2007-03-15 22:55:22 +01:00
#
2007-12-01 18:45:43 +01:00
# Shorewall-perl 4.1 -- /usr/share/shorewall-perl/Shorewall/Rules.pm
2007-03-15 22:55:22 +01:00
#
2007-09-08 18:09:51 +02:00
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
2007-03-15 22:55:22 +01:00
#
# (c) 2007 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
2007-09-08 18:09:51 +02:00
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
2007-03-15 22:55:22 +01:00
#
2007-04-19 01:55:25 +02:00
# This module contains the high-level code for dealing with rules.
2007-03-15 22:55:22 +01:00
#
2007-03-15 04:17:56 +01:00
package Shorewall::Rules ;
require Exporter ;
2007-11-16 00:24:54 +01:00
use Shorewall::Config qw( :DEFAULT :internal ) ;
2007-05-11 17:39:11 +02:00
use Shorewall::IPAddrs ;
2007-03-15 04:17:56 +01:00
use Shorewall::Zones ;
2007-11-16 00:24:54 +01:00
use Shorewall::Chains qw( :DEFAULT :internal ) ;
2007-03-15 04:17:56 +01:00
use Shorewall::Actions ;
2007-03-15 04:25:08 +01:00
use Shorewall::Policy ;
2007-03-16 17:26:34 +01:00
use Shorewall::Proc ;
2007-03-15 04:17:56 +01:00
use strict ;
our @ ISA = qw( Exporter ) ;
2007-03-28 19:43:09 +02:00
our @ EXPORT = qw( process_tos
2007-03-28 20:48:43 +02:00
setup_ecn
2007-04-08 16:42:26 +02:00
add_common_rules
2007-03-21 21:08:05 +01:00
setup_mac_lists
process_criticalhosts
process_routestopped
process_rules
generate_matrix
setup_mss
2007-03-21 21:35:40 +01:00
dump_rule_chains
2007-03-21 21:08:05 +01:00
) ;
2007-06-14 01:02:39 +02:00
our @ EXPORT_OK = qw( process_rule process_rule1 initialize ) ;
2007-12-07 01:01:06 +01:00
our $ VERSION = 4.1 .2 ;
2007-03-15 04:17:56 +01:00
2007-03-21 21:08:05 +01:00
#
# Keep track of chains for the /var/lib/shorewall[-lite]/chains file
#
2007-06-05 18:49:13 +02:00
our @ rule_chains ;
2007-03-15 04:17:56 +01:00
#
# Set to one if we find a SECTION
#
2007-06-14 01:02:39 +02:00
our $ sectioned ;
2007-06-23 18:32:37 +02:00
our $ macro_nest_level ;
our $ current_param ;
our @ param_stack ;
2007-06-15 00:07:45 +02:00
#
# Initialize globals -- we take this novel approach to globals initialization to allow
# the compiler to run multiple times in the same process. The
# initialize() function does globals initialization for this
# module and is called from an INIT block below. The function is
# also called by Shorewall::Compiler::compiler at the beginning of
2007-07-26 20:36:18 +02:00
# the second and subsequent calls to that function.
2007-06-15 00:07:45 +02:00
#
2007-06-14 01:02:39 +02:00
sub initialize () {
@ rule_chains = ( ) ;
$ sectioned = 0 ;
2007-06-23 18:32:37 +02:00
$ macro_nest_level = 0 ;
$ current_param = '' ;
2008-01-12 01:35:07 +01:00
@ param_stack = ( ) ;
2007-06-14 01:02:39 +02:00
}
INIT {
initialize ;
}
2007-03-15 04:17:56 +01:00
2007-05-12 20:13:11 +02:00
use constant { MAX_MACRO_NEST_LEVEL = > 5 } ;
2007-03-15 22:55:22 +01:00
sub process_tos () {
2007-03-28 19:43:09 +02:00
my $ chain = $ capabilities { MANGLE_FORWARD } ? 'fortos' : 'pretos' ;
my $ stdchain = $ capabilities { MANGLE_FORWARD } ? 'FORWARD' : 'PREROUTING' ;
2007-03-15 22:55:22 +01:00
2007-05-03 19:28:03 +02:00
my % tosoptions = ( 'minimize-delay' = > 0x10 ,
'maximize-throughput' = > 0x08 ,
'maximize-reliability' = > 0x04 ,
'minimize-cost' = > 0x02 ,
'normal-service' = > 0x00 ) ;
2007-03-30 17:57:08 +02:00
if ( my $ fn = open_file 'tos' ) {
2007-03-29 20:57:53 +02:00
my $ first_entry = 1 ;
2007-11-16 00:24:54 +01:00
2007-03-29 20:57:53 +02:00
my ( $ pretosref , $ outtosref ) ;
2007-04-08 16:42:26 +02:00
2007-11-16 00:24:54 +01:00
first_entry ( sub { progress_message2 "$doing $fn..." ; $ pretosref = ensure_chain 'mangle' , $ chain ; $ outtosref = ensure_chain 'mangle' , 'outtos' ; } ) ;
2007-03-27 01:17:46 +02:00
2007-11-16 00:24:54 +01:00
while ( read_a_line ) {
2007-03-29 20:57:53 +02:00
2007-05-17 16:10:46 +02:00
my ( $ src , $ dst , $ proto , $ sports , $ ports , $ tos , $ mark ) = split_line 6 , 7 , 'tos file entry' ;
2007-05-09 21:03:09 +02:00
2007-11-16 00:24:54 +01:00
$ first_entry = 0 ;
2007-08-26 17:12:04 +02:00
fatal_error "A value must be supplied in the TOS column" if $ tos eq '-' ;
2007-07-26 20:36:18 +02:00
if ( defined ( my $ tosval = $ tosoptions { "\L$tos" } ) ) {
2007-05-03 19:28:03 +02:00
$ tos = $ tosval ;
2007-12-07 20:06:01 +01:00
} else {
my $ val = numeric_value ( $ tos ) ;
fatal_error "Invalid TOS value ($tos)" unless defined ( $ val ) && $ val < 0x1f ;
2007-05-03 19:28:03 +02:00
}
2007-07-26 20:36:18 +02:00
2007-03-25 21:27:25 +02:00
my $ chainref ;
my $ restriction = NO_RESTRICT ;
2007-05-17 16:10:46 +02:00
my ( $ srczone , $ source , $ remainder ) = split ( /:/ , $ src , 3 ) ;
fatal_error "Invalid SOURCE" if defined $ remainder ;
2007-03-27 01:17:46 +02:00
2007-09-10 17:52:57 +02:00
if ( $ srczone eq firewall_zone ) {
2007-03-25 21:27:25 +02:00
$ chainref = $ outtosref ;
$ src = $ source || '-' ;
$ restriction = OUTPUT_RESTRICT ;
} else {
$ chainref = $ pretosref ;
2007-03-25 21:52:01 +02:00
$ src =~ s/^all:?// ;
2007-03-25 21:27:25 +02:00
}
2007-03-25 21:43:33 +02:00
2007-03-25 23:04:24 +02:00
$ dst =~ s/^all:?// ;
2007-03-27 01:17:46 +02:00
2007-04-08 16:42:26 +02:00
expand_rule
2007-03-25 21:27:25 +02:00
$ chainref ,
$ restriction ,
2007-05-01 20:30:10 +02:00
do_proto ( $ proto , $ ports , $ sports ) . do_test ( $ mark , 0xFF ) ,
2007-03-25 21:27:25 +02:00
$ src ,
$ dst ,
'' ,
"-j TOS --set-tos $tos" ,
'' ,
'' ,
'' ;
2007-03-15 22:55:22 +01:00
}
2007-03-29 20:57:53 +02:00
unless ( $ first_entry ) {
2007-09-12 17:03:47 +02:00
add_rule $ mangle_table - > { $ stdchain } , "-j $chain" if $ pretosref - > { referenced } ;
add_rule $ mangle_table - > { OUTPUT } , "-j outtos" if $ outtosref - > { referenced } ;
2007-03-29 20:57:53 +02:00
}
2007-03-15 22:55:22 +01:00
}
}
2007-03-28 20:48:43 +02:00
#
# Setup ECN disabling rules
#
sub setup_ecn ()
{
my % interfaces ;
my @ hosts ;
2007-03-30 17:57:08 +02:00
if ( my $ fn = open_file 'ecn' ) {
2007-11-16 00:24:54 +01:00
first_entry "$doing $fn..." ;
2007-03-28 20:48:43 +02:00
2007-03-29 19:02:13 +02:00
while ( read_a_line ) {
2007-03-28 20:48:43 +02:00
2007-05-17 16:10:46 +02:00
my ( $ interface , $ hosts ) = split_line 1 , 2 , 'ecn file entry' ;
2007-05-09 21:03:09 +02:00
2007-06-16 23:08:12 +02:00
fatal_error "Unknown interface ($interface)" unless known_interface $ interface ;
2007-03-28 20:48:43 +02:00
$ interfaces { $ interface } = 1 ;
$ hosts = ALLIPv4 if $ hosts eq '-' ;
for my $ host ( split /,/ , $ hosts ) {
push @ hosts , [ $ interface , $ host ] ;
}
}
if ( @ hosts ) {
my @ interfaces = ( keys % interfaces ) ;
progress_message "$doing ECN control on @interfaces..." ;
for my $ interface ( @ interfaces ) {
2007-09-12 17:03:47 +02:00
my $ chainref = ensure_chain 'mangle' , ecn_chain ( $ interface ) ;
2007-04-08 16:42:26 +02:00
2007-09-12 17:03:47 +02:00
add_rule $ mangle_table - > { POSTROUTING } , "-p tcp -o $interface -j $chainref->{name}" ;
add_rule $ mangle_table - > { OUTPUT } , "-p tcp -o $interface -j $chainref->{name}" ;
2007-03-28 20:48:43 +02:00
}
for my $ host ( @ hosts ) {
2007-09-12 17:03:47 +02:00
add_rule $ mangle_table - > { ecn_chain $ host - > [ 0 ] } , join ( '' , '-p tcp ' , match_dest_net ( $ host - > [ 1 ] ) , ' -j ECN --ecn-tcp-remove' ) ;
2007-03-28 20:48:43 +02:00
}
}
}
}
2007-03-15 22:55:22 +01:00
sub add_rule_pair ( $$$$ ) {
my ( $ chainref , $ predicate , $ target , $ level ) = @ _ ;
2007-05-12 02:33:48 +02:00
log_rule ( $ level , $ chainref , "\U$target" , $ predicate ) if defined $ level && $ level ne '' ;
2007-03-15 22:55:22 +01:00
add_rule $ chainref , "${predicate}-j $target" ;
}
sub setup_rfc1918_filteration ( $ ) {
my $ listref = $ _ [ 0 ] ;
2007-09-12 17:03:47 +02:00
my $ norfc1918ref = new_standard_chain 'norfc1918' ;
my $ rfc1918ref = new_standard_chain 'rfc1918' ;
2007-03-15 22:55:22 +01:00
my $ chainref = $ norfc1918ref ;
log_rule $ config { RFC1918_LOG_LEVEL } , $ rfc1918ref , 'DROP' , '' ;
add_rule $ rfc1918ref , '-j DROP' ;
2007-09-12 17:03:47 +02:00
$ chainref = new_standard_chain 'rfc1918d' if $ config { RFC1918_STRICT } ;
2007-03-15 22:55:22 +01:00
2007-03-30 17:57:08 +02:00
my $ fn = open_file 'rfc1918' ;
2007-11-27 16:50:20 +01:00
first_entry "$doing $fn..." ;
2007-03-27 01:17:46 +02:00
2007-03-29 19:02:13 +02:00
while ( read_a_line ) {
2007-03-15 22:55:22 +01:00
2007-05-09 21:03:09 +02:00
my ( $ networks , $ target ) = split_line 2 , 2 , 'rfc1918 file' ;
my $ s_target ;
2007-03-15 22:55:22 +01:00
if ( $ target eq 'logdrop' ) {
$ target = 'rfc1918' ;
$ s_target = 'rfc1918' ;
} elsif ( $ target eq 'DROP' ) {
$ s_target = 'DROP' ;
} elsif ( $ target eq 'RETURN' ) {
2007-04-24 23:36:10 +02:00
$ s_target = $ config { RFC1918_STRICT } ? 'rfc1918d' : 'RETURN' ;
2007-03-15 22:55:22 +01:00
} else {
fatal_error "Invalid target ($target) for $networks" ;
}
for my $ network ( split /,/ , $ networks ) {
add_rule $ norfc1918ref , match_source_net ( $ network ) . "-j $s_target" ;
add_rule $ chainref , match_orig_dest ( $ network ) . "-j $target" ;
}
}
add_rule $ norfc1918ref , '-j rfc1918d' if $ config { RFC1918_STRICT } ;
for my $ hostref ( @$ listref ) {
my $ interface = $ hostref - > [ 0 ] ;
my $ ipsec = $ hostref - > [ 1 ] ;
my $ policy = $ capabilities { POLICY_MATCH } ? "-m policy --pol $ipsec --dir in " : '' ;
2007-10-19 21:43:14 +02:00
for my $ chain ( first_chains $ interface ) {
2007-09-12 17:03:47 +02:00
add_rule $ filter_table - > { $ chain } , join ( '' , '-m state --state NEW ' , match_source_net ( $ hostref - > [ 2 ] ) , "${policy}-j norfc1918" ) ;
2007-03-15 22:55:22 +01:00
}
}
}
sub setup_blacklist () {
2007-03-16 23:19:32 +01:00
my $ hosts = find_hosts_by_option 'blacklist' ;
2007-03-31 20:44:48 +02:00
my $ chainref ;
my ( $ level , $ disposition ) = @ config { 'BLACKLIST_LOGLEVEL' , 'BLACKLIST_DISPOSITION' } ;
my $ target = $ disposition eq 'REJECT' ? 'reject' : $ disposition ;
2007-03-15 22:55:22 +01:00
2007-03-16 23:19:32 +01:00
if ( @$ hosts ) {
2007-09-12 17:03:47 +02:00
$ chainref = new_standard_chain 'blacklst' ;
2007-03-16 23:19:32 +01:00
