Move section processing to the Rules module where it belongs

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-02-20 15:35:58 -08:00
parent c03caf7c2f
commit cf60752988
7 changed files with 163 additions and 114 deletions


@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_accounting );
our @EXPORT_OK = qw( );
our $VERSION = '4.4.17';
our $VERSION = '4.4.18';
#
# Per-IP accounting tables. Each entry contains the associated network.
@ -244,7 +244,7 @@ sub process_accounting_rule( ) {
if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
expand_rule(
ensure_filter_chain( 'accountout' , 0 ) ,
ensure_rules_chain ( 'accountout' ) ,
OUTPUT_RESTRICT ,
$rule ,
$source ,
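Review bot: Replacing `ensure_filter_chain( 'accountout' , 0 )` with `ensure_rules_chain ( 'accountout' )` drops the explicit populate=0 — the new helper in Rules.pm unconditionally runs `finish_chain_section` on a not-yet-referenced chain, which adds the `$globals{STATEMATCH} ... -j ACCEPT` rule and syn-flood jumps whenever `$section` is NEW, DONE or RELATED. Whether `accountout` actually picks those rules up depends on whether the accounting file is processed while `$section` is still '', which I cannot tell from here; if the chain must stay unpopulated regardless, `ensure_filter_chain( 'accountout' , 0 )` still exists in Chains.pm and was the safer call. If the new behaviour is intended, a one-line comment above the call saying so would spare the next reader the same question. The rest of `process_accounting_rule` is outside the hunk.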


@ -86,6 +86,8 @@ our %EXPORT_TAGS = (
no_comment
macro_comment
clear_comment
push_coment
pop_comment
incr_cmd_level
decr_cmd_level
forward_chain
@ -119,7 +121,6 @@ our %EXPORT_TAGS = (
new_builtin_chain
new_nat_chain
ensure_filter_chain
finish_section
optimize_chain
check_optimization
optimize_ruleset
@ -180,8 +181,6 @@ our %EXPORT_TAGS = (
preview_netfilter_load
create_chainlist_reload
create_stop_load
$section
%sections
%targets
) ],
);
@ -242,15 +241,8 @@ our $raw_table;
our $nat_table;
our $mangle_table;
our $filter_table;
#
# It is a layer violation to keep information about the rules file sections in this module but in Shorewall, the rules file
# and the filter table are very closely tied. By keeping the information here, we avoid making several other modules dependent
# on Shorewall::Rules.
#
our %sections;
our $section;
our $comment;
our @comments;
#
# Target Types
@ -406,22 +398,11 @@ sub initialize( $ ) {
$nat_table = $chain_table{nat};
$mangle_table = $chain_table{mangle};
$filter_table = $chain_table{filter};
#
# These are set to 1 as sections are encountered.
#
%sections = ( ESTABLISHED => 0,
RELATED => 0,
NEW => 0
);
#
# Current rules file section.
#
$section = '';
#
# Contents of last COMMENT line.
#
$comment = '';
@comments = ();
#
# Used to sequence chain names.
#
@ -472,10 +453,30 @@ sub no_comment() {
}
#
# Clear the $comment variable
# Clear the $comment variable and the comment stack
#
sub clear_comment() {
$comment = '';
@comments = ();
}
#
# Push and Pop comment stack
#
sub push_comment( $ ) {
push @comments, $comment;
$comment = shift;
}
sub pop_comment() {
$comment = pop @comments;
}
#
# Set comment
#
sub set_comment( $ ) {
$comment = shift;
}
#
@ -1312,10 +1313,8 @@ sub dont_move( $ ) {
$chainref;
}
sub finish_chain_section( $$ );
#
# Create a filter chain if necessary. Optionally populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
# Create a filter chain if necessary.
#
# Return a reference to the chain's table entry.
#
@ -1325,17 +1324,7 @@ sub ensure_filter_chain( $$ )
my $chainref = ensure_chain 'filter', $chain;
unless ( $chainref->{referenced} ) {
if ( $populate ) {
if ( $section eq 'NEW' or $section eq 'DONE' ) {
finish_chain_section $chainref , 'ESTABLISHED,RELATED';
} elsif ( $section eq 'RELATED' ) {
finish_chain_section $chainref , 'ESTABLISHED';
}
}
$chainref->{referenced} = 1;
}
$chainref;
}
@ -1554,60 +1543,6 @@ sub initialize_chain_table()
}
}
#
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
#
sub finish_chain_section ($$) {
my ($chainref, $state ) = @_;
my $chain = $chainref->{name};
my $savecomment = $comment;
$comment = '';
add_rule $chainref, "$globals{STATEMATCH} $state -j ACCEPT" unless $config{FASTACCEPT};
if ($sections{NEW} ) {
if ( $chainref->{is_policy} ) {
if ( $chainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
if ( $section eq 'DONE' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
} else {
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
}
} else {
my $policychainref = $filter_table->{$chainref->{policychain}};
if ( $policychainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
}
$chainref->{new} = @{$chainref->{rules}};
}
$comment = $savecomment;
}
#
# Do section-end processing
#
sub finish_section ( $ ) {
my $sections = $_[0];
$sections{$_} = 1 for split /,/, $sections;
for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) {
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
finish_chain_section $chainref, $sections if $chainref->{referenced};
}
}
}
#
# Delete redundant ACCEPT rules from the end of a policy chain whose policy is ACCEPT
#
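Review bot: The `:internal` export tag near the top of this file lists `push_coment`, but the sub added further down is `push_comment`, so the misspelled entry exports a name that does not exist and the real `push_comment` is never exported; Rules.pm's moved `finish_chain_section` calls `push_comment('')` and will die with an undefined-subroutine error the first time that path runs. Change the tag entry to `push_comment`. The new `set_comment` does not appear in the tag list shown either — if other modules are meant to call it, add it alongside. Separately, `ensure_filter_chain( $$ )` keeps its second `$populate` argument after the populate branch was removed, so the argument is now ignored; either drop it (every caller this commit touches has switched to `ensure_rules_chain`) or say so in the header, e.g. `# The second argument is retained for compatibility and is currently ignored.`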


@ -12,7 +12,7 @@
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# but WITHOUT ANY WARRANTY; without even the implied warranty ofs
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
@ -1091,7 +1091,7 @@ sub generate_matrix() {
#
if ( $zoneref->{options}{in}{blacklist} ) {
my $blackref = $filter_table->{blacklst};
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
add_jump ensure_rules_chain( rules_chain( $zone, $_ ) ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
if ( $simple ) {
#
@ -1102,7 +1102,7 @@ sub generate_matrix() {
my $ruleschainref = $filter_table->{$ruleschain};
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
add_jump( ensure_rules_chain( $ruleschain ), $blackref, 0, $state, 0, -1 );
}
}
}
@ -1110,14 +1110,14 @@ sub generate_matrix() {
if ( $zoneref->{options}{out}{blacklist} ) {
my $blackref = $filter_table->{blackout};
add_jump ensure_filter_chain( rules_chain( firewall_zone, $zone ), 1 ) , $blackref , 0, $state, 0, -1;
add_jump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , $blackref , 0, $state, 0, -1;
for my $zone1 ( @zones, @vservers ) {
my $ruleschain = rules_chain( $zone1, $zone );
my $ruleschainref = $filter_table->{$ruleschain};
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
add_jump( ensure_rules_chain( $ruleschain ), $blackref, 0, $state, 0, -1 );
}
}
}
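Review bot: The only change to the license header introduces a typo — `# but WITHOUT ANY WARRANTY; without even the implied warranty ofs` should read `# but WITHOUT ANY WARRANTY; without even the implied warranty of`; this is the standard GPL text and should stay verbatim. The `generate_matrix` edits themselves are a straight rename to `ensure_rules_chain`, which now lives in Shorewall::Rules; this file's `use` list is not in the hunks, so confirm it imports that module before the name is called. generate_matrix starts and ends outside the hunks shown.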


@ -20,9 +20,10 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This module contains
# This module handles policies and rules. It contains:
#
# validate_policy() and it's associated helpers.
# process_rule() and it's associated helpers for handling Actions and Macros.
# process_rules() and it's associated helpers for handling Actions and Macros.
#
# This module combines the former Policy, Rules and Actions modules.
#
@ -43,6 +44,7 @@ our @EXPORT = qw(
complete_standard_chain
setup_syn_flood_chains
save_policies
ensure_rules_chain
optimize_policy_chains
process_actions1
process_actions2
@ -50,9 +52,11 @@ our @EXPORT = qw(
);
our @EXPORT_OK = qw( initialize );
our $VERSION = '4.4_17';
our $VERSION = '4.4_18';
# @policy_chains is a list of references to policy chains in the filter table
our %sections;
our $section;
our @policy_chains;
@ -106,6 +110,17 @@ sub initialize( $ ) {
REJECT => 'none' ,
ACCEPT => 'none' ,
QUEUE => 'none' );
#
# These are set to 1 as sections are encountered.
#
%sections = ( ESTABLISHED => 0,
RELATED => 0,
NEW => 0
);
#
# Current rules file section.
#
$section = '';
%macros = ();
@actionstack = ();
%active = ();
@ -120,6 +135,9 @@ sub initialize( $ ) {
}
}
###############################################################################
# Functions moved from the former Policy Module
###############################################################################
#
# Split the passed target into the basic target and parameter
#
@ -500,6 +518,8 @@ sub default_policy( $$$ ) {
}
sub ensure_rules_chain( $ );
sub apply_policy_rules() {
progress_message2 'Applying Policies...';
@ -521,9 +541,9 @@ sub apply_policy_rules() {
# is a single jump. Generate_matrix() will just use the policy target when
# needed.
#
ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
ensure_rules_chain $name if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
} else {
ensure_filter_chain $name, 1;
ensure_rules_chain $name;
}
}
@ -546,6 +566,9 @@ sub apply_policy_rules() {
}
}
################################################################################
# Modules moved from the Chains module in 4.4.18
################################################################################
#
# Complete a standard chain
#
@ -620,6 +643,87 @@ sub optimize_policy_chains() {
progress_message '';
}
sub finish_chain_section( $$ );
#
# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
#
# Return a reference to the chain's table entry.
#
sub ensure_rules_chain( $ )
{
my ($chain) = @_;
my $chainref = ensure_chain 'filter', $chain;
unless ( $chainref->{referenced} ) {
if ( $section eq 'NEW' or $section eq 'DONE' ) {
finish_chain_section $chainref , 'ESTABLISHED,RELATED';
} elsif ( $section eq 'RELATED' ) {
finish_chain_section $chainref , 'ESTABLISHED';
}
$chainref->{referenced} = 1;
}
$chainref;
}
#
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
#
sub finish_chain_section ($$) {
my ($chainref, $state ) = @_;
my $chain = $chainref->{name};
push_comment(''); #These rules should not have comments
add_rule $chainref, "$globals{STATEMATCH} $state -j ACCEPT" unless $config{FASTACCEPT};
if ($sections{NEW} ) {
if ( $chainref->{is_policy} ) {
if ( $chainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
if ( $section eq 'DONE' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
} else {
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
}
} else {
my $policychainref = $filter_table->{$chainref->{policychain}};
if ( $policychainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
}
$chainref->{new} = @{$chainref->{rules}};
}
pop_comment;
}
#
# Do section-end processing
#
sub finish_section ( $ ) {
my $sections = $_[0];
$sections{$_} = 1 for split /,/, $sections;
for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) {
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
finish_chain_section $chainref, $sections if $chainref->{referenced};
}
}
}
################################################################################
# Functions moved from the Actions module in 4.4.16
################################################################################
#
# Return ( action, level[:tag] ) from passed full action
#
@ -1276,7 +1380,9 @@ sub process_actions2 () {
}
}
}
################################################################################
# End of functions moved from the Actions module in 4.4.16
################################################################################
#
# Expand a macro rule from the rules file
#
@ -1681,7 +1787,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
#
# Mark the chain as referenced and add appropriate rules from earlier sections.
#
$chainref = ensure_filter_chain $chain, 1;
$chainref = ensure_rules_chain $chain;
#
# Don't let the rules in this chain be moved elsewhere
#
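Review bot: `%sections` and `$section` become `our` variables of this module while Chains.pm drops them from its `:internal` tag, yet neither @EXPORT (which only gains `ensure_rules_chain`) nor @EXPORT_OK picks them up — any module other than Rules.pm that still reads `$section` or `%sections` will now fail to compile under `use strict`, so either confirm nothing else does or add them to @EXPORT_OK. The banner before `complete_standard_chain` says `# Modules moved from the Chains module in 4.4.18` while the parallel banners say "Functions moved"; make it `# Functions moved from the Chains module in 4.4.18`. In the moved `finish_chain_section`, `my $chain = $chainref->{name};` is never used and can be dropped. The rewritten header line still says "it's associated helpers" where "its" is meant.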


@ -28,13 +28,14 @@ use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Zones;
use Shorewall::IPAddrs;
use Shorewall::Chains qw(:DEFAULT :internal);
use Shorewall::Rules;
use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tunnels );
our @EXPORT_OK = ( );
our $VERSION = '4.4_14';
our $VERSION = '4.4_18';
#
# Here starts the tunnel stuff -- we really should get rid of this crap...
@ -83,8 +84,8 @@ sub setup_tunnels() {
for my $zone ( split_list $gatewayzones, 'zone' ) {
my $type = zone_type( $zone );
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
$inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
$inchainref = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
unless ( have_ipsec ) {
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
@ -239,8 +240,8 @@ sub setup_tunnels() {
fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
my $inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
my $inchainref = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
$gateway = ALLIP if $gateway eq '-';
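Review bot: Adding `use Shorewall::Rules;` makes Tunnels.pm depend on the module that now owns `ensure_rules_chain`; if Shorewall::Rules, or anything it loads, in turn uses Shorewall::Tunnels, the resulting `use` cycle means one side's `import` runs before its @EXPORT is populated and `ensure_rules_chain` would be undefined at run time. Rules.pm's own `use` list is not in this commit's hunks, so please check for that cycle. The call sites are otherwise a straight rename; `setup_tunnels` begins and ends outside the hunks shown.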


@ -4,6 +4,10 @@ Changes in Shorewall 4.4.18 Beta 4
2) Change default value of MODULE_PREFIX.
3) Combine Policy and Rules Modules
4) Move section processing to the Rules modules.
Changes in Shorewall 4.4.18 Beta 3
1) Change default chain in FORWARD section of the accounting file.


@ -127,6 +127,9 @@ None.
Netfilter releases which disallow the owner match in rules
reachable from the INPUT and FORWARD hooks.
3) Internals Change: The Policy.pm module has been merged into the
Rules.pm module.
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------