Some cleanup of policy actions

- Allow '+' in policy file action list

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2017-02-07 13:19:53 -08:00
parent af8d4e32c2
commit 7e984af094
GPG Key ID: 96E6B3F2423A4D10
8 changed files with 94 additions and 81 deletions


@ -138,7 +138,7 @@ our %section_rmap = ( ALL_SECTION , 'ALL',
our @policy_chains; our @policy_chains;
our %default_actions; our %policy_actions;
our %macros; our %macros;
@ -311,12 +311,14 @@ sub initialize( $ ) {
# This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
# in the %config hash when shorewall[6].conf was processed. # in the %config hash when shorewall[6].conf was processed.
# #
%default_actions = ( DROP => [] , %policy_actions = ( DROP => [] ,
REJECT => [] , REJECT => [] ,
BLACKLIST => [] , BLACKLIST => [] ,
ACCEPT => [] , ACCEPT => [] ,
QUEUE => [] , QUEUE => [] ,
NFQUEUE => [] , NFQUEUE => [] ,
CONTINUE => [] ,
NONE => [] ,
); );
# #
# These are set to 1 as sections are encountered. # These are set to 1 as sections are encountered.
@ -430,7 +432,7 @@ sub convert_to_policy_chain($$$$$$)
$chainref->{audit} = $audit; $chainref->{audit} = $audit;
$chainref->{policychain} = $chainref->{name}; $chainref->{policychain} = $chainref->{name};
$chainref->{policypair} = [ $source, $dest ]; $chainref->{policypair} = [ $source, $dest ];
$chainref->{defaults} = []; $chainref->{pactions} = [];
} }
# #
@ -480,7 +482,7 @@ sub set_policy_chain($$$$$$)
$chainref->{synchain} = $polchainref->{synchain}; $chainref->{synchain} = $polchainref->{synchain};
} }
$chainref->{defaults} = $polchainref->{defaults}; $chainref->{pactions} = $polchainref->{pactions} || [];
$chainref->{is_policy} = 1; $chainref->{is_policy} = 1;
push @policy_chains, $chainref; push @policy_chains, $chainref;
} else { } else {
@ -529,12 +531,12 @@ sub normalize_action( $$$ );
sub normalize_action_name( $ ); sub normalize_action_name( $ );
sub normalize_single_action( $ ); sub normalize_single_action( $ );
sub process_default_action( $$$$ ) { sub process_policy_action( $$$$ ) {
my ( $originalpolicy, $policy, $default, $level ) = @_; my ( $originalpolicy, $policy, $paction, $level ) = @_;
if ( supplied $default ) { if ( supplied $paction ) {
my $default_option = ( $policy =~ /_DEFAULT$/ ); my $paction_option = ( $policy =~ /_DEFAULT$/ );
my ( $def, $param ) = get_target_param( $default ); my ( $act, $param ) = get_target_param( $paction );
if ( supplied $level ) { if ( supplied $level ) {
validate_level( $level ); validate_level( $level );
@ -542,46 +544,48 @@ sub process_default_action( $$$$ ) {
$level = 'none'; $level = 'none';
} }
if ( ( $targets{$def} || 0 ) & ACTION ) { if ( ( $targets{$act} || 0 ) & ACTION ) {
$default = supplied $param ? normalize_action( $def, $level, $param ) : $paction = supplied $param ? normalize_action( $act, $level, $param ) :
$level eq 'none' ? normalize_action_name $def : $level eq 'none' ? normalize_action_name $act :
normalize_action( $def, $level, '' ); normalize_action( $act, $level, '' );
} elsif ( ( $targets{$def} || 0 ) == INLINE ) { } elsif ( ( $targets{$act} || 0 ) == INLINE ) {
$default = $def; $paction = $act;
$default = "$def($param)" if supplied $param; $paction = "$act($param)" if supplied $param;
$default = join( ':', $default, $level ) if $level ne 'none'; $paction = join( ':', $paction, $level ) if $level ne 'none';
} elsif ( $default_option ) { } elsif ( $paction_option ) {
fatal_error "Unknown Action ($default) in $policy setting"; fatal_error "Unknown Action ($paction) in $policy setting";
} else { } else {
fatal_error "Unknown Default Action ($default)"; fatal_error "Unknown Policy Action ($paction)";
} }
} else { } else {
$default = $default_actions{$policy}; $paction = $policy_actions{$policy};
} }
$default; $paction;
} }
sub process_default_actions( $$$ ) { sub process_policy_actions( $$$ ) {
my ( $originalpolicy, $policy, $defaults ) = @_; my ( $originalpolicy, $policy, $pactions ) = @_;
my @defaults; if ( supplied $pactions ) {
my @pactions;
if ( supplied $defaults ) { if ( $pactions ne 'none' ) {
if ( $defaults ne 'none' ) { @pactions = @{$policy_actions{policy}} if $pactions =~ s/^\+//;
for my $default ( split_list3( $defaults, 'Default Action' ) ) {
my ( $action, $level, $remainder ) = split( /:/, $default );
fatal_error "Invalid default action ($default:$level:$remainder)" if defined $remainder; for my $paction ( split_list3( $pactions, 'Policy Action' ) ) {
my ( $action, $level, $remainder ) = split( /:/, $paction, 3 );
push @defaults, process_default_action( $originalpolicy, $policy, $action, $level ); fatal_error "Invalid policy action ($paction:$level:$remainder)" if defined $remainder;
push @pactions, process_policy_action( $originalpolicy, $policy, $action, $level );
} }
} }
\@defaults; \@pactions;
} else { } else {
$default_actions{$policy}; $policy_actions{$policy};
} }
} }
@ -670,7 +674,7 @@ sub process_a_policy1($$$$$$$) {
require_capability 'AUDIT_TARGET', ":audit", "s" if $audit; require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
my ( $policy, $defaults ) = split( /:/, $originalpolicy, 2 ); my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy; fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
@ -682,7 +686,7 @@ sub process_a_policy1($$$$$$$) {
fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy}; fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
} }
my $default = process_default_actions( $originalpolicy, $policy, $defaults ); my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
if ( defined $queue ) { if ( defined $queue ) {
$policy = handle_nfqueue( $queue, $policy = handle_nfqueue( $queue,
@ -739,7 +743,7 @@ sub process_a_policy1($$$$$$$) {
$chainref->{synchain} = $chain $chainref->{synchain} = $chain
} }
$chainref->{defaults} = $default; $chainref->{pactions} = $pactionref;
$chainref->{origin} = shortlineinfo(''); $chainref->{origin} = shortlineinfo('');
if ( $clientwild ) { if ( $clientwild ) {
@ -855,10 +859,10 @@ sub process_policies()
if ( $actions eq 'none' ) { if ( $actions eq 'none' ) {
$actions = []; $actions = [];
} else { } else {
$actions = process_default_actions( $actions, $option, $actions ); $actions = process_policy_actions( $actions, $option, $actions );
} }
$default_actions{$map{$option}} = $actions; $policy_actions{$map{$option}} = $actions;
} }
for $zone ( all_zones ) { for $zone ( all_zones ) {
@ -918,23 +922,23 @@ sub process_policies()
sub process_inline ($$$$$$$$$$$$$$$$$$$$$$); sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
sub add_policy_rules( $$$$$ ) { sub add_policy_rules( $$$$$ ) {
my ( $chainref , $target, $loglevel, $defaults, $dropmulticast ) = @_; my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
unless ( $target eq 'NONE' ) { unless ( $target eq 'NONE' ) {
my @defaults; my @pactions;
@defaults = @$defaults if defined $defaults; @pactions = @$pactions;
add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT'; add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
for my $default ( @defaults ) { for my $paction ( @pactions ) {
my ( $action ) = split ':', $default; my ( $action ) = split ':', $paction;
if ( ( $targets{$action} || 0 ) & ACTION ) { if ( ( $targets{$action} || 0 ) & ACTION ) {
# #
# Default action is a regular action -- jump to the action chain # Default action is a regular action -- jump to the action chain
# #
add_ijump $chainref, j => use_policy_action( $default, $chainref->{name} ); add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
} else { } else {
# #
# Default action is an inline # Default action is an inline
@ -946,7 +950,7 @@ sub add_policy_rules( $$$$$ ) {
'', #Matches '', #Matches
'', #Matches1 '', #Matches1
$loglevel, #Log Level and Tag $loglevel, #Log Level and Tag
$default, #Target $paction, #Target
$param || '', #Param $param || '', #Param
'-', #Source '-', #Source
'-', #Dest '-', #Dest
@ -999,7 +1003,7 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
my $chainref = $_[0]; my $chainref = $_[0];
my $policyref = $filter_table->{$chainref->{policychain}}; my $policyref = $filter_table->{$chainref->{policychain}};
my $synparams = $policyref->{synparams}; my $synparams = $policyref->{synparams};
my $defaults = $policyref->{defaults}; my $defaults = $policyref->{pactions};
my $policy = $policyref->{policy}; my $policy = $policyref->{policy};
my $loglevel = $policyref->{loglevel}; my $loglevel = $policyref->{loglevel};
@ -1041,7 +1045,7 @@ sub complete_policy_chains() {
unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) { unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
my $loglevel = $chainref->{loglevel}; my $loglevel = $chainref->{loglevel};
my $provisional = $chainref->{provisional}; my $provisional = $chainref->{provisional};
my $defaults = $chainref->{defaults}; my $defaults = $chainref->{pactions};
my $name = $chainref->{name}; my $name = $chainref->{name};
my $synparms = $chainref->{synparms}; my $synparms = $chainref->{synparms};
@ -1094,17 +1098,17 @@ sub complete_standard_chain ( $$$$ ) {
my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) }; my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
my ( $policy, $loglevel ) = ( $default , 6 ); my ( $policy, $loglevel ) = ( $default , 6 );
my $defaultactions = $default_actions{$policy}; my $policy_actions = $policy_actions{$policy};
my $policychainref; my $policychainref;
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref; $policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
if ( $policychainref ) { if ( $policychainref ) {
( $policy, $loglevel, $defaultactions ) = @{$policychainref}{'policy', 'loglevel', 'defaults' }; ( $policy, $loglevel, $policy_actions ) = @{$policychainref}{'policy', 'loglevel', 'pactions' };
$stdchainref->{origin} = $policychainref->{origin}; $stdchainref->{origin} = $policychainref->{origin};
} }
add_policy_rules $stdchainref , $policy , $loglevel, $defaultactions, 0; add_policy_rules $stdchainref , $policy , $loglevel, $policy_actions, 0;
} }
# #
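Review bot: The new '+' branch in process_policy_actions, `@pactions = @{$policy_actions{policy}} if $pactions =~ s/^\+//;`, subscripts the hash with the bareword `policy`, which Perl autoquotes to the literal key 'policy' instead of the value of `$policy`; initialize() never populates that key, so under strict refs the dereference dies with "Can't use an undefined value as an ARRAY reference" the first time a '+'-prefixed action list is used. It should read `@pactions = @{ $policy_actions{$policy} || [] } if $pactions =~ s/^\+//;`, where the `|| []` also covers the call from process_policies, which passes the option name (e.g. DROP_DEFAULT) as `$policy` and therefore has no matching entry if a '+' prefix ever reaches that path. A one-line why-comment on that line would help the next reader, e.g. `# Leading '+': append the listed actions to those inherited from the matching *_DEFAULT setting`. The remaining hunks in this file are the defaults/default_actions to pactions/policy_actions rename and look consistent; add_policy_rules now dereferences `$pactions` unconditionally, which appears to be covered by set_policy_chain's new `|| []` and initialize()'s per-policy `[]`, though I have not verified every caller of complete_standard_chain.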


@ -120,7 +120,7 @@
role="bold">QUEUE</emphasis>|<emphasis role="bold">QUEUE</emphasis>|<emphasis
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
role="bold">NONE</emphasis>}[<emphasis role="bold">NONE</emphasis>}[<emphasis
role="bold">:</emphasis>{<emphasis>default-action</emphasis>[:level][,...]|<emphasis role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
role="bold">None</emphasis>}]</term> role="bold">None</emphasis>}]</term>
<listitem> <listitem>
@ -154,9 +154,13 @@
<para>Beginning with Shorewall 5.1.2, multiple <para>Beginning with Shorewall 5.1.2, multiple
<replaceable>action</replaceable>[:<replaceable>level</replaceable>] <replaceable>action</replaceable>[:<replaceable>level</replaceable>]
specification may be listeded, separated by commas. The actions are specification may be listeded, separated by commas. The actions are
invoked in the order listed.</para> invoked in the order listed. Also beginning with Shorewall 5.1.2,
the policy-action list can be prefixed with a plus sign ("+")
indicating that the listed actions are in addition to those listed
in the related _DEFAULT setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>Possible actions are:</para> <para>Possible policies are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>


@ -105,11 +105,11 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT=none ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
NFQUEUE_DEFAULT=none NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none QUEUE_DEFAULT=none
REJECT_DEFAULT=AllowICMPs,dropBcasts REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S


@ -106,11 +106,11 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT=none ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
NFQUEUE_DEFAULT=none NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none QUEUE_DEFAULT=none
REJECT_DEFAULT=AllowICMPs,dropBcasts REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S


@ -105,11 +105,11 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT=none ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
NFQUEUE_DEFAULT=none NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none QUEUE_DEFAULT=none
REJECT_DEFAULT=AllowICMPs,dropBcasts REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S


@ -105,11 +105,11 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT=none ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
NFQUEUE_DEFAULT=none NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none QUEUE_DEFAULT=none
REJECT_DEFAULT=AllowICMPs,dropBcasts REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S


@ -119,7 +119,7 @@
role="bold">QUEUE</emphasis>|<emphasis role="bold">QUEUE</emphasis>|<emphasis
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
role="bold">NONE</emphasis>}[<emphasis role="bold">NONE</emphasis>}[<emphasis
role="bold">:</emphasis>{<emphasis>default-action</emphasis>[:level][,...]|<emphasis role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
role="bold">None</emphasis>}]</term> role="bold">None</emphasis>}]</term>
<listitem> <listitem>
@ -152,9 +152,13 @@
<para>Beginning with Shorewall 5.1.2, multiple <para>Beginning with Shorewall 5.1.2, multiple
<replaceable>action</replaceable>[:<replaceable>level</replaceable>] <replaceable>action</replaceable>[:<replaceable>level</replaceable>]
pairs may be specified, separated by commas. The actions are invoked pairs may be specified, separated by commas. The actions are invoked
in the order listed.</para> in the order listed. Also beginning with Shorewall 5.1.2, the
policy-action list can be prefixed with a plus sign ("+") indicating
that the listed actions are in addition to those listed in the
related _DEFAULT setting in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>Possible actions are:</para> <para>Possible policies are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>


@ -136,9 +136,10 @@ ACCEPT - - tcp 135,139,445</programlisting>
<para>Shorewall allows the association of a <firstterm>policy <para>Shorewall allows the association of a <firstterm>policy
action</firstterm> with policies. A separate policy action may be action</firstterm> with policies. A separate policy action may be
associated with ACCEPT, DROP, REJECT, QUEUE and NFQUEUE policies. Policy associated with ACCEPT, DROP, REJECT, QUEUE, NFQUEUE and BLACKLIST
actions provide a way to invoke a set of common rules just before the policies. Policy actions provide a way to invoke a set of common rules
policy is enforced. Policy actions accomplish two goals:</para> just before the policy is enforced. Policy actions accomplish two
goals:</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -153,8 +154,8 @@ ACCEPT - - tcp 135,139,445</programlisting>
</orderedlist> </orderedlist>
<para>Shorewall supports policy actions for the ACCEPT, REJECT, DROP, <para>Shorewall supports policy actions for the ACCEPT, REJECT, DROP,
QUEUE and NFQUEUE policies. These default actions are specified in the QUEUE, NFQUEUE and BLACKLIST policies. These default actions are specified
<filename>/etc/shorewall/shorewall.conf</filename> file using the in the <filename>/etc/shorewall/shorewall.conf</filename> file using the
ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and
NFQUEUE_DEFAULT options respectively. Policies whose default is set to a NFQUEUE_DEFAULT options respectively. Policies whose default is set to a
value of <quote>none</quote> have no default action.</para> value of <quote>none</quote> have no default action.</para>
@ -295,7 +296,7 @@ ACCEPT - - tcp 135,139,445</programlisting>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>Broadcasts[(<replaceable>disposition</replaceable>)]</term> <term>Broadcast[(<replaceable>disposition</replaceable>)]</term>
<listitem> <listitem>
<para>Handles broadcasts and multicasts based on the <para>Handles broadcasts and multicasts based on the