Resolve RFC 1918 Mess

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8372 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-03-28 00:05:25 +00:00
parent ab1b25a2a6
commit a141478319
9 changed files with 115 additions and 133 deletions

View File

@ -16,7 +16,7 @@ Changes in 4.1.7
8) Fix ":" parsing errors. 8) Fix ":" parsing errors.
9) Add macros for RFC 1918 filtering. 9) Add ORIGINAL DEST column to macros.
Changes in 4.1.6 Changes in 4.1.6

View File

@ -0,0 +1,14 @@
#
# Shorewall version 4 - Macro Template
#
# /usr/share/shorewall/macro.Rfc1918
#
# This macro handles pkts with a SOURCE or ORIGINAL DEST address reserved by RFC 1918
#############################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT(S) PORT(S) DEST LIMIT GROUP
FORMAT 2
PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
DEST - - - - - -
PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -264,6 +264,10 @@
# Otherwise, a separate rule will be generated for each # Otherwise, a separate rule will be generated for each
# port. # port.
# #
# ORIGINAL Original destination IP address. Must be omitted (
# DEST or '-') if the macro is to be used from within
# an action. See 'man shorewall-rules'.
#
# RATE LIMIT You may rate-limit the rule by placing a value in # RATE LIMIT You may rate-limit the rule by placing a value in
# this colume: # this colume:
# #
@ -304,8 +308,8 @@
# #
# /etc/shorewall/macro.FwdFTP: # /etc/shorewall/macro.FwdFTP:
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT(S) PORT(S) LIMIT GROUP # # PORT(S) PORT(S) DEST LIMIT GROUP
# DNAT - - tcp 21 # DNAT - - tcp 21
# #
# /etc/shorewall/rules: # /etc/shorewall/rules:
@ -345,7 +349,6 @@
# the rules file is appended with a ":" # the rules file is appended with a ":"
# separator. # separator.
# #
#
# Example: ############################################### # Example: ###############################################
# #ACTION SOURCE DEST PROTO DEST # #ACTION SOURCE DEST PROTO DEST
# # PORT(S) # # PORT(S)
@ -356,8 +359,10 @@
# Remaining Any value in the rules file REPLACES the value # Remaining Any value in the rules file REPLACES the value
# columns given in the macro file. # columns given in the macro file.
# #
# #######################################################################################################
############################################################################### # DO NOT REMOVE THE FOLLOWING LINE
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ FORMAT 2
# PORT(S) PORT(S) LIMIT GROUP #######################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ ORIGINAL
# PORT(S) PORT(S) DEST LIMIT GROUP DEST
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -71,6 +71,10 @@ Migration Issues.
5) The value of IMPLICIT_CONTINUE in shorewall.conf (and samples) has 5) The value of IMPLICIT_CONTINUE in shorewall.conf (and samples) has
been changed from Yes to No. been changed from Yes to No.
6) The 'norfc1918' option is deprecated. Use explicit rules instead.
Note that there is a new 'Rfc1918' option that acts on addresses
reserved by RFC 1918.
Problems corrected in Shorewall-perl 4.1.7. Problems corrected in Shorewall-perl 4.1.7.
1) Perl run-time errors occurred if an unknown service was named in 1) Perl run-time errors occurred if an unknown service was named in
@ -188,22 +192,29 @@ New Features in 4.1.7.
This allows for another application running on your firewall to This allows for another application running on your firewall to
take over the mangle table and use it for it's own purposes. take over the mangle table and use it for it's own purposes.
4) Shorewall-perl implements four new built-in actions that deal with 4) Shorewall-perl now supports an ORIGINAL DEST column in macro files.
RFC 1918 addresses. These actions should be used in place of The column must be left empty if the macro is to be used in the
body of an action.
Note that the position of the ORIGINAL DEST column is different
from its position in the /etc/shorewall/rules file. Beware!
5) Shorewall-perl implements a new Rfc1918 macro that deals with
RFC 1918 addresses. This macro should be used in place of
the 'norfc1918' interface option which is deprecated. the 'norfc1918' interface option which is deprecated.
drop1918src - Drops packets with an RFC 1918 source address. The macro body is:
drop1918dst - Drops packets with an RFC 1918 original
destination IP address. #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ ORIGINAL
rej1918dst - Rejects packets with an RFC 1918 source address. # PORT(S) PORT(S) LIMIT GROUP DEST
rej1918dst - Rejectss packets with an RFC 1918 original PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
destination IP address. DEST - - - - - -
PARAM SOURCE DEST - - - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
The 'norfc1918' option on the interface associated with zone 'z' The 'norfc1918' option on the interface associated with zone 'z'
and with RFC1018_STRICT=Yes is equivalent to: and with RFC1018_STRICT=Yes is equivalent to:
drop1918src z all Rfc1918(DROP) z all
drop1918dst z all
New Features in Shorewall 4.1. New Features in Shorewall 4.1.

