Add EXPAND_POLICIES option
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6909 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
700e645883
commit
fb488807cf
@ -1,3 +1,7 @@
|
||||
Changes in 4.0.1
|
||||
|
||||
1) Add EXPAND_POLICIES.
|
||||
|
||||
Changes in 4.0.0 Final
|
||||
|
||||
1) Fix lite install.sh manpage problem.
|
||||
|
@ -1,4 +1,4 @@
|
||||
Shorewall 4.0.0 Final.
|
||||
Shorewall 4.0.1
|
||||
----------------------------------------------------------------------------
|
||||
R E L E A S E H I G H L I G H T S
|
||||
----------------------------------------------------------------------------
|
||||
@ -25,26 +25,32 @@ Shorewall 4.0.0 Final.
|
||||
Shorewall-perl compiler. This support utilizes the reduced-function
|
||||
physdev match support available in Linux kernel 2.6.20 and later.
|
||||
|
||||
Problems corrected in 4.0.0 Final.
|
||||
Problems corrected in 4.0.1.
|
||||
|
||||
1) The shorewall-lite install.sh may now be run multiple times from
|
||||
the same directory. Previously, the manpages were gzipped in-place
|
||||
which made it impossible to rerun the script.
|
||||
None.
|
||||
|
||||
2) If shorewall.conf contained SHOREWALL_COMPILER=shell (which it can
|
||||
on Shorewall 3.4.2-4 systems) and the shorewall-shell RPM was
|
||||
removed, subsequent "shorewall [re]start" operations failed. When
|
||||
shorewall-shell is removed, the shorewall.conf file is modified to
|
||||
specify SHOREWALL_COMPILER= and the original is saved in
|
||||
shorewall.conf.rpmsave.
|
||||
Other changes in Shorewall 4.0.1.
|
||||
|
||||
3) The contents of the LOG LEVEL column in /etc/shorewall/policy are
|
||||
now validated at compile time by Shorewall-perl.
|
||||
1) A new EXPAND_POLICIES option is added to shorewall.conf. The
|
||||
option is recognized by Shorewall-perl and is ignored by
|
||||
Shorewall-shell.
|
||||
|
||||
Other changes in Shorewall 4.0.0 Final.
|
||||
Normally, when the SOURCE or DEST columns in shorewall-policy(5)
|
||||
contains 'all', a single policy chain is created and the policy is
|
||||
inforced in that chain. For example, if the policy entry is
|
||||
|
||||
1) The Perl modules in /usr/share/shorewall-perl/Shorewall/ have been
|
||||
consolidated somewhat, leading to slightly faster compilation.
|
||||
#SOURCE DEST POLICY LOG
|
||||
# LEVEL
|
||||
net all DROP info
|
||||
|
||||
then the chain name is 'net2all' which is also the chain named in
|
||||
Shorewall log messages generated as a result of the policy. If
|
||||
EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
|
||||
chain for each pair of zones covered by the policy. This makes the
|
||||
resulting log messages easier to interpret since the chain in the
|
||||
messages will have a name of the form 'a2b' where 'a' is the SOURCE
|
||||
zone and 'b' is the DEST zone. See
|
||||
http://linuxman.wikispaces.com/PPPPPPS for more information.
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
|
@ -163,6 +163,8 @@ OPTIMIZE=0
|
||||
|
||||
EXPORTPARAMS=Yes
|
||||
|
||||
EXPAND_POLICIES=Yes
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
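Review bot: The shipped shorewall.conf enables the new option (`EXPAND_POLICIES=Yes`) while get_configuration in Shorewall::Config appears to default it off (`default_yes_no 'EXPAND_POLICIES' , ''`), so a fresh install and an upgraded install that keeps its old shorewall.conf will build different chain layouts by default. If that is intended, the setting deserves a comment here, since this file otherwise says nothing about what it does; something like `# EXPAND_POLICIES=Yes creates a separate policy chain (a2b) for each zone pair covered by an 'all' policy, so log messages name the actual source and destination zones.` placed above the line would do. Operators who parse Shorewall log messages by chain name should know the names change from net2all to per-pair names when this is on.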
@ -65,7 +65,7 @@ our @EXPORT = qw( STANDARD
|
||||
input_chain
|
||||
output_chain
|
||||
masq_chain
|
||||
syn_chain
|
||||
syn_flood_chain
|
||||
mac_chain
|
||||
macrecent_target
|
||||
dynamic_fwd
|
||||
@ -142,6 +142,7 @@ our $VERSION = 4.00;
|
||||
# policy => <policy>
|
||||
# loglevel => <level>
|
||||
# synparams => <burst/limit>
|
||||
# synchain => <name of synparam chain>
|
||||
# default => <default action>
|
||||
# policy_chain => <ref to policy chain -- self-reference if this is a policy chain>
|
||||
# loopcount => <number of open loops in runtime commands>
|
||||
@ -160,7 +161,7 @@ our $VERSION = 4.00;
|
||||
#
|
||||
# Only 'referenced' chains get written to the iptables-restore input.
|
||||
#
|
||||
# 'loglevel', 'synparams' and 'default' only apply to policy chains.
|
||||
# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
|
||||
#
|
||||
our @policy_chains;
|
||||
our %chain_table;
|
||||
@ -474,10 +475,10 @@ sub masq_chain($)
|
||||
}
|
||||
|
||||
#
|
||||
# Syn_chain
|
||||
# Syn_flood_chain -- differs from the other _chain functions in that the argument is a chain table reference
|
||||
#
|
||||
sub syn_chain ( $ ) {
|
||||
'@' . $_[0];
|
||||
sub syn_flood_chain ( $ ) {
|
||||
'@' . $_[0]->{synchain};
|
||||
}
|
||||
#
|
||||
# MAC Verification Chain for an interface
|
||||
@ -687,7 +688,7 @@ sub finish_chain_section ($$) {
|
||||
if ($sections{RELATED} ) {
|
||||
if ( $chainref->{is_policy} ) {
|
||||
if ( $chainref->{synparams} ) {
|
||||
my $synchainref = ensure_chain 'filter', "\@$chain";
|
||||
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
|
||||
if ( $section eq 'DONE' ) {
|
||||
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
|
||||
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
|
||||
@ -699,7 +700,7 @@ sub finish_chain_section ($$) {
|
||||
} else {
|
||||
my $policychainref = $filter_table->{$chainref->{policychain}};
|
||||
if ( $policychainref->{synparams} ) {
|
||||
my $synchainref = ensure_chain 'filter', syn_chain $policychainref->{name};
|
||||
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
|
||||
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
|
||||
}
|
||||
}
|
||||
|
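Review bot: syn_flood_chain (the hunk replacing syn_chain) returns `'@' . $_[0]->{synchain}`, and {synchain} is only populated alongside {synparams} in validate_policy and set_policy_chain, so calling it on a chain without synparams yields the bare name '@' (and an uninitialized-value warning if warnings are enabled). Both call sites in finish_chain_section gate on {synparams}, so this is a precondition worth stating in the header comment: `# Precondition: $_[0]->{synparams} is set, so {synchain} names the policy chain whose syn-flood chain is shared.`. The @EXPORT hunk at the top of this section drops syn_chain in favour of syn_flood_chain; the only other caller I can see (Shorewall::Rules) is removed in this commit, but any caller outside this diff would now fail at runtime rather than compile time, since the symbol simply stops being imported.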
@ -288,6 +288,7 @@ sub initialize() {
|
||||
OPTIMIZE => undef,
|
||||
EXPORTPARAMS => undef,
|
||||
SHOREWALL_COMPILER => undef,
|
||||
EXPAND_POLICIES => undef,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@ -1435,6 +1436,7 @@ sub get_configuration( $ ) {
|
||||
warning_message 'USE_ACTIONS=No is not supported by Shorewall-perl ' . $globals{VERSION} unless $config{USE_ACTIONS};
|
||||
|
||||
default_yes_no 'EXPORTPARAMS' , '';
|
||||
default_yes_no 'EXPAND_POLICIES' , '';
|
||||
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||
|
||||
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
|
||||
|
@ -32,7 +32,7 @@ use Shorewall::Actions;
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain );
|
||||
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = 4.00;
|
||||
|
||||
@ -61,9 +61,30 @@ sub set_policy_chain($$$)
|
||||
my ($chain1, $chainref, $policy) = @_;
|
||||
|
||||
my $chainref1 = $filter_table->{$chain1};
|
||||
|
||||
$chainref1 = new_chain 'filter', $chain1 unless $chainref1;
|
||||
|
||||
unless ( $chainref1->{policychain} ) {
|
||||
$chainref1->{policychain} = $chainref->{name};
|
||||
if ( $config{EXPAND_POLICIES} ) {
|
||||
#
|
||||
# We convert the canonical chain into a policy chain, using the settings of the
|
||||
# passed policy chain.
|
||||
#
|
||||
$chainref1->{policychain} = $chain1;
|
||||
$chainref1->{loglevel} = $chainref->{loglevel} if defined $chainref->{loglevel};
|
||||
|
||||
if ( defined $chainref->{synparams} ) {
|
||||
$chainref1->{synparams} = $chainref->{synparams};
|
||||
$chainref1->{synchain} = $chainref->{synchain};
|
||||
}
|
||||
|
||||
$chainref1->{default} = $chainref->{default} if defined $chainref->{default};
|
||||
$chainref1->{is_policy} = 1;
|
||||
push @policy_chains, $chainref1;
|
||||
} else {
|
||||
$chainref1->{policychain} = $chainref->{name};
|
||||
}
|
||||
|
||||
$chainref1->{policy} = $policy;
|
||||
}
|
||||
}
|
||||
@ -209,16 +230,21 @@ sub validate_policy()
|
||||
$chainref->{is_policy} = 1;
|
||||
$chainref->{policy} = $policy;
|
||||
$chainref->{policychain} = $chain;
|
||||
push @policy_chains, ( $chainref );
|
||||
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
|
||||
}
|
||||
} else {
|
||||
$chainref = new_policy_chain $chain, $policy, 0;
|
||||
push @policy_chains, ( $chainref );
|
||||
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
|
||||
}
|
||||
|
||||
$chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
|
||||
$chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT' if $synparams ne '';
|
||||
$chainref->{default} = $default if $default;
|
||||
$chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
|
||||
|
||||
if ( $synparams ne '' ) {
|
||||
$chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT';
|
||||
$chainref->{synchain} = $chain
|
||||
}
|
||||
|
||||
$chainref->{default} = $default if $default;
|
||||
|
||||
if ( $clientwild ) {
|
||||
if ( $serverwild ) {
|
||||
@ -359,4 +385,21 @@ sub complete_standard_chain ( $$$ ) {
|
||||
policy_rules $stdchainref , $policy , $loglevel, $default;
|
||||
}
|
||||
|
||||
#
|
||||
# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
|
||||
#
|
||||
sub setup_syn_flood_chains() {
|
||||
for my $chainref ( @policy_chains ) {
|
||||
my $limit = $chainref->{synparams};
|
||||
if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
|
||||
my $level = $chainref->{loglevel};
|
||||
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
|
||||
add_rule $synchainref , "${limit}-j RETURN";
|
||||
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
|
||||
if $level ne '';
|
||||
add_rule $synchainref, '-j DROP';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
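Review bot: The rewritten @EXPORT line in this file's first hunk has a stray `sub` inside the qw() list — `qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains )` — so Exporter will export a symbol named `sub` into every importing package; Exporter does not check that an exported name is defined, so this will not fail at import time, but it is wrong and should read `our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );`. The definition of setup_syn_flood_chains is deleted from Shorewall::Rules in the last section of this commit and its caller is not visible here, so it is worth confirming that the caller now imports it from Shorewall::Policy. In the validate_policy hunk, `$chainref->{synchain} = $chain` is the final statement of its block and has no terminating semicolon — legal Perl, but the surrounding code terminates every statement, so `$chainref->{synchain} = $chain;` would match. The new `! $filter_table->{syn_flood_chain $chainref}` guard in setup_syn_flood_chains exists because expanded policy chains copy the parent's {synchain} and so share one syn-flood chain; a one-line comment saying so would save the next reader the cross-reference to set_policy_chain.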
@ -275,20 +275,6 @@ sub setup_rfc1918_filteration( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_syn_flood_chains() {
|
||||
for my $chainref ( @policy_chains ) {
|
||||
my $limit = $chainref->{synparams};
|
||||
if ( $limit ) {
|
||||
my $level = $chainref->{loglevel};
|
||||
my $synchainref = new_chain 'filter' , syn_chain $chainref->{name};
|
||||
add_rule $synchainref , "${limit}-j RETURN";
|
||||
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
|
||||
if $level ne '';
|
||||
add_rule $synchainref, '-j DROP';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_blacklist() {
|
||||
|
||||
my $hosts = find_hosts_by_option 'blacklist';
|
||||
|