extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-02 02:49:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

Replace A_* builtin actions with builtin targets

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-05-21 15:02:04 -07:00
parent d9b095bdea
commit 83cdf78b18
7 changed files with 92 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -66,6 +66,7 @@ our %EXPORT_TAGS = (
NFQ
CHAIN
SET
AUDIT
NO_RESTRICT
PREROUTE_RESTRICT
DESTIFACE_DISALLOW
@ -261,7 +262,8 @@ use constant { STANDARD => 1, #defined by Netfilter
LOGRULE => 256, #'LOG','NFLOG'
NFQ => 512, #'NFQUEUE'
CHAIN => 1024, #Manual Chain
SET => 2048. #SET
SET => 2048, #SET
AUDIT => 4096, #A_ACCEPT, etc
};
#
# Valid Targets -- value is a combination of one or more of the above
@ -1510,11 +1512,17 @@ sub initialize_chain_table()
%targets = ('ACCEPT' => STANDARD,
'ACCEPT+' => STANDARD + NONAT,
'ACCEPT!' => STANDARD,
'A_ACCEPT' => STANDARD + AUDIT,
'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
'NONAT' => STANDARD + NONAT + NATONLY,
'DROP' => STANDARD,
'DROP!' => STANDARD,
'A_DROP' => STANDARD + AUDIT,
'A_DROP!' => STANDARD + AUDIT,
'REJECT' => STANDARD,
'REJECT!' => STANDARD,
'A_REJECT' => STANDARD + AUDIT,
'A_REJECT!' => STANDARD + AUDIT,
'DNAT' => NATRULE,
'DNAT-' => NATRULE + NATONLY,
'REDIRECT' => NATRULE + REDIRECT,

9
Shorewall/Perl/Shorewall/Config.pm
View File

@ -546,6 +546,7 @@ sub initialize( $ ) {
MACLIST_DISPOSITION => undef,
TCP_FLAGS_DISPOSITION => undef,
BLACKLIST_DISPOSITION => undef,
SMURF_DISPOSITION => undef,
#
# Mark Geometry
#
@ -3351,6 +3352,14 @@ sub get_configuration( $ ) {
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$val", 's' if $val =~ /^A_/;
default 'SMURF_DISPOSITION' , 'DROP';
unless ( ( $val = $config{SMURF_DISPOSITION} ) =~ /^(?:A_)?DROP$/ ) {
fatal_error q(SMURF_DISPOSITION must be 'DROP' or 'A_DROP');
}
require_capability 'AUDIT_TARGET', "SMURF_DISPOSITION=$val", 's' if $val =~ /^A_/;
default_log_level 'BLACKLIST_LOGLEVEL', '';
default_log_level 'MACLIST_LOG_LEVEL', '';
default_log_level 'TCP_FLAGS_LOG_LEVEL', '';

