From 0d00d30d947bbbebfe6ed87b29e5f427120db057 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 8 May 2007 19:05:25 +0000 Subject: [PATCH] More address validate changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6289 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/releasenotes.txt | 16 +- Shorewall-perl/Shorewall/Config.pm | 1 + Shorewall-perl/Shorewall/IPAddrs.pm | 14 +- Shorewall-perl/Shorewall/Providers.pm | 4 +- manpages/shorewall-accounting.xml | 49 +++ manpages/shorewall-interfaces.xml | 437 +++++++++++++++----------- manpages/shorewall-masq.xml | 49 +++ manpages/shorewall-rules.xml | 49 +++ manpages/shorewall-tcrules.xml | 3 +- manpages/shorewall-tos.xml | 85 ++++- manpages/shorewall-zones.xml | 8 +- manpages/shorewall.conf.xml | 120 ++++++- manpages/shorewall.xml | 4 +- 13 files changed, 644 insertions(+), 195 deletions(-) diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 7e90b282c..2b37334ca 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -40,9 +40,21 @@ Problems corrected in 3.9.7. 4) A value of 'detect' in the GATEWAY column of the providers file no longer generates an error during [re]start. -Other changes in Shorewall 3.9.6. +5) The command 'shorewall check -p' resulted in an indefinite loop. -None. +6) A number of problems having to do with SECTIONs in the rules file + have been corrected. + +7) The mss zone option now works correctly. + +8) The LOGBURST and LOGLIMIT options in shorewall.conf now work + correctly + +Other changes in Shorewall 3.9.7. + +1) Shorewall-perl now validates all IP addresses and addresses ranges + in rules. DNS names are resolved and an error is issued for any + name that cannot be resolved. Migration Considerations: diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index b106ebca0..7315c3ffd 100644 --- a/Shorewall-perl/Shorewall/Config.pm 
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -44,6 +44,7 @@ our @EXPORT = qw(
 pop_open
 read_a_line
 validate_level
+ qt
 get_configuration
 require_capability
 report_capabilities
diff --git a/Shorewall-perl/Shorewall/IPAddrs.pm b/Shorewall-perl/Shorewall/IPAddrs.pm
index 457fb9c7c..b260b4e0c 100644
--- a/Shorewall-perl/Shorewall/IPAddrs.pm
+++ b/Shorewall-perl/Shorewall/IPAddrs.pm
@@ -31,6 +31,7 @@ use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw(
+ validate_address
 validate_net
 validate_range
 ip_range_explicit
@@ -50,14 +51,23 @@ sub valid_address( $ ) {
 1;
 }
 
+sub validate_address( $ ) {
+ unless ( valid_address $_[0] ) {
+ fatal_error "Unknown Host ($_[0])" unless qt "host $_[0]";
+ }
+}
+
 sub validate_net( $ ) {
 my ($net, $vlsm) = split '/', $_[0];
 
 if ( defined $vlsm ) {
 fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
+ fatal_error "Invalid IP address ($net)" unless valid_address $net;
+ } else {
+ fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
+ fatal_error "Invalid Network address ($_[0])" unless defined $net;
+ validate_address $net;
 }
-
- fatal_error "Invalid IP address ($net)" unless valid_address $net;
 }
 
 sub decodeaddr( $ ) {
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm
index 0d1c2df73..bcdca5df3 100644
--- a/Shorewall-perl/Shorewall/Providers.pm
+++ b/Shorewall-perl/Shorewall/Providers.pm
@@ -186,7 +186,9 @@ sub setup_providers() {
 "fi\n" );
 $gateway = '$gateway';
 } elsif ( $gateway && $gateway ne '-' ) {
- emit "run_ip route replace $gateway src \$(find_first_interface_address $interface) dev $interface table $number";
+ validate_address $gateway;
+ my $variable = get_interface_address $interface;
+ emit "run_ip route replace $gateway src $variable dev $interface table $number";
 emit "run_ip route add default via $gateway dev $interface table $number";
 } else {
 $gateway = '';
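Review bot: In the new `validate_address`, the raw column value is interpolated into a command string, `qt "host $_[0]"`, so anything that is not a literal IP address reaches `qt` unchecked; `qt` is not defined on this page, but if it runs its argument through a shell (as its use here suggests), the address column of every rules-style file becomes shell input, and a value with metacharacters is interpreted by the shell rather than looked up by `host`. Constrain the value before the lookup, e.g. insert `fatal_error "Invalid address ($_[0])" unless $_[0] =~ /\A[\w.-]+\z/;` as the first line inside the `unless` block, or pass the name to `qt` as a separate list element if it supports that. The lookup also makes compilation depend on a working resolver at compile time (`host` exits non-zero on timeout as well as on a non-existent name), which deserves a comment on the sub so that a failure on a disconnected box is recognised as a DNS problem rather than a configuration error. In `validate_net`, `$_[0] =~ '/'` uses a string where a pattern is meant; `m{/}` says the same thing without relying on string-as-regex and keeps the rest of the else branch unchanged.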
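Review bot: `validate_address $gateway` in the Providers.pm hunk accepts a resolvable DNS name as well as a numeric address, yet the two `emit` lines that follow write `$gateway` verbatim into `run_ip route replace ... ` and `run_ip route add default via ...` in the generated script, so a name that validated at compile time is resolved, or rejected, by `ip` on the firewall at run time with no error surfaced to the compiler. If the GATEWAY column is meant to hold a numeric address, the stricter check is the right one here: `fatal_error "Invalid gateway address ($gateway)" unless valid_address $gateway;`. `get_interface_address` is not visible on this page, so whether `$variable` is a shell variable reference or a literal address cannot be confirmed from the hunk; a comment on the `my $variable` line stating which it is would help the next reader. `setup_providers` begins and ends outside the hunk.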
diff --git a/manpages/shorewall-accounting.xml b/manpages/shorewall-accounting.xml index 6c1ac35d3..0edb19a2d 100644 --- a/manpages/shorewall-accounting.xml +++ b/manpages/shorewall-accounting.xml @@ -244,6 +244,55 @@ + + + MARK — [!]value[/mask][:C] + + + Defines a test on the existing packet or connection mark. The + rule will match only if the test returns true. + + If you don't want to define a test but need to specify + anything in the following columns, place a "-" in this field. + + + + ! + + + Inverts the test (not equal) + + + + + value + + + Value of the packet or connection mark. + + + + + mask + + + A mask to be applied to the mark before testing. + + + + + :C + + + Designates a connection mark. If omitted, the packet + mark's value is tested. + + + + + In all of the above columns except If you don't want to give a value for this column but you want to enter a value in the OPTIONS column, enter - in this column. + + Note to Shorewall-perl users: + Shorewall-perl only supports in this column. + If you specify addresses, a compilation + warning will be issued. 
@@ -107,173 +112,7 @@ loc eth2 - - dhcp - - - Specify this option when any of the following are - true: - - - - the interface gets its IP address via DHCP - - - - the interface is used by a DHCP server running on - the firewall - - - - you have a static IP but are on a LAN segment with - lots of DHCP clients. - - - - the interface is a bridge with a DHCP server on one - port and DHCP clients on another port. - - - - - - - norfc1918 - - - This interface should not receive any packets whose - source is in one of the ranges reserved by RFC 1918 (i.e., - private or "non-routable" addresses). If packet mangling or - connection-tracking match is enabled in your kernel, packets - whose destination addresses are reserved by RFC 1918 are also - rejected. - - - - - routefilter - - - Turn on kernel route filtering for this interface - (anti-spoofing measure). - - - This option does not work with a wild-card - interface name (e.g., eth0.+) in - the INTERFACE column. - - - This option can also be enabled globally in the shorewall.conf(5) - file. - - - - - logmartians - - - Turn on kernel martian logging (logging of packets with - impossible source addresses. It is strongly suggested that if - you set routefilter on an - interface that you also set logmartians. Even if you do not specify - the option, it is a good idea to - specify because your distribution - may be enabling route filtering without you knowing it. - - To find out if route filtering is set on a given - interface, check the contents of - /proc/sys/net/ipv4/conf/interface/rp_filter - — a non-zero value indicates that route filtering is - enabled. - - Example: - - teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter - 1 - teastep@lists:~$ - - - This option does not work with a wild-card - interface name (e.g., eth0.+) in - the INTERFACE column. - - - This option may also be enabled globally in the shorewall.conf(5) - file. 
- - - - - blacklist - - - Check packets arriving on this interface against the - shorewall-blacklist(5) - file. - - - - - maclist - - - Connection requests from this interface are compared - against the contents of shorewall-maclist(5). If - this option is specified, the interface must be an ethernet - NIC and must be up before Shorewall is started. - - - - - tcpflags - - - Packets arriving on this interface are checked for - certain illegal combinations of TCP flags. Packets found to - have such a combination of flags are handled according to the - setting of TCP_FLAGS_DISPOSITION after having been logged - according to the setting of TCP_FLAGS_LOG_LEVEL. - - - - - proxyarp - - - Sets - /proc/sys/net/ipv4/conf/interface/proxy_arp. - Do NOT use this option if you are employing Proxy ARP through - entries in shorewall-proxyarp(5). - This option is intended solely for use with Proxy ARP - sub-networking as described at: http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html - This option does not work with a wild-card - interface name (e.g., eth0.+) - in the INTERFACE column. - - - - - - routeback - - - If specified, indicates that Shorewall should include - rules that allow filtering traffic arriving on this interface - back out that same interface. This option is also required - when you have used a wildcard in the INTERFACE column if you - want to allow traffic between the interfaces that match the - wildcard. - - - - - arp_filter + arp_filter[={0|1}] If specified, this interface will only respond to ARP 
@@ -282,6 +121,13 @@ loc eth2 - requests for IP addresses on any of the firewall's interface. The interface must be up when Shorewall is started. + The option value (0 or 1) may only be specified if you + are using Shorewall-perl. With Shorewall-perl, only those + interfaces with the option will + have their setting changes; the value assigned to the setting + will be the value specified (if any) or 1 if no value is + given. + This option does not work with a wild-card interface name (e.g., eth0.+) in @@ -328,16 +174,13 @@ loc eth2 - - nosmurfs + blacklist - Filter packets for smurfs (packets with a broadcast - address as the source). - - Smurfs will be optionally logged based on the setting of - SMURF_LOG_LEVEL in shorewall.conf(5). After - logging, the packets are dropped. + Check packets arriving on this interface against the + shorewall-blacklist(5) + file. 
@@ -358,7 +201,230 @@ loc eth2 - - sourceroute + dhcp + + + Specify this option when any of the following are + true: + + + + the interface gets its IP address via DHCP + + + + the interface is used by a DHCP server running on + the firewall + + + + you have a static IP but are on a LAN segment with + lots of DHCP clients. + + + + the interface is a bridge with a DHCP server on one + port and DHCP clients on another port. + + + + + + + logmartians[={0|1}] + + + Turn on kernel martian logging (logging of packets with + impossible source addresses. It is strongly suggested that if + you set routefilter on an + interface that you also set logmartians. Even if you do not specify + the option, it is a good idea to + specify because your distribution + may be enabling route filtering without you knowing it. + + The option value (0 or 1) may only be specified if you + are using Shorewall-perl. With Shorewall-perl, only those + interfaces with the option will + have their setting changes; the value assigned to the setting + will be the value specified (if any) or 1 if no value is + given. + + To find out if route filtering is set on a given + interface, check the contents of + /proc/sys/net/ipv4/conf/interface/rp_filter + — a non-zero value indicates that route filtering is + enabled. + + Example: + + teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter + 1 + teastep@lists:~$ + + + This option does not work with a wild-card + interface name (e.g., eth0.+) in + the INTERFACE column. + + +
+ This option may also be enabled globally in the shorewall.conf(5) + file. +
+
+
+ + + maclist + + + Connection requests from this interface are compared + against the contents of shorewall-maclist(5). If + this option is specified, the interface must be an ethernet + NIC and must be up before Shorewall is started. + + + + + norfc1918 + + + This interface should not receive any packets whose + source is in one of the ranges reserved by RFC 1918 (i.e., + private or "non-routable" addresses). If packet mangling or + connection-tracking match is enabled in your kernel, packets + whose destination addresses are reserved by RFC 1918 are also + rejected. + + + + + nosmurfs + + + Filter packets for smurfs (packets with a broadcast + address as the source). + + Smurfs will be optionally logged based on the setting of + SMURF_LOG_LEVEL in shorewall.conf(5). After + logging, the packets are dropped. + + + + + optional + + + Only supported by Shorewall-perl. When + is specified for an interface, + Shorewall will be silent when: + + + + a /proc/sys/net/ipv4/conf/ + entry for the interface cannot be modified (including for + proxy ARP). + + + + The first address of the interface cannot be + obtained. + + + + I specify on interfaces to Xen + virtual machines that may or may not be running when Shorewall + is [re]started. + + + Use at your own risk. If you + [re]start Shorewall when an 'optional' interface is not + available and then do a shorewall save, + subsequent shorewall restore and + shorewall -f start operations will + instantiate a ruleset that does not support that interface, + even if it is available at the time of the + restore/start. + + + + + + proxyarp[={0|1}] + + + Sets + /proc/sys/net/ipv4/conf/interface/proxy_arp. + Do NOT use this option if you are employing Proxy ARP through + entries in shorewall-proxyarp(5). + This option is intended solely for use with Proxy ARP + sub-networking as described at: http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html. 
+ + This option does not work with a wild-card + interface name (e.g., eth0.+) + in the INTERFACE column. + The option value (0 or 1) may only be specified if + you are using Shorewall-perl. With Shorewall-perl, only those + interfaces with the option will have + their setting changes; the value assigned to the setting will + be the value specified (if any) or 1 if no value is + given. + + + + + routeback + + + If specified, indicates that Shorewall should include + rules that allow filtering traffic arriving on this interface + back out that same interface. This option is also required + when you have used a wildcard in the INTERFACE column if you + want to allow traffic between the interfaces that match the + wildcard. + + + + + routefilter[={0|1}] + + + Turn on kernel route filtering for this interface + (anti-spoofing measure). + + The option value (0 or 1) may only be specified if you + are using Shorewall-perl. With Shorewall-perl, only those + interfaces with the option will + have their setting changes; the value assigned to the setting + will be the value specified (if any) or 1 if no value is + given. + + + This option does not work with a wild-card + interface name (e.g., eth0.+) in + the INTERFACE column. + + +
+ This option can also be enabled globally in the shorewall.conf(5) + file. +
+
+
+ + + sourceroute[={0|1}] If this option is not specified for an interface, then @@ -369,6 +435,13 @@ loc eth2 - This might represent a security risk and is not usually needed. + The option value (0 or 1) may only be specified if you + are using Shorewall-perl. With Shorewall-perl, only those + interfaces with the option will + have their setting changes; the value assigned to the setting + will be the value specified (if any) or 1 if no value is + given. + This option does not work with a wild-card interface name (e.g., eth0.+) in @@ -377,6 +450,18 @@ loc eth2 - + + tcpflags + + + Packets arriving on this interface are checked for + certain illegal combinations of TCP flags. Packets found to + have such a combination of flags are handled according to the + setting of TCP_FLAGS_DISPOSITION after having been logged + according to the setting of TCP_FLAGS_LOG_LEVEL. + + + upnp diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml index f1b51d44c..780510b51 100644 --- a/manpages/shorewall-masq.xml +++ b/manpages/shorewall-masq.xml @@ -302,6 +302,55 @@
+ + + MARK — [!]value[/mask][:C] + + + Defines a test on the existing packet or connection mark. The + rule will match only if the test returns true. + + If you don't want to define a test but need to specify + anything in the following columns, place a "-" in this field. + + + + ! + + + Inverts the test (not equal) + + + + + value + + + Value of the packet or connection mark. + + + + + mask + + + A mask to be applied to the mark before testing. + + + + + :C + + + Designates a connection mark. If omitted, the packet + mark's value is tested. + + + + + diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index f0eef1007..f7a9cfbc0 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml @@ -891,6 +891,55 @@ + + + MARK — [!]value[/mask][:C] + + + Defines a test on the existing packet or connection mark. The + rule will match only if the test returns true. + + If you don't want to define a test but need to specify + anything in the following columns, place a "-" in this field. + + + + ! + + + Inverts the test (not equal) + + + + + value + + + Value of the packet or connection mark. + + + + + mask + + + A mask to be applied to the mark before testing. + + + + + :C + + + Designates a connection mark. If omitted, the packet + mark's value is tested. + + + + + diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml index d130777b0..de864a084 100644 --- a/manpages/shorewall-tcrules.xml +++ b/manpages/shorewall-tcrules.xml @@ -410,8 +410,7 @@ Defines a test on the existing packet or connection mark. The - rule will match only if the test returns true. Tests have the - format + rule will match only if the test returns true.
If you don't want to define a test but need to specify anything in the following columns, place a "-" in this field. diff --git a/manpages/shorewall-tos.xml b/manpages/shorewall-tos.xml index bb86015c6..a8471e112 100644 --- a/manpages/shorewall-tos.xml +++ b/manpages/shorewall-tos.xml @@ -28,10 +28,10 @@ SOURCE - - {zone[all[:address]|all|$FW} + role="bold">all|$FW} + (Shorewall-shell) Name of a zone declared in + + SOURCE - {all|address]|all:address|$FW} (Shorewall-perl) + + + If all, may optionally be + followed by ":" and an IP address, a MAC address, a subnet + specification or the name of an interface. + + Example: all:192.168.2.3 + + MAC addresses must be prefixed with "~" and use "-" as a + separator. + + Example: ~00-A0-C9-15-39-78 + + + DEST - {zone[:address]|all} + role="bold">all} (Shorewall-shell) Name of a zone declared in + + DEST - {all|address]|all:address} + (Shorewall-perl) + + + Example: 192.168.2.3 + + + PROTOCOLproto-name-or-number @@ -114,6 +145,52 @@ tos-normal-service (0) + + + MARK — [!]value[/mask][:C] + + + If you don't want to define a test but need to specify + anything in the following columns, place a "-" in this field. + + + + ! + + + Inverts the test (not equal) + + + + + value + + + Value of the packet or connection mark. + + + + + mask + + + A mask to be applied to the mark before testing. + + + + + :C + + + Designates a connection mark. If omitted, the packet + mark's value is tested. + + + + + diff --git a/manpages/shorewall-zones.xml b/manpages/shorewall-zones.xml index 73c07bb67..434661901 100644 --- a/manpages/shorewall-zones.xml +++ b/manpages/shorewall-zones.xml 
@@ -36,10 +36,10 @@ role="bold">,parent-zone]...] - Name of the zone. The names "all" and - "none" are reserved and may not be used as zone names. The maximum - length of a zone name is determined by the setting of the LOGFORMAT - option in Name of the zone. The names "all", + "none", "SOURCE" and "DEST" are reserved and may not be used as zone + names. The maximum length of a zone name is determined by the + setting of the LOGFORMAT option in shorewall.conf(5). With the default LOGFORMAT, zone names can be at most 5 characters long. diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index 38797571b..919ce2466 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml @@ -256,6 +256,26 @@ + + BLACKLISTNEWONLY={Yes|No} + + + When set to Yes or yes, blacklists are only consulted for new + connections. When set to No or + no, blacklists are consulted for + every packet (will slow down your firewall noticably if you have + large blacklists). If the BLACKLISTNEWONLY option is not set or is + set to the empty value then BLACKLISTNEWONLY=No is assumed. + + + BLACKLISTNEWONLY=No is incompatible with + FASTACCEPT=Yes. + + + + BRIDGING={Yes|No} @@ -363,6 +383,11 @@ role="bold">shorewall [re]start. + + + DELAYBLACKLISTLOAD=Yes is not supported by + Shorewall-perl. + @@ -429,6 +454,11 @@ set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or RELATED sections of shorewall-rules(5). + + + FASTACCEPT=Yes is incompatible with + BLACKLISTNEWONLY=No. + @@ -574,7 +604,8 @@ LOG_MARTIANS=[Yes|No] + role="bold">Yes|No|Keep] If set to Yes or logmartians interface option in shorewall-interfaces(5). + + The value Keep is only + allowed under Shorewall-perl. It causes Shorewall to ignore the + option. If the option is set to Yes, then martians are logged on all + interfaces. If the option is set to No, then martian logging is disabled on all + interfaces except those specified in shorewall-interfaces(5). 
@@ -807,7 +847,13 @@ parameterized macros. For compatibility, Shorewall can map the old names into invocations of the new macros if you set MAPOLDACTIONS=Yes. If this option is not set or is set to the empty - value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed + value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed. + + + MAPOLDACTIONS=Yes is not supported by Shorewall-perl. With + Shorewall-perl, if MAPOLDACTIONS is not set or is set to the ampty + value then MAPOLDACTIONS=No is assumed. + @@ -940,6 +986,60 @@ + + RCP_COMMAND="command" + + + + + + + + RSH_COMMAND="command" + + + Eariler generations of Shorewall Lite required that remote + root login via ssh be enabled in order to use the + load and reload commands. + Beginning with release 3.9.5, you may define an alternative means + for accessing the remote firewall system. In that release, two new + options were added to shorewall.conf: + RSH_COMMAND + + RCP_COMMAND + The default values for these are as + follows: + RSH_COMMAND: ssh ${root}@${system} ${command} + + RCP_COMMAND: scp ${files} + ${root}@${system}:${destination} + Shell variables that will be set when the commands + are envoked are as follows: + root - root user. Normally + but may be overridden using the '-r' + option. + + system - The name/IP address + of the remote firewall system. + + command - For RSH_COMMAND, + the command to be executed on the firewall system. + + files - For RCP_COMMAND, a + space-separated list of files to be copied to the remote + firewall system. + + destination - The directory + on the remote system that the files are to be copied + into. + + + + RESTOREFILE=filename 
@@ -1025,7 +1125,8 @@ ROUTE_FILTER=[Yes|No] + role="bold">Yes|No|Keep] If this parameter is given the value no. + + The value Keep is only + allowed under Shorewall-perl. It causes Shorewall to ignore the + option. If the option is set to Yes, then route filtering occurs on all + interfaces. If the option is set to No, then route filtering is disabled on all + interfaces except those specified in shorewall-interfaces(5). @@ -1182,6 +1292,10 @@ a sizable amount of code to implement. By setting USE_ACTIONS=No, embedded Shorewall installations can omit the large library /usr/share/shorewall/lib.actions. + + + USE_ACTIONS=No is not supported by Shorewall-perl. + diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index 9bed80121..c1c561b35 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml @@ -735,7 +735,9 @@ The rules involving the the black list, ECN control rules, and traffic shaping are recreated to reflect any changes made to your - configuration files. Existing connections are untouched. + configuration files. Existing connections are untouched. Under + Shorewall-perl, refresh is synonamous with + restart.