Add SECMARK and CONNSECMARK support

This commit is contained in:
Tom Eastep 2010-09-04 15:12:08 -07:00
parent 6caff51c98
commit 15d8d6d8b7
7 changed files with 657 additions and 7 deletions


@ -44,33 +44,40 @@ our $VERSION = '4.4_13';
our %tcs = ( T => { chain => 'tcpost',
connmark => 0,
fw => 1
fw => 1,
fwi => 0,
} ,
CT => { chain => 'tcpost' ,
target => 'CONNMARK --set-mark' ,
connmark => 1 ,
fw => 1
fw => 1 ,
fwi => 0,
} ,
C => { target => 'CONNMARK --set-mark' ,
connmark => 1 ,
fw => 1
fw => 1 ,
fwi => 1 ,
} ,
P => { chain => 'tcpre' ,
connmark => 0 ,
fw => 0
fw => 0 ,
fwi => 0 ,
} ,
CP => { chain => 'tcpre' ,
target => 'CONNMARK --set-mark' ,
connmark => 1 ,
fw => 0
fw => 0 ,
fwi => 0 ,
} ,
F => { chain => 'tcfor' ,
connmark => 0 ,
fw => 0
fw => 0 ,
fwi => 0 ,
} ,
CF => { chain => 'tcfor' ,
connmark => 1 ,
fw => 0 ,
fwi => 0 ,
} ,
);
@ -218,12 +225,23 @@ sub process_tc_rule( ) {
}
}
if ( $dest ) {
if ( $dest eq $fw ) {
$chain = 'tcin';
$dest = '';
} else {
$chain = 'tcin' if $dest =~ s/^($fw)://;
}
}
if ( $designator ) {
$tcsref = $tcs{$designator};
if ( $tcsref ) {
if ( $chain eq 'tcout' ) {
fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
} elsif ( $chain eq 'tcin' ) {
fatal_error "Invalid chain designator for dest $fw" unless $tcsref->{fwi};
}
$chain = $tcsref->{chain} if $tcsref->{chain};
@ -1350,6 +1368,46 @@ sub setup_traffic_shaping() {
}
}
#
# Process a record in the secmarks file
#
sub process_secmark_rule() {
my ( $secmark, $chain, $source, $dest, $proto, $dport, $sport, $mark ) = split_line( 2, 8 , 'Secmarks file' );
my %chns = ( T => [ 'tcpost' , POSTROUTE_RESTRICT ] ,
P => [ 'tcpre' , PREROUTE_RESTRICT ] ,
F => [ 'forward' , NO_RESTRICT ] ,
I => [ 'tcin' , , INPUT_RESTRICT ] ,
O => [ 'tcout' , , OUTPUT_RESTRICT ] );
my ( $chain1 , $restriction ) = @{$chns{$chain}};
fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
my $target = $mark eq 'SAVE' ? 'CONNSECMARK --save' :
$mark eq 'RESTORE' ? 'CONNSECMARK --restore' :
"SECMARK --selctx $secmark";
my $disposition = $target;
$disposition =~ s/ .*//;
expand_rule( ensure_mangle_chain( $chain1 ) ,
$restriction,
do_proto( $proto, $dport, $sport ) .
do_test( $mark, $globals{TC_MASK} ) ,
$source ,
$dest ,
'' ,
$target ,
'' ,
$disposition,
'' );
progress_message "Secmarks rule \"$currentline\" $done";
}
#
# Process the tcrules file and setup traffic shaping
#
@ -1362,6 +1420,7 @@ sub setup_tc() {
if ( have_capability( 'MANGLE_FORWARD' ) ) {
ensure_mangle_chain 'tcfor';
ensure_mangle_chain 'tcpost';
ensure_mangle_chain 'tcin';
}
my $mark_part = '';
@ -1388,6 +1447,7 @@ sub setup_tc() {
add_rule( $mangle_table->{FORWARD}, "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
add_jump $mangle_table->{FORWARD} , 'tcfor', 0;
add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
add_jump $mangle_table->{INPUT} , 'tcin' , 0;
}
}
@ -1456,10 +1516,20 @@ sub setup_tc() {
clear_comment;
}
}
if ( my $fn = open_file 'secmarks' ) {
first_entry "$doing $fn...";
process_secmark_rule while read_a_line;
clear_comment;
}
}
add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
handle_stickiness( $sticky );
}


@ -10,6 +10,8 @@ Changes in Shorewall 4.4.13
5) Re-implement optional interface handling.
6) Add secmark config file.
Changes in Shorewall 4.4.12
1) Fix IPv6 shorecap program.


@ -0,0 +1,9 @@
#
# Shorewall version 4 - Secmarks File
#
# For information about entries in this file, type "man shorewall-secmarks"
#
############################################################################################################
#SECMARK CHAIN SOURCE DEST PROTO DEST SOURCE MARK
# PORT(S) PORT(S)


@ -166,6 +166,12 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
The named chain contains accounting rules but no JUMP or COUNT
specifies that chain as the target.
3) Shorewall now supports the SECMARK and CONNSECMARK targets for
manipulating the SELinux context of packets.
See the shorewall-secmarks and shorewall6-secmarks manpages for
details.
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------

8
Shorewall6/secmarks Normal file

@ -0,0 +1,8 @@
#
# Shorewall6 version 4 - Secmarks File
#
# For information about entries in this file, type "man shorewall-secmarks"
#
############################################################################################################
#SECMARK CHAIN SOURCE DEST PROTO DEST SOURCE MARK
# PORT(S) PORT(S)


