Add EXPAND_POLICIES option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6909 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -1,3 +1,7 @@
+Changes in 4.0.1
+
+1)  Add EXPAND_POLICIES.
+
 Changes in 4.0.0 Final
 
 1)  Fix lite install.sh manpage problem.

Shorewall-common/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.0.0 Final.
+Shorewall 4.0.1
 ----------------------------------------------------------------------------
                    R E L E A S E  H I G H L I G H T S
 ----------------------------------------------------------------------------
@@ -25,26 +25,32 @@ Shorewall 4.0.0 Final.
    Shorewall-perl compiler. This support utilizes the reduced-function
    physdev match support available in Linux kernel 2.6.20 and later.
 
-Problems corrected in 4.0.0 Final.
+Problems corrected in 4.0.1.
 
-1)  The shorewall-lite install.sh may now be run multiple times from
+None.
-    the same directory. Previously, the manpages were gzipped in-place
-    which made it impossible to rerun the script.
 
-2)  If shorewall.conf contained SHOREWALL_COMPILER=shell (which it can
+Other changes in Shorewall 4.0.1.
-    on Shorewall 3.4.2-4 systems) and the shorewall-shell RPM was
-    removed, subsequent "shorewall [re]start" operations failed. When
-    shorewall-shell is removed, the shorewall.conf file is modified to
-    specify SHOREWALL_COMPILER= and the original is saved in
-    shorewall.conf.rpmsave.
 
-3)  The contents of the LOG LEVEL column in /etc/shorewall/policy are
+1)  A new EXPAND_POLICIES option is added to shorewall.conf. The
-    now validated at compile time by Shorewall-perl.
+    option is recognized by Shorewall-perl and is ignored by
+    Shorewall-shell.
 
-Other changes in Shorewall 4.0.0 Final.
+    Normally, when the SOURCE or DEST columns in shorewall-policy(5)
+    contains 'all', a single policy chain is created and the policy is
+    inforced in that chain. For example, if the policy entry is
 
-1)  The Perl modules in /usr/share/shorewall-perl/Shorewall/ have been
+	     #SOURCE DEST POLICY LOG
-    consolidated somewhat, leading to slightly faster compilation.
+	     #                   LEVEL
+	     net     all  DROP   info
+
+    then the chain name is 'net2all' which is also the chain named in
+    Shorewall log messages generated as a result of the policy. If
+    EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
+    chain for each pair of zones covered by the policy. This makes the
+    resulting log messages easier to interpret since the chain in the
+    messages will have a name of the form 'a2b' where 'a' is the SOURCE
+    zone and 'b' is the DEST zone. See
+    http://linuxman.wikispaces.com/PPPPPPS for more information.
 
 Migration Considerations:
 

Shorewall-common/shorewall.conf

@@ -163,6 +163,8 @@ OPTIMIZE=0
 
 EXPORTPARAMS=Yes
 
+EXPAND_POLICIES=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-perl/Shorewall/Chains.pm

@@ -65,7 +65,7 @@ our @EXPORT = qw( STANDARD
 		  input_chain
 		  output_chain
 		  masq_chain
-		  syn_chain
+		  syn_flood_chain
 		  mac_chain
 		  macrecent_target
 		  dynamic_fwd
@@ -142,6 +142,7 @@ our $VERSION = 4.00;
 #                                               policy       => <policy>
 #                                               loglevel     => <level>
 #                                               synparams    => <burst/limit>
+#                                               synchain     => <name of synparam chain>
 #                                               default      => <default action>
 #                                               policy_chain => <ref to policy chain -- self-reference if this is a policy chain>
 #                                               loopcount    => <number of open loops in runtime commands>
@@ -160,7 +161,7 @@ our $VERSION = 4.00;
 #
 #       Only 'referenced' chains get written to the iptables-restore input.
 #
-#       'loglevel', 'synparams' and 'default' only apply to policy chains.
+#       'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
 #
 our @policy_chains;
 our %chain_table;
@@ -474,10 +475,10 @@ sub masq_chain($)
 }
 
 #
-# Syn_chain
+# Syn_flood_chain -- differs from the other _chain functions in that the argument is a chain table reference
 #
-sub syn_chain ( $ ) {
+sub syn_flood_chain ( $ ) {
-    '@' . $_[0];
+    '@' . $_[0]->{synchain};
 }
 #
 # MAC Verification Chain for an interface
@@ -687,7 +688,7 @@ sub finish_chain_section ($$) {
     if ($sections{RELATED} ) {
 	if ( $chainref->{is_policy} ) {
 	    if ( $chainref->{synparams} ) {
-		my $synchainref = ensure_chain 'filter', "\@$chain";
+		my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
 		if ( $section eq 'DONE' ) {
 		    if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
 			add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
@@ -699,7 +700,7 @@ sub finish_chain_section ($$) {
 	} else {
 	    my $policychainref = $filter_table->{$chainref->{policychain}};
 	    if ( $policychainref->{synparams} ) {
-		my $synchainref = ensure_chain 'filter', syn_chain $policychainref->{name};
+		my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
 		add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
 	    }
 	}

