Document and correct implementation of EXCLUSION_MASK
1. Require KLUDGEFREE if the existing rule already uses a mark match; 2. Tidy up the code; 3. Use MASK_BITS rather than TC_BITS when calculating the offset of EXCLUSION_MASK. Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
c98cf8aea6
commit
c2558af9c8
@ -3487,21 +3487,29 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
|
|
||||||
if ( $iexcl || $dexcl || $oexcl ) {
|
if ( $iexcl || $dexcl || $oexcl ) {
|
||||||
#
|
#
|
||||||
# We have non-trivial exclusion -- need to create an exclusion chain
|
# We have non-trivial exclusion
|
||||||
#
|
#
|
||||||
if ( $disposition eq 'RETURN' || $disposition eq 'CONTINUE' ) {
|
if ( $disposition eq 'RETURN' || $disposition eq 'CONTINUE' ) {
|
||||||
#
|
#
|
||||||
# We can't use an exclusion chain -- we mark those packets to be excluded and then condition the following rules based on the mark value
|
# We can't use an exclusion chain -- we mark those packets to be excluded and then condition the following rules based on the mark value
|
||||||
#
|
#
|
||||||
require_capability 'MARK_ANYWHERE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's';
|
require_capability 'MARK_ANYWHERE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's' unless $chainref->{table} eq 'mangle';
|
||||||
|
require_capability 'KLUDGEFREE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's' if $rule -~ / -m mark /;
|
||||||
|
#
|
||||||
|
# Clear the exclusion bit
|
||||||
|
#
|
||||||
add_rule $chainref = $chainref , '-j MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
|
add_rule $chainref = $chainref , '-j MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
|
||||||
|
#
|
||||||
|
# Mark packet if it matches any of the exclusions
|
||||||
|
#
|
||||||
my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );
|
my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );
|
||||||
|
|
||||||
add_rule $chainref, ( match_source_net $_ , $restriction ) . $exclude for ( mysplit $iexcl );
|
add_rule $chainref, ( match_source_net $_ , $restriction ) . $exclude for ( mysplit $iexcl );
|
||||||
add_rule $chainref, ( match_dest_net $_ ) . $exclude for ( mysplit $dexcl );
|
add_rule $chainref, ( match_dest_net $_ ) . $exclude for ( mysplit $dexcl );
|
||||||
add_rule $chainref, ( match_orig_dest $_ ) . $exclude for ( mysplit $oexcl );
|
add_rule $chainref, ( match_orig_dest $_ ) . $exclude for ( mysplit $oexcl );
|
||||||
|
#
|
||||||
|
# Augment the rule to include 'not excluded'
|
||||||
|
#
|
||||||
$rule .= '-m mark --mark 0/' . in_hex( $globals{EXCLUSION_MASK} ) . ' ';
|
$rule .= '-m mark --mark 0/' . in_hex( $globals{EXCLUSION_MASK} ) . ' ';
|
||||||
} else {
|
} else {
|
||||||
#
|
#
|
||||||
@ -3514,23 +3522,25 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
# Use the current rule and send all possible matches to the exclusion chain
|
# Use the current rule and send all possible matches to the exclusion chain
|
||||||
#
|
#
|
||||||
for my $onet ( mysplit $onets ) {
|
for my $onet ( mysplit $onets ) {
|
||||||
|
|
||||||
$onet = match_orig_dest $onet;
|
$onet = match_orig_dest $onet;
|
||||||
|
|
||||||
for my $inet ( mysplit $inets ) {
|
for my $inet ( mysplit $inets ) {
|
||||||
|
|
||||||
|
my $source_match = match_source_net( $inet, $restriction ) if have_capability( 'KLUDGEFREE' );
|
||||||
|
|
||||||
for my $dnet ( mysplit $dnets ) {
|
for my $dnet ( mysplit $dnets ) {
|
||||||
#
|
$source_match = match_source_net( $inet, $restriction ) unless have_capability( 'KLUDGEFREE' );
|
||||||
# We evaluate the source net match in the inner loop to accomodate systems without $capabilities{KLUDGEFREE}
|
add_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ), 1 );
|
||||||
#
|
|
||||||
add_jump( $chainref, $echainref, 0, join( '', $rule, match_source_net( $inet, $restriction ), match_dest_net( $dnet ), $onet ), 1 );
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Generate RETURNs for each exclusion
|
# Generate RETURNs for each exclusion
|
||||||
#
|
#
|
||||||
add_rule $echainref, ( match_source_net $_ , $restriction ) . '-j RETURN' for ( mysplit $iexcl );
|
add_rule $echainref, ( match_source_net $_ , $restriction ) . '-j RETURN' for ( mysplit $iexcl );
|
||||||
add_rule $echainref, ( match_dest_net $_ ) . '-j RETURN' for ( mysplit $dexcl );
|
add_rule $echainref, ( match_dest_net $_ ) . '-j RETURN' for ( mysplit $dexcl );
|
||||||
add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN' for ( mysplit $oexcl );
|
add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN' for ( mysplit $oexcl );
|
||||||
#
|
#
|
||||||
# Log rule
|
# Log rule
|
||||||
#
|
#
|
||||||
@ -3554,7 +3564,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
|
|
||||||
unless ( $done ) {
|
unless ( $done ) {
|
||||||
#
|
#
|
||||||
# No exclusions
|
# No non-trivial exclusions or we're using marks to handle them
|
||||||
#
|
#
|
||||||
for my $onet ( mysplit $onets ) {
|
for my $onet ( mysplit $onets ) {
|
||||||
$onet = match_orig_dest $onet;
|
$onet = match_orig_dest $onet;
|
||||||
|
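Review bot: The new KLUDGEFREE check in the first hunk, `require_capability 'KLUDGEFREE' , ... if $rule -~ / -m mark /;`, does not test `$rule` at all: Perl has no `-~` operator, so this parses as `$rule - ~( / -m mark / )`, a numeric subtraction of the bitwise negation of a match against `$_`, and the requirement the commit sets out to add is decided by whatever `$_` happens to hold. The intended line is `require_capability 'KLUDGEFREE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's' if $rule =~ / -m mark /;`; without it the `-m mark --mark 0/...` appended further down can presumably still be emitted alongside an existing mark match on systems lacking the capability. In the second hunk, `my $source_match = match_source_net( $inet, $restriction ) if have_capability( 'KLUDGEFREE' );` combines `my` with a statement modifier, which perlsyn documents as undefined behaviour; declare it unconditionally and assign afterwards, e.g. `my $source_match; $source_match = match_source_net( $inet, $restriction ) if have_capability( 'KLUDGEFREE' );`. expand_rule begins before the first hunk and continues past the last one.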
@ -3094,8 +3094,8 @@ sub get_configuration( $ ) {
|
|||||||
$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
|
$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
|
||||||
fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31;
|
fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31;
|
||||||
$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
|
$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
|
||||||
} elsif ( $config{TC_BITS} >= $config{PROVIDER_BITS} ) {
|
} elsif ( $config{MASK_BITS} >= $config{PROVIDER_BITS} ) {
|
||||||
$globals{EXCLUSION_MASK} = 1 << $config{TC_BITS};
|
$globals{EXCLUSION_MASK} = 1 << $config{MASK_BITS};
|
||||||
} else {
|
} else {
|
||||||
$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
|
$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
|
||||||
}
|
}
|
||||||
|
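Review bot: The new `elsif`/`else` branches compute `1 << $config{MASK_BITS}` and `1 << $config{PROVIDER_BITS}` with no counterpart to the `fatal_error ... > 31` guard the first branch relies on, so whether the exclusion bit always lands inside the 32-bit fwmark here depends on range checks on MASK_BITS and PROVIDER_BITS that are outside this hunk; if either value can reach 32, a guard such as `fatal_error 'No mark bit available for EXCLUSION_MASK' if $config{MASK_BITS} > 31 || $config{PROVIDER_BITS} > 31;` ahead of the `elsif` would make the failure explicit at compile time rather than in the generated `--or-mark`. The branch selection would also benefit from a comment, since the reader has to infer why the wider of the two fields is chosen: `# PROVIDER_OFFSET is 0 here, so the TC and provider fields overlap; the exclusion bit sits just above the wider of the two`. Note as well that the unchanged `fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32'` message does not match the `> 31` test next to it, which the exclusion bit makes the real limit. get_configuration begins before this hunk and continues after it.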
@ -35,7 +35,8 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
|||||||
address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
|
address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
|
||||||
valid but incorrect iptables input. This has been corrected but
|
valid but incorrect iptables input. This has been corrected but
|
||||||
requires that your iptables/kernel support marking rules in any
|
requires that your iptables/kernel support marking rules in any
|
||||||
Netfilter table.
|
Netfilter table (CONTINUE in the tcrules file does not require this
|
||||||
|
support).
|
||||||
|
|
||||||
This fix implements a new 'Mark in any table' capability; those
|
This fix implements a new 'Mark in any table' capability; those
|
||||||
who utilize a capabilities file should re-generate the file using
|
who utilize a capabilities file should re-generate the file using
|
||||||
|
@ -331,7 +331,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
|
|||||||
<row>
|
<row>
|
||||||
<entry>WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=No</entry>
|
<entry>WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=No</entry>
|
||||||
|
|
||||||
<entry>TC_BITS=8, PROVIDER_BITS=0, PROVIDER_OFFSET=0,
|
<entry>TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=0,
|
||||||
MASK_BITS=8</entry>
|
MASK_BITS=8</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
@ -364,7 +364,11 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
|
|||||||
than 16 when WIDE_TC_MARKS=Yes.</para>
|
than 16 when WIDE_TC_MARKS=Yes.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.12, the field between MASK_BITS and
|
<para>Beginning with Shorewall 4.4.12, the field between MASK_BITS and
|
||||||
PROVIDER_OFFSET can be used for any purpose you want. </para>
|
PROVIDER_OFFSET can be used for any purpose you want.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 4.4.13, The first unused bit on the left is
|
||||||
|
used by Shorewall as an <firstterm>exclusion mark</firstterm>, allowing
|
||||||
|
exclusion in CONTINUE, NONAT and ACCEPT+ rules.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Shorewall">
|
<section id="Shorewall">
|
||||||
|
Binary file not shown.
Binary file not shown.
Before Width: | Height: | Size: 13 KiB After Width: | Height: | Size: 17 KiB |