mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-15 12:14:32 +01:00
Add MACLIST_TTL
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2013 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
c4288e3808
commit
f4cae112fd
@ -4,6 +4,8 @@ Changes in 2.2.3
|
||||
|
||||
2) Obey 'routestopped' rules during [re]start.
|
||||
|
||||
3) MACLIST_TTL added.
|
||||
|
||||
Changes in 2.2.2
|
||||
|
||||
1) The 'check' command disclaimer is toned down further and only
|
||||
|
||||
@ -464,6 +464,11 @@ mac_chain() # $1 = interface
|
||||
echo $(chain_base $1)_mac
|
||||
}
|
||||
|
||||
macrecent_target() # $1 - interface
|
||||
{
|
||||
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
|
||||
}
|
||||
|
||||
#
|
||||
# Functions for creating dynamic zone rules
|
||||
#
|
||||
@ -2000,6 +2005,7 @@ setup_mac_lists() {
|
||||
local addresses
|
||||
local address
|
||||
local chain
|
||||
local chain1
|
||||
local macpart
|
||||
local blob
|
||||
local hosts
|
||||
@ -2024,10 +2030,19 @@ setup_mac_lists() {
|
||||
|
||||
progress_message "Setting up MAC Verification on $maclist_interfaces..."
|
||||
#
|
||||
# Be sure that they are all ethernet interfaces
|
||||
# Create chains.
|
||||
#
|
||||
for interface in $maclist_interfaces; do
|
||||
createchain $(mac_chain $interface) no
|
||||
chain=$(mac_chain $interface)
|
||||
createchain $chain no
|
||||
|
||||
if [ -n "$MACLIST_TTL" ]; then
|
||||
chain1=$(macrecent_target $interface)
|
||||
createchain $chain1 no
|
||||
run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
|
||||
run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT
|
||||
run_iptables -A $chain1 -m recent --set --name $chain -j ACCEPT
|
||||
fi
|
||||
done
|
||||
#
|
||||
# Process the maclist file producing the verification rules
|
||||
@ -2047,6 +2062,7 @@ setup_mac_lists() {
|
||||
fi
|
||||
|
||||
chain=$(mac_chain $interface)
|
||||
chain1=$(macrecent_target $interface)
|
||||
|
||||
if ! havechain $chain ; then
|
||||
fatal_error "No hosts on $interface have the maclist option specified"
|
||||
@ -2055,10 +2071,10 @@ setup_mac_lists() {
|
||||
macpart=$(mac_match $mac)
|
||||
|
||||
if [ -z "$addresses" ]; then
|
||||
run_iptables -A $chain $macpart $physdev_part -j RETURN
|
||||
run_iptables -A $chain $macpart $physdev_part -j $chain1
|
||||
else
|
||||
for address in $(separate_list $addresses) ; do
|
||||
run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
|
||||
run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1
|
||||
done
|
||||
fi
|
||||
done < $TMP_DIR/maclist
|
||||
@ -2068,6 +2084,7 @@ setup_mac_lists() {
|
||||
#
|
||||
for interface in $maclist_interfaces; do
|
||||
chain=$(mac_chain $interface)
|
||||
chain1=$(macrecent_target $interface)
|
||||
|
||||
blob=$(ip link show $interface 2> /dev/null)
|
||||
|
||||
@ -2076,11 +2093,11 @@ setup_mac_lists() {
|
||||
|
||||
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
|
||||
if [ -n "$broadcast" ]; then
|
||||
run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN
|
||||
run_iptables -A $chain -s ${address%/*} -d $broadcast -j $chain1
|
||||
fi
|
||||
|
||||
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
|
||||
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
|
||||
run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1
|
||||
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j $chain1
|
||||
done
|
||||
|
||||
if [ -n "$MACLIST_LOG_LEVEL" ]; then
|
||||
@ -5600,6 +5617,7 @@ determine_capabilities() {
|
||||
POLICY_MATCH=
|
||||
PHYSDEV_MATCH=
|
||||
IPRANGE_MATCH=
|
||||
RECENT_MATCH=
|
||||
|
||||
qt $IPTABLES -N fooX1234
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
@ -5608,7 +5626,7 @@ determine_capabilities() {
|
||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||
|
||||
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||
|
||||
if [ -n "$PKTTYPE" ]; then
|
||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
||||
@ -5638,6 +5656,7 @@ report_capabilities() {
|
||||
report_capability "Policy Match" $POLICY_MATCH
|
||||
report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||
report_capability "IP range Match" $IPRANGE_MATCH
|
||||
report_capability "Recent Match" $RECENT_MATCH
|
||||
}
|
||||
|
||||
#
|
||||
@ -7263,6 +7282,7 @@ do_initialize() {
|
||||
LOGALLNEW=
|
||||
DROPINVALID=
|
||||
RFC1918_STRICT=
|
||||
MACLIST_TTL=
|
||||
|
||||
RESTOREBASE=
|
||||
TMP_DIR=
|
||||
@ -7459,6 +7479,12 @@ do_initialize() {
|
||||
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
||||
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
||||
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||
|
||||
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
|
||||
|
||||
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
|
||||
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
||||
fi
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
|
||||
@ -768,6 +768,29 @@ DROPINVALID=No
|
||||
|
||||
RFC1918_STRICT=No
|
||||
|
||||
#
|
||||
# MACLIST caching
|
||||
#
|
||||
# If your iptables and kernel support the "Recent Match" (see the output of
|
||||
# "shorewall check" near the top), you can cache the results of a 'maclist'
|
||||
# file lookup and thus reduce the overhead associated with MAC Verification
|
||||
# (/etc/shorewall/maclist).
|
||||
#
|
||||
# When a new connection arrives from a 'maclist' interface, the packet passes
|
||||
# through then list of entries for that interface in /etc/shorewall/maclist. If
|
||||
# there is a match then the source IP address is added to the 'Recent' set for
|
||||
# that interface. Subsequent connection attempts from that IP address occuring
|
||||
# within $MACLIST_TTL seconds will be accepted without having to scan all of
|
||||
# the entries. After $MACLIST_TTL from the first accepted connection request,
|
||||
# the next connection request from that IP address will be checked against
|
||||
# the entire list.
|
||||
#
|
||||
# If MACLIST_TTL is not specified or is specified as empty (e.g,
|
||||
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
|
||||
# be cached.
|
||||
|
||||
MACLIST_TTL=
|
||||
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
|
||||
|
||||
Loading…
Reference in New Issue
Block a user