Move section processing to the Rules module where it belongs
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
c03caf7c2f
commit
cf60752988
@ -35,7 +35,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_accounting );
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = '4.4.17';
|
||||
our $VERSION = '4.4.18';
|
||||
|
||||
#
|
||||
# Per-IP accounting tables. Each entry contains the associated network.
|
||||
@ -244,7 +244,7 @@ sub process_accounting_rule( ) {
|
||||
|
||||
if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
|
||||
expand_rule(
|
||||
ensure_filter_chain( 'accountout' , 0 ) ,
|
||||
ensure_rules_chain ( 'accountout' ) ,
|
||||
OUTPUT_RESTRICT ,
|
||||
$rule ,
|
||||
$source ,
|
||||
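Review bot: Replacing `ensure_filter_chain( 'accountout' , 0 )` with `ensure_rules_chain( 'accountout' )` drops the explicit populate=0, and the new `ensure_rules_chain` (in the Rules.pm hunk further down) runs `finish_chain_section` on any not-yet-referenced chain whenever `$section` is NEW, DONE or RELATED. If the accounting file can be processed while one of those sections is current, the accountout chain now gets a `$globals{STATEMATCH} ... -j ACCEPT` rule and possibly syn-flood jumps, which the old `0` argument deliberately avoided, and accounting rules appended after such an ACCEPT would no longer see established traffic. Since the rewritten `ensure_filter_chain` in Chains.pm no longer populates at all, keeping `ensure_filter_chain( 'accountout' , 0 )` here preserves the old behaviour for this chain. process_accounting_rule starts and ends outside the hunk.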
|
@ -86,6 +86,8 @@ our %EXPORT_TAGS = (
|
||||
no_comment
|
||||
macro_comment
|
||||
clear_comment
|
||||
push_coment
|
||||
pop_comment
|
||||
incr_cmd_level
|
||||
decr_cmd_level
|
||||
forward_chain
|
||||
@ -119,7 +121,6 @@ our %EXPORT_TAGS = (
|
||||
new_builtin_chain
|
||||
new_nat_chain
|
||||
ensure_filter_chain
|
||||
finish_section
|
||||
optimize_chain
|
||||
check_optimization
|
||||
optimize_ruleset
|
||||
@ -180,8 +181,6 @@ our %EXPORT_TAGS = (
|
||||
preview_netfilter_load
|
||||
create_chainlist_reload
|
||||
create_stop_load
|
||||
$section
|
||||
%sections
|
||||
%targets
|
||||
) ],
|
||||
);
|
||||
@ -242,15 +241,8 @@ our $raw_table;
|
||||
our $nat_table;
|
||||
our $mangle_table;
|
||||
our $filter_table;
|
||||
#
|
||||
# It is a layer violation to keep information about the rules file sections in this module but in Shorewall, the rules file
|
||||
# and the filter table are very closely tied. By keeping the information here, we avoid making several other modules dependent
|
||||
# on Shorewall::Rules.
|
||||
#
|
||||
our %sections;
|
||||
our $section;
|
||||
|
||||
our $comment;
|
||||
our @comments;
|
||||
|
||||
#
|
||||
# Target Types
|
||||
@ -406,22 +398,11 @@ sub initialize( $ ) {
|
||||
$nat_table = $chain_table{nat};
|
||||
$mangle_table = $chain_table{mangle};
|
||||
$filter_table = $chain_table{filter};
|
||||
|
||||
#
|
||||
# These are set to 1 as sections are encountered.
|
||||
#
|
||||
%sections = ( ESTABLISHED => 0,
|
||||
RELATED => 0,
|
||||
NEW => 0
|
||||
);
|
||||
#
|
||||
# Current rules file section.
|
||||
#
|
||||
$section = '';
|
||||
#
|
||||
# Contents of last COMMENT line.
|
||||
#
|
||||
$comment = '';
|
||||
$comment = '';
|
||||
@comments = ();
|
||||
#
|
||||
# Used to sequence chain names.
|
||||
#
|
||||
@ -472,10 +453,30 @@ sub no_comment() {
|
||||
}
|
||||
|
||||
#
|
||||
# Clear the $comment variable
|
||||
# Clear the $comment variable and the comment stack
|
||||
#
|
||||
sub clear_comment() {
|
||||
$comment = '';
|
||||
$comment = '';
|
||||
@comments = ();
|
||||
}
|
||||
|
||||
#
|
||||
# Push and Pop comment stack
|
||||
#
|
||||
sub push_comment( $ ) {
|
||||
push @comments, $comment;
|
||||
$comment = shift;
|
||||
}
|
||||
|
||||
sub pop_comment() {
|
||||
$comment = pop @comments;
|
||||
}
|
||||
|
||||
#
|
||||
# Set comment
|
||||
#
|
||||
sub set_comment( $ ) {
|
||||
$comment = shift;
|
||||
}
|
||||
|
||||
#
|
||||
@ -1312,10 +1313,8 @@ sub dont_move( $ ) {
|
||||
$chainref;
|
||||
}
|
||||
|
||||
sub finish_chain_section( $$ );
|
||||
|
||||
#
|
||||
# Create a filter chain if necessary. Optionally populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
|
||||
# Create a filter chain if necessary.
|
||||
#
|
||||
# Return a reference to the chain's table entry.
|
||||
#
|
||||
@ -1325,17 +1324,7 @@ sub ensure_filter_chain( $$ )
|
||||
|
||||
my $chainref = ensure_chain 'filter', $chain;
|
||||
|
||||
unless ( $chainref->{referenced} ) {
|
||||
if ( $populate ) {
|
||||
if ( $section eq 'NEW' or $section eq 'DONE' ) {
|
||||
finish_chain_section $chainref , 'ESTABLISHED,RELATED';
|
||||
} elsif ( $section eq 'RELATED' ) {
|
||||
finish_chain_section $chainref , 'ESTABLISHED';
|
||||
}
|
||||
}
|
||||
|
||||
$chainref->{referenced} = 1;
|
||||
}
|
||||
$chainref->{referenced} = 1;
|
||||
|
||||
$chainref;
|
||||
}
|
||||
@ -1554,60 +1543,6 @@ sub initialize_chain_table()
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
|
||||
#
|
||||
sub finish_chain_section ($$) {
|
||||
my ($chainref, $state ) = @_;
|
||||
my $chain = $chainref->{name};
|
||||
my $savecomment = $comment;
|
||||
|
||||
$comment = '';
|
||||
|
||||
add_rule $chainref, "$globals{STATEMATCH} $state -j ACCEPT" unless $config{FASTACCEPT};
|
||||
|
||||
if ($sections{NEW} ) {
|
||||
if ( $chainref->{is_policy} ) {
|
||||
if ( $chainref->{synparams} ) {
|
||||
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
|
||||
if ( $section eq 'DONE' ) {
|
||||
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
|
||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
||||
}
|
||||
} else {
|
||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
||||
}
|
||||
}
|
||||
} else {
|
||||
my $policychainref = $filter_table->{$chainref->{policychain}};
|
||||
if ( $policychainref->{synparams} ) {
|
||||
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
|
||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
||||
}
|
||||
}
|
||||
|
||||
$chainref->{new} = @{$chainref->{rules}};
|
||||
}
|
||||
|
||||
$comment = $savecomment;
|
||||
}
|
||||
|
||||
#
|
||||
# Do section-end processing
|
||||
#
|
||||
sub finish_section ( $ ) {
|
||||
my $sections = $_[0];
|
||||
|
||||
$sections{$_} = 1 for split /,/, $sections;
|
||||
|
||||
for my $zone ( all_zones ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
|
||||
finish_chain_section $chainref, $sections if $chainref->{referenced};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Delete redundant ACCEPT rules from the end of a policy chain whose policy is ACCEPT
|
||||
#
|
||||
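Review bot: The name added to the %EXPORT_TAGS list near the top of this section is spelled `push_coment`, but the subroutine defined in the comment-stack hunk is `push_comment`, and the `finish_chain_section` moved into Rules.pm calls `push_comment('')`; unless `push_comment` is also listed in @EXPORT (not visible here), importers of this tag receive an undefined `push_coment` symbol and the `push_comment` call fails at runtime as an undefined subroutine. The tag entry should read `push_comment`. Separately, `pop_comment()` on an empty @comments leaves `$comment` undef rather than the `''` that `clear_comment` and `initialize` establish, and later string use of `$comment` would warn under `use warnings`; `$comment = @comments ? pop @comments : '';` keeps the invariant without relying on a newer Perl.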
|
@ -12,7 +12,7 @@
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty ofs
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
@ -1091,7 +1091,7 @@ sub generate_matrix() {
|
||||
#
|
||||
if ( $zoneref->{options}{in}{blacklist} ) {
|
||||
my $blackref = $filter_table->{blacklst};
|
||||
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
|
||||
add_jump ensure_rules_chain( rules_chain( $zone, $_ ) ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
|
||||
|
||||
if ( $simple ) {
|
||||
#
|
||||
@ -1102,7 +1102,7 @@ sub generate_matrix() {
|
||||
my $ruleschainref = $filter_table->{$ruleschain};
|
||||
|
||||
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
|
||||
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
|
||||
add_jump( ensure_rules_chain( $ruleschain ), $blackref, 0, $state, 0, -1 );
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1110,14 +1110,14 @@ sub generate_matrix() {
|
||||
|
||||
if ( $zoneref->{options}{out}{blacklist} ) {
|
||||
my $blackref = $filter_table->{blackout};
|
||||
add_jump ensure_filter_chain( rules_chain( firewall_zone, $zone ), 1 ) , $blackref , 0, $state, 0, -1;
|
||||
add_jump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , $blackref , 0, $state, 0, -1;
|
||||
|
||||
for my $zone1 ( @zones, @vservers ) {
|
||||
my $ruleschain = rules_chain( $zone1, $zone );
|
||||
my $ruleschainref = $filter_table->{$ruleschain};
|
||||
|
||||
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
|
||||
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
|
||||
add_jump( ensure_rules_chain( $ruleschain ), $blackref, 0, $state, 0, -1 );
|
||||
}
|
||||
}
|
||||
}
|
||||
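Review bot: The license-header hunk at the top of this section pairs `# but WITHOUT ANY WARRANTY; without even the implied warranty of` with a copy ending in `ofs`; if, as the old-then-new print order suggests, the second copy is the new side, the commit introduces a typo into the GPL boilerplate and the line should stay `# but WITHOUT ANY WARRANTY; without even the implied warranty of`. The generate_matrix hunks below replace `ensure_filter_chain( ..., 1 )` with `ensure_rules_chain( ... )`, which matches the populating behaviour of the new Rules.pm definition. generate_matrix starts and ends outside these hunks.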
|
@ -20,9 +20,10 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# This module contains
|
||||
# This module handles policies and rules. It contains:
|
||||
#
|
||||
# validate_policy() and it's associated helpers.
|
||||
# process_rule() and it's associated helpers for handling Actions and Macros.
|
||||
# process_rules() and it's associated helpers for handling Actions and Macros.
|
||||
#
|
||||
# This module combines the former Policy, Rules and Actions modules.
|
||||
#
|
||||
@ -43,6 +44,7 @@ our @EXPORT = qw(
|
||||
complete_standard_chain
|
||||
setup_syn_flood_chains
|
||||
save_policies
|
||||
ensure_rules_chain
|
||||
optimize_policy_chains
|
||||
process_actions1
|
||||
process_actions2
|
||||
@ -50,9 +52,11 @@ our @EXPORT = qw(
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.4_17';
|
||||
our $VERSION = '4.4_18';
|
||||
|
||||
# @policy_chains is a list of references to policy chains in the filter table
|
||||
our %sections;
|
||||
|
||||
our $section;
|
||||
|
||||
our @policy_chains;
|
||||
|
||||
@ -106,6 +110,17 @@ sub initialize( $ ) {
|
||||
REJECT => 'none' ,
|
||||
ACCEPT => 'none' ,
|
||||
QUEUE => 'none' );
|
||||
#
|
||||
# These are set to 1 as sections are encountered.
|
||||
#
|
||||
%sections = ( ESTABLISHED => 0,
|
||||
RELATED => 0,
|
||||
NEW => 0
|
||||
);
|
||||
#
|
||||
# Current rules file section.
|
||||
#
|
||||
$section = '';
|
||||
%macros = ();
|
||||
@actionstack = ();
|
||||
%active = ();
|
||||
@ -120,6 +135,9 @@ sub initialize( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# Functions moved from the former Policy Module
|
||||
###############################################################################
|
||||
#
|
||||
# Split the passed target into the basic target and parameter
|
||||
#
|
||||
@ -500,6 +518,8 @@ sub default_policy( $$$ ) {
|
||||
|
||||
}
|
||||
|
||||
sub ensure_rules_chain( $ );
|
||||
|
||||
sub apply_policy_rules() {
|
||||
progress_message2 'Applying Policies...';
|
||||
|
||||
@ -521,9 +541,9 @@ sub apply_policy_rules() {
|
||||
# is a single jump. Generate_matrix() will just use the policy target when
|
||||
# needed.
|
||||
#
|
||||
ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
|
||||
ensure_rules_chain $name if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
|
||||
} else {
|
||||
ensure_filter_chain $name, 1;
|
||||
ensure_rules_chain $name;
|
||||
}
|
||||
}
|
||||
|
||||
@ -546,6 +566,9 @@ sub apply_policy_rules() {
|
||||
}
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Modules moved from the Chains module in 4.4.18
|
||||
################################################################################
|
||||
#
|
||||
# Complete a standard chain
|
||||
#
|
||||
@ -620,6 +643,87 @@ sub optimize_policy_chains() {
|
||||
progress_message '';
|
||||
}
|
||||
|
||||
sub finish_chain_section( $$ );
|
||||
|
||||
#
|
||||
# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
|
||||
#
|
||||
# Return a reference to the chain's table entry.
|
||||
#
|
||||
sub ensure_rules_chain( $ )
|
||||
{
|
||||
my ($chain) = @_;
|
||||
|
||||
my $chainref = ensure_chain 'filter', $chain;
|
||||
|
||||
unless ( $chainref->{referenced} ) {
|
||||
if ( $section eq 'NEW' or $section eq 'DONE' ) {
|
||||
finish_chain_section $chainref , 'ESTABLISHED,RELATED';
|
||||
} elsif ( $section eq 'RELATED' ) {
|
||||
finish_chain_section $chainref , 'ESTABLISHED';
|
||||
}
|
||||
|
||||
$chainref->{referenced} = 1;
|
||||
}
|
||||
|
||||
$chainref;
|
||||
}
|
||||
|
||||
#
|
||||
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
|
||||
#
|
||||
sub finish_chain_section ($$) {
|
||||
my ($chainref, $state ) = @_;
|
||||
my $chain = $chainref->{name};
|
||||
|
||||
push_comment(''); #These rules should not have comments
|
||||
|
||||
add_rule $chainref, "$globals{STATEMATCH} $state -j ACCEPT" unless $config{FASTACCEPT};
|
||||
|
||||
if ($sections{NEW} ) {
|
||||
if ( $chainref->{is_policy} ) {
|
||||
if ( $chainref->{synparams} ) {
|
||||
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
|
||||
if ( $section eq 'DONE' ) {
|
||||
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
|
||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
||||
}
|
||||
} else {
|
||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
||||
}
|
||||
}
|
||||
} else {
|
||||
my $policychainref = $filter_table->{$chainref->{policychain}};
|
||||
if ( $policychainref->{synparams} ) {
|
||||
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
|
||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
||||
}
|
||||
}
|
||||
|
||||
$chainref->{new} = @{$chainref->{rules}};
|
||||
}
|
||||
|
||||
pop_comment;
|
||||
}
|
||||
|
||||
#
|
||||
# Do section-end processing
|
||||
#
|
||||
sub finish_section ( $ ) {
|
||||
my $sections = $_[0];
|
||||
|
||||
$sections{$_} = 1 for split /,/, $sections;
|
||||
|
||||
for my $zone ( all_zones ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
|
||||
finish_chain_section $chainref, $sections if $chainref->{referenced};
|
||||
}
|
||||
}
|
||||
}
|
||||
################################################################################
|
||||
# Functions moved from the Actions module in 4.4.16
|
||||
################################################################################
|
||||
#
|
||||
# Return ( action, level[:tag] ) from passed full action
|
||||
#
|
||||
@ -1276,7 +1380,9 @@ sub process_actions2 () {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# End of functions moved from the Actions module in 4.4.16
|
||||
################################################################################
|
||||
#
|
||||
# Expand a macro rule from the rules file
|
||||
#
|
||||
@ -1681,7 +1787,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
|
||||
#
|
||||
# Mark the chain as referenced and add appropriate rules from earlier sections.
|
||||
#
|
||||
$chainref = ensure_filter_chain $chain, 1;
|
||||
$chainref = ensure_rules_chain $chain;
|
||||
#
|
||||
# Don't let the rules in this chain be moved elsewhere
|
||||
#
|
||||
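Review bot: The banner comment introduced above `complete_standard_chain` reads `# Modules moved from the Chains module in 4.4.18`, while the neighbouring banners say `# Functions moved from the former Policy Module` and `# Functions moved from the Actions module in 4.4.16`; what moved are subroutines, so `# Functions moved from the Chains module in 4.4.18` keeps the three consistent. In the moved `finish_chain_section`, `my $chain = $chainref->{name};` is never read and can be dropped. The same sub ends with a bareword `pop_comment;`, which compiles only because the name is imported before this file is parsed; `pop_comment();` makes that independent of import order and matches the `push_comment('')` call above it. The header comment on `ensure_rules_chain` says the chain is populated with the ESTABLISHED,RELATED rule(s), but the code does so only on first reference and only while `$section` is NEW, DONE or RELATED, which is worth stating, e.g. `# Create a rules chain if necessary; on first reference, and only once a NEW, RELATED or DONE section is current, populate it with the appropriate ESTABLISHED,RELATED rule(s) and SYN rate limiting.`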
|
@ -28,13 +28,14 @@ use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Chains qw(:DEFAULT :internal);
|
||||
use Shorewall::Rules;
|
||||
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_tunnels );
|
||||
our @EXPORT_OK = ( );
|
||||
our $VERSION = '4.4_14';
|
||||
our $VERSION = '4.4_18';
|
||||
|
||||
#
|
||||
# Here starts the tunnel stuff -- we really should get rid of this crap...
|
||||
@ -83,8 +84,8 @@ sub setup_tunnels() {
|
||||
for my $zone ( split_list $gatewayzones, 'zone' ) {
|
||||
my $type = zone_type( $zone );
|
||||
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
|
||||
$inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
|
||||
$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
|
||||
$inchainref = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
|
||||
$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
|
||||
|
||||
unless ( have_ipsec ) {
|
||||
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||
@ -239,8 +240,8 @@ sub setup_tunnels() {
|
||||
|
||||
fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
|
||||
|
||||
my $inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
|
||||
my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
|
||||
my $inchainref = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
|
||||
my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
|
||||
|
||||
$gateway = ALLIP if $gateway eq '-';
|
||||
|
||||
|
@ -4,6 +4,10 @@ Changes in Shorewall 4.4.18 Beta 4
|
||||
|
||||
2) Change default value of MODULE_PREFIX.
|
||||
|
||||
3) Combine Policy and Rules Modules
|
||||
|
||||
4) Move section processing to the Rules modules.
|
||||
|
||||
Changes in Shorewall 4.4.18 Beta 3
|
||||
|
||||
1) Change default chain in FORWARD section of the accounting file.
|
||||
|
@ -127,6 +127,9 @@ None.
|
||||
Netfilter releases which disallow the owner match in rules
|
||||
reachable from the INPUT and FORWARD hooks.
|
||||
|
||||
3) Internals Change: The Policy.pm module has been merged into the
|
||||
Rules.pm module.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I V. R E L E A S E 4 . 4 H I G H L I G H T S
|
||||
----------------------------------------------------------------------------
|
||||
|