holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Allow Macros to be used as Default Actions.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-11-19 16:52:10 -08:00
parent 0d8931e49f
commit 3b20c0db54
3 changed files with 104 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -360,6 +360,9 @@ sub process_a_policy() {
} elsif ( $actions{$def} ) { } elsif ( $actions{$def} ) {
$default = supplied $param ? normalize_action( $def, 'none', $param ) : normalize_action_name $def; $default = supplied $param ? normalize_action( $def, 'none', $param ) : normalize_action_name $def;
use_policy_action( $default ); use_policy_action( $default );
} elsif ( find_macro( $def ) ) {
fatal_error "Default Action Macros may not have parameters" if supplied $param;
$default = join( '.', 'macro', $def ) unless $default =~ /^macro./;
} else { } else {
fatal_error "Unknown Default Action ($default)"; fatal_error "Unknown Default Action ($default)";
} }
@ -505,6 +508,9 @@ sub process_policies()
} elsif ( $actions{$act} ) { } elsif ( $actions{$act} ) {
$action = supplied $param ? normalize_action( $act, 'none', $param ) : normalize_action_name $act; $action = supplied $param ? normalize_action( $act, 'none', $param ) : normalize_action_name $act;
use_policy_action( $action ); use_policy_action( $action );
} elsif ( find_macro( $act ) ) {
fatal_error "Default Action Macros may not have parameters" if supplied $param;
$action = join( '.', 'macro', $act ) unless $action =~ /^macro\./;
} elsif ( $targets{$act} ) { } elsif ( $targets{$act} ) {
fatal_error "Invalid setting ($action) for $option"; fatal_error "Invalid setting ($action) for $option";
} else { } else {
@ -553,7 +559,34 @@ sub policy_rules( $$$$$ ) {
unless ( $target eq 'NONE' ) { unless ( $target eq 'NONE' ) {
add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT'; add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
add_ijump $chainref, j => $default if $default && $default ne 'none';
if ( $default && $default ne 'none' ) {
if ( $default =~ s/^macro\.// ) {
process_macro( $default, #Macro
$chainref, #Chain
$default, #Target
'', #Param
'-', #Source
'-', #Dest
'-', #Proto
'-', #Ports
'-', #Sports
'-', #Original Dest
'-', #Rate
'-', #User
'-', #Mark
'-', #ConnLimit
'-', #Time
'-', #Headers
'-', #Condition
'-', #Helper
0, #Wildcard
);
} else {
add_ijump $chainref, j => $default;
}
}
log_rule $loglevel , $chainref , $target , '' if $loglevel ne ''; log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
fatal_error "Null target in policy_rules()" unless $target; fatal_error "Null target in policy_rules()" unless $target;
@ -589,6 +622,7 @@ sub default_policy( $$$ ) {
} else { } else {
add_ijump $chainref, g => $policyref; add_ijump $chainref, g => $policyref;
$chainref = $policyref; $chainref = $policyref;
policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
} }
} elsif ( $policy eq 'CONTINUE' ) { } elsif ( $policy eq 'CONTINUE' ) {
report_syn_flood_protection if $synparams; report_syn_flood_protection if $synparams;
@ -601,7 +635,6 @@ sub default_policy( $$$ ) {
} }
progress_message_nocompress " Policy $policy from $_[1] to $_[2] using chain $chainref->{name}"; progress_message_nocompress " Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
} }
sub ensure_rules_chain( $ ); sub ensure_rules_chain( $ );
@ -630,7 +663,11 @@ sub apply_policy_rules() {
# is a single jump. Generate_matrix() will just use the policy target when # is a single jump. Generate_matrix() will just use the policy target when
# needed. # needed.
# #
ensure_rules_chain $name if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ); ensure_rules_chain $name if ( $default ne 'none' ||
$loglevel ||
$synparms ||
$config{MULTICAST} ||
! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ) );
} else { } else {
ensure_rules_chain $name; ensure_rules_chain $name;
} }
@ -747,7 +784,7 @@ sub ensure_rules_chain( $ )
$chainref = new_chain( 'filter', $chain ) unless $chainref; $chainref = new_chain( 'filter', $chain ) unless $chainref;
unless ( $chainref->{referenced} ) { unless ( $chainref->{referenced} ) {
if ( $section =~/^(NEW|DONE)$/ ) { if ( $section =~/^(NEW|DEFAULTACTION)$/ ) {
finish_chain_section $chainref , 'ESTABLISHED,RELATED'; finish_chain_section $chainref , 'ESTABLISHED,RELATED';
} elsif ( $section eq 'RELATED' ) { } elsif ( $section eq 'RELATED' ) {
finish_chain_section $chainref , 'ESTABLISHED'; finish_chain_section $chainref , 'ESTABLISHED';
@ -796,7 +833,7 @@ sub finish_chain_section ($$) {
if ( $chainref->{is_policy} ) { if ( $chainref->{is_policy} ) {
if ( $chainref->{synparams} ) { if ( $chainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref; my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
if ( $section eq 'DONE' ) { if ( $section eq 'DEFAULTACTION' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) { if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
add_ijump $chainref, j => $synchainref, p => 'tcp --syn'; add_ijump $chainref, j => $synchainref, p => 'tcp --syn';
} }
@ -1095,7 +1132,7 @@ sub merge_levels ($$) {
sub find_macro( $ ) sub find_macro( $ )
{ {
my $macro = $_[0]; my $macro = $_[0];
my $macrofile = find_file "macro.$macro"; my $macrofile = find_file( $macro =~ /^macro\./ ? $macro : "macro.$macro" );
if ( -f $macrofile ) { if ( -f $macrofile ) {
$macros{$macro} = $macrofile; $macros{$macro} = $macrofile;
@ -1678,8 +1715,10 @@ sub verify_audit($;$$) {
# Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If # Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion. # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
# Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
# body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument. # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument. A chain
