Allow parameters to be specified to Default Actions in the policy file

and in shorewall.conf.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-06-11 14:58:54 -07:00
parent 68bf99ec69
commit a60fe6e665
5 changed files with 98 additions and 24 deletions


@ -283,6 +283,9 @@ sub print_policy($$$$) {
} }
sub use_policy_action( $ ); sub use_policy_action( $ );
sub normalize_action( $$$ );
sub normalize_action_name( $ );
# #
# Process an entry in the policy file. # Process an entry in the policy file.
# #
@ -324,15 +327,18 @@ sub process_a_policy() {
} }
if ( $default ) { if ( $default ) {
my ( $def, $param ) = get_target_param( $default );
if ( "\L$default" eq 'none' ) { if ( "\L$default" eq 'none' ) {
$default = 'none'; $default = 'none';
} elsif ( $actions{$default} ) { } elsif ( $actions{$def} ) {
$default = defined $param && $param ne '' ? normalize_action( $def, 'none', $param ) : normalize_action_name $default;
use_policy_action( $default ); use_policy_action( $default );
} else { } else {
fatal_error "Unknown Default Action ($default)"; fatal_error "Unknown Default Action ($default)";
} }
} else { } else {
$default = $default_actions{$policy} || ''; $default = $default_actions{$policy} || 'none';
} }
if ( defined $queue ) { if ( defined $queue ) {
@ -390,7 +396,9 @@ sub process_a_policy() {
$chainref->{synchain} = $chain $chainref->{synchain} = $chain
} }
$chainref->{default} = $default if $default; assert( $default );
my $chainref1 = $usedactions{$default};
$chainref->{default} = $chainref1 ? $chainref1->{name} : $default;
if ( $clientwild ) { if ( $clientwild ) {
if ( $serverwild ) { if ( $serverwild ) {
@ -462,16 +470,21 @@ sub process_policies()
for my $option qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) { for my $option qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) {
my $action = $config{$option}; my $action = $config{$option};
next if $action eq 'none';
my $actiontype = $targets{$action}; unless ( $action eq 'none' ) {
my ( $act, $param ) = get_target_param( $action );
if ( defined $actiontype ) {
fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION;
} else {
fatal_error "Default Action $option=$action not found";
}
use_policy_action( $action ); if ( "\L$action" eq 'none' ) {
$action = 'none';
} elsif ( $actions{$act} ) {
$action = defined $param && $param ne '' ? normalize_action( $act, 'none', $param ) : normalize_action_name $action;
use_policy_action( $action );
} elsif ( $targets{$act} ) {
fatal_error "Invalid setting ($action) for $option";
} else {
fatal_error "Default Action $option=$action not found";
}
}
$default_actions{$map{$option}} = $action; $default_actions{$map{$option}} = $action;
} }
@ -1515,7 +1528,7 @@ sub process_action( $) {
# Create a policy action if it doesn't already exist # Create a policy action if it doesn't already exist
# #
sub use_policy_action( $ ) { sub use_policy_action( $ ) {
my $ref = use_action( normalize_action_name $_[0] ); my $ref = use_action( $_[0] );
process_action( $ref ) if $ref; process_action( $ref ) if $ref;
} }
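Review bot: With the fallback changed to `$default_actions{$policy} || 'none'` and process_policies now storing `'none'` instead of skipping the option, the `@ -390` hunk always assigns a truthy string to `$chainref->{default}` where the old code left the key unset; any consumer of `$chainref->{default}` outside these hunks that tests it for truth would now need an explicit `ne 'none'` comparison — I cannot see those consumers from here, so please confirm. The spec handling (get_target_param, the case-insensitive `'none'` test, the `normalize_action`/`normalize_action_name` choice, `use_policy_action`) is now written twice, in process_a_policy and process_policies, and the latter additionally wraps it in `unless ( $action eq 'none' )`, which only catches the lowercase spelling and is made redundant by the inner test. I would move that sequence into one helper, forward-declared next to the declarations at the top of the first hunk, as sketched below; the call sites then collapse to `$default = $default ? normalize_default_action( $default ) : ( $default_actions{$policy} || 'none' );` and `$default_actions{$map{$option}} = normalize_default_action( $config{$option}, $option );`. Both process_a_policy and process_policies begin and end outside their hunks.
```perl
#
# Normalize a Default Action specification ('none', NAME or NAME(params)),
# mark the action as used, and return the name to record. $option is the
# shorewall.conf option being processed (undef for the policy file) and only
# affects the wording of the fatal_error messages.
#
sub normalize_default_action( $;$ ) {
    my ( $spec, $option ) = @_;

    return 'none' if "\L$spec" eq 'none';

    my ( $name, $param ) = get_target_param( $spec );

    if ( $actions{$name} ) {
        my $action = defined $param && $param ne '' ? normalize_action( $name, 'none', $param ) : normalize_action_name $spec;
        use_policy_action( $action );
        return $action;
    }

    fatal_error "Invalid setting ($spec) for $option" if defined $option && $targets{$name};
    fatal_error defined $option ? "Default Action $option=$spec not found" : "Unknown Default Action ($spec)";
}

# … unchanged: process_a_policy and process_policies, with the two call sites given in the note …
```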


@ -15,11 +15,23 @@
# c) Ensure that certain ICMP packets that are necessary for successful # c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed. # internet operation are always ACCEPTed.
# #
# The action accepts three optional parameters:
#
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
# actions.
# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
# depending on the setting of the first parameter.
# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
# depending on the setting of the first parameter.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
# #
############################################################################### ###############################################################################
FORMAT 2 FORMAT 2
#
# The following magic provides different defaults for $2 and $3, when $1 is
# 'audit'.
#
BEGIN PERL BEGIN PERL
use Shorewall::Config; use Shorewall::Config;
@ -28,15 +40,15 @@ my $p1 = read_action_param(1);
if ( defined $p1 && $p1 eq 'audit' ) { if ( defined $p1 && $p1 eq 'audit' ) {
my ( $p2, $p3 ) = ( read_action_param(2) , read_action_param(3) ); my ( $p2, $p3 ) = ( read_action_param(2) , read_action_param(3) );
set_action_param( 2, 'A_DROP') unless defined $p2; set_action_param( 2, 'A_REJECT') unless defined $p2;
set_action_param( 3, 'A_REJECT') unless defined $p3; set_action_param( 3, 'A_DROP') unless defined $p3;
}; };
1; 1;
END PERL END PERL
DEFAULTS -,DROP,REJECT DEFAULTS -,REJECT,DROP
#TARGET SOURCE DEST PROTO DPORT SPORT #TARGET SOURCE DEST PROTO DPORT SPORT
# #
@ -46,7 +58,7 @@ COUNT
# #
# Reject 'auth' # Reject 'auth'
# #
Auth($3) Auth($2)
# #
# Don't log broadcasts # Don't log broadcasts
# #
@ -63,7 +75,7 @@ dropInvalid($1)
# #
# Drop Microsoft noise so that it doesn't clutter up the log. # Drop Microsoft noise so that it doesn't clutter up the log.
# #
SMB($2) SMB($3)
DropUPnP($1) DropUPnP($1)
# #
# Drop 'newnotsyn' traffic so that it doesn't get logged. # Drop 'newnotsyn' traffic so that it doesn't get logged.
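Review bot: The header comment added in this hunk documents the first parameter as `'audit'` or `'-'`, but the `BEGIN PERL` block only tests `$p1 eq 'audit'`, so any other value (a misspelling such as `Audit`, or an action name put in the wrong slot) is silently treated as the no-audit case rather than rejected. I would validate it right after the `my $p1 = read_action_param(1);` line that precedes this hunk, e.g. `fatal_error "Invalid value ($p1) for parameter 1" if defined $p1 && $p1 ne 'audit' && $p1 ne '-';` — this assumes `fatal_error` is exported by `use Shorewall::Config` as it appears to be for Policy.pm, and that a `'-'` default reaches the block as undef rather than the literal string (widen the allowed set if it does not). The identical block in the Reject action file in this commit has the same gap. The Perl block starts before this hunk.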


@ -12,10 +12,22 @@
# b) Ensure that certain ICMP packets that are necessary for successful # b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed. # internet operation are always ACCEPTed.
# #
# The action accepts three optional parameters:
#
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
# actions.
# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
# depending on the setting of the first parameter.
# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
# depending on the setting of the first parameter.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
############################################################################### ###############################################################################
FORMAT 2 FORMAT 2
#
# The following magic provides different defaults for $2 and $3, when $1 is
# 'audit'.
#
BEGIN PERL BEGIN PERL
use Shorewall::Config; use Shorewall::Config;
@ -24,8 +36,8 @@ my $p1 = read_action_param(1);
if ( defined $p1 && $p1 eq 'audit' ) { if ( defined $p1 && $p1 eq 'audit' ) {
my ( $p2, $p3 ) = ( read_action_param(2) , read_action_param(3) ); my ( $p2, $p3 ) = ( read_action_param(2) , read_action_param(3) );
set_action_param( 2, 'A_DROP') unless defined $p2; set_action_param( 2, 'A_REJECT') unless defined $p2;
set_action_param( 3, 'A_REJECT') unless defined $p3; set_action_param( 3, 'A_REJECT') unless defined $p3;
}; };
1; 1;
@ -42,7 +54,7 @@ COUNT
# #
# Don't log 'auth' -- REJECT # Don't log 'auth' -- REJECT
# #
Auth($3) Auth($2)
# #
# Drop Broadcasts so they don't clutter up the log # Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected). # (broadcasts must *not* be rejected).
@ -61,7 +73,7 @@ dropInvalid($1)
# #
# Reject Microsoft noise so that it doesn't clutter up the log. # Reject Microsoft noise so that it doesn't clutter up the log.
# #
SMB($2) SMB($3)
DropUPnP($1) DropUPnP($1)
# #
# Drop 'newnotsyn' traffic so that it doesn't get logged. # Drop 'newnotsyn' traffic so that it doesn't get logged.


@ -6,6 +6,8 @@ Changes in Shorewall 4.4.21 Beta 1
3) Default values for action parameters. 3) Default values for action parameters.
4) Parameterize Drop and Reject actions.
Changes in Shorewall 4.4.20.1 Changes in Shorewall 4.4.20.1
1) Corrected FSF address. 1) Corrected FSF address.


@ -41,6 +41,41 @@ None.
is the default value for the second parameter and so on. To specify is the default value for the second parameter and so on. To specify
an empty default, use '-'. an empty default, use '-'.
4) The standard Drop and Reject actions are now parameterized. Each
has three parameters:
1) Pass 'audit' if you want all ACCEPTs, DROPs and REJECTs audited.
Pass '-' otherwise.
2) The action to be applied to Auth requests
FIRST PARAMETER DEFAULT
- REJECT
audit A_REJECT
3) The action to be applied to SMB traffic. The default depends on
the first parameter:
ACTION FIRST PARAMETER DEFAULT
Reject - REJECT
Drop - DROP
Reject audit A_REJECT
Drop audit A_DROP
The parameters can be passed in the POLICY column of the policy
file.
Examples:
SOURCE DEST POLICY
net all DROP:Drop(audit):audit #Same as
#DROP:A_DROP:audit
SOURCE DEST POLICY
net all DROP:Drop(-,DROP) #DROP rather than REJECT Auth
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------