2007-04-25 01:15:27 +02:00
if ( defined $ level && $ level ne '' ) {
2007-09-12 17:03:47 +02:00
my $ logchainref = new_standard_chain 'blacklog' ;
2007-03-27 01:17:46 +02:00
2007-03-31 20:44:48 +02:00
log_rule_limit ( $ level , $ logchainref , 'blacklst' , $ disposition , "$globals{LOGLIMIT}" , '' , 'add' , '' ) ;
2007-03-27 01:17:46 +02:00
2007-03-31 20:44:48 +02:00
add_rule $ logchainref , "-j $target" ;
2007-03-15 22:55:22 +01:00
2007-03-16 23:19:32 +01:00
$ target = 'blacklog' ;
}
2007-03-31 20:44:48 +02:00
}
2007-03-15 22:55:22 +01:00
2007-03-31 20:44:48 +02:00
BLACKLIST:
{
2007-03-30 17:57:08 +02:00
if ( my $ fn = open_file 'blacklist' ) {
2007-03-16 23:19:32 +01:00
2007-03-30 17:57:08 +02:00
my $ first_entry = 1 ;
2007-11-16 00:24:54 +01:00
first_entry "$doing $fn..." ;
2007-03-16 23:19:32 +01:00
2007-03-29 19:02:13 +02:00
while ( read_a_line ) {
2007-03-27 01:17:46 +02:00
2007-03-30 17:57:08 +02:00
if ( $ first_entry ) {
2007-03-31 20:44:48 +02:00
unless ( @$ hosts ) {
warning_message "The entries in $fn have been ignored because there are no 'blacklist' interfaces" ;
close_file ;
last BLACKLIST ;
}
2007-03-30 17:57:08 +02:00
$ first_entry = 0 ;
}
2007-05-09 21:03:09 +02:00
my ( $ networks , $ protocol , $ ports ) = split_line 1 , 3 , 'blacklist file' ;
2007-04-08 16:42:26 +02:00
expand_rule (
2007-03-31 20:44:48 +02:00
$ chainref ,
NO_RESTRICT ,
do_proto ( $ protocol , $ ports , '' ) ,
$ networks ,
'' ,
'' ,
"-j $target" ,
'' ,
$ disposition ,
'' ) ;
2007-04-08 16:42:26 +02:00
2007-07-07 18:34:38 +02:00
progress_message " \"$currentline\" added to blacklist" ;
2007-03-16 23:19:32 +01:00
}
2007-03-15 22:55:22 +01:00
}
2007-03-16 23:19:32 +01:00
my $ state = $ config { BLACKLISTNEWONLY } ? '-m state --state NEW,INVALID ' : '' ;
2007-03-27 01:17:46 +02:00
2007-03-16 23:19:32 +01:00
for my $ hostref ( @$ hosts ) {
my $ interface = $ hostref - > [ 0 ] ;
my $ ipsec = $ hostref - > [ 1 ] ;
my $ policy = $ capabilities { POLICY_MATCH } ? "-m policy --pol $ipsec --dir in " : '' ;
my $ network = $ hostref - > [ 2 ] ;
my $ source = match_source_net $ network ;
2007-04-08 16:42:26 +02:00
2007-10-19 21:43:14 +02:00
for my $ chain ( first_chains $ interface ) {
2007-09-12 17:03:47 +02:00
add_rule $ filter_table - > { $ chain } , "${source}${state}${policy}-j blacklst" ;
2007-03-16 23:19:32 +01:00
}
2007-04-08 16:42:26 +02:00
2007-03-16 23:19:32 +01:00
progress_message " Blacklisting enabled on ${interface}:${network}" ;
}
2007-03-15 22:55:22 +01:00
}
}
2007-03-16 00:18:58 +01:00
sub process_criticalhosts () {
2007-03-31 00:38:09 +02:00
my @ critical = ( ) ;
2007-03-16 00:18:58 +01:00
2007-03-31 00:40:13 +02:00
my $ fn = open_file 'routestopped' ;
2007-03-16 00:18:58 +01:00
2007-11-27 16:50:20 +01:00
first_entry "$doing $fn for critical hosts..." ;
2007-03-16 00:18:58 +01:00
2007-03-29 19:02:13 +02:00
while ( read_a_line ) {
2007-03-16 00:18:58 +01:00
my $ routeback = 0 ;
2007-03-27 01:17:46 +02:00
2007-05-09 21:03:09 +02:00
my ( $ interface , $ hosts , $ options ) = split_line 1 , 3 , 'routestopped file' ;
2007-06-19 15:48:16 +02:00
fatal_error "Unknown interface ($interface)" unless known_interface $ interface ;
2007-04-01 17:38:05 +02:00
$ hosts = ALLIPv4 unless $ hosts ne '-' ;
2007-03-16 00:18:58 +01:00
my @ hosts ;
for my $ host ( split /,/ , $ hosts ) {
2007-09-21 18:55:28 +02:00
validate_net $ host , 1 ;
2007-06-19 00:06:43 +02:00
push @ hosts , "$interface:$host" ;
2007-03-16 00:18:58 +01:00
}
unless ( $ options eq '-' ) {
for my $ option ( split /,/ , $ options ) {
unless ( $ option eq 'routeback' || $ option eq 'source' || $ option eq 'dest' ) {
if ( $ option eq 'critical' ) {
2007-04-08 16:42:26 +02:00
push @ critical , @ hosts ;
2007-03-16 00:18:58 +01:00
} else {
2007-03-30 04:05:11 +02:00
warning_message "Unknown routestopped option ( $option ) ignored" ;
2007-03-16 00:18:58 +01:00
}
}
}
}
}
\ @ critical ;
}
sub process_routestopped () {
my ( @ allhosts , % source , % dest ) ;
2007-03-30 17:57:08 +02:00
my $ fn = open_file 'routestopped' ;
2007-03-16 00:18:58 +01:00
2007-11-27 16:50:20 +01:00
first_entry "$doing $fn..." ;
2007-03-16 00:18:58 +01:00
2007-03-29 19:02:13 +02:00
while ( read_a_line ) {
2007-03-16 00:18:58 +01:00
my $ routeback = 0 ;
2007-03-27 01:17:46 +02:00
2007-05-09 21:03:09 +02:00
my ( $ interface , $ hosts , $ options ) = split_line 1 , 3 , 'routestopped file' ;
2007-06-19 15:48:16 +02:00
fatal_error "Unknown interface ($interface)" unless known_interface $ interface ;
2007-03-16 00:18:58 +01:00
$ hosts = ALLIPv4 unless $ hosts && $ hosts ne '-' ;
my @ hosts ;
for my $ host ( split /,/ , $ hosts ) {
2007-09-21 18:55:28 +02:00
validate_net $ host , 1 ;
2007-06-18 23:42:36 +02:00
push @ hosts , "$interface:$host" ;
2007-03-16 00:18:58 +01:00
}
unless ( $ options eq '-' ) {
for my $ option ( split /,/ , $ options ) {
if ( $ option eq 'routeback' ) {
if ( $ routeback ) {
2007-03-30 04:05:11 +02:00
warning_message "Duplicate 'routeback' option ignored" ;
2007-03-16 00:18:58 +01:00
} else {
$ routeback = 1 ;
2007-03-27 01:17:46 +02:00
2007-03-16 00:18:58 +01:00
for my $ host ( split /,/ , $ hosts ) {
my $ source = match_source_net $ host ;
my $ dest = match_dest_net $ host ;
emit "run_iptables -A FORWARD -i $interface -o $interface $source $dest -j ACCEPT" ;
2007-04-25 23:03:40 +02:00
clearrule ;
2007-03-16 00:18:58 +01:00
}
}
} elsif ( $ option eq 'source' ) {
for my $ host ( split /,/ , $ hosts ) {
$ source { "$interface:$host" } = 1 ;
}
} elsif ( $ option eq 'dest' ) {
for my $ host ( split /,/ , $ hosts ) {
$ dest { "$interface:$host" } = 1 ;
2007-03-27 01:17:46 +02:00
}
2007-03-16 00:18:58 +01:00
} else {
2007-03-30 04:05:11 +02:00
warning_message "Unknown routestopped option ( $option ) ignored" unless $ option eq 'critical' ;
2007-03-16 00:18:58 +01:00
}
}
}
push @ allhosts , @ hosts ;
}
for my $ host ( @ allhosts ) {
2007-03-16 01:58:25 +01:00
my ( $ interface , $ h ) = split /:/ , $ host ;
2007-03-16 00:18:58 +01:00
my $ source = match_source_net $ h ;
my $ dest = match_dest_net $ h ;
2007-06-19 16:05:46 +02:00
my $ sourcei = match_source_dev $ interface ;
my $ desti = match_dest_dev $ interface ;
2007-03-27 01:17:46 +02:00
2007-06-19 16:05:46 +02:00
emit "\$IPTABLES -A INPUT $sourcei $source -j ACCEPT" ;
emit "\$IPTABLES -A OUTPUT $desti $dest -j ACCEPT" if $ config { ADMINISABSENTMINDED } ;
2007-03-27 01:17:46 +02:00
2007-03-16 00:18:58 +01:00
my $ matched = 0 ;
if ( $ source { $ host } ) {
2007-06-19 16:05:46 +02:00
emit "\$IPTABLES -A FORWARD $sourcei $source -j ACCEPT" ;
2007-03-16 00:18:58 +01:00
$ matched = 1 ;
}
if ( $ dest { $ host } ) {
2007-06-19 16:05:46 +02:00
emit "\$IPTABLES -A FORWARD $desti $dest -j ACCEPT" ;
2007-03-16 00:18:58 +01:00
$ matched = 1 ;
}
2007-03-27 01:17:46 +02:00
2007-03-16 00:18:58 +01:00
unless ( $ matched ) {
for my $ host1 ( @ allhosts ) {
unless ( $ host eq $ host1 ) {
2007-03-16 01:58:25 +01:00
my ( $ interface1 , $ h1 ) = split /:/ , $ host1 ;
2007-03-16 00:18:58 +01:00
my $ dest1 = match_dest_net $ h1 ;
2007-06-19 16:05:46 +02:00
my $ desti1 = match_dest_dev $ interface1 ;
emit "\$IPTABLES -A FORWARD $sourcei $desti1 $source $dest1 -j ACCEPT" ;
2007-04-25 23:03:40 +02:00
clearrule ;
2007-03-16 00:18:58 +01:00
}
}
}
}
}
2007-03-15 22:55:22 +01:00
sub add_common_rules () {
my $ interface ;
my $ chainref ;
my $ level ;
my $ target ;
my $ rule ;
my $ list ;
my $ chain ;
2007-08-26 17:12:04 +02:00
if ( $ config { FASTACCEPT } ) {
2007-10-19 21:43:14 +02:00
add_rule ( $ filter_table - > { $ _ } , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT ) ;
2007-08-26 17:12:04 +02:00
}
2007-09-12 17:03:47 +02:00
my $ rejectref = new_standard_chain 'reject' ;
2007-03-15 22:55:22 +01:00
2007-04-24 23:27:40 +02:00
$ level = $ config { BLACKLIST_LOGLEVEL } ;
2007-03-15 22:55:22 +01:00
2007-09-12 17:03:47 +02:00
add_rule_pair new_standard_chain ( 'logdrop' ) , ' ' , 'DROP' , $ level ;
add_rule_pair new_standard_chain ( 'logreject' ) , ' ' , 'reject' , $ level ;
2007-03-15 22:55:22 +01:00
2007-09-12 17:03:47 +02:00
new_standard_chain 'dynamic' ;
2007-03-16 23:19:32 +01:00
my $ state = $ config { BLACKLISTNEWONLY } ? '-m state --state NEW,INVALID ' : '' ;
2007-03-27 01:17:46 +02:00
2007-09-10 17:52:57 +02:00
for $ interface ( all_interfaces ) {
2007-10-19 21:43:14 +02:00
for $ chain ( first_chains $ interface ) {
2007-09-12 17:03:47 +02:00
add_rule new_standard_chain ( $ chain ) , "$state -j dynamic" ;
2007-03-15 22:55:22 +01:00
}
2007-09-12 17:03:47 +02:00
new_standard_chain output_chain ( $ interface ) ;
2007-03-15 22:55:22 +01:00
}
2007-05-20 17:51:42 +02:00
2007-05-20 18:25:53 +02:00
run_user_exit1 'initdone' ;
2007-07-26 20:36:18 +02:00
2007-03-15 22:55:22 +01:00
setup_blacklist ;
$ list = find_hosts_by_option 'nosmurfs' ;
2007-09-12 17:03:47 +02:00
$ chainref = new_standard_chain 'smurfs' ;
2007-07-26 20:36:18 +02:00
2007-07-26 01:15:37 +02:00
if ( $ capabilities { ADDRTYPE } ) {
add_rule $ chainref , '-s 0.0.0.0 -j RETURN' ;
add_rule_pair $ chainref , '-m addrtype --src-type BROADCAST ' , 'DROP' , $ config { SMURF_LOG_LEVEL } ;
} else {
add_command $ chainref , 'for address in $ALL_BCASTS; do' ;
2007-08-26 17:12:04 +02:00
incr_cmd_level $ chainref ;
2007-07-26 18:57:47 +02:00
log_rule ( $ config { SMURF_LOG_LEVEL } , $ chainref , 'DROP' , '-s $address ' ) ;
add_rule $ chainref , '-s $address -j DROP' ;
2007-08-26 17:12:04 +02:00
decr_cmd_level $ chainref ;
2007-07-26 01:15:37 +02:00
add_command $ chainref , 'done' ;
}
2007-03-15 22:55:22 +01:00
2007-05-15 22:40:15 +02:00
add_rule_pair $ chainref , '-s 224.0.0.0/4 ' , 'DROP' , $ config { SMURF_LOG_LEVEL } ;
2007-07-26 20:36:18 +02:00
2007-07-26 01:15:37 +02:00
if ( $ capabilities { ADDRTYPE } ) {
add_rule $ rejectref , '-m addrtype --src-type BROADCAST -j DROP' ;
} else {
add_command $ rejectref , 'for address in $ALL_BCASTS; do' ;
2007-08-26 17:12:04 +02:00
incr_cmd_level $ rejectref ;
2007-07-26 01:15:37 +02:00
add_rule $ rejectref , '-d $address -j DROP' ;