@ -0,0 +1,278 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-secmarks</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>secmarks</refname>
<refpurpose>Shorewall file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/secmarks</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The secmarks file is used to associate an SELinux context with
packets.</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">SECMARK -
{SAVE|RESTORE|<replaceable>context</replaceable>}</emphasis></term>
<listitem>
<variablelist>
<varlistentry>
<term><emphasis role="bold">SAVE</emphasis></term>
<listitem>
<para>If an SELinux context is associated with the packet, the
context is saved in the connection.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">RESTORE</emphasis></term>
<listitem>
<para>If an SELinux context is not currently associated with
the packet, then the saved context (if any) is associated with
the packet.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable role="bold">context</replaceable></term>
<listitem>
<para>An SELinux context.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CHAIN - {P|I|F|O|T}</emphasis></term>
<listitem>
<simplelist>
<member>P - PREROUTING</member>
<member>I - INPUT</member>
<member>F - FORWARD</member>
<member>O - OUTPUT</member>
<member>T - POSTROUTING</member>
</simplelist>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
role="bold">-</emphasis><emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
<listitem>
<para>May be:</para>
<orderedlist>
<listitem>
<para>An interface name - matches traffic entering the firewall
on the specified interface. May not be used in classify rules or
in rules using the T in the CHAIN column.</para>
</listitem>
<listitem>
<para>A comma-separated list of host or network IP addresses or
MAC addresses. </para>
</listitem>
<listitem>
<para>An interface name followed by a colon (":") followed by a
comma-separated list of host or network IP addresses or MAC
addresses.</para>
</listitem>
</orderedlist>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
<para>Example: ~00-A0-C9-15-39-78</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
<listitem>
<para>May be:</para>
<orderedlist>
<listitem>
<para>An interface name. May not be used in the PREROUTING or
INPUT chains. The interface name may be optionally followed by a
colon (":") and an IP address list.</para>
</listitem>
<listitem>
<para>A comma-separated list of host or network IP addresses.
The list may include ip address ranges if your kernel and
iptables include iprange support.</para>
</listitem>
</orderedlist>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">tcp:syn</emphasis>|<emphasis
role="bold">ipp2p</emphasis>|<emphasis
role="bold">ipp2p:udp</emphasis>|<emphasis
role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
role="bold">all}</emphasis></term>
<listitem>
<para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
ipp2p match support in your kernel and iptables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) - [<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
<listitem>
<para>Destination Ports. A comma-separated list of Port names (from
services(5)), <emphasis>port number</emphasis>s or <emphasis>port
range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numberic type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
this column is interpreted as an ipp2p option without the leading
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
assumed.</para>
<para>This column is ignored if PROTOCOL = all but must be entered
if any of the following field is supplied. In that case, it is
suggested that this field contain "-"</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
[<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
<listitem>
<para>Source port(s). If omitted, any source port is acceptable.
Specified as a comma-separated list of port names, port numbers or
port ranges.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> - [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/secmarks</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>


@ -0,0 +1,277 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-secmarks</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>secmarks</refname>
<refpurpose>Shorewall6 file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/secmarks</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The secmarks file is used to associate an SELinux context with
packets.</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">SECMARK -
{SAVE|RESTORE|<replaceable>context</replaceable>}</emphasis></term>
<listitem>
<variablelist>
<varlistentry>
<term><emphasis role="bold">SAVE</emphasis></term>
<listitem>
<para>If an SELinux context is associated with the packet, the
context is saved in the connection.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">RESTORE</emphasis></term>
<listitem>
<para>If an SELinux context is not currently associated with
the packet, then the saved context (if any) is associated with
the packet.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable role="bold">context</replaceable></term>
<listitem>
<para>An SELinux context.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CHAIN - {P|I|F|O|T}</emphasis></term>
<listitem>
<simplelist>
<member>P - PREROUTING</member>
<member>I - INPUT</member>
<member>F - FORWARD</member>
<member>O - OUTPUT</member>
<member>T - POSTROUTING</member>
</simplelist>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
role="bold">-</emphasis><emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
<listitem>
<para>May be:</para>
<orderedlist>
<listitem>
<para>An interface name - matches traffic entering the firewall
on the specified interface. May not be used in classify rules or
in rules using the T in the CHAIN column.</para>
</listitem>
<listitem>
<para>A comma-separated list of host or network IP addresses or
MAC addresses. </para>
</listitem>
<listitem>
<para>An interface name followed by a colon (":") followed by a
comma-separated list of host or network IP addresses or MAC
addresses.</para>
</listitem>
</orderedlist>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
<para>Example: ~00-A0-C9-15-39-78</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
<listitem>
<para>May be:</para>
<orderedlist>
<listitem>
<para>An interface name. May not be used in the PREROUTING or
INPUT chains. The interface name may be optionally followed by a
colon (":") and an IP address list.</para>
</listitem>
<listitem>
<para>A comma-separated list of host or network IP addresses.
The list may include ip address ranges if your kernel and
iptables include iprange support.</para>
</listitem>
</orderedlist>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">tcp:syn</emphasis>|<emphasis
role="bold">ipp2p</emphasis>|<emphasis
role="bold">ipp2p:udp</emphasis>|<emphasis
role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
role="bold">all}</emphasis></term>
<listitem>
<para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
ipp2p match support in your kernel and iptables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) - [<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
<listitem>
<para>Destination Ports. A comma-separated list of Port names (from
services(5)), <emphasis>port number</emphasis>s or <emphasis>port
range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numberic type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
this column is interpreted as an ipp2p option without the leading
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
assumed.</para>
<para>This column is ignored if PROTOCOL = all but must be entered
if any of the following field is supplied. In that case, it is
suggested that this field contain "-"</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
[<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
<listitem>
<para>Source port(s). If omitted, any source port is acceptable.
Specified as a comma-separated list of port names, port numbers or
port ranges.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> - [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/secmarks</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>