Allow NFQUEUE 'bypass' in the policy file

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2019-10-21 14:34:37 -07:00
parent 6da498510c
commit 157abcbd37
2 changed files with 17 additions and 12 deletions


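--- a/[perl-file-path]
+++ b/[perl-file-path]
@@ -611,8 +611,8 @@ sub process_policy_actions( $$$ ) {
 #
 # Verify an NFQUEUE specification and return the appropriate ip[6]tables target
 #
-sub handle_nfqueue( $$ ) {
-my ($params, $allow_bypass ) = @_;
+sub handle_nfqueue( $ ) {
+my ($params) = @_;
 my ( $action, $bypass, $fanout );
 my ( $queue1, $queue2, $queuenum1, $queuenum2 );
@@ -625,7 +625,6 @@ sub handle_nfqueue( $$ ) {
 if ( supplied $queue ) {
 if ( $queue eq 'bypass' ) {
-fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
 return 'NFQUEUE --queue-bypass';
 }
@@ -653,7 +652,6 @@ sub handle_nfqueue( $$ ) {
 if ( supplied $bypass ) {
 fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
-fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 $bypass =' --queue-bypass';
 } else {
@@ -742,9 +740,7 @@ sub process_a_policy1($$$$$$$) {
 my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
 if ( defined $queue ) {
-$policy = handle_nfqueue( $queue,
-0 # Don't allow 'bypass'
-);
+$policy = handle_nfqueue( $queue );
 } elsif ( $policy eq 'NONE' ) {
 fatal_error "NONE policy not allowed with \"all\""
 if $clientwild || $serverwild;
@@ -2704,9 +2700,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 $macro_nest_level--;
 goto EXIT;
 } elsif ( $actiontype & NFQ ) {
-$action = handle_nfqueue( $param,
-1 # Allow 'bypass'
-);
+$action = handle_nfqueue( $param );
 } elsif ( $actiontype & SET ) {
 require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 fatal_error "$action rules require a set name parameter" unless $param;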
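Review bot: Dropping the `$allow_bypass` guard in handle_nfqueue means a policy-file NFQUEUE entry can now be emitted as `NFQUEUE --queue-bypass`, which is fail-open: the documentation hunk in this same commit states that with bypass the rule behaves like ACCEPT when no userspace program is listening on the queue, and a policy is the default for a whole zone pair rather than a single rule. Neither the new code nor the header comment at the top of the -611 hunk records that this is intended, so a reader can no longer tell that the two call sites (process_a_policy1 and process_rule) once differed on purpose; I would extend the header comment to `# Verify an NFQUEUE specification and return the appropriate ip[6]tables target.` / `# 'bypass' is accepted from both the rules file and the policy file; it makes the target fail-open (ACCEPT) when no queue listener is present.` The same guard removal is what the -625 and -653 hunks do, and the -742 and -2704 hunks only drop the second argument at the call sites, so one comment in handle_nfqueue covers all of them. The body of handle_nfqueue continues outside the hunk.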


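--- a/[docbook-file-path]
+++ b/[docbook-file-path]
@@ -131,7 +131,7 @@
 role="bold">BLACKLIST</emphasis>|<emphasis
 role="bold">CONTINUE</emphasis>|<emphasis
 role="bold">QUEUE</emphasis>|<emphasis
-role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
+role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]|<emphasis
 role="bold">NONE</emphasis>}[<emphasis
 role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
 role="bold">None</emphasis>}]</term>
@@ -236,7 +236,18 @@
 given queues. This is useful for multicore systems: start
 multiple instances of the userspace program on queues x, x+1,
 .. x+n and use "x:x+n". Packets belonging to the same
-connection are put into the same nfqueue.</para>
+connection are put into the same nfqueue. Beginning with
+Shorewall 5.1.0, queuenumber2 may be followed by the letter
+'c' to indicate that the CPU ID will be used as an index to
+map packets to the queues. The idea is that you can improve
+performance if there's a queue per CPU. Requires the NFQUEUE
+CPU Fanout capability in your kernel and iptables.</para>
+<para>Beginning with Shorewall 4.6.10, the keyword <emphasis
+role="bold">bypass</emphasis> can be given. By default, if no
+userspace program is listening on an NFQUEUE, then all packets
+that are to be queued are dropped. When this option is used,
+the NFQUEUE rule behaves like ACCEPT instead.</para>
 </listitem>
 </varlistentry>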