Allow BROADCAST = detect with -e

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3277 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-01-13 19:29:23 +00:00
parent 222fb2c10f
commit 25e02e273f
3 changed files with 206 additions and 92 deletions


@ -1218,8 +1218,6 @@ validate_interfaces_file() {
options=$(separate_list $options) options=$(separate_list $options)
iface=$(chain_base $interface) iface=$(chain_base $interface)
[ -n "$EXPORT" -a x$networks = detect ] && startup_error "BROADCAST 'detect' is incompatible with the -e run-line option: Interface \"$interface\""
eval ${iface}_broadcast="$networks" eval ${iface}_broadcast="$networks"
eval ${iface}_zone="$z" eval ${iface}_zone="$z"
eval ${iface}_options=\"$options\" eval ${iface}_options=\"$options\"
@ -1228,10 +1226,7 @@ validate_interfaces_file() {
case $option in case $option in
-) -)
;; ;;
dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|nosmurfs|upnp|-) dhcp|tcpflags|arp_filter|routefilter|maclist|logmartians|sourceroute|blacklist|proxyarp|nosmurfs|upnp|-)
;;
maclist)
[ -n "$EXPORT" ] && startup_error "The 'maclist' option is incompatible with the -e run-line option: Interface \"$interface\""
;; ;;
norfc1918) norfc1918)
if [ $COMMAND = generate ]; then if [ $COMMAND = generate ]; then
@ -1670,11 +1665,8 @@ validate_hosts_file() {
for option in $(separate_list $options) ; do for option in $(separate_list $options) ; do
case $option in case $option in
norfc1918|blacklist|tcpflags|nosmurfs|-) norfc1918|blacklist|maclist|tcpflags|nosmurfs|-)
;; ;;
maclist)
[ -n "$EXPORT" ] && startup_error "The 'maclist' option is incompatible with the -e run-line option: \"$host\""
;;
ipsec) ipsec)
[ -n "$POLICY_MATCH" ] || \ [ -n "$POLICY_MATCH" ] || \
startup_error "Your kernel and/or iptables does not support policy match: ipsec" startup_error "Your kernel and/or iptables does not support policy match: ipsec"
@ -1850,19 +1842,34 @@ validate_policy()
} }
# #
# Find broadcast addresses # Find broadcast addresses -- if we are compiling a script and 'detect' is specified for an interface
# the function returns nothing for that interface
# #
find_broadcasts() { find_broadcasts() {
for interface in $ALL_INTERFACES; do for interface in $ALL_INTERFACES; do
eval bcast=\$$(chain_base $interface)_broadcast eval bcast=\$$(chain_base $interface)_broadcast
if [ "x$bcast" = "xdetect" ]; then if [ "x$bcast" = "xdetect" ]; then
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u if [ $COMMAND != generate ]; then
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
fi
elif [ "x${bcast}" != "x-" ]; then elif [ "x${bcast}" != "x-" ]; then
echo $(separate_list $bcast) echo $(separate_list $bcast)
fi fi
done done
} }
#
# Find interfaces with BROADCAST=detect -- Only returns information if we are compiling a script
#
find_bcastdetect_interfaces() {
if [ $COMMAND = generate ]; then
for interface in $ALL_INTERFACES; do
eval bcast=\$$(chain_base $interface)_broadcast
[ "x$bcast" = "xdetect" ] && echo $interface
done
fi
}
# #
# Find interfaces that have the passed option specified # Find interfaces that have the passed option specified
# #
@ -1941,72 +1948,6 @@ run_user_exit() # $1 = file name
fi fi
} }
#
# Add a logging rule.
#
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
{
local level=$1
local chain=$2
local displayChain=$3
local disposition=$4
local rulenum=
local limit="${5:-$LOGLIMIT}"
local tag=${6:+$6 }
local command=${7:--A}
local prefix
local base=$(chain_base $displayChain)
shift 7
if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
displayChain=$tag
tag=
fi
if [ -n "$LOGRULENUMBERS" ]; then
eval rulenum=\$${base}_logrules
rulenum=${rulenum:-1}
prefix="$(printf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}"
rulenum=$(($rulenum + 1))
eval ${base}_logrules=$rulenum
else
prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}"
fi
if [ ${#prefix} -gt 29 ]; then
prefix="$(echo $prefix | truncate 29)"
error_message "WARNING: Log Prefix shortened to \"$prefix\""
fi
case $level in
ULOG)
run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;;
*)
run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
;;
esac
if [ $? -ne 0 ] ; then
[ -z "$STOPPING" ] && { stop_firewall; exit 2; }
fi
}
log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
{
local level=$1
local chain=$2
local disposition=$3
shift 3
log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
}
# #
# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING # Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
# #
@ -2997,20 +2938,38 @@ setup_mac_lists() {
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface) [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
blob=$(ip link show $interface 2> /dev/null) if [ $COMMAND = generate ]; then
cat >> $RESTOREBASE << __EOF__
[ -z "$blob" ] && \ blob=\$(ip link show $interface 2> /dev/null)
fatal_error "Interface $interface must be up before Shorewall can start"
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do [ -z "\$blob" ] && \
address=${address%/*} fatal_error "Interface $interface must be up before Shorewall can start"
if [ -n "$broadcast" ]; then
run_iptables -t $MACLIST_TABLE -A $chain -s $address -d $broadcast -j RETURN
fi
run_iptables -t $MACLIST_TABLE -A $chain -s $address -d 255.255.255.255 -j RETURN ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
run_iptables -t $MACLIST_TABLE -A $chain -s $address -d 224.0.0.0/4 -j RETURN address=\${address%/*}
done if [ -n "\$broadcast" ]; then
$IPTABLES -t $MACLIST_TABLE -A $chain -s \$address -d \$broadcast -j RETURN
fi
done
__EOF__
else
blob=$(ip link show $interface 2> /dev/null)
[ -z "$blob" ] && \
fatal_error "Interface $interface must be up before Shorewall can start"
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
address=${address%/*}
if [ -n "$broadcast" ]; then
run_iptables -t $MACLIST_TABLE -A $chain -s $address -d $broadcast -j RETURN
fi
run_iptables -t $MACLIST_TABLE -A $chain -s $address -d 255.255.255.255 -j RETURN
run_iptables -t $MACLIST_TABLE -A $chain -s $address -d 224.0.0.0/4 -j RETURN
done
fi
if [ -n "$MACLIST_LOG_LEVEL" ]; then if [ -n "$MACLIST_LOG_LEVEL" ]; then
log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
@ -5312,6 +5271,29 @@ process_actions3() {
run_iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP run_iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP
else else
for interface in $(find_bcastdetect_interfaces); do
cat >> $RESTOREBASE << __EOF__
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
__EOF__
case $xlevel in
none*)
;;
*)
[ -n "$xlevel" ] && \
cat >> $RESTOREBASE << __EOF__
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d \$address
__EOF__
;;
esac
cat >> $RESTOREBASE << __EOF__
$IPTABLES -A $xchain -d \$address -j DROP
done
__EOF__
done
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
case $xlevel in case $xlevel in
none*) none*)
@ -5344,6 +5326,29 @@ process_actions3() {
run_iptables -A allowBcast -m pkttype --pkt-type broadcast -j ACCEPT run_iptables -A allowBcast -m pkttype --pkt-type broadcast -j ACCEPT
run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT
else else
for interface in $(find_bcastdetect_interfaces); do
cat >> $RESTOREBASE << __EOF__
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
__EOF__
case $xlevel in
none*)
;;
*)
[ -n "$xlevel" ] && \
cat >> $RESTOREBASE << __EOF__
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d \$address
__EOF__
;;
esac
cat >> $RESTOREBASE << __EOF__
$IPTABLES -A $xchain -d \$address -j
done
__EOF__
done
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
case $xlevel in case $xlevel in
none*) none*)
@ -7979,19 +7984,45 @@ add_common_rules() {
local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4" local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
drop_broadcasts() { drop_broadcasts() {
for interface in $(find_bcastdetect_interfaces); do
cat >> $RESTOREBASE << __EOF__
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
$IPTABLES -A reject -d \$address -j DROP
done
__EOF__
done
for address in $broadcasts ; do for address in $broadcasts ; do
run_iptables -A reject -d $address -j DROP run_iptables -A reject -d $address -j DROP
done done
} }
# #
# Populate the smurf chain # Populate the smurf chain
# #
[ $COMMAND = generate ] && save_progress_message "Setting up SMURF control..." [ $COMMAND = generate ] && save_progress_message "Setting up SMURF control..."
for interface in $(find_bcastdetect_interfaces); do
cat >> $RESTOREBASE << __EOF__
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
__EOF__
[ -n "$SMURF_LOG_LEVEL" ] && \
cat >> $RESTOREBASE << __EOF__
log_rule $SMURF_LOG_LEVEL smurfs DROP -s \$address
__EOF__
cat >> $RESTOREBASE << __EOF__
$IPTABLES -A smurfs -s \$address -j DROP
done
__EOF__
done
for address in $broadcasts ; do for address in $broadcasts ; do
[ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address [ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address
run_iptables -A smurfs $(source_ip_range $address) -j DROP run_iptables -A smurfs $(source_ip_range $address) -j DROP
run_iptables -A reject -s $address -j DROP
done done
# #
# Reject Rules -- Don't respond to broadcasts with an ICMP # Reject Rules -- Don't respond to broadcasts with an ICMP
@ -8997,12 +9028,22 @@ compile_firewall() # $1 = File Name
# #
. /usr/share/shorewall/functions . /usr/share/shorewall/functions
stop_firewall()
{
exit 2
}
fatal_error() fatal_error()
{ {
echo " ERROR: \$@" >&2 echo " ERROR: \$@" >&2
exit 2 exit 2
} }
run_iptables()
{
$IPTABLES \$@
}
if [ ! -f /usr/share/shorewall/version ] || [ \$(cat /usr/share/shorewall/version) != $VERSION ]; then if [ ! -f /usr/share/shorewall/version ] || [ \$(cat /usr/share/shorewall/version) != $VERSION ]; then
fatal_error "This script requires Shorewall version $VERSION" fatal_error "This script requires Shorewall version $VERSION"
fi fi
@ -9014,10 +9055,17 @@ __EOF__
save_command ". $(resolve_file $f)" save_command ". $(resolve_file $f)"
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
# #
# These variables are required by the library functions called in this script
#
COMMAND=restore COMMAND=restore
[ -n \${QUIET:=0} ] [ -n \${QUIET:=0} ]
MODULESDIR="$MODULESDIR" MODULESDIR="$MODULESDIR"
MODULE_SUFFIX="$MODULE_SUFFIX" MODULE_SUFFIX="$MODULE_SUFFIX"
LOGLIMIT="$LOGLIMIT"
LOGTAGONLY="$LOGTAGONLY"
LOGRULENUMBERS="$LOGRULENUMBERS"
LOGFORMAT="$LOGFORMAT"
STOPPING=
load_kernel_modules load_kernel_modules
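Review bot: The allowBcast rule emitted for BROADCAST=detect interfaces has no target: in the allowBcast branch of process_actions3() (hunk @ -5344) the heredoc line `$IPTABLES -A $xchain -d \$address -j` stops at `-j`, whereas the dropBcast counterpart in the previous hunk reads `$IPTABLES -A $xchain -d \$address -j DROP`. In the compiled script this becomes an iptables call with a missing target argument, and because the line invokes `$IPTABLES` directly instead of going through run_iptables/log_rule_limit, the failure is neither checked nor reported, so detected broadcast addresses silently get no ACCEPT rule. The line should read `$IPTABLES -A $xchain -d \$address -j ACCEPT`. Separately, the generate-mode branch of setup_mac_lists() (hunk @ -2997) writes only the `-d \$broadcast` RETURN rule and drops the `-d 255.255.255.255` and `-d 224.0.0.0/4` RETURN rules that the run-time branch still emits; unless that is intentional, 'maclist' behaves differently in compiled and interactive runs. Both process_actions3() and setup_mac_lists() begin and end outside the hunks shown.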


@ -1129,4 +1129,70 @@ disable_ipv6() {
fi fi
} }
#
# Add a logging rule.
#
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
{
local level=$1
local chain=$2
local displayChain=$3
local disposition=$4
local rulenum=
local limit="${5:-$LOGLIMIT}"
local tag=${6:+$6 }
local command=${7:--A}
local prefix
local base=$(chain_base $displayChain)
shift 7
if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
displayChain=$tag
tag=
fi
if [ -n "$LOGRULENUMBERS" ]; then
eval rulenum=\$${base}_logrules
rulenum=${rulenum:-1}
prefix="$(printf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}"
rulenum=$(($rulenum + 1))
eval ${base}_logrules=$rulenum
else
prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}"
fi
if [ ${#prefix} -gt 29 ]; then
prefix="$(echo $prefix | truncate 29)"
error_message "WARNING: Log Prefix shortened to \"$prefix\""
fi
case $level in
ULOG)
run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;;
*)
run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
;;
esac
if [ $? -ne 0 ] ; then
[ -z "$STOPPING" ] && { stop_firewall; exit 2; }
fi
}
log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
{
local level=$1
local chain=$2
local disposition=$3
shift 3
log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
}
SHOREWALL_LIBRARY=Loaded SHOREWALL_LIBRARY=Loaded
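Review bot: log_rule_limit() now lives in the shared library but its header says nothing about what the caller must provide: the body reads LOGLIMIT, LOGTAGONLY, LOGRULENUMBERS, LOGFORMAT, LOGPARMS and STOPPING and calls run_iptables, stop_firewall, error_message, truncate and chain_base, none of which this hunk defines. Compiled scripts now source this file and have to supply those names themselves, so a comment above the function such as `# Caller must define: LOGLIMIT LOGTAGONLY LOGRULENUMBERS LOGFORMAT LOGPARMS STOPPING, and run_iptables(), stop_firewall(), error_message(), truncate(), chain_base()` would let a missing definition be caught at review time rather than when a generated script runs (an unset variable here expands to nothing without any error). The generated preamble in the compiler sets LOGLIMIT, LOGTAGONLY, LOGRULENUMBERS, LOGFORMAT and STOPPING but LOGPARMS is not visible there, so it is worth confirming it reaches compiled scripts by another path. A one-line note on `[ -z "$STOPPING" ] && { stop_firewall; exit 2; }` explaining that the abort is presumably suppressed while a stop is already in progress would also help, since otherwise the reason the error is ignored is not obvious.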


@ -79,8 +79,8 @@ New Features:
1) The same version of Shorewall must be running on the remote system 1) The same version of Shorewall must be running on the remote system
2) The 'detectnets' interface option is not allowed. 2) The 'detectnets' interface option is not allowed.
3) 'detect' in the BROADCAST column of /etc/shorewall/ is not allowed. 3) DETECT_DNAT_ADDRS=Yes is not allowed.
4) DETECT_DNAT_ADDRS=Yes is not allowed. 4) An interface name in the SUBNET column of /etc/shorewall/masq is not allowed.
b) If you have extension scripts, they may need modification. The scripts b) If you have extension scripts, they may need modification. The scripts
will be run at generation time, rather than when the generated script will be run at generation time, rather than when the generated script