Add EXPAND_POLICIES option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6909 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-07-19 18:36:04 +00:00
parent 700e645883
commit fb488807cf
7 changed files with 88 additions and 44 deletions


@ -1,3 +1,7 @@
Changes in 4.0.1
1) Add EXPAND_POLICIES.
Changes in 4.0.0 Final
1) Fix lite install.sh manpage problem.


@ -1,4 +1,4 @@
Shorewall 4.0.0 Final.
Shorewall 4.0.1
----------------------------------------------------------------------------
R E L E A S E H I G H L I G H T S
----------------------------------------------------------------------------
@ -25,26 +25,32 @@ Shorewall 4.0.0 Final.
Shorewall-perl compiler. This support utilizes the reduced-function
physdev match support available in Linux kernel 2.6.20 and later.
Problems corrected in 4.0.0 Final.
Problems corrected in 4.0.1.
1) The shorewall-lite install.sh may now be run multiple times from
the same directory. Previously, the manpages were gzipped in-place
which made it impossible to rerun the script.
None.
2) If shorewall.conf contained SHOREWALL_COMPILER=shell (which it can
on Shorewall 3.4.2-4 systems) and the shorewall-shell RPM was
removed, subsequent "shorewall [re]start" operations failed. When
shorewall-shell is removed, the shorewall.conf file is modified to
specify SHOREWALL_COMPILER= and the original is saved in
shorewall.conf.rpmsave.
Other changes in Shorewall 4.0.1.
3) The contents of the LOG LEVEL column in /etc/shorewall/policy are
now validated at compile time by Shorewall-perl.
1) A new EXPAND_POLICIES option is added to shorewall.conf. The
option is recognized by Shorewall-perl and is ignored by
Shorewall-shell.
Other changes in Shorewall 4.0.0 Final.
Normally, when the SOURCE or DEST columns in shorewall-policy(5)
contains 'all', a single policy chain is created and the policy is
inforced in that chain. For example, if the policy entry is
1) The Perl modules in /usr/share/shorewall-perl/Shorewall/ have been
consolidated somewhat, leading to slightly faster compilation.
#SOURCE DEST POLICY LOG
# LEVEL
net all DROP info
then the chain name is 'net2all' which is also the chain named in
Shorewall log messages generated as a result of the policy. If
EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
chain for each pair of zones covered by the policy. This makes the
resulting log messages easier to interpret since the chain in the
messages will have a name of the form 'a2b' where 'a' is the SOURCE
zone and 'b' is the DEST zone. See
http://linuxman.wikispaces.com/PPPPPPS for more information.
Migration Considerations:


@ -163,6 +163,8 @@ OPTIMIZE=0
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################


@ -65,7 +65,7 @@ our @EXPORT = qw( STANDARD
input_chain
output_chain
masq_chain
syn_chain
syn_flood_chain
mac_chain
macrecent_target
dynamic_fwd
@ -142,6 +142,7 @@ our $VERSION = 4.00;
# policy => <policy>
# loglevel => <level>
# synparams => <burst/limit>
# synchain => <name of synparam chain>
# default => <default action>
# policy_chain => <ref to policy chain -- self-reference if this is a policy chain>
# loopcount => <number of open loops in runtime commands>
@ -160,7 +161,7 @@ our $VERSION = 4.00;
#
# Only 'referenced' chains get written to the iptables-restore input.
#
# 'loglevel', 'synparams' and 'default' only apply to policy chains.
# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
#
our @policy_chains;
our %chain_table;
@ -474,10 +475,10 @@ sub masq_chain($)
}
#
# Syn_chain
# Syn_flood_chain -- differs from the other _chain functions in that the argument is a chain table reference
#
sub syn_chain ( $ ) {
'@' . $_[0];
sub syn_flood_chain ( $ ) {
'@' . $_[0]->{synchain};
}
#
# MAC Verification Chain for an interface
@ -687,7 +688,7 @@ sub finish_chain_section ($$) {
if ($sections{RELATED} ) {
if ( $chainref->{is_policy} ) {
if ( $chainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', "\@$chain";
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
if ( $section eq 'DONE' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
@ -699,7 +700,7 @@ sub finish_chain_section ($$) {
} else {
my $policychainref = $filter_table->{$chainref->{policychain}};
if ( $policychainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_chain $policychainref->{name};
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
}
}
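Review bot: The new `syn_flood_chain` in the @-474 hunk builds its result from `$_[0]->{synchain}` with no guard, so for a chain table entry whose `synchain` is unset it returns the bare name `'@'` (and, if warnings are enabled in this file, an uninitialized-value warning). Both call sites in finish_chain_section test `synparams` first, and the Policy.pm side of this commit only sets `synchain` alongside `synparams`, so the precondition appears to hold today but is not stated anywhere. Extending the header comment would make the contract explicit: `# Syn_flood_chain -- differs from the other _chain functions in that the argument is a chain table reference; only meaningful for a policy chain whose synparams/synchain are set (callers must test synparams first)`. The enclosing finish_chain_section body starts and ends outside the last two hunks.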


@ -288,6 +288,7 @@ sub initialize() {
OPTIMIZE => undef,
EXPORTPARAMS => undef,
SHOREWALL_COMPILER => undef,
EXPAND_POLICIES => undef,
#
# Packet Disposition
#
@ -1435,6 +1436,7 @@ sub get_configuration( $ ) {
warning_message 'USE_ACTIONS=No is not supported by Shorewall-perl ' . $globals{VERSION} unless $config{USE_ACTIONS};
default_yes_no 'EXPORTPARAMS' , '';
default_yes_no 'EXPAND_POLICIES' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};


@ -32,7 +32,7 @@ use Shorewall::Actions;
use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain );
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
our @EXPORT_OK = qw( );
our $VERSION = 4.00;
@ -61,9 +61,30 @@ sub set_policy_chain($$$)
my ($chain1, $chainref, $policy) = @_;
my $chainref1 = $filter_table->{$chain1};
$chainref1 = new_chain 'filter', $chain1 unless $chainref1;
unless ( $chainref1->{policychain} ) {
if ( $config{EXPAND_POLICIES} ) {
#
# We convert the canonical chain into a policy chain, using the settings of the
# passed policy chain.
#
$chainref1->{policychain} = $chain1;
$chainref1->{loglevel} = $chainref->{loglevel} if defined $chainref->{loglevel};
if ( defined $chainref->{synparams} ) {
$chainref1->{synparams} = $chainref->{synparams};
$chainref1->{synchain} = $chainref->{synchain};
}
$chainref1->{default} = $chainref->{default} if defined $chainref->{default};
$chainref1->{is_policy} = 1;
push @policy_chains, $chainref1;
} else {
$chainref1->{policychain} = $chainref->{name};
}
$chainref1->{policy} = $policy;
}
}
@ -209,15 +230,20 @@ sub validate_policy()
$chainref->{is_policy} = 1;
$chainref->{policy} = $policy;
$chainref->{policychain} = $chain;
push @policy_chains, ( $chainref );
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
}
} else {
$chainref = new_policy_chain $chain, $policy, 0;
push @policy_chains, ( $chainref );
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
}
$chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
$chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT' if $synparams ne '';
if ( $synparams ne '' ) {
$chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT';
$chainref->{synchain} = $chain
}
$chainref->{default} = $default if $default;
if ( $clientwild ) {
@ -359,4 +385,21 @@ sub complete_standard_chain ( $$$ ) {
policy_rules $stdchainref , $policy , $loglevel, $default;
}
#
# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
#
sub setup_syn_flood_chains() {
for my $chainref ( @policy_chains ) {
my $limit = $chainref->{synparams};
if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
my $level = $chainref->{loglevel};
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
add_rule $synchainref , "${limit}-j RETURN";
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
if $level ne '';
add_rule $synchainref, '-j DROP';
}
}
}
1;
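Review bot: The new @EXPORT list in the @-32 hunk contains a stray `sub` token inside the qw() list, so Exporter will try to export a symbol literally named `sub` into every package that uses Shorewall::Policy; it is clearly a typo from pasting the subroutine declaration. The line should read `our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );`. Separately, the `! $filter_table->{syn_flood_chain $chainref}` guard added in setup_syn_flood_chains deserves a why-comment, since set_policy_chain copies `synchain` from the original policy chain and several expanded policy chains therefore share one syn-flood chain: `# Expanded policy chains share the originating policy's synchain; create it only once.`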


@ -275,20 +275,6 @@ sub setup_rfc1918_filteration( $ ) {
}
}
sub setup_syn_flood_chains() {
for my $chainref ( @policy_chains ) {
my $limit = $chainref->{synparams};
if ( $limit ) {
my $level = $chainref->{loglevel};
my $synchainref = new_chain 'filter' , syn_chain $chainref->{name};
add_rule $synchainref , "${limit}-j RETURN";
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
if $level ne '';
add_rule $synchainref, '-j DROP';
}
}
}
sub setup_blacklist() {
my $hosts = find_hosts_by_option 'blacklist';