extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 01:37:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix IPv6 'nosmurfs'. Make 'nosmurfs' logging more efficient.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-02-03 15:03:15 -08:00
parent 97f3e5b8de
commit f4e175f149
5 changed files with 64 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -41,6 +41,7 @@ our @EXPORT = qw(
new_chain new_chain
new_manual_chain new_manual_chain
ensure_manual_chain ensure_manual_chain
newlogchain
log_rule_limit log_rule_limit
dont_optimize dont_optimize
dont_delete dont_delete

67
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -451,11 +451,32 @@ sub add_common_rules() {
$list = find_hosts_by_option 'nosmurfs'; $list = find_hosts_by_option 'nosmurfs';
if ( @$list ) {
progress_message2 'Adding Anti-smurf Rules';
$chainref = new_standard_chain 'smurfs'; $chainref = new_standard_chain 'smurfs';
my $smurfdest;
if ( defined $config{SMURF_LOG_LEVEL} && $config{SMURF_LOG_LEVEL} ne '' ) {
my $smurfref = new_chain( 'filter', $smurfdest = newlogchain );
log_rule_limit( $config{SMURF_LOG_LEVEL},
$smurfref,
'smurfs' ,
'DROP',
$globals{LOGLIMIT},
'',
'add',
'' );
add_rule( $smurfref, '-j DROP' );
} else {
$smurfdest = 'DROP';
}
if ( have_capability( 'ADDRTYPE' ) ) { if ( have_capability( 'ADDRTYPE' ) ) {
add_rule $chainref , '-s 0.0.0.0 -j RETURN'; add_rule $chainref , '-s 0.0.0.0 -j RETURN';
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ; add_jump( $chainref, $smurfdest, 1, '-m addrtype --src-type BROADCAST ' ) ;
} else { } else {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_commands $chainref, 'for address in $ALL_BCASTS; do'; add_commands $chainref, 'for address in $ALL_BCASTS; do';
@ -464,16 +485,32 @@ sub add_common_rules() {
} }
incr_cmd_level $chainref; incr_cmd_level $chainref;
log_rule( $config{SMURF_LOG_LEVEL} , $chainref, 'DROP', '-s $address ' ); add_jump( $chainref, $smurfdest, 1, '-s $address ' );
add_rule $chainref, '-s $address -j DROP';
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
} }
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL}; add_jump( $chainref, $smurfdest, 1, '-s 224.0.0.0/4 ' );
} else { } else {
add_rule_pair $chainref, '-s ff00::/10 ', 'DROP', $config{SMURF_LOG_LEVEL} if $family == F_IPV4; add_jump( $chainref, $smurfdest, 1, '-s ff00::/10 ' );
}
my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
for my $hostref ( @$list ) {
$interface = $hostref->[0];
my $ipsec = $hostref->[1];
my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
my $target = source_exclusion( $hostref->[3], $chainref );
for $chain ( first_chains $interface ) {
add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ), $policy );
}
set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1;
}
} }
if ( have_capability( 'ADDRTYPE' ) ) { if ( have_capability( 'ADDRTYPE' ) ) {
@ -497,26 +534,6 @@ sub add_common_rules() {
add_rule $rejectref , '-s ff00::/10 -j DROP'; add_rule $rejectref , '-s ff00::/10 -j DROP';
} }
if ( @$list ) {
progress_message2 'Adding Anti-smurf Rules';
my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
for my $hostref ( @$list ) {
$interface = $hostref->[0];
my $ipsec = $hostref->[1];
my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
my $target = source_exclusion( $hostref->[3], $chainref );
for $chain ( first_chains $interface ) {
add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ), $policy );
}
set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1;
}
}
add_rule $rejectref , '-p 2 -j DROP'; add_rule $rejectref , '-p 2 -j DROP';
add_rule $rejectref , '-p 6 -j REJECT --reject-with tcp-reset'; add_rule $rejectref , '-p 6 -j REJECT --reject-with tcp-reset';

2
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -248,7 +248,7 @@ sub initialize( $ ) {
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST, maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY, nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
nosmurfs => SIMPLE_IF_OPTION, nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
optional => SIMPLE_IF_OPTION, optional => SIMPLE_IF_OPTION,
proxyndp => BINARY_IF_OPTION, proxyndp => BINARY_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST, routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,

2
Shorewall/changelog.txt
View File

@ -18,6 +18,8 @@ Changes in Shorewall 4.4.7
9) Correct defects in generate_matrix(). 9) Correct defects in generate_matrix().
10) Fix and optimize 'nosmurfs'.
Changes in Shorewall 4.4.6 Changes in Shorewall 4.4.6
1) Fix for rp_filter and kernel 2.6.31. 1) Fix for rp_filter and kernel 2.6.31.

5
Shorewall/releasenotes.txt
View File

@ -204,6 +204,11 @@ Shorewall 4.4.7 RC 2
then 'shorewall start' would fail. then 'shorewall start' would fail.
4) Previously, the 'nosmurfs' option was ignored in IPv6
compilations. As part of this fix, 'nosmurfs' handling when
SMURF_LOG_LEVEL is specified has been improved for both IPv4 and
IPv6.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G K N O W N P R O B L E M S R E M A I N I N G
---------------------------------------------------------------------------- ----------------------------------------------------------------------------