53
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -203,9 +203,8 @@ sub setup_blacklist() {
my $chainref;
my $chainref1;
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
my $audit = $disposition =~ s/^A_//;
my $audit = $disposition =~ /^A_/;
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
my $auditref;
#
# We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
# for 'refresh' to work properly.
@ -214,7 +213,7 @@ sub setup_blacklist() {
$chainref = dont_delete new_standard_chain 'blacklst' if @$zones;
$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
if ( $audit || ( defined $level && $level ne '' ) ) {
if ( defined $level && $level ne '' ) {
my $logchainref = new_standard_chain 'blacklog';
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
@ -224,7 +223,10 @@ sub setup_blacklist() {
add_jump $logchainref, $target, 1;
$target = 'blacklog';
}
} elsif ( $audit ) {
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
$target = verify_audit( $disposition );
}
}
BLACKLIST:
@ -272,13 +274,7 @@ sub setup_blacklist() {
} else {
warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
unless ( $auditref ) {
$auditref = new_standard_chain 'blackaud';
add_rule $auditref, '-j AUDIT --type ' . lc $target;
add_jump $auditref, $target, 1;
}
$tgt = 'blackaud';
$tgt = verify_audit( 'A_' . $target );
}
}
@ -501,10 +497,10 @@ sub add_common_rules() {
$chainref = new_standard_chain 'smurfs';
my $smurfdest;
my $smurfdest = $config{SMURF_DISPOSITION};
if ( defined $config{SMURF_LOG_LEVEL} && $config{SMURF_LOG_LEVEL} ne '' ) {
my $smurfref = new_chain( 'filter', $smurfdest = 'smurflog' );
my $smurfref = new_chain( 'filter', 'smurflog' );
log_rule_limit( $config{SMURF_LOG_LEVEL},
$smurfref,
@ -514,9 +510,12 @@ sub add_common_rules() {
'',
'add',
'' );
add_rule( $smurfref, '-j AUDIT --type drop' ) if $smurfdest eq 'A_DROP';
add_rule( $smurfref, '-j DROP' );
$smurfdest = 'smurflog';
} else {
$smurfdest = 'DROP';
verify_audit( $smurfdest ) if $smurfdest eq 'A_DROP';
}
if ( have_capability( 'ADDRTYPE' ) ) {
@ -629,34 +628,38 @@ sub add_common_rules() {
if ( @$list ) {
my $level = $config{TCP_FLAGS_LOG_LEVEL};
my $disposition = $config{TCP_FLAGS_DISPOSITION};
my $audit = $disposition =~ s/^A_//;
my $audit = $disposition =~ /^A_/;
progress_message2 "$doing TCP Flags filtering...";
$chainref = new_standard_chain 'tcpflags';
if ( $audit || $level ) {
if ( $level ) {
my $logflagsref = new_standard_chain 'logflags';
if ( $level ) {
my $savelogparms = $globals{LOGPARMS};
my $savelogparms = $globals{LOGPARMS};
$globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";
$globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";
log_rule $level , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, '';
log_rule $level , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, '';
$globals{LOGPARMS} = $savelogparms;
$globals{LOGPARMS} = $savelogparms;
if ( $audit ) {
$disposition =~ s/^A_//;
add_rule( $logflagsref, '-j AUDIT --type ' . lc $disposition );
}
add_rule( $logflagsref, '-j AUDIT --type ' . lc $disposition ) if $audit;
if ( $config{TCP_FLAGS_DISPOSITION} eq 'REJECT' ) {
if ( $disposition eq 'REJECT' ) {
add_rule $logflagsref , '-p 6 -j REJECT --reject-with tcp-reset';
} else {
add_rule $logflagsref , "-j $config{TCP_FLAGS_DISPOSITION}";
add_rule $logflagsref , "-j $disposition";
}
$disposition = 'logflags';
} elsif ( $audit ) {
require_capability( 'AUDIT_TARGET', "TCP_FLAGS_DISPOSITION=$disposition", 's' );
verify_audit( $disposition );
}
add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags ALL FIN,URG,PSH ';

