mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-07 16:24:01 +01:00
Add OWNER_NAME_MATCH to do_user
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
ee15baf98c
commit
dee20c8d74
@ -28,7 +28,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40500
|
||||
SHOREWALL_CAPVERSION=40501
|
||||
SHOREWALL_CAPVERSION=40502
|
||||
|
||||
[ -n "${g_program:=shorewall}" ]
|
||||
|
||||
|
@ -1928,6 +1928,7 @@ determine_capabilities() {
|
||||
IPRANGE_MATCH=
|
||||
RECENT_MATCH=
|
||||
OWNER_MATCH=
|
||||
OWNER_NAME_MATCH=
|
||||
IPSET_MATCH=
|
||||
OLD_IPSET_MATCH=
|
||||
IPSET_V5=
|
||||
@ -2066,6 +2067,11 @@ determine_capabilities() {
|
||||
qt $g_tool -A $chain -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||
qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
|
||||
|
||||
local name
|
||||
name=$(id -un 2> /dev/null)
|
||||
|
||||
[ -n "$name" ] && qt $g_tool -A $chain -m owner --uid-owner $name -j ACCEPT && OWNER_NAME_MATCH=Yes
|
||||
|
||||
if qt $g_tool -A $chain -m connmark --mark 2 -j ACCEPT; then
|
||||
CONNMARK_MATCH=Yes
|
||||
qt $g_tool -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
|
||||
@ -2246,6 +2252,7 @@ report_capabilities() {
|
||||
report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
|
||||
report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
|
||||
report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
|
||||
report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
|
||||
if [ -n "$IPSET_MATCH" ]; then
|
||||
report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
|
||||
[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH
|
||||
@ -2334,6 +2341,7 @@ report_capabilities1() {
|
||||
report_capability1 IPRANGE_MATCH
|
||||
report_capability1 RECENT_MATCH
|
||||
report_capability1 OWNER_MATCH
|
||||
report_capability1 OWNER_NAME_MATCH
|
||||
report_capability1 IPSET_MATCH
|
||||
report_capability1 OLD_IPSET_MATCH
|
||||
report_capability1 CONNMARK
|
||||
|
@ -4066,6 +4066,21 @@ sub do_time( $ ) {
|
||||
$result;
|
||||
}
|
||||
|
||||
sub resolve_id( $$ ) {
|
||||
my ( $id, $type ) = @_;
|
||||
|
||||
if ( $globals{EXPORT} ) {
|
||||
require_capability 'OWNER_NAME_MATCH', "Specifying a $type name", 's';
|
||||
} else {
|
||||
my $num = $type eq 'user' ? getpwnam( $id ) : getgrnam( $id );
|
||||
fatal_error "Unknown $type ($id)" unless supplied $num;
|
||||
$id = $num;
|
||||
}
|
||||
|
||||
$id;
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Create a "-m owner" match for the passed USER/GROUP
|
||||
#
|
||||
@ -4075,6 +4090,8 @@ sub do_user( $ ) {
|
||||
|
||||
return '' unless defined $user and $user ne '-';
|
||||
|
||||
require_capability 'OWNER_MATCH', 'A non-empty USER column', 's';
|
||||
|
||||
if ( $user =~ /^(!)?(.*)\+(.*)$/ ) {
|
||||
$rule .= "! --cmd-owner $2 " if supplied $2;
|
||||
$user = "!$1";
|
||||
@ -4086,24 +4103,26 @@ sub do_user( $ ) {
|
||||
if ( $user =~ /^(!)?(.*):(.*)$/ ) {
|
||||
my $invert = $1 ? '! ' : '';
|
||||
my $group = defined $3 ? $3 : '';
|
||||
|
||||
if ( supplied $2 ) {
|
||||
$user = $2;
|
||||
fatal_error "Unknown user ($user)" unless $user =~ /^\d+$/ || $globals{EXPORT} || defined getpwnam( $user );
|
||||
$user = $2;
|
||||
$user = resolve_id( $user, 'user' ) unless $user =~ /\d+$/;
|
||||