2007-08-26 17:12:04 +02:00
decr_cmd_level $ rejectref ;
2007-07-26 01:15:37 +02:00
add_command $ rejectref , 'done' ;
}
2007-05-15 22:40:15 +02:00
add_rule $ rejectref , '-s 224.0.0.0/4 -j DROP' ;
2007-03-27 01:17:46 +02:00
2007-03-15 22:55:22 +01:00
if ( @$ list ) {
2007-03-30 17:57:08 +02:00
progress_message2 'Adding Anti-smurf Rules' ;
2007-03-15 22:55:22 +01:00
for my $ hostref ( @$ list ) {
$ interface = $ hostref - > [ 0 ] ;
my $ ipsec = $ hostref - > [ 1 ] ;
my $ policy = $ capabilities { POLICY_MATCH } ? "-m policy --pol $ipsec --dir in " : '' ;
2007-10-19 21:43:14 +02:00
for $ chain ( first_chains $ interface ) {
2007-09-12 17:03:47 +02:00
add_rule $ filter_table - > { $ chain } , join ( '' , '-m state --state NEW,INVALID ' , match_source_net ( $ hostref - > [ 2 ] ) , "${policy}-j smurfs" ) ;
2007-03-15 22:55:22 +01:00
}
}
}
2007-03-27 01:17:46 +02:00
2007-03-15 22:55:22 +01:00
add_rule $ rejectref , '-p tcp -j REJECT --reject-with tcp-reset' ;
2007-03-27 01:17:46 +02:00
2007-03-15 22:55:22 +01:00
if ( $ capabilities { ENHANCED_REJECT } ) {
add_rule $ rejectref , '-p udp -j REJECT' ;
add_rule $ rejectref , '-p icmp -j REJECT --reject-with icmp-host-unreachable' ;
add_rule $ rejectref , '-j REJECT --reject-with icmp-host-prohibited' ;
} else {
add_rule $ rejectref , '-j REJECT' ;
}
$ list = find_interfaces_by_option 'dhcp' ;
if ( @$ list ) {
2007-03-30 17:57:08 +02:00
progress_message2 'Adding rules for DHCP' ;
2007-03-15 22:55:22 +01:00
for $ interface ( @$ list ) {
2007-05-10 20:31:24 +02:00
for $ chain ( input_chain $ interface , output_chain $ interface ) {
2007-09-12 17:03:47 +02:00
add_rule $ filter_table - > { $ chain } , '-p udp --dport 67:68 -j ACCEPT' ;
2007-03-15 22:55:22 +01:00
}
2007-09-12 17:03:47 +02:00
add_rule $ filter_table - > { forward_chain $ interface } , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option ( $ interface , 'bridge' ) ;
2007-03-15 22:55:22 +01:00
}
}
$ list = find_hosts_by_option 'norfc1918' ;
2007-03-30 17:57:08 +02:00
setup_rfc1918_filteration $ list if @$ list ;
2007-03-15 22:55:22 +01:00
$ list = find_hosts_by_option 'tcpflags' ;
if ( @$ list ) {
my $ disposition ;
2007-03-30 17:57:08 +02:00
progress_message2 "$doing TCP Flags filtering..." ;
2007-03-27 01:17:46 +02:00
2007-09-12 17:03:47 +02:00
$ chainref = new_standard_chain 'tcpflags' ;
2007-03-15 22:55:22 +01:00
2007-04-25 01:15:27 +02:00
if ( $ config { TCP_FLAGS_LOG_LEVEL } ne '' ) {
2007-09-12 17:03:47 +02:00
my $ logflagsref = new_standard_chain 'logflags' ;
2007-03-27 01:17:46 +02:00
2007-03-31 19:44:16 +02:00
my $ savelogparms = $ globals { LOGPARMS } ;
2007-03-15 22:55:22 +01:00
2007-11-18 19:05:08 +01:00
$ globals { LOGPARMS } = "$globals{LOGPARMS}--log-ip-options " ;
2007-03-27 01:17:46 +02:00
2007-03-15 22:55:22 +01:00
log_rule $ config { TCP_FLAGS_LOG_LEVEL } , $ logflagsref , $ config { TCP_FLAGS_DISPOSITION } , '' ;
2007-03-27 01:17:46 +02:00
2007-03-31 19:44:16 +02:00
$ globals { LOGPARMS } = $ savelogparms ;
2007-03-27 01:17:46 +02:00
2007-03-15 22:55:22 +01:00
if ( $ config { TCP_FLAGS_DISPOSITION } eq 'REJECT' ) {
add_rule $ logflagsref , '-j REJECT --reject-with tcp-reset' ;
} else {
add_rule $ logflagsref , "-j $config{TCP_FLAGS_DISPOSITION}" ;
}
$ disposition = 'logflags' ;
} else {
$ disposition = $ config { TCP_FLAGS_DISPOSITION } ;
}
add_rule $ chainref , "-p tcp --tcp-flags ALL FIN,URG,PSH -j $disposition" ;
add_rule $ chainref , "-p tcp --tcp-flags ALL NONE -j $disposition" ;
add_rule $ chainref , "-p tcp --tcp-flags SYN,RST SYN,RST -j $disposition" ;
add_rule $ chainref , "-p tcp --tcp-flags SYN,FIN SYN,FIN -j $disposition" ;
add_rule $ chainref , "-p tcp --syn --sport 0 -j $disposition" ;
for my $ hostref ( @$ list ) {
2007-10-19 21:43:14 +02:00
my $ policy = $ capabilities { POLICY_MATCH } ? "-m policy --pol $hostref->[1] --dir in " : '' ;
for $ chain ( first_chains $ hostref - > [ 0 ] ) {
add_rule $ filter_table - > { $ chain } , join ( '' , '-p tcp ' , match_source_net ( $ hostref - > [ 2 ] ) , "${policy}-j tcpflags" ) ;
2007-03-15 22:55:22 +01:00
}
}
}
if ( $ config { DYNAMIC_ZONES } ) {
2007-09-10 17:52:57 +02:00
for $ interface ( all_interfaces ) {
2007-10-19 21:43:14 +02:00
for $ chain ( dynamic_chains $ interface ) {
2007-09-12 17:03:47 +02:00
new_standard_chain $ chain ;
2007-03-15 22:55:22 +01:00
}
2007-03-27 01:17:46 +02:00
2007-12-17 21:53:27 +01:00
new_nat_chain ( $ chain = dynamic_in ( $ interface ) ) ;
2007-03-27 01:17:46 +02:00
2007-12-17 21:53:27 +01:00
add_rule $ filter_table - > { input_chain $ interface } , '-j ' . dynamic_in $ interface ;
2007-09-12 17:03:47 +02:00
add_rule $ filter_table - > { forward_chain $ interface } , '-j ' . dynamic_fwd $ interface ;
add_rule $ filter_table - > { output_chain $ interface } , '-j ' . dynamic_out $ interface ;
2007-07-26 20:36:18 +02:00
}
2007-03-27 01:17:46 +02:00
}
2007-03-15 22:55:22 +01:00
$ list = find_interfaces_by_option 'upnp' ;
if ( @$ list ) {
2007-03-30 17:57:08 +02:00
progress_message2 '$doing UPnP' ;
2007-03-15 22:55:22 +01:00
2007-12-17 21:53:27 +01:00
new_nat_chain ( 'UPnP' ) ;
2007-03-15 22:55:22 +01:00
for $ interface ( @$ list ) {
2007-09-12 17:03:47 +02:00
add_rule $ nat_table - > { PREROUTING } , match_source_dev ( $ interface ) . '-j UPnP' ;
2007-03-15 22:55:22 +01:00
}
}
setup_syn_flood_chains ;
}
my % maclist_targets = ( ACCEPT = > { target = > 'RETURN' , mangle = > 1 } ,
REJECT = > { target = > 'reject' , mangle = > 0 } ,
DROP = > { target = > 'DROP' , mangle = > 1 } ) ;
sub setup_mac_lists ( $ ) {
my $ phase = $ _ [ 0 ] ;
my % maclist_interfaces ;
my $ table = $ config { MACLIST_TABLE } ;
my $ maclist_hosts = find_hosts_by_option 'maclist' ;
2007-04-24 23:05:26 +02:00
my $ target = $ globals { MACLIST_TARGET } ;
my $ level = $ config { MACLIST_LOG_LEVEL } ;
my $ disposition = $ config { MACLIST_DISPOSITION } ;
my $ ttl = $ config { MACLIST_TTL } ;
2007-07-26 20:36:18 +02:00
2007-07-11 01:09:33 +02:00
progress_message2 "$doing MAC Filtration -- Phase $phase..." ;
2007-03-19 04:57:58 +01:00
for my $ hostref ( @$ maclist_hosts ) {
2007-03-22 15:41:32 +01:00
$ maclist_interfaces { $ hostref - > [ 0 ] } = 1 ;
2007-03-15 22:55:22 +01:00
}
my @ maclist_interfaces = ( sort keys % maclist_interfaces ) ;
2007-03-27 01:17:46 +02:00
2007-03-15 22:55:22 +01:00
progress_message " $doing MAC Verification for @maclist_interfaces -- Phase $phase..." ;
if ( $ phase == 1 ) {
2007-04-23 19:19:12 +02:00
2007-03-15 22:55:22 +01:00
for my $ interface ( @ maclist_interfaces ) {
2007-09-12 17:03:47 +02:00
my $ chainref = new_chain $ table , mac_chain $ interface ;
2007-03-27 01:17:46 +02:00
2007-03-15 22:55:22 +01:00
add_rule $ chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
2007-09-10 17:52:57 +02:00
if ( $ table eq 'mangle' ) && get_interface_option ( $ interface , 'dhcp' ) ;
2007-03-27 01:17:46 +02:00
2007-04-24 23:05:26 +02:00
if ( $ ttl ) {
2007-09-12 17:03:47 +02:00
my $ chain1ref = new_chain $ table , macrecent_target $ interface ;
2007-03-15 22:55:22 +01:00
my $ chain = $ chainref - > { name } ;
2007-04-24 23:05:26 +02:00
add_rule $ chainref , "-m recent --rcheck --seconds $ttl --name $chain -j RETURN" ;
2007-03-15 22:55:22 +01:00
add_rule $ chainref , "-j $chain1ref->{name}" ;
add_rule $ chainref , "-m recent --update --name $chain -j RETURN" ;
add_rule $ chainref , "-m recent --set --name $chain" ;
}
}
2007-03-30 17:57:08 +02:00
my $ fn = open_file 'maclist' ;
2007-11-27 16:50:20 +01:00
first_entry "$doing $fn..." ;
2007-03-15 22:55:22 +01:00
2007-03-29 19:02:13 +02:00
while ( read_a_line ) {
2007-03-15 22:55:22 +01:00
2007-05-10 17:29:41 +02:00
my ( $ disposition , $ interface , $ mac , $ addresses ) = split_line1 3 , 4 , 'maclist file' ;
2007-05-09 21:03:09 +02:00
2007-03-15 22:55:22 +01:00
if ( $ disposition eq 'COMMENT' ) {
2007-05-09 20:22:40 +02:00
process_comment ;
2007-03-15 22:55:22 +01:00
} else {
2007-05-17 16:10:46 +02:00
( $ disposition , my ( $ level , $ remainder ) ) = split ( /:/ , $ disposition , 3 ) ;
fatal_error "Invalid log level" if defined $ remainder ;
2007-03-15 22:55:22 +01:00
my $ targetref = $ maclist_targets { $ disposition } ;
2007-06-16 23:08:12 +02:00
fatal_error "Invalid DISPOSITION ($disposition)" if ! $ targetref || ( ( $ table eq 'mangle' ) && ! $ targetref - > { mangle } ) ;
2007-03-15 22:55:22 +01:00
2007-06-08 00:23:17 +02:00
unless ( $ maclist_interfaces { $ interface } ) {
fatal_error "No hosts on $interface have the maclist option specified" ;
}
2007-03-15 22:55:22 +01:00
2007-09-12 17:03:47 +02:00
my $ chainref = $ chain_table { $ table } { ( $ ttl ? macrecent_target $ interface : mac_chain $ interface ) } ;
2007-03-15 22:55:22 +01:00
$ mac = '' unless $ mac && ( $ mac ne '-' ) ;
$ addresses = '' unless $ addresses && ( $ addresses ne '-' ) ;
fatal_error "You must specify a MAC address or an IP address" unless $ mac || $ addresses ;
$ mac = mac_match $ mac if $ mac ;
if ( $ addresses ) {
for my $ address ( split ',' , $ addresses ) {
my $ source = match_source_net $ address ;
2007-07-26 20:36:18 +02:00
log_rule_limit $ level , $ chainref , mac_chain ( $ interface ) , $ disposition , '' , '' , 'add' , "${mac}${source}"
2007-04-25 01:15:27 +02:00
if defined $ level && $ level ne '' ;
2007-03-15 22:55:22 +01:00
add_rule $ chainref , "${mac}${source}-j $targetref->{target}" ;
}
} else {
2007-04-25 01:15:27 +02:00
log_rule_limit $ level , $ chainref , mac_chain ( $ interface ) , $ disposition , '' , '' , 'add' , $ mac
if defined $ level && $ level ne '' ;
2007-03-15 22:55:22 +01:00
add_rule $ chainref , "$mac-j $targetref->{target}" ;
}
2007-07-07 18:34:38 +02:00
progress_message " Maclist entry \"$currentline\" $done" ;
2007-03-15 22:55:22 +01:00
}
}
2007-09-10 17:52:57 +02:00
clear_comment ;
2007-04-18 22:53:25 +02:00
#
# Generate jumps from the input and forward chains
#
2007-03-15 22:55:22 +01:00
for my $ hostref ( @$ maclist_hosts ) {
my $ interface = $ hostref - > [ 0 ] ;
my $ ipsec = $ hostref - > [ 1 ] ;
