holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add origin to the ip[6]tables input.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-01-23 15:13:12 -08:00
parent 3fe4619f66
commit 2235641c9f
3 changed files with 89 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -3742,6 +3742,8 @@ sub combine_dports {
my $comment = $baseref->{comment} || ''; my $comment = $baseref->{comment} || '';
my $lastcomment = $comment; my $lastcomment = $comment;
my $multi_sports = get_multi_sports( $baseref ); my $multi_sports = get_multi_sports( $baseref );
my $origin = $baseref->{origin} || '';
my $lastorigin = $origin;
RULE: RULE:
@ -3755,6 +3757,7 @@ sub combine_dports {
# We have a candidate # We have a candidate
# #
my $comment2 = $ruleref->{comment} || ''; my $comment2 = $ruleref->{comment} || '';
my $origin2 = $ruleref->{origin} || '';
last if $comment2 ne $lastcomment && length( $comment ) + length( $comment2 ) > 253; last if $comment2 ne $lastcomment && length( $comment ) + length( $comment2 ) > 253;
@ -3795,6 +3798,25 @@ sub combine_dports {
$lastcomment = $comment2; $lastcomment = $comment2;
} }
if ( $origin2 ) {
if ( $origin ) {
$origin .= ", $origin2" unless $origin2 eq $lastorigin;
} else {
$origin = 'Others and ';
$origin .= $origin2;
}
$lastorigin = $origin2;
} else {
if ( $origin ) {
unless ( ( $origin2 = ' and others' ) eq $lastorigin ) {
$origin .= $origin2;
}
}
$lastorigin = $origin2;
}
push @ports, split ',', $ports2; push @ports, split ',', $ports2;
trace( $chainref, 'D', $rulenum, $ruleref ) if $debug; trace( $chainref, 'D', $rulenum, $ruleref ) if $debug;
@ -3828,6 +3850,7 @@ sub combine_dports {
} }
$baseref->{comment} = $comment if $comment; $baseref->{comment} = $comment if $comment;
$baseref->{origin} = $origin if $origin;
trace ( $chainref, 'R', $basenum, $baseref ) if $debug; trace ( $chainref, 'R', $basenum, $baseref ) if $debug;
} }
@ -7899,6 +7922,11 @@ sub emitr( $$ ) {
# A rule # A rule
# #
enter_cat_mode unless $mode == CAT_MODE; enter_cat_mode unless $mode == CAT_MODE;
if ( my $origin = $ruleref->{origin} ) {
emit_unindented '# ' . $origin;
}
emit_unindented format_rule( $chainref, $ruleref ); emit_unindented format_rule( $chainref, $ruleref );
} else { } else {
# #

19
Shorewall/Perl/Shorewall/Config.pm
View File

@ -1195,10 +1195,7 @@ sub currentlineinfo() {
sub shortlineinfo1( $ ) { sub shortlineinfo1( $ ) {
if ( $currentfile ) { if ( $currentfile ) {
my $comment = '@@@ '. join( ':', $currentfilename, $currentlinenumber ) . ' @@@'; join( ':', $currentfilename, $currentlinenumber );
$comment = '@@@ ' . join( ':' , basename($currentfilename), $currentlinenumber) . ' @@@' if length $comment > 255;
$comment = '@@@ Filename Too Long @@@' if length $comment > 255;
$comment;
} else { } else {
# #
# Alternate lineinfo may have been passed # Alternate lineinfo may have been passed
@ -1208,7 +1205,19 @@ sub shortlineinfo1( $ ) {
} }
sub shortlineinfo( $ ) { sub shortlineinfo( $ ) {
$config{TRACK_RULES} ? &shortlineinfo1( @_ ) : ''; if ( $config{TRACK_RULES} ) {
if ( $currentfile ) {
my $comment = '@@@ '. join( ':', $currentfilename, $currentlinenumber ) . ' @@@';
$comment = '@@@ ' . join( ':' , basename($currentfilename), $currentlinenumber) . ' @@@' if length $comment > 255;