# reference is also passed when rules are being generated during processing of a macro used as a default action.
# #
sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise
$target, $target,
@ -1704,12 +1743,15 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
my ( $basictarget, $param ) = get_target_param $action; my ( $basictarget, $param ) = get_target_param $action;
my $rule = ''; my $rule = '';
my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 5 ) : 0; my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 5 ) : 0;
my $inaction = ''; my $inaction = ''; # Set to true when we are process rules in an action file
my $inchain = ''; # Set to true when a chain reference is passed.
my $normalized_target; my $normalized_target;
my $normalized_action; my $normalized_action;
my $blacklist = ( $section eq 'BLACKLIST' ); my $blacklist = ( $section eq 'BLACKLIST' );
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref; if ( $inchain = defined $chainref ) {
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
}
$param = '' unless defined $param; $param = '' unless defined $param;
@ -1722,16 +1764,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || $param; ( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || $param;
} }
unless ( $actiontype ) {
if ( $action =~ /^NFLOG\(?/ ) {
$basictarget = 'LOG';
$actiontype = $targets{LOG};
fatal_error "Invalid NFLOG action($action:$loglevel)" if $loglevel;
$loglevel = supplied $param ? "NFLOG($param)" : 'NFLOG';
$param = '';
}
}
fatal_error "Unknown ACTION ($action)" unless $actiontype; fatal_error "Unknown ACTION ($action)" unless $actiontype;
if ( $actiontype == MACRO ) { if ( $actiontype == MACRO ) {
@ -1848,8 +1880,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
REDIRECT => sub () { REDIRECT => sub () {
my $z = $actiontype & NATONLY ? '' : firewall_zone; my $z = $actiontype & NATONLY ? '' : firewall_zone;
if ( $dest eq '-' ) { if ( $dest eq '-' ) {
$dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports ); $dest = ( $inchain ) ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
} elsif ( $inaction ) { } elsif ( $inchain ) {
$dest = ":$dest"; $dest = ":$dest";
} else { } else {
$dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/; $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
@ -1900,7 +1932,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
my $destref; my $destref;
my $origdstports; my $origdstports;
unless ( $inaction ) { unless ( $inchain ) {
if ( $source =~ /^(.+?):(.*)/ ) { if ( $source =~ /^(.+?):(.*)/ ) {
fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq ''; fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq '';
$sourcezone = $1; $sourcezone = $1;
@ -1941,7 +1973,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
} }
} }
} else { } else {
unless ( $inaction ) { unless ( $inchain ) {
fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq ''; fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone ); fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
} }
@ -1949,7 +1981,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
my $restriction = NO_RESTRICT; my $restriction = NO_RESTRICT;
unless ( $inaction ) { unless ( $inchain ) {
if ( $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) ) ) { if ( $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) ) ) {
$restriction = $destref && ( $destref->{type} & ( FIREWALL | VSERVER ) ) ? ALL_RESTRICT : OUTPUT_RESTRICT; $restriction = $destref && ( $destref->{type} & ( FIREWALL | VSERVER ) ) ? ALL_RESTRICT : OUTPUT_RESTRICT;
} else { } else {
@ -1967,9 +1999,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
# #
my $chain; my $chain;
if ( $inaction ) { if ( $inchain ) {
# #
# We are generating rules in an action chain -- the chain name is the name of that action chain # We are generating rules in a chain -- get its name
# #
$chain = $chainref->{name}; $chain = $chainref->{name};
} else { } else {
@ -2072,7 +2104,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
); );
} }
unless ( $section eq 'NEW' || $inaction ) { unless ( $section eq 'NEW' || $inchain ) {
if ( $config{FASTACCEPT} ) { if ( $config{FASTACCEPT} ) {
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
$section eq 'BLACKLIST' || $section eq 'BLACKLIST' ||
@ -2094,7 +2126,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
$sports, $sports,
$sourceref, $sourceref,
( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '', ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
$inaction ? $chain : '' , $inchain ? $chain : '' ,
$user , $user ,
$rule , $rule ,
); );
@ -2506,7 +2538,7 @@ sub process_rules( $ ) {
clear_comment; clear_comment;
} }
$section = 'DONE'; $section = 'DEFAULTACTION';
} }
1; 1;

35
Shorewall/manpages/shorewall.conf.xml
View File

@ -96,7 +96,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -106,7 +106,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -116,7 +116,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -126,7 +126,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -153,10 +153,15 @@
<para>The value applied to these may be:</para> <para>The value applied to these may be:</para>
<simplelist> <simplelist>
<member>a) The name of an <member>a) The name of an <replaceable>action</replaceable>. The