Shorewall-perl/Shorewall/Config.pm

@@ -288,6 +288,7 @@ sub initialize() {
 		OPTIMIZE => undef,
 		EXPORTPARAMS => undef,
 		SHOREWALL_COMPILER => undef,
+		EXPAND_POLICIES => undef,
 		#
 		# Packet Disposition
 		#
@@ -1435,6 +1436,7 @@ sub get_configuration( $ ) {
     warning_message 'USE_ACTIONS=No is not supported by Shorewall-perl ' . $globals{VERSION} unless $config{USE_ACTIONS};
 
     default_yes_no 'EXPORTPARAMS'               , '';
+    default_yes_no 'EXPAND_POLICIES'            , '';
     default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
 
     $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};

Shorewall-perl/Shorewall/Policy.pm

@@ -32,7 +32,7 @@ use Shorewall::Actions;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain );
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
 our @EXPORT_OK = qw(  );
 our $VERSION = 4.00;
 
@@ -61,9 +61,30 @@ sub set_policy_chain($$$)
     my ($chain1, $chainref, $policy) = @_;
 
     my $chainref1 = $filter_table->{$chain1};
+
     $chainref1 = new_chain 'filter', $chain1 unless $chainref1;
+
     unless ( $chainref1->{policychain} ) {
-	$chainref1->{policychain} = $chainref->{name};
+	if ( $config{EXPAND_POLICIES} ) {
+	    #
+	    # We convert the canonical chain into a policy chain, using the settings of the
+	    # passed policy chain.
+	    #
+	    $chainref1->{policychain} = $chain1;
+	    $chainref1->{loglevel}    = $chainref->{loglevel} if defined $chainref->{loglevel};
+
+	    if ( defined $chainref->{synparams} ) {
+		$chainref1->{synparams}   = $chainref->{synparams};
+		$chainref1->{synchain}    = $chainref->{synchain};
+	    }
+
+	    $chainref1->{default}     = $chainref->{default} if defined $chainref->{default};
+	    $chainref1->{is_policy}   = 1;
+	    push @policy_chains, $chainref1;
+	} else {
+	    $chainref1->{policychain} = $chainref->{name};
+	}
+
 	$chainref1->{policy} = $policy;
     }
 }
@@ -209,16 +230,21 @@ sub validate_policy()
 		$chainref->{is_policy} = 1;
 		$chainref->{policy} = $policy;
 		$chainref->{policychain} = $chain;
-		push @policy_chains, ( $chainref );
+		push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
 	    }
 	} else {
 	    $chainref = new_policy_chain $chain, $policy, 0;
-	    push @policy_chains, ( $chainref );
+	    push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
 	}
 
-	$chainref->{loglevel}  = validate_level( $loglevel )       if defined $loglevel && $loglevel ne '';
+	$chainref->{loglevel}  = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
-	$chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT' if $synparams ne '';
+	 
-	$chainref->{default}   = $default                          if $default;
+	if ( $synparams ne '' ) {
+	    $chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT';
+	    $chainref->{synchain}  = $chain 
+	}
+	
+	$chainref->{default}   = $default if $default;
 
 	if ( $clientwild ) {
 	    if ( $serverwild ) {
@@ -359,4 +385,21 @@ sub complete_standard_chain ( $$$ ) {
     policy_rules $stdchainref , $policy , $loglevel, $default;
 }
 
+#
+# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
+#
+sub setup_syn_flood_chains() {
+    for my $chainref ( @policy_chains ) {
+	my $limit = $chainref->{synparams};
+	if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
+	    my $level = $chainref->{loglevel}; 
+	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
+	    add_rule $synchainref , "${limit}-j RETURN";
+	    log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
+		if $level ne '';
+	    add_rule $synchainref, '-j DROP';
+	}
+    }
+}
+
 1;

Shorewall-perl/Shorewall/Rules.pm

@@ -275,20 +275,6 @@ sub setup_rfc1918_filteration( $ ) {
     }
 }
 
-sub setup_syn_flood_chains() {
-    for my $chainref ( @policy_chains ) {
-	my $limit = $chainref->{synparams};
-	if ( $limit ) {
-	    my $level = $chainref->{loglevel}; 
-	    my $synchainref = new_chain 'filter' , syn_chain $chainref->{name};
-	    add_rule $synchainref , "${limit}-j RETURN";
-	    log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
-		if $level ne '';
-	    add_rule $synchainref, '-j DROP';
-	}
-    }
-}
-
 sub setup_blacklist() {
 
     my $hosts = find_hosts_by_option 'blacklist';