diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 479986dd8..c84a4c1ac 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -52,9 +52,11 @@ our @EXPORT = qw(
 decr_cmd_level
 new_chain
 new_manual_chain
+ensure_filter_chain
 ensure_manual_chain
 ensure_audit_chain
 require_audit
+newlogchain
 log_rule_limit
 dont_optimize
 dont_delete
@@ -139,7 +141,6 @@ our %EXPORT_TAGS = (
 new_standard_chain
 new_builtin_chain
 new_nat_chain
-ensure_filter_chain
 optimize_chain
 check_optimization
 optimize_ruleset
diff --git a/Shorewall/action.DropSmurfs b/Shorewall/action.DropSmurfs
new file mode 100644
index 000000000..5b818d4e5
--- /dev/null
+++ b/Shorewall/action.DropSmurfs
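Review bot: Removing `ensure_filter_chain` from the `%EXPORT_TAGS` list in the second hunk means any module that imports it through that tag (the tag name sits above the hunk and is not visible here) rather than through the default `@EXPORT` list will stop receiving the symbol; worth grepping the other Shorewall::* modules for that tag before merging. Adding `newlogchain` to `@EXPORT` in the first hunk is consistent with both new action files calling it alongside `ensure_filter_chain`. Both the `@EXPORT` list and the `%EXPORT_TAGS` hash start and end outside these hunks.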
@@ -0,0 +1,82 @@
+#
+# Shorewall version 4 - Drop Smurfs Action
+#
+# /usr/share/shorewall/action.DropSmurfs
+#
+# Accepts a single optional parameter:
+#
+# - = Do not Audit
+# audit = Audit dropped packets.
+#
+#################################################################################
+FORMAT 2
+
+DEFAULTS -
+
+BEGIN PERL;
+use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $audit ) = get_action_params( 1 );
+
+my $chainref = get_action_chain;
+my ( $level, $tag ) = get_action_logging;
+
+if ( $level ne '-' || $audit ne '-' ) {
+ my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
+
+ log_rule_limit( $level,
+ $logchainref,
+ $chainref->{name},
+ $disposition,
+ '',
+ $tag,
+ 'add',
+ '' );
+
+ if ( supplied $audit ) {
+ fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
+ require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
+ add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
+ }
+
+
+ add_ijump( $logchainref, j => 'DROP' );
+
+ $smurfdest = $logchainref;
+}
+
+if ( have_capability( 'ADDRTYPE' ) ) {
+ if ( $family == F_IPV4 ) {
+ add_ijump $chainref , j => 'RETURN', s => '0.0.0.0'; ;
+ } else {
+ add_ijump $chainref , j => 'RETURN', s => '::';
+ }
+
+ add_ijump( $chainref, g => $smurfdest, addrtype => '--src-type BROADCAST' ) ;
+} else {
+ if ( $family == F_IPV4 ) {
+ add_commands $chainref, 'for address in $ALL_BCASTS; do';
+ } else {
+ add_commands $chainref, 'for address in $ALL_ACASTS; do';
+ }
+
+ incr_cmd_level $chainref;
+ add_ijump( $chainref, g => $smurfdest, s => '$address' );
+ decr_cmd_level $chainref;
+ add_commands $chainref, 'done';
+}
+
+if ( $family == F_IPV4 ) {
+ add_ijump( $chainref, g => $smurfdest, s => '224.0.0.0/4' );
+} else {
+ add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
+}
+
+END PERL;
+
+
+
+
+
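Review bot: `$smurfdest` is only assigned inside the `if ( $level ne '-' || $audit ne '-' )` block, so when neither logging nor auditing is requested every `g => $smurfdest` jump below is built from an undefined target, and `$disposition` (passed to `log_rule_limit` and lowercased for the AUDIT type) is never set anywhere in this action — it reads as pasted from TCPFlags. Declare `my $smurfdest = 'DROP';` before the `if`, and replace the two `$disposition` uses with the literal, i.e. `'DROP',` in the `log_rule_limit` call and `j => 'AUDIT --type drop'` in the audit branch. `log_rule_limit` is also called when `$level` is `'-'` and only `audit` was given; unless it ignores a `'-'` level itself, guard it with `if $level ne '-'`. The `s => '0.0.0.0'` RETURN line ends in `; ;`, a harmless empty statement that should be a single `;`.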
diff --git a/Shorewall/action.TCPFlags b/Shorewall/action.TCPFlags
new file mode 100644
index 000000000..7405107bd
--- /dev/null
+++ b/Shorewall/action.TCPFlags
@@ -0,0 +1,65 @@
+#
+# Shorewall version 4 - Drop Smurfs Action
+#
+# /usr/share/shorewall/action.TCPFlags
+#
+# Accepts two optional parameters:
+#
+# Parameter 1: Disposition (default DROP).
+# Must be ACCEPT, REJECT or DROP
+# Parameter 2: Auditing
+# - = Do not Audit
+# audit = Audit ACCEPT, REJECT or DROP.
+#
+#################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::Chains;
+
+
+my ( $disposition, $audit ) = get_action_params( 2 );
+
+my $chainref = get_action_chain;
+my ( $level, $tag ) = get_action_logging;
+
+fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
+
+if ( $level ne '-' || $audit ne '-' ) {
+ my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
+
+ log_rule_limit( $level,
+ $logchainref,
+ $chainref->{name},
+ $disposition,
+ '',
+ $tag,
+ 'add',
+ '' ) if $level;
+
+ if ( supplied $audit ) {
+ fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
+ require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
+ add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
+ }
+
+ add_ijump( $logchainref, g => $disposition );
+
+ $disposition = $logchainref;
+}
+
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
+add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
+
+END PERL;
+
+
+
+
+
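Review bot: The audit branch still reports `Invalid argument ($audit) to DropSmurfs` and the header comment says `Drop Smurfs Action`; both should name TCPFlags so a user's error points at the action they actually invoked. The guard `if $level` on the `log_rule_limit` call is ineffective, because the default level is the string `'-'`, which is true in Perl, so a log rule is attempted even when only `audit` was given — it should read `if $level ne '-'` (action.DropSmurfs makes the same call with no guard at all). The disposition check `/^(ACCEPT|REJECT|DROP)$/` would also accept a value with a trailing newline; `\A` and `\z` anchors are the stricter form.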
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index 64e24bf8f..fcb7a30ae 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -37,6 +37,8 @@ A_Drop # Audited Default Action for DROP policy
 A_Reject # Audited Default action for REJECT policy
 Broadcast # Handles Broadcast/Multicast/Anycast
 Drop # Default Action for DROP policy
+DropSmurfs # Drop smurf packets
 Invalid # Handles packets in the INVALID conntrack state
 NotSyn # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject # Default Action for REJECT policy
+TCPFlags # Handle bad flag combinations.