<replaceable>action</replaceable>.</member> name may optionally be followed by a comma-separated list of
parameters enclosed in parentheses if the specified action accepts
parameters (e.g., 'Drop(audit)').</member>
<member>b) <emphasis role="bold">None</emphasis> or <emphasis <member>b) The name of a <replaceable>macro</replaceable>
(Shorewall 4.5.10 and Laater)</member>
<member>c) <emphasis role="bold">None</emphasis> or <emphasis
role="bold">none</emphasis></member> role="bold">none</emphasis></member>
</simplelist> </simplelist>
@ -178,6 +183,12 @@
default action will be used and the default action or macro must be default action will be used and the default action or macro must be
specified in <ulink specified in <ulink
url="shorewall-policy.html">shorewall-policy</ulink>(5).</para> url="shorewall-policy.html">shorewall-policy</ulink>(5).</para>
<para>Beginning with Shorewall 4.5.10,
<replaceable>action</replaceable> may name a macro. If you wish to
use a macro with the same name as an existing action, you may
specify the name of the macro file (e.g., <emphasis
role="bold">macro.</emphasis><replaceable>macro-name</replaceable>).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -521,7 +532,7 @@
</itemizedlist> </itemizedlist>
<blockquote> <blockquote>
<para/> <para></para>
<para>If CONFIG_PATH is not given or if it is set to the empty <para>If CONFIG_PATH is not given or if it is set to the empty
value then the contents of /usr/share/shorewall/configpath are value then the contents of /usr/share/shorewall/configpath are
@ -928,7 +939,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para/> <para></para>
<blockquote> <blockquote>
<para>If this variable is not set or is given an empty value <para>If this variable is not set or is given an empty value
@ -1138,7 +1149,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para/> <para></para>
<blockquote> <blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for <para>For example, using the default LOGFORMAT, the log prefix for
@ -1155,7 +1166,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
control your firewall after you enable this option.</para> control your firewall after you enable this option.</para>
</important> </important>
<para/> <para></para>
<caution> <caution>
<para>Do not use this option if the resulting log messages will <para>Do not use this option if the resulting log messages will
@ -1819,7 +1830,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">"</emphasis></term> role="bold">"</emphasis></term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>

30
Shorewall6/manpages/shorewall6.conf.xml
View File

@ -82,7 +82,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -92,7 +92,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -102,7 +102,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -112,7 +112,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -131,11 +131,13 @@
<para>The value applied to these may be:</para> <para>The value applied to these may be:</para>
<simplelist> <simplelist>
<member>a) The name of an <member>a) The name of an <replaceable>action</replaceable>. The
<replaceable>action</replaceable>.</member> name may optionally be followed by a comma-separated list of
parameters enclosed in parentheses if the specified action accepts
parameters (e.g., 'Drop(audit)').</member>
<member>b) The name of a <replaceable>macro</replaceable> <member>b) The name of a <replaceable>macro</replaceable>
(Shorewall6-shell only)</member> (Shorewall 4.5.10 and Laater)</member>
<member>c) <emphasis role="bold">None</emphasis> or <emphasis <member>c) <emphasis role="bold">None</emphasis> or <emphasis
role="bold">none</emphasis></member> role="bold">none</emphasis></member>
@ -159,6 +161,14 @@
default action will be used and the default action or macro must be default action will be used and the default action or macro must be
specified in <ulink specified in <ulink
url="shorewall6-policy.html">shorewall6-policy</ulink>(5).</para> url="shorewall6-policy.html">shorewall6-policy</ulink>(5).</para>
<para></para>
<para>Beginning with Shorewall 4.5.10,
<replaceable>action</replaceable> may name a macro. If you wish to
use a macro with the same name as an existing action, you may
specify the name of the macro file here (e.g., <emphasis
role="bold">macro.</emphasis><replaceable>macro-name</replaceable>).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -997,7 +1007,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para/> <para></para>
<blockquote> <blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for <para>For example, using the default LOGFORMAT, the log prefix for
@ -1014,7 +1024,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
control your firewall after you enable this option.</para> control your firewall after you enable this option.</para>
</important> </important>
<para/> <para></para>
<caution> <caution>
<para>Do not use this option if the resulting log messages will <para>Do not use this option if the resulting log messages will
@ -1613,7 +1623,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">"</emphasis></term> role="bold">"</emphasis></term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>