mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 14:20:40 +01:00
Reorganize rules file processing
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@84 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
98d57a3733
commit
a9d40f34b3
@ -1225,8 +1225,8 @@ setup_nat() {
|
||||
# Folks feel uneasy if they don't see all of the same
|
||||
# decoration on these IP addresses that they see when their
|
||||
# distro's net config tool adds them. In an attempt to reduce
|
||||
# the anxiety level, we'll introduce the following code to set
|
||||
# the VLSM and BRD just like the primary address
|
||||
# the anxiety level, we have the following code which sets
|
||||
# the VLSM and BRD from the primary address
|
||||
#
|
||||
# Get all of the lines that contain inet addresses with broadcast
|
||||
#
|
||||
@ -1374,36 +1374,37 @@ delete_tc()
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Process a record from the rules file #
|
||||
# #
|
||||
# The caller has loaded the column contents from the record into the following #
|
||||
# variables: #
|
||||
# #
|
||||
# target clients servers protocol ports cports address #
|
||||
# #
|
||||
# and has loaded a space-separated list of their values in "rule". #
|
||||
# #
|
||||
# The 'multioption' variable has also been loaded appropriately to reflect #
|
||||
# the setting of the MULTIPORT option in /etc/shorewall/shorewall.conf #
|
||||
# Add a NAT rule - Helper function for the rules file processor #
|
||||
#------------------------------------------------------------------------------#
|
||||
# The caller has established the following variables: #
|
||||
# cli = Source IP, interface or MAC Specification #
|
||||
# serv = Destination IP Specification #
|
||||
# dest_interface = Destination Interface Specification #
|
||||
# proto = Protocol Specification #
|
||||
# addr = Original Destination Address #
|
||||
# dports = Destination Port Specification #
|
||||
# cport = Source Port Specification #
|
||||
# multioption = String to invoke multiport match if appropriate #
|
||||
################################################################################
|
||||
process_rule() {
|
||||
|
||||
############################################################################
|
||||
# Add a NAT rule
|
||||
#
|
||||
add_nat_rule() {
|
||||
add_nat_rule() {
|
||||
local chain
|
||||
|
||||
# Be sure NAT is enabled
|
||||
|
||||
if [ -z "$NAT_ENABLED" ]; then
|
||||
fatal_error \
|
||||
"Error - Rule \"$rule\" requires NAT which is disabled"
|
||||
fi
|
||||
|
||||
# Onle ACCEPT (plus DNAT and REDIRECT) may result in NAT
|
||||
|
||||
if [ "$target" != "ACCEPT" ]; then
|
||||
fatal_error "Error - Only DNAT and REDIRECT rules may specify " \
|
||||
"port mapping; rule \"$rule\""
|
||||
fi
|
||||
|
||||
# Parse SNAT address if any
|
||||
|
||||
if [ "$addr" != "${addr%:*}" ]; then
|
||||
snat="${addr#*:}"
|
||||
addr="${addr%:*}"
|
||||
@ -1411,8 +1412,12 @@ process_rule() {
|
||||
snat=""
|
||||
fi
|
||||
|
||||
# Set original destination address
|
||||
|
||||
[ "$addr" = "all" ] && addr= || addr=${addr:+-d $addr}
|
||||
|
||||
# Select target
|
||||
|
||||
if [ -n "$serv" ]; then
|
||||
servport="${servport:+:$servport}"
|
||||
target1="DNAT --to-destination ${serv}${servport}"
|
||||
@ -1420,6 +1425,8 @@ process_rule() {
|
||||
target1="REDIRECT --to-port $servport"
|
||||
fi
|
||||
|
||||
# Generate nat table rules
|
||||
|
||||
if [ "$source" = "$FW" ]; then
|
||||
run_iptables -t nat -A OUTPUT $proto $sports $addr \
|
||||
$dports -j $target1
|
||||
@ -1444,8 +1451,12 @@ process_rule() {
|
||||
$addr $dports -j $target1
|
||||
fi
|
||||
|
||||
# Replace destination port by the new destination port
|
||||
|
||||
[ -n "$servport" ] && dports="--dport ${servport#*:}"
|
||||
|
||||
# Handle SNAT
|
||||
|
||||
if [ -n "$snat" ]; then
|
||||
if [ -n "$cli" ]; then
|
||||
run_iptables -t nat -A POSTROUTING $proto $cli \
|
||||
@ -1458,38 +1469,44 @@ process_rule() {
|
||||
done
|
||||
fi
|
||||
fi
|
||||
}
|
||||
}
|
||||
|
||||
############################################################################
|
||||
# Add one rule
|
||||
#
|
||||
################################################################################
|
||||
# Add one Filter Rule -- Helper function for the rules file processor #
|
||||
#------------------------------------------------------------------------------#
|
||||
# The caller has established the following variables: #
|
||||
# client = SOURCE IP or MAC #
|
||||
# server = DESTINATION IP or interface #
|
||||
# protocol = Protocol #
|
||||
# address = Original Destination Address #
|
||||
# port = Destination Port #
|
||||
