROTO; }
if ( $proto == ICMP ) { if ( $proto == ICMP ) {
fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6;
if ( $ports ne '' ) { if ( $ports ne '' ) {
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/; fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
$ports = validate_icmp $ports; $ports = validate_icmp $ports;
@ -1182,6 +1183,19 @@ sub do_proto( $$$ )
last PROTO; } last PROTO; }
if ( $proto == IPv6_ICMP ) {
fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4;
if ( $ports ne '' ) {
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
$ports = validate_icmp6 $ports;
$output .= "--icmpv6-type $ports ";
}
fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
last PROTO; }
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne ''; fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne '';
} # PROTO } # PROTO
@ -1965,7 +1979,7 @@ sub expand_rule( $$$$$$$$$$$ )
if ( $source eq '-' ) { if ( $source eq '-' ) {
$source = ''; $source = '';
} elsif ( $family == F_IPV4 ) { } elsif ( $family == F_IPV4 ) {
if ( $source =~ /^([^:]+):([^:]+)$/ ) { if ( $source =~ /^(.+?):(.+)$/ ) {
$iiface = $1; $iiface = $1;
$inets = $2; $inets = $2;
} elsif ( $source =~ /\+|~|\..*\./ ) { } elsif ( $source =~ /\+|~|\..*\./ ) {
@ -1973,7 +1987,7 @@ sub expand_rule( $$$$$$$$$$$ )
} else { } else {
$iiface = $source; $iiface = $source;
} }
} elsif ( $source =~ /^([^;]+);([^;]+)$/ ) { } elsif ( $source =~ /^(.+?):\[(.+)\]\s+$/ ) {
$iiface = $1; $iiface = $1;
$inets = $2; $inets = $2;
} elsif ( $source =~ /\+|~|\..*\./ ) { } elsif ( $source =~ /\+|~|\..*\./ ) {
@ -2046,7 +2060,7 @@ sub expand_rule( $$$$$$$$$$$ )
$dest = ''; $dest = '';
} elsif ( $family == F_IPV4 ) { } elsif ( $family == F_IPV4 ) {
if ( $dest =~ /^([^:]+):([^:]+)$/ ) { if ( $dest =~ /^(.+?):(.+)$/ ) {
$diface = $1; $diface = $1;
$dnets = $2; $dnets = $2;
} elsif ( $dest =~ /\+|~|\..*\./ ) { } elsif ( $dest =~ /\+|~|\..*\./ ) {
@ -2054,7 +2068,7 @@ sub expand_rule( $$$$$$$$$$$ )
} else { } else {
$diface = $dest; $diface = $dest;
} }
} elsif ( $dest =~ /^([^;]+);([^;]+)$/ ) { } elsif ( $dest =~ /^(.+?):\[(.+)\]\s+$/ ) {
$diface = $1; $diface = $1;
$dnets = $2; $dnets = $2;
} elsif ( $dest =~ /\+|~|\..*\./ ) { } elsif ( $dest =~ /\+|~|\..*\./ ) {
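Review bot: The new IPv6 branches at L50 and L65 match only when the SOURCE or DEST value ends in at least one whitespace character (`\s+$`), so a value such as `eth0:[2001:db8::1]` coming out of a whitespace-split column would not match and would fall through to the ipset/MAC test on the following line and then to whatever comes after it (expand_rule continues outside these hunks). Unless the caller deliberately preserves trailing blanks, the anchor should be `\s*$` or simply `$`: `} elsif ( $source =~ /^(.+?):\[(.+)\]\s*$/ ) {` and likewise for `$dest`; process_tos in this same commit uses `\s$`, exactly one blank, for the same form, so the patterns also disagree with each other. Note also that the IPv4 pattern changed from `^([^:]+):([^:]+)$` to `^(.+?):(.+)$`, which now accepts a value with more than one colon such as `eth0:1.2.3.4:x` and hands `1.2.3.4:x` to the address validation downstream; if that validation is strict this is harmless, but the old pattern rejected it up front.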


@ -69,7 +69,7 @@ sub reinitialize() {
Shorewall::Tc::initialize; Shorewall::Tc::initialize;
Shorewall::Actions::initialize; Shorewall::Actions::initialize;
Shorewall::Accounting::initialize; Shorewall::Accounting::initialize;
Shorewall::Rules::initialize; Shorewall::Rules::initialize($family);
Shorewall::Proxyarp::initialize; Shorewall::Proxyarp::initialize;
} }


@ -39,6 +39,7 @@ our @EXPORT = qw( ALLIPv4
TCP TCP
UDP UDP
ICMP ICMP
DCCP
IPv6_ICMP IPv6_ICMP
SCTP SCTP
@ -75,7 +76,8 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
ICMP => 1, ICMP => 1,
TCP => 6, TCP => 6,
UDP => 17, UDP => 17,
ICMPv6_ICMP => 58, DCCP => 33,
IPv6_ICMP => 58,
SCTP => 132 }; SCTP => 132 };
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ); our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );


@ -55,6 +55,7 @@ our $sectioned;
our $macro_nest_level; our $macro_nest_level;
our $current_param; our $current_param;
our @param_stack; our @param_stack;
our $family;
# #
# When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these # When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these
@ -72,7 +73,8 @@ my %rules_commands = ( COMMENT => 0,
# the second and subsequent calls to that function. # the second and subsequent calls to that function.
# #
sub initialize() { sub initialize( $ ) {
$family = shift;
$sectioned = 0; $sectioned = 0;
$macro_nest_level = 0; $macro_nest_level = 0;
$current_param = ''; $current_param = '';
@ -80,7 +82,7 @@ sub initialize() {
} }
INIT { INIT {
initialize; initialize( F_IPV4 );
} }
use constant { MAX_MACRO_NEST_LEVEL => 5 }; use constant { MAX_MACRO_NEST_LEVEL => 5 };
@ -121,9 +123,17 @@ sub process_tos() {
my $restriction = NO_RESTRICT; my $restriction = NO_RESTRICT;
my ( $srczone , $source , $remainder ) = split( /:/, $src, 3 ); my ( $srczone , $source , $remainder );
fatal_error 'Invalid SOURCE' if defined $remainder; if ( $family == F_IPV4 ) {
( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
fatal_error 'Invalid SOURCE' if defined $remainder;
} elsif ( $src =~ /^(.+?):\[(.*)]\s$/ ) {
$srczone = $1;
$source = $2;
} else {
$srczone = $src;
}
if ( $srczone eq firewall_zone ) { if ( $srczone eq firewall_zone ) {
$chainref = $outtosref; $chainref = $outtosref;
@ -518,24 +528,26 @@ sub add_common_rules() {
setup_blacklist; setup_blacklist;
$list = find_hosts_by_option 'nosmurfs'; if ( $family == F_IPV4 ) {
$list = find_hosts_by_option 'nosmurfs';
$chainref = new_standard_chain 'smurfs'; $chainref = new_standard_chain 'smurfs';
if ( $capabilities{ADDRTYPE} ) { if ( $capabilities{ADDRTYPE} ) {
add_rule $chainref , '-s 0.0.0.0 -j RETURN'; add_rule $chainref , '-s 0.0.0.0 -j RETURN';
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ; add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
} else { } else {
add_command $chainref, 'for address in $ALL_BCASTS; do'; add_command $chainref, 'for address in $ALL_BCASTS; do';
incr_cmd_level $chainref; incr_cmd_level $chainref;
log_rule( $config{SMURF_LOG_LEVEL} , $chainref, 'DROP', '-s $address ' ); log_rule( $config{SMURF_LOG_LEVEL} , $chainref, 'DROP', '-s $address ' );
add_rule $chainref, '-s $address -j DROP'; add_rule $chainref, '-s $address -j DROP';
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_command $chainref, 'done'; add_command $chainref, 'done';
}
add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL} ;
} }
add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL} ;
if ( $capabilities{ADDRTYPE} ) { if ( $capabilities{ADDRTYPE} ) {
add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP'; add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP';
} else { } else {
@ -585,9 +597,10 @@ sub add_common_rules() {
} }
} }
$list = find_hosts_by_option 'norfc1918'; if ( $family == F_IPV4 ) {
$list = find_hosts_by_option 'norfc1918';
setup_rfc1918_filteration $list if @$list; setup_rfc1918_filteration $list if @$list;
}
$list = find_hosts_by_option 'tcpflags'; $list = find_hosts_by_option 'tcpflags';
@ -634,15 +647,17 @@ sub add_common_rules() {
} }
} }
$list = find_interfaces_by_option 'upnp'; if ( $family == F_IPV4 ) {
$list = find_interfaces_by_option 'upnp';
if ( @$list ) { if ( @$list ) {
progress_message2 '$doing UPnP'; progress_message2 '$doing UPnP';
new_nat_chain( 'UPnP' ); new_nat_chain( 'UPnP' );
for $interface ( @$list ) { for $interface ( @$list ) {
add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP'; add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
}
} }
} }
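Review bot: The smurfs chain is now built only when `$family == F_IPV4` (L137-L152), but the block right after it at L154-L156, which adds `-m addrtype --src-type BROADCAST -j DROP` to the reject chain (its else branch is cut off here), is left unguarded, so an IPv6 compile still emits an IPv4-only broadcast rule; IPv6 has no broadcast addresses and addrtype support in ip6tables is kernel-dependent, so this is at best a no-op and at worst a rule-load failure when the generated script runs. Wrapping it the same way, `if ( $family == F_IPV4 ) { ... }`, or hoisting a single family test over both blocks, would keep the two consistent. Separately, `$list = find_hosts_by_option 'nosmurfs'` is now skipped for IPv6 while the IPv6 hosts-file validator in Zones.pm still accepts `nosmurfs`; if the code that later walks `@$list` to add jumps to `smurfs` (outside this hunk) is not guarded as well, it will see `$list`'s previous value and reference a chain that was never created. add_common_rules begins and ends outside these hunks.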


@ -593,25 +593,40 @@ sub validate_interfaces_file( $ )
IF_OPTION_ZONEONLY => 8 }; IF_OPTION_ZONEONLY => 8 };
my %validoptions = (arp_filter => BINARY_IF_OPTION, my %validoptions;
arp_ignore => ENUM_IF_OPTION,
blacklist => SIMPLE_IF_OPTION, if ( $family == F_IPV4 ) {
bridge => SIMPLE_IF_OPTION, %validoptions = (arp_filter => BINARY_IF_OPTION,
detectnets => OBSOLETE_IF_OPTION, arp_ignore => ENUM_IF_OPTION,
dhcp => SIMPLE_IF_OPTION, blacklist => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
logmartians => BINARY_IF_OPTION, detectnets => OBSOLETE_IF_OPTION,
norfc1918 => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
nosmurfs => SIMPLE_IF_OPTION, maclist => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION, logmartians => BINARY_IF_OPTION,
proxyarp => BINARY_IF_OPTION, norfc1918 => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY, nosmurfs => SIMPLE_IF_OPTION,
routefilter => BINARY_IF_OPTION, optional => SIMPLE_IF_OPTION,
sourceroute => BINARY_IF_OPTION, proxyarp => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION, routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
upnp => SIMPLE_IF_OPTION, routefilter => BINARY_IF_OPTION,
mss => NUMERIC_IF_OPTION, sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION,
upnp => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION,
); );
} else {
%validoptions = ( blacklist => SIMPLE_IF_OPTION,
bridge => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION,
forward => NUMERIC_IF_OPTION,
);
}
my $fn = open_file 'interfaces'; my $fn = open_file 'interfaces';
@ -933,18 +948,33 @@ sub set_interface_option( $$$ ) {
# #
sub validate_hosts_file() sub validate_hosts_file()
{ {
my %validoptions = ( my %validoptions;
blacklist => 1,
maclist => 1, if ( $family == F_IPV4 ) {
norfc1918 => 1, %validoptions = (
nosmurfs => 1, blacklist => 1,
routeback => 1, maclist => 1,
routefilter => 1, norfc1918 => 1,
tcpflags => 1, nosmurfs => 1,
broadcast => 1, routeback => 1,
destonly => 1, routefilter => 1,
sourceonly => 1, tcpflags => 1,
broadcast => 1,
destonly => 1,
sourceonly => 1,
); );
} else {
%validoptions = (
blacklist => 1,
maclist => 1,
nosmurfs => 1,
routeback => 1,
tcpflags => 1,
broadcast => 1,
destonly => 1,
sourceonly => 1,
);
}
my $ipsec = 0; my $ipsec = 0;
my $first_entry = 1; my $first_entry = 1;
@ -968,13 +998,24 @@ sub validate_hosts_file()
my $interface; my $interface;
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) { if ( $family == F_IPV4 ) {
$interface = $1; if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
$hosts = $2; $interface = $1;
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/; $hosts = $2;
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root}; $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
} else {
fatal_error "Invalid HOST(S) column contents: $hosts";
}
} else { } else {
fatal_error "Invalid HOST(S) column contents: $hosts"; if ( $hosts =~ /^([\w.@%-]+\+?)\[(.*)\]\s+$/ ) {
$interface = $1;
$hosts = $2;
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
} else {
fatal_error "Invalid HOST(S) column contents: $hosts";
}
} }
if ( $type eq 'bport' ) { if ( $type eq 'bport' ) {
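Review bot: The IPv6 hosts pattern at L263, `^([\w.@%-]+\+?)\[(.*)\]\s+$`, differs from the `interface:[addresses]` form that expand_rule and process_tos accept in this same commit (`(.+?):\[(.+)\]`) by having no colon between the interface and the bracket, and like them it only matches when the column value carries trailing whitespace (`\s+$`); unless the hosts file is meant to use a different syntax, `if ( $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]\s*$/ ) {` would make the three parsers agree. A value that fails the match reaches `fatal_error "Invalid HOST(S) column contents"`, so the consequence is a rejected configuration rather than a wider match, but the inconsistency should be settled before the syntax is documented. The IPv6 branch of validate_hosts_file also keeps `nosmurfs => 1` (L241) while the IPv6 interfaces option table drops it (L206-L215) and Rules.pm now builds the smurfs chain only for IPv4; either drop `nosmurfs` from the IPv6 hosts options or reject it with a family-specific error so the option is not silently accepted with no effect. Both functions extend beyond these hunks.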