mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-09 15:18:12 +01:00
Unify actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
02bb717d7d
commit
c5c4211081
9
Shorewall/Actions/action.A_AllowICMPs
Normal file
9
Shorewall/Actions/action.A_AllowICMPs
Normal file
@ -0,0 +1,9 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
|
||||
#
|
||||
# This action A_ACCEPTs needed ICMP types
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT
|
||||
|
||||
AllowICMPs(A_ACCEPT)
|
||||
@ -7,5 +7,39 @@
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||
|
||||
DEFAULTS ACCEPT
|
||||
|
||||
?if __IPV4
|
||||
@1 - - icmp fragmentation-needed {comment="Needed ICMP types"}
|
||||
@1 - - icmp time-exceeded {comment="Needed ICMP types"}
|
||||
?else
|
||||
?COMMENT Needed ICMP types (RFC4890)
|
||||
|
||||
@1 - - ipv6-icmp destination-unreachable
|
||||
@1 - - ipv6-icmp packet-too-big
|
||||
@1 - - ipv6-icmp time-exceeded
|
||||
@1 - - ipv6-icmp parameter-problem
|
||||
|
||||
# The following should have a ttl of 255 and must be allowed to transit a bridge
|
||||
@1 - - ipv6-icmp router-solicitation
|
||||
@1 - - ipv6-icmp router-advertisement
|
||||
@1 - - ipv6-icmp neighbour-solicitation
|
||||
@1 - - ipv6-icmp neighbour-advertisement
|
||||
@1 - - ipv6-icmp 137 # Redirect
|
||||
@1 - - ipv6-icmp 141 # Inverse neighbour discovery solicitation
|
||||
@1 - - ipv6-icmp 142 # Inverse neighbour discovery advertisement
|
||||
|
||||
# The following should have a link local source address and must be allowed to transit a bridge
|
||||
@1 fe80::/10 - ipv6-icmp 130 # Listener query
|
||||
@1 fe80::/10 - ipv6-icmp 131 # Listener report
|
||||
@1 fe80::/10 - ipv6-icmp 132 # Listener done
|
||||
@1 fe80::/10 - ipv6-icmp 143 # Listener report v2
|
||||
|
||||
# The following should be received with a ttl of 255 and must be allowed to transit a bridge
|
||||
@1 - - ipv6-icmp 148 # Certificate path solicitation
|
||||
@1 - - ipv6-icmp 149 # Certificate path advertisement
|
||||
|
||||
# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
|
||||
@1 fe80::/10 - ipv6-icmp 151 # Multicast router advertisement
|
||||
@1 fe80::/10 - ipv6-icmp 152 # Multicast router solicitation
|
||||
@1 fe80::/10 - ipv6-icmp 153 # Multicast router termination
|
||||
?endif
|
||||
|
||||
@ -20,7 +20,7 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Broadcast[([<action>|-[,{audit|-}])]
|
||||
# Broadcast[([<action>|[,{audit|-}])]
|
||||
#
|
||||
# Default action is DROP
|
||||
#
|
||||
@ -31,7 +31,7 @@ DEFAULTS DROP,-
|
||||
?if __ADDRTYPE
|
||||
@1 - - - ;; -m addrtype --dst-type BROADCAST
|
||||
@1 - - - ;; -m addrtype --dst-type ANYCAST
|
||||
?else
|
||||
?elseif __IPV4
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
@ -41,11 +41,17 @@ use Shorewall::Chains;
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
my $chainref = get_action_chain;
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
my $target = require_audit ( $action , $audit );
|
||||
|
||||
if ( $family == F_IPv4 ) {
|
||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
||||
} else {
|
||||
add_commands $chainref, 'for address in $ALL_ACASTS; do';
|
||||
}
|
||||
|
||||
incr_cmd_level $chainref;
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||
add_jump $chainref, $action, 0, "-d \$address ";
|
||||
add_jump $chainref, $target, 0, "-d \$address ";
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
|
||||
|
||||
@ -41,8 +41,17 @@ my ( $action ) = get_action_params( 1 );
|
||||
my $chainref = get_action_chain;
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
|
||||
fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit';
|
||||
|
||||
my $target = require_audit ( $action , $audit );
|
||||
|
||||
if ( $family == F_IPv4 ) {
|
||||
log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
|
||||
} else {
|
||||
log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) ) if $level ne '';
|
||||
add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
|
||||
@ -8,6 +8,7 @@
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION
|
||||
A_AllowICMPs inline # Audited version of AllowICMPs
|
||||
A_Drop # Audited Default Action for DROP policy
|
||||
A_REJECT noinline,logjump # Audits then rejects a connection request
|
||||
A_REJECT! inline # Audits then rejects a connection request
|
||||
|
||||
@ -1,38 +0,0 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall6/action.A_AllowICMPs
|
||||
#
|
||||
# This action A_ACCEPTs needed ICMP types
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT
|
||||
|
||||
?comment Needed ICMP types (RFC4890)
|
||||
|
||||
A_ACCEPT - - ipv6-icmp destination-unreachable
|
||||
A_ACCEPT - - ipv6-icmp packet-too-big
|
||||
A_ACCEPT - - ipv6-icmp time-exceeded
|
||||
A_ACCEPT - - ipv6-icmp parameter-problem
|
||||
|
||||
# The following should have a ttl of 255 and must be allowed to transit a bridge
|
||||
A_ACCEPT - - ipv6-icmp router-solicitation
|
||||
