From 21770a89d639c6bb4496e9c1c20077ace243d352 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 2 Aug 2012 15:38:23 -0700 Subject: [PATCH] Detect which matches are available. Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 52 +++++++++- Shorewall/Perl/Shorewall/Chains.pm | 31 +++--- Shorewall/Perl/Shorewall/Config.pm | 111 ++++++++++++++++++++- Shorewall/configfiles/conntrack | 29 +++++- Shorewall/manpages/shorewall-conntrack.xml | 100 ++++++++++++++++++- Shorewall6/configfiles/conntrack | 30 +++++- 6 files changed, 322 insertions(+), 31 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 5ac506ec2..ef2beb7af 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -2020,6 +2020,16 @@ determine_capabilities() { GEOIP_MATCH= RPFILTER_MATCH= NFACCT_MATCH= + AMANDA_HELPER= + FTP_HELPER= + IRC_HELPER= + NETBIOS_NS_HELPER= + H323_HELPERS= + PPTP_HELPER= + SANE_HELPER= + SIP_HELPER= + SNMP_HELPER= + TFTP_HELPER= chain=fooX$$ @@ -2173,15 +2183,30 @@ determine_capabilities() { qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes fi - qt $g_tool -t raw -L -n && RAW_TABLE=Yes + qt $g_tool -t raw -L -n && RAW_TABLE=Yes qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes if [ -n "$RAW_TABLE" ]; then - qt $g_tool -t raw -N $chain - qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes - qt $g_tool -t raw -N $chain qt $g_tool -t raw -F $chain qt $g_tool -t raw -X $chain + qt $g_tool -t raw -N $chain + + if qt $g_tool -t raw -A $chain -j CT --notrack; then + CT_TARGET=Yes + qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes + qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes + qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPERS=Yes + qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes + qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes + qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes + qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes + qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes + qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes + qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes + fi + + qt $g_tool -t raw -F $chain + qt $g_tool -t raw -X $chain fi if qt mywhich ipset; then @@ -2360,6 +2385,16 @@ report_capabilities() { report_capability "Geo IP match" $GEOIP_MATCH report_capability "RPFilter match" $RPFILTER_MATCH report_capability "NFAcct match" $NFACCT_MATCH + report_capability "Amanda Helper" $AMANDA_HELPER + report_capability "FTP Helper" $FTP_HELPER + report_capability "IRC Helper" $IRC_HELPER + report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER + report_capability "H323 Helpers" H323_HELPERS + report_capability "PPTP Helper" $PPTP_HELPER + report_capability "SANE Helper" $SANE_HELPER + report_capability "SIP Helper" $SIP_HELPER + report_capability "SNMP Helper" $SNMP_HELPER + report_capability "TFTP Helper" $TFTP_HELPER if [ $g_family -eq 4 ]; then report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S @@ -2453,6 +2488,15 @@ report_capabilities1() { report_capability1 GEOIP_MATCH report_capability1 RPFILTER_MATCH report_capability1 NFACCT_MATCH + report_capability1 AMANDA_HELPER + report_capability1 FTP_HELPER + report_capability1 IRC_HELPER + report_capability1 NETBIOS_NS_HELPER + report_capability1 H323_HELPERS + report_capability1 PPTP_HELPER + report_capability1 SANE_HELPER + report_capability1 SNMP_HELPER + report_capability1 TFTP_HELPER echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 67eb43c73..709801f2b 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -28,7 +28,7 @@ package Shorewall::Chains; require Exporter; use Scalar::Util 'reftype'; -use Digest::SHA1 qw(sha1); +use Digest::SHA qw(sha1); use File::Basename; use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::Zones; @@ -331,7 +331,19 @@ our $rawpost_table; our $nat_table; our $mangle_table; our $filter_table; -our %helpers; +our %helpers = ( amanda => UDP, + ftp => TCP, + irc => TCP, + 'netbios-ns' => UDP, + pptp => TCP, + 'Q.931' => TCP, + RAS => UDP, + sane => TCP, + sip => UDP, + snmp => UDP, + tftp => UDP, + ); + my $comment; my @comments; my $export; @@ -654,19 +666,6 @@ sub initialize( $$$ ) { %ipset_exists = (); - %helpers = ( amanda => UDP, - ftp => TCP, - irc => TCP, - 'netbios-ns' => UDP, - pptp => TCP, - 'Q.931' => TCP, - RAS => UDP, - sane => TCP, - sip => UDP, - snmp => UDP, - tftp => UDP, - ); - %isocodes = (); %nfobjects = (); @@ -4341,6 +4340,8 @@ sub validate_helper( $;$ ) { # Recognized helper # if ( supplied $proto ) { + require_capability $helpers_map{$helper}, "Helper $helper", 's'; + my $protonum = -1; fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) ); diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 654083b42..68fe47b8a 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -144,6 +144,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script %config_files %shorewallrc + %helpers_map + @auditoptions F_IPV4 @@ -314,6 +316,17 @@ my %capdesc = ( NAT_ENABLED => 'NAT', GEOIP_MATCH => 'GeoIP Match' , RPFILTER_MATCH => 'RPFilter Match', NFACCT_MATCH => 'NFAcct Match', + AMANDA_HELPER => 'Amanda Helper', + FTP_HELPER => 'FTP Helper', + H323_HELPERS => 'H323 Helpers', + IRC_HELPER => 'IRC Helper', + NETBIOS_NS_HELPER => + 'Amanda Helper', + PPTP_HELPER => 'PPTP Helper', + SANE_HELPER => 'Amanda Helper', + SIP_HELPER => 'SIP Helper', + SNMP_HELPER => 'SNMP Helper', + TFTP_HELPER => 'TFTP Helper', # # Constants # @@ -322,6 +335,19 @@ my %capdesc = ( NAT_ENABLED => 'NAT', KERNELVERSION => 'Kernel Version', ); +our %helpers_map = ( amanda => 'AMANDA_HELPER', + ftp => 'FTP_HELPER', + irc => 'IRC_HELPER', + 'netbios-ns' => 'NETBIOS_NS_HELPER', + pptp => 'PPTP_HELPER', + 'Q.931' => 'H323_HELPERS', + RAS => 'H323_HELPERS', + sane => 'SANE_HELPER', + sip => 'SIP_HELPER', + snmp => 'SNMP_HELPER', + tftp => 'TFTP_HELPER', + ); + our %config_files = ( #accounting => 1, actions => 1, blacklist => 1, @@ -773,6 +799,17 @@ sub initialize( $;$ ) { GEOIP_MATCH => undef, RPFILTER_MATCH => undef, NFACCT_MATCH => undef, + AMANDA_HELPER => undef, + FTP_HELPER => undef, + H323_HELPERS => undef, + IRC_HELPER => undef, + NETBIOS_NS_HELPER => undef, + PPTP_HELPER => undef, + SANE_HELPER => undef, + SIP_HELPER => undef, + SNMP_HELPER => undef, + TFTP_HELPER => undef, + CAPVERSION => undef, LOG_OPTIONS => 1, KERNELVERSION => undef, @@ -949,6 +986,12 @@ sub cleanup() { qt1( "$iptables -X $sillyname1" ); qt1( "$iptables -t mangle -F $sillyname" ); qt1( "$iptables -t mangle -X $sillyname" ); + qt1( "$iptables -t nat -F $sillyname" ); + qt1( "$iptables -t nat -X $sillyname" ); + qt1( "$iptables -t raw -F $sillyname" ); + qt1( "$iptables -t raw -X $sillyname" ); + qt1( "$iptables -t rawpost -F $sillyname" ); + qt1( "$iptables -t rawpost -X $sillyname" ); $sillyname = ''; } } @@ -3200,17 +3243,56 @@ sub Ct_Target() { if ( have_capability 'RAW_TABLE' ) { qt1( "$iptables -t raw -N $sillyname" ); $ct_target = qt1( "$iptables -t raw -A $sillyname -j CT --notrack" ); - qt1( "$iptables -t raw -F $sillyname" ); - qt1( "$iptables -t raw -X $sillyname" ); } $ct_target; } +sub Amanda_Helper() { + have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 10080 -j CT --helper amanda" ); +} + +sub FTP_Helper() { + have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 21 -j CT --helper ftp" ); +} + +sub H323_Helpers() { + have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 1719 -j CT --helper RAS" ); +} + +sub IRC_Helper() { + have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 6667 -j CT --helper irc" ); +} + +sub Netbios_ns_Helper() { + have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 137 -j CT --helper netbios-ns" ); +} + +sub PPTP_Helper() { + have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 1729 -j CT --helper pptp" ); +} + +sub SANE_Helper() { + have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 6566 -j CT --helper sane" ); +} + +sub SIP_Helper() { + have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 5060 -j CT --helper sip" ); +} + +sub SNMP_Helper() { + have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 161 -j CT --helper snmp" ); +} + +sub TFTP_Helper() { + have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 69 -j CT --helper tftp" ); +} + sub Statistic_Match() { qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" ); } + sub Imq_Target() { have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" ); } @@ -3245,6 +3327,7 @@ sub GeoIP_Match() { our %detect_capability = ( ACCOUNT_TARGET =>\&Account_Target, + AMANDA_HELPER => \&Amanda_Helper, AUDIT_TARGET => \&Audit_Target, ADDRTYPE => \&Addrtype, BASIC_FILTER => \&Basic_Filter, @@ -3261,9 +3344,11 @@ our %detect_capability = ENHANCED_REJECT => \&Enhanced_Reject, EXMARK => \&Exmark, FLOW_FILTER => \&Flow_Filter, + FTP_HELPER => \&FTP_Helper, FWMARK_RT_MASK => \&Fwmark_Rt_Mask, GEOIP_MATCH => \&GeoIP_Match, GOTO_TARGET => \&Goto_Target, + H323_HELPERS => \&H323_Helpers, HASHLIMIT_MATCH => \&Hashlimit_Match, HEADER_MATCH => \&Header_Match, HELPER_MATCH => \&Helper_Match, @@ -3272,6 +3357,7 @@ our %detect_capability = IPP2P_MATCH => \&Ipp2p_Match, IPRANGE_MATCH => \&IPRange_Match, IPSET_MATCH => \&IPSet_Match, + IRC_HELPER => \&IRC_Helper, OLD_IPSET_MATCH => \&Old_IPSet_Match, IPSET_V5 => \&IPSET_V5, IPTABLES_S => \&Iptables_S, @@ -3287,6 +3373,7 @@ our %detect_capability = MARK_ANYWHERE => \&Mark_Anywhere, MULTIPORT => \&Multiport, NAT_ENABLED => \&Nat_Enabled, + NETBIOS_NS_HELPER => \&Netbios_ns_Helper, NEW_CONNTRACK_MATCH => \&New_Conntrack_Match, NFACCT_MATCH => \&NFAcct_Match, NFQUEUE_TARGET => \&Nfqueue_Target, @@ -3299,13 +3386,18 @@ our %detect_capability = PHYSDEV_BRIDGE => \&Physdev_Bridge, PHYSDEV_MATCH => \&Physdev_Match, POLICY_MATCH => \&Policy_Match, + PPTP_HELPER => \&PPTP_Helper, RAW_TABLE => \&Raw_Table, RAWPOST_TABLE => \&Rawpost_Table, REALM_MATCH => \&Realm_Match, RECENT_MATCH => \&Recent_Match, RPFILTER_MATCH => \&RPFilter_Match, + SANE_HELPER => \&SANE_Helper, + SIP_HELPER => \&SIP_Helper, + SNMP_HELPER => \&SNMP_Helper, STATISTIC_MATCH => \&Statistic_Match, TCPMSS_MATCH => \&Tcpmss_Match, + TFTP_HELPER => \&TFTP_Helper, TIME_MATCH => \&Time_Match, TPROXY_TARGET => \&Tproxy_Target, USEPKTTYPE => \&Usepkttype, @@ -3445,6 +3537,12 @@ sub determine_capabilities() { $capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' ); $capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' ); $capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' ); + + if ( $capabilities{CT_TARGET} ) { + for ( values %helpers_map ) { + $capabilities{$_} = detect_capability $_; + } + } qt1( "$iptables -F $sillyname" ); qt1( "$iptables -X $sillyname" ); @@ -3461,6 +3559,11 @@ sub determine_capabilities() { qt1( "$iptables -t nat -X $sillyname" ); } + if ( $capabilities{RAW_ENABLED} ) { + qt1( "$iptables -t raw -F $sillyname" ); + qt1( "$iptables -t raw -X $sillyname" ); + } + $sillyname = $sillyname1 = undef; } } @@ -3743,7 +3846,9 @@ sub read_capabilities() { next; } - $capabilities{$var} = $val =~ /^\"([^\"]*)\"$/ ? $1 : $val; + $val = $val =~ /^\"([^\"]*)\"$/ ? $1 : $val; + + $capabilities{$var} = $val ne ''; } else { fatal_error "Unrecognized capabilities entry"; } diff --git a/Shorewall/configfiles/conntrack b/Shorewall/configfiles/conntrack index 5e4733b5b..34cb07071 100644 --- a/Shorewall/configfiles/conntrack +++ b/Shorewall/configfiles/conntrack @@ -9,17 +9,38 @@ FORMAT 2 # PORT(S) PORT(S) GROUP ?IF $AUTOHELPERS && __CT_TARGET COMMENT AUTOHELPERS -CT:helper:ftp all - tcp 21 +?IF __AMANDA_HELPER CT:helper:amanda all - udp 10080 +?ENDIF +?IF __FTP_HELPER +CT:helper:ftp all - tcp 21 +?ENDIF +?IF __H323_HELPERS COMMENT AUTOHELPERS - H323 CT:helper:RAS all - udp 1719 CT:helper:Q.931 all - tcp 1720 COMMENT AUTOHELPERS -CT:helper:sip all - udp 5060 -CT:helper:tftp all - udp 69 -CT:helper:sane all - tcp 6566 +?ENDIF +?IF __IRC_HELPER CT:helper:irc all - tcp 6667 +?ENDIF +?IF __NETBIOS_NS_HELPER CT:helper:netbios-ns all - udp 137 +?ENDIF +?IF __PPTP_HELPER CT:helper:pptp all - tcp 1729 +?ENDIF +?IF __SANE_HELPER +CT:helper:sane all - tcp 6566 +?ENDIF +?IF __SIP_HELPER +CT:helper:sip all - udp 5060 +?ENDIF +?IF __SNMP_HELPER +CT:helper:snmp all - udp 161 +?ENDIF +?IF __TFTP_HELPER +CT:helper:tftp all - udp 69 +?ENDIF COMMENT ?ENDIF diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml index eb6cdd907..b401e1a5a 100644 --- a/Shorewall/manpages/shorewall-conntrack.xml +++ b/Shorewall/manpages/shorewall-conntrack.xml @@ -76,8 +76,104 @@ Attach the helper identified by the name to this connection. This is more - flexible than loading the conntrack helper with preset ports. - May be followed by an option list of + flexible than loading the conntrack helper with preset + ports. + + At this writing, the available helpers are: + + + + amanda + + + Requires that the amanda netfilter helper is + present. + + + + + ftp + + + Requires that the FTP netfilter helper is + present. + + + + + irc + + + Requires that the IRC netfilter helper is + present. + + + + + netbios-ns + + + Requires that the netbios_ns (sic) helper is + present. + + + + + RAS and Q.931 + + + These require that the H323 netfilter helper is + present. + + + + + pptp + + + Requires that the pptp netfilter helper is + present. + + + + + sane + + + Requires that the SANE netfilter helper is + present. + + + + + sip + + + Requires that the SIP netfilter helper is + present. + + + + + snmp + + + Requires that the SNMP netfilter helper is + present. + + + + + tftp + + + Requires that the TFTP netfilter helper is + present. + + + + + May be followed by an option list of arg=val pairs in parentheses: diff --git a/Shorewall6/configfiles/conntrack b/Shorewall6/configfiles/conntrack index cca4209ab..a8a0e315a 100644 --- a/Shorewall6/configfiles/conntrack +++ b/Shorewall6/configfiles/conntrack @@ -9,14 +9,38 @@ FORMAT 2 # PORT(S) PORT(S) GROUP ?IF $AUTOHELPERS && __CT_TARGET COMMENT AUTOHELPERS -CT:helper:ftp all - tcp 21 +?IF __AMANDA_HELPER CT:helper:amanda all - udp 10080 +?ENDIF +?IF __FTP_HELPER +CT:helper:ftp all - tcp 21 +?ENDIF +?IF __H323_HELPERS COMMENT AUTOHELPERS - H323 CT:helper:RAS all - udp 1719 CT:helper:Q.931 all - tcp 1720 COMMENT AUTOHELPERS -CT:helper:sip all - udp 5060 -CT:helper:tftp all - udp 69 +?ENDIF +?IF __IRC_HELPER +CT:helper:irc all - tcp 6667 +?ENDIF +?IF __NETBIOS_NS_HELPER +CT:helper:netbios-ns all - udp 137 +?ENDIF +?IF __PPTP_HELPER +CT:helper:pptp all - tcp 1729 +?ENDIF +?IF __SANE_HELPER CT:helper:sane all - tcp 6566 +?ENDIF +?IF __SIP_HELPER +CT:helper:sip all - udp 5060 +?ENDIF +?IF __SNMP_HELPER +CT:helper:snmp all - udp 161 +?ENDIF +?IF __TFTP_HELPER +CT:helper:tftp all - udp 69 +?ENDIF COMMENT ?ENDIF