View File

@ -183,6 +183,8 @@ AUTO_COMMENT=Yes
MANGLE_ENABLED=Yes MANGLE_ENABLED=Yes
NEW_MACRO_LAYOUT=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

View File

@ -53,6 +53,7 @@ our @EXPORT = qw( merge_levels
%actions %actions
%macros %macros
%macro_commands
); );
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( initialize );
our $VERSION = 4.1.1; our $VERSION = 4.1.1;
@ -82,6 +83,11 @@ our %logactionchains;
our %macros; our %macros;
#
# Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
#
our %macro_commands = ( COMMENT => 0, FORMAT => 2 );
# #
# Initialize globals -- we take this novel approach to globals initialization to allow # Initialize globals -- we take this novel approach to globals initialization to allow
# the compiler to run multiple times in the same process. The # the compiler to run multiple times in the same process. The
@ -401,9 +407,9 @@ sub process_macro1 ( $$ ) {
push_open( $macrofile ); push_open( $macrofile );
while ( read_a_line ) { while ( read_a_line ) {
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file'; my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', \%macro_commands;
next if $mtarget eq 'COMMENT'; next if $mtarget eq 'COMMENT' || $mtarget eq 'FORMAT';
$mtarget =~ s/:.*$//; $mtarget =~ s/:.*$//;
@ -576,6 +582,8 @@ sub process_macro3( $$$$$$$$$$$ ) {
my $nocomment = no_comment; my $nocomment = no_comment;
my $format = 1;
macro_comment $macro; macro_comment $macro;
my $fn = $macros{$macro}; my $fn = $macros{$macro};
@ -586,18 +594,34 @@ sub process_macro3( $$$$$$$$$$$ ) {
while ( read_a_line ) { while ( read_a_line ) {
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file'; my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
if ( $format == 1 ) {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', \%macro_commands;
} else {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', \%macro_commands;
}
if ( $mtarget eq 'COMMENT' ) { if ( $mtarget eq 'COMMENT' ) {
process_comment unless $nocomment; process_comment unless $nocomment;
next; next;
} }
if ( $mtarget eq 'FORMAT' ) {
fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/;
$format = $msource;
next;
}
fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
if ( $mtarget =~ /^PARAM:?/ ) { if ( $mtarget =~ /^PARAM:?/ ) {
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param; fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
$mtarget = substitute_param $param, $mtarget; $mtarget = substitute_param $param, $mtarget;
} }
fatal_error "Macros used within Actions may not specify an ORIGINAL DEST " if $morigdest ne '-';
if ( $msource ) { if ( $msource ) {
if ( ( $msource eq '-' ) || ( $msource eq 'SOURCE' ) ) { if ( ( $msource eq '-' ) || ( $msource eq 'SOURCE' ) ) {
$msource = $source || ''; $msource = $source || '';
