Add INVALID section to the rules file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
a03e793907
commit
c2bc74cdfe
@ -131,6 +131,7 @@ our %EXPORT_TAGS = (
|
|||||||
rules_chain
|
rules_chain
|
||||||
blacklist_chain
|
blacklist_chain
|
||||||
related_chain
|
related_chain
|
||||||
|
invalid_chain
|
||||||
zone_forward_chain
|
zone_forward_chain
|
||||||
use_forward_chain
|
use_forward_chain
|
||||||
input_chain
|
input_chain
|
||||||
@ -293,6 +294,7 @@ our $VERSION = 'MODULEVERSION';
|
|||||||
# level 8.
|
# level 8.
|
||||||
# complete => The last rule in the chain is a -g or a simple -j to a terminating target
|
# complete => The last rule in the chain is a -g or a simple -j to a terminating target
|
||||||
# Suppresses adding additional rules to the chain end of the chain
|
# Suppresses adding additional rules to the chain end of the chain
|
||||||
|
# sections => { <section> = 1, ... } - Records sections that have been completed.
|
||||||
# } ,
|
# } ,
|
||||||
# <chain2> => ...
|
# <chain2> => ...
|
||||||
# }
|
# }
|
||||||
@ -1628,6 +1630,13 @@ sub related_chain($$) {
|
|||||||
'+' . &rules_chain(@_);
|
'+' . &rules_chain(@_);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Name of the invalid chain between an ordered pair of zones
|
||||||
|
#
|
||||||
|
sub invalid_chain($$) {
|
||||||
|
'_' . &rules_chain(@_);
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Create the base for a chain involving the passed interface -- we make this a function so it will be
|
# Create the base for a chain involving the passed interface -- we make this a function so it will be
|
||||||
# easy to change the mapping should the need ever arrive.
|
# easy to change the mapping should the need ever arrive.
|
||||||
|
@ -642,7 +642,7 @@ sub initialize( $;$$) {
|
|||||||
EXPORT => 0,
|
EXPORT => 0,
|
||||||
KLUDGEFREE => '',
|
KLUDGEFREE => '',
|
||||||
STATEMATCH => '-m state --state',
|
STATEMATCH => '-m state --state',
|
||||||
VERSION => "4.5.13-Beta1",
|
VERSION => "4.5.13-Beta3",
|
||||||
CAPVERSION => 40512 ,
|
CAPVERSION => 40512 ,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
@ -663,6 +663,7 @@ sub initialize( $;$$) {
|
|||||||
LOGALLNEW => undef,
|
LOGALLNEW => undef,
|
||||||
BLACKLIST_LOGLEVEL => undef,
|
BLACKLIST_LOGLEVEL => undef,
|
||||||
RELATED_LOG_LEVEL => undef,
|
RELATED_LOG_LEVEL => undef,
|
||||||
|
INVALID_LOG_LEVEL => undef,
|
||||||
RFC1918_LOG_LEVEL => undef,
|
RFC1918_LOG_LEVEL => undef,
|
||||||
MACLIST_LOG_LEVEL => undef,
|
MACLIST_LOG_LEVEL => undef,
|
||||||
TCP_FLAGS_LOG_LEVEL => undef,
|
TCP_FLAGS_LOG_LEVEL => undef,
|
||||||
@ -782,6 +783,7 @@ sub initialize( $;$$) {
|
|||||||
SFILTER_DISPOSITION => undef,
|
SFILTER_DISPOSITION => undef,
|
||||||
RPFILTER_DISPOSITION => undef,
|
RPFILTER_DISPOSITION => undef,
|
||||||
RELATED_DISPOSITION => undef,
|
RELATED_DISPOSITION => undef,
|
||||||
|
INVALID_DISPOSITION => undef,
|
||||||
#
|
#
|
||||||
# Mark Geometry
|
# Mark Geometry
|
||||||
#
|
#
|
||||||
@ -5224,6 +5226,7 @@ sub get_configuration( $$$$ ) {
|
|||||||
default_log_level 'TCP_FLAGS_LOG_LEVEL', '';
|
default_log_level 'TCP_FLAGS_LOG_LEVEL', '';
|
||||||
default_log_level 'RFC1918_LOG_LEVEL', '';
|
default_log_level 'RFC1918_LOG_LEVEL', '';
|
||||||
default_log_level 'RELATED_LOG_LEVEL', '';
|
default_log_level 'RELATED_LOG_LEVEL', '';
|
||||||
|
default_log_level 'INVALID_LOG_LEVEL', '';
|
||||||
|
|
||||||
warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
|
warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
|
||||||
|
|
||||||
@ -5278,12 +5281,31 @@ sub get_configuration( $$$$ ) {
|
|||||||
fatal_error "Invalid value ($config{RELATED_DISPOSITION}) for RELATED_DISPOSITION"
|
fatal_error "Invalid value ($config{RELATED_DISPOSITION}) for RELATED_DISPOSITION"
|
||||||
}
|
}
|
||||||
|
|
||||||
require_capability 'AUDIT_TARGET' , "MACLIST_DISPOSITION=$val", 's' if $val =~ /^A_/;
|
require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/;
|
||||||
} else {
|
} else {
|
||||||
$config{RELATED_DISPOSITION} =
|
$config{RELATED_DISPOSITION} =
|
||||||
$globals{RELATED_TARGET} = 'ACCEPT';
|
$globals{RELATED_TARGET} = 'ACCEPT';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( $val = $config{INVALID_DISPOSITION} ) {
|
||||||
|
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
|
||||||
|
$globals{INVALID_TARGET} = $val;
|
||||||
|
} elsif ( $val eq 'REJECT' ) {
|
||||||
|
$globals{INVALID_TARGET} = 'reject';
|
||||||
|
} elsif ( $val eq 'A_REJECT' ) {
|
||||||
|
$globals{INVALID_TARGET} = $val;
|
||||||
|
} elsif ( $val eq 'CONTINUE' ) {
|
||||||
|
$globals{INVALID_TARGET} = '';
|
||||||
|
} else {
|
||||||
|
fatal_error "Invalid value ($config{INVALID_DISPOSITION}) for INVALID_DISPOSITION"
|
||||||
|
}
|
||||||
|
|
||||||
|
require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/;
|
||||||
|
} else {
|
||||||
|
$config{INVALID_DISPOSITION} = 'CONTINUE';
|
||||||
|
$globals{INVALID_TARGET} = '';
|
||||||
|
}
|
||||||
|
|
||||||
if ( $val = $config{MACLIST_TABLE} ) {
|
if ( $val = $config{MACLIST_TABLE} ) {
|
||||||
if ( $val eq 'mangle' ) {
|
if ( $val eq 'mangle' ) {
|
||||||
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
|
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
|
||||||
|
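Review bot: The capability check inside the new INVALID_DISPOSITION block names the wrong setting: `require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/;` runs under `if ( $val = $config{INVALID_DISPOSITION} )`, so an A_* INVALID_DISPOSITION on a system without AUDIT_TARGET fails with a message blaming RELATED_DISPOSITION. The same hunk fixes the older MACLIST/RELATED copy of this line, so the new one presumably should read `require_capability 'AUDIT_TARGET' , "INVALID_DISPOSITION=$val", 's' if $val =~ /^A_/;`. get_configuration starts and ends outside the hunk.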
@ -67,14 +67,16 @@ use constant { NULL_SECTION => 0,
|
|||||||
ALL_SECTION => 2,
|
ALL_SECTION => 2,
|
||||||
ESTABLISHED_SECTION => 4,
|
ESTABLISHED_SECTION => 4,
|
||||||
RELATED_SECTION => 8,
|
RELATED_SECTION => 8,
|
||||||
NEW_SECTION => 16,
|
INVALID_SECTION => 16,
|
||||||
DEFAULTACTION_SECTION => 32 };
|
NEW_SECTION => 32,
|
||||||
|
DEFAULTACTION_SECTION => 64 };
|
||||||
#
|
#
|
||||||
# These are the sections that may appear in a section header
|
# These are the sections that may appear in a section header
|
||||||
#
|
#
|
||||||
our %section_map = ( ALL => ALL_SECTION,
|
our %section_map = ( ALL => ALL_SECTION,
|
||||||
ESTABLISHED => ESTABLISHED_SECTION,
|
ESTABLISHED => ESTABLISHED_SECTION,
|
||||||
RELATED => RELATED_SECTION,
|
RELATED => RELATED_SECTION,
|
||||||
|
INVALID => INVALID_SECTION,
|
||||||
NEW => NEW_SECTION );
|
NEW => NEW_SECTION );
|
||||||
|
|
||||||
our @policy_chains;
|
our @policy_chains;
|
||||||
@ -170,6 +172,7 @@ sub initialize( $ ) {
|
|||||||
%sections = ( ALL => 0,
|
%sections = ( ALL => 0,
|
||||||
ESTABLISHED => 0,
|
ESTABLISHED => 0,
|
||||||
RELATED => 0,
|
RELATED => 0,
|
||||||
|
INVALID => 0,
|
||||||
NEW => 0
|
NEW => 0
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
@ -212,6 +215,15 @@ sub initialize( $ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Create a rules chain
|
||||||
|
#
|
||||||
|
sub new_rules_chain( $ ) {
|
||||||
|
my $chainref = new_chain( 'filter', $_[0] );
|
||||||
|
$chainref->{sections} = {};
|
||||||
|
$chainref;
|
||||||
|
}
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Functions moved from the former Policy Module
|
# Functions moved from the former Policy Module
|
||||||
###############################################################################
|
###############################################################################
|
||||||
@ -250,7 +262,7 @@ sub new_policy_chain($$$$$)
|
|||||||
{
|
{
|
||||||
my ($source, $dest, $policy, $provisional, $audit) = @_;
|
my ($source, $dest, $policy, $provisional, $audit) = @_;
|
||||||
|
|
||||||
my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
|
my $chainref = new_rules_chain( rules_chain( ${source}, ${dest} ) );
|
||||||
|
|
||||||
convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional, $audit );
|
convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional, $audit );
|
||||||
|
|
||||||
@ -266,7 +278,7 @@ sub set_policy_chain($$$$$)
|
|||||||
|
|
||||||
my $chainref1 = $filter_table->{$chain1};
|
my $chainref1 = $filter_table->{$chain1};
|
||||||
|
|
||||||
$chainref1 = new_chain 'filter', $chain1 unless $chainref1;
|
$chainref1 = new_rules_chain $chain1 unless $chainref1;
|
||||||
|
|
||||||
unless ( $chainref1->{policychain} ) {
|
unless ( $chainref1->{policychain} ) {
|
||||||
if ( $config{EXPAND_POLICIES} ) {
|
if ( $config{EXPAND_POLICIES} ) {
|
||||||
@ -837,10 +849,12 @@ sub ensure_rules_chain( $ )
|
|||||||
|
|
||||||
my $chainref = $filter_table->{$chain};
|
my $chainref = $filter_table->{$chain};
|
||||||
|
|
||||||
$chainref = new_chain( 'filter', $chain ) unless $chainref;
|
$chainref = new_rules_chain( $chain ) unless $chainref;
|
||||||
|
|
||||||
unless ( $chainref->{referenced} ) {
|
unless ( $chainref->{referenced} ) {
|
||||||
if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
|
if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
|
||||||
|
finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID';
|
||||||
|
} elsif ( $section == INVALID_SECTION ) {
|
||||||
finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED';
|
finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED';
|
||||||
} elsif ( $section == RELATED_SECTION ) {
|
} elsif ( $section == RELATED_SECTION ) {
|
||||||
finish_chain_section $chainref , $chainref, 'ESTABLISHED';
|
finish_chain_section $chainref , $chainref, 'ESTABLISHED';
|
||||||
@ -853,7 +867,7 @@ sub ensure_rules_chain( $ )
|
|||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
|
# Add ESTABLISHED,RELATED,INVALID rules and synparam jumps to the passed chain
|
||||||
#
|
#
|
||||||
sub finish_chain_section ($$$) {
|
sub finish_chain_section ($$$) {
|
||||||
my ($chainref,
|
my ($chainref,
|
||||||
@ -862,8 +876,20 @@ sub finish_chain_section ($$$) {
|
|||||||
my $chain = $chainref->{name};
|
my $chain = $chainref->{name};
|
||||||
my $related_level = $config{RELATED_LOG_LEVEL};
|
my $related_level = $config{RELATED_LOG_LEVEL};
|
||||||
my $related_target = $globals{RELATED_TARGET};
|
my $related_target = $globals{RELATED_TARGET};
|
||||||
|
my $invalid_level = $config{INVALID_LOG_LEVEL};
|
||||||
|
my $invalid_target = $globals{INVALID_TARGET};
|
||||||
my $save_comment = push_comment;
|
my $save_comment = push_comment;
|
||||||
my $relatedchain = $chainref->{name} =~ /^\+/;
|
my $relatedchain = $chainref->{name} =~ /^\+/;
|
||||||
|
my $invalidchain = $chainref->{name} =~ /^_/;
|
||||||
|
my %state;
|
||||||
|
|
||||||
|
$state{$_} = 1 for split ',', $state;
|
||||||
|
|
||||||
|
for ( qw/ESTABLISHED RELATED INVALID/ ) {
|
||||||
|
delete $state{$_} if $chain1ref->{sections}{$_};
|
||||||
|
}
|
||||||
|
|
||||||
|
$chain1ref->{sections}{$_} = 1 for keys %state;
|
||||||
|
|
||||||
if ( $state =~ /RELATED/ && ( $relatedchain || $related_level || $related_target ne 'ACCEPT' ) ) {
|
if ( $state =~ /RELATED/ && ( $relatedchain || $related_level || $related_target ne 'ACCEPT' ) ) {
|
||||||
|
|
||||||
@ -879,7 +905,7 @@ sub finish_chain_section ($$$) {
|
|||||||
log_rule( $related_level,
|
log_rule( $related_level,
|
||||||
$relatedref,
|
$relatedref,
|
||||||
$config{RELATED_DISPOSITION},
|
$config{RELATED_DISPOSITION},
|
||||||
'' ) if $related_level;
|
'' );
|
||||||
|
|
||||||
$related_target = ensure_audit_chain( $related_target ) if ( $targets{$related_target} || 0 ) & AUDIT;
|
$related_target = ensure_audit_chain( $related_target ) if ( $targets{$related_target} || 0 ) & AUDIT;
|
||||||
|
|
||||||
@ -890,15 +916,53 @@ sub finish_chain_section ($$$) {
|
|||||||
|
|
||||||
if ( $relatedchain ) {
|
if ( $relatedchain ) {
|
||||||
add_ijump $chainref, g => $related_target;
|
add_ijump $chainref, g => $related_target;
|
||||||
$state = '';
|
%state = ();
|
||||||
} else {
|
} else {
|
||||||
add_ijump $chainref, g => $related_target, state_imatch 'RELATED';
|
add_ijump $chainref, g => $related_target, state_imatch 'RELATED';
|
||||||
$state =~ s/,?RELATED//;
|
delete $state{RELATED};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $state ) {
|
if ( $state =~ /INVALID/ && ( $invalidchain || $invalid_level || $invalid_target ne 'ACCEPT' ) ) {
|
||||||
add_ijump $chain1ref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
|
|
||||||
|
if ( $invalid_level ) {
|
||||||
|
my $invalidref;
|
||||||
|
|
||||||
|
if ( $invalidchain ) {
|
||||||
|
$invalidref = $chainref;
|
||||||
|
} else {
|
||||||
|
$invalidref = new_chain( 'filter', "_$chainref->{name}" );
|
||||||
|
}
|
||||||
|
|
||||||
|
log_rule( $invalid_level,
|
||||||
|
$invalidref,
|
||||||
|
$config{INVALID_DISPOSITION},
|
||||||
|
'' );
|
||||||
|
|
||||||
|
$invalid_target = ensure_audit_chain( $invalid_target ) if ( $targets{$invalid_target} || 0 ) & AUDIT;
|
||||||
|
|
||||||
|
add_ijump( $invalidref, g => $invalid_target ) if $invalid_target;
|
||||||
|
|
||||||
|
$invalid_target = $invalidref->{name} unless $invalidchain;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $invalidchain ) {
|
||||||
|
add_ijump $chainref, g => $invalid_target;
|
||||||
|
%state = ();
|
||||||
|
} else {
|
||||||
|
add_ijump $chainref, g => $invalid_target, state_imatch 'INVALID' if $invalid_target;
|
||||||
|
delete $state{INVALID};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( keys %state && ! $config{FASTACCEPT} ) {
|
||||||
|
my @state;
|
||||||
|
|
||||||
|
for ( qw/ESTABLISHED RELATED/ ) {
|
||||||
|
push @state, $_ if $state{$_};
|
||||||
|
}
|
||||||
|
|
||||||
|
add_ijump $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) if @state;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($sections{NEW} ) {
|
if ($sections{NEW} ) {
|
||||||
@ -939,6 +1003,8 @@ sub finish_section ( $ ) {
|
|||||||
|
|
||||||
if ( $section == RELATED_SECTION ) {
|
if ( $section == RELATED_SECTION ) {
|
||||||
$function = \&related_chain;
|
$function = \&related_chain;
|
||||||
|
} elsif ( $section == INVALID_SECTION ) {
|
||||||
|
$function = \&invalid_chain;
|
||||||
} else {
|
} else {
|
||||||
$function = \&rules_chain;
|
$function = \&rules_chain;
|
||||||
}
|
}
|
||||||
@ -2258,14 +2324,16 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
$chainref = ensure_rules_chain $chain;
|
$chainref = ensure_rules_chain $chain;
|
||||||
#
|
#
|
||||||
# Handle rules in the BLACKLIST and RELATED sections
|
# Handle rules in the BLACKLIST, RELATED and INVALID sections
|
||||||
#
|
#
|
||||||
if ( $section & ( BLACKLIST_SECTION | RELATED_SECTION ) ) {
|
if ( $section & ( BLACKLIST_SECTION | RELATED_SECTION | INVALID_SECTION ) ) {
|
||||||
my $auxchain;
|
my $auxchain;
|
||||||
my $auxref;
|
my $auxref;
|
||||||
|
|
||||||
if ( $blacklist ) {
|
if ( $blacklist ) {
|
||||||
$auxchain = blacklist_chain( ${sourcezone}, ${destzone} );
|
$auxchain = blacklist_chain( ${sourcezone}, ${destzone} );
|
||||||
|
} elsif ( $section == INVALID_SECTION ) {
|
||||||
|
$auxchain = invalid_chain( ${sourcezone}, ${destzone} );
|
||||||
} else {
|
} else {
|
||||||
$auxchain = related_chain( ${sourcezone}, ${destzone} );
|
$auxchain = related_chain( ${sourcezone}, ${destzone} );
|
||||||
}
|
}
|
||||||
@ -2280,6 +2348,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
if ( $blacklist ) {
|
if ( $blacklist ) {
|
||||||
@state = state_imatch( 'NEW,INVALID' ) if $config{BLACKLISTNEWONLY};
|
@state = state_imatch( 'NEW,INVALID' ) if $config{BLACKLISTNEWONLY};
|
||||||
$auxref->{blacklistsection} = 1;
|
$auxref->{blacklistsection} = 1;
|
||||||
|
} elsif ( $section == INVALID_SECTION ) {
|
||||||
|
@state = state_imatch( 'INVALID' );
|
||||||
} else {
|
} else {
|
||||||
@state = state_imatch 'RELATED';
|
@state = state_imatch 'RELATED';
|
||||||
};
|
};
|
||||||
@ -2369,7 +2439,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
do_headers( $headers ) ,
|
do_headers( $headers ) ,
|
||||||
do_condition( $condition , $chain ) ,
|
do_condition( $condition , $chain ) ,
|
||||||
);
|
);
|
||||||
} elsif ( $section == RELATED_SECTION ) {
|
} elsif ( $section & ( INVALID_SECTION | RELATED_SECTION ) ) {
|
||||||
$rule = join( '',
|
$rule = join( '',
|
||||||
do_proto($proto, $ports, $sports),
|
do_proto($proto, $ports, $sports),
|
||||||
do_ratelimit( $ratelimit, $basictarget ) ,
|
do_ratelimit( $ratelimit, $basictarget ) ,
|
||||||
@ -2400,8 +2470,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
$basictarget eq 'dropInvalid' ) {
|
$basictarget eq 'dropInvalid' ) {
|
||||||
if ( $config{FASTACCEPT} ) {
|
if ( $config{FASTACCEPT} ) {
|
||||||
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
|
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
|
||||||
$section == RELATED_SECTION && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} )
|
( $section & ( RELATED_SECTION | INVALID_SECTION ) ) && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} )
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
|
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
|
||||||
$rule .= "$globals{STATEMATCH} ESTABLISHED " if $section == ESTABLISHED_SECTION;
|
$rule .= "$globals{STATEMATCH} ESTABLISHED " if $section == ESTABLISHED_SECTION;
|
||||||
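Review bot: The FASTACCEPT exemption now covers INVALID_SECTION but still reads the RELATED settings: `( $section & ( RELATED_SECTION | INVALID_SECTION ) ) && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} )` admits INVALID-section entries under FASTACCEPT=Yes only when RELATED_DISPOSITION or RELATED_LOG_LEVEL is non-default, and never consults INVALID_DISPOSITION or INVALID_LOG_LEVEL. Presumably each section should test its own pair, e.g. `( $section == RELATED_SECTION && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) ) ||` followed by `( $section == INVALID_SECTION && ( $config{INVALID_DISPOSITION} ne 'ACCEPT' || $config{INVALID_LOG_LEVEL} ) )`. Separately, in the finish_chain_section hunk above, `add_ijump $chainref, g => $invalid_target;` in the `$invalidchain` branch lacks the `if $invalid_target` guard its else branch has, so with the default INVALID_DISPOSITION=CONTINUE (empty INVALID_TARGET) it may emit a jump with no target; how add_ijump treats an empty target is not visible here and is worth confirming. process_rule1 starts and ends outside the hunk.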
@ -2535,7 +2605,6 @@ sub process_section ($) {
|
|||||||
#
|
#
|
||||||
fatal_error "Invalid SECTION ($sect)" unless defined $sections{$sect};
|
fatal_error "Invalid SECTION ($sect)" unless defined $sections{$sect};
|
||||||
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
|
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
|
||||||
$sections{$sect} = 1;
|
|
||||||
|
|
||||||
if ( $sect eq 'BLACKLIST' ) {
|
if ( $sect eq 'BLACKLIST' ) {
|
||||||
fatal_error "The BLACKLIST section has been eliminated. Please move your BLACKLIST rules to the 'blrules' file";
|
fatal_error "The BLACKLIST section has been eliminated. Please move your BLACKLIST rules to the 'blrules' file";
|
||||||
@ -2544,9 +2613,14 @@ sub process_section ($) {
|
|||||||
} elsif ( $sect eq 'RELATED' ) {
|
} elsif ( $sect eq 'RELATED' ) {
|
||||||
@sections{'ALL','ESTABLISHED'} = ( 1, 1);
|
@sections{'ALL','ESTABLISHED'} = ( 1, 1);
|
||||||
finish_section 'ESTABLISHED';
|
finish_section 'ESTABLISHED';
|
||||||
} elsif ( $sect eq 'NEW' ) {
|
} elsif ( $sect eq 'INVALID' ) {
|
||||||
@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
|
@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
|
||||||
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
|
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
|
||||||
|
} elsif ( $sect eq 'NEW' ) {
|
||||||
|
@sections{'ALL','ESTABLISHED','RELATED','INVALID','NEW'} = ( 1, 1, 1, 1, 1 );
|
||||||
|
finish_section ( ( $section == RELATED_SECTION ) ? 'RELATED,INVALID' :
|
||||||
|
( $section == INVALID_SECTION ) ? 'INVALID' :
|
||||||
|
'ESTABLISHED,RELATED,INVALID' );
|
||||||
}
|
}
|
||||||
|
|
||||||
$section = $section_map{$sect};
|
$section = $section_map{$sect};
|
||||||
@ -2822,7 +2896,9 @@ sub process_rules( $ ) {
|
|||||||
|
|
||||||
process_rule while read_a_line( NORMAL_READ );
|
process_rule while read_a_line( NORMAL_READ );
|
||||||
}
|
}
|
||||||
|
#
|
||||||
|
# No need to finish the NEW section since no rules need to be generated
|
||||||
|
#
|
||||||
$section = DEFAULTACTION_SECTION;
|
$section = DEFAULTACTION_SECTION;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -23,6 +23,8 @@ VERBOSITY=1
|
|||||||
|
|
||||||
BLACKLIST_LOGLEVEL=
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
INVALID_LOG_LEVEL=
|
||||||
|
|
||||||
LOG_MARTIANS=Yes
|
LOG_MARTIANS=Yes
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
LOG_VERBOSITY=2
|
||||||
@ -224,6 +226,8 @@ ZONE2ZONE=2
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
|
INVALID_DISPOSITION=CONTINUE
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
RELATED_DISPOSITION=ACCEPT
|
||||||
|
@ -34,6 +34,8 @@ VERBOSITY=1
|
|||||||
|
|
||||||
BLACKLIST_LOGLEVEL=
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
INVALID_LOG_LEVEL=
|
||||||
|
|
||||||
LOG_MARTIANS=Yes
|
LOG_MARTIANS=Yes
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
LOG_VERBOSITY=2
|
||||||
@ -235,6 +237,8 @@ ZONE2ZONE=2
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
|
INVALID_DISPOSITION=CONTINUE
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
RELATED_DISPOSITION=ACCEPT
|
||||||
|
@ -32,6 +32,8 @@ VERBOSITY=1
|
|||||||
|
|
||||||
BLACKLIST_LOGLEVEL=
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
INVALID_LOG_LEVEL=
|
||||||
|
|
||||||
LOG_MARTIANS=Yes
|
LOG_MARTIANS=Yes
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
LOG_VERBOSITY=2
|
||||||
@ -233,6 +235,8 @@ ZONE2ZONE=2
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
|
INVALID_DISPOSITION=CONTINUE
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
RELATED_DISPOSITION=ACCEPT
|
||||||
|
@ -35,6 +35,8 @@ VERBOSITY=1
|
|||||||
|
|
||||||
BLACKLIST_LOGLEVEL=
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
INVALID_LOG_LEVEL=
|
||||||
|
|
||||||
LOG_MARTIANS=Yes
|
LOG_MARTIANS=Yes
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
LOG_VERBOSITY=2
|
||||||
@ -236,6 +238,8 @@ ZONE2ZONE=2
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
|
INVALID_DISPOSITION=CONTINUE
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
RELATED_DISPOSITION=ACCEPT
|
||||||
|
@ -23,6 +23,8 @@ VERBOSITY=1
|
|||||||
|
|
||||||
BLACKLIST_LOGLEVEL=
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
INVALID_LOG_LEVEL=
|
||||||
|
|
||||||
LOG_MARTIANS=Yes
|
LOG_MARTIANS=Yes
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
LOG_VERBOSITY=2
|
||||||
@ -224,6 +226,8 @@ ZONE2ZONE=2
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
|
INVALID_DISPOSITION=CONTINUE
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
RELATED_DISPOSITION=ACCEPT
|
||||||
|
@ -81,8 +81,25 @@
|
|||||||
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
||||||
REJECT, LOG and QUEUE</para>
|
REJECT, LOG and QUEUE</para>
|
||||||
|
|
||||||
<para>There is an implicit ACCEPT rule inserted at the end of this
|
<para>There is an implicit rule added at the end of this section
|
||||||
section.</para>
|
that invokes the RELATED_DISPOSITION (<ulink
|
||||||
|
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">INVALID</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.13. Packets in the INVALID state are
|
||||||
|
processed by rules in this section.</para>
|
||||||
|
|
||||||
|
<para>The only Actions allowed in this section are ACCEPT, DROP,
|
||||||
|
REJECT, LOG and QUEUE.</para>
|
||||||
|
|
||||||
|
<para>There is an implicit rule added at the end of this section
|
||||||
|
that invokes the INVALID_DISPOSITION (<ulink
|
||||||
|
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -24,6 +24,8 @@ VERBOSITY=1
|
|||||||
|
|
||||||
BLACKLIST_LOGLEVEL=
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
INVALID_LOG_LEVEL=
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
LOG_VERBOSITY=2
|
||||||
|
|
||||||
LOGALLNEW=
|
LOGALLNEW=
|
||||||
@ -197,6 +199,8 @@ ZONE2ZONE=2
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
|
INVALID_DISPOSITION=CONTINUE
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
RELATED_DISPOSITION=ACCEPT
|
||||||
|
@ -24,6 +24,8 @@ VERBOSITY=1
|
|||||||
|
|
||||||
BLACKLIST_LOGLEVEL=
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
INVALID_LOG_LEVEL=
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
LOG_VERBOSITY=2
|
||||||
|
|
||||||
LOGALLNEW=
|
LOGALLNEW=
|
||||||
@ -197,6 +199,8 @@ ZONE2ZONE=2
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
|
INVALID_DISPOSITION=CONTINUE
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
RELATED_DISPOSITION=ACCEPT
|
||||||
|
@ -24,6 +24,8 @@ VERBOSITY=1
|
|||||||
|
|
||||||
BLACKLIST_LOGLEVEL=
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
INVALID_LOG_LEVEL=
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
LOG_VERBOSITY=2
|
||||||
|
|
||||||
LOGALLNEW=
|
LOGALLNEW=
|
||||||
@ -197,6 +199,8 @@ ZONE2ZONE=2
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
|
INVALID_DISPOSITION=CONTINUE
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
RELATED_DISPOSITION=ACCEPT
|
||||||
|
@ -24,6 +24,8 @@ VERBOSITY=1
|
|||||||
|
|
||||||
BLACKLIST_LOGLEVEL=
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
INVALID_LOG_LEVEL=
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
LOG_VERBOSITY=2
|
||||||
|
|
||||||
LOGALLNEW=
|
LOGALLNEW=
|
||||||
@ -197,6 +199,8 @@ ZONE2ZONE=2
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
|
INVALID_DISPOSITION=CONTINUE
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
RELATED_DISPOSITION=ACCEPT
|
||||||
|
@ -24,6 +24,8 @@ VERBOSITY=1
|
|||||||
|
|
||||||
BLACKLIST_LOGLEVEL=
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
INVALID_LOG_LEVEL=
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
LOG_VERBOSITY=2
|
||||||
|
|
||||||
LOGALLNEW=
|
LOGALLNEW=
|
||||||
@ -197,6 +199,8 @@ ZONE2ZONE=2
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
|
INVALID_DISPOSITION=CONTINUE
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
RELATED_DISPOSITION=ACCEPT
|
||||||
|
@ -74,8 +74,25 @@
|
|||||||
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
||||||
REJECT, LOG and QUEUE</para>
|
REJECT, LOG and QUEUE</para>
|
||||||
|
|
||||||
<para>There is an implicit ACCEPT rule inserted at the end of this
|
<para>There is an implicit rule added at the end of this section
|
||||||
section.</para>
|
that invokes the RELATED_DISPOSITION (<ulink
|
||||||
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">INVALID</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.13. Packets in the INVALID state are
|
||||||
|
processed by rules in this section.</para>
|
||||||
|
|
||||||
|
<para>The only Actions allowed in this section are ACCEPT, DROP,
|
||||||
|
REJECT, LOG and QUEUE.</para>
|
||||||
|
|
||||||
|
<para>There is an implicit rule added at the end of this section
|
||||||
|
that invokes the INVALID_DISPOSITION (<ulink
|
||||||
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|