Add MACLIST_TTL

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2013 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-03-25 14:57:07 +00:00
parent c4288e3808
commit f4cae112fd
3 changed files with 59 additions and 8 deletions

View File

@ -4,6 +4,8 @@ Changes in 2.2.3
2) Obey 'routestopped' rules during [re]start.
3) MACLIST_TTL added.
Changes in 2.2.2
1) The 'check' command disclaimer is toned down further and only

View File

@ -464,6 +464,11 @@ mac_chain() # $1 = interface
echo $(chain_base $1)_mac
}
macrecent_target() # $1 - interface
{
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
}
#
# Functions for creating dynamic zone rules
#
@ -2000,6 +2005,7 @@ setup_mac_lists() {
local addresses
local address
local chain
local chain1
local macpart
local blob
local hosts
@ -2024,10 +2030,19 @@ setup_mac_lists() {
progress_message "Setting up MAC Verification on $maclist_interfaces..."
#
# Be sure that they are all ethernet interfaces
# Create chains.
#
for interface in $maclist_interfaces; do
createchain $(mac_chain $interface) no
chain=$(mac_chain $interface)
createchain $chain no
if [ -n "$MACLIST_TTL" ]; then
chain1=$(macrecent_target $interface)
createchain $chain1 no
run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT
run_iptables -A $chain1 -m recent --set --name $chain -j ACCEPT
fi
done
#
# Process the maclist file producing the verification rules
@ -2047,6 +2062,7 @@ setup_mac_lists() {
fi
chain=$(mac_chain $interface)
chain1=$(macrecent_target $interface)
if ! havechain $chain ; then
fatal_error "No hosts on $interface have the maclist option specified"
@ -2055,10 +2071,10 @@ setup_mac_lists() {
macpart=$(mac_match $mac)
if [ -z "$addresses" ]; then
run_iptables -A $chain $macpart $physdev_part -j RETURN
run_iptables -A $chain $macpart $physdev_part -j $chain1
else
for address in $(separate_list $addresses) ; do
run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1
done
fi
done < $TMP_DIR/maclist
@ -2068,6 +2084,7 @@ setup_mac_lists() {
#
for interface in $maclist_interfaces; do
chain=$(mac_chain $interface)
chain1=$(macrecent_target $interface)
blob=$(ip link show $interface 2> /dev/null)
@ -2076,11 +2093,11 @@ setup_mac_lists() {
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
if [ -n "$broadcast" ]; then
run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN
run_iptables -A $chain -s ${address%/*} -d $broadcast -j $chain1
fi
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j $chain1
done
if [ -n "$MACLIST_LOG_LEVEL" ]; then
@ -5600,6 +5617,7 @@ determine_capabilities() {
POLICY_MATCH=
PHYSDEV_MATCH=
IPRANGE_MATCH=
RECENT_MATCH=
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
@ -5608,7 +5626,7 @@ determine_capabilities() {
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
if [ -n "$PKTTYPE" ]; then
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
@ -5638,6 +5656,7 @@ report_capabilities() {
report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
}
#
@ -7263,6 +7282,7 @@ do_initialize() {
LOGALLNEW=
DROPINVALID=
RFC1918_STRICT=
MACLIST_TTL=
RESTOREBASE=
TMP_DIR=
@ -7459,6 +7479,12 @@ do_initialize() {
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
#
# Strip the files that we use often
#

View File

@ -768,6 +768,29 @@ DROPINVALID=No
RFC1918_STRICT=No
#
# MACLIST caching
#
# If your iptables and kernel support the "Recent Match" (see the output of
# "shorewall check" near the top), you can cache the results of a 'maclist'
# file lookup and thus reduce the overhead associated with MAC Verification
# (/etc/shorewall/maclist).
#
# When a new connection arrives from a 'maclist' interface, the packet passes
# through then list of entries for that interface in /etc/shorewall/maclist. If
# there is a match then the source IP address is added to the 'Recent' set for
# that interface. Subsequent connection attempts from that IP address occuring
# within $MACLIST_TTL seconds will be accepted without having to scan all of
# the entries. After $MACLIST_TTL from the first accepted connection request,
# the next connection request from that IP address will be checked against
# the entire list.
#
# If MACLIST_TTL is not specified or is specified as empty (e.g,
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
# be cached.
MACLIST_TTL=
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################