my $ policy = $ capabilities { POLICY_MATCH } ? "-m policy --pol $ipsec --dir in " : '' ;
my $ source = match_source_net $ hostref - > [ 2 ] ;
my $ target = mac_chain $ interface ;
if ( $ table eq 'filter' ) {
2007-10-19 21:43:14 +02:00
for my $ chain ( first_chains $ interface ) {
2007-09-12 17:03:47 +02:00
add_rule $ filter_table - > { $ chain } , "${source}-m state --state NEW ${policy}-j $target" ;
2007-03-15 22:55:22 +01:00
}
} else {
2007-09-12 17:03:47 +02:00
add_rule $ mangle_table - > { PREROUTING } , match_source_dev ( $ interface ) . "${source}-m state --state NEW ${policy}-j $target" ;
2007-03-15 22:55:22 +01:00
}
}
} else {
for my $ interface ( @ maclist_interfaces ) {
2007-09-12 17:03:47 +02:00
my $ chainref = $ chain_table { $ table } { ( $ ttl ? macrecent_target $ interface : mac_chain $ interface ) } ;
2007-03-22 21:24:21 +01:00
my $ chain = $ chainref - > { name } ;
2007-04-24 22:53:07 +02:00
if ( $ level ne '' || $ disposition ne 'ACCEPT' ) {
2007-09-10 17:52:57 +02:00
my $ variable = get_interface_addresses source_port_to_bridge ( $ interface ) ;
2007-07-26 20:36:18 +02:00
2007-07-26 01:15:37 +02:00
if ( $ capabilities { ADDRTYPE } ) {
2007-07-26 20:36:18 +02:00
add_commands ( $ chainref ,
2007-07-26 01:15:37 +02:00
"for address in $variable; do" ,
" echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3" ,
" echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3" ,
'done' ) ;
} else {
2007-09-10 17:52:57 +02:00
my $ bridge = source_port_to_bridge ( $ interface ) ;
my $ bridgeref = find_interface ( $ bridge ) ;
2007-08-10 19:37:02 +02:00
2007-07-26 20:36:18 +02:00
add_commands ( $ chainref ,
2007-08-10 19:37:02 +02:00
"for address in $variable; do" ) ;
if ( $ bridgeref - > { broadcasts } ) {
for my $ address ( @ { $ bridgeref - > { broadcasts } } , '255.255.255.255' ) {
add_commands ( $ chainref ,
" echo \"-A $chainref->{name} -s \$address -d $address -j RETURN\" >&3" ) ;
}
} else {
my $ variable1 = get_interface_bcasts $ bridge ;
add_commands ( $ chainref ,
" for address1 in $variable1; do" ,
" echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3" ,
" done" ) ;
}
add_commands ( $ chainref ,
2007-07-26 01:15:37 +02:00
" echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3" ,
'done' ) ;
}
2007-03-22 21:24:21 +01:00
}
2007-05-20 18:37:09 +02:00
run_user_exit2 ( 'maclog' , $ chainref ) ;
2007-04-10 20:06:09 +02:00
2007-04-24 22:53:07 +02:00
log_rule_limit $ level , $ chainref , $ chain , $ disposition , '' , '' , 'add' , '' if $ level ne '' ;
2007-03-15 22:55:22 +01:00
add_rule $ chainref , "-j $target" ;
}
}
}
2007-06-06 02:47:27 +02:00
sub process_rule1 ( $ $ $ $ $ $ $ $ $ $ $ ) ;
2007-03-15 04:17:56 +01:00
#
# Expand a macro rule from the rules file
#
2007-06-06 02:47:27 +02:00
sub process_macro ( $$$$$$$$$$$$$ ) {
my ( $ macrofile , $ target , $ param , $ source , $ dest , $ proto , $ ports , $ sports , $ origdest , $ rate , $ user , $ mark , $ wildcard ) = @ _ ;
2007-03-15 04:17:56 +01:00
2007-12-07 00:49:21 +01:00
my $ nocomment = no_comment ;
2007-03-15 04:17:56 +01:00
progress_message "..Expanding Macro $macrofile..." ;
2007-03-29 19:02:13 +02:00
push_open $ macrofile ;
2007-03-15 04:17:56 +01:00
2007-03-29 19:02:13 +02:00
while ( read_a_line ) {
2007-03-27 01:17:46 +02:00
2007-12-07 00:49:21 +01:00
my ( $ mtarget , $ msource , $ mdest , $ mproto , $ mports , $ msports , $ mrate , $ muser ) = split_line1 1 , 8 , 'macro file' ;
if ( $ mtarget eq 'COMMENT' ) {
process_comment unless $ nocomment ;
next ;
}
2007-03-27 01:17:46 +02:00
2007-03-15 04:17:56 +01:00
$ mtarget = merge_levels $ target , $ mtarget ;
2007-03-27 01:17:46 +02:00
2007-10-19 21:43:14 +02:00
if ( $ mtarget =~ /^PARAM(:.*)?$/ ) {
2007-05-12 20:13:11 +02:00
fatal_error 'PARAM requires a parameter to be supplied in macro invocation' unless $ param ne '' ;
$ mtarget = substitute_param $ param , $ mtarget ;
2007-03-15 04:17:56 +01:00
}
2007-05-22 01:09:40 +02:00
my $ action = isolate_basic_target $ mtarget ;
2007-06-16 23:08:12 +02:00
fatal_error "Invalid or missing ACTION ($mtarget)" unless defined $ action ;
2007-05-22 01:09:40 +02:00
2007-05-12 20:13:11 +02:00
my $ actiontype = $ targets { $ action } || find_macro ( $ action ) ;
2007-03-15 04:17:56 +01:00
2007-05-13 17:39:20 +02:00
fatal_error "Invalid Action ($mtarget) in macro" unless $ actiontype & ( ACTION + STANDARD + NATRULE + MACRO ) ;
2007-03-15 04:17:56 +01:00
if ( $ msource ) {
if ( ( $ msource eq '-' ) || ( $ msource eq 'SOURCE' ) ) {
$ msource = $ source || '' ;
} elsif ( $ msource eq 'DEST' ) {
$ msource = $ dest || '' ;
} else {
$ msource = merge_macro_source_dest $ msource , $ source ;
}
} else {
$ msource = '' ;
}
if ( $ mdest ) {
if ( ( $ mdest eq '-' ) || ( $ mdest eq 'DEST' ) ) {
$ mdest = $ dest || '' ;
} elsif ( $ mdest eq 'SOURCE' ) {
$ mdest = $ source || '' ;
} else {
$ mdest = merge_macro_source_dest $ mdest , $ dest ;
}
} else {
$ mdest = '' ;
}
$ mproto = merge_macro_column $ mproto , $ proto ;
$ mports = merge_macro_column $ mports , $ ports ;
$ msports = merge_macro_column $ msports , $ sports ;
$ mrate = merge_macro_column $ mrate , $ rate ;
$ muser = merge_macro_column $ muser , $ user ;
2007-03-27 01:17:46 +02:00
2007-06-06 02:47:27 +02:00
process_rule1 $ mtarget , $ msource , $ mdest , $ mproto , $ mports , $ msports , $ origdest , $ mrate , $ muser , $ mark , $ wildcard ;
2007-03-15 04:17:56 +01:00
2007-07-07 18:34:38 +02:00
progress_message " Rule \"$currentline\" $done" ;
2007-04-23 20:28:07 +02:00
}
2007-03-15 04:17:56 +01:00
2007-03-29 19:02:13 +02:00
pop_open ;
2007-03-15 04:17:56 +01:00
2007-12-07 00:49:21 +01:00
progress_message "..End Macro $macrofile" ;
clear_comment unless $ nocomment ;
2007-03-15 04:17:56 +01:00
2007-12-07 00:49:21 +01:00
}
2007-03-15 04:17:56 +01:00
#
2007-10-19 21:43:14 +02:00
# Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If
# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
2007-03-15 04:17:56 +01:00
#
2007-06-06 02:47:27 +02:00
sub process_rule1 ( $$$$$$$$$$$ ) {
my ( $ target , $ source , $ dest , $ proto , $ ports , $ sports , $ origdest , $ ratelimit , $ user , $ mark , $ wildcard ) = @ _ ;
2007-03-15 04:17:56 +01:00
my ( $ action , $ loglevel ) = split_action $ target ;
2007-11-19 19:58:49 +01:00
my ( $ basictarget , $ param ) = get_target_param $ action ;
2007-03-15 04:17:56 +01:00
my $ rule = '' ;
my $ actionchainref ;
2007-06-06 18:20:33 +02:00
my $ optimize = $ wildcard ? ( $ basictarget =~ /!$/ ? 0 : $ config { OPTIMIZE } ) : 0 ;
2007-03-15 04:17:56 +01:00
2007-11-24 03:28:18 +01:00
unless ( defined $ param ) {
( $ basictarget , $ param ) = ( $ 1 , $ 2 ) if $ action =~ /^(\w+)[(](.*)[)]$/ ;
}
2007-05-12 20:13:11 +02:00
$ param = '' unless defined $ param ;
2007-07-26 20:36:18 +02:00
2007-03-15 04:17:56 +01:00
#
# Determine the validity of the action
#
2007-03-26 23:49:03 +02:00
my $ actiontype = $ targets { $ basictarget } || find_macro ( $ basictarget ) ;
2007-07-26 20:36:18 +02:00
2007-03-30 04:05:11 +02:00
fatal_error "Unknown action ($action)" unless $ actiontype ;
2007-03-15 04:17:56 +01:00
if ( $ actiontype == MACRO ) {
2007-03-29 06:22:10 +02:00
#
2007-11-16 00:24:54 +01:00
# process_macro() will call process_rule1() recursively for each rule in the macro body
2007-03-29 06:22:10 +02:00
#
2007-05-12 20:13:11 +02:00
fatal_error "Macro invocations nested too deeply" if + + $ macro_nest_level > MAX_MACRO_NEST_LEVEL ;
if ( $ param ne '' ) {
push @ param_stack , $ current_param ;
$ current_param = $ param ;
}
2007-07-26 20:36:18 +02:00
2007-05-04 16:16:18 +02:00
process_macro ( $ macros { $ basictarget } ,
$ target ,
2007-05-12 20:13:11 +02:00
$ current_param ,
2007-05-04 16:16:18 +02:00
$ source ,
$ dest ,
$ proto ,
$ ports ,
$ sports ,
$ origdest ,
$ ratelimit ,
$ user ,
2007-06-06 02:47:27 +02:00
$ mark ,
$ wildcard ) ;
2007-05-12 20:13:11 +02:00
$ macro_nest_level - - ;
2007-07-26 20:36:18 +02:00
2007-05-12 20:13:11 +02:00
$ current_param = pop @ param_stack if $ param ne '' ;
2007-03-15 04:17:56 +01:00
return ;
2007-08-26 17:12:04 +02:00
} elsif ( $ actiontype & NFQ ) {
require_capability ( 'NFQUEUE_TARGET' , 'NFQUEUE Rules' , '' ) ;
2007-12-07 20:06:01 +01:00
my $ paramval = $ param eq '' ? 0 : numeric_value ( $ param ) ;
fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined ( $ paramval ) && $ paramval <= 65535 ;
$ action = "NFQUEUE --queue-num $paramval" ;
2007-08-26 17:12:04 +02:00
} else {
fatal_error "The $basictarget TARGET does not accept a parameter" unless $ param eq '' ;
2007-03-15 04:17:56 +01:00
}
#
2007-11-16 00:24:54 +01:00
# We can now dispense with the postfix character
2007-03-15 04:17:56 +01:00
#
$ action =~ s/[\+\-!]$// ;
#
# Mark target as used
#
if ( $ actiontype & ACTION ) {
unless ( $ usedactions { $ target } ) {
$ usedactions { $ target } = 1 ;
createactionchain $ target ;
}
}
#
# Take care of irregular syntax and targets
#
if ( $ actiontype & REDIRECT ) {
2008-01-13 19:47:06 +01:00
my $ z = $ actiontype & NATONLY ? '' : firewall_zone ;
2007-03-15 04:17:56 +01:00
if ( $ dest eq '-' ) {
2008-01-13 19:47:06 +01:00
$ dest = join ( '' , $ z , '::' , $ ports =~ /[:,]/ ? '' : $ ports ) ;
2007-03-15 04:17:56 +01:00
} else {
2008-01-13 19:47:06 +01:00
$ dest = join ( '' , $ z , '::' , $ dest ) unless $ dest =~ /:/ ;
2007-03-15 04:17:56 +01:00
}
} elsif ( $ action eq 'REJECT' ) {
$ action = 'reject' ;
} elsif ( $ action eq 'CONTINUE' ) {
$ action = 'RETURN' ;
2007-04-30 17:25:07 +02:00
} elsif ( $ actiontype & LOGRULE ) {
fatal_error 'LOG requires a log level' unless defined $ loglevel and $ loglevel ne '' ;
2007-03-15 04:17:56 +01:00
}
#
# Isolate and validate source and destination zones
#
my $ sourcezone ;
my $ destzone ;
2007-09-10 17:52:57 +02:00
my $ sourceref ;
my $ destref ;
2007-07-26 20:36:18 +02:00
2007-03-15 04:17:56 +01:00
if ( $ source =~ /^(.+?):(.*)/ ) {
$ sourcezone = $ 1 ;
$ source = $ 2 ;
} else {
$ sourcezone = $ source ;
$ source = ALLIPv4 ;
}
2007-03-27 01:17:46 +02:00
2008-01-13 19:47:06 +01:00
if ( $ dest =~ /^(.*?):(.*)/ ) {