# cport = Source Port #
|
||||
# multioption = String to invoke multiport match if appropriate #
|
||||
# servport = Port the server listens on #
|
||||
# chain = The canonical chain for this rule #
|
||||
################################################################################
|
||||
add_a_rule()
|
||||
{
|
||||
# Set source variables
|
||||
|
||||
add_a_rule() {
|
||||
########################################################################
|
||||
# Determine the format of the client
|
||||
#
|
||||
cli=
|
||||
|
||||
[ -n "$client" ] && case "$client" in
|
||||
-)
|
||||
;;
|
||||
[0-9]*|![0-9]*)
|
||||
#
|
||||
# IP Address or subnet
|
||||
#
|
||||
cli="-s $client"
|
||||
;;
|
||||
~*)
|
||||
cli=`mac_match $client`
|
||||
;;
|
||||
*)
|
||||
#
|
||||
# Assume that this is a device name
|
||||
#
|
||||
cli="-i $client"
|
||||
;;
|
||||
esac
|
||||
|
||||
# Set destination variables
|
||||
|
||||
dest_interface=
|
||||
|
||||
[ -n "$server" ] && case "$server" in
|
||||
@ -1504,9 +1521,9 @@ process_rule() {
|
||||
serv=
|
||||
;;
|
||||
esac
|
||||
################################################################
|
||||
# Setup PROTOCOL, PORT and STATE variables
|
||||
#
|
||||
|
||||
# Setup protocol and port variables
|
||||
|
||||
sports=
|
||||
dports=
|
||||
state="-m state --state NEW"
|
||||
@ -1556,6 +1573,8 @@ process_rule() {
|
||||
|
||||
proto="${proto:+-p $proto}"
|
||||
|
||||
# Some misc. setup
|
||||
|
||||
case "$logtarget" in
|
||||
REJECT)
|
||||
target=reject
|
||||
@ -1571,21 +1590,18 @@ process_rule() {
|
||||
;;
|
||||
esac
|
||||
|
||||
# Complain if the rule is really a policy
|
||||
|
||||
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
|
||||
error_message "Warning -- Rule \"$rule\" is a POLICY"
|
||||
error_message " -- and should be moved to the policy file"
|
||||
fi
|
||||
|
||||
if [ -n "${serv}${servport}" ]; then
|
||||
##################################################################
|
||||
# Destination is a Specific Server or we're redirecting a port
|
||||
#
|
||||
if [ -n "$addr" -a "$addr" != "$serv" ]; then
|
||||
##############################################################
|
||||
# Must use Prerouting DNAT or REDIRECT
|
||||
#
|
||||
add_nat_rule
|
||||
fi
|
||||
|
||||
# A specific server or server port given
|
||||
|
||||
[ -n "$addr" -a "$addr" != "$serv" ] && add_nat_rule
|
||||
|
||||
serv="${serv:+-d $serv}"
|
||||
|
||||
@ -1596,9 +1612,9 @@ process_rule() {
|
||||
run_iptables -A $chain $proto $multiport $state $cli $sports \
|
||||
$serv $dports -j $target
|
||||
else
|
||||
####################################################################
|
||||
# Destination is just a zone or an interface
|
||||
#
|
||||
|
||||
# Destination is a simple zone
|
||||
|
||||
[ -n "$addr" ] && fatal_error \
|
||||
"Error: An ADDRESS ($addr) is only allowed in" \
|
||||
" a DNAT or REDIRECT: \"$rule\""
|
||||
@ -1611,11 +1627,24 @@ process_rule() {
|
||||
run_iptables -A $chain $proto $multiport $dest_interface $state \
|
||||
$cli $sports $dports -j $target
|
||||
fi
|
||||
}
|
||||
}
|
||||
|
||||
############################################################################
|
||||
# Return the number of elements in the passed comma-separated list
|
||||
#
|
||||
################################################################################
|
||||
# Process a record from the rules file #
|
||||
# #
|
||||
# The caller has loaded the column contents from the record into the following #
|
||||
# variables: #
|
||||
# #
|
||||
# target clients servers protocol ports cports address #
|
||||
# #
|
||||
# and has loaded a space-separated list of their values in "rule". #
|
||||
# #
|
||||
# The 'multioption' variable has also been loaded appropriately to reflect #
|
||||
# the setting of the MULTIPORT option in /etc/shorewall/shorewall.conf #
|
||||
################################################################################
|
||||
process_rule() {
|
||||
|
||||
# Function to count list elements
|
||||
|
||||
list_count() {
|
||||
local temp=`separate_list $1`
|
||||
@ -1623,11 +1652,8 @@ process_rule() {
|
||||
echo $temp | wc -w
|
||||
}
|
||||
|
||||
############################################################################
|
||||
# P r o c e s s _ R u l e S t a r t s H e r e
|
||||
############################################################################
|
||||
# Parse the Target and Clients columns
|
||||
#
|
||||
# Function Body -- isolate log level
|
||||
|
||||
if [ "$target" = "${target%:*}" ]; then
|
||||
loglevel=
|
||||
else
|
||||
@ -1637,12 +1663,8 @@ process_rule() {
|
||||
fi
|
||||
|
||||
logtarget="$target"
