Add some insurance
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8414 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
b99813a1b5
commit
0927fcb95c
@ -27,6 +27,7 @@
|
||||
package Shorewall::Chains;
|
||||
require Exporter;
|
||||
|
||||
use Scalar::Util 'reftype';
|
||||
use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::IPAddrs;
|
||||
@ -35,6 +36,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw(
|
||||
add_rule
|
||||
add_jump
|
||||
insert_rule
|
||||
new_chain
|
||||
new_manual_chain
|
||||
@ -430,7 +432,9 @@ sub push_rule( $$ ) {
|
||||
#
|
||||
sub add_rule($$;$)
|
||||
{
|
||||
my ($chainref, $rule, $expandports) = @_;
|
||||
my ($chainref, $rule, $expandports) = @_;
|
||||
|
||||
fatal_error 'Internal Error in add_rule()' if reftype $rule;
|
||||
|
||||
$iprangematch = 0;
|
||||
#
|
||||
@ -487,6 +491,31 @@ sub add_rule($$;$)
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Add a jump from the chain represented by the reference in the first argument to
|
||||
# the chain named in the second argument. The optional third argument specifies any
|
||||
# matches to be included in the rule and must end with a space character if it is passed.
|
||||
#
|
||||
|
||||
sub add_jump( $$;$ ) {
|
||||
my ( $fromref, $to, $predicate ) = @_;
|
||||
|
||||
$predicate |= '';
|
||||
|
||||
my $toref;
|
||||
|
||||
if ( reftype $to ) {
|
||||
$toref = $to;
|
||||
$to = $toref->{name};
|
||||
} else {
|
||||
$toref = ensure_chain( $fromref->{table} , $to ) unless ($targets{$to} | 0 ) & STANDARD;
|
||||
}
|
||||
|
||||
$toref->{referenced} = 1 if $toref;
|
||||
|
||||
add_rule ($fromref, join( '', $predicate, "-j $to" ) );
|
||||
}
|
||||
|
||||
#
|
||||
# Insert a rule into a chain. Arguments are:
|
||||
#
|
||||
|
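Review bot: `$predicate |= '';` in add_jump applies the bitwise-or operator rather than a logical default, so when the optional third argument is omitted (as most of the new call sites in generate_matrix do) an undefined value goes through a string bitwise or; the result happens to be the empty string, but under `use warnings` it should emit an uninitialized-value warning on every two-argument call. The intended default is `$predicate ||= '';` (or `$predicate //= '';` if the module targets 5.10+). The similar `($targets{$to} | 0 ) & STANDARD` probably is a deliberate bitmask test, but `$targets{$to} // 0` would state that intent without the same warning risk when `$to` is not a known target; I could not see how `%targets` is populated from this page, so treat that as a suggestion to confirm.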
@ -438,22 +438,22 @@ sub apply_policy_rules() {
|
||||
# - If no applicable policy is found, add rules for an assummed
|
||||
# policy of DROP INFO
|
||||
#
|
||||
sub complete_standard_chain ( $$$ ) {
|
||||
my ( $stdchainref, $zone, $zone2 ) = @_;
|
||||
sub complete_standard_chain ( $$$$ ) {
|
||||
my ( $stdchainref, $zone, $zone2, $default ) = @_;
|
||||
|
||||
add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};
|
||||
|
||||
run_user_exit $stdchainref;
|
||||
|
||||
my $ruleschainref = $filter_table->{"${zone}2${zone2}"};
|
||||
my ( $policy, $loglevel, $default ) = ( 'DROP', 6, $config{DROP_DEFAULT} );
|
||||
my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
|
||||
my $policychainref;
|
||||
|
||||
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
|
||||
|
||||
( $policy, $loglevel, $default ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
|
||||
( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
|
||||
|
||||
policy_rules $stdchainref , $policy , $loglevel, $default, 0;
|
||||
policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
|
||||
}
|
||||
|
||||
#
|
||||
|
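Review bot: The header comment above complete_standard_chain still says rules are added for an assumed policy of `DROP INFO`, but the new fourth argument `$default` now supplies that policy (the callers changed in this commit pass 'DROP' for INPUT and 'REJECT' for OUTPUT and FORWARD) and `$config{$default . '_DEFAULT'}` selects the matching `*_DEFAULT` setting; the comment should read `# - If no applicable policy is found, add rules for an assumed policy of $default INFO` and the fourth argument should be listed with the others. Because the `%config` key is built from the argument, an unexpected value silently yields an undefined default action instead of an error; a guard such as `fatal_error "Invalid default policy $default" unless $default eq 'DROP' || $default eq 'REJECT';` right after the argument unpacking would make that failure loud at generation time rather than producing a broken ruleset.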
@ -1693,15 +1693,15 @@ sub generate_matrix() {
|
||||
|
||||
if ( @$exclusions ) {
|
||||
my $output = zone_output_chain $zone;
|
||||
add_rule $outputref , join( '', $interfacematch, $dest, $ipsec_out_match, "-j $output" );
|
||||
add_rule $filter_table->{$output} , "-j $chain1";
|
||||
add_jump $outputref , $output, join( '', $interfacematch, $dest, $ipsec_out_match );
|
||||
add_jump $filter_table->{$output} , $chain1;
|
||||
$nextchain = $output;
|
||||
} else {
|
||||
add_rule $outputref , join( '', $interfacematch, $dest, $ipsec_out_match, "-j $chain1" );
|
||||
add_jump $outputref , $chain1, join( '', $interfacematch, $dest, $ipsec_out_match );
|
||||
$nextchain = $chain1;
|
||||
}
|
||||
|
||||
add_rule( $outputref , join('', $interfacematch, '-d 255.255.255.255 ' , $ipsec_out_match, "-j $nextchain" ) )
|
||||
add_jump( $outputref , $nextchain, join('', $interfacematch, '-d 255.255.255.255 ' , $ipsec_out_match ) )
|
||||
if $hostref->{options}{broadcast};
|
||||
|
||||
move_rules( $filter_table->{output_chain $interface} , $filter_table->{$nextchain} ) unless use_output_chain $interface;
|
||||
@ -1716,7 +1716,7 @@ sub generate_matrix() {
|
||||
# There are DNAT/REDIRECT rules with this zone as the source.
|
||||
# Add a jump from this source network to this zone's DNAT/REDIRECT chain
|
||||
#
|
||||
add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j ', $dnatref->{name} );
|
||||
add_jump $preroutingref, $dnatref, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
|
||||
}
|
||||
#
|
||||
# If this zone has parents with DNAT/REDIRECT rules and there are no CONTINUE polcies with this zone as the source
|
||||
@ -1739,11 +1739,11 @@ sub generate_matrix() {
|
||||
|
||||
if ( @$exclusions ) {
|
||||
my $input = zone_input_chain $zone;
|
||||
add_rule $inputchainref, join( '', $interfacematch, $source, $ipsec_in_match, "-j $input" );
|
||||
add_rule $filter_table->{ $input } , "-j $chain2";
|
||||
add_jump $inputchainref, $input, join( '', $interfacematch, $source, $ipsec_in_match );
|
||||
add_jump $filter_table->{ $input } , $chain2;
|
||||
$nextchain = $input;
|
||||
} else {
|
||||
add_rule $inputchainref, join( '', $interfacematch, $source, $ipsec_in_match, "-j $chain2" );
|
||||
add_jump $inputchainref, $chain2, join( '', $interfacematch, $source, $ipsec_in_match );
|
||||
$nextchain = $chain2;
|
||||
}
|
||||
|
||||
@ -1864,7 +1864,7 @@ sub generate_matrix() {
|
||||
$policy_exclusions{"${chain}_${zone1}"} = $chain1;
|
||||
my $chain1ref = ensure_filter_chain $chain1, 0;
|
||||
add_exclusions $chain1ref, $exclusions1;
|
||||
add_rule $chain1ref, "-j $chain";
|
||||
add_jump $chain1ref, $chain;
|
||||
}
|
||||
|
||||
$chain = $chain1;
|
||||
@ -1883,7 +1883,7 @@ sub generate_matrix() {
|
||||
if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
|
||||
my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
add_rule $frwd_ref, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match, "-j $chain" );
|
||||
add_jump $frwd_ref, $chain, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match );
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1917,15 +1917,15 @@ sub generate_matrix() {
|
||||
#
|
||||
# We defer evaluation of the source net match to accomodate systems without $capabilities{KLUDEFREE};
|
||||
#
|
||||
add_rule(
|
||||
add_jump(
|
||||
$chain3ref ,
|
||||
$chain ,
|
||||
join( '',
|
||||
$match_source_dev,
|
||||
match_dest_dev($interface1),
|
||||
match_source_net($net),
|
||||
match_dest_net($net1),
|
||||
$ipsec_out_match,
|
||||
"-j $chain" )
|
||||
$ipsec_out_match )
|
||||
);
|
||||
}
|
||||
}
|
||||
@ -1942,7 +1942,7 @@ sub generate_matrix() {
|
||||
#
|
||||
# Now add an unconditional jump to the last unique policy-only chain determined above, if any
|
||||
#
|
||||
add_rule $frwd_ref , "-j $last_chain" if $last_chain;
|
||||
add_jump $frwd_ref , $last_chain if $last_chain;
|
||||
}
|
||||
}
|
||||
#
|
||||
@ -1974,11 +1974,11 @@ sub generate_matrix() {
|
||||
#
|
||||
for my $interface ( @interfaces ) {
|
||||
|
||||
add_rule $filter_table->{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface if use_forward_chain $interface;
|
||||
add_rule $filter_table->{INPUT} , match_source_dev( $interface ) . "-j " . input_chain($interface) if use_input_chain $interface;
|
||||
add_jump( $filter_table->{FORWARD} , forward_chain $interface , match_source_dev( $interface ) ) if use_forward_chain $interface;
|
||||
add_jump( $filter_table->{INPUT} , input_chain $interface , match_source_dev( $interface ) ) if use_input_chain $interface;
|
||||
|
||||
if ( use_output_chain $interface ) {
|
||||
add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' );
|
||||
add_jump $filter_table->{OUTPUT} , output_chain $interface , "-o $interface " unless get_interface_option( $interface, 'port' );
|
||||
}
|
||||
}
|
||||
|
||||
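Review bot: The new calls `add_jump( $filter_table->{FORWARD} , forward_chain $interface , match_source_dev( $interface ) )`, the INPUT line beneath it, and `add_jump $filter_table->{OUTPUT} , output_chain $interface , "-o $interface "` only parse as intended if forward_chain, input_chain and output_chain are declared with a unary `($)` prototype; without one each is a list operator and would swallow the following comma-separated argument, leaving add_jump with two arguments and no interface match on the jump. Those declarations are outside this hunk, so I could not confirm either way from the page. Writing the calls as `forward_chain( $interface )`, `input_chain( $interface )` and `output_chain( $interface )` (the replaced INPUT line already used `input_chain($interface)`) removes the dependence on the prototype. generate_matrix begins and ends outside this hunk.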
@ -1991,9 +1991,9 @@ sub generate_matrix() {
|
||||
nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
|
||||
filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
|
||||
|
||||
complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone;
|
||||
complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all';
|
||||
complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all';
|
||||
complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone , 'DROP';
|
||||
complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all', 'REJECT';
|
||||
complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all', 'REJECT';
|
||||
|
||||
if ( $config{LOGALLNEW} ) {
|
||||
for my $table qw/mangle nat filter/ {
|
||||
|