A_ACCEPT - - ipv6-icmp router-advertisement
|
||||
A_ACCEPT - - ipv6-icmp neighbour-solicitation
|
||||
A_ACCEPT - - ipv6-icmp neighbour-advertisement
|
||||
A_ACCEPT - - ipv6-icmp 137 # Redirect
|
||||
A_ACCEPT - - ipv6-icmp 141 # Inverse neighbour discovery solicitation
|
||||
A_ACCEPT - - ipv6-icmp 142 # Inverse neighbour discovery advertisement
|
||||
|
||||
# The following should have a link local source address and must be allowed to transit a bridge
|
||||
A_ACCEPT fe80::/10 - ipv6-icmp 130 # Listener query
|
||||
A_ACCEPT fe80::/10 - ipv6-icmp 131 # Listener report
|
||||
A_ACCEPT fe80::/10 - ipv6-icmp 132 # Listener done
|
||||
A_ACCEPT fe80::/10 - ipv6-icmp 143 # Listener report v2
|
||||
|
||||
# The following should be received with a ttl of 255 and must be allowed to transit a bridge
|
||||
A_ACCEPT - - ipv6-icmp 148 # Certificate path solicitation
|
||||
A_ACCEPT - - ipv6-icmp 149 # Certificate path advertisement
|
||||
|
||||
# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
|
||||
A_ACCEPT fe80::/10 - ipv6-icmp 151 # Multicast router advertisement
|
||||
A_ACCEPT fe80::/10 - ipv6-icmp 152 # Multicast router solicitation
|
||||
A_ACCEPT fe80::/10 - ipv6-icmp 153 # Multicast router termination
|
||||
@ -1,40 +0,0 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall6/action.AllowICMPs
|
||||
#
|
||||
# This action ACCEPTs needed ICMP types
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT
|
||||
|
||||
DEFAULTS ACCEPT
|
||||
|
||||
?COMMENT Needed ICMP types (RFC4890)
|
||||
|
||||
$1 - - ipv6-icmp destination-unreachable
|
||||
$1 - - ipv6-icmp packet-too-big
|
||||
$1 - - ipv6-icmp time-exceeded
|
||||
$1 - - ipv6-icmp parameter-problem
|
||||
|
||||
# The following should have a ttl of 255 and must be allowed to transit a bridge
|
||||
$1 - - ipv6-icmp router-solicitation
|
||||
$1 - - ipv6-icmp router-advertisement
|
||||
$1 - - ipv6-icmp neighbour-solicitation
|
||||
$1 - - ipv6-icmp neighbour-advertisement
|
||||
$1 - - ipv6-icmp 137 # Redirect
|
||||
$1 - - ipv6-icmp 141 # Inverse neighbour discovery solicitation
|
||||
$1 - - ipv6-icmp 142 # Inverse neighbour discovery advertisement
|
||||
|
||||
# The following should have a link local source address and must be allowed to transit a bridge
|
||||
$1 fe80::/10 - ipv6-icmp 130 # Listener query
|
||||
$1 fe80::/10 - ipv6-icmp 131 # Listener report
|
||||
$1 fe80::/10 - ipv6-icmp 132 # Listener done
|
||||
$1 fe80::/10 - ipv6-icmp 143 # Listener report v2
|
||||
|
||||
# The following should be received with a ttl of 255 and must be allowed to transit a bridge
|
||||
$1 - - ipv6-icmp 148 # Certificate path solicitation
|
||||
$1 - - ipv6-icmp 149 # Certificate path advertisement
|
||||
|
||||
# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
|
||||
$1 fe80::/10 - ipv6-icmp 151 # Multicast router advertisement
|
||||
$1 fe80::/10 - ipv6-icmp 152 # Multicast router solicitation
|
||||
$1 fe80::/10 - ipv6-icmp 153 # Multicast router termination
|
||||
@ -1,65 +0,0 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall6/action.Broadcast
|
||||
#
|
||||
# Multicast/Anycast IPv6 Action
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Broadcast[([<action>|-[,{audit|-}])]
|
||||
#
|
||||
# Default action is DROP
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
|
||||
my $chainref = get_action_chain;
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
my $target = require_audit ( $action , $audit );
|
||||
|
||||
fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit';
|
||||
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
if ( $level ne '' ) {
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
|
||||
}
|
||||
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
|
||||
} else {
|
||||
add_commands $chainref, 'for address in $ALL_ACASTS; do';
|
||||
incr_cmd_level $chainref;
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||
add_jump $chainref, $target, 0, "-d \$address ";
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
@ -1,59 +0,0 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall6/action.Multicast
|
||||
#
|
||||
# Multicast/Anycast IPv6 Action
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Multicast[([<action>|-[,{audit|-}])]
|
||||
#
|
||||
# Default action is DROP
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
|
||||
my $chainref = get_action_chain;
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
my $target = require_audit ( $action , $audit );
|
||||
|
||||
fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit';
|
||||
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
if ( $level ne '' ) {
|
||||
log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
|
||||
}
|
||||
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
|
||||
} else {
|
||||
log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) ) if $level ne '';
|
||||
add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
Loading…
Reference in New Issue
Block a user