From e71fb3249aee91692f6a4aad3c04b6728986625c Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 15 Jun 2016 16:35:41 -0700
Subject: [PATCH] Add 'dbl' interface option
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Config.pm | 4 +-
 Shorewall/Perl/Shorewall/Misc.pm | 27 +++++--
 Shorewall/Perl/Shorewall/Zones.pm | 14 +++-
 Shorewall/manpages/shorewall-interfaces.xml | 73 ++++++++++++++++++-
 Shorewall6/manpages/shorewall6-interfaces.xml | 65 ++++++++++++++++-
 5 files changed, 171 insertions(+), 12 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index b79a4b15d..b51dae1a2 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -6185,8 +6185,10 @@ sub get_configuration( $$$$ ) {
 require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 } else {
- default_yes_no( 'DYNAMIC_BLACKLIST' , 'Yes' );
+ default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 }
+ } else {
+ default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 }
 default_yes_no 'REQUIRE_INTERFACE' , '';
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index ac02ed506..e06f13fa0 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -866,15 +866,30 @@ sub add_common_rules ( $ ) {
 }
 }
- if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
- add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
- add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
- add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
- add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
+ if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
+
+ my ( $in, $out ) = split /:/, $setting;
+
+ if ( $in == 1 ) {
+ #
+ # src
+ #
+ add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+ add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+ } elsif ( $in == 2 ) {
+ add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+ }
+
+ if ( $out == 2 ) {
+ #
+ # dst
+ #
+ add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+ }
 }
 for ( option_chains( $interface ) ) {
- add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && !
get_interface_option( $interface, 'nodbl' );
+ add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
 add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 }
 }
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 74bcdf1cb..a572c37be 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -337,6 +337,7 @@ sub initialize( $$ ) {
 arp_ignore => ENUM_IF_OPTION,
 blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 bridge => SIMPLE_IF_OPTION,
+ dbl => ENUM_IF_OPTION,
 destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 detectnets => OBSOLETE_IF_OPTION,
 dhcp => SIMPLE_IF_OPTION,
@@ -387,6 +388,7 @@ sub initialize( $$ ) {
 %validinterfaceoptions = ( accept_ra => NUMERIC_IF_OPTION,
 blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 bridge => SIMPLE_IF_OPTION,
+ dbl => ENUM_IF_OPTION,
 destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 dhcp => SIMPLE_IF_OPTION,
 ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -1191,6 +1193,7 @@ sub process_interface( $$ ) {
 my %options;
 $options{port} = 1 if $port;
+ $options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
 my $hostoptionsref = {};
@@ -1234,6 +1237,8 @@ sub process_interface( $$ ) {
 } else {
 warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
 }
+ } elsif ( $option eq 'nodbl' ) {
+ $options{dbl} = '0:0';
 } else {
 $options{$option} = 1;
 $hostoptions{$option} = 1 if $hostopt;
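Review bot: The src-dst path no longer places a destination match in the forward chain: for `$setting` `1:2` the `$in == 1` branch adds only the two `src` matches and `$out == 2` adds the `dst` match to the OUTPUT chain, whereas the removed lines also added `--match-set $dbl_ipset dst` to `forward_option_chain` whenever `$dbl_type` ended in `,src-dst`. For an existing DYNAMIC_BLACKLIST=ipset,src-dst configuration, forwarded traffic from a protected host toward a blacklisted destination is therefore no longer dropped unless the interface is switched to dbl=dst, and dbl=dst (`2:0`) in turn gives up the source checks. If that narrowing is deliberate it belongs in the manpage's src-dst entry and the release notes; if not, the `$in == 1` branch should also add the forward `dst` match when `$out == 2`. Separately, `get_interface_option( $interface, 'dbl' )` in the `option_chains` loop is re-read on every chain while `$setting` is scoped to the `if` above it, so reading the option once before both blocks would be cleaner. add_common_rules begins before this hunk.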
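Review bot: The `(-only)?` group on the new default line captures a value nothing reads; `(?:-only)?` states what is meant, and the chained ternary would read better split over two lines with the regex case first. The fallback `$config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0'` also relies on get_configuration having already normalised a `No` setting to a false value and never leaving the key undefined — presumably what the new `default_yes_no` fallback in the Config.pm hunk guarantees — and a comment naming that dependency (`# relies on get_configuration() having normalised DYNAMIC_BLACKLIST (false => No)`) would spare the next reader the trip. process_interface begins before this hunk.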
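Review bot: `nodbl` and `dbl=` now both store into `$options{dbl}`, so an interface that lists both gets whichever appears last with no diagnostic (`nodbl,dbl=src` enables checking, `dbl=src,nodbl` disables it). With the manpage now defining `nodbl` as `dbl=none`, a conflicting pair is almost certainly a configuration mistake, so the second write should be rejected with a `fatal_error` rather than silently overriding the first; a flag set in this branch and in the `dbl` branch would suffice. This branch also stops setting `$options{nodbl}`, so any remaining `get_interface_option( ..., 'nodbl' )` caller outside Misc.pm would now see undef — worth a grep before merging. process_interface begins before this hunk.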
@@ -1256,6 +1261,11 @@ sub process_interface( $$ ) {
 } else {
 $options{arp_ignore} = 1;
 }
+ } elsif ( $option eq 'dbl' ) {
+ my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
+
+ fatal_error q(The 'dbl' option requires a value) unless defined $value;
+ fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
 } else {
 assert( 0 );
 }
@@ -1906,7 +1916,7 @@ sub verify_required_interfaces( $ ) {
 my $returnvalue = 0;
- my $interfaces = find_interfaces_by_option 'wait';
+ my $interfaces = find_interfaces_by_option( 'wait');
 if ( @$interfaces ) {
 my $first = 1;
@@ -1972,7 +1982,7 @@ sub verify_required_interfaces( $ ) {
 }
- $interfaces = find_interfaces_by_option 'required';
+ $interfaces = find_interfaces_by_option( 'required' );
 if ( @$interfaces ) {
diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml
index 3b884df4a..8a73361d9 100644
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
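Review bot: The `%values` table is rebuilt on every `dbl=` option parsed, and the store into `$options{dbl}` is hidden inside the `defined( ... )` test, so the second `fatal_error` line reads as a check when it is also the assignment. Hoisting the table to a file-level `my` hash beside `%validinterfaceoptions` and spelling the lookup out as `my $dbl = $values{$value};` `fatal_error qq(Invalid setting ($value) for 'dbl') unless defined $dbl;` `$options{dbl} = $dbl;` keeps the side effect visible. The `in:out` encodings are interpreted by numeric comparisons in Misc.pm's add_common_rules (first field: 1 = match source, 2 = match destination in the interface's input/forward chains; second field: 2 = match destination in the OUTPUT chain), so a one-line comment above the table stating that meaning would keep the two modules in step. process_interface begins before this hunk.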
@@ -306,6 +306,72 @@ loc eth2 - + + dbl={none|src|dst|src-dst} + + + Added in Shorewall 5.0.10. This option defined whether + or not dynamic blacklisting is applied to packets entering the + firewall through this interface and whether the source address + and/or destination address is to be compared against the + ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in + shorewall.conf(5)). + The default is determine by the setting of + DYNAMIC_BLACKLIST: + + + + DYNAMIC_BLACKLIST=No + + + Default is none + (e.g., no dynamic blacklist checking). + + + + + DYNAMIC_BLACKLIST=Yes + + + Default is src + (e.g., the source IP address is checked). + + + + + DYNAMIC_BLACKLIST=ipset[-only] + + + Default is src. + + + + + DYNAMIC_BLACKLIST=ipset[-only],src-dst... + + + Default is src-dst (e.g., the source IP + addresses in checked against the ipset on input and the + destination IP address is checked against the ipset on + packets originating from the firewall and leaving + through this interface). + + + + + The normal setting for this option will be dst or none for internal interfaces and + src or src-dst for Internet-facing + interfaces. + + + destonly @@ -348,7 +414,7 @@ loc eth2 - url="../bridge-Shorewall-perl.html">Shorewall-perl for firewall/bridging, then you need to include DHCP-specific rules in shorewall-rules(8). + url="/manpages/shorewall-rules.html">shorewall-rules(5). DHCP uses UDP ports 67 and 68. @@ -493,7 +559,10 @@ loc eth2 - Added in Shorewall 5.0.8. When specified, dynamic - blacklisting is disabled on the interface. + blacklisting is disabled on the interface. Beginning with + Shorewall 5.0.10, nodbl is + equivalent to dbl=none. diff --git a/Shorewall6/manpages/shorewall6-interfaces.xml b/Shorewall6/manpages/shorewall6-interfaces.xml index ff2c6318b..de9e8b300 100644 --- a/Shorewall6/manpages/shorewall6-interfaces.xml +++ b/Shorewall6/manpages/shorewall6-interfaces.xml 
@@ -237,6 +237,66 @@ loc eth2 - + + dbl={none|src|dst|src-dst} + + + Added in Shorewall 5.0.10. This option defined whether + or not dynamic blacklisting is applied to packets entering the + firewall through this interface and whether the source address + and/or destination address is to be compared against the + ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in + shorewall6.conf(5)). + The default is determine by the setting of + DYNAMIC_BLACKLIST: + + + + DYNAMIC_BLACKLIST=No + + + Default is none + (e.g., no dynamic blacklist checking). + + + + + DYNAMIC_BLACKLIST=Yes + + + Default is src + (e.g., the source IP address is checked against the + ipset). + + + + + DYNAMIC_BLACKLIST=ipset[-only] + + + Default is src. + + + + + DYNAMIC_BLACKLIST=ipset[-only],src-dst... + + + Default is src-dst (e.g., the source IP + addresses in checked against the ipset on input and the + destination IP address is checked against the ipset on + packets originating from the firewall and leaving + through this interface). + + + + + + destonly @@ -370,7 +430,10 @@ loc eth2 - Added in Shorewall 5.0.8. When specified, dynamic - blacklisting is disabled on the interface. + blacklisting is disabled on the interface. Beginning with + Shorewall 5.0.10, nodbl is + equivalent to dbl=none.