Some cleanup of policy actions

- Allow '+' in policy file action list

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2017-02-07 13:19:53 -08:00
parent af8d4e32c2
commit 7e984af094
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
8 changed files with 94 additions and 81 deletions

View File

@ -138,7 +138,7 @@ our %section_rmap = ( ALL_SECTION , 'ALL',
our @policy_chains;
our %default_actions;
our %policy_actions;
our %macros;
@ -311,12 +311,14 @@ sub initialize( $ ) {
# This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
# in the %config hash when shorewall[6].conf was processed.
#
%default_actions = ( DROP => [] ,
%policy_actions = ( DROP => [] ,
REJECT => [] ,
BLACKLIST => [] ,
ACCEPT => [] ,
QUEUE => [] ,
NFQUEUE => [] ,
CONTINUE => [] ,
NONE => [] ,
);
#
# These are set to 1 as sections are encountered.
@ -430,7 +432,7 @@ sub convert_to_policy_chain($$$$$$)
$chainref->{audit} = $audit;
$chainref->{policychain} = $chainref->{name};
$chainref->{policypair} = [ $source, $dest ];
$chainref->{defaults} = [];
$chainref->{pactions} = [];
}
#
@ -480,7 +482,7 @@ sub set_policy_chain($$$$$$)
$chainref->{synchain} = $polchainref->{synchain};
}
$chainref->{defaults} = $polchainref->{defaults};
$chainref->{pactions} = $polchainref->{pactions} || [];
$chainref->{is_policy} = 1;
push @policy_chains, $chainref;
} else {
@ -529,12 +531,12 @@ sub normalize_action( $$$ );
sub normalize_action_name( $ );
sub normalize_single_action( $ );
sub process_default_action( $$$$ ) {
my ( $originalpolicy, $policy, $default, $level ) = @_;
sub process_policy_action( $$$$ ) {
my ( $originalpolicy, $policy, $paction, $level ) = @_;
if ( supplied $default ) {
my $default_option = ( $policy =~ /_DEFAULT$/ );
my ( $def, $param ) = get_target_param( $default );
if ( supplied $paction ) {
my $paction_option = ( $policy =~ /_DEFAULT$/ );
my ( $act, $param ) = get_target_param( $paction );
if ( supplied $level ) {
validate_level( $level );
@ -542,46 +544,48 @@ sub process_default_action( $$$$ ) {
$level = 'none';
}
if ( ( $targets{$def} || 0 ) & ACTION ) {
$default = supplied $param ? normalize_action( $def, $level, $param ) :
$level eq 'none' ? normalize_action_name $def :
normalize_action( $def, $level, '' );
} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
$default = $def;
$default = "$def($param)" if supplied $param;
$default = join( ':', $default, $level ) if $level ne 'none';
} elsif ( $default_option ) {
fatal_error "Unknown Action ($default) in $policy setting";
if ( ( $targets{$act} || 0 ) & ACTION ) {
$paction = supplied $param ? normalize_action( $act, $level, $param ) :
$level eq 'none' ? normalize_action_name $act :
normalize_action( $act, $level, '' );
} elsif ( ( $targets{$act} || 0 ) == INLINE ) {
$paction = $act;
$paction = "$act($param)" if supplied $param;
$paction = join( ':', $paction, $level ) if $level ne 'none';
} elsif ( $paction_option ) {
fatal_error "Unknown Action ($paction) in $policy setting";
} else {
fatal_error "Unknown Default Action ($default)";
fatal_error "Unknown Policy Action ($paction)";
}
} else {
$default = $default_actions{$policy};
$paction = $policy_actions{$policy};
}
$default;
$paction;
}
sub process_default_actions( $$$ ) {
my ( $originalpolicy, $policy, $defaults ) = @_;
sub process_policy_actions( $$$ ) {
my ( $originalpolicy, $policy, $pactions ) = @_;
my @defaults;
if ( supplied $pactions ) {
my @pactions;
if ( supplied $defaults ) {
if ( $defaults ne 'none' ) {
for my $default ( split_list3( $defaults, 'Default Action' ) ) {
my ( $action, $level, $remainder ) = split( /:/, $default );
if ( $pactions ne 'none' ) {
@pactions = @{$policy_actions{policy}} if $pactions =~ s/^\+//;
fatal_error "Invalid default action ($default:$level:$remainder)" if defined $remainder;
for my $paction ( split_list3( $pactions, 'Policy Action' ) ) {
my ( $action, $level, $remainder ) = split( /:/, $paction, 3 );