2007-03-15 04:17:56 +01:00
$ destzone = $ 1 ;
$ dest = $ 2 ;
} else {
$ destzone = $ dest ;
$ dest = ALLIPv4 ;
}
2007-07-26 20:36:18 +02:00
2007-10-19 21:43:14 +02:00
fatal_error "Missing source zone" if $ sourcezone eq '-' || $ sourcezone =~ /^:/ ;
2007-09-10 17:52:57 +02:00
fatal_error "Unknown source zone ($sourcezone)" unless $ sourceref = defined_zone ( $ sourcezone ) ;
2008-01-13 19:47:06 +01:00
if ( $ actiontype & NATONLY ) {
warning_message "Destination zone ($destzone) ignored" unless $ destzone eq '-' || $ destzone eq '' ;
} else {
fatal_error "Missing destination zone" if $ destzone eq '-' || $ destzone eq '' ;
fatal_error "Unknown destination zone ($destzone)" unless $ destref = defined_zone ( $ destzone ) ;
}
2007-03-25 21:43:33 +02:00
my $ restriction = NO_RESTRICT ;
2007-09-10 17:52:57 +02:00
if ( $ sourcezone eq firewall_zone ) {
$ restriction = $ destzone eq firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT ;
2007-03-25 21:43:33 +02:00
} else {
2007-09-10 17:52:57 +02:00
$ restriction = INPUT_RESTRICT if $ destzone eq firewall_zone ;
2007-03-25 21:43:33 +02:00
}
2007-10-19 21:43:14 +02:00
2008-01-13 19:47:06 +01:00
my ( $ chain , $ chainref , $ policy ) ;
2007-11-16 00:24:54 +01:00
#
# For compatibility with older Shorewall versions
#
$ origdest = ALLIPv4 if $ origdest eq 'all' ;
2007-06-06 02:47:27 +02:00
#
2007-03-15 04:17:56 +01:00
# Take care of chain
#
2008-01-13 19:47:06 +01:00
unless ( $ actiontype & NATONLY ) {
#
# Check for illegal bridge port rule
#
if ( $ destref - > { type } eq 'bport4' ) {
unless ( $ sourceref - > { bridge } eq $ destref - > { bridge } || single_interface ( $ sourcezone ) eq $ destref - > { bridge } ) {
return 1 if $ wildcard ;
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge" ;
}
}
2007-06-06 02:47:27 +02:00
2008-01-13 19:47:06 +01:00
$ chain = "${sourcezone}2${destzone}" ;
$ chainref = ensure_chain 'filter' , $ chain ;
$ policy = $ chainref - > { policy } ;
2007-10-19 21:43:14 +02:00
2008-01-13 19:47:06 +01:00
if ( $ policy eq 'NONE' ) {
return 1 if $ wildcard ;
fatal_error "Rules may not override a NONE policy" ;
2007-06-06 18:20:33 +02:00
}
2008-01-13 19:47:06 +01:00
#
# Handle Optimization
#
if ( $ optimize > 0 ) {
my $ loglevel = $ filter_table - > { $ chainref - > { policychain } } { loglevel } ;
if ( $ loglevel ne '' ) {
return 1 if $ target eq "${policy}:$loglevel}" ;
} else {
return 1 if $ basictarget eq $ policy ;
}
}
#
# Mark the chain as referenced and add appropriate rules from earlier sections.
#
$ chainref = ensure_filter_chain $ chain , 1 ;
2007-06-06 18:20:33 +02:00
}
2007-10-19 21:43:14 +02:00
2007-06-16 18:36:51 +02:00
#
2007-03-15 04:17:56 +01:00
# Generate Fixed part of the rule
#
2007-05-03 18:30:59 +02:00
$ rule = join ( '' , do_proto ( $ proto , $ ports , $ sports ) , do_ratelimit ( $ ratelimit , $ basictarget ) , do_user ( $ user ) , do_test ( $ mark , 0xFF ) ) ;
2007-03-15 04:17:56 +01:00
2007-05-09 00:28:48 +02:00
unless ( $ section eq 'NEW' ) {
2007-05-08 16:16:20 +02:00
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $ config { FASTACCEPT } ;
2007-11-16 00:24:54 +01:00
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $ actiontype & ( NATRULE | NONAT ) ;
2007-07-26 20:36:18 +02:00
$ rule . = "-m state --state $section "
2007-05-08 16:16:20 +02:00
}
2007-03-15 04:17:56 +01:00
#
# Generate NAT rule(s), if any
#
if ( $ actiontype & NATRULE ) {
2007-05-04 17:12:29 +02:00
my ( $ server , $ serverport ) ;
2007-11-16 00:24:54 +01:00
my $ randomize = $ dest =~ s/:random$// ? '--random ' : '' ;
2007-05-04 17:12:29 +02:00
require_capability ( 'NAT_ENABLED' , "$basictarget rules" , '' ) ;
2007-03-15 04:17:56 +01:00
#
2007-11-16 00:24:54 +01:00
# Isolate server port
2007-03-15 04:17:56 +01:00
#
2007-10-19 21:43:14 +02:00
if ( $ dest =~ /^(.*)(:(.+))$/ ) {
2007-11-16 00:24:54 +01:00
#
# Server IP and Port
#
$ server = $ 1 ; # May be empty
$ serverport = $ 3 ; # Not Empty due to RE
if ( $ serverport =~ /^(\d+)-(\d+)$/ ) {
#
# Server Port Range
#
fatal_error "Invalid port range ($serverport)" unless $ 1 < $ 2 ;
my @ ports = ( $ 1 , $ 2 ) ;
$ _ = validate_port ( proto_name ( $ proto ) , $ _ ) for ( @ ports ) ;
( $ ports = $ serverport ) =~ tr /-/ : / ;
} else {
$ serverport = $ ports = validate_port ( proto_name ( $ proto ) , $ serverport ) ;
}
} elsif ( $ dest eq ':' ) {
#
# Rule with no server IP or port ( zone:: )
#
$ server = $ serverport = '' ;
2007-03-15 04:17:56 +01:00
} else {
2007-11-16 00:24:54 +01:00
#
# Simple server IP address (may be empty or "-")
#
2007-03-15 04:17:56 +01:00
$ server = $ dest ;
$ serverport = '' ;
}
2007-05-04 16:16:18 +02:00
2007-03-15 04:17:56 +01:00
#
# Generate the target
#
my $ target = '' ;
2007-03-23 23:47:21 +01:00
if ( $ actiontype & REDIRECT ) {
2007-10-19 21:43:14 +02:00
fatal_error "A server IP address may not be specified in a REDIRECT rule" if $ server ;
2007-11-16 00:24:54 +01:00
$ target = '-j REDIRECT ' ;
$ target . = "--to-port $serverport " if $ serverport ;
2007-08-26 17:12:04 +02:00
if ( $ origdest eq '' || $ origdest eq '-' ) {
$ origdest = ALLIPv4 ;
} elsif ( $ origdest eq 'detect' ) {
2007-09-10 17:52:57 +02:00
if ( $ config { DETECT_DNAT_IPADDRS } && $ sourcezone ne firewall_zone ) {
my $ interfacesref = $ sourceref - > { interfaces } ;
2007-08-26 17:12:04 +02:00
my @ interfaces = keys %$ interfacesref ;
$ origdest = @ interfaces ? "detect:@interfaces" : ALLIPv4 ;
} else {
$ origdest = ALLIPv4 ;
}
}
2007-03-23 23:47:21 +01:00
} else {
2007-10-19 21:43:14 +02:00
fatal_error "A server must be specified in the DEST column in $action rules" if $ server eq '' ;
2008-01-13 19:47:06 +01:00
if ( $ server =~ /^(.+)-(.+)$/ ) {
validate_range ( $ 1 , $ 2 ) ;
} else {
validate_address $ server , 0 ;
}
2007-10-19 21:43:14 +02:00
2007-03-23 23:47:21 +01:00
if ( $ action eq 'SAME' ) {
fatal_error 'Port mapping not allowed in SAME rules' if $ serverport ;
2007-09-10 17:52:57 +02:00
fatal_error 'SAME not allowed with SOURCE=$FW' if $ sourcezone eq firewall_zone ;
2007-11-16 00:24:54 +01:00
fatal_error "':random' is not supported by the SAME target" if $ randomize ;
warning_message 'Netfilter support for SAME is being dropped in early 2008' ;
2007-03-23 23:47:21 +01:00
$ target = '-j SAME ' ;
for my $ serv ( split /,/ , $ server ) {
$ target . = "--to $serv " ;
}
2007-03-29 05:07:48 +02:00
} elsif ( $ action eq 'DNAT' ) {
$ target = '-j DNAT ' ;
2007-03-23 23:47:21 +01:00
$ serverport = ":$serverport" if $ serverport ;
for my $ serv ( split /,/ , $ server ) {
2007-03-29 05:07:48 +02:00
$ target . = "--to-destination ${serv}${serverport} " ;
2007-03-23 23:47:21 +01:00
}
2007-03-15 04:17:56 +01:00
}
2007-03-29 06:22:10 +02:00
unless ( $ origdest && $ origdest ne '-' && $ origdest ne 'detect' ) {
2007-09-10 17:52:57 +02:00
if ( $ config { DETECT_DNAT_IPADDRS } && $ sourcezone ne firewall_zone ) {
my $ interfacesref = $ sourceref - > { interfaces } ;
2007-03-23 23:47:21 +01:00
my @ interfaces = keys %$ interfacesref ;
$ origdest = @ interfaces ? "detect:@interfaces" : ALLIPv4 ;
} else {
$ origdest = ALLIPv4 ;
}
2007-03-23 02:37:23 +01:00
}
}
2007-08-26 17:12:04 +02:00
2007-11-16 00:24:54 +01:00
$ target . = $ randomize ;
2007-03-15 04:17:56 +01:00
#
# And generate the nat table rule(s)
#
2007-09-12 17:03:47 +02:00
expand_rule ( ensure_chain ( 'nat' , $ sourceref - > { type } eq 'firewall' ? 'OUTPUT' : dnat_chain $ sourcezone ) ,
2007-05-04 16:16:18 +02:00
PREROUTE_RESTRICT ,
$ rule ,
$ source ,
$ origdest ,
'' ,
$ target ,
$ loglevel ,
$ action ,
$ serverport ? do_proto ( $ proto , '' , '' ) : '' ) ;
2007-03-15 04:17:56 +01:00
#
2007-03-29 06:22:10 +02:00
# After NAT:
2007-11-16 00:24:54 +01:00
# - the destination port will be the server port ($ports) -- we did that above
# - the destination IP will be the server IP ($dest)
2007-03-29 06:22:10 +02:00
# - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
2007-05-09 00:42:35 +02:00
# - the target will be ACCEPT.
2007-03-15 04:17:56 +01:00
#
unless ( $ actiontype & NATONLY ) {
2007-11-16 00:24:54 +01:00
$ rule = join ( '' , do_proto ( $ proto , $ ports , $ sports ) , do_ratelimit ( $ ratelimit , 'ACCEPT' ) , do_user $ user , do_test ( $ mark , 0xFF ) ) ;
2007-03-15 04:17:56 +01:00
$ loglevel = '' ;
2007-03-29 05:07:48 +02:00
$ dest = $ server ;
$ action = 'ACCEPT' ;
2007-03-15 04:17:56 +01:00
}
2007-05-09 00:28:48 +02:00
} elsif ( $ actiontype & NONAT ) {
#
# NONAT or ACCEPT+ -- May not specify a destination interface
#
fatal_error "Invalid DEST ($dest) in $action rule" if $ dest =~ /:/ ;
$ origdest = '' unless $ origdest and $ origdest ne '-' ;
2007-03-23 17:12:36 +01:00
2007-05-09 00:28:48 +02:00
if ( $ origdest eq 'detect' ) {
2007-09-10 17:52:57 +02:00
my $ interfacesref = $ sourceref - > { interfaces } ;
2007-05-09 00:28:48 +02:00
my $ interfaces = "@$interfacesref" ;
$ origdest = $ interfaces ? "detect:$interfaces" : ALLIPv4 ;
2007-03-23 02:37:23 +01:00
}
2007-05-09 00:28:48 +02:00
2007-09-12 17:03:47 +02:00
expand_rule ( ensure_chain ( 'nat' , $ sourceref - > { type } eq 'firewall' ? 'OUTPUT' : dnat_chain $ sourcezone ) ,
2007-05-09 00:28:48 +02:00
PREROUTE_RESTRICT ,
$ rule ,
$ source ,
$ dest ,
$ origdest ,
'-j RETURN ' ,
$ loglevel ,
$ action ,
'' ) ;
2007-03-15 04:17:56 +01:00
}
#
# Add filter table rule, unless this is a NATONLY rule type
#
unless ( $ actiontype & NATONLY ) {
if ( $ actiontype & ACTION ) {
$ action = ( find_logactionchain $ target ) - > { name } ;
$ loglevel = '' ;
}
2007-03-29 06:22:10 +02:00
unless ( $ origdest eq '-' ) {
2007-05-04 17:12:29 +02:00
require_capability ( 'CONNTRACK_MATCH' , 'ORIGINAL DEST in a non-NAT rule' , 's' ) unless $ actiontype & NATRULE ;
2007-03-29 06:22:10 +02:00
} else {
$ origdest = '' ;
}
2007-09-12 17:03:47 +02:00
expand_rule ( ensure_chain ( 'filter' , $ chain ) ,
2007-05-04 16:16:18 +02:00
$ restriction ,
$ rule ,
$ source ,
$ dest ,
$ origdest ,
2007-11-20 21:47:19 +01:00
"-j $action " ,
2007-05-04 16:16:18 +02:00
$ loglevel ,
$ action ,
'' ) ;