$comment = '@@@ Filename Too Long @@@' if length $comment > 255;
$comment;
} else {
#
# Alternate lineinfo may have been passed
#
$_[0] || ''
}
}
} }
sub handle_first_entry(); sub handle_first_entry();

88
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -1722,8 +1722,8 @@ sub handle_nested_zone( $$ ) {
# #
# Add output jump to the passed zone:interface:hostref:net # Add output jump to the passed zone:interface:hostref:net
# #
sub add_output_jumps( $$$$$$$ ) { sub add_output_jumps( $$$$$$$$ ) {
my ( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge, ) = @_; my ( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge, $origin ) = @_;
our @vservers; our @vservers;
our %output_jump_added; our %output_jump_added;
@ -1752,15 +1752,16 @@ sub add_output_jumps( $$$$$$$ ) {
# #
# It is a bridge port zone -- use the bridges output chain and match the physdev # It is a bridge port zone -- use the bridges output chain and match the physdev
# #
add_ijump( $filter_table->{ output_chain $bridge }, add_ijump_extended( $filter_table->{ output_chain $bridge },
j => $outputref , j => $outputref ,
imatch_dest_dev( $interface, 1 ) ) $origin ,
imatch_dest_dev( $interface, 1 ) )
unless $output_jump_added{$interface}++; unless $output_jump_added{$interface}++;
} else { } else {
# #
# Not a bridge -- match the input interface # Not a bridge -- match the input interface
# #
add_ijump $filter_table->{OUTPUT}, j => $outputref, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++; add_ijump_extended $filter_table->{OUTPUT}, j => $outputref, $origin, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
} }
$use_output = 1; $use_output = 1;
@ -1789,11 +1790,11 @@ sub add_output_jumps( $$$$$$$ ) {
# #
# Add the jump # Add the jump
# #
add_ijump $outputref , j => $nextchain, @interfacematch, @dest, @ipsec_out_match; add_ijump_extended $outputref , j => $nextchain, $origin, @interfacematch, @dest, @ipsec_out_match;
# #
# Add jump for broadcast # Add jump for broadcast
# #
add_ijump( $outputref , j => $nextchain, @interfacematch, d => '255.255.255.255' , @ipsec_out_match ) add_ijump_extended( $outputref , j => $nextchain, get_interface_origin( $interface ), @interfacematch, d => '255.255.255.255' , @ipsec_out_match )
if $family == F_IPV4 && $hostref->{options}{broadcast}; if $family == F_IPV4 && $hostref->{options}{broadcast};
# #
# Move the rules from the interface output chain if we didn't use it # Move the rules from the interface output chain if we didn't use it
@ -1804,8 +1805,8 @@ sub add_output_jumps( $$$$$$$ ) {
# #
# Add prerouting jumps from the passed zone:interface:hostref:net # Add prerouting jumps from the passed zone:interface:hostref:net
# #
sub add_prerouting_jumps( $$$$$$$$ ) { sub add_prerouting_jumps( $$$$$$$$$ ) {
my ( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack ) = @_; my ( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack , $origin ) = @_;
my $dnatref = $nat_table->{dnat_chain( $zone )}; my $dnatref = $nat_table->{dnat_chain( $zone )};
my $preroutingref = $nat_table->{PREROUTING}; my $preroutingref = $nat_table->{PREROUTING};
@ -1820,11 +1821,12 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
# There are DNAT/REDIRECT rules with this zone as the source. # There are DNAT/REDIRECT rules with this zone as the source.
# Add a jump from this source network to this zone's DNAT/REDIRECT chain # Add a jump from this source network to this zone's DNAT/REDIRECT chain
# #
add_ijump( $preroutingref, add_ijump_extended( $preroutingref,
j => source_exclusion( $exclusions, $dnatref), j => source_exclusion( $exclusions, $dnatref),
imatch_source_dev( $interface), $origin,
@source, imatch_source_dev( $interface),
@ipsec_in_match ); @source,
@ipsec_in_match );
check_optimization( $dnatref ) if @source; check_optimization( $dnatref ) if @source;
} }
@ -1842,7 +1844,7 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
# #
if ( $nested ) { if ( $nested ) {
if ( $parenthasnat ) { if ( $parenthasnat ) {
add_ijump $preroutingref, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match; add_ijump_extended $preroutingref, j => 'RETURN', $origin, imatch_source_dev( $interface), @source, @ipsec_in_match;
} }
if ( $parenthasnotrack ) { if ( $parenthasnotrack ) {
my $rawref = $raw_table->{PREROUTING}; my $rawref = $raw_table->{PREROUTING};
@ -1854,8 +1856,8 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
# #
# Add input jump from the passed zone:interface:hostref:net # Add input jump from the passed zone:interface:hostref:net
# #
sub add_input_jumps( $$$$$$$$ ) { sub add_input_jumps( $$$$$$$$$ ) {
my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) = @_; my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge, $origin ) = @_;
our @vservers; our @vservers;
our %input_jump_added; our %input_jump_added;
@ -1884,15 +1886,16 @@ sub add_input_jumps( $$$$$$$$ ) {
# #
# It is a bridge port zone -- use the bridges input chain and match the physdev # It is a bridge port zone -- use the bridges input chain and match the physdev
# #
add_ijump( $filter_table->{ input_chain $bridge }, add_ijump_extended( $filter_table->{ input_chain $bridge },
j => $inputchainref , j => $inputchainref ,
imatch_source_dev($interface, 1) ) $origin ,
imatch_source_dev($interface, 1) )
unless $input_jump_added{$interface}++; unless $input_jump_added{$interface}++;
} else { } else {
# #
# Not a bridge -- match the input interface # Not a bridge -- match the input interface
# #
add_ijump $filter_table->{INPUT}, j => $inputchainref, imatch_source_dev($interface) unless $input_jump_added{$interface}++; add_ijump_extended $filter_table->{INPUT}, j => $inputchainref, $origin, imatch_source_dev($interface) unless $input_jump_added{$interface}++;
} }
$use_input = 1; $use_input = 1;
@ -1903,7 +1906,7 @@ sub add_input_jumps( $$$$$$$$ ) {
# #
for my $vzone ( @vservers ) { for my $vzone ( @vservers ) {
my $target = rules_target( $zone, $vzone ); my $target = rules_target( $zone, $vzone );
generate_dest_rules( $inputchainref, $target, $vzone, '', @source, @ipsec_in_match ) if $target; generate_dest_rules( $inputchainref, $target, $vzone, $origin, @source, @ipsec_in_match ) if $target;
} }
} }
} elsif ( $isport ) { } elsif ( $isport ) {
@ -1924,7 +1927,7 @@ sub add_input_jumps( $$$$$$$$ ) {
# #
# Add the jump from the input chain to the rules chain # Add the jump from the input chain to the rules chain
# #
add_ijump $inputchainref, j => source_exclusion( $exclusions, $chain2 ), @interfacematch, @source, @ipsec_in_match; add_ijump_extended $inputchainref, j => source_exclusion( $exclusions, $chain2 ), $origin, @interfacematch, @source, @ipsec_in_match;
move_rules( $interfacechainref , $chain2ref ) unless $use_input; move_rules( $interfacechainref , $chain2ref ) unless $use_input;
} }
} }
@ -1932,8 +1935,8 @@ sub add_input_jumps( $$$$$$$$ ) {
# #
# This function is called when there is forwarding and this net isn't IPSEC protected. It adds the jump for this net to the zone forwarding chain. # This function is called when there is forwarding and this net isn't IPSEC protected. It adds the jump for this net to the zone forwarding chain.
# #
sub add_forward_jump( $$$$$$$$ ) { sub add_forward_jump( $$$$$$$$$ ) {
my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) = @_; my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge, $origin ) = @_;
our %forward_jump_added; our %forward_jump_added;
@ -1947,37 +1950,39 @@ sub add_forward_jump( $$$$$$$$ ) {
# #
# We must use the interface forwarding chain -- add the jump from the interface forward chain to the zone forward chain. # We must use the interface forwarding chain -- add the jump from the interface forward chain to the zone forward chain.
