holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Implement format-3 conntrack files.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-11-22 20:56:56 -08:00
parent 3f7425b6a0
commit 30de211bda
4 changed files with 235 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
Shorewall/Perl/Shorewall/Raw.pm
View File

@ -204,7 +204,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
sub process_format( $ ) {
my $format = shift;
fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/;
$format;
}
@ -252,13 +252,23 @@ sub setup_conntrack() {
$empty = 0;
if ( $source =~ /^all(-)?(:(.+))?$/ ) {
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch ) unless $1;
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch );
if ( $format < 3 ) {
if ( $source =~ /^all(-)?(:(.+))?$/ ) {
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch ) unless $1;
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch );
} else {
process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
} elsif ( $action =~ s/:0$// ) {
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} else {
process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
$action =~ s/:P//;
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
}
clear_comment;

24
Shorewall/configfiles/conntrack
View File

@ -4,50 +4,50 @@
# For information about entries in this file, type "man shorewall-conntrack"
#
##############################################################################################################
FORMAT 2
FORMAT 3
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
# PORT(S) PORT(S) GROUP
?if $AUTOHELPERS && __CT_TARGET
?if __AMANDA_HELPER
CT:helper:amanda all - udp 10080
CT:helper:amanda:PO - - udp 10080
?endif
?if __FTP_HELPER
CT:helper:ftp all - tcp 21
CT:helper:ftp:PO - - tcp 21
?endif
?if __H323_HELPER
CT:helper:RAS all - udp 1719
CT:helper:Q.931 all - tcp 1720
CT:helper:RAS;PO - - udp 1719
CT:helper:Q.931:PO - - tcp 1720
?endif
?if __IRC_HELPER
CT:helper:irc all - tcp 6667
CT:helper:irc:PO - - tcp 6667
?endif
?if __NETBIOS_NS_HELPER
CT:helper:netbios-ns all - udp 137
CT:helper:netbios-ns:PO - - udp 137
?endif
?if __PPTP_HELPER
CT:helper:pptp all - tcp 1723
CT:helper:pptp:PO - - tcp 1723
?endif
?if __SANE_HELPER
CT:helper:sane all - tcp 6566
CT:helper:sane:PO - - tcp 6566
?endif
?if __SIP_HELPER
CT:helper:sip all - udp 5060
CT:helper:sip:PO - - udp 5060
?endif
?if __SNMP_HELPER
CT:helper:snmp all - udp 161
CT:helper:snmp:PO - - udp 161
?endif
?if __TFTP_HELPER
CT:helper:tftp all - udp 69
CT:helper:tftp:PO - - udp 69
?endif
?endif

109
Shorewall/manpages/shorewall-conntrack.xml
View File

@ -32,11 +32,26 @@
role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
<emphasis role="bold">conntrack</emphasis>.</para>
<para>The file supports two different column layouts: FORMAT 1 and FORMAT
2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an
additional leading ACTION column. When an entry in the file of this form
is encountered, the format of the following entries are assumed to be of
the specified <replaceable>format</replaceable>.</para>
<para>The file supports two different column layouts: FORMAT 1, FORMAT 2,
and FORMAT 3, FORMAT 1 being the default. The three differ as
follows:</para>
<itemizedlist>
<listitem>
<para>in FORMAT 2 and 3, there is an additional leading ACTION
column.</para>
</listitem>
<listitem>
<para>in FORMAT 3, the SOURCE column accepts no zone name; rather the
ACTION column allows a SUFFIX that determines the chain(s) that the
generated rule will be added to.</para>
</listitem>
</itemizedlist>
<para>When an entry in the following form is encountered, the format of
the following entries are assumed to be of the specified
<replaceable>format</replaceable>.</para>
<simplelist>
<member><emphasis role="bold">FORMAT</emphasis>
@ -44,7 +59,10 @@
</simplelist>
<para>where <replaceable>format</replaceable> is either <emphasis
role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
role="bold">1</emphasis>,<emphasis role="bold">2</emphasis> or <emphasis
role="bold">3</emphasis>.</para>
<para>Format 3 was introduced in Shorewall 4.5.10.</para>
<para>Comments may be attached to Netfilter rules generated from entries
in this file through the use of COMMENT lines. These lines begin with the
@ -63,7 +81,7 @@
role="bold">NOTRACK</emphasis>|<emphasis
role="bold">CT</emphasis>:<emphasis
role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
role="bold">CT:notrack</emphasis>}</term>
role="bold">CT:notrack</emphasis>}[:<replaceable>chain-designator</replaceable>]</term>
<listitem>
<para>This column is only present when FORMAT = 2. Values other than
@ -151,10 +169,10 @@
</varlistentry>
<varlistentry>
<term></term>
<term/>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -232,11 +250,46 @@
<para>When FORMAT = 1, this column is not present and the rule is
processed as if NOTRACK had been entered in this column.</para>
<para>Beginning with Shoreall 4.5.10, when FORMAT = 3, this column
can end with a colon followed by a
<replaceable>chain-designator</replaceable>. The
<replaceable>chain-designator</replaceable> can be one of the
following:</para>
<variablelist>
<varlistentry>
<term>P</term>
<listitem>
<para>The rule is added to the raw table PREROUTING chain.
This is the default if no
<replaceable>chain-designator</replaceable> is present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>O</term>
<listitem>
<para>The rule is added to the raw table OUTPUT chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PO or OP</term>
<listitem>
<para>The rule is added to the raw table PREROUTING and OUTPUT
chains.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term>SOURCE
<term>SOURCE (formats 1 and 2)
{<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]|COMMENT}</term>
<listitem>
@ -267,6 +320,23 @@
</listitem>
</varlistentry>
<varlistentry>
<term>SOURCE (formats 3)
{-|[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>}</term>
<listitem>
<para>Where <replaceable>interface</replaceable> is an interface to
that zone, and <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
(5)).</para>
<para>COMMENT is only allowed in format 1; the remainder of the line
is treated as a comment that will be associated with the generated
rule(s).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DEST
[<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>
@ -393,9 +463,28 @@
<refsect1>
<title>EXAMPLE</title>
<para>Example 1:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S)
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
<para>Example 2 (Shorewall 4.5.10 or later):</para>
<para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
<programlisting>FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S)
DROP all-:1.2.3.4 -
DROP all 1.2.3.4</programlisting>
<para>or<programlisting>FORMAT 3
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S)
DROP:P 1.2.3.4 -
DROP:PO - 1.2.3.4
</programlisting></para>
</refsect1>
<refsect1>