|
||||
#
|
||||
# DNAT and REDIRECT targets were implemented in version 1.3 to replace
|
||||
# an older syntax. We simply map the new syntax into the old and proceed;
|
||||
# that way, people who have files with the old syntax don't need to
|
||||
# convert right away.
|
||||
#
|
||||
|
||||
# Convert 1.3 Rule formats to 1.2 format
|
||||
|
||||
case $target in
|
||||
DNAT)
|
||||
@ -1660,6 +1682,8 @@ process_rule() {
|
||||
;;
|
||||
esac
|
||||
|
||||
# Parse and validate source
|
||||
|
||||
if [ "$clients" = "${clients%:*}" ]; then
|
||||
clientzone="$clients"
|
||||
clients=
|
||||
@ -1678,20 +1702,16 @@ process_rule() {
|
||||
fatal_error "Error: Exclude list only allowed with DNAT or REDIRECT"
|
||||
fi
|
||||
|
||||
############################################################################
|
||||
# Validate the Source Zone
|
||||
|
||||
if ! validate_zone $clientzone; then
|
||||
fatal_error "Error: Undefined Client Zone in rule \"$rule\""
|
||||
fi
|
||||
|
||||
# Parse and validate destination
|
||||
|
||||
source=$clientzone
|
||||
|
||||
[ $source = $FW ] && source_hosts= || eval source_hosts=\"\$${source}_hosts\"
|
||||
|
||||
############################################################################
|
||||
# Parse the servers column
|
||||
#
|
||||
if [ "$servers" = "${servers%:*}" ] ; then
|
||||
serverzone="$servers"
|
||||
servers=
|
||||
@ -1706,22 +1726,20 @@ process_rule() {
|
||||
serverport=
|
||||
fi
|
||||
fi
|
||||
############################################################################
|
||||
# Validate the destination zone
|
||||
#
|
||||
|
||||
if ! validate_zone $serverzone; then
|
||||
fatal_error "Error: Undefined Server Zone in rule \"$rule\""
|
||||
fi
|
||||
|
||||
dest=$serverzone
|
||||
############################################################################
|
||||
# Create the canonical chain if it doesn't exist
|
||||
#
|
||||
|
||||
# Create canonical chain if necessary
|
||||
|
||||
chain=${source}2${dest}
|
||||
ensurechain $chain
|
||||
############################################################################
|
||||
# Iterate through the various lists creating individual rules
|
||||
#
|
||||
|
||||
# Generate Netfilter rule(s)
|
||||
|
||||
if [ -n "$MULTIPORT" -a \
|
||||
"$ports" = "${ports%:*}" -a \
|
||||
"$cports" = "${cports%:*}" -a \
|
||||
@ -2646,6 +2664,9 @@ add_common_rules() {
|
||||
#
|
||||
drop_broadcasts `find_broadcasts`
|
||||
|
||||
###########################################################################
|
||||
# RFC 1918
|
||||
#
|
||||
norfc1918_interfaces="`find_interfaces_by_option norfc1918`"
|
||||
|
||||
if [ -n "$norfc1918_interfaces" ]; then
|
||||
@ -2710,7 +2731,9 @@ add_common_rules() {
|
||||
# Enable icmp output
|
||||
#
|
||||
run_iptables -A OUTPUT -m state --state ! INVALID -p icmp -j ACCEPT
|
||||
|
||||
############################################################################
|
||||
# Route Filtering
|
||||
#
|
||||
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
|
||||
echo 0 > $f
|
||||
done
|
||||
@ -2736,7 +2759,9 @@ add_common_rules() {
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
############################################################################
|
||||
# IP Forwarding
|
||||
#
|
||||
case "$IP_FORWARDING" in
|
||||
[Oo][Nn])
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
@ -2754,7 +2779,9 @@ add_common_rules() {
|
||||
# Add the appropriate policy rule(s) to the end of each canonical chain #
|
||||
################################################################################
|
||||
apply_policy_rules() {
|
||||
|
||||
############################################################################
|
||||
# Create policy chains
|
||||
#
|
||||
while read client server policy loglevel synparams; do
|
||||
expandv client server policy loglevel synparams
|
||||
validate_zone $client
|
||||
@ -2788,7 +2815,9 @@ apply_policy_rules() {
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/policy
|
||||
|
||||
############################################################################
|
||||
# Add policy rules to canonical chains
|
||||
#
|
||||
for zone in $FW $zones; do
|
||||
setup_intrazone $zone
|
||||
for zone1 in $FW $zones; do
|
||||
|
||||
Loading…
Reference in New Issue
Block a user