Shorewall 2.2.0 Beta 1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1714 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-10-24 21:23:15 +00:00
parent 30bf899901
commit 6b28b09037
6 changed files with 283 additions and 66 deletions


@ -47,9 +47,12 @@
# Format the same as the SOURCE column. # Format the same as the SOURCE column.
# #
# PROTOCOL A protocol name (from /etc/protocols), a protocol # PROTOCOL A protocol name (from /etc/protocols), a protocol
# number. # number, or "ipp2p"
# #
# DEST PORT Destination Port number # DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then
# this column must contain an ipp2p option ("iptables -m
# ipp2p --help") without the leading "--". If no option
# is given in this column, "ipp2p" is assumed.
# #
# Service name from /etc/services or port number. May # Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6 # only be specified if the protocol is TCP or UDP (6


@ -24,7 +24,9 @@
# spi=<number> where <number> is the SPI of # spi=<number> where <number> is the SPI of
# the SA used to encrypt/decrypt packets. # the SA used to encrypt/decrypt packets.
# #
# proto=ah|esp|ipcomp # proto=ah|esp|ipcomp
#
# mss=<number> (sets the MSS field in TCP packets)
# #
# mode=transport|tunnel # mode=transport|tunnel
# #
@ -49,7 +51,7 @@
# #
# If you wish to leave a column empty but need to make an entry # If you wish to leave a column empty but need to make an entry
# in a following column, use "-". # in a following column, use "-".
################################################################################ ###################################################################################
#ZONE IPSEC OPTIONS IN OUT #ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS # ONLY OPTIONS OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -130,6 +130,18 @@ LOGTAGONLY=No
LOGRATE= LOGRATE=
LOGBURST= LOGBURST=
#
# LOG ALL NEW
#
# This option should only be used when you are trying to analyze a problem.
# It causes all packets in the Netfilter NEW state to be logged as the
# first rule in each builtin chain. To use this option, set LOGALLNEW to
# the log level that you want these packets logged at (e.g.,
# LOGALLNEW=debug).
#
LOGALLNEW=
# #
# BLACKLIST LOG LEVEL # BLACKLIST LOG LEVEL
# #


@ -29,6 +29,22 @@
# determined by the setting of MARK_IN_FORWARD_CHAIN in # determined by the setting of MARK_IN_FORWARD_CHAIN in
# /etc/shorewall/shorewall.conf. # /etc/shorewall/shorewall.conf.
# #
# If your kernel and iptables include CONNMARK support
# then you can also mark the connection rather than
# the packet.
#
# The mark value may be optionally followed by "/"
# and a mask value (used to determine those bits of
# the connection mark to actually be set). The
# mark and optional mask are then followed by one of:
#
# C - Mark the connection in the chain determined
# by the setting of MARK_IN_FORWARD_CHAIN
#
# CF: Mark the conneciton in the FORWARD chain
#
# CP: Mark the connection in the PREROUTING chain.
#
# b) A classification of the form <major>:<minor> where # b) A classification of the form <major>:<minor> where
# <major> and <minor> are integers. Corresponds to # <major> and <minor> are integers. Corresponds to
# the 'class' specification in these traffic shaping # the 'class' specification in these traffic shaping
@ -41,7 +57,21 @@
# - htb # - htb
# - prio # - prio
# #
# Marking always occurs in the POSTROUTING chain. # Classify always occurs in the POSTROUTING chain.
#
# c) RESTORE[/mask] -- restore the packet's mark from the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# As in a) above, may be followed by ":P" or ":F
#
# c) SAVE[/mask] -- save the packet's mark to the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# As in a) above, may be followed by ":P" or ":F
#
# d) CONTINUE -- don't process any more marking rules in
# the table. As in a) above, may be followed by ":P" or
# ":F".
# #
# SOURCE Source of the packet. A comma-separated list of # SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses # interface names, IP addresses, MAC addresses
@ -62,14 +92,20 @@
# iptables include iprange match support, IP address # iptables include iprange match support, IP address
# ranges are also allowed. # ranges are also allowed.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# or "all". # a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
# #
# PORT(S) Destination Ports. A comma-separated list of Port # PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no PORT is given, "ipp2p" is