@ -815,62 +839,6 @@ sub process_actions3 () {
add_rule $chainref, '-j ACCEPT'; add_rule $chainref, '-j ACCEPT';
} }
sub drop1918src( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'dropRFC1918src', 'DROP', '', $tag, 'add', '-s 10.0.0.0/8 ';
log_rule_limit $level, $chainref, 'dropRFC1918src', 'DROP', '', $tag, 'add', '-s 172.16.0.0/12 ';
log_rule_limit $level, $chainref, 'dropRFC1918src', 'DROP', '', $tag, 'add', '-s 192.168.0.0/16 ';
}
add_rule $chainref, '-s 10.0.0.0/8 -j DROP';
add_rule $chainref, '-s 172.16.0.0/12 -j DROP';
add_rule $chainref, '-s 192.168.0.0/16 -j DROP';
}
sub drop1918dst( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'drop1918src', 'DROP', '', $tag, 'add', '-m conntrack --ctorigdst 10.0.0.0/8 ';
log_rule_limit $level, $chainref, 'drop1918src', 'DROP', '', $tag, 'add', '-m conntrack --ctorigdst 172.16.0.0/12 ';
log_rule_limit $level, $chainref, 'drop1918src', 'DROP', '', $tag, 'add', '-m conntrack --ctorigdst 192.168.0.0/16 ';
}
add_rule $chainref, '-m conntrack --ctorigdst 10.0.0.0/8 -j DROP';
add_rule $chainref, '-m conntrack --ctorigdst 172.16.0.0/12 -j DROP';
add_rule $chainref, '-m conntrack --ctorigdst 192.168.0.0/16 -j DROP';
}
sub rej1918src( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-s 10.0.0.0/8 ';
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-s 172.16.0.0/12 ';
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-s 192.168.0.0/16 ';
}
add_rule $chainref, '-s 10.0.0.0/8 -j reject';
add_rule $chainref, '-s 172.16.0.0/12 -j reject';
add_rule $chainref, '-s 192.168.0.0/16 -j reject';
}
sub rej1918dst( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-m conntrack --ctorigdst 10.0.0.0/8 ';
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-m conntrack --ctorigdst 172.16.0.0/12 ';
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-m conntrack --ctorigdst 192.168.0.0/16 ';
}
add_rule $chainref, '-m conntrack --ctorigdst 10.0.0.0/8 -j reject';
add_rule $chainref, '-m conntrack --ctorigdst 172.16.0.0/12 -j reject';
add_rule $chainref, '-m conntrack --ctorigdst 192.168.0.0/16 -j reject';
}
my %builtinops = ( 'dropBcast' => \&dropBcast, my %builtinops = ( 'dropBcast' => \&dropBcast,
'allowBcast' => \&allowBcast, 'allowBcast' => \&allowBcast,
'dropNotSyn' => \&dropNotSyn, 'dropNotSyn' => \&dropNotSyn,
@ -879,10 +847,6 @@ sub process_actions3 () {
'allowInvalid' => \&allowInvalid, 'allowInvalid' => \&allowInvalid,
'allowinUPnP' => \&allowinUPnP, 'allowinUPnP' => \&allowinUPnP,
'forwardUPnP' => \&forwardUPnP, 'forwardUPnP' => \&forwardUPnP,
'drop1918src' => \&drop1918src,
'drop1918dst' => \&drop1918dst,
'rej1918src' => \&drop1918src,
'rej1918dst' => \&drop1918dst,
'Limit' => \&Limit, ); 'Limit' => \&Limit, );
for my $wholeaction ( keys %usedactions ) { for my $wholeaction ( keys %usedactions ) {