2007-03-15 04:17:56 +01:00
}
}
#
2007-07-26 20:36:18 +02:00
# Process a Record in the rules file
2007-04-21 23:24:38 +02:00
#
2007-05-09 17:08:39 +02:00
# Deals with the ugliness of wildcard zones ('all' in SOURCE and/or DEST column).
2007-03-15 04:17:56 +01:00
#
2007-05-01 20:30:10 +02:00
sub process_rule ( $$$$$$$$$$ ) {
my ( $ target , $ source , $ dest , $ proto , $ ports , $ sports , $ origdest , $ ratelimit , $ user , $ mark ) = @ _ ;
2007-03-15 04:17:56 +01:00
my $ intrazone = 0 ;
my $ includesrcfw = 1 ;
my $ includedstfw = 1 ;
2007-07-07 18:34:38 +02:00
my $ thisline = $ currentline ;
2007-03-15 04:17:56 +01:00
#
# Section Names are optional so once we get to an actual rule, we need to be sure that
# we close off any missing sections.
#
unless ( $ sectioned ) {
finish_section 'ESTABLISHED,RELATED' ;
2007-05-10 18:13:16 +02:00
$ sections { $ section = 'NEW' } = 1 ;
2007-03-15 04:17:56 +01:00
$ sectioned = 1 ;
}
2007-04-01 01:43:10 +02:00
2007-03-15 04:17:56 +01:00
#
# Handle Wildcards
#
if ( $ source =~ /^all[-+]/ ) {
if ( $ source eq 'all+' ) {
$ source = 'all' ;
$ intrazone = 1 ;
} elsif ( ( $ source eq 'all+-' ) || ( $ source eq 'all-+' ) ) {
$ source = 'all' ;
$ intrazone = 1 ;
$ includesrcfw = 0 ;
} elsif ( $ source eq 'all-' ) {
$ source = 'all' ;
$ includesrcfw = 0 ;
2007-05-09 17:08:39 +02:00
} else {
2007-11-22 17:53:49 +01:00
fatal_error "Invalid SOURCE ($source)" ;
2007-03-15 04:17:56 +01:00
}
}
if ( $ dest =~ /^all[-+]/ ) {
if ( $ dest eq 'all+' ) {
$ dest = 'all' ;
$ intrazone = 1 ;
} elsif ( ( $ dest eq 'all+-' ) || ( $ dest eq 'all-+' ) ) {
$ dest = 'all' ;
$ intrazone = 1 ;
$ includedstfw = 0 ;
2007-05-09 17:08:39 +02:00
} elsif ( $ dest eq 'all-' ) {
2007-03-15 04:17:56 +01:00
$ dest = 'all' ;
$ includedstfw = 0 ;
2007-05-09 17:08:39 +02:00
} else {
2007-11-22 17:53:49 +01:00
fatal_error "Invalid DEST ($dest)" ;
2007-03-15 04:17:56 +01:00
}
2007-07-26 20:36:18 +02:00
2007-03-15 04:17:56 +01:00
}
my $ action = isolate_basic_target $ target ;
2007-06-16 23:08:12 +02:00
fatal_error "Invalid or missing ACTION ($target)" unless defined $ action ;
2007-05-21 21:50:24 +02:00
2007-03-15 04:17:56 +01:00
if ( $ source eq 'all' ) {
2007-09-10 17:52:57 +02:00
for my $ zone ( all_zones ) {
2007-09-12 17:03:47 +02:00
if ( $ includesrcfw || ( zone_type ( $ zone ) ne 'firewall' ) ) {
2007-03-15 04:17:56 +01:00
if ( $ dest eq 'all' ) {
2007-09-10 17:52:57 +02:00
for my $ zone1 ( all_zones ) {
2007-09-12 17:03:47 +02:00
if ( $ includedstfw || ( zone_type ( $ zone1 ) ne 'firewall' ) ) {
2007-03-15 04:17:56 +01:00
if ( $ intrazone || ( $ zone ne $ zone1 ) ) {
2007-06-06 02:47:27 +02:00
process_rule1 $ target , $ zone , $ zone1 , $ proto , $ ports , $ sports , $ origdest , $ ratelimit , $ user , $ mark , 1 ;
2007-03-15 04:17:56 +01:00
}
2007-04-08 16:42:26 +02:00
}
2007-03-15 04:17:56 +01:00
}
} else {
2007-05-17 16:10:46 +02:00
my $ destzone = ( split ( /:/ , $ dest , 2 ) ) [ 0 ] ;
2007-09-10 17:52:57 +02:00
$ destzone = firewall_zone unless defined_zone ( $ destzone ) ; # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
2007-04-21 16:07:37 +02:00
if ( $ intrazone || ( $ zone ne $ destzone ) ) {
2007-06-06 02:47:27 +02:00
process_rule1 $ target , $ zone , $ dest , $ proto , $ ports , $ sports , $ origdest , $ ratelimit , $ user , $ mark , 1 ;
2007-04-20 02:02:41 +02:00
}
2007-03-15 04:17:56 +01:00
}
2007-04-08 16:42:26 +02:00
}
2007-03-15 04:17:56 +01:00
}
} elsif ( $ dest eq 'all' ) {
2007-09-10 17:52:57 +02:00
for my $ zone ( all_zones ) {
2007-05-17 16:10:46 +02:00
my $ sourcezone = ( split ( /:/ , $ source , 2 ) ) [ 0 ] ;
2007-09-12 17:03:47 +02:00
if ( ( $ includedstfw || ( zone_type ( $ zone ) ne 'firewall' ) ) && ( ( $ sourcezone ne $ zone ) || $ intrazone ) ) {
2007-06-06 02:47:27 +02:00
process_rule1 $ target , $ source , $ zone , $ proto , $ ports , $ sports , $ origdest , $ ratelimit , $ user , $ mark , 1 ;
2007-03-15 04:17:56 +01:00
}
}
} else {
2007-06-06 02:47:27 +02:00
process_rule1 $ target , $ source , $ dest , $ proto , $ ports , $ sports , $ origdest , $ ratelimit , $ user , $ mark , 0 ;
2007-03-15 04:17:56 +01:00
}
progress_message " Rule \"$thisline\" $done" ;
}
#
# Process the Rules File
#
sub process_rules () {
2007-03-30 17:57:08 +02:00
my $ fn = open_file 'rules' ;
2007-11-27 16:50:20 +01:00
first_entry "$doing $fn..." ;
2007-03-15 04:17:56 +01:00
2007-03-29 19:02:13 +02:00
while ( read_a_line ) {
2007-03-15 04:17:56 +01:00
2007-05-10 17:29:41 +02:00
my ( $ target , $ source , $ dest , $ proto , $ ports , $ sports , $ origdest , $ ratelimit , $ user , $ mark ) = split_line2 1 , 10 , 'rules file' ;
2007-05-09 21:03:09 +02:00
2007-03-15 04:17:56 +01:00
if ( $ target eq 'COMMENT' ) {
2007-05-09 20:22:40 +02:00
process_comment ;
2007-03-15 04:17:56 +01:00
} elsif ( $ target eq 'SECTION' ) {
2007-07-21 17:13:50 +02:00
#
# read_a_line has already verified that there are exactly two tokens on the line
#
2007-03-15 04:17:56 +01:00
fatal_error "Invalid SECTION $source" unless defined $ sections { $ source } ;
fatal_error "Duplicate or out of order SECTION $source" if $ sections { $ source } ;
$ sectioned = 1 ;
$ sections { $ source } = 1 ;
2007-05-08 02:48:05 +02:00
if ( $ source eq 'RELATED' ) {
2007-03-15 04:17:56 +01:00
$ sections { ESTABLISHED } = 1 ;
finish_section 'ESTABLISHED' ;
2007-05-08 02:48:05 +02:00
} elsif ( $ source eq 'NEW' ) {
2007-03-15 04:17:56 +01:00
@ sections { 'ESTABLISHED' , 'RELATED' } = ( 1 , 1 ) ;
finish_section ( ( $ section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' ) ;
}
$ section = $ source ;
} else {
2007-04-19 23:24:25 +02:00
if ( "\L$source" =~ /^none(:.*)?$/ || "\L$dest" =~ /^none(:.*)?$/ ) {
2007-07-07 18:34:38 +02:00
progress_message "Rule \"$currentline\" ignored."
2007-04-19 23:24:25 +02:00
} else {
2007-05-01 20:30:10 +02:00
process_rule $ target , $ source , $ dest , $ proto , $ ports , $ sports , $ origdest , $ ratelimit , $ user , $ mark ;
2007-04-19 23:24:25 +02:00
}
2007-03-15 04:17:56 +01:00
}
}
2007-03-27 01:17:46 +02:00
2007-09-10 17:52:57 +02:00
clear_comment ;
2007-03-15 04:17:56 +01:00
$ section = 'DONE' ;
}
2007-03-15 04:25:08 +01:00
#
2007-09-21 18:55:28 +02:00
# To quote an old comment, "generate_matrix makes a sow's ear out of a silk purse".
2007-03-15 04:25:08 +01:00
#
# The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
2007-09-21 18:55:28 +02:00
# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
2007-03-15 04:25:08 +01:00
#
2007-11-16 00:24:54 +01:00
# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
2007-04-08 16:42:26 +02:00
#
2007-03-15 04:25:08 +01:00
sub generate_matrix () {
#
# Helper functions for generate_matrix()
#-----------------------------------------
#
2007-06-08 22:10:43 +02:00
# Return the target for rules from $zone to $zone1.
2007-03-15 04:25:08 +01:00
#
sub rules_target ( $$ ) {
my ( $ zone , $ zone1 ) = @ _ ;
my $ chain = "${zone}2${zone1}" ;
2007-09-12 17:03:47 +02:00
my $ chainref = $ filter_table - > { $ chain } ;
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
return $ chain if $ chainref && $ chainref - > { referenced } ;
2007-06-08 22:12:39 +02:00
return 'ACCEPT' if $ zone eq $ zone1 ;
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
if ( $ chainref - > { policy } ne 'CONTINUE' ) {
2007-09-12 17:03:47 +02:00
my $ policyref = $ filter_table - > { $ chainref - > { policychain } } ;
2007-03-15 04:25:08 +01:00
return $ policyref - > { name } if $ policyref ;
fatal_error "No policy defined for zone $zone to zone $zone1" ;
}
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
'' ;
}
#
# Add a jump to the passed chain ($chainref) to the dynamic zone chain for the passed zone.
#
sub create_zone_dyn_chain ( $$ ) {
my ( $ zone , $ chainref ) = @ _ ;
my $ name = "${zone}_dyn" ;
2007-09-12 17:03:47 +02:00
new_standard_chain $ name ;
2007-03-15 04:25:08 +01:00
add_rule $ chainref , "-j $name" ;
}
#
# Insert the passed exclusions at the front of the passed chain.
#
sub insert_exclusions ( $$ ) {
my ( $ chainref , $ exclusionsref ) = @ _ ;
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
my $ num = 1 ;
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
for my $ host ( @ { $ exclusionsref } ) {
my ( $ interface , $ net ) = split /:/ , $ host ;
2007-06-08 18:15:21 +02:00
insert_rule $ chainref , $ num + + , join ( '' , match_dest_dev $ interface , match_dest_net ( $ net ) , '-j RETURN' ) ;
2007-03-15 04:25:08 +01:00
}
}
#
# Add the passed exclusions at the end of the passed chain.
#
sub add_exclusions ( $$ ) {
my ( $ chainref , $ exclusionsref ) = @ _ ;
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
for my $ host ( @ { $ exclusionsref } ) {
my ( $ interface , $ net ) = split /:/ , $ host ;
2007-06-08 18:15:21 +02:00
add_rule $ chainref , join ( '' , match_dest_dev $ interface , match_dest_net ( $ net ) , '-j RETURN' ) ;