# assumed.
#
# This column is ignored if PROTOCOL = all but must be # This column is ignored if PROTOCOL = all but must be
# entered if any of the following field is supplied. # entered if any of the following field is supplied.
# In that case, it is suggested that this field contain # In that case, it is suggested that this field contain
@ -92,9 +128,21 @@
# [<user name or number>]:[<group name or number>] # [<user name or number>]:[<group name or number>]
# #
# The colon is optionnal when specifying only a user. # The colon is optionnal when specifying only a user.
# Examples : john: / john / :users / john:users # Examples : john: / john / :users / john:users
# #
# TEST Defines a test on the existing packet or connection mark.
# The rule will match only if the test returns true. Tests
# have the format [!]<value>[/<mask>][:C]
#
# Where:
#
# ! Inverts the test (not equal)
# <value> Value of the packet or connection mark.
# <mask> A mask to be applied to the mark before
# testing
# :C Designates a connection mark. If omitted,
# the packet mark's value is tested.
############################################################################## ##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S) # PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -765,6 +765,17 @@ find_hosts() # $1 = host zone
done < $TMP_DIR/hosts done < $TMP_DIR/hosts
} }
#
# Check for duplicate zone definitions
#
check_duplicate_zones() {
local localzones=
for zone in $zones; do
list_search $zone $localzones && startup_error "Zone $zone is defined more than once"
localzones="$localzones $zone"
done
}
# #
# Determine the interfaces on the firewall # Determine the interfaces on the firewall
# #
@ -1241,7 +1252,7 @@ run_user_exit() # $1 = file name
# #
# Add a logging rule. # Add a logging rule.
# #
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $... = predicates for the rule log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
{ {
local level=$1 local level=$1
local chain=$2 local chain=$2
@ -1250,10 +1261,11 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
local rulenum= local rulenum=
local limit="${5:-$LOGLIMIT}" local limit="${5:-$LOGLIMIT}"
local tag=${6:+$6 } local tag=${6:+$6 }
local command=${7:--A}
local prefix local prefix
local base=$(chain_base $displayChain) local base=$(chain_base $displayChain)
shift;shift;shift;shift;shift shift;shift;shift;shift;shift;shift;shift
if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
displayChain=$tag displayChain=$tag
@ -1280,10 +1292,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
case $level in case $level in
ULOG) ULOG)
iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;; ;;
*) *)
iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
;; ;;
esac esac
@ -1300,7 +1312,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
shift;shift;shift shift;shift;shift
log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" $@ log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
} }
# #
@ -1733,32 +1745,71 @@ setup_tunnels() # $1 = name of tunnels file
done < $TMP_DIR/tunnels done < $TMP_DIR/tunnels
} }
#
# Process the ipsec file
#
setup_ipsec() { setup_ipsec() {
#
# Add a --set-mss rule to the passed chain
#
set_mss1() # $1 = chain, $2 = MSS
{
eval local policy=\$${1}_policy
if [ "$policy" != NONE ]; then
ensurechain $1
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
fi
}
#
# Set up rules to set MSS to and/or from zone "$zone"
#
set_mss() # $1 = MSS value, $2 = _in, _out or ""
{
if [ $COMMAND != check ]; then
for z in $zones; do
case $2 in
_in)
set_mss1 ${zone}2${z} $1
;;
_out)
set_mss1 ${z}2${zone} $1
;;
*)
set_mss1 ${z}2${zone} $1
set_mss1 ${zone}2${z} $1
;;
esac
done
fi
}
do_options() # $1 = _in, _out or "" - $2 = option list do_options() # $1 = _in, _out or "" - $2 = option list
{ {
local option opts newoptions= local option opts newoptions= val
[ x${2} = x- ] && return [ x${2} = x- ] && return
opts=$(separate_list $2) opts=$(separate_list $2)
for option in $opts; do for option in $opts; do
val=${option#*=}
case $option in case $option in
mss=[0-9]*) set_mss $val $1 ;;
strict) newoptions="$newoptions --strict" ;; strict) newoptions="$newoptions --strict" ;;
next) newoptions="$newoptions --next" ;; next) newoptions="$newoptions --next" ;;
reqid=*) newoptions="$newoptions --reqid ${option#*=}" ;; reqid=*) newoptions="$newoptions --reqid $val" ;;
spi=*) newoptions="$newoptions --spi ${option#*=}" ;; spi=*) newoptions="$newoptions --spi $val" ;;
