Add EXPAND_POLICIES option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6909 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-07-19 18:36:04 +00:00
parent 700e645883
commit fb488807cf
7 changed files with 88 additions and 44 deletions


@ -1,3 +1,7 @@
Changes in 4.0.1
1) Add EXPAND_POLICIES.
Changes in 4.0.0 Final Changes in 4.0.0 Final
1) Fix lite install.sh manpage problem. 1) Fix lite install.sh manpage problem.


@ -1,4 +1,4 @@
Shorewall 4.0.0 Final. Shorewall 4.0.1
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
R E L E A S E H I G H L I G H T S R E L E A S E H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -25,26 +25,32 @@ Shorewall 4.0.0 Final.
Shorewall-perl compiler. This support utilizes the reduced-function Shorewall-perl compiler. This support utilizes the reduced-function
physdev match support available in Linux kernel 2.6.20 and later. physdev match support available in Linux kernel 2.6.20 and later.
Problems corrected in 4.0.0 Final. Problems corrected in 4.0.1.
1) The shorewall-lite install.sh may now be run multiple times from None.
the same directory. Previously, the manpages were gzipped in-place
which made it impossible to rerun the script.
2) If shorewall.conf contained SHOREWALL_COMPILER=shell (which it can Other changes in Shorewall 4.0.1.
on Shorewall 3.4.2-4 systems) and the shorewall-shell RPM was
removed, subsequent "shorewall [re]start" operations failed. When
shorewall-shell is removed, the shorewall.conf file is modified to
specify SHOREWALL_COMPILER= and the original is saved in
shorewall.conf.rpmsave.
3) The contents of the LOG LEVEL column in /etc/shorewall/policy are 1) A new EXPAND_POLICIES option is added to shorewall.conf. The
now validated at compile time by Shorewall-perl. option is recognized by Shorewall-perl and is ignored by
Shorewall-shell.
Other changes in Shorewall 4.0.0 Final. Normally, when the SOURCE or DEST columns in shorewall-policy(5)
contains 'all', a single policy chain is created and the policy is
inforced in that chain. For example, if the policy entry is
1) The Perl modules in /usr/share/shorewall-perl/Shorewall/ have been #SOURCE DEST POLICY LOG
consolidated somewhat, leading to slightly faster compilation. # LEVEL
net all DROP info
then the chain name is 'net2all' which is also the chain named in
Shorewall log messages generated as a result of the policy. If
EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
chain for each pair of zones covered by the policy. This makes the
resulting log messages easier to interpret since the chain in the
messages will have a name of the form 'a2b' where 'a' is the SOURCE
zone and 'b' is the DEST zone. See
http://linuxman.wikispaces.com/PPPPPPS for more information.
Migration Considerations: Migration Considerations:


@ -163,6 +163,8 @@ OPTIMIZE=0
EXPORTPARAMS=Yes EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
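Review bot: `EXPAND_POLICIES=Yes` is added to the shipped shorewall.conf with no explanatory comment, and the value switches the new behaviour on for every installation that uses this file, while the compiler appears to treat an absent setting as No (`default_yes_no 'EXPAND_POLICIES' , ''` in the Config.pm hunk) and the release notes describe the single-chain form as the normal one. Whether the shipped default should be Yes is a product decision, but the file should at least say what the option does, e.g. `# EXPAND_POLICIES - if Yes, a separate chain is created for each zone pair covered by a policy whose SOURCE or DEST is 'all', so log messages name 'a2b' instead of 'a2all'`.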


@ -65,7 +65,7 @@ our @EXPORT = qw( STANDARD
input_chain input_chain
output_chain output_chain
masq_chain masq_chain
syn_chain syn_flood_chain
mac_chain mac_chain
macrecent_target macrecent_target
dynamic_fwd dynamic_fwd
@ -142,6 +142,7 @@ our $VERSION = 4.00;
# policy => <policy> # policy => <policy>
# loglevel => <level> # loglevel => <level>
# synparams => <burst/limit> # synparams => <burst/limit>
# synchain => <name of synparam chain>
# default => <default action> # default => <default action>
# policy_chain => <ref to policy chain -- self-reference if this is a policy chain> # policy_chain => <ref to policy chain -- self-reference if this is a policy chain>
# loopcount => <number of open loops in runtime commands> # loopcount => <number of open loops in runtime commands>
@ -160,7 +161,7 @@ our $VERSION = 4.00;
# #
# Only 'referenced' chains get written to the iptables-restore input. # Only 'referenced' chains get written to the iptables-restore input.
# #
# 'loglevel', 'synparams' and 'default' only apply to policy chains. # 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
# #
our @policy_chains; our @policy_chains;
our %chain_table; our %chain_table;
@ -474,10 +475,10 @@ sub masq_chain($)
} }
# #
# Syn_chain # Syn_flood_chain -- differs from the other _chain functions in that the argument is a chain table reference
# #
sub syn_chain ( $ ) { sub syn_flood_chain ( $ ) {
'@' . $_[0]; '@' . $_[0]->{synchain};
} }
# #
# MAC Verification Chain for an interface # MAC Verification Chain for an interface
@ -687,7 +688,7 @@ sub finish_chain_section ($$) {
if ($sections{RELATED} ) { if ($sections{RELATED} ) {
if ( $chainref->{is_policy} ) { if ( $chainref->{is_policy} ) {
if ( $chainref->{synparams} ) { if ( $chainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', "\@$chain"; my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
if ( $section eq 'DONE' ) { if ( $section eq 'DONE' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) { if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
@ -699,7 +700,7 @@ sub finish_chain_section ($$) {
} else { } else {
my $policychainref = $filter_table->{$chainref->{policychain}}; my $policychainref = $filter_table->{$chainref->{policychain}};
if ( $policychainref->{synparams} ) { if ( $policychainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_chain $policychainref->{name}; my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
} }
} }
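Review bot: `syn_flood_chain` (the hunk at `@ -474,10 +475,10 @@`) builds the name from `$_[0]->{synchain}` without checking that the key is set, so a chain record that carries `synparams` but no `synchain` silently yields the bare name `@` plus an uninitialized-value warning rather than a clear failure. As far as the visible Policy.pm hunks show, `synchain` is always assigned together with `synparams`, so this is a precondition rather than a live bug, and the function comment should state it: `# Syn_flood_chain -- argument is a chain table reference whose {synchain} is set (always the case when {synparams} is set)`. Both `finish_chain_section` call sites now pass the chain reference consistently; that function starts and ends outside the hunks shown.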


@ -288,6 +288,7 @@ sub initialize() {
OPTIMIZE => undef, OPTIMIZE => undef,
EXPORTPARAMS => undef, EXPORTPARAMS => undef,
SHOREWALL_COMPILER => undef, SHOREWALL_COMPILER => undef,
EXPAND_POLICIES => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -1435,6 +1436,7 @@ sub get_configuration( $ ) {
warning_message 'USE_ACTIONS=No is not supported by Shorewall-perl ' . $globals{VERSION} unless $config{USE_ACTIONS}; warning_message 'USE_ACTIONS=No is not supported by Shorewall-perl ' . $globals{VERSION} unless $config{USE_ACTIONS};
default_yes_no 'EXPORTPARAMS' , ''; default_yes_no 'EXPORTPARAMS' , '';
default_yes_no 'EXPAND_POLICIES' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};


@ -32,7 +32,7 @@ use Shorewall::Actions;
use strict; use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain ); our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
our $VERSION = 4.00; our $VERSION = 4.00;
@ -61,9 +61,30 @@ sub set_policy_chain($$$)
my ($chain1, $chainref, $policy) = @_; my ($chain1, $chainref, $policy) = @_;
my $chainref1 = $filter_table->{$chain1}; my $chainref1 = $filter_table->{$chain1};
$chainref1 = new_chain 'filter', $chain1 unless $chainref1; $chainref1 = new_chain 'filter', $chain1 unless $chainref1;
unless ( $chainref1->{policychain} ) { unless ( $chainref1->{policychain} ) {
$chainref1->{policychain} = $chainref->{name}; if ( $config{EXPAND_POLICIES} ) {
#
# We convert the canonical chain into a policy chain, using the settings of the
# passed policy chain.
#
$chainref1->{policychain} = $chain1;
$chainref1->{loglevel} = $chainref->{loglevel} if defined $chainref->{loglevel};
if ( defined $chainref->{synparams} ) {
$chainref1->{synparams} = $chainref->{synparams};
$chainref1->{synchain} = $chainref->{synchain};
}
$chainref1->{default} = $chainref->{default} if defined $chainref->{default};
$chainref1->{is_policy} = 1;
push @policy_chains, $chainref1;
} else {
$chainref1->{policychain} = $chainref->{name};
}
$chainref1->{policy} = $policy; $chainref1->{policy} = $policy;
} }
} }
@ -209,16 +230,21 @@ sub validate_policy()
$chainref->{is_policy} = 1; $chainref->{is_policy} = 1;
$chainref->{policy} = $policy; $chainref->{policy} = $policy;
$chainref->{policychain} = $chain; $chainref->{policychain} = $chain;
push @policy_chains, ( $chainref ); push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
} }
} else { } else {
$chainref = new_policy_chain $chain, $policy, 0; $chainref = new_policy_chain $chain, $policy, 0;
push @policy_chains, ( $chainref ); push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
} }
$chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne ''; $chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
$chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT' if $synparams ne '';
$chainref->{default} = $default if $default; if ( $synparams ne '' ) {
$chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT';
$chainref->{synchain} = $chain
}
$chainref->{default} = $default if $default;
if ( $clientwild ) { if ( $clientwild ) {
if ( $serverwild ) { if ( $serverwild ) {
@ -359,4 +385,21 @@ sub complete_standard_chain ( $$$ ) {
policy_rules $stdchainref , $policy , $loglevel, $default; policy_rules $stdchainref , $policy , $loglevel, $default;
} }
#
# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
#
sub setup_syn_flood_chains() {
for my $chainref ( @policy_chains ) {
my $limit = $chainref->{synparams};
if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
my $level = $chainref->{loglevel};
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
add_rule $synchainref , "${limit}-j RETURN";
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
if $level ne '';
add_rule $synchainref, '-j DROP';
}
}
}
1; 1;
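Review bot: The new `@EXPORT` list at the top of the file contains a stray `sub` token — `qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains )` exports a symbol literally named `sub` into every importer; it should read `our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );`. In the moved `setup_syn_flood_chains`, the new `! $filter_table->{syn_flood_chain $chainref}` test dedupes expanded chains that share a `synchain`, but it also skips populating the `@…` chain whenever it already exists for any other reason — `finish_chain_section` in Chains.pm creates it with `ensure_chain` — so if that can run first (the call order is outside this page) the syn-flood chain would be left with no rules and every SYN would pass through it unlimited. A dedupe that does not depend on chain-table state avoids that: `my %done;` before the loop, `if ( $limit && ! $done{ $chainref->{synchain} }++ ) {` as the condition, and `ensure_chain` in place of `new_chain` when creating `$synchainref`. Also, `$chainref->{synchain} = $chain` in validate_policy lacks the terminating `;` (legal as the last statement of the block, but inconsistent with the surrounding style).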


@ -275,20 +275,6 @@ sub setup_rfc1918_filteration( $ ) {
} }
} }
sub setup_syn_flood_chains() {
for my $chainref ( @policy_chains ) {
my $limit = $chainref->{synparams};
if ( $limit ) {
my $level = $chainref->{loglevel};
my $synchainref = new_chain 'filter' , syn_chain $chainref->{name};
add_rule $synchainref , "${limit}-j RETURN";
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
if $level ne '';
add_rule $synchainref, '-j DROP';
}
}
}
sub setup_blacklist() { sub setup_blacklist() {
my $hosts = find_hosts_by_option 'blacklist'; my $hosts = find_hosts_by_option 'blacklist';