88
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -48,6 +48,7 @@ our @EXPORT = qw(
optimize_policy_chains
process_actions
process_rules
verify_audit
);
our @EXPORT_OK = qw( initialize );
@ -91,14 +92,6 @@ my %actions;
#
my %usedactions;
#
# Enumerate the AUDIT builtins
#
my %auditactions = ( A_ACCEPT => 1,
A_DROP => 1,
A_REJECT => 1
);
#
# Policies for which AUDIT is allowed
#
@ -169,9 +162,9 @@ sub initialize( $ ) {
%usedactions = ();
if ( $family == F_IPV4 ) {
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit A_ACCEPT A_DROP A_REJECT/;
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
} else {
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid A_ACCEPT A_DROP A_REJECT/;
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
}
}
@ -451,9 +444,6 @@ sub process_policies()
ACCEPT => undef,
REJECT => undef,
DROP => undef,
A_ACCEPT => undef,
A_DROP => undef,
A_REJECT => undef,
CONTINUE => undef,
QUEUE => undef,
NFQUEUE => undef,
@ -1141,10 +1131,10 @@ sub require_audit($$) {
return $action unless defined $audit and $audit ne '';
fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
my $target = 'A_' . $action;
fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
require_capability 'AUDIT_TARGET', 'audit', 's';
my $ref = $filter_table->{$target};
@ -1159,8 +1149,6 @@ sub require_audit($$) {
} else {
add_rule $ref , "-j $action";
}
$usedactions{normalize_action_name $target} = $ref;
}
return $target;
@ -1342,36 +1330,6 @@ sub Limit( $$$$ ) {
add_rule $chainref, '-j ACCEPT';
}
sub A_ACCEPT ( $$$ ) {
my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'A_ACCEPT rules', '';
log_rule_limit $level, $chainref, $chainref->{name} , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type accept';
add_rule $chainref , '-j ACCEPT';
}
sub A_DROP ( $$$ ) {
my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'A_DROP rules', '';
log_rule_limit $level, $chainref, $chainref->{name} , 'DROP', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type drop';
add_rule $chainref , '-j DROP';
}
sub A_REJECT ( $$$ ) {
my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'A_REJECT rules', '';
log_rule_limit $level, $chainref, $chainref->{name} , 'REJECT', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type reject';
add_rule $chainref , '-j reject';
}
my %builtinops = ( 'dropBcast' => \&dropBcast,
'allowBcast' => \&allowBcast,
'dropNotSyn' => \&dropNotSyn,
@ -1381,9 +1339,6 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
'allowinUPnP' => \&allowinUPnP,
'forwardUPnP' => \&forwardUPnP,
'Limit' => \&Limit,
'A_ACCEPT' => \&A_ACCEPT,
'A_DROP' => \&A_DROP,
'A_REJECT' => \&A_REJECT
);
#
@ -1641,6 +1596,32 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
return $generated;
}
sub verify_audit($) {
my ($target, $audit ) = @_;
require_capability 'AUDIT_TARGET', "$target rules", '';
my $ref = $filter_table->{$target};
unless ( $ref ) {
$ref = new_chain 'filter', $target;
my $action = $target;
$action =~ s/^A_//;
add_rule $ref, '-j AUDIT --type ' . lc $action;
if ( $action eq 'REJECT' ) {
add_jump $ref , 'reject', 1;
} else {
add_rule $ref , "-j $action";
}
}
return $target;
}
#
# Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
@ -2095,7 +2076,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
$target ,
$loglevel ,
$log_action ,
$serverport ? do_proto( $proto, '', '' ) : '' );
$serverport ? do_proto( $proto, '', '' ) : '',
);
#
# After NAT:
# - the destination port will be the server port ($ports) -- we did that above
@ -2189,7 +2171,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
$tgt,
$loglevel ,
$log_action ,
'' ,
'',
);
#
# Possible optimization if the rule just generated was a simple jump to the nonat chain
@ -2226,6 +2208,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
$rule .= "-m conntrack --ctorigdstport $origdstports " if have_capability( 'NEW_CONNTRACK_MATCH' ) && $origdstports;
verify_audit( $action ) if $actiontype & AUDIT;
expand_rule( ensure_chain( 'filter', $chain ) ,
$restriction ,
$rule ,

2
Shorewall/configfiles/shorewall.conf
View File

@ -208,4 +208,6 @@ MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE

8
Shorewall/releasenotes.txt
View File

@ -113,12 +113,16 @@ All bug fixes from 4.4.19.1 - 4.4.19.4.
MACLIST_TABLE=mangle
TCP_FLAGS_DISPOSITION A_DROP or A_REJECT
e) An 'audit' option has been added to the
e) A SMURF_DISPOSITION option has been added to
shorewall.conf. The default value is DROP; if the option is set
to A_DROP, then dropped smurfs are audited.
f) An 'audit' option has been added to the
/etc/shorewall/blacklist file which causes the packets matching
the entryto be audited. 'audit' may not be specified together
with 'accept'.
f) With the exception of 'Limit', the builtin actions
g) With the exception of 'Limit', the builtin actions
(dropBroadcast, rejNonSyn, etc.) now support
an 'audit' parameter which causes all ACCEPT, DROP and REJECTs
performed by the action to be audited. This allows creation of

2
Shorewall6/shorewall6.conf
View File

@ -169,4 +169,6 @@ BLACKLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE