'rpfilter' option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-07-15 10:05:32 -07:00
parent e7cd84a72c
commit 1db79a91eb
17 changed files with 204 additions and 30 deletions


@ -555,6 +555,7 @@ sub initialize( $;$ ) {
LOG_VERBOSITY => undef,
STARTUP_LOG => undef,
SFILTER_LOG_LEVEL => undef,
RPFILTER_LOG_LEVEL => undef,
#
# Location of Files
#
@ -655,6 +656,7 @@ sub initialize( $;$ ) {
BLACKLIST_DISPOSITION => undef,
SMURF_DISPOSITION => undef,
SFILTER_DISPOSITION => undef,
RPFILTER_DISPOSITION => undef,
RELATED_DISPOSITION => undef,
#
# Mark Geometry
@ -4312,6 +4314,15 @@ sub get_configuration( $$$ ) {
$config{SFILTER_DISPOSITION} = 'DROP';
}
default_log_level 'RPFILTER_LOG_LEVEL', 'info';
if ( $val = $config{RPFILTER_DISPOSITION} ) {
fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
} else {
$config{RPFILTER_DISPOSITION} = 'DROP';
}
if ( $val = $config{MACLIST_DISPOSITION} ) {
if ( $val =~ /^(?:A_)?DROP$/ ) {
$globals{MACLIST_TARGET} = $val;
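Review bot: The validation at `fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;` accepts REJECT and A_REJECT, but the rule built from this setting (the `ensure_mangle_chain 'rpfilter'` hunk in add_common_rules in the next file) lives in the mangle table and is reached from mangle PREROUTING; the kernel REJECT target is only valid in the filter table's INPUT, FORWARD and OUTPUT chains, so a REJECT disposition would presumably fail at rule load rather than at configuration time, and `g => 'reject'` would need a mangle-table `reject` chain to exist. Either restrict the pattern to `m/\A(A_)?DROP\z/` (which also replaces the `$` anchor that tolerates a trailing newline), or document how REJECT is meant to be realised from PREROUTING. The `if $1` on the next line relies on the capture from this match, so the two statements must stay adjacent. get_configuration continues outside the hunk.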


@ -749,7 +749,7 @@ sub add_common_rules ( $ ) {
my $interfaceref = find_interface $interface;
unless ( $interfaceref->{options}{ignore} & NO_SFILTER ) {
unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {
my @filters = @{$interfaceref->{filter}};
@ -787,6 +787,39 @@ sub add_common_rules ( $ ) {
}
}
$list = find_interfaces_by_option('rpfilter');
if ( @$list ) {
$policy = $config{RPFILTER_DISPOSITION};
$level = $config{RPFILTER_LOG_LEVEL};
$audit = $policy =~ s/^A_//;
if ( $level || $audit ) {
#
# Create a chain to log and/or audit and apply the policy
#
$chainref = ensure_mangle_chain 'rplog';
log_rule $level , $chainref , $policy , '' if $level ne '';
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
$target = 'rplog';
} else {
$target = $policy eq 'REJECT' ? 'reject' : $policy;
}
$chainref = ensure_mangle_chain( 'rpfilter' );
add_ijump( $chainref,
j => $target,
rpfilter => '--validmark --invert',
state_imatch 'NEW,RELATED,INVALID',
@ipsec
);
}
run_user_exit1 'initdone';
if ( $upgrade ) {
@ -1379,6 +1412,7 @@ sub add_interface_jumps {
our %forward_jump_added;
my $lo_jump_added = 0;
my @interfaces = grep $_ ne '%vserver%', @_;
my $dummy;
#
# Add Nat jumps
#
@ -1400,6 +1434,8 @@ sub add_interface_jumps {
insert_ijump ( $raw_table->{PREROUTING}, j => prerouting_chain( $interface ), 0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
insert_ijump ( $raw_table->{OUTPUT}, j => output_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $raw_table->{output_chain $interface};
}
add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
}
#
# Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
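Review bot: The rpfilter rule at `state_imatch 'NEW,RELATED,INVALID',` deliberately leaves ESTABLISHED packets unchecked, and nothing in the hunk says why; a one-line comment such as `# ESTABLISHED is excluded so flows whose route changes after setup are not dropped — confirm` would save the next reader from treating the gap as an oversight. The two tests on the log level disagree: the guard uses `if ( $level || $audit )` while the log line uses `if $level ne ''`; if a numeric level of 0 can reach this code the first test treats it as unset, and if RPFILTER_LOG_LEVEL can be undef the second warns, so using `$level ne ''` (or `supplied`) in both places would make the intent explicit. Note also that `$audit = $policy =~ s/^A_//;` rewrites `$policy` in place, which the later `lc $policy` and `$policy eq 'REJECT'` depend on. add_common_rules and add_interface_jumps both start and end outside their hunks.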


@ -299,6 +299,7 @@ sub initialize( $$ ) {
required => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
routefilter => NUMERIC_IF_OPTION ,
rpfilter => SIMPLE_IF_OPTION,
sfilter => IPLIST_IF_OPTION,
sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@ -332,6 +333,7 @@ sub initialize( $$ ) {
proxyndp => BINARY_IF_OPTION,
required => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
rpfilter => SIMPLE_IF_OPTION,
sfilter => IPLIST_IF_OPTION,
sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@ -1160,11 +1162,16 @@ sub process_interface( $$ ) {
}
}
fatal_error "Invalid combination of interface options"
fatal_error q(The 'required', 'optional' and 'ignore' options are mutually exclusive)
if ( ( $options{required} && $options{optional} ) ||
( $options{required} && $options{ignore} ) ||
( $options{optional} && $options{ignore} ) );
if ( $options{rpfilter} ) {
require_capability( 'RPFILTER_MATCH', q(The 'rpfilter' option), 's' ) ;
fatal_error q(The 'routefilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter};
}
if ( supplied( my $ignore = $options{ignore} ) ) {
fatal_error "Invalid value ignore=0" if ! $ignore;
} else {
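Review bot: The new exclusivity check only covers `routefilter`, yet the add_common_rules hunk in the previous file skips sfilter processing whenever `$interfaceref->{options}{rpfilter}` is set, so an interface that specifies both `sfilter` and `rpfilter` silently loses its sfilter rules. Either reject the combination next to the existing check, `fatal_error q(The 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{sfilter};`, or, if the combination is meant to be legal, emit a warning so the ignored option is visible at compile time. process_interface starts and ends outside the hunk.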


@ -41,6 +41,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@ -208,6 +210,8 @@ MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP


@ -52,6 +52,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@ -219,6 +221,8 @@ MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP


@ -50,6 +50,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@ -217,6 +219,8 @@ MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP


@ -53,6 +53,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@ -220,6 +222,8 @@ MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP


@ -41,6 +41,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@ -208,6 +210,8 @@ MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP


@ -202,7 +202,7 @@ loc eth2 -</programlisting>
changed; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para>
<para/>
<para></para>
<note>
<para>This option does not work with a wild-card
@ -236,7 +236,7 @@ loc eth2 -</programlisting>
<para>8 - do not reply for all local addresses</para>
<para/>
<para></para>
<note>
<para>This option does not work with a wild-card
@ -244,7 +244,7 @@ loc eth2 -</programlisting>
the INTERFACE column.</para>
</note>
<para/>
<para></para>
<warning>
<para>Do not specify <emphasis
@ -394,7 +394,7 @@ loc eth2 -</programlisting>
1
teastep@lists:~$ </programlisting>
<para/>
<para></para>
<note>
<para>This option does not work with a wild-card
@ -636,6 +636,20 @@ loc eth2 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>rpfilter</term>
<listitem>
<para>Added in Shorewall 4.5.7. This is an anti-spoofing
measure that requires the 'RPFilter Match' capability in your
iptables and kernel. It provides a more efficient alternative
to the <option>sfilter</option> option below. It performs a
function similar to <option>routefilter</option> (see above)
but works with Multi-ISP configurations that do now use
balanced routes.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>sfilter=(<emphasis>net</emphasis>[,...])</term>
@ -668,7 +682,7 @@ loc eth2 -</programlisting>
changed; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para>
<para/>
<para></para>
<note>
<para>This option does not work with a wild-card


@ -96,7 +96,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -106,7 +106,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -116,7 +116,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -126,7 +126,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -482,7 +482,7 @@
</itemizedlist>
<blockquote>
<para/>
<para></para>
<para>If CONFIG_PATH is not given or if it is set to the empty
value then the contents of /usr/share/shorewall/configpath are
@ -829,7 +829,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</varlistentry>
</variablelist>
<para/>
<para></para>
<blockquote>
<para>If this variable is not set or is given an empty value
@ -1039,7 +1039,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</itemizedlist>
<para/>
<para></para>
<blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for
@ -1056,7 +1056,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
control your firewall after you enable this option.</para>
</important>
<para/>
<para></para>
<caution>
<para>Do not use this option if the resulting log messages will
@ -1709,7 +1709,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">"</emphasis></term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -1879,6 +1879,33 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">RPFILTER_DISPOSITION=</emphasis>[<emphasis
role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>|A_DROP|A_REJECT]</term>
<listitem>
<para>Added in Shorewall 4.5.7. Determines the disposition of
packets entering from interfaces the <option>rpfilter</option>
option (see <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
Packets disposed of by this option are those whose response packets
would not be sent through the same interface receiving the
packet.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">RPFILTER_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
<listitem>
<para>Added in shorewall 4.5.7. Determines the logging of packets
disposed via the RPFILTER_DISPOSITION. The default value is
<option>info</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -1900,7 +1927,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>Added in Shorewall 4.4.20. Determines the disposition of
packets matching the <option>filter</option> option (see <ulink
packets matching the <option>sfilter</option> option (see <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
of <firstterm>hairpin</firstterm> packets on interfaces without the
<option>routeback</option> option.<footnote>
@ -1916,7 +1943,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>Added on Shorewall 4.4.20. Determines the logging of packets
matching the <option>filter</option> option (see <ulink
matching the <option>sfilter</option> option (see <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
of <firstterm>hairpin</firstterm> packets on interfaces without the
<option>routeback</option> option.<footnote>


@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT
SFILTER_DISPOSITION=DROP
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP


@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT
SFILTER_DISPOSITION=DROP
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP


@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT
SFILTER_DISPOSITION=DROP
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP


@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT
SFILTER_DISPOSITION=DROP
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP


@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@ -187,6 +189,8 @@ RELATED_DISPOSITION=ACCEPT
SFILTER_DISPOSITION=DROP
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP


@ -366,9 +366,21 @@ loc eth2 -</programlisting>
if you want to allow traffic between the interfaces that match
the wildcard.</para>
<para>Beginning with Shorewall 4.4.20, if you specify this
option, then you should also specify <option>sfilter</option>
(see below).</para>
<para>If you specify this option, then you should also specify
<option>rpfilter</option> (see below) if you are running
Shorewall 4.5.7 or later; otherwise, you should specify
<option>sfilter</option> (see below).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>rpfilter</term>
<listitem>
<para>Added in Shorewall 4.5.7. This is an anti-spoofing
measure that requires the 'RPFilter Match' capability in your
iptables and kernel. It provides a more efficient alternative
to the <option>sfilter</option> option below.</para>
</listitem>
</varlistentry>


@ -82,7 +82,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -92,7 +92,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -102,7 +102,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -112,7 +112,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -902,7 +902,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</itemizedlist>
<para/>
<para></para>
<blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for
@ -919,7 +919,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
control your firewall after you enable this option.</para>
</important>
<para/>
<para></para>
<caution>
<para>Do not use this option if the resulting log messages will
@ -1507,7 +1507,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">"</emphasis></term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -1612,6 +1612,33 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">RPFILTER_DISPOSITION=</emphasis>[<emphasis
role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>|A_DROP|A_REJECT]</term>
<listitem>
<para>Added in Shorewall 4.5.7. Determines the disposition of
packets entering from interfaces with the <option>rpfilter</option>
option (see <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
Packets disposed of by this option are those whose response packets
would not be sent through the same interface receiving the
packet.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">RPFILTER_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
<listitem>
<para>Added in shorewall 4.5.7. Determines the logging of packets
disposed via the RPFILTER_DISPOSITION. The default value is
<option>info</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SHOREWALL_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term>
@ -1658,7 +1685,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>Added in Shorewall 4.4.20. Determines the disposition of
packets matching the <option>filter</option> option (see <ulink
packets matching the <option>sfilter</option> option (see <ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
and of <firstterm>hairpin</firstterm> packets on interfaces without
the <option>routeback</option> option.<footnote>
@ -1674,7 +1701,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem>
<para>Added on Shorewall 4.4.20. Determines the logging of packets
matching the <option>filter</option> option (see <ulink
matching the <option>sfilter</option> option (see <ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))
and of <firstterm>hairpin</firstterm> packets on interfaces without
the <option>routeback</option> option.<footnote>