proto=*) newoptions="$newoptions --proto ${option#*=}" ;; proto=*) newoptions="$newoptions --proto $val" ;;
mode=*) newoptions="$newoptions --mode ${option#*=}" ;; mode=*) newoptions="$newoptions --mode $val" ;;
tunnel-src=*) newoptions="$newoptions --tunnel-src ${option#*=}" ;; tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;;
tunnel-dst=*) newoptions="$newoptions --tunnel-dst ${option#*=}" ;; tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;;
reqid!=*) newoptions="$newoptions ! --reqid ${option#*=}" ;; reqid!=*) newoptions="$newoptions ! --reqid $val" ;;
spi!=*) newoptions="$newoptions ! --spi ${option#*=}" ;; spi!=*) newoptions="$newoptions ! --spi $val" ;;
proto!=*) newoptions="$newoptions ! --proto ${option#*=}" ;; proto!=*) newoptions="$newoptions ! --proto $val" ;;
mode!=*) newoptions="$newoptions ! --mode ${option#*=}" ;; mode!=*) newoptions="$newoptions ! --mode $val" ;;
tunnel-src!=*) newoptions="$newoptions ! --tunnel-src ${option#*=}" ;; tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;;
tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst ${option#*=}" ;; tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;;
*) fatal_error "Invalid option \"$option\" for zone $zone" ;; *) fatal_error "Invalid option \"$option\" for zone $zone" ;;
esac esac
done done
@ -1771,8 +1822,8 @@ setup_ipsec() {
strip_file ipsec $1 strip_file ipsec $1
while read zone ipsec options in_options out_options; do while read zone ipsec options in_options out_options mss; do
expandv zone ipsec options in_options out_options expandv zone ipsec options in_options out_options mss
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
@ -1793,7 +1844,7 @@ setup_ipsec() {
do_options "" $options do_options "" $options
do_options "_in" $in_options do_options "_in" $in_options
do_options "_out" $out_options do_options "_out" $out_options
done < $TMP_DIR/ipsec done < $TMP_DIR/ipsec
} }
@ -2242,7 +2293,7 @@ setup_ecn() # $1 = file name
# #
process_tc_rule() process_tc_rule()
{ {
chain=$MARKING_CHAIN chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
verify_designator() { verify_designator() {
[ "$chain" = tcout ] && \ [ "$chain" = tcout ] && \
@ -2292,11 +2343,20 @@ process_tc_rule()
esac esac
fi fi
[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
[ "x$dest" = "x-" ] || r="${r}$(dest_ip_range $dest) " [ "x$dest" = "x-" ] || r="${r}$(dest_ip_range $dest) "
[ "x$proto" = "x-" ] && proto=all
[ "x$proto" = "x" ] && proto=all if [ "x$proto" = xipp2p ]; then
[ "$proto" = "all" ] || r="${r}-p $proto " [ "x$port" = "x-" ] && port="ipp2p"
[ "x$port" = "x-" ] || r="${r}--dport $port " r="${r}-p tcp -m ipp2p --${port} "
else
[ "x$proto" = "x-" ] && proto=all
[ "x$proto" = "x" ] && proto=all
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port "
fi
[ "x$sport" = "x-" ] || r="${r}--sport $sport " [ "x$sport" = "x-" ] || r="${r}--sport $sport "
case $chain in case $chain in
@ -2304,7 +2364,7 @@ process_tc_rule()
run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark
;; ;;
*) *)
run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark run_iptables2 -t mangle -A $chain $r -j $target $mark
;; ;;
esac esac
@ -2315,16 +2375,71 @@ process_tc_rule()
p|P) p|P)
verify_designator tcpre verify_designator tcpre
;; ;;
cp|CP)
verify_designator tcpre
target="CONNMARK --set-mark"
;;
f|F) f|F)
verify_designator tcfor verify_designator tcfor
;; ;;
cf|CF)
verify_designator tcfor
target="CONNMARK --set-mark"
;;
c|C)
target="CONNMARK --set-mark"
mark=${mark%:*}
;;
*) *)
chain=tcpost chain=tcpost
;; ;;
esac esac
fi fi
case $mark in
SAVE)
target="CONNMARK --save-mark"
mark=
;;
SAVE/*)
target="CONNMARK --save-mark --mask"
mark=${mark#*/}
;;
RESTORE)
target="CONNMARK --restore-mark"
mark=
;;
RESTORE/*)
target="CONNMARK --restore-mark --mask"
mark=${mark#*/}
;;
CONTINUE)
target=RETURN
mark=
;;
esac
case $testval in
-)
;;
!*:C)
marktest="connmark ! "
testval=${testval%:*}
testval=${testval#!}
;;
*:C)
marktest="connmark "
testval=${testval%:*}
;;
!*)
marktest="mark ! "
testval=${testval#!}
;;
*)
[ -n "$testval" ] && marktest="mark "
;;
esac
for source in $(separate_list ${sources:=-}); do for source in $(separate_list ${sources:=-}); do
for dest in $(separate_list ${dests:=-}); do for dest in $(separate_list ${dests:=-}); do
for port in $(separate_list ${ports:=-}); do for port in $(separate_list ${ports:=-}); do
@ -2355,9 +2470,9 @@ setup_tc1() {
# #
strip_file tcrules strip_file tcrules
while read mark sources dests proto ports sports user; do while read mark sources dests proto ports sports user testval; do
