NewNotSyn Reimplimentation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1365 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-05-27 18:18:41 +00:00 · 2004-05-27 18:18:41 +00:00 · 102743a0e3
commit 102743a0e3
parent ccb3c8740c
4 changed files with 82 additions and 35 deletions
--- a/Shorewall2/action.Drop
+++ b/Shorewall2/action.Drop
@ -10,6 +10,6 @@ RejectAuth
 dropBcast
 DropSMB
 DropUPnP
-dropNonSyn
+dropNotSyn
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall2/action.Reject
+++ b/Shorewall2/action.Reject
@ -10,6 +10,6 @@ RejectAuth
 dropBcast
 RejectSMB
 DropUPnP
-dropNonSyn
+dropNotSyn
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -2745,37 +2745,9 @@ createactionchain() # $1 = chain name
 #

 process_actions1() {
-    #
-    # Add the builtin actions
-    #
-    add_builtin_actions() {
 	
-	if [ "$COMMAND" != check ]; then
-	    createchain dropBcast no
-	    qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
-	    if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
-                #
-                # No pkttype support -- do it the hard way
-                #
-		for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
-		    run_iptables -A dropBcast -d $address -j DROP
-		done
-	    fi
-
-	    createchain dropNonSyn no
-	    run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
-
-	    createchain rejectNonSyn no
-	    run_iptables -A rejectNonSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
-
-	fi
-
-	ACTIONS="dropBcast dropNonSyn RejectNonSyn"
-	USEDACTIONS="dropBcast dropNonSyn RejectNonSyn"
-	
-    }
-	
-    add_builtin_actions
+    ACTIONS="dropBcast dropNonSyn dropNotSyn rejectNotSyn logNotSyn rLogNotSyn dLogNotSyn"
+    USEDACTIONS=

    strip_file actions

@ -2888,6 +2860,10 @@ process_actions2() {
 	process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec

    }
+
+    log_action() {
+	[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
+    }
    #
    # Generate the transitive closure of $USEDACTIONS
    #
@ -2911,7 +2887,38 @@ process_actions2() {
    #
    for xaction in $USEDACTIONS; do
 	case $xaction in
-	    dropNonSyn|dropBcast|RejectNonSyn)
+	    dropBcast)
+		if [ "$COMMAND" != check ]; then
+		    qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
+		    if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
+                        #
+                        # No pkttype support -- do it the hard way
+                        #
+			for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
+			    run_iptables -A dropBcast -d $address -j DROP
+			done
+		    fi
+		fi
+		;;
+	    dropNonSyn)
+		error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
+		[ "$COMMAND" != check ] && run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
+		;;
+
+	    dropNotSyn)
+		[ "$COMMAND" != check ] && run_iptables -A dropNotSyn -p tcp ! --syn -j DROP
+		;;
+	    rejectNotSyn)
+		[ "$COMMAND" != check ] && run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
+		;;
+	    logNotSyn)
+		log_action logNotSyn LOG
+		;;
+	    rLogNotSyn)
+		log_action rLogNotSyn REJECT
+		;;
+	    dLogNotSyn)
+		log_action dLogNotSyn DROP		
 		;;
 	    *)
 		f=action.$xaction
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -26,7 +26,14 @@ Problems Corrected since 2.0.2
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:

-None.
+1) The 'dropNonSyn' standard builtin action has been replaced with the
+   'dropNotSyn' standard builtin action. The old name can still be used
+   but will generate a warning.
+
+2) To lay the groundwork for eventual removal of NEWNOTSYN from
+   shorewall.conf and removal of the 'newnotsyn' interface option,
+   several new standard builtin actions have been defined. See New
+   Feature 3 below.
 -----------------------------------------------------------------------
 New Features:

@ -41,4 +48,37 @@ New Features:
 3) A new 'rejectNonSyn' built-in standard action has been added. This
   action responds to "New not SYN" packets with an RST.

-   
+   The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
+   action. The old name will be accepted until the next major release
+   of Shorewall but will generate a warning.
+
+   Several new logging actions involving "New not SYN" packets have
+   been added:
+
+	logNewNotSyn  -- logs the packet with disposition = LOG
+	dLogNewNotSyn -- logs the packet with disposition = DROP
+	rLogNewNotSyn -- logs the packet with disposition = REJECT
+
+   The packets are logged at the log level specified in the
+   LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
+   not specified, then 'info' is assumed.
+
+   Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
+
+   A: To simulate the behavior of NEWNOTSYN=No:
+
+      a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
+      b) Create /etc/shorewall/action.NoNewNotSyn containing:
+
+	    dLogNotSyn
+	    dropNotSyn
+
+      c) Early in your rules file, place:
+
+	 NoNewNotSyn   all   all     tcp
+
+   B: Drop 'New not SYN' packets from the net only. Don't log them.
+
+      a) Early in your rules file, place:
+
+         dropNotSyn    net	  all	tcp