extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 09:47:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add HELPERS to rules file

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-08-08 07:23:20 -07:00
parent ccf517307e
commit ee28638604
7 changed files with 68 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -666,11 +666,6 @@ sub compiler {
# (Produces no output to the compiled script) # (Produces no output to the compiled script)
# #
process_policies; process_policies;
#
# N O T R A C K
# (Produces no output to the compiled script)
#
setup_notrack;
enable_script; enable_script;
@ -799,6 +794,10 @@ sub compiler {
# #
process_rules( $convert ); process_rules( $convert );
# #
# Process the conntrack file
#
setup_conntrack;
#
# Add Tunnel rules. # Add Tunnel rules.
# #
setup_tunnels; setup_tunnels;

1
Shorewall/Perl/Shorewall/Config.pm
View File

@ -606,7 +606,6 @@ sub initialize( $;$ ) {
EXPORT => 0, EXPORT => 0,
KLUDGEFREE => '', KLUDGEFREE => '',
STATEMATCH => '-m state --state', STATEMATCH => '-m state --state',
UNTRACKED => 0,
VERSION => "4.5.6", VERSION => "4.5.6",
CAPVERSION => 40507 , CAPVERSION => 40507 ,
); );

6
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -681,7 +681,7 @@ sub add_common_rules ( $ ) {
my $chain; my $chain;
my $dynamicref; my $dynamicref;
my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : (); my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED'; my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
my $level = $config{BLACKLIST_LOGLEVEL}; my $level = $config{BLACKLIST_LOGLEVEL};
my $rejectref = $filter_table->{reject}; my $rejectref = $filter_table->{reject};
@ -882,7 +882,7 @@ sub add_common_rules ( $ ) {
add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST ); add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
} }
my @state = $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID'; my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';
for my $hostref ( @$list ) { for my $hostref ( @$list ) {
$interface = $hostref->[0]; $interface = $hostref->[0];
@ -1187,7 +1187,7 @@ sub setup_mac_lists( $ ) {
my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
my @source = imatch_source_net $hostref->[2]; my @source = imatch_source_net $hostref->[2];
my @state = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW'; my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
if ( $table eq 'filter' ) { if ( $table eq 'filter' ) {
my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} ); my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );

16
Shorewall/Perl/Shorewall/Raw.pm
View File

@ -32,8 +32,8 @@ use Shorewall::Chains qw(:DEFAULT :internal);
use strict; use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_notrack ); our @EXPORT = qw( setup_conntrack );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( process_conntrack_rule );
our $VERSION = 'MODULEVERSION'; our $VERSION = 'MODULEVERSION';
my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 ); my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
@ -41,7 +41,7 @@ my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured
# #
# Notrack # Notrack
# #
sub process_notrack_rule( $$$$$$$ ) { sub process_conntrack_rule( $$$$$$$ ) {
my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_; my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
@ -122,9 +122,7 @@ sub process_notrack_rule( $$$$$$$ ) {
$target , $target ,
$exception_rule ); $exception_rule );
progress_message " Notrack rule \"$currentline\" $done"; progress_message " Conntrack rule \"$currentline\" $done";
$globals{UNTRACKED} = 1;
} }
sub process_format( $ ) { sub process_format( $ ) {
@ -135,7 +133,7 @@ sub process_format( $ ) {
$format; $format;
} }
sub setup_notrack() { sub setup_conntrack() {
my $format = 1; my $format = 1;
my $action = 'NOTRACK'; my $action = 'NOTRACK';
@ -188,10 +186,10 @@ sub setup_notrack() {
if ( $source eq 'all' ) { if ( $source eq 'all' ) {
for my $zone (all_zones) { for my $zone (all_zones) {
process_notrack_rule( $action, $zone, $dest, $proto, $ports, $sports, $user ); process_conntrack_rule( $action, $zone, $dest, $proto, $ports, $sports, $user );
} }
} else { } else {
process_notrack_rule( $action, $source, $dest, $proto, $ports, $sports, $user ); process_conntrack_rule( $action, $source, $dest, $proto, $ports, $sports, $user );
} }
} }

