Merge branch 'master' into 4.5.13

Conflicts:
	Shorewall/Perl/Shorewall/Rules.pm
	Shorewall/action.Established
	Shorewall/actions.std
Tom Eastep 2013-01-29 07:30:52 -08:00
commit 316b67473e
9 changed files with 223 additions and 89 deletions


@ -2808,10 +2808,10 @@ sub embedded_perl( $ ) {
} }
# #
# Push/pop action params # Push/pop acton params
# #
sub push_action_params( $$$$$ ) { sub push_action_params( $$$$$$ ) {
my ( $chainref, $parms, $loglevel, $logtag, $caller ) = @_; my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
my @parms = ( undef , split_list3( $parms , 'parameter' ) ); my @parms = ( undef , split_list3( $parms , 'parameter' ) );
$actparms{modified} = $parmsmodified; $actparms{modified} = $parmsmodified;
@ -2829,6 +2829,7 @@ sub push_action_params( $$$$$ ) {
} }
$actparms{0} = $chainref; $actparms{0} = $chainref;
$actparms{action} = $action;
$actparms{loglevel} = $loglevel; $actparms{loglevel} = $loglevel;
$actparms{logtag} = $logtag; $actparms{logtag} = $logtag;
$actparms{caller} = $caller; $actparms{caller} = $caller;
@ -5358,7 +5359,6 @@ sub get_configuration( $$$$ ) {
$val = $config{TCP_FLAGS_DISPOSITION} = 'DROP'; $val = $config{TCP_FLAGS_DISPOSITION} = 'DROP';
} }
default 'TC_ENABLED' , $family == F_IPV4 ? 'Internal' : 'no'; default 'TC_ENABLED' , $family == F_IPV4 ? 'Internal' : 'no';
$val = "\L$config{TC_ENABLED}"; $val = "\L$config{TC_ENABLED}";
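Review bot: `$actparms{action} = $action;` is the one new piece of state in push_action_params, but nothing says who consumes it; I'd put `# name of the action being expanded; read by perl_action_helper()/perl_action_tcp_helper() in Rules.pm` on that line, since those helpers added in this same commit look it up. On the right-hand column the heading above the sub reads `# Push/pop acton params`; if that column is the merged result the typo should be corrected to `action`. The widened prototype `( $$$$$$ )` is only checked for callers compiled after this definition, so a caller that still passes five arguments and is compiled earlier (or uses `&`) would silently shift every parameter by one; the two callers visible in Rules.pm are updated. pop_action_params is outside the hunk, so I could not confirm it restores the new key.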


@ -51,6 +51,8 @@ our @EXPORT = qw(
process_actions process_actions
process_rules process_rules
verify_audit verify_audit
perl_action_helper
perl_action_tcp_helper
); );
our @EXPORT_OK = qw( initialize process_rule1 ); our @EXPORT_OK = qw( initialize process_rule1 );
@ -153,6 +155,11 @@ our %auditpolicies = ( ACCEPT => 1,
DROP => 1, DROP => 1,
REJECT => 1 REJECT => 1
); );
our @columns;
our @columnstack;
our $actionresult;
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
@ -221,6 +228,9 @@ sub initialize( $ ) {
# #
%usedactions = (); %usedactions = ();
@columns = ();
@columnstack = ();
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/; @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
} else { } else {
@ -1681,7 +1691,7 @@ sub process_action($$) {
push_open $actionfile, 2, 1; push_open $actionfile, 2, 1;
my $oldparms = push_action_params( $chainref, $param, $level, $tag, $caller ); my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
my $nolog = $actions{$action}{nolog}; my $nolog = $actions{$action}{nolog};
@ -1895,7 +1905,8 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
my ( $level, $tag ) = split( ':', $loglevel, 2 ); my ( $level, $tag ) = split( ':', $loglevel, 2 );
my $oldparms = push_action_params( $chainref, my $oldparms = push_action_params( $inline,
$chainref,
$param, $param,
supplied $level ? $level : 'none', supplied $level ? $level : 'none',
defined $tag ? $tag : '' , defined $tag ? $tag : '' ,
@ -2429,6 +2440,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
$current_param = $param unless $param eq '' || $param eq 'PARAM'; $current_param = $param unless $param eq '' || $param eq 'PARAM';
push @columnstack, [ ( @columns ) ];
@columns = ( $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard );
my $generated = process_inline( $basictarget, my $generated = process_inline( $basictarget,
$chainref, $chainref,
$rule, $rule,
@ -2451,9 +2466,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
$helper, $helper,
$wildcard ); $wildcard );
@columns = @{pop @columnstack};
$macro_nest_level--; $macro_nest_level--;
return $generated; return $generated || $actionresult;
} }
# #
# Generate Fixed part of the rule # Generate Fixed part of the rule
@ -2628,6 +2645,95 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
return 1; return 1;
} }
#
# May be called by Perl code in action bodies (regular and inline) to generate a rule.
#
sub perl_action_helper($$) {
my ( $target, $matches ) = @_;
my $action = $actparms{action};
my $chainref = $actparms{0};
my $result;
assert( $chainref );
if ( $inlines{$action} ) {
&process_rule1( $chainref,
$matches,
$target,
'',
@columns );
} else {
$result = process_rule1( $chainref,
$matches,
$target,
'', # Current Param
'-', # Source
'-', # Dest
'-', # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
}
$actionresult ||= $result;
}
#
# May be called by Perl code in action bodies (regular and inline) to generate a rule.
#
sub perl_action_tcp_helper($$) {
my ( $target, $proto ) = @_;
my $action = $actparms{action};
my $chainref = $actparms{0};
my $result;
assert( $chainref );
if ( $inlines{$action} ) {
$result = &process_rule1( $chainref,
$proto,
$target,
'',
@columns[0,1],
'-',
@columns[3..14]
);
} else {
$result = process_rule1( $chainref,
$proto,
$target,
'', # Current Param
'-', # Source
'-', # Dest
"-", # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
}
$actionresult ||= $result;
}
# #
# Helper functions for process_rule(). That function deals with the ugliness of wildcard zones ('all' and 'any') and zone lists. # Helper functions for process_rule(). That function deals with the ugliness of wildcard zones ('all' and 'any') and zone lists.
# #
@ -2773,25 +2879,27 @@ sub process_rule ( ) {
if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) { if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
for my $proto ( @protos ) { for my $proto ( @protos ) {
for my $user ( @users ) { for my $user ( @users ) {
$generated |= process_rule1( undef, if ( process_rule1( undef,
'', '',
$target, $target,
'', '',
$source, $source,
$dest, $dest,
$proto, $proto,
$ports, $ports,
$sports, $sports,
$origdest, $origdest,
$ratelimit, $ratelimit,
$user, $user,
$mark, $mark,
$connlimit, $connlimit,
$time, $time,
$headers, $headers,
$condition, $condition,
$helper, $helper,
$wild ); $wild ) ) {
$generated = 1;
}
} }
} }
} }
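Review bot: In `perl_action_helper`, the inline branch calls `&process_rule1( $chainref, $matches, $target, '', @columns )` without assigning its return value, so `$actionresult ||= $result` at the end of the sub always sees undef for inline actions, whereas `perl_action_tcp_helper` does assign it; the line should read `$result = &process_rule1( $chainref,`. The `&` call form is deliberate — it bypasses process_rule1's all-scalar prototype so that `@columns` flattens into the argument list — and that deserves a comment on both helpers, e.g. `# '&' bypasses the prototype so @columns is flattened into the argument list`. `$actionresult` is declared but, unlike `@columns`/`@columnstack`, is not reset in `initialize` nor before `process_inline` is entered, and `||=` only ever raises it, so `return $generated || $actionresult` in process_rule1 may report a rule left over from an earlier action unless it is cleared somewhere outside these hunks. The two helpers carry an identical heading comment; the tcp variant's should say that it passes '-' in the PROTO column because the protocol is carried in the match string.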


@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Established[([<action>|-[,{audit|-}])] # Established[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
@ -36,21 +36,25 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules qw( process_rule1 );
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Established parameter ($audit) to action Established" if supplied $audit && $audit ne 'audit'; if ( supplied $audit ) {
fatal_error "Established parameter ($action) to action Established" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/; fatal_error "Established parameter ($audit) to action Established" if $audit ne 'audit';
$action = "A_$action";
}
my $chainref = get_action_chain; my ( $level, $tag ) = get_action_logging;
my ( $level, $tag ) = get_action_logging; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'Established' , $action, '', $tag, 'add', "$globals{STATEMATCH} ESTABLISHED " if $level ne ''; perl_action_helper(
add_jump $chainref , $target, 0, "$globals{STATEMATCH} ESTABLISHED "; $action, # Target
"$globals{STATEMATCH} INVALID ", # Matches
);
allow_optimize( $chainref ); allow_optimize( get_action_chain );
1; 1;
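Review bot: The match string passed to `perl_action_helper` is `"$globals{STATEMATCH} INVALID "`, but this is the Established action and the removed `add_jump` line matched `ESTABLISHED`; as written the action would match packets in the INVALID state instead, so the line should be `"$globals{STATEMATCH} ESTABLISHED ", # Matches`. The header comment was shortened to `# Established[([<action>])]` although the body still reads two parameters with `get_action_params( 2 )` and handles `audit`; the same mismatch is in Invalid, NotSyn, RST, Related and Untracked, and I'd keep the second parameter documented in each header. `use Shorewall::Rules qw( process_rule1 );` gives an explicit import list, which suppresses the module's default `@EXPORT`, so `perl_action_helper` — the only Rules function this body calls — is not brought in by that line unless the package the embedded perl runs in already sees it; Related and Untracked have the same line, while Invalid, NotSyn and RST use the bare `use Shorewall::Rules;`, which is the form I'd use in all six.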


@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Invalid[([<action>|-[,{audit|-}])] # Invalid[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
@ -36,21 +36,25 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action Invalid" if supplied $audit && $audit ne 'audit'; if ( supplied $audit ) {
fatal_error "Invalid parameter ($action) to action Invalid" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/; fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
$action = "A_$action";
}
my $chainref = get_action_chain; my ( $level, $tag ) = get_action_logging;
my ( $level, $tag ) = get_action_logging; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne ''; perl_action_helper(
add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID "; $action, # Target
"$globals{STATEMATCH} INVALID ", # Matches
);
allow_optimize( $chainref ); allow_optimize( get_action_chain);
1; 1;
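Review bot: The check `fatal_error "Invalid parameter ($action) to action Invalid" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;` was removed, so whatever is passed as the first parameter now reaches `perl_action_helper` as the rule target with only an `A_` prefix and a log suffix applied; if process_rule1 rejects unknown targets the failure is still reported, but against the generated rule rather than the action parameter, and any target it does accept is now allowed here where it was not before. I'd keep the old line ahead of the `if ( supplied $audit )` block, before the prefix is added; the same removal appears in Established, NotSyn, RST, Related and Untracked. Minor: `allow_optimize( get_action_chain);` lacks the space before `)` that the sibling files have.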


@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# NotSyn[([<action>|-[,{audit|-}])] # NotSyn[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
@ -36,21 +36,25 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action NotSyn" if supplied $audit && $audit ne 'audit'; if ( supplied $audit ) {
fatal_error "Invalid parameter ($action) to action NotSyn" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/; fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
$action = "A_$action";
my $chainref = get_action_chain; }
my ( $level, $tag ) = get_action_logging; my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne ''; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
add_jump $chainref , $target, 0, '-p 6 ! --syn ';
allow_optimize( $chainref ); perl_action_tcp_helper(
$action,
'-p 6 ! --syn '
);
allow_optimize( get_action_chain );
1; 1;
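Review bot: The audit error message in the new `if ( supplied $audit )` block says `to action Invalid` although this is the NotSyn action — a copy-paste from action.Invalid; it should read `fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';`. The same wrong action name appears in action.RST, where it should say `to action RST`.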


@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# RST[([<action>|-[,{audit|-}])] # RST[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
@ -35,21 +35,25 @@ DEFAULTS DROP,-
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action RST" if supplied $audit && $audit ne 'audit'; if ( supplied $audit ) {
fatal_error "Invalid parameter ($action) to action RST" unless $action =~ /^(?:ACCEPT|DROP)$/; fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
$action = "A_$action";
my $chainref = get_action_chain; }
my ( $level, $tag ) = get_action_logging; my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne ''; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';
allow_optimize( $chainref ); perl_action_tcp_helper(
$action,
'-p 6 --tcp-flags RST RST '
);
allow_optimize( get_action_chain );
1; 1;
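Review bot: The removed check `unless $action =~ /^(?:ACCEPT|DROP)$/` was stricter here than in the sibling actions — REJECT was not allowed for RST packets — and nothing in the new body restores that restriction, so `RST(REJECT)` now passes through to `perl_action_tcp_helper` unless process_rule1 refuses it. I'd keep `fatal_error "Invalid parameter ($action) to action RST" unless $action =~ /^(?:ACCEPT|DROP)$/;` before the `if ( supplied $audit )` block, since after that block `$action` may already carry the `A_` prefix.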


@ -1,11 +1,11 @@
# #
# Shorewall 4 - Invalid Action # Shorewall 4 - Related Action
# #
# /usr/share/shorewall/action.Related # /usr/share/shorewall/action.Related
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2013 - Tom Eastep (teastep@shorewall.net) # (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Related[([<action>|-[,{audit|-}])] # Related[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
@ -33,24 +33,29 @@ DEFAULTS DROP,-
?BEGIN PERL; ?BEGIN PERL;
use strict;
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules qw( process_rule1 );
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Related parameter ($audit) to action Related" if supplied $audit && $audit ne 'audit'; if ( supplied $audit ) {
fatal_error "Related parameter ($action) to action Related" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/; fatal_error "Related parameter ($audit) to action Related" if $audit ne 'audit';
$action = "A_$action";
}
my $chainref = get_action_chain; my ( $level, $tag ) = get_action_logging;
my ( $level, $tag ) = get_action_logging; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'Related' , $action, '', $tag, 'add', "$globals{STATEMATCH} RELATED " if $level ne ''; perl_action_helper(
add_jump $chainref , $target, 0, "$globals{STATEMATCH} RELATED "; $action, # Target
"$globals{STATEMATCH} RELATED ", # Matches
);
allow_optimize( $chainref ); allow_optimize( get_action_chain );
1; 1;
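Review bot: The merged side drops `use strict;` from the `?BEGIN PERL` block, and no other action file in this commit carries one; unless embedded_perl enables strictures for the evaluated code (that sub is outside this view), the body now runs without them, so I'd either keep the line or confirm the host enables it. The copyright line also moves from `(c) 2013` to `(c) 2011,2012` on the merged side, which looks like the conflict was resolved to the older header; action.Untracked shows the same change. The title fix to `Shorewall 4 - Related Action` is the right direction.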


@ -5,7 +5,7 @@
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2013 - Tom Eastep (teastep@shorewall.net) # (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Untracked[([<action>|-[,{audit|-}])] # Untracked[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
@ -36,21 +36,26 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules qw( process_rule1 );
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Untracked parameter ($audit) to action Untracked" if supplied $audit && $audit ne 'audit'; if ( supplied $audit ) {
fatal_error "Untracked parameter ($action) to action Untracked" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/; fatal_error "Untracked parameter ($audit) to action Untracked" if $audit ne 'audit';
$action = "A_$action";
}
my $chainref = get_action_chain; my ( $level, $tag ) = get_action_logging;
my ( $level, $tag ) = get_action_logging; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'Untracked' , $action, '', $tag, 'add', "$globals{STATEMATCH} UNTRACKED " if $level ne ''; perl_action_helper(
add_jump $chainref , $target, 0, "$globals{STATEMATCH} UNTRACKED "; $action, # Target
"$globals{STATEMATCH} UNTRACKED ", # Matches
);
allow_optimize( $chainref );
allow_optimize( get_action_chain );
1; 1;


@ -38,11 +38,11 @@ A_Reject # Audited Default action for REJECT policy
Broadcast noinline # Handles Broadcast/Multicast/Anycast Broadcast noinline # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy Drop # Default Action for DROP policy
DropSmurfs noinline # Drop smurf packets DropSmurfs noinline # Drop smurf packets
Established noinline # Handles packets in the ESTABLISHED state Established inline # Handles packets in the ESTABLISHED state
Invalid noinline # Handles packets in the INVALID conntrack state Invalid inline # Handles packets in the INVALID conntrack state
NotSyn noinline # Handles TCP packets which do not have SYN=1 and ACK=0 NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy Reject # Default Action for REJECT policy
Related noinline # Handles packets in the RELATED conntrack state Related inline # Handles packets in the RELATED conntrack state
RST noinline # Handle packets with RST set RST inline # Handle packets with RST set
TCPFlags noinline # Handle bad flag combinations. TCPFlags noinline # Handle bad flag combinations.
Untracked noinline # Handles packets in the UNTRACKED conntrack state Untracked inline # Handles packets in the UNTRACKED conntrack state