2007-03-15 04:25:08 +01:00
}
2007-03-27 01:17:46 +02:00
}
2007-05-16 00:42:00 +02:00
#
2007-07-26 20:36:18 +02:00
# Set a breakpoint in this function if you want to step through generate_matrix().
2007-05-16 00:42:00 +02:00
#
sub start_matrix () {
2007-07-11 01:09:33 +02:00
progress_message2 'Generating Rule Matrix...' ;
2007-05-16 00:42:00 +02:00
}
#
2007-11-16 00:24:54 +01:00
# G e n e r a t e _ M a t r i x ( ) S t a r t s H e r e
2007-05-16 00:42:00 +02:00
#
start_matrix ;
2007-03-15 04:25:08 +01:00
my $ exclusion_seq = 1 ;
my % chain_exclusions ;
my % policy_exclusions ;
2007-09-10 17:52:57 +02:00
my @ interfaces = ( all_interfaces ) ;
2008-01-12 02:32:18 +01:00
my $ preroutingref = ensure_chain 'nat' , 'dnat' ;
my @ returnstack ;
2008-01-12 18:39:14 +01:00
my $ fw = firewall_zone ;
2007-06-08 22:10:43 +02:00
#
# Special processing for complex zones
#
2007-09-10 17:52:57 +02:00
for my $ zone ( complex_zones ) {
2007-09-12 17:03:47 +02:00
my $ frwd_ref = new_standard_chain "${zone}_frwd" ;
2007-09-10 17:52:57 +02:00
my $ zoneref = find_zone ( $ zone ) ;
2007-03-15 04:25:08 +01:00
my $ exclusions = $ zoneref - > { exclusions } ;
if ( @$ exclusions ) {
2007-09-12 17:03:47 +02:00
my $ in_ref = new_standard_chain "${zone}_input" ;
my $ out_ref = new_standard_chain "${zone}_output" ;
2007-03-27 01:17:46 +02:00
2007-09-12 17:03:47 +02:00
add_rule ensure_filter_chain ( "${zone}2${zone}" , 1 ) , '-j ACCEPT' if rules_target ( $ zone , $ zone ) eq 'ACCEPT' ;
2007-03-15 04:25:08 +01:00
for my $ host ( @$ exclusions ) {
my ( $ interface , $ net ) = split /:/ , $ host ;
2007-06-08 18:08:55 +02:00
my $ rule = match_source_dev ( $ interface ) . match_source_net ( $ net ) . "-j RETURN" ;
2007-06-06 02:47:27 +02:00
add_rule $ frwd_ref , $ rule ;
add_rule $ in_ref , $ rule ;
add_rule $ out_ref , $ rule ;
2007-03-15 04:25:08 +01:00
}
2007-05-15 01:14:30 +02:00
}
2007-03-27 01:17:46 +02:00
2007-05-15 01:14:30 +02:00
if ( $ capabilities { POLICY_MATCH } ) {
my $ type = $ zoneref - > { type } ;
2007-09-12 17:03:47 +02:00
my $ source_ref = ( $ zoneref - > { hosts } { ipsec4 } ) || { } ;
2007-03-15 04:25:08 +01:00
2007-05-15 01:14:30 +02:00
if ( $ config { DYNAMIC_ZONES } ) {
no warnings ;
2007-09-12 17:03:47 +02:00
create_zone_dyn_chain $ zone , $ frwd_ref if ( %$ source_ref || $ type eq 'ipsec4' ) ;
2007-05-15 01:14:30 +02:00
}
2007-03-27 01:17:46 +02:00
2007-05-15 01:14:30 +02:00
for my $ interface ( keys %$ source_ref ) {
my $ arrayref = $ source_ref - > { $ interface } ;
for my $ hostref ( @ { $ arrayref } ) {
my $ ipsec_match = match_ipsec_in $ zone , $ hostref ;
for my $ net ( @ { $ hostref - > { hosts } } ) {
2007-07-26 20:36:18 +02:00
add_rule (
2007-09-12 17:03:47 +02:00
$ filter_table - > { forward_chain $ interface } ,
2007-05-15 22:03:18 +02:00
join ( '' , match_source_net ( $ net ) , $ ipsec_match , "-j $frwd_ref->{name}" )
) ;
2007-03-15 04:25:08 +01:00
}
}
2007-03-27 01:17:46 +02:00
}
2007-03-15 04:25:08 +01:00
}
}
#
# Main source-zone matrix-generation loop
#
2007-09-10 17:52:57 +02:00
for my $ zone ( non_firewall_zones ) {
my $ zoneref = find_zone ( $ zone ) ;
2007-03-15 04:25:08 +01:00
my $ source_hosts_ref = $ zoneref - > { hosts } ;
2007-09-10 17:52:57 +02:00
my $ chain1 = rules_target firewall_zone , $ zone ;
my $ chain2 = rules_target $ zone , firewall_zone ;
2007-06-30 01:59:12 +02:00
my $ chain3 = rules_target $ zone , $ zone ;
2007-04-08 16:42:26 +02:00
my $ complex = $ zoneref - > { options } { complex } || 0 ;
2007-03-15 04:25:08 +01:00
my $ type = $ zoneref - > { type } ;
my $ exclusions = $ zoneref - > { exclusions } ;
2007-04-08 16:42:26 +02:00
my $ frwd_ref = 0 ;
2007-03-15 04:25:08 +01:00
my $ chain = 0 ;
2008-01-14 17:34:26 +01:00
my $ dnatref = $ nat_table - > { dnat_chain $ zone } || { } ;
2008-01-13 19:47:06 +01:00
my $ nested = $ zoneref - > { options } { nested } ;
2007-03-15 04:25:08 +01:00
if ( $ complex ) {
2007-09-12 17:03:47 +02:00
$ frwd_ref = $ filter_table - > { "${zone}_frwd" } ;
2008-01-14 17:34:26 +01:00
$ dnatref = ensure_chain 'nat' , dnat_chain ( $ zone ) ;
2007-03-15 04:25:08 +01:00
if ( @$ exclusions ) {
2008-01-14 17:34:26 +01:00
insert_exclusions $ dnatref , $ exclusions if $ dnatref - > { referenced } ;
2007-03-15 04:25:08 +01:00
}
}
2007-03-21 21:08:05 +01:00
if ( $ config { DYNAMIC_ZONES } ) {
2007-09-10 17:52:57 +02:00
push @ rule_chains , [ firewall_zone , $ zone , $ chain1 ] if $ chain1 ;
push @ rule_chains , [ $ zone , firewall_zone , $ chain2 ] ;
2007-03-21 21:08:05 +01:00
}
2008-01-14 17:34:26 +01:00
if ( $ nested ) {
#
# This is a sub-zone. We need to determine if
#
# a) A parent zone defines DNAT/REDIRECT rules; and
# b) The current zone has a CONTINUE policy to some other zone.
#
# If a) but not b), then we must avoid sending packets from this
# zone through the DNAT/REDIRECT chain for the parent.
#
my $ parenthasnat = 0 ;
for my $ parent ( @ { $ zoneref - > { parents } } ) {
my $ ref = $ nat_table - > { dnat_chain $ parent } || { } ;
$ parenthasnat = 1 , last if $ ref - > { referenced } ;
}
if ( $ parenthasnat ) {
for my $ zone1 ( all_zones ) {
if ( $ filter_table - > { "${zone}2${zone1}" } - > { policy } eq 'CONTINUE' ) {
#
# This zone has a continue policy to another zone. We must
# send packets from this zone through the parent's DNAT/REDIRECT chain.
#
$ nested = 0 ;
last ;
}
2008-01-13 19:47:06 +01:00
}
2008-01-14 17:34:26 +01:00
} else {
#
# No parent has DNAT so there is nothing to worry about. Don't bother to generate needless RETURN rules in the 'dnat' chain.
#
$ nested = 0 ;
2008-01-13 19:47:06 +01:00
}
}
2007-03-15 04:25:08 +01:00
#
# Take care of PREROUTING, INPUT and OUTPUT jumps
#
for my $ typeref ( values %$ source_hosts_ref ) {
2007-03-19 05:28:47 +01:00
for my $ interface ( keys %$ typeref ) {
my $ arrayref = $ typeref - > { $ interface } ;
2007-03-15 04:25:08 +01:00
for my $ hostref ( @$ arrayref ) {
my $ ipsec_in_match = match_ipsec_in $ zone , $ hostref ;
2007-04-08 16:42:26 +02:00
my $ ipsec_out_match = match_ipsec_out $ zone , $ hostref ;
2007-03-15 04:25:08 +01:00
for my $ net ( @ { $ hostref - > { hosts } } ) {
2007-04-26 18:56:04 +02:00
my $ dest = match_dest_net $ net ;
2007-03-15 04:25:08 +01:00
if ( $ chain1 ) {
2007-09-29 00:26:29 +02:00
my $ nextchain ;
my $ outputref = $ filter_table - > { output_chain $ interface } ;
2007-03-15 04:25:08 +01:00
if ( @$ exclusions ) {
2007-09-29 00:26:29 +02:00
add_rule $ outputref , join ( '' , $ dest , $ ipsec_out_match , "-j ${zone}_output" ) ;
2007-09-12 17:03:47 +02:00
add_rule $ filter_table - > { "${zone}_output" } , "-j $chain1" ;
2007-09-29 00:26:29 +02:00
$ nextchain = "${zone}_output" ;
2007-03-15 04:25:08 +01:00
} else {
2007-09-29 00:26:29 +02:00
add_rule $ outputref , join ( '' , $ dest , $ ipsec_out_match , "-j $chain1" ) ;
$ nextchain = $ chain1 ;
2007-03-15 04:25:08 +01:00
}
2007-09-29 00:26:29 +02:00
add_rule ( $ outputref , join ( '' , match_source_net $ net , '-d 255.255.255.255 ' . $ ipsec_out_match , "-j $nextchain" ) )
if $ hostref - > { options } { broadcast } ;
2007-03-15 04:25:08 +01:00
}
2007-03-27 01:17:46 +02:00
2007-10-19 21:43:14 +02:00
next if $ hostref - > { options } { destonly } ;
2007-09-29 00:26:29 +02:00
2007-04-25 23:03:40 +02:00
my $ source = match_source_net $ net ;
2008-01-13 19:47:06 +01:00
if ( $ dnatref - > { referenced } ) {
2008-01-12 02:32:18 +01:00
add_rule $ preroutingref , $ _ for ( @ returnstack ) ;
@ returnstack = ( ) ;
2008-01-13 19:47:06 +01:00
add_rule $ preroutingref , join ( '' , match_source_dev ( $ interface ) , $ source , $ ipsec_in_match , '-j ' , $ dnatref - > { name } ) ;
2008-01-12 02:32:18 +01:00
}
2008-01-13 19:47:06 +01:00
push @ returnstack , join ( '' , match_source_dev ( $ interface ) , $ source , $ ipsec_in_match , '-j RETURN' ) if $ nested ;
2007-03-15 04:25:08 +01:00
if ( $ chain2 ) {
if ( @$ exclusions ) {
2007-09-12 17:03:47 +02:00
add_rule $ filter_table - > { input_chain $ interface } , join ( '' , $ source , $ ipsec_in_match , "-j ${zone}_input" ) ;
add_rule $ filter_table - > { "${zone}_input" } , "-j $chain2" ;
2007-03-15 04:25:08 +01:00
} else {
2007-09-12 17:03:47 +02:00
add_rule $ filter_table - > { input_chain $ interface } , join ( '' , $ source , $ ipsec_in_match , "-j $chain2" ) ;
2007-03-15 04:25:08 +01:00
}
}
2007-09-12 17:03:47 +02:00
add_rule $ filter_table - > { forward_chain $ interface } , join ( '' , $ source , $ ipsec_in_match . "-j $frwd_ref->{name}" )
2007-03-15 04:25:08 +01:00
if $ complex && $ hostref - > { ipsec } ne 'ipsec' ;
}
}
}
}
2007-04-22 17:26:47 +02:00
2007-03-15 04:25:08 +01:00
#
# F O R W A R D I N G
#
my @ dest_zones ;
my $ last_chain = '' ;
if ( $ config { OPTIMIZE } > 0 ) {
my @ temp_zones ;
ZONE1:
2007-09-10 17:52:57 +02:00
for my $ zone1 ( non_firewall_zones ) {
my $ zone1ref = find_zone ( $ zone1 ) ;
2007-09-12 17:03:47 +02:00
my $ policy = $ filter_table - > { "${zone}2${zone1}" } - > { policy } ;
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
next if $ policy eq 'NONE' ;
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
my $ chain = rules_target $ zone , $ zone1 ;
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
next unless $ chain ;
if ( $ zone eq $ zone1 ) {
2007-08-09 17:16:08 +02:00
next if ( scalar ( keys ( % { $ zoneref - > { interfaces } } ) ) < 2 ) && ! ( $ zoneref - > { options } { in_out } { routeback } || @$ exclusions ) ;
2007-03-15 04:25:08 +01:00
}
2007-03-27 01:17:46 +02:00
2007-09-12 17:03:47 +02:00
if ( $ zone1ref - > { type } eq 'bport4' ) {
2007-06-06 17:34:47 +02:00
next unless $ zoneref - > { bridge } eq $ zone1ref - > { bridge } ;
}
2007-03-15 04:25:08 +01:00
if ( $ chain =~ /2all$/ ) {
if ( $ chain ne $ last_chain ) {
$ last_chain = $ chain ;
push @ dest_zones , @ temp_zones ;
@ temp_zones = ( $ zone1 ) ;
} elsif ( $ policy eq 'ACCEPT' ) {
push @ temp_zones , $ zone1 ;
} else {
$ last_chain = $ chain ;
@ temp_zones = ( $ zone1 ) ;
}
} else {
push @ dest_zones , @ temp_zones , $ zone1 ;
@ temp_zones = ( ) ;
$ last_chain = '' ;
}
}
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
if ( $ last_chain && @ temp_zones == 1 ) {
push @ dest_zones , @ temp_zones ;
$ last_chain = '' ;
}
} else {
2007-09-10 17:52:57 +02:00
@ dest_zones = non_firewall_zones ;