View File

@ -309,10 +309,6 @@ sub initialize() {
'allowInvalid' => BUILTIN + ACTION, 'allowInvalid' => BUILTIN + ACTION,
'allowinUPnP' => BUILTIN + ACTION, 'allowinUPnP' => BUILTIN + ACTION,
'forwardUPnP' => BUILTIN + ACTION, 'forwardUPnP' => BUILTIN + ACTION,
'drop1918src' => BUILTIN + ACTION,
'drop1918dst' => BUILTIN + ACTION,
'rej1918src' => BUILTIN + ACTION,
'rej1918dst' => BUILTIN + ACTION,
'Limit' => BUILTIN + ACTION, 'Limit' => BUILTIN + ACTION,
); );
# #

View File

@ -80,7 +80,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
split_list split_list
split_line split_line
split_line1 split_line1
split_line2
first_entry first_entry
open_file open_file
close_file close_file
@ -920,52 +919,19 @@ sub split_line( $$$ ) {
} }
# #
# Version of 'split_line' that handles COMMENT lines # Version of 'split_line' used on files with exceptions
# #
sub split_line1( $$$ ) { sub split_line1( $$$;$ ) {
my ( $mincolumns, $maxcolumns, $description ) = @_; my ( $mincolumns, $maxcolumns, $description, $nopad) = @_;
fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $currentline =~ /["`\\]/; fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $currentline =~ /["`\\]/;
my @line = split( ' ', $currentline ); my @line = split( ' ', $currentline );
return @line if $line[0] eq 'COMMENT'; $nopad = { COMMENT => 0 } unless $nopad;
fatal_error "Shorewall Configuration file entries may not contain single quotes" if $currentline =~ /'/;
fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
my $line = @line;
fatal_error "Invalid $description entry (too many columns)" if $line > $maxcolumns;
$line-- while $line > 0 && $line[$line-1] eq '-';
fatal_error "Invalid $description entry (too few columns)" if $line < $mincolumns;
push @line, '-' while @line < $maxcolumns;
@line;
}
#
# When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these
#
my %no_pad = ( COMMENT => 0,
SECTION => 2 );
#
# Version of 'split_line' used on rules file entries
#
sub split_line2( $$$ ) {
my ( $mincolumns, $maxcolumns, $description ) = @_;
fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $currentline =~ /["`\\]/;
my @line = split( ' ', $currentline );
my $first = $line[0]; my $first = $line[0];
my $columns = $no_pad{$first}; my $columns = $nopad->{$first};
if ( defined $columns ) { if ( defined $columns ) {
if ( $columns ) { if ( $columns ) {

View File

@ -60,6 +60,14 @@ our $sectioned;
our $macro_nest_level; our $macro_nest_level;
our $current_param; our $current_param;
our @param_stack; our @param_stack;
#
# When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these
#
my %rules_commands = ( COMMENT => 0,
SECTION => 2 );
# #
# Initialize globals -- we take this novel approach to globals initialization to allow # Initialize globals -- we take this novel approach to globals initialization to allow
# the compiler to run multiple times in the same process. The # the compiler to run multiple times in the same process. The
@ -215,7 +223,7 @@ sub setup_rfc1918_filteration( $ ) {
my $rfc1918ref = new_standard_chain 'rfc1918'; my $rfc1918ref = new_standard_chain 'rfc1918';
my $chainref = $norfc1918ref; my $chainref = $norfc1918ref;
warning_message q(The 'norfc1918' option is deprecated in favor of the RFC1918-oriented built-in actions); warning_message q(The 'norfc1918' option is deprecated);
log_rule $config{RFC1918_LOG_LEVEL} , $rfc1918ref , 'DROP' , ''; log_rule $config{RFC1918_LOG_LEVEL} , $rfc1918ref , 'DROP' , '';
@ -834,6 +842,8 @@ sub process_macro ( $$$$$$$$$$$$$ ) {
my $nocomment = no_comment; my $nocomment = no_comment;
my $format = 1;
macro_comment $macro; macro_comment $macro;
my $macrofile = $macros{$macro}; my $macrofile = $macros{$macro};
@ -844,13 +854,27 @@ sub process_macro ( $$$$$$$$$$$$$ ) {
while ( read_a_line ) { while ( read_a_line ) {
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file'; my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
if ( $format == 1 ) {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', \%macro_commands;
} else {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', \%macro_commands;
}
if ( $mtarget eq 'COMMENT' ) { if ( $mtarget eq 'COMMENT' ) {
process_comment unless $nocomment; process_comment unless $nocomment;
next; next;
} }
if ( $mtarget eq 'FORMAT' ) {
fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/;
$format = $msource;
next;
}
fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
$mtarget = merge_levels $target, $mtarget; $mtarget = merge_levels $target, $mtarget;
if ( $mtarget =~ /^PARAM(:.*)?$/ ) { if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
@ -899,7 +923,7 @@ sub process_macro ( $$$$$$$$$$$$$ ) {
merge_macro_column( $mproto, $proto ) , merge_macro_column( $mproto, $proto ) ,
merge_macro_column( $mports, $ports ) , merge_macro_column( $mports, $ports ) ,
merge_macro_column( $msports, $sports ) , merge_macro_column( $msports, $sports ) ,
$origdest, merge_macro_column( $morigdest, $origdest ) ,
merge_macro_column( $mrate, $rate ) , merge_macro_column( $mrate, $rate ) ,
merge_macro_column( $muser, $user ) , merge_macro_column( $muser, $user ) ,
$mark, $mark,
@ -1397,7 +1421,7 @@ sub process_rules() {
while ( read_a_line ) { while ( read_a_line ) {
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark ) = split_line2 1, 10, 'rules file'; my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark ) = split_line1 1, 10, 'rules file', \%rules_commands;
if ( $target eq 'COMMENT' ) { if ( $target eq 'COMMENT' ) {
process_comment; process_comment;