60
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -34,6 +34,7 @@ use Shorewall::Zones;
use Shorewall::Chains qw(:DEFAULT :internal); use Shorewall::Chains qw(:DEFAULT :internal);
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Nat qw(:rules); use Shorewall::Nat qw(:rules);
use Shorewall::Raw qw( process_conntrack_rule );
use Scalar::Util 'reftype'; use Scalar::Util 'reftype';
use strict; use strict;
@ -91,7 +92,9 @@ my %rulecolumns = ( action => 0,
connlimit => 10, connlimit => 10,
time => 11, time => 11,
headers => 12, headers => 12,
switch => 13 ); switch => 13,
helper => 14,
);
use constant { MAX_MACRO_NEST_LEVEL => 5 }; use constant { MAX_MACRO_NEST_LEVEL => 5 };
@ -118,6 +121,10 @@ my %auditpolicies = ( ACCEPT => 1,
REJECT => 1 REJECT => 1
); );
# #
# Source zone of the rule being processed
#
my $rulezone;
#
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
# #
@ -1424,7 +1431,7 @@ sub process_actions() {
} }
sub process_rule1 ( $$$$$$$$$$$$$$$$$ ); sub process_rule1 ( $$$$$$$$$$$$$$$$$$ );
# #
# Populate an action invocation chain. As new action tuples are encountered, # Populate an action invocation chain. As new action tuples are encountered,
@ -1457,14 +1464,14 @@ sub process_action( $) {
while ( read_a_line( NORMAL_READ ) ) { while ( read_a_line( NORMAL_READ ) ) {
my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition ); my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );
if ( $format == 1 ) { if ( $format == 1 ) {
($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands; split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
$origdest = $connlimit = $time = $headers = $condition = '-'; $origdest = $connlimit = $time = $headers = $condition = '-';
} else { } else {
($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition ) ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
= split_line1 'action file', \%rulecolumns, $action_commands; = split_line1 'action file', \%rulecolumns, $action_commands;
} }
@ -1502,6 +1509,7 @@ sub process_action( $) {
$time, $time,
$headers, $headers,
$condition, $condition,
$helper,
0 ); 0 );
} }
@ -1531,8 +1539,8 @@ sub use_policy_action( $ ) {
# #
# Expand a macro rule from the rules file # Expand a macro rule from the rules file
# #
sub process_macro ( $$$$$$$$$$$$$$$$$$ ) { sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $wildcard ) = @_; my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
my $nocomment = no_comment; my $nocomment = no_comment;
@ -1550,13 +1558,13 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
while ( read_a_line( NORMAL_READ ) ) { while ( read_a_line( NORMAL_READ ) ) {
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ); my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);
if ( $format == 1 ) { if ( $format == 1 ) {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands; ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/; ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = qw/- - - - - - -/;
} else { } else {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 'macro file', \%rulecolumns, $rule_commands; ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
} }
fatal_error 'TARGET must be specified' if $mtarget eq '-'; fatal_error 'TARGET must be specified' if $mtarget eq '-';
@ -1635,6 +1643,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
merge_macro_column( $mtime, $time ), merge_macro_column( $mtime, $time ),
merge_macro_column( $mheaders, $headers ), merge_macro_column( $mheaders, $headers ),
merge_macro_column( $mcondition, $condition ), merge_macro_column( $mcondition, $condition ),
merge_macro_column( $mhelper, $helper ),
$wildcard $wildcard
); );
@ -1667,7 +1676,7 @@ sub verify_audit($;$$) {
# Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
# body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument. # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
# #
sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) { sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise
$target, $target,
$current_param, $current_param,
@ -1684,6 +1693,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
$time, $time,
$headers, $headers,
$condition, $condition,
$helper,
$wildcard ) = @_; $wildcard ) = @_;
my ( $action, $loglevel) = split_action $target; my ( $action, $loglevel) = split_action $target;
@ -1735,6 +1745,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
$time, $time,
$headers, $headers,
$condition, $condition,
$helper,
$wildcard ); $wildcard );
$macro_nest_level--; $macro_nest_level--;
@ -1884,6 +1895,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/; fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone ); fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone; fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone;
$rulezone = $sourcezone;
} }
if ( $actiontype & NATONLY ) { if ( $actiontype & NATONLY ) {
@ -2049,8 +2062,18 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
$rule, $rule,
$source, $source,
( $actiontype & ACTION ) ? '' : $loglevel, ( $actiontype & ACTION ) ? '' : $loglevel,
$log_action $log_action,
); );
unless ( $helper eq '-' ) {
process_conntrack_rule( "CT:helper:$helper" ,
"$rulezone:$source",
$origdest,
$proto,
$ports,
$sports,
$user );
}
# #
# After NAT: # After NAT:
# - the destination port will be the server port ($ports) -- we did that above # - the destination port will be the server port ($ports) -- we did that above
@ -2121,6 +2144,16 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
$loglevel , $loglevel ,
$log_action , $log_action ,
'' ); '' );
if ( ! ( $helper eq '-' || ( $actiontype & NATRULE ) ) ) {
process_conntrack_rule( "CT:helper:$helper" ,
"$rulezone:$source",
$origdest ? $origdest : $dest,
$proto,
$ports,
$sports,
$user );
}
} }
return 1; return 1;
@ -2224,7 +2257,7 @@ sub build_zone_list( $$$\$\$ ) {
# Process a Record in the rules file # Process a Record in the rules file
# #
sub process_rule ( ) { sub process_rule ( ) {
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition ) my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
= split_line1 'rules file', \%rulecolumns, $rule_commands; = split_line1 'rules file', \%rulecolumns, $rule_commands;
fatal_error 'ACTION must be specified' if $target eq '-'; fatal_error 'ACTION must be specified' if $target eq '-';
@ -2281,6 +2314,7 @@ sub process_rule ( ) {
$time, $time,
$headers, $headers,
$condition, $condition,
$helper,
$wild ); $wild );
} }
} }
@ -2305,7 +2339,7 @@ sub classic_blacklist() {
my $fw = firewall_zone; my $fw = firewall_zone;
my @zones = off_firewall_zones; my @zones = off_firewall_zones;
my @vservers = vserver_zones; my @vservers = vserver_zones;
my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : (); my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
my $result; my $result;
for my $zone ( @zones ) { for my $zone ( @zones ) {

2
Shorewall/Perl/Shorewall/Tunnels.pm
View File

@ -61,7 +61,7 @@ sub setup_tunnels() {
} }
} }
my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW'; my @options = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
add_tunnel_rule $inchainref, p => 50, @$source; add_tunnel_rule $inchainref, p => 50, @$source;
add_tunnel_rule $outchainref, p => 50, @$dest; add_tunnel_rule $outchainref, p => 50, @$dest;

5
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -57,6 +57,7 @@ our @EXPORT = qw( NOTHING
all_parent_zones all_parent_zones
complex_zones complex_zones
vserver_zones vserver_zones
on_firewall_zones
off_firewall_zones off_firewall_zones
non_firewall_zones non_firewall_zones
single_interface single_interface
@ -838,6 +839,10 @@ sub all_zones() {
@zones; @zones;
} }
sub on_firewall_zones() {
grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) ) , @zones );
}
sub off_firewall_zones() { sub off_firewall_zones() {
grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) ) , @zones ); grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) ) , @zones );
} }