holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Allow override of :syn assumption in CT rules

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2017-12-29 15:12:57 -08:00
parent 46f68c6dcb
commit 078c781dfa
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
3 changed files with 22 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -4782,6 +4782,7 @@ sub do_proto( $$$;$ )
if ( $proto ne '' ) { if ( $proto ne '' ) {
my $synonly = ( $proto =~ s/:(!)?syn$//i ); my $synonly = ( $proto =~ s/:(!)?syn$//i );
my $all = ( $proto =~ s/:all$//i );
my $notsyn = $1; my $notsyn = $1;
my $invert = ( $proto =~ s/^!// ? '! ' : '' ); my $invert = ( $proto =~ s/^!// ? '! ' : '' );
my $protonum = resolve_proto $proto; my $protonum = resolve_proto $proto;
@ -4797,6 +4798,7 @@ sub do_proto( $$$;$ )
# $proto now contains the protocol number and $pname contains the canonical name of the protocol # $proto now contains the protocol number and $pname contains the canonical name of the protocol
# #
unless ( $synonly ) { unless ( $synonly ) {
fatal_error '":all" is only allowed with tcp' if $all && $proto != TCP;
$output = "${invert}-p ${proto} "; $output = "${invert}-p ${proto} ";
} else { } else {
fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert; fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
@ -4992,6 +4994,7 @@ sub do_iproto( $$$ )
if ( $proto ne '' ) { if ( $proto ne '' ) {
my $synonly = ( $proto =~ s/:syn$//i ); my $synonly = ( $proto =~ s/:syn$//i );
my $all = ( $proto =~ s/:all$//i );
my $invert = ( $proto =~ s/^!// ? '! ' : '' ); my $invert = ( $proto =~ s/^!// ? '! ' : '' );
my $protonum = resolve_proto $proto; my $protonum = resolve_proto $proto;
@ -5006,6 +5009,7 @@ sub do_iproto( $$$ )
# $proto now contains the protocol number and $pname contains the canonical name of the protocol # $proto now contains the protocol number and $pname contains the canonical name of the protocol
# #
unless ( $synonly ) { unless ( $synonly ) {
fatal_error '":all" is only allowed with tcp' if $all && $proto != TCP;
@output = ( p => "${invert}${proto}" ); @output = ( p => "${invert}${proto}" );
} else { } else {
fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert; fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;

6
Shorewall/Perl/Shorewall/Raw.pm
View File

@ -138,7 +138,11 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
require_capability 'CT_TARGET', 'CT entries in the conntrack file', ''; require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
$proto = TCP . ':syn' if $proto !~ /:syn$/ && resolve_proto( $proto ) == TCP; if ( $proto =~ s/:all$// ) {
fatal_error '":all" may only be used with TCP' unless resolve_proto( $proto ) == TCP;
} else {
$proto = TCP . ':syn' if $proto !~ /:syn/ && resolve_proto( $proto ) == TCP;
}
if ( $option eq 'notrack' ) { if ( $option eq 'notrack' ) {
fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args; fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;

17
Shorewall/manpages/shorewall-conntrack.xml
View File

@ -579,14 +579,23 @@
<listitem> <listitem>
<para>A protocol name from <filename>/etc/protocols</filename> or a <para>A protocol name from <filename>/etc/protocols</filename> or a
protocol number.</para> protocol number. tcp and 6 may be optionally followed by <emphasis
role="bold">:syn </emphasis>to match only the SYN packet (first
packet in the three-way handshake).</para>
<para>Beginning with Shorewall 4.5.12, this column is labeled <para>Beginning with Shorewall 4.5.12, this column can accept a
<emphasis role="bold">PROTOS</emphasis> and can accept a comma-separated list of protocols and either <emphasis
comma-separated list of protocols. Either <emphasis
role="bold">proto</emphasis> or <emphasis role="bold">proto</emphasis> or <emphasis
role="bold">protos</emphasis> is accepted in the alternate input role="bold">protos</emphasis> is accepted in the alternate input
format.</para> format.</para>
<para>Beginning with Shorewall 5.1.11, when <emphasis
role="bold">tcp</emphasis> or <emphasis role="bold">6</emphasis> is
specified and the ACTION is <emphasis role="bold">CT</emphasis>, the
compiler will default to <emphasis role="bold">:syn</emphasis>. If
you wish the rule to match packets with any valid combination of TCP
flags, you may specify <emphasis role="bold">tcp:all</emphasis> or
<emphasis role="bold">6:all</emphasis>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>