From 7e984af09420fef76ffaad7e8b4726b44803f6d5 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 7 Feb 2017 13:19:53 -0800 Subject: [PATCH] Some cleanup of policy actions - Allow '+' in policy file action list Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Rules.pm | 114 +++++++++--------- Shorewall/manpages/shorewall-policy.xml | 12 +- Shorewall6/Samples6/Universal/shorewall6.conf | 6 +- .../Samples6/one-interface/shorewall6.conf | 6 +- .../Samples6/three-interfaces/shorewall6.conf | 6 +- .../Samples6/two-interfaces/shorewall6.conf | 6 +- Shorewall6/manpages/shorewall6-policy.xml | 10 +- docs/Actions.xml | 15 +-- 8 files changed, 94 insertions(+), 81 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 16c09237b..ca4c7ce08 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -138,7 +138,7 @@ our %section_rmap = ( ALL_SECTION , 'ALL', our @policy_chains; -our %default_actions; +our %policy_actions; our %macros; @@ -311,12 +311,14 @@ sub initialize( $ ) { # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored # in the %config hash when shorewall[6].conf was processed. # - %default_actions = ( DROP => [] , - REJECT => [] , - BLACKLIST => [] , - ACCEPT => [] , - QUEUE => [] , - NFQUEUE => [] , + %policy_actions = ( DROP => [] , + REJECT => [] , + BLACKLIST => [] , + ACCEPT => [] , + QUEUE => [] , + NFQUEUE => [] , + CONTINUE => [] , + NONE => [] , ); # # These are set to 1 as sections are encountered. @@ -430,7 +432,7 @@ sub convert_to_policy_chain($$$$$$) $chainref->{audit} = $audit; $chainref->{policychain} = $chainref->{name}; $chainref->{policypair} = [ $source, $dest ]; - $chainref->{defaults} = []; + $chainref->{pactions} = []; } # 
@@ -480,7 +482,7 @@ sub set_policy_chain($$$$$$) $chainref->{synchain} = $polchainref->{synchain}; } - $chainref->{defaults} = $polchainref->{defaults}; + $chainref->{pactions} = $polchainref->{pactions} || []; $chainref->{is_policy} = 1; push @policy_chains, $chainref; } else { @@ -529,12 +531,12 @@ sub normalize_action( $$$ ); sub normalize_action_name( $ ); sub normalize_single_action( $ ); -sub process_default_action( $$$$ ) { - my ( $originalpolicy, $policy, $default, $level ) = @_; +sub process_policy_action( $$$$ ) { + my ( $originalpolicy, $policy, $paction, $level ) = @_; - if ( supplied $default ) { - my $default_option = ( $policy =~ /_DEFAULT$/ ); - my ( $def, $param ) = get_target_param( $default ); + if ( supplied $paction ) { + my $paction_option = ( $policy =~ /_DEFAULT$/ ); + my ( $act, $param ) = get_target_param( $paction ); if ( supplied $level ) { validate_level( $level ); 
@@ -542,46 +544,48 @@ sub process_default_action( $$$$ ) { $level = 'none'; } - if ( ( $targets{$def} || 0 ) & ACTION ) { - $default = supplied $param ? normalize_action( $def, $level, $param ) : - $level eq 'none' ? normalize_action_name $def : - normalize_action( $def, $level, '' ); - } elsif ( ( $targets{$def} || 0 ) == INLINE ) { - $default = $def; - $default = "$def($param)" if supplied $param; - $default = join( ':', $default, $level ) if $level ne 'none'; - } elsif ( $default_option ) { - fatal_error "Unknown Action ($default) in $policy setting"; + if ( ( $targets{$act} || 0 ) & ACTION ) { + $paction = supplied $param ? normalize_action( $act, $level, $param ) : + $level eq 'none' ? normalize_action_name $act : + normalize_action( $act, $level, '' ); + } elsif ( ( $targets{$act} || 0 ) == INLINE ) { + $paction = $act; + $paction = "$act($param)" if supplied $param; + $paction = join( ':', $paction, $level ) if $level ne 'none'; + } elsif ( $paction_option ) { + fatal_error "Unknown Action ($paction) in $policy setting"; } else { - fatal_error "Unknown Default Action ($default)"; + fatal_error "Unknown Policy Action ($paction)"; } } else { - $default = $default_actions{$policy}; + $paction = $policy_actions{$policy}; } - $default; + $paction; } -sub process_default_actions( $$$ ) { - my ( $originalpolicy, $policy, $defaults ) = @_; +sub process_policy_actions( $$$ ) { + my ( $originalpolicy, $policy, $pactions ) = @_; - my @defaults; + if ( supplied $pactions ) { + my @pactions; - if ( supplied $defaults ) { - if ( $defaults ne 'none' ) { - for my $default ( split_list3( $defaults, 'Default Action' ) ) { - my ( $action, $level, $remainder ) = split( /:/, $default ); + if ( $pactions ne 'none' ) { + @pactions = @{$policy_actions{policy}} if $pactions =~ s/^\+//; - fatal_error "Invalid default action ($default:$level:$remainder)" if defined $remainder; + for my $paction ( split_list3( $pactions, 'Policy Action' ) ) { + my ( $action, $level, $remainder ) = 
split( /:/, $paction, 3 ); - push @defaults, process_default_action( $originalpolicy, $policy, $action, $level ); + fatal_error "Invalid policy action ($paction:$level:$remainder)" if defined $remainder; + + push @pactions, process_policy_action( $originalpolicy, $policy, $action, $level ); } } - \@defaults; + \@pactions; } else { - $default_actions{$policy}; + $policy_actions{$policy}; } } @@ -670,7 +674,7 @@ sub process_a_policy1($$$$$$$) { require_capability 'AUDIT_TARGET', ":audit", "s" if $audit; - my ( $policy, $defaults ) = split( /:/, $originalpolicy, 2 ); + my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 ); fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy; @@ -682,7 +686,7 @@ sub process_a_policy1($$$$$$$) { fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy}; } - my $default = process_default_actions( $originalpolicy, $policy, $defaults ); + my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions ); if ( defined $queue ) { $policy = handle_nfqueue( $queue, @@ -739,7 +743,7 @@ sub process_a_policy1($$$$$$$) { $chainref->{synchain} = $chain } - $chainref->{defaults} = $default; + $chainref->{pactions} = $pactionref; $chainref->{origin} = shortlineinfo(''); if ( $clientwild ) { @@ -855,10 +859,10 @@ sub process_policies() if ( $actions eq 'none' ) { $actions = []; } else { - $actions = process_default_actions( $actions, $option, $actions ); + $actions = process_policy_actions( $actions, $option, $actions ); } - $default_actions{$map{$option}} = $actions; + $policy_actions{$map{$option}} = $actions; } for $zone ( all_zones ) { 
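Review bot: The new `+` handling in process_policy_actions reads the literal hash key `policy` — `@pactions = @{$policy_actions{policy}} if $pactions =~ s/^\+//;` — instead of `$policy_actions{$policy}`, so a policy-file entry such as `DROP:+dropNotSyn` never sees the DROP_DEFAULT actions: under `use strict` (the file's preamble is outside this diff) dereferencing the undefined value aborts the compile, and without it the defaults are silently lost. The same function is also reached from the shorewall.conf path in the `process_policies` hunk below, where process_policies appears to pass the option name (e.g. DROP_DEFAULT) as `$policy`; no `%policy_actions` entry exists under that key, so a `+` in a *_DEFAULT setting would fail the same way even once the key is fixed, and rejecting it there explicitly gives the clear error the manpage wording ("in addition to ... the related _DEFAULT setting") implies. A suggested shape of the change is below; the rest of process_policy_actions is unchanged.
```perl
        if ( $pactions ne 'none' ) {
            if ( $pactions =~ s/^\+// ) {
                #
                # Leading '+' means "in addition to the *_DEFAULT actions". The *_DEFAULT
                # settings themselves have nothing in %policy_actions to extend, so reject
                # '+' there with a clear message rather than dereferencing undef.
                #
                fatal_error "A leading '+' is not allowed in the $policy setting" if $policy =~ /_DEFAULT$/;
                @pactions = @{ $policy_actions{$policy} };
            }

            # … unchanged: split_list3() loop calling process_policy_action() …
```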
@@ -918,23 +922,23 @@ sub process_policies() sub process_inline ($$$$$$$$$$$$$$$$$$$$$$); sub add_policy_rules( $$$$$ ) { - my ( $chainref , $target, $loglevel, $defaults, $dropmulticast ) = @_; + my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_; unless ( $target eq 'NONE' ) { - my @defaults; + my @pactions; - @defaults = @$defaults if defined $defaults; + @pactions = @$pactions; add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT'; - for my $default ( @defaults ) { - my ( $action ) = split ':', $default; + for my $paction ( @pactions ) { + my ( $action ) = split ':', $paction; if ( ( $targets{$action} || 0 ) & ACTION ) { # # Default action is a regular action -- jump to the action chain # - add_ijump $chainref, j => use_policy_action( $default, $chainref->{name} ); + add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} ); } else { # # Default action is an inline @@ -946,7 +950,7 @@ sub add_policy_rules( $$$$$ ) { '', #Matches '', #Matches1 $loglevel, #Log Level and Tag - $default, #Target + $paction, #Target $param || '', #Param '-', #Source '-', #Dest @@ -999,7 +1003,7 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone my $chainref = $_[0]; my $policyref = $filter_table->{$chainref->{policychain}}; my $synparams = $policyref->{synparams}; - my $defaults = $policyref->{defaults}; + my $defaults = $policyref->{pactions}; my $policy = $policyref->{policy}; my $loglevel = $policyref->{loglevel}; @@ -1041,7 +1045,7 @@ sub complete_policy_chains() { unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) { my $loglevel = $chainref->{loglevel}; my $provisional = $chainref->{provisional}; - my $defaults = $chainref->{defaults}; + my $defaults = $chainref->{pactions}; my $name = $chainref->{name}; my $synparms = $chainref->{synparms}; 
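Review bot: add_policy_rules now dereferences the argument unconditionally (`@pactions = @$pactions;`) where the removed line guarded with `if defined $pactions`; every call site touched by this patch now stores an arrayref (`[]` in convert_to_policy_chain, `|| []` in set_policy_chain, the new CONTINUE/NONE entries in %policy_actions), but any caller outside the diff that still passes undef will die with "Can't use an undefined value as an ARRAY reference", and `@pactions = @{ $pactions || [] };` keeps the old tolerance at no cost. The rename is also only half applied in this hunk: the field is `pactions`, yet complete_policy_chain and complete_policy_chains still bind it as `my $defaults = $policyref->{pactions};` and `my $defaults = $chainref->{pactions};`, and the two comments in add_policy_rules still read "Default action is a regular action" / "Default action is an inline"; renaming the locals to `$pactions` and the comments to "Policy action is ..." would finish the cleanup the commit title describes. add_policy_rules continues past the end of this hunk.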
@@ -1094,17 +1098,17 @@ sub complete_standard_chain ( $$$$ ) { my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) }; my ( $policy, $loglevel ) = ( $default , 6 ); - my $defaultactions = $default_actions{$policy}; + my $policy_actions = $policy_actions{$policy}; my $policychainref; $policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref; if ( $policychainref ) { - ( $policy, $loglevel, $defaultactions ) = @{$policychainref}{'policy', 'loglevel', 'defaults' }; + ( $policy, $loglevel, $policy_actions ) = @{$policychainref}{'policy', 'loglevel', 'pactions' }; $stdchainref->{origin} = $policychainref->{origin}; } - add_policy_rules $stdchainref , $policy , $loglevel, $defaultactions, 0; + add_policy_rules $stdchainref , $policy , $loglevel, $policy_actions, 0; } # diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml index dd71dbf16..9389dcb9a 100644 --- a/Shorewall/manpages/shorewall-policy.xml +++ b/Shorewall/manpages/shorewall-policy.xml @@ -120,7 +120,7 @@ role="bold">QUEUE|NFQUEUE[(queuenumber1[:queuenumber2])]|NONE}[:{default-action[:level][,...]|:{[+]policy-action[:level][,...]|None}] @@ -140,7 +140,7 @@ The name of an action with optional parameters enclosed in parentheses. The action will be invoked before the policy is - enforced. + enforced. @@ -154,9 +154,13 @@ Beginning with Shorewall 5.1.2, multiple action[:level] specification may be listeded, separated by commas. The actions are - invoked in the order listed. + invoked in the order listed. Also beginning with Shorewall 5.1.2, + the policy-action list can be prefixed with a plus sign ("+") + indicating that the listed actions are in addition to those listed + in the related _DEFAULT setting in shorewall.conf(5). - Possible actions are: + Possible policies are: 
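Review bot: In complete_standard_chain the new lexical `my $policy_actions = $policy_actions{$policy};` shares its name with the package hash `%policy_actions`; Perl keeps the two namespaces separate, but `$policy_actions` and `$policy_actions{...}` differ only by a subscript on adjacent lines and are easy to misread or mis-edit. A distinct name removes the ambiguity: `my $pactions = $policy_actions{$policy};`, `( $policy, $loglevel, $pactions ) = @{$policychainref}{'policy', 'loglevel', 'pactions' };` and `add_policy_rules $stdchainref , $policy , $loglevel, $pactions, 0;`, which also matches the `pactions` naming used elsewhere in this patch. complete_standard_chain begins before this hunk.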
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index 8ddf88fe0..3cb45e8b8 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf @@ -105,11 +105,11 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG -DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG" +DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none -REJECT_DEFAULT=AllowICMPs,dropBcasts +REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)" ############################################################################### # R S H / R C P C O M M A N D S diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index f7961193f..737057345 100644 --- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -106,11 +106,11 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG -DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG" +DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none -REJECT_DEFAULT=AllowICMPs,dropBcasts +REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)" ############################################################################### # R S H / R C P C O M M A N D S diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index 1ec15b597..f147208ec 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf 
@@ -105,11 +105,11 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG -DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG" +DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none -REJECT_DEFAULT=AllowICMPs,dropBcasts +REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)" ############################################################################### # R S H / R C P C O M M A N D S diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index 905918ea8..1cba7dc86 100644 --- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf @@ -105,11 +105,11 @@ TC= ############################################################################### ACCEPT_DEFAULT=none -BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG -DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG" +DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG" NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none -REJECT_DEFAULT=AllowICMPs,dropBcasts +REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)" ############################################################################### # R S H / R C P C O M M A N D S diff --git a/Shorewall6/manpages/shorewall6-policy.xml b/Shorewall6/manpages/shorewall6-policy.xml index a760bde7e..97a6b5c91 100644 --- a/Shorewall6/manpages/shorewall6-policy.xml +++ b/Shorewall6/manpages/shorewall6-policy.xml @@ -119,7 +119,7 @@ role="bold">QUEUE|NFQUEUE[(queuenumber1[:queuenumber2])]|NONE}[:{default-action[:level][,...]|:{[+]policy-action[:level][,...]|None}] 
@@ -152,9 +152,13 @@ Beginning with Shorewall 5.1.2, multiple action[:level] pairs may be specified, separated by commas. The actions are invoked - in the order listed. + in the order listed. Also beginning with Shorewall 5.1.2, the + policy-action list can be prefixed with a plus sign ("+") indicating + that the listed actions are in addition to those listed in the + related _DEFAULT setting in shorewall6.conf(5). - Possible actions are: + Possible policies are: diff --git a/docs/Actions.xml b/docs/Actions.xml index bebcdc308..270aa4436 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -136,9 +136,10 @@ ACCEPT - - tcp 135,139,445 Shorewall allows the association of a policy action with policies. A separate policy action may be - associated with ACCEPT, DROP, REJECT, QUEUE and NFQUEUE policies. Policy - actions provide a way to invoke a set of common rules just before the - policy is enforced. Policy actions accomplish two goals: + associated with ACCEPT, DROP, REJECT, QUEUE, NFQUEUE and BLACKLIST + policies. Policy actions provide a way to invoke a set of common rules + just before the policy is enforced. Policy actions accomplish two + goals: @@ -153,8 +154,8 @@ ACCEPT - - tcp 135,139,445 Shorewall supports policy actions for the ACCEPT, REJECT, DROP, - QUEUE and NFQUEUE policies. These default actions are specified in the - /etc/shorewall/shorewall.conf file using the + QUEUE, NFQUEUE and BLACKLIST policies. These default actions are specified + in the /etc/shorewall/shorewall.conf file using the ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options respectively. Policies whose default is set to a value of none have no default action. @@ -295,7 +296,7 @@ ACCEPT - - tcp 135,139,445 - Broadcasts[(disposition)] + Broadcast[(disposition)] Handles broadcasts and multicasts based on the 
@@ -335,7 +336,7 @@ ACCEPT - - tcp 135,139,445 Allows ICMP packets mandated by RFC 4890. In particular, this - ensures that Neighbor Discovery won't be broken + ensures that Neighbor Discovery won't be broken