Re-implement exclusion in CONTINUE/NONAT/ACCEPT+ rules

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-30 11:33:28 +01:00 · 2010-08-27 10:09:42 -07:00 · 2010-08-27 10:09:42 -07:00 · c98cf8aea6
commit c98cf8aea6
parent 57bcfee559
5 changed files with 87 additions and 45 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -3483,59 +3483,76 @@ sub expand_rule( $$$$$$$$$$;$ )
    fatal_error "SOURCE interface may not be specified with a source IP address in the POSTROUTING chain"   if $restriction == POSTROUTE_RESTRICT && $iiface && ( $inets ne ALLIP || $iexcl || $trivialiexcl);
    fatal_error "DEST interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT &&  $diface && ( $dnets ne ALLIP || $dexcl || $trivialdexcl);
-    my $fromref;
+    my ( $fromref, $done );
    if ( $iexcl || $dexcl || $oexcl ) {
 	#
 	# We have non-trivial exclusion -- need to create an exclusion chain
 	#
-	fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN' || $disposition eq 'CONTINUE';
+	if ( $disposition eq 'RETURN' || $disposition eq 'CONTINUE' ) {
 	    #
 	    # We can't use an exclusion chain -- we mark those packets to be excluded and then condition the following rules based on the mark value
 	    #
 	    require_capability 'MARK_ANYWHERE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's';
 	    add_rule $chainref = $chainref , '-j MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
 	    my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );
-	#
+	    add_rule $chainref, ( match_source_net $_ , $restriction ) . $exclude for ( mysplit $iexcl );
-	# Create the Exclusion Chain
+	    add_rule $chainref, ( match_dest_net $_ )                  . $exclude for ( mysplit $dexcl );
-	#
+	    add_rule $chainref, ( match_orig_dest $_ )                 . $exclude for ( mysplit $oexcl );
 	my $echain = newexclusionchain;
-	my $echainref = new_chain $chainref->{table}, $echain;
+	    $rule .= '-m mark --mark 0/' . in_hex( $globals{EXCLUSION_MASK} ) . ' ';
 	} else {
 	    #
 	    # Create the Exclusion Chain
 	    #
 	    my $echain = newexclusionchain;
-	#
+	    my $echainref = new_chain $chainref->{table}, $echain;
-	# Use the current rule and send all possible matches to the exclusion chain
+	    #
-	#
+	    # Use the current rule and send all possible matches to the exclusion chain
-	for my $onet ( mysplit $onets ) {
+	    #
-	    $onet = match_orig_dest $onet;
+	    for my $onet ( mysplit $onets ) {
-	    for my $inet ( mysplit $inets ) {
+		$onet = match_orig_dest $onet;
-		for my $dnet ( mysplit $dnets ) {
+		for my $inet ( mysplit $inets ) {
-		    #
+		    for my $dnet ( mysplit $dnets ) {
-		    # We evaluate the source net match in the inner loop to accomodate systems without $capabilities{KLUDGEFREE}
+			#
-		    #
+			# We evaluate the source net match in the inner loop to accomodate systems without $capabilities{KLUDGEFREE}
-		    add_jump( $chainref, $echainref, 0, join( '', $rule, match_source_net( $inet, $restriction ), match_dest_net( $dnet ), $onet ), 1 );
+			#
 			add_jump( $chainref, $echainref, 0, join( '', $rule, match_source_net( $inet, $restriction ), match_dest_net( $dnet ), $onet ), 1 );
 		    }
 		}
 	    }
 	}
-	#
+	    #
-	# Generate RETURNs for each exclusion
+	    # Generate RETURNs for each exclusion
-	#
+	    #
-	add_rule $echainref, ( match_source_net $_ , $restriction ) . '-j RETURN' for ( mysplit $iexcl );
+	    add_rule $echainref, ( match_source_net $_ , $restriction ) . '-j RETURN' for ( mysplit $iexcl );
-	add_rule $echainref, ( match_dest_net $_ ) .   '-j RETURN' for ( mysplit $dexcl );
+	    add_rule $echainref, ( match_dest_net $_ ) .   '-j RETURN' for ( mysplit $dexcl );
-	add_rule $echainref, ( match_orig_dest $_ ) .  '-j RETURN' for ( mysplit $oexcl );
+	    add_rule $echainref, ( match_orig_dest $_ ) .  '-j RETURN' for ( mysplit $oexcl );
-	#
+	    #
-	# Log rule
+	    # Log rule
-	#
+	    #
-	log_rule_limit( $loglevel , 
+	    log_rule_limit( $loglevel , 
-			$echainref , 
+			    $echainref , 
-			$chain, 
+			    $chain, 
-			$disposition eq 'reject' ? 'REJECT' : $disposition ,
+			    $disposition eq 'reject' ? 'REJECT' : $disposition ,
-			'' ,  
+			    '' ,  
-			$logtag , 
+			    $logtag , 
-			'add' ,
+			    'add' ,
-			'' ) 
+			    '' ) 
-	    if $loglevel;
+		if $loglevel;
-	#
+	    #
-	# Generate Final Rule
+	    # Generate Final Rule
-	#
+	    #
-	add_rule $fromref = $echainref, $exceptionrule . $jump , 1 unless $disposition eq 'LOG';
+	    add_rule $fromref = $echainref, $exceptionrule . $jump , 1 unless $disposition eq 'LOG';
-    } else {
+
 	    $done = 1;
 	}
    }
    unless ( $done ) {
 	#
 	# No exclusions
 	#
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -3092,7 +3092,12 @@ sub get_configuration( $ ) {
    if ( $config{PROVIDER_OFFSET} ) {
 	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
-	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 32;
+	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31;
 	$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
    } elsif ( $config{TC_BITS} >= $config{PROVIDER_BITS} ) {
 	$globals{EXCLUSION_MASK} = 1 << $config{TC_BITS};
    } else {
 	$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
    }
    $globals{TC_MAX}                 = make_mask( $config{TC_BITS} );
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@ -393,7 +393,7 @@ sub process_tc_rule( ) {
 				     '' ,
 				     "$target $mark" ,
 				     '' ,
-				     '' ,
+				     $target ,
 				     '' ) )
 	  && $device ) {
 	#
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -2,6 +2,12 @@ Changes in Shorewall 4.4.13
 1)  Allow zone lists in rules SOURCE and DEST.
 2)  Fix exclusion in the blacklist file.
 3)  Correct several old exclusion bugs.
 4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+
 Changes in Shorewall 4.4.12
 1)  Fix IPv6 shorecap program.
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -28,11 +28,25 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 4)  Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
    if the last optional interface tested was not available.
 5)  Exclusion in the blacklist file was correctly validated but was then
    ignored when generating iptables (ip6tables) rules.
 6)  Previously, non-trivial exclusion (more than one excluded
    address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
    valid but incorrect iptables input. This has been corrected but
    requires that your iptables/kernel support marking rules in any
    Netfilter table.
    This fix implements a new 'Mark in any table' capability; those
    who utilize a capabilities file should re-generate the file using
    this release.
 ----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------
-None.
+1)  On systems running Upstart, shorewall-init cannot reliably start the
    firewall before interfaces are brought up.
 ----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E