From cf6075298821eb150f8778f66fc3f8036dec7f21 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 20 Feb 2011 15:35:58 -0800 Subject: [PATCH] Move section processing to the Rules module where it belongs Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Accounting.pm | 4 +- Shorewall/Perl/Shorewall/Chains.pm | 123 ++++++------------------- Shorewall/Perl/Shorewall/Misc.pm | 10 +- Shorewall/Perl/Shorewall/Rules.pm | 122 ++++++++++++++++++++++-- Shorewall/Perl/Shorewall/Tunnels.pm | 11 ++- Shorewall/changelog.txt | 4 + Shorewall/releasenotes.txt | 3 + 7 files changed, 163 insertions(+), 114 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm index a73c9487d..1b1d28ac0 100644 --- a/Shorewall/Perl/Shorewall/Accounting.pm +++ b/Shorewall/Perl/Shorewall/Accounting.pm @@ -35,7 +35,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_accounting ); our @EXPORT_OK = qw( ); -our $VERSION = '4.4.17'; +our $VERSION = '4.4.18'; # # Per-IP accounting tables. Each entry contains the associated network. @@ -244,7 +244,7 @@ sub process_accounting_rule( ) { if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) { expand_rule( - ensure_filter_chain( 'accountout' , 0 ) , + ensure_rules_chain ( 'accountout' ) , OUTPUT_RESTRICT , $rule , $source , diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 76f7df9cf..a28401d91 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -86,6 +86,8 @@ our %EXPORT_TAGS = ( no_comment macro_comment clear_comment + push_coment + pop_comment incr_cmd_level decr_cmd_level forward_chain @@ -119,7 +121,6 @@ our %EXPORT_TAGS = ( new_builtin_chain new_nat_chain ensure_filter_chain - finish_section optimize_chain check_optimization optimize_ruleset @@ -180,8 +181,6 @@ our %EXPORT_TAGS = ( preview_netfilter_load create_chainlist_reload create_stop_load - $section - %sections %targets ) ], ); 
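Review bot: `ensure_rules_chain ( 'accountout' )` drops the populate flag of 0 that the old `ensure_filter_chain( 'accountout' , 0 )` call passed, and the replacement defined in Rules.pm (hunk @@ -620) populates any not-yet-referenced chain whenever `$section` is NEW, RELATED or DONE, so if setup_accounting() can run after section processing has begun, the accountout chain would gain a `$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT` rule it never had before, presumably ending traversal for that traffic before the rest of the chain. The call order is not visible here; if accounting is always processed while `$section` is still '', a comment recording that assumption would protect it, e.g. `# No state rules are added here: accounting is processed before any rules-file section is entered`. This file also needs Shorewall::Rules imported for the bare call to resolve, and no `use` line is added in this diff. The space before the opening paren is out of step with the surrounding calls: `ensure_rules_chain( 'accountout' ) ,`.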
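Review bot: The export list adds `push_coment`, but the subroutine defined in this patch (hunk @@ -472 of this file) is `push_comment`, so the misspelled name exports nothing and the real one stays unexported; the `push_comment('')` call in Rules.pm's finish_chain_section (hunk @@ -620) would then die with an undefined-subroutine error at run time. The fix is the single line `push_comment`. `set_comment`, also added in hunk @@ -472, is not exported at all; either add it here or drop it if nothing calls it. The %EXPORT_TAGS declaration starts before this hunk, so I cannot tell which tag these names fall under.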
@@ -242,15 +241,8 @@ our $raw_table; our $nat_table; our $mangle_table; our $filter_table; -# -# It is a layer violation to keep information about the rules file sections in this module but in Shorewall, the rules file -# and the filter table are very closely tied. By keeping the information here, we avoid making several other modules dependent -# on Shorewall::Rules. -# -our %sections; -our $section; - our $comment; +our @comments; # # Target Types @@ -406,22 +398,11 @@ sub initialize( $ ) { $nat_table = $chain_table{nat}; $mangle_table = $chain_table{mangle}; $filter_table = $chain_table{filter}; - - # - # These are set to 1 as sections are encountered. - # - %sections = ( ESTABLISHED => 0, - RELATED => 0, - NEW => 0 - ); - # - # Current rules file section. - # - $section = ''; # # Contents of last COMMENT line. # - $comment = ''; + $comment = ''; + @comments = (); # # Used to sequence chain names. # @@ -472,10 +453,30 @@ sub no_comment() { } # -# Clear the $comment variable +# Clear the $comment variable and the comment stack # sub clear_comment() { - $comment = ''; + $comment = ''; + @comments = (); +} + +# +# Push and Pop comment stack +# +sub push_comment( $ ) { + push @comments, $comment; + $comment = shift; +} + +sub pop_comment() { + $comment = pop @comments; +} + +# +# Set comment +# +sub set_comment( $ ) { + $comment = shift; } # @@ -1312,10 +1313,8 @@ sub dont_move( $ ) { $chainref; } -sub finish_chain_section( $$ ); - # -# Create a filter chain if necessary. Optionally populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting. +# Create a filter chain if necessary. # # Return a reference to the chain's table entry. # 
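Review bot: `pop_comment` leaves `$comment` undefined when the stack is empty, since `pop` on an empty array returns undef, whereas every other path in this patch keeps `$comment` a string (`''` in initialize() and clear_comment()); an unbalanced pop would presumably surface later as 'uninitialized value' warnings wherever `$comment` is interpolated or compared. A one-line guard preserves the invariant: `$comment = @comments ? pop @comments : '';`. The header comment could also state the contract, e.g. `# push_comment saves the current comment and installs a new one; pop_comment restores it. Calls must be balanced.`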
@@ -1325,17 +1324,7 @@ sub ensure_filter_chain( $$ ) my $chainref = ensure_chain 'filter', $chain; - unless ( $chainref->{referenced} ) { - if ( $populate ) { - if ( $section eq 'NEW' or $section eq 'DONE' ) { - finish_chain_section $chainref , 'ESTABLISHED,RELATED'; - } elsif ( $section eq 'RELATED' ) { - finish_chain_section $chainref , 'ESTABLISHED'; - } - } - - $chainref->{referenced} = 1; - } + $chainref->{referenced} = 1; $chainref; } 
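Review bot: ensure_filter_chain keeps its `( $$ )` prototype, so callers still pass a second argument, but after this hunk the body only marks the chain referenced; the former populate flag is accepted and silently ignored, and any remaining caller passing 1 in the belief that ESTABLISHED,RELATED rules are added now gets a bare chain. The sub's start and the unpacking of `@_` lie outside the hunk, so I cannot see whether the argument is still named. Either reduce the prototype to `( $ )` and fix the remaining callers, or document the change of contract: `# The second argument (the old populate flag) is ignored; use Shorewall::Rules::ensure_rules_chain() to get the section rules.`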
@@ -1554,60 +1543,6 @@ sub initialize_chain_table() } } -# -# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain -# -sub finish_chain_section ($$) { - my ($chainref, $state ) = @_; - my $chain = $chainref->{name}; - my $savecomment = $comment; - - $comment = ''; - - add_rule $chainref, "$globals{STATEMATCH} $state -j ACCEPT" unless $config{FASTACCEPT}; - - if ($sections{NEW} ) { - if ( $chainref->{is_policy} ) { - if ( $chainref->{synparams} ) { - my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref; - if ( $section eq 'DONE' ) { - if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) { - add_jump $chainref, $synchainref, 0, "-p tcp --syn "; - } - } else { - add_jump $chainref, $synchainref, 0, "-p tcp --syn "; - } - } - } else { - my $policychainref = $filter_table->{$chainref->{policychain}}; - if ( $policychainref->{synparams} ) { - my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref; - add_jump $chainref, $synchainref, 0, "-p tcp --syn "; - } - } - - $chainref->{new} = @{$chainref->{rules}}; - } - - $comment = $savecomment; -} - -# -# Do section-end processing -# -sub finish_section ( $ ) { - my $sections = $_[0]; - - $sections{$_} = 1 for split /,/, $sections; - - for my $zone ( all_zones ) { - for my $zone1 ( all_zones ) { - my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )}; - finish_chain_section $chainref, $sections if $chainref->{referenced}; - } - } -} - # # Delete redundant ACCEPT rules from the end of a policy chain whose policy is ACCEPT # diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 073368bb5..733e5ef30 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm 
@@ -12,7 +12,7 @@ # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of +# but WITHOUT ANY WARRANTY; without even the implied warranty ofs # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # @@ -1091,7 +1091,7 @@ sub generate_matrix() { # if ( $zoneref->{options}{in}{blacklist} ) { my $blackref = $filter_table->{blacklst}; - add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers; + add_jump ensure_rules_chain( rules_chain( $zone, $_ ) ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers; if ( $simple ) { # @@ -1102,7 +1102,7 @@ sub generate_matrix() { my $ruleschainref = $filter_table->{$ruleschain}; if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) { - add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 ); + add_jump( ensure_rules_chain( $ruleschain ), $blackref, 0, $state, 0, -1 ); } } } @@ -1110,14 +1110,14 @@ sub generate_matrix() { if ( $zoneref->{options}{out}{blacklist} ) { my $blackref = $filter_table->{blackout}; - add_jump ensure_filter_chain( rules_chain( firewall_zone, $zone ), 1 ) , $blackref , 0, $state, 0, -1; + add_jump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , $blackref , 0, $state, 0, -1; for my $zone1 ( @zones, @vservers ) { my $ruleschain = rules_chain( $zone1, $zone ); my $ruleschainref = $filter_table->{$ruleschain}; if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) { - add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 ); + add_jump( ensure_rules_chain( $ruleschain ), $blackref, 0, $state, 0, -1 ); } } } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 5e361b18c..537c3f271 100644 
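Review bot: The edit to the licence header turns 'warranty of' into 'warranty ofs', which looks like an accidental keystroke rather than an intended change; the line should be restored to `# but WITHOUT ANY WARRANTY; without even the implied warranty of`.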
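Review bot: generate_matrix now calls `ensure_rules_chain`, which this patch defines and exports from Shorewall::Rules, but unlike Tunnels.pm no `use Shorewall::Rules;` is added to Misc.pm in this diff; if Misc.pm does not already import that module, the bare call fails to resolve at run time. The same applies to the two following hunks of this file (@@ -1102 and @@ -1110). The file's import block is outside the hunk, so this is worth confirming there.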
--- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -20,9 +20,10 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -# This module contains +# This module handles policies and rules. It contains: +# # validate_policy() and it's associated helpers. -# process_rule() and it's associated helpers for handling Actions and Macros. +# process_rules() and it's associated helpers for handling Actions and Macros. # # This module combines the former Policy, Rules and Actions modules. # @@ -43,6 +44,7 @@ our @EXPORT = qw( complete_standard_chain setup_syn_flood_chains save_policies + ensure_rules_chain optimize_policy_chains process_actions1 process_actions2 @@ -50,9 +52,11 @@ our @EXPORT = qw( ); our @EXPORT_OK = qw( initialize ); -our $VERSION = '4.4_17'; +our $VERSION = '4.4_18'; -# @policy_chains is a list of references to policy chains in the filter table +our %sections; + +our $section; our @policy_chains; @@ -106,6 +110,17 @@ sub initialize( $ ) { REJECT => 'none' , ACCEPT => 'none' , QUEUE => 'none' ); + # + # These are set to 1 as sections are encountered. + # + %sections = ( ESTABLISHED => 0, + RELATED => 0, + NEW => 0 + ); + # + # Current rules file section. + # + $section = ''; %macros = (); @actionstack = (); %active = (); @@ -120,6 +135,9 @@ sub initialize( $ ) { } } +############################################################################### +# Functions moved from the former Policy Module +############################################################################### # # Split the passed target into the basic target and parameter # @@ -500,6 +518,8 @@ sub default_policy( $$$ ) { } +sub ensure_rules_chain( $ ); + sub apply_policy_rules() { progress_message2 'Applying Policies...'; 
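Review bot: The rewritten header comment uses the contraction 'it's' where the possessive is meant on the new `process_rules()` line (the retained validate_policy() line has the same slip); `# process_rules() and its associated helpers for handling Actions and Macros.` reads correctly.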
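Review bot: `our %sections;` and `our $section;` arrive without the explanatory comments they carried in Chains.pm, and the one-line comment documenting `@policy_chains` is deleted in the same hunk, so the package-variable block now has no documentation at all. I would restore `# @policy_chains is a list of references to policy chains in the filter table` and add `# Rules-file sections seen so far (set to 1 by finish_section) and the section currently being processed` above the two new declarations. These two variables were previously in Chains.pm's export tags (removed in that file's hunk @@ -180) and are not added to @EXPORT here; if any other module still refers to `$section` or `%sections`, that is a compile-time error under strict, though no such use is visible in this diff.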
@@ -521,9 +541,9 @@ sub apply_policy_rules() { # is a single jump. Generate_matrix() will just use the policy target when # needed. # - ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ); + ensure_rules_chain $name if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ); } else { - ensure_filter_chain $name, 1; + ensure_rules_chain $name; } } @@ -546,6 +566,9 @@ sub apply_policy_rules() { } } +################################################################################ +# Modules moved from the Chains module in 4.4.18 +################################################################################ # # Complete a standard chain # 
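Review bot: The new banner says 'Modules moved from the Chains module in 4.4.18', but what follows are subroutines, and complete_standard_chain() and optimize_policy_chains(), which sit directly beneath it, already appear in this file's @EXPORT in the pre-patch context of hunk @@ -43, so they were not moved by this commit; the functions that were moved (ensure_rules_chain, finish_chain_section, finish_section) begin at hunk @@ -620. Suggest `# Functions moved from the Chains module in 4.4.18` and placing the banner immediately above `sub ensure_rules_chain`, next to the forward declaration `sub finish_chain_section( $$ );` that belongs to the same group.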
@@ -620,6 +643,87 @@ sub optimize_policy_chains() { progress_message ''; } +sub finish_chain_section( $$ ); + +# +# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting. +# +# Return a reference to the chain's table entry. +# +sub ensure_rules_chain( $ ) +{ + my ($chain) = @_; + + my $chainref = ensure_chain 'filter', $chain; + + unless ( $chainref->{referenced} ) { + if ( $section eq 'NEW' or $section eq 'DONE' ) { + finish_chain_section $chainref , 'ESTABLISHED,RELATED'; + } elsif ( $section eq 'RELATED' ) { + finish_chain_section $chainref , 'ESTABLISHED'; + } + + $chainref->{referenced} = 1; + } + + $chainref; +} + +# +# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain +# +sub finish_chain_section ($$) { + my ($chainref, $state ) = @_; + my $chain = $chainref->{name}; + + push_comment(''); #These rules should not have comments + + add_rule $chainref, "$globals{STATEMATCH} $state -j ACCEPT" unless $config{FASTACCEPT}; + + if ($sections{NEW} ) { + if ( $chainref->{is_policy} ) { + if ( $chainref->{synparams} ) { + my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref; + if ( $section eq 'DONE' ) { + if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) { + add_jump $chainref, $synchainref, 0, "-p tcp --syn "; + } + } else { + add_jump $chainref, $synchainref, 0, "-p tcp --syn "; + } + } + } else { + my $policychainref = $filter_table->{$chainref->{policychain}}; + if ( $policychainref->{synparams} ) { + my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref; + add_jump $chainref, $synchainref, 0, "-p tcp --syn "; + } + } + + $chainref->{new} = @{$chainref->{rules}}; + } + + pop_comment; +} + +# +# Do section-end processing +# +sub finish_section ( $ ) { + my $sections = $_[0]; + + $sections{$_} = 1 for split /,/, $sections; + + for my $zone ( all_zones ) { + for my $zone1 ( all_zones ) { + my $chainref = 
$chain_table{'filter'}{rules_chain( $zone, $zone1 )}; + finish_chain_section $chainref, $sections if $chainref->{referenced}; + } + } +} +################################################################################ +# Functions moved from the Actions module in 4.4.16 +################################################################################ # # Return ( action, level[:tag] ) from passed full action # @@ -1276,7 +1380,9 @@ sub process_actions2 () { } } } - +################################################################################ +# End of functions moved from the Actions module in 4.4.16 +################################################################################ # # Expand a macro rule from the rules file # @@ -1681,7 +1787,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) { # # Mark the chain as referenced and add appropriate rules from earlier sections. # - $chainref = ensure_filter_chain $chain, 1; + $chainref = ensure_rules_chain $chain; # # Don't let the rules in this chain be moved elsewhere # diff --git a/Shorewall/Perl/Shorewall/Tunnels.pm b/Shorewall/Perl/Shorewall/Tunnels.pm index 586f8b32d..4ca224329 100644 --- a/Shorewall/Perl/Shorewall/Tunnels.pm +++ b/Shorewall/Perl/Shorewall/Tunnels.pm @@ -28,13 +28,14 @@ use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::Zones; use Shorewall::IPAddrs; use Shorewall::Chains qw(:DEFAULT :internal); +use Shorewall::Rules; use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_tunnels ); our @EXPORT_OK = ( ); -our $VERSION = '4.4_14'; +our $VERSION = '4.4_18'; # # Here starts the tunnel stuff -- we really should get rid of this crap... 
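Review bot: `my $chain = $chainref->{name};` in finish_chain_section is assigned and never read anywhere in the sub, so it is dead code carried over in the move and can be deleted. The `push_comment('')` / `pop_comment` pairing assumes nothing between them dies and is caught, which is fine if add_rule and add_jump only fail through fatal_error, but the comment could say so: `# Suppress the current COMMENT for the generated state rules; restored by pop_comment below.` ensure_rules_chain's header says 'if necessary' only about chain creation, yet the ESTABLISHED/RELATED population also happens only for a chain not yet referenced and only while `$section` is NEW, RELATED or DONE; worth stating, since callers outside the rules file (Accounting.pm, Tunnels.pm) now go through it.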
@@ -83,8 +84,8 @@ sub setup_tunnels() { for my $zone ( split_list $gatewayzones, 'zone' ) { my $type = zone_type( $zone ); fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT; - $inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1; - $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1; + $inchainref = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) ); + $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) ); unless ( have_ipsec ) { add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT"; @@ -239,8 +240,8 @@ sub setup_tunnels() { fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT; - my $inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1; - my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1; + my $inchainref = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) ); + my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) ); $gateway = ALLIP if $gateway eq '-'; diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 1821b253d..9b58d032a 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -4,6 +4,10 @@ Changes in Shorewall 4.4.18 Beta 4 2) Change default value of MODULE_PREFIX. +3) Combine Policy and Rules Modules + +4) Move section processing to the Rules modules. + Changes in Shorewall 4.4.18 Beta 3 1) Change default chain in FORWARD section of the accounting file. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 2dd44515c..39105217a 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
@@ -127,6 +127,9 @@ None. Netfilter releases which disallow the owner match in rules reachable from the INPUT and FORWARD hooks. +3) Internals Change: The Policy.pm module has been merged into the + Rules.pm module. + ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S ----------------------------------------------------------------------------