# #
add_ijump $forwardref , j => $ref, @source, @ipsec_in_match; add_ijump_extended $forwardref , j => $ref, $origin, @source, @ipsec_in_match;
if ( $isport ) { if ( $isport ) {
# #
# It is a bridge port zone -- use the bridges input chain and match the physdev # It is a bridge port zone -- use the bridges input chain and match the physdev
# #
add_ijump( $filter_table->{ forward_chain $bridge } , add_ijump_extended( $filter_table->{ forward_chain $bridge } ,
j => $forwardref , j => $forwardref ,
imatch_source_dev( $interface , 1 ) ) $origin ,
imatch_source_dev( $interface , 1 ) )
unless $forward_jump_added{$interface}++; unless $forward_jump_added{$interface}++;
} else { } else {
# #
# Not a bridge -- match the input interface # Not a bridge -- match the input interface
# #
add_ijump $filter_table->{FORWARD} , j => $forwardref, imatch_source_dev( $interface ) unless $forward_jump_added{$interface}++; add_ijump_extended $filter_table->{FORWARD} , j => $forwardref, $origin, imatch_source_dev( $interface ) unless $forward_jump_added{$interface}++;
} }
} else { } else {
if ( $isport ) { if ( $isport ) {
# #
# It is a bridge port zone -- use the bridges input chain and match the physdev # It is a bridge port zone -- use the bridges input chain and match the physdev
# #
add_ijump( $filter_table->{ forward_chain $bridge } , add_ijump_extended( $filter_table->{ forward_chain $bridge } ,
j => $ref , j => $ref ,
imatch_source_dev( $interface, 1 ) , $origin ,
@source, imatch_source_dev( $interface, 1 ) ,
@ipsec_in_match ); @source,
@ipsec_in_match );
} else { } else {
# #
# Not a bridge -- match the input interface # Not a bridge -- match the input interface
# #
add_ijump $filter_table->{FORWARD} , j => $ref, imatch_source_dev( $interface ) , @source, @ipsec_in_match; add_ijump_extended $filter_table->{FORWARD} , j => $ref, $origin, imatch_source_dev( $interface ) , @source, @ipsec_in_match;
} }
move_rules ( $forwardref , $frwd_ref ); move_rules ( $forwardref , $frwd_ref );
@ -2118,6 +2123,7 @@ sub generate_matrix() {
for my $hostref ( @{$typeref->{$interface}} ) { for my $hostref ( @{$typeref->{$interface}} ) {
my $exclusions = $hostref->{exclusions}; my $exclusions = $hostref->{exclusions};
my $origin = $hostref->{origin};
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
# #
@ -2127,7 +2133,7 @@ sub generate_matrix() {
# #
# Policy from the firewall to this zone is not 'CONTINUE' and this isn't a bport zone # Policy from the firewall to this zone is not 'CONTINUE' and this isn't a bport zone
# #
add_output_jumps( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge ); add_output_jumps( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge, $origin );
} }
clearrule; clearrule;
@ -2136,15 +2142,15 @@ sub generate_matrix() {
# #
# PREROUTING # PREROUTING
# #
add_prerouting_jumps( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack ); add_prerouting_jumps( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack , $origin );
# #
# INPUT # INPUT
# #
add_input_jumps( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ); add_input_jumps( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge , $origin );
# #
# FORWARDING Jump for non-IPSEC host group # FORWARDING Jump for non-IPSEC host group
# #
add_forward_jump( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) if $frwd_ref && $hostref->{ipsec} ne 'ipsec'; add_forward_jump( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge, $origin ) if $frwd_ref && $hostref->{ipsec} ne 'ipsec';
} }
} # Subnet Loop } # Subnet Loop
} # Hostref Loop } # Hostref Loop