push @defaults, process_default_action( $originalpolicy, $policy, $action, $level );
fatal_error "Invalid policy action ($paction:$level:$remainder)" if defined $remainder;
push @pactions, process_policy_action( $originalpolicy, $policy, $action, $level );
}
}
\@defaults;
\@pactions;
} else {
$default_actions{$policy};
$policy_actions{$policy};
}
}
@ -670,7 +674,7 @@ sub process_a_policy1($$$$$$$) {
require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
my ( $policy, $defaults ) = split( /:/, $originalpolicy, 2 );
my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
@ -682,7 +686,7 @@ sub process_a_policy1($$$$$$$) {
fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
}
my $default = process_default_actions( $originalpolicy, $policy, $defaults );
my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
if ( defined $queue ) {
$policy = handle_nfqueue( $queue,
@ -739,7 +743,7 @@ sub process_a_policy1($$$$$$$) {
$chainref->{synchain} = $chain
}
$chainref->{defaults} = $default;
$chainref->{pactions} = $pactionref;
$chainref->{origin} = shortlineinfo('');
if ( $clientwild ) {
@ -855,10 +859,10 @@ sub process_policies()
if ( $actions eq 'none' ) {
$actions = [];
} else {
$actions = process_default_actions( $actions, $option, $actions );
$actions = process_policy_actions( $actions, $option, $actions );
}
$default_actions{$map{$option}} = $actions;
$policy_actions{$map{$option}} = $actions;
}
for $zone ( all_zones ) {
@ -918,23 +922,23 @@ sub process_policies()
sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
sub add_policy_rules( $$$$$ ) {
my ( $chainref , $target, $loglevel, $defaults, $dropmulticast ) = @_;
my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
unless ( $target eq 'NONE' ) {
my @defaults;
my @pactions;
@defaults = @$defaults if defined $defaults;
@pactions = @$pactions;
add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
for my $default ( @defaults ) {
my ( $action ) = split ':', $default;
for my $paction ( @pactions ) {
my ( $action ) = split ':', $paction;
if ( ( $targets{$action} || 0 ) & ACTION ) {
#
# Default action is a regular action -- jump to the action chain
#
add_ijump $chainref, j => use_policy_action( $default, $chainref->{name} );
add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
} else {
#
# Default action is an inline
@ -946,7 +950,7 @@ sub add_policy_rules( $$$$$ ) {
'', #Matches
'', #Matches1
$loglevel, #Log Level and Tag
$default, #Target
$paction, #Target
$param || '', #Param
'-', #Source
'-', #Dest
@ -999,7 +1003,7 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
my $chainref = $_[0];
my $policyref = $filter_table->{$chainref->{policychain}};
my $synparams = $policyref->{synparams};
my $defaults = $policyref->{defaults};
my $defaults = $policyref->{pactions};
my $policy = $policyref->{policy};
my $loglevel = $policyref->{loglevel};
@ -1041,7 +1045,7 @@ sub complete_policy_chains() {
unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
my $loglevel = $chainref->{loglevel};
my $provisional = $chainref->{provisional};
my $defaults = $chainref->{defaults};
my $defaults = $chainref->{pactions};
my $name = $chainref->{name};
my $synparms = $chainref->{synparms};
@ -1094,17 +1098,17 @@ sub complete_standard_chain ( $$$$ ) {
my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
my ( $policy, $loglevel ) = ( $default , 6 );
my $defaultactions = $default_actions{$policy};
my $policy_actions = $policy_actions{$policy};
my $policychainref;
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
if ( $policychainref ) {
( $policy, $loglevel, $defaultactions ) = @{$policychainref}{'policy', 'loglevel', 'defaults' };
( $policy, $loglevel, $policy_actions ) = @{$policychainref}{'policy', 'loglevel', 'pactions' };
$stdchainref->{origin} = $policychainref->{origin};
}
add_policy_rules $stdchainref , $policy , $loglevel, $defaultactions, 0;
add_policy_rules $stdchainref , $policy , $loglevel, $policy_actions, 0;
}
#

