From fb488807cf921cb36162ac45e9b0416e0c798ec3 Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 19 Jul 2007 18:36:04 +0000 Subject: [PATCH] Add EXPAND_POLICIES option git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6909 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/changelog.txt | 4 +++ Shorewall-common/releasenotes.txt | 38 +++++++++++--------- Shorewall-common/shorewall.conf | 2 ++ Shorewall-perl/Shorewall/Chains.pm | 15 ++++---- Shorewall-perl/Shorewall/Config.pm | 2 ++ Shorewall-perl/Shorewall/Policy.pm | 57 ++++++++++++++++++++++++++---- Shorewall-perl/Shorewall/Rules.pm | 14 -------- 7 files changed, 88 insertions(+), 44 deletions(-) diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index 6c5b827e0..3c9c35f6a 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -1,3 +1,7 @@ +Changes in 4.0.1 + +1) Add EXPAND_POLICIES. + Changes in 4.0.0 Final 1) Fix lite install.sh manpage problem. diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 339ca561e..600f8c786 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 4.0.0 Final. +Shorewall 4.0.1 ---------------------------------------------------------------------------- R E L E A S E H I G H L I G H T S ---------------------------------------------------------------------------- 
@@ -25,26 +25,32 @@ Shorewall 4.0.0 Final. Shorewall-perl compiler. This support utilizes the reduced-function physdev match support available in Linux kernel 2.6.20 and later. -Problems corrected in 4.0.0 Final. +Problems corrected in 4.0.1. -1) The shorewall-lite install.sh may now be run multiple times from - the same directory. Previously, the manpages were gzipped in-place - which made it impossible to rerun the script. +None. -2) If shorewall.conf contained SHOREWALL_COMPILER=shell (which it can - on Shorewall 3.4.2-4 systems) and the shorewall-shell RPM was - removed, subsequent "shorewall [re]start" operations failed. When - shorewall-shell is removed, the shorewall.conf file is modified to - specify SHOREWALL_COMPILER= and the original is saved in - shorewall.conf.rpmsave. +Other changes in Shorewall 4.0.1. -3) The contents of the LOG LEVEL column in /etc/shorewall/policy are - now validated at compile time by Shorewall-perl. +1) A new EXPAND_POLICIES option is added to shorewall.conf. The + option is recognized by Shorewall-perl and is ignored by + Shorewall-shell. -Other changes in Shorewall 4.0.0 Final. + Normally, when the SOURCE or DEST columns in shorewall-policy(5) + contains 'all', a single policy chain is created and the policy is + inforced in that chain. For example, if the policy entry is -1) The Perl modules in /usr/share/shorewall-perl/Shorewall/ have been - consolidated somewhat, leading to slightly faster compilation. + #SOURCE DEST POLICY LOG + # LEVEL + net all DROP info + + then the chain name is 'net2all' which is also the chain named in + Shorewall log messages generated as a result of the policy. If + EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate + chain for each pair of zones covered by the policy. This makes the + resulting log messages easier to interpret since the chain in the + messages will have a name of the form 'a2b' where 'a' is the SOURCE + zone and 'b' is the DEST zone. 
See + http://linuxman.wikispaces.com/PPPPPPS for more information. Migration Considerations:
diff --git a/Shorewall-common/shorewall.conf b/Shorewall-common/shorewall.conf
index 78eb0177d..4eb5cb91b 100644
--- a/Shorewall-common/shorewall.conf
+++ b/Shorewall-common/shorewall.conf
@@ -163,6 +163,8 @@ OPTIMIZE=0
 EXPORTPARAMS=Yes
+EXPAND_POLICIES=Yes
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 0fb44832c..3fa44306f 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -65,7 +65,7 @@ our @EXPORT = qw( STANDARD
 input_chain
 output_chain
 masq_chain
- syn_chain
+ syn_flood_chain
 mac_chain
 macrecent_target
 dynamic_fwd
@@ -142,6 +142,7 @@ our $VERSION = 4.00;
 # policy =>
 # loglevel =>
 # synparams =>
+# synchain =>
 # default =>
 # policy_chain =>
 # loopcount =>
@@ -160,7 +161,7 @@ our $VERSION = 4.00;
 #
 # Only 'referenced' chains get written to the iptables-restore input.
 #
-# 'loglevel', 'synparams' and 'default' only apply to policy chains.
+# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
 #
 our @policy_chains;
 our %chain_table;
@@ -474,10 +475,10 @@ sub masq_chain($)
 }
 #
 # Syn_chain
+# Syn_flood_chain -- differs from the other _chain functions in that the argument is a chain table reference
 #
-sub syn_chain ( $ ) {
- '@' . $_[0];
+sub syn_flood_chain ( $ ) {
+ '@' . $_[0]->{synchain};
 }
 #
 # MAC Verification Chain for an interface
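Review bot: `EXPAND_POLICIES=Yes` in the shipped shorewall.conf enables the new option by default, while the Config.pm hunk in this commit falls back with `default_yes_no 'EXPAND_POLICIES' , ''`, so a configuration that predates this release behaves as No and a fresh install as Yes, and neither file says which is intended. The conf line also carries no comment describing the setting, unlike the release notes. A short comment above it, saying that Yes creates a separate policy chain per zone pair so log messages carry an `a2b` chain name instead of the wildcard name (so anything that keys on chain names in the log will see different names), and that Shorewall-shell ignores the option, would make the default and its effect visible where it is set. The same default question applies to the Config.pm `default_yes_no` hunk.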
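Review bot: `syn_flood_chain` now reads `$_[0]->{synchain}` and returns the bare name `@` (with an uninitialized-value warning) for any chain record whose `synchain` was never set, so two such callers would quietly end up sharing one chain and one rate limit. The only writers in this commit set `synchain` together with `synparams`, so this should not happen today, but a guard such as `die "No synchain for chain $_[0]->{name}" unless defined $_[0]->{synchain};` at the top of the sub would turn a future mismatch into a hard compilation error instead of a misnamed chain. The new header comment stating that the argument is a chain table reference is helpful; it could also name the `synchain` field the function depends on.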
@@ -687,7 +688,7 @@ sub finish_chain_section ($$) {
 if ($sections{RELATED} ) {
 if ( $chainref->{is_policy} ) {
 if ( $chainref->{synparams} ) {
- my $synchainref = ensure_chain 'filter', "\@$chain";
+ my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
 if ( $section eq 'DONE' ) {
 if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
 add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
@@ -699,7 +700,7 @@ sub finish_chain_section ($$) {
 } else {
 my $policychainref = $filter_table->{$chainref->{policychain}};
 if ( $policychainref->{synparams} ) {
- my $synchainref = ensure_chain 'filter', syn_chain $policychainref->{name};
+ my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
 add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
 }
 }
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 89f1fe323..31ebf3a1f 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -288,6 +288,7 @@ sub initialize() {
 OPTIMIZE => undef,
 EXPORTPARAMS => undef,
 SHOREWALL_COMPILER => undef,
+ EXPAND_POLICIES => undef,
 #
 # Packet Disposition
 #
@@ -1435,6 +1436,7 @@ sub get_configuration( $ ) {
 warning_message 'USE_ACTIONS=No is not supported by Shorewall-perl ' . $globals{VERSION} unless $config{USE_ACTIONS};
 default_yes_no 'EXPORTPARAMS' , '';
+ default_yes_no 'EXPAND_POLICIES' , '';
 default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
 $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm
index d605e0b3d..c05a62198 100644
--- a/Shorewall-perl/Shorewall/Policy.pm
+++ b/Shorewall-perl/Shorewall/Policy.pm
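Review bot: In the first hunk, `ensure_chain 'filter', syn_flood_chain $chainref` creates the syn flood chain if it does not exist yet, and setup_syn_flood_chains in this commit's Policy.pm hunk now skips any chain already present in `$filter_table`; if finish_chain_section ever runs before setup_syn_flood_chains, the chain would be left empty, SYN packets jumped to it would simply return, and the rate limit and DROP would never be applied. Whether that ordering can occur is decided outside this diff, so it is worth pinning with a comment at the call, e.g. `# Populated by setup_syn_flood_chains, which must have run already; ensure_chain only guarantees the chain exists`. The second hunk (`syn_flood_chain $policychainref`) has the same dependency. finish_chain_section starts and ends outside both hunks.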
@@ -32,7 +32,7 @@ use Shorewall::Actions;
 use strict;
 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain );
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
 our @EXPORT_OK = qw( );
 our $VERSION = 4.00;
@@ -61,9 +61,30 @@ sub set_policy_chain($$$)
 my ($chain1, $chainref, $policy) = @_;
 my $chainref1 = $filter_table->{$chain1};
+ $chainref1 = new_chain 'filter', $chain1 unless $chainref1;
+
 unless ( $chainref1->{policychain} ) {
- $chainref1->{policychain} = $chainref->{name};
+ if ( $config{EXPAND_POLICIES} ) {
+ #
+ # We convert the canonical chain into a policy chain, using the settings of the
+ # passed policy chain.
+ #
+ $chainref1->{policychain} = $chain1;
+ $chainref1->{loglevel} = $chainref->{loglevel} if defined $chainref->{loglevel};
+
+ if ( defined $chainref->{synparams} ) {
+ $chainref1->{synparams} = $chainref->{synparams};
+ $chainref1->{synchain} = $chainref->{synchain};
+ }
+
+ $chainref1->{default} = $chainref->{default} if defined $chainref->{default};
+ $chainref1->{is_policy} = 1;
+ push @policy_chains, $chainref1;
+ } else {
+ $chainref1->{policychain} = $chainref->{name};
+ }
+
 $chainref1->{policy} = $policy;
 }
 }
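Review bot: The new `@EXPORT` line contains a stray `sub` keyword inside the `qw( ... )` list, so the package now exports a symbol literally named `sub` in addition to `setup_syn_flood_chains`; Exporter will, as far as I can tell, alias a nonexistent `&sub` into every importing package without complaint, which hides the typo. The line should read `our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );`.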
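Review bot: The EXPAND_POLICIES branch of set_policy_chain copies `loglevel`, `synparams`, `synchain` and `default` from the wildcard policy chain one field at a time, the same four attributes validate_policy assigns in its own hunk, so any policy attribute added later has to be remembered in two places; a small helper that copies the policy attributes from one chain record to another, called from here, would keep them aligned. Separately, `$chainref1 = new_chain 'filter', $chain1 unless $chainref1;` runs whether or not EXPAND_POLICIES is set, so a canonical chain missing from the filter table is now created on every call, which as far as the hunk shows also changes the non-expanded path; if that is intended, the sub's header comment (above the hunk) should say that the chain is created on demand. set_policy_chain's signature line lies above the hunk.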
@@ -209,16 +230,21 @@ sub validate_policy()
 $chainref->{is_policy} = 1;
 $chainref->{policy} = $policy;
 $chainref->{policychain} = $chain;
- push @policy_chains, ( $chainref );
+ push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
 }
 } else {
 $chainref = new_policy_chain $chain, $policy, 0;
- push @policy_chains, ( $chainref );
+ push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
 }
- $chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
- $chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT' if $synparams ne '';
- $chainref->{default} = $default if $default;
+ $chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
+
+ if ( $synparams ne '' ) {
+ $chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT';
+ $chainref->{synchain} = $chain
+ }
+
+ $chainref->{default} = $default if $default;
 if ( $clientwild ) {
 if ( $serverwild ) {
@@ -359,4 +385,21 @@ sub complete_standard_chain ( $$$ ) {
 policy_rules $stdchainref , $policy , $loglevel, $default;
 }
+#
+# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
+#
+sub setup_syn_flood_chains() {
+ for my $chainref ( @policy_chains ) {
+ my $limit = $chainref->{synparams};
+ if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
+ my $level = $chainref->{loglevel};
+ my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
+ add_rule $synchainref , "${limit}-j RETURN";
+ log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
+ if $level ne '';
+ add_rule $synchainref, '-j DROP';
+ }
+ }
+}
+
 1;
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 8a424ceb1..401465505 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
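Review bot: The condition `$config{EXPAND_POLICIES} && ( $clientwild || $serverwild )` is written out on both `push @policy_chains` lines; evaluating it once, `my $expanded = $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );`, before the `if` and using `push @policy_chains, $chainref unless $expanded;` in both branches names the intent and stops the two branches drifting apart. `$chainref->{synchain} = $chain` is also missing its trailing semicolon, legal before `}` but a trap for the next statement added there. It would help to say at that line why the syn flood chain is named after this chain: chains expanded from a wildcard policy inherit `synchain` in set_policy_chain and setup_syn_flood_chains creates it once, so the SYN rate limit remains one aggregate counter for every zone pair the policy covers, as before — e.g. `# Chains expanded from this policy share its syn flood chain, so the rate limit stays aggregate`. validate_policy starts and ends outside the hunk.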
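Review bot: `log_rule_limit` labels the syn flood DROP with `$chainref->{name}`, the name of whichever policy chain first created the chain; under EXPAND_POLICIES several expanded chains share one syn flood chain (their `synchain` is copied in set_policy_chain and the `! $filter_table->{...}` guard creates it once), so the logged chain name would be whichever zone pair happens to come first in `@policy_chains` rather than the policy that owns the limit, which works against the option's stated goal of readable log messages. Passing `$chainref->{synchain}` instead names the originating policy chain and should be unchanged without EXPAND_POLICIES, where validate_policy sets `synchain` to the chain's own `$chain`. Separately, `if $level ne ''` warns under `use warnings` when `loglevel` was never assigned, since validate_policy only sets it for a non-empty LOG LEVEL; `if defined $level && $level ne ''` avoids the noise.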
@@ -275,20 +275,6 @@ sub setup_rfc1918_filteration( $ ) {
 }
 }
-sub setup_syn_flood_chains() {
- for my $chainref ( @policy_chains ) {
- my $limit = $chainref->{synparams};
- if ( $limit ) {
- my $level = $chainref->{loglevel};
- my $synchainref = new_chain 'filter' , syn_chain $chainref->{name};
- add_rule $synchainref , "${limit}-j RETURN";
- log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
- if $level ne '';
- add_rule $synchainref, '-j DROP';
- }
- }
-}
-
 sub setup_blacklist() {
 my $hosts = find_hosts_by_option 'blacklist';