Add EXPAND_POLICIES option
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6909 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
700e645883
commit
fb488807cf
@ -1,3 +1,7 @@
|
|||||||
|
Changes in 4.0.1
|
||||||
|
|
||||||
|
1) Add EXPAND_POLICIES.
|
||||||
|
|
||||||
Changes in 4.0.0 Final
|
Changes in 4.0.0 Final
|
||||||
|
|
||||||
1) Fix lite install.sh manpage problem.
|
1) Fix lite install.sh manpage problem.
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
Shorewall 4.0.0 Final.
|
Shorewall 4.0.1
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
R E L E A S E H I G H L I G H T S
|
R E L E A S E H I G H L I G H T S
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
@ -25,26 +25,32 @@ Shorewall 4.0.0 Final.
|
|||||||
Shorewall-perl compiler. This support utilizes the reduced-function
|
Shorewall-perl compiler. This support utilizes the reduced-function
|
||||||
physdev match support available in Linux kernel 2.6.20 and later.
|
physdev match support available in Linux kernel 2.6.20 and later.
|
||||||
|
|
||||||
Problems corrected in 4.0.0 Final.
|
Problems corrected in 4.0.1.
|
||||||
|
|
||||||
1) The shorewall-lite install.sh may now be run multiple times from
|
None.
|
||||||
the same directory. Previously, the manpages were gzipped in-place
|
|
||||||
which made it impossible to rerun the script.
|
|
||||||
|
|
||||||
2) If shorewall.conf contained SHOREWALL_COMPILER=shell (which it can
|
Other changes in Shorewall 4.0.1.
|
||||||
on Shorewall 3.4.2-4 systems) and the shorewall-shell RPM was
|
|
||||||
removed, subsequent "shorewall [re]start" operations failed. When
|
|
||||||
shorewall-shell is removed, the shorewall.conf file is modified to
|
|
||||||
specify SHOREWALL_COMPILER= and the original is saved in
|
|
||||||
shorewall.conf.rpmsave.
|
|
||||||
|
|
||||||
3) The contents of the LOG LEVEL column in /etc/shorewall/policy are
|
1) A new EXPAND_POLICIES option is added to shorewall.conf. The
|
||||||
now validated at compile time by Shorewall-perl.
|
option is recognized by Shorewall-perl and is ignored by
|
||||||
|
Shorewall-shell.
|
||||||
|
|
||||||
Other changes in Shorewall 4.0.0 Final.
|
Normally, when the SOURCE or DEST columns in shorewall-policy(5)
|
||||||
|
contains 'all', a single policy chain is created and the policy is
|
||||||
|
inforced in that chain. For example, if the policy entry is
|
||||||
|
|
||||||
1) The Perl modules in /usr/share/shorewall-perl/Shorewall/ have been
|
#SOURCE DEST POLICY LOG
|
||||||
consolidated somewhat, leading to slightly faster compilation.
|
# LEVEL
|
||||||
|
net all DROP info
|
||||||
|
|
||||||
|
then the chain name is 'net2all' which is also the chain named in
|
||||||
|
Shorewall log messages generated as a result of the policy. If
|
||||||
|
EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
|
||||||
|
chain for each pair of zones covered by the policy. This makes the
|
||||||
|
resulting log messages easier to interpret since the chain in the
|
||||||
|
messages will have a name of the form 'a2b' where 'a' is the SOURCE
|
||||||
|
zone and 'b' is the DEST zone. See
|
||||||
|
http://linuxman.wikispaces.com/PPPPPPS for more information.
|
||||||
|
|
||||||
Migration Considerations:
|
Migration Considerations:
|
||||||
|
|
||||||
|
@ -163,6 +163,8 @@ OPTIMIZE=0
|
|||||||
|
|
||||||
EXPORTPARAMS=Yes
|
EXPORTPARAMS=Yes
|
||||||
|
|
||||||
|
EXPAND_POLICIES=Yes
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -65,7 +65,7 @@ our @EXPORT = qw( STANDARD
|
|||||||
input_chain
|
input_chain
|
||||||
output_chain
|
output_chain
|
||||||
masq_chain
|
masq_chain
|
||||||
syn_chain
|
syn_flood_chain
|
||||||
mac_chain
|
mac_chain
|
||||||
macrecent_target
|
macrecent_target
|
||||||
dynamic_fwd
|
dynamic_fwd
|
||||||
@ -142,6 +142,7 @@ our $VERSION = 4.00;
|
|||||||
# policy => <policy>
|
# policy => <policy>
|
||||||
# loglevel => <level>
|
# loglevel => <level>
|
||||||
# synparams => <burst/limit>
|
# synparams => <burst/limit>
|
||||||
|
# synchain => <name of synparam chain>
|
||||||
# default => <default action>
|
# default => <default action>
|
||||||
# policy_chain => <ref to policy chain -- self-reference if this is a policy chain>
|
# policy_chain => <ref to policy chain -- self-reference if this is a policy chain>
|
||||||
# loopcount => <number of open loops in runtime commands>
|
# loopcount => <number of open loops in runtime commands>
|
||||||
@ -160,7 +161,7 @@ our $VERSION = 4.00;
|
|||||||
#
|
#
|
||||||
# Only 'referenced' chains get written to the iptables-restore input.
|
# Only 'referenced' chains get written to the iptables-restore input.
|
||||||
#
|
#
|
||||||
# 'loglevel', 'synparams' and 'default' only apply to policy chains.
|
# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
|
||||||
#
|
#
|
||||||
our @policy_chains;
|
our @policy_chains;
|
||||||
our %chain_table;
|
our %chain_table;
|
||||||
@ -474,10 +475,10 @@ sub masq_chain($)
|
|||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Syn_chain
|
# Syn_flood_chain -- differs from the other _chain functions in that the argument is a chain table reference
|
||||||
#
|
#
|
||||||
sub syn_chain ( $ ) {
|
sub syn_flood_chain ( $ ) {
|
||||||
'@' . $_[0];
|
'@' . $_[0]->{synchain};
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
# MAC Verification Chain for an interface
|
# MAC Verification Chain for an interface
|
||||||
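Review bot: The new `syn_flood_chain` builds its name from `$_[0]->{synchain}` with no check that the key is set, so a chain table entry that has `synparams` but no `synchain` would silently yield a chain called `@` (plus an uninitialized-value warning) instead of failing at compile time; the callers added in finish_chain_section pass whatever reference has `synparams`, and nothing visible guarantees the two keys are always set together. A guard such as `my $name = $_[0]->{synchain}; fatal_error "no synchain for $_[0]->{name}" unless defined $name; '@' . $name;` (using the module's usual fatal-error helper) keeps a malformed policy entry from producing a nonsensical chain in the generated ruleset. The header comment could also say that the argument is a policy chain reference and that the syn-flood chain is `'@'` prepended to its `synchain`, since the `# synchain => <name of synparam chain>` comment in the earlier hunk reads as if `synchain` already held the `@` name.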
@ -687,7 +688,7 @@ sub finish_chain_section ($$) {
|
|||||||
if ($sections{RELATED} ) {
|
if ($sections{RELATED} ) {
|
||||||
if ( $chainref->{is_policy} ) {
|
if ( $chainref->{is_policy} ) {
|
||||||
if ( $chainref->{synparams} ) {
|
if ( $chainref->{synparams} ) {
|
||||||
my $synchainref = ensure_chain 'filter', "\@$chain";
|
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
|
||||||
if ( $section eq 'DONE' ) {
|
if ( $section eq 'DONE' ) {
|
||||||
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
|
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
|
||||||
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
|
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
|
||||||
@ -699,7 +700,7 @@ sub finish_chain_section ($$) {
|
|||||||
} else {
|
} else {
|
||||||
my $policychainref = $filter_table->{$chainref->{policychain}};
|
my $policychainref = $filter_table->{$chainref->{policychain}};
|
||||||
if ( $policychainref->{synparams} ) {
|
if ( $policychainref->{synparams} ) {
|
||||||
my $synchainref = ensure_chain 'filter', syn_chain $policychainref->{name};
|
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
|
||||||
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
|
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -288,6 +288,7 @@ sub initialize() {
|
|||||||
OPTIMIZE => undef,
|
OPTIMIZE => undef,
|
||||||
EXPORTPARAMS => undef,
|
EXPORTPARAMS => undef,
|
||||||
SHOREWALL_COMPILER => undef,
|
SHOREWALL_COMPILER => undef,
|
||||||
|
EXPAND_POLICIES => undef,
|
||||||
#
|
#
|
||||||
# Packet Disposition
|
# Packet Disposition
|
||||||
#
|
#
|
||||||
@ -1435,6 +1436,7 @@ sub get_configuration( $ ) {
|
|||||||
warning_message 'USE_ACTIONS=No is not supported by Shorewall-perl ' . $globals{VERSION} unless $config{USE_ACTIONS};
|
warning_message 'USE_ACTIONS=No is not supported by Shorewall-perl ' . $globals{VERSION} unless $config{USE_ACTIONS};
|
||||||
|
|
||||||
default_yes_no 'EXPORTPARAMS' , '';
|
default_yes_no 'EXPORTPARAMS' , '';
|
||||||
|
default_yes_no 'EXPAND_POLICIES' , '';
|
||||||
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||||
|
|
||||||
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
|
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
|
||||||
|
@ -32,7 +32,7 @@ use Shorewall::Actions;
|
|||||||
use strict;
|
use strict;
|
||||||
|
|
||||||
our @ISA = qw(Exporter);
|
our @ISA = qw(Exporter);
|
||||||
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain );
|
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
|
||||||
our @EXPORT_OK = qw( );
|
our @EXPORT_OK = qw( );
|
||||||
our $VERSION = 4.00;
|
our $VERSION = 4.00;
|
||||||
|
|
||||||
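Review bot: The new `@EXPORT` line has a stray `sub` token inside the `qw()`, so `Shorewall::Policy` now exports a symbol named `sub` that is never defined; Exporter will alias an undefined `&sub` into every importing package rather than failing, so the mistake only surfaces if something calls it. The line should read `our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );`. Since `setup_syn_flood_chains` moved here from Rules.pm in the same commit, it is worth confirming that its caller (not visible in this diff) imports it from this package now.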
@ -61,9 +61,30 @@ sub set_policy_chain($$$)
|
|||||||
my ($chain1, $chainref, $policy) = @_;
|
my ($chain1, $chainref, $policy) = @_;
|
||||||
|
|
||||||
my $chainref1 = $filter_table->{$chain1};
|
my $chainref1 = $filter_table->{$chain1};
|
||||||
|
|
||||||
$chainref1 = new_chain 'filter', $chain1 unless $chainref1;
|
$chainref1 = new_chain 'filter', $chain1 unless $chainref1;
|
||||||
|
|
||||||
unless ( $chainref1->{policychain} ) {
|
unless ( $chainref1->{policychain} ) {
|
||||||
|
if ( $config{EXPAND_POLICIES} ) {
|
||||||
|
#
|
||||||
|
# We convert the canonical chain into a policy chain, using the settings of the
|
||||||
|
# passed policy chain.
|
||||||
|
#
|
||||||
|
$chainref1->{policychain} = $chain1;
|
||||||
|
$chainref1->{loglevel} = $chainref->{loglevel} if defined $chainref->{loglevel};
|
||||||
|
|
||||||
|
if ( defined $chainref->{synparams} ) {
|
||||||
|
$chainref1->{synparams} = $chainref->{synparams};
|
||||||
|
$chainref1->{synchain} = $chainref->{synchain};
|
||||||
|
}
|
||||||
|
|
||||||
|
$chainref1->{default} = $chainref->{default} if defined $chainref->{default};
|
||||||
|
$chainref1->{is_policy} = 1;
|
||||||
|
push @policy_chains, $chainref1;
|
||||||
|
} else {
|
||||||
$chainref1->{policychain} = $chainref->{name};
|
$chainref1->{policychain} = $chainref->{name};
|
||||||
|
}
|
||||||
|
|
||||||
$chainref1->{policy} = $policy;
|
$chainref1->{policy} = $policy;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
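Review bot: The expanded chain inherits `synchain` unchanged from the wildcard policy chain, so every `a2b` chain expanded from one `all` policy jumps to the same `@<policy chain>` limiter and shares one SYN-rate bucket, while the `loglevel`, `synparams` and `default` copies are conditional on `defined`, which hides the fact that a defined `synparams` with an undefined `synchain` would be copied as-is. That sharing appears intentional (the `! $filter_table->{...}` test in setup_syn_flood_chains relies on it) but nothing in the hunk says so; a comment such as `# synchain is deliberately shared: all chains expanded from one policy use a single syn-flood limiter` above the `if ( defined $chainref->{synparams} )` block would stop a later reader from "fixing" it into per-pair chains and silently multiplying the allowed SYN rate. The enclosing `set_policy_chain` starts before and ends after this hunk.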
@ -209,15 +230,20 @@ sub validate_policy()
|
|||||||
$chainref->{is_policy} = 1;
|
$chainref->{is_policy} = 1;
|
||||||
$chainref->{policy} = $policy;
|
$chainref->{policy} = $policy;
|
||||||
$chainref->{policychain} = $chain;
|
$chainref->{policychain} = $chain;
|
||||||
push @policy_chains, ( $chainref );
|
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$chainref = new_policy_chain $chain, $policy, 0;
|
$chainref = new_policy_chain $chain, $policy, 0;
|
||||||
push @policy_chains, ( $chainref );
|
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
|
||||||
}
|
}
|
||||||
|
|
||||||
$chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
|
$chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
|
||||||
$chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT' if $synparams ne '';
|
|
||||||
|
if ( $synparams ne '' ) {
|
||||||
|
$chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT';
|
||||||
|
$chainref->{synchain} = $chain
|
||||||
|
}
|
||||||
|
|
||||||
$chainref->{default} = $default if $default;
|
$chainref->{default} = $default if $default;
|
||||||
|
|
||||||
if ( $clientwild ) {
|
if ( $clientwild ) {
|
||||||
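Review bot: With EXPAND_POLICIES=Yes the wildcard policy chain is still created and marked `is_policy` / `policychain`, but the two changed `push @policy_chains` lines now skip it, so if anything still iterates `@policy_chains` to emit the policy's terminating rules, that chain would end up with no final ACCEPT/DROP/REJECT; should any rule still reference it (for instance the `is_policy` branch in finish_chain_section only adds the SYN jump), packets would fall out of the empty chain back to the built-in chain. If the wildcard chain is guaranteed to be unreferenced in expanded mode that is fine, but the guarantee is not visible here; either avoid creating it in that mode or add a check that it stays unreferenced, e.g. `fatal_error "Policy chain $chain referenced unexpectedly" if $config{EXPAND_POLICIES} && ( $clientwild || $serverwild ) && $chainref->{referenced};`, and document the invariant next to the push. `validate_policy` starts and ends outside this hunk.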
@ -359,4 +385,21 @@ sub complete_standard_chain ( $$$ ) {
|
|||||||
policy_rules $stdchainref , $policy , $loglevel, $default;
|
policy_rules $stdchainref , $policy , $loglevel, $default;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
|
||||||
|
#
|
||||||
|
sub setup_syn_flood_chains() {
|
||||||
|
for my $chainref ( @policy_chains ) {
|
||||||
|
my $limit = $chainref->{synparams};
|
||||||
|
if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
|
||||||
|
my $level = $chainref->{loglevel};
|
||||||
|
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
|
||||||
|
add_rule $synchainref , "${limit}-j RETURN";
|
||||||
|
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
|
||||||
|
if $level ne '';
|
||||||
|
add_rule $synchainref, '-j DROP';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
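Review bot: In the relocated `setup_syn_flood_chains`, the `log_rule_limit` call still passes `$chainref->{name}` as the chain named in the log message, but the chain being populated is now the shared `@`-chain keyed on `{synchain}`, and the `! $filter_table->{...}` test means it is built from whichever expanded chain is reached first. If `log_rule_limit` uses its third argument as the logged chain name (as the identical call removed from Rules.pm did), SYN-flood drops for, say, `net2dmz` would be logged as `net2loc`, which works against the stated goal of EXPAND_POLICIES; the `$level` is likewise taken from that first chain only. Passing the policy chain name instead, `log_rule_limit $level , $synchainref , $chainref->{synchain} , 'DROP', ...`, keeps the attribution stable across all chains that share the limiter. The header comment could also state that one `@` chain is created per `synchain` value, not per policy chain.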
@ -275,20 +275,6 @@ sub setup_rfc1918_filteration( $ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub setup_syn_flood_chains() {
|
|
||||||
for my $chainref ( @policy_chains ) {
|
|
||||||
my $limit = $chainref->{synparams};
|
|
||||||
if ( $limit ) {
|
|
||||||
my $level = $chainref->{loglevel};
|
|
||||||
my $synchainref = new_chain 'filter' , syn_chain $chainref->{name};
|
|
||||||
add_rule $synchainref , "${limit}-j RETURN";
|
|
||||||
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
|
|
||||||
if $level ne '';
|
|
||||||
add_rule $synchainref, '-j DROP';
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
sub setup_blacklist() {
|
sub setup_blacklist() {
|
||||||
|
|
||||||
my $hosts = find_hosts_by_option 'blacklist';
|
my $hosts = find_hosts_by_option 'blacklist';
|
||||||
|