View File

@ -120,7 +120,7 @@
role="bold">QUEUE</emphasis>|<emphasis
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
role="bold">NONE</emphasis>}[<emphasis
role="bold">:</emphasis>{<emphasis>default-action</emphasis>[:level][,...]|<emphasis
role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
role="bold">None</emphasis>}]</term>
<listitem>
@ -140,7 +140,7 @@
<listitem>
<para>The name of an action with optional parameters enclosed in
parentheses. The action will be invoked before the policy is
enforced. </para>
enforced.</para>
</listitem>
</orderedlist>
@ -154,9 +154,13 @@
<para>Beginning with Shorewall 5.1.2, multiple
<replaceable>action</replaceable>[:<replaceable>level</replaceable>]
specification may be listeded, separated by commas. The actions are
invoked in the order listed.</para>
invoked in the order listed. Also beginning with Shorewall 5.1.2,
the policy-action list can be prefixed with a plus sign ("+")
indicating that the listed actions are in addition to those listed
in the related _DEFAULT setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>Possible actions are:</para>
<para>Possible policies are:</para>
<variablelist>
<varlistentry>

View File

@ -105,11 +105,11 @@ TC=
###############################################################################
ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=AllowICMPs,dropBcasts
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
###############################################################################
# R S H / R C P C O M M A N D S

View File

@ -106,11 +106,11 @@ TC=
###############################################################################
ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=AllowICMPs,dropBcasts
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
###############################################################################
# R S H / R C P C O M M A N D S

View File

@ -105,11 +105,11 @@ TC=
###############################################################################
ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=AllowICMPs,dropBcasts
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
###############################################################################
# R S H / R C P C O M M A N D S

View File

@ -105,11 +105,11 @@ TC=
###############################################################################
ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=AllowICMPs,dropBcasts
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
###############################################################################
# R S H / R C P C O M M A N D S

View File

@ -119,7 +119,7 @@
role="bold">QUEUE</emphasis>|<emphasis
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
role="bold">NONE</emphasis>}[<emphasis
role="bold">:</emphasis>{<emphasis>default-action</emphasis>[:level][,...]|<emphasis
role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
role="bold">None</emphasis>}]</term>
<listitem>
@ -152,9 +152,13 @@
<para>Beginning with Shorewall 5.1.2, multiple
<replaceable>action</replaceable>[:<replaceable>level</replaceable>]
pairs may be specified, separated by commas. The actions are invoked
in the order listed.</para>
in the order listed. Also beginning with Shorewall 5.1.2, the
policy-action list can be prefixed with a plus sign ("+") indicating
that the listed actions are in addition to those listed in the
related _DEFAULT setting in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>Possible actions are:</para>
<para>Possible policies are:</para>
<variablelist>
<varlistentry>

View File

@ -136,9 +136,10 @@ ACCEPT - - tcp 135,139,445</programlisting>
<para>Shorewall allows the association of a <firstterm>policy
action</firstterm> with policies. A separate policy action may be
associated with ACCEPT, DROP, REJECT, QUEUE and NFQUEUE policies. Policy
actions provide a way to invoke a set of common rules just before the
policy is enforced. Policy actions accomplish two goals:</para>
associated with ACCEPT, DROP, REJECT, QUEUE, NFQUEUE and BLACKLIST
policies. Policy actions provide a way to invoke a set of common rules
just before the policy is enforced. Policy actions accomplish two
goals:</para>
<orderedlist>
<listitem>
@ -153,8 +154,8 @@ ACCEPT - - tcp 135,139,445</programlisting>
</orderedlist>
<para>Shorewall supports policy actions for the ACCEPT, REJECT, DROP,
QUEUE and NFQUEUE policies. These default actions are specified in the
<filename>/etc/shorewall/shorewall.conf</filename> file using the
QUEUE, NFQUEUE and BLACKLIST policies. These default actions are specified
in the <filename>/etc/shorewall/shorewall.conf</filename> file using the
ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and
NFQUEUE_DEFAULT options respectively. Policies whose default is set to a
value of <quote>none</quote> have no default action.</para>
@ -295,7 +296,7 @@ ACCEPT - - tcp 135,139,445</programlisting>
<variablelist>
<varlistentry>
<term>Broadcasts[(<replaceable>disposition</replaceable>)]</term>
<term>Broadcast[(<replaceable>disposition</replaceable>)]</term>
<listitem>
<para>Handles broadcasts and multicasts based on the
@ -335,7 +336,7 @@ ACCEPT - - tcp 135,139,445</programlisting>
<listitem>
<para>Allows ICMP packets mandated by RFC 4890. In particular, this
ensures that Neighbor Discovery won't be broken </para>
ensures that Neighbor Discovery won't be broken</para>
</listitem>
</varlistentry>
</variablelist>