119
Shorewall6/manpages/shorewall6-conntrack.xml
View File

@ -25,25 +25,44 @@
<para>The original intent of the <emphasis role="bold">notrack</emphasis>
file was to exempt certain traffic from Netfilter connection tracking.
Traffic matching entries in that file were not to be tracked.</para>
Traffic matching entries in the file were not to be tracked.</para>
<para>The role of the file was expanded in Shorewall 4.4.27 to include all
rules that can be added in the Netfilter <emphasis
role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
<emphasis role="bold">conntrack</emphasis>.</para>
<para>The file supports two different column layouts: FORMAT 1 and FORMAT
2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an
additional leading ACTION column. When an entry in the file of this form
is encountered, the format of the following entries are assumed to be of
the specified <replaceable>format</replaceable>.</para>
<para>The file supports two different column layouts: FORMAT 1, FORMAT 2,
and FORMAT 3, FORMAT 1 being the default. The three differ as
follows:</para>
<itemizedlist>
<listitem>
<para>in FORMAT 2 and 3, there is an additional leading ACTION
column.</para>
</listitem>
<listitem>
<para>in FORMAT 3, the SOURCE column accepts no zone name; rather the
ACTION column allows a SUFFIX that determines the chain(s) that the
generated rule will be added to.</para>
</listitem>
</itemizedlist>
<para>When an entry in the following form is encountered, the format of
the following entries are assumed to be of the specified
<replaceable>format</replaceable>.</para>
<simplelist>
<member>FORMAT <replaceable>format</replaceable></member>
<member><emphasis role="bold">FORMAT</emphasis>
<replaceable>format</replaceable></member>
</simplelist>
<para>where <replaceable>format</replaceable> is either <emphasis
role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
role="bold">1</emphasis>,<emphasis role="bold">2</emphasis> or <emphasis
role="bold">3</emphasis>.</para>
<para>Format 3 was introduced in Shorewall 4.5.10.</para>
<para>Comments may be attached to Netfilter rules generated from entries
in this file through the use of COMMENT lines. These lines begin with the
@ -62,7 +81,7 @@
role="bold">NOTRACK</emphasis>|<emphasis
role="bold">CT</emphasis>:<emphasis
role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
role="bold">CT:notrack</emphasis>}</term>
role="bold">CT:notrack</emphasis>}[:<replaceable>chain-designator</replaceable>]</term>
<listitem>
<para>This column is only present when FORMAT = 2. Values other than
@ -127,11 +146,46 @@
<para>When FORMAT = 1, this column is not present and the rule is
processed as if NOTRACK had been entered in this column.</para>
<para>Beginning with Shoreall 4.5.10, when FORMAT = 3, this column
can end with a colon followed by a
<replaceable>chain-designator</replaceable>. The
<replaceable>chain-designator</replaceable> can be one of the
following:</para>
<variablelist>
<varlistentry>
<term>P</term>
<listitem>
<para>The rule is added to the raw table PREROUTING chain.
This is the default if no
<replaceable>chain-designator</replaceable> is present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>O</term>
<listitem>
<para>The rule is added to the raw table OUTPUT chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PO or OP</term>
<listitem>
<para>The rule is added to the raw table PREROUTING and OUTPUT
chains.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term>SOURCE
<term>SOURCE (formats 1 and 2)
<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]</term>
<listitem>
@ -162,6 +216,23 @@
</listitem>
</varlistentry>
<varlistentry>
<term>SOURCE (formats 3)
{-|[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>}</term>
<listitem>
<para>Where <replaceable>interface</replaceable> is an interface to
that zone, and <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
(5)).</para>
<para>COMMENT is only allowed in format 1; the remainder of the line
is treated as a comment that will be associated with the generated
rule(s).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DEST
[<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>
@ -277,11 +348,35 @@
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<title>EXAMPLES</title>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
<para>Example 1:</para>
<para>Use the FTP helper for TCP port 21 connections from the firewall
itself.</para>
<programlisting>FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S)
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
<para>Example 2 (Shorewall 4.5.10 or later):</para>
<para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
<programlisting>FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S)
DROP all-:2001:1.2.3::4 -
DROP all 2001:1.2.3::4
</programlisting>
<para>or<programlisting>FORMAT 3
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S)
DROP:P 2001:1.2.3::4 -
DROP:PO - 2001:1.2.3::4
</programlisting></para>
</refsect1>
<refsect1>