2007-03-15 04:25:08 +01:00
}
#
# Here it is -- THE BIG UGLY!!!!!!!!!!!!
#
# We now loop through the destination zones creating jumps to the rules chain for each source/dest combination.
# @dest_zones is the list of destination zones that we need to handle from this source zone
#
ZONE1:
for my $ zone1 ( @ dest_zones ) {
2007-09-10 17:52:57 +02:00
my $ zone1ref = find_zone ( $ zone1 ) ;
2007-09-12 17:03:47 +02:00
my $ policy = $ filter_table - > { "${zone}2${zone1}" } - > { policy } ;
2007-03-15 04:25:08 +01:00
next if $ policy eq 'NONE' ;
my $ chain = rules_target $ zone , $ zone1 ;
2007-05-07 16:28:23 +02:00
next unless $ chain ; # CONTINUE policy with no rules
2007-03-21 21:08:05 +01:00
push @ rule_chains , [ $ zone , $ zone1 , $ chain ] if $ config { DYNAMIC_ZONES } ;
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
my $ num_ifaces = 0 ;
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
if ( $ zone eq $ zone1 ) {
2007-08-09 17:16:08 +02:00
next ZONE1 if ( $ num_ifaces = scalar ( keys ( % { $ zoneref - > { interfaces } } ) ) ) < 2 && ! ( $ zoneref - > { options } { in_out } { routeback } || @$ exclusions ) ;
2007-03-15 04:25:08 +01:00
}
2007-09-12 17:03:47 +02:00
if ( $ zone1ref - > { type } eq 'bport4' ) {
2007-06-06 17:34:47 +02:00
next ZONE1 unless $ zoneref - > { bridge } eq $ zone1ref - > { bridge } ;
}
2007-09-12 17:03:47 +02:00
my $ chainref = $ filter_table - > { $ chain } ;
2007-03-15 04:25:08 +01:00
my $ exclusions1 = $ zone1ref - > { exclusions } ;
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
my $ dest_hosts_ref = $ zone1ref - > { hosts } ;
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
if ( @$ exclusions1 ) {
if ( $ chain eq "all2$zone1" ) {
unless ( $ chain_exclusions { $ chain } ) {
$ chain_exclusions { $ chain } = 1 ;
insert_exclusions $ chainref , $ exclusions1 ;
}
} elsif ( $ chain =~ /2all$/ ) {
my $ chain1 = $ policy_exclusions { "${chain}_${zone1}" } ;
2007-03-27 01:17:46 +02:00
2007-05-06 17:43:30 +02:00
unless ( $ chain1 ) {
2007-03-15 04:25:08 +01:00
$ chain1 = newexclusionchain ;
$ policy_exclusions { "${chain}_${zone1}" } = $ chain1 ;
2007-09-12 17:03:47 +02:00
my $ chain1ref = ensure_filter_chain $ chain1 , 0 ;
2007-03-15 04:25:08 +01:00
add_exclusions $ chain1ref , $ exclusions1 ;
add_rule $ chain1ref , "-j $chain" ;
}
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
$ chain = $ chain1 ;
2007-06-08 22:10:43 +02:00
} else {
fatal_error "Fatal Error in generate_matrix()" if $ chain eq 'ACCEPT' ;
2007-03-15 04:25:08 +01:00
insert_exclusions $ chainref , $ exclusions1 ;
}
}
2007-03-27 01:17:46 +02:00
2007-03-15 04:25:08 +01:00
if ( $ complex ) {
for my $ typeref ( values %$ dest_hosts_ref ) {
2007-03-19 05:28:47 +01:00
for my $ interface ( keys %$ typeref ) {
my $ arrayref = $ typeref - > { $ interface } ;
2007-03-15 04:25:08 +01:00
for my $ hostref ( @$ arrayref ) {
if ( $ zone ne $ zone1 || $ num_ifaces > 1 || $ hostref - > { options } { routeback } ) {
2007-04-08 16:42:26 +02:00
my $ ipsec_out_match = match_ipsec_out $ zone1 , $ hostref ;
2007-03-15 04:25:08 +01:00
for my $ net ( @ { $ hostref - > { hosts } } ) {
2007-06-06 02:47:27 +02:00
add_rule $ frwd_ref , join ( '' , match_dest_dev ( $ interface ) , match_dest_net ( $ net ) , $ ipsec_out_match , "-j $chain" ) ;
2007-03-15 04:25:08 +01:00
}
}
}
}
}
} else {
for my $ typeref ( values %$ source_hosts_ref ) {
2007-03-19 05:28:47 +01:00
for my $ interface ( keys %$ typeref ) {
my $ arrayref = $ typeref - > { $ interface } ;
2007-09-12 17:03:47 +02:00
my $ chain3ref = $ filter_table - > { forward_chain $ interface } ;
2007-03-15 04:25:08 +01:00
for my $ hostref ( @$ arrayref ) {
2007-09-29 00:26:29 +02:00
next if $ hostref - > { options } { destonly } ;
2007-03-15 04:25:08 +01:00
for my $ net ( @ { $ hostref - > { hosts } } ) {
for my $ type1ref ( values %$ dest_hosts_ref ) {
2007-03-19 05:28:47 +01:00
for my $ interface1 ( keys %$ type1ref ) {
my $ array1ref = $ type1ref - > { $ interface1 } ;
2007-03-15 04:25:08 +01:00
for my $ host1ref ( @$ array1ref ) {
2007-04-08 16:42:26 +02:00
my $ ipsec_out_match = match_ipsec_out $ zone1 , $ host1ref ;
2007-03-15 04:25:08 +01:00
for my $ net1 ( @ { $ host1ref - > { hosts } } ) {
unless ( $ interface eq $ interface1 && $ net eq $ net1 && ! $ host1ref - > { options } { routeback } ) {
2007-04-26 18:56:04 +02:00
#
2007-05-07 16:28:23 +02:00
# We defer evaluation of the source net match to accomodate systems without $capabilities{KLUDEFREE};
2007-04-26 18:56:04 +02:00
#
2007-05-15 22:03:18 +02:00
add_rule (
$ chain3ref ,
2007-06-06 15:49:30 +02:00
join ( '' , match_dest_dev ( $ interface1 ) , match_source_net ( $ net ) , match_dest_net ( $ net1 ) , $ ipsec_out_match , "-j $chain" )
2007-05-15 22:03:18 +02:00
) ;
2007-03-15 04:25:08 +01:00
}
}
}
}
}
}
}
}
}
}
#
# E N D F O R W A R D I N G
#
# Now add (an) unconditional jump(s) to the last unique policy-only chain determined above, if any
#
if ( $ last_chain ) {
if ( $ complex ) {
add_rule $ frwd_ref , "-j $last_chain" ;
} else {
for my $ typeref ( values %$ source_hosts_ref ) {
2007-03-19 05:28:47 +01:00
for my $ interface ( keys %$ typeref ) {
my $ arrayref = $ typeref - > { $ interface } ;
2007-09-12 17:03:47 +02:00
my $ chain2ref = $ filter_table - > { forward_chain $ interface } ;
2007-03-15 04:25:08 +01:00
for my $ hostref ( @$ arrayref ) {
for my $ net ( @ { $ hostref - > { hosts } } ) {
add_rule $ chain2ref , match_source_net ( $ net ) . "-j $last_chain" ;
}
}
}
}
}
}
}
}
2008-01-10 20:56:44 +01:00
#
# Add Nat jumps
#
for my $ interface ( @ interfaces ) {
addnatjump 'POSTROUTING' , snat_chain ( $ interface ) , match_dest_dev ( $ interface ) ;
}
2008-01-12 02:32:18 +01:00
addnatjump 'PREROUTING' , 'dnat' , '' ;
2008-01-10 20:56:44 +01:00
if ( $ config { DYNAMIC_ZONES } ) {
for my $ interface ( @ interfaces ) {
addnatjump 'PREROUTING' , dynamic_in ( $ interface ) , match_source_dev ( $ interface ) ;
}
}
addnatjump 'PREROUTING' , 'nat_in' , '' ;
addnatjump 'POSTROUTING' , 'nat_out' , '' ;
for my $ interface ( @ interfaces ) {
addnatjump 'PREROUTING' , input_chain ( $ interface ) , match_source_dev ( $ interface ) ;
addnatjump 'POSTROUTING' , output_chain ( $ interface ) , match_dest_dev ( $ interface ) ;
}
2007-03-15 04:25:08 +01:00
#
# Now add the jumps to the interface chains from FORWARD, INPUT, OUTPUT and POSTROUTING
#
for my $ interface ( @ interfaces ) {
2007-09-12 17:03:47 +02:00
add_rule $ filter_table - > { FORWARD } , match_source_dev ( $ interface ) . "-j " . forward_chain $ interface ;
add_rule $ filter_table - > { INPUT } , match_source_dev ( $ interface ) . "-j " . input_chain $ interface ;
add_rule $ filter_table - > { OUTPUT } , "-o $interface -j " . output_chain $ interface unless get_interface_option ( $ interface , 'port' ) ;
2007-06-06 02:47:27 +02:00
addnatjump 'POSTROUTING' , masq_chain ( $ interface ) , match_dest_dev ( $ interface ) ;
2007-03-15 04:25:08 +01:00
}
2007-09-12 17:03:47 +02:00
my $ chainref = $ filter_table - > { "${fw}2${fw}" } ;
2007-03-15 04:25:08 +01:00
2007-09-12 17:03:47 +02:00
add_rule $ filter_table - > { OUTPUT } , "-o lo -j " . ( $ chainref - > { referenced } ? "$chainref->{name}" : 'ACCEPT' ) ;
add_rule $ filter_table - > { INPUT } , '-i lo -j ACCEPT' ;
2007-03-15 04:25:08 +01:00
my % builtins = ( mangle = > [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
nat = > [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
filter = > [ qw/INPUT FORWARD OUTPUT/ ] ) ;
2007-09-12 17:03:47 +02:00
complete_standard_chain $ filter_table - > { INPUT } , 'all' , firewall_zone ;
complete_standard_chain $ filter_table - > { OUTPUT } , firewall_zone , 'all' ;
complete_standard_chain $ filter_table - > { FORWARD } , 'all' , 'all' ;
2007-04-09 19:26:28 +02:00
2007-03-15 04:25:08 +01:00
if ( $ config { LOGALLNEW } ) {
for my $ table qw/mangle nat filter/ {
for my $ chain ( @ { $ builtins { $ table } } ) {
2007-04-08 16:42:26 +02:00
log_rule_limit
$ config { LOGALLNEW } ,
2007-09-12 17:03:47 +02:00
$ chain_table { $ table } { $ chain } ,
2007-03-15 04:25:08 +01:00
$ table ,
$ chain ,
'' ,
'' ,
'insert' ,
2007-04-24 02:16:53 +02:00
'-m state --state NEW ' ;
2007-03-15 04:25:08 +01:00
}
}
}
}
2007-08-26 17:12:04 +02:00
sub setup_mss ( ) {
my $ clampmss = $ config { CLAMPMSS } ;
2007-06-14 01:50:26 +02:00
my $ option ;
my $ match = '' ;
2007-09-12 17:03:47 +02:00
my $ chainref = $ filter_table - > { FORWARD } ;
2007-03-17 00:57:43 +01:00
2007-08-26 17:12:04 +02:00
if ( $ clampmss ) {
if ( "\L$clampmss" eq 'yes' ) {
$ option = '--clamp-mss-to-pmtu' ;
} else {
$ match = "-m tcpmss --mss $clampmss: " if $ capabilities { TCPMSS_MATCH } ;
$ option = "--set-mss $clampmss" ;
}
$ match . = '-m policy --pol none --dir out ' if $ capabilities { POLICY_MATCH } ;
2007-06-14 01:50:26 +02:00
}
2007-07-26 20:36:18 +02:00
2007-08-26 17:12:04 +02:00
my $ interfaces = find_interfaces_by_option ( 'mss' ) ;
if ( @$ interfaces ) {
#
# Since we will need multiple rules, we create a separate chain
#
2007-09-12 17:03:47 +02:00
$ chainref = new_chain 'filter' , 'settcpmss' ;
2007-08-26 17:12:04 +02:00
#
# Send all forwarded SYN packets to the 'settcpmss' chain
#
2007-09-12 17:03:47 +02:00
add_rule $ filter_table - > { FORWARD } , "-p tcp --tcp-flags SYN,RST SYN -j settcpmss" ;
2007-08-26 17:12:04 +02:00
my $ in_match = '' ;
my $ out_match = '' ;
if ( $ capabilities { POLICY_MATCH } ) {
$ in_match = '-m policy --pol none --dir in ' ;
$ out_match = '-m policy --pol none --dir out ' ;
}
for ( @$ interfaces ) {
2007-09-10 17:52:57 +02:00
my $ mss = get_interface_option ( $ _ , 'mss' ) ;
2007-08-26 17:12:04 +02:00
my $ mssmatch = $ capabilities { TCPMSS_MATCH } ? "-m tcpmss --mss $mss: " : '' ;
add_rule $ chainref , "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss" ;
add_rule $ chainref , "-o $_ -j RETURN" if $ clampmss ;
add_rule $ chainref , "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss" ;
add_rule $ chainref , "-i $_ -j RETURN" if $ clampmss ;
}
}
add_rule $ chainref , "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS $option" if $ clampmss ;
2007-03-17 00:57:43 +01:00
}
2007-03-21 21:35:40 +01:00
sub dump_rule_chains () {
2007-08-26 17:12:04 +02:00
emit_unindented "@$_" for ( @ rule_chains ) ;
2007-03-27 01:17:46 +02:00
}
2007-03-21 21:35:40 +01:00
2007-03-15 04:17:56 +01:00
1 ;