$rule .= "${invert}--uid-owner $user ";
|
||||
}
|
||||
|
||||
if ( $group ne '' ) {
|
||||
fatal_error "Unknown group ($group)" unless $group =~ /\d+$/ || $globals{EXPORT} || defined getgrnam( $group );
|
||||
$group = resolve_id( $group, 'group' ) unless $group =~ /^\d+$/;
|
||||
$rule .= "${invert}--gid-owner $group ";
|
||||
}
|
||||
} elsif ( $user =~ /^(!)?(.*)$/ ) {
|
||||
my $invert = $1 ? '! ' : '';
|
||||
$user = $2;
|
||||
|
||||
fatal_error "Invalid USER/GROUP (!)" if $user eq '';
|
||||
fatal_error "Unknown user ($user)" unless $user =~ /^\d+$/ || $globals{EXPORT} || defined getpwnam( $user );
|
||||
$user = resolve_id ($user, 'user' ) unless $user =~ /\d+$/;
|
||||
$rule .= "${invert}--uid-owner $user ";
|
||||
} else {
|
||||
fatal_error "Unknown user ($user)" unless $user =~ /^\d+$/ || $globals{EXPORT} || defined getpwnam( $user );
|
||||
$user = resolve_id( $user, 'user' ) unless $user =~ /\d+$/;
|
||||
$rule .= "--uid-owner $user ";
|
||||
}
|
||||
|
||||
|
@ -244,6 +244,8 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
IPRANGE_MATCH => 'IP Range Match',
|
||||
RECENT_MATCH => 'Recent Match',
|
||||
OWNER_MATCH => 'Owner Match',
|
||||
OWNER_NAME_MATCH
|
||||
=> 'Owner Name Match',
|
||||
IPSET_MATCH => 'Ipset Match',
|
||||
OLD_IPSET_MATCH => 'Old Ipset Match',
|
||||
IPSET_V5 => 'Version 5 ipsets',
|
||||
@ -488,7 +490,7 @@ sub initialize( $ ) {
|
||||
STATEMATCH => '-m state --state',
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.4.22.1",
|
||||
CAPVERSION => 40501 ,
|
||||
CAPVERSION => 40502 ,
|
||||
);
|
||||
#
|
||||
# From shorewall.conf file
|
||||
@ -668,6 +670,7 @@ sub initialize( $ ) {
|
||||
IPRANGE_MATCH => undef,
|
||||
RECENT_MATCH => undef,
|
||||
OWNER_MATCH => undef,
|
||||
OWNER_NAME_MATCH => undef,
|
||||
IPSET_MATCH => undef,
|
||||
OLD_IPSET_MATCH => undef,
|
||||
IPSET_V5 => undef,
|
||||
@ -2715,6 +2718,12 @@ sub Owner_Match() {
|
||||
qt1( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
|
||||
}
|
||||
|
||||
sub Owner_Name_Match() {
|
||||
if ( my $name = `id -un 2> /dev/null` ) {
|
||||
qt1( "$iptables -A $sillyname -m owner --uid-owner $name -j ACCEPT" );
|
||||
}
|
||||
}
|
||||
|
||||
sub Connmark_Match() {
|
||||
qt1( "$iptables -A $sillyname -m connmark --mark 2 -j ACCEPT" );
|
||||
}
|
||||
@ -3038,6 +3047,7 @@ our %detect_capability =
|
||||
OLD_HL_MATCH => \&Old_Hashlimit_Match,
|
||||
OLD_IPP2P_MATCH => \&Old_Ipp2p_Match,
|
||||
OWNER_MATCH => \&Owner_Match,
|
||||
OWNER_NAME_MATCH => \&Owner_Name_Match,
|
||||
PERSISTENT_SNAT => \&Persistent_Snat,
|
||||
PHYSDEV_BRIDGE => \&Physdev_Bridge,
|
||||
PHYSDEV_MATCH => \&Physdev_Match,
|
||||
@ -3133,6 +3143,8 @@ sub determine_capabilities() {
|
||||
$capabilities{IPRANGE_MATCH} = detect_capability( 'IPRANGE_MATCH' );
|
||||
$capabilities{RECENT_MATCH} = detect_capability( 'RECENT_MATCH' );
|
||||
$capabilities{OWNER_MATCH} = detect_capability( 'OWNER_MATCH' );
|
||||
$capabilities{OWNER_NAME_MATCH}
|
||||
= detect_capability( 'OWNER_NAME_MATCH' );
|
||||
$capabilities{CONNMARK_MATCH} = detect_capability( 'CONNMARK_MATCH' );
|
||||
$capabilities{XCONNMARK_MATCH} = detect_capability( 'XCONNMARK_MATCH' );
|
||||
$capabilities{IPP2P_MATCH} = detect_capability( 'IPP2P_MATCH' );
|
||||
|
Loading…
Reference in New Issue
Block a user