expandv mark sources dests proto ports sports user expandv mark sources dests proto ports sports user testval
rule=$(echo "$mark $sources $dests $proto $ports $sports $user") rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval")
process_tc_rule process_tc_rule
done < $TMP_DIR/tcrules done < $TMP_DIR/tcrules
# #
@ -2506,6 +2621,10 @@ process_accounting_rule() {
[ -n "$proto" ] && case $proto in [ -n "$proto" ] && case $proto in
-|any|all) -|any|all)
;; ;;
ipp2p)
rule="$rule -p tcp -m ipp2p --${port:-ipp2p}"
port=
;;
*) *)
rule="$rule -p $proto" rule="$rule -p $proto"
;; ;;
@ -2631,6 +2750,7 @@ check_config() {
echo "Determining Zones..." echo "Determining Zones..."
determine_zones determine_zones
check_dupliate_zones
[ -z "$zones" ] && startup_error "ERROR: No Zones Defined" [ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
@ -2859,7 +2979,7 @@ add_an_action()
for serv1 in $(separate_list $serv); do for serv1 in $(separate_list $serv); do
for srv in $(firewall_ip_range $serv1); do for srv in $(firewall_ip_range $serv1); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \ log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \
$(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports) $(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports)
fi fi
@ -2869,7 +2989,7 @@ add_an_action()
done done
else else
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \ log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dest_interface $dports) $(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
fi fi
@ -3379,8 +3499,8 @@ process_actions3() {
;; ;;
*) *)
if [ -n "$xlevel" ]; then if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -m pkttype --pkt-type multicast log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
fi fi
;; ;;
esac esac
@ -3394,7 +3514,7 @@ process_actions3() {
;; ;;
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -d $address log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address
;; ;;
esac esac
@ -3411,8 +3531,8 @@ process_actions3() {
;; ;;
*) *)
if [ -n "$xlevel" ]; then if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type multicast log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
fi fi
;; ;;
esac esac
@ -3426,7 +3546,7 @@ process_actions3() {
;; ;;
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -d $address log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address
;; ;;
esac esac
@ -3440,28 +3560,28 @@ process_actions3() {
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP run_iptables -A $xchain -p tcp ! --syn -j DROP
fi fi
;; ;;
dropNotSyn) dropNotSyn)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP run_iptables -A $xchain -p tcp ! --syn -j DROP
fi fi
;; ;;
rejNotSyn) rejNotSyn)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
fi fi
;; ;;
dropInvalid) dropInvalid)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -m state --state INVALID log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j DROP run_iptables -A $xchain -m state --state INVALID -j DROP
fi fi
;; ;;
@ -3612,7 +3732,7 @@ add_nat_rule() {
else else
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \ log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -A -t nat \
$(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports) $(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports)
fi fi
@ -3643,7 +3763,7 @@ add_nat_rule() {
done done
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat
fi fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
@ -3651,7 +3771,7 @@ add_nat_rule() {
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
ensurenatchain $chain ensurenatchain $chain
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat \ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \
$(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports) $(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports)
fi fi
@ -3806,6 +3926,12 @@ add_a_rule()
fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\"" fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
proto= proto=
;; ;;
ipp2p)
sport="-m ipp2p --${port:-ipp2p}"
port=
proto=tcp
do_ports
;;
*) *)
[ -n "$port" ] && \ [ -n "$port" ] && \
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
@ -3858,7 +3984,7 @@ add_a_rule()
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
$userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
fi fi
@ -3867,7 +3993,7 @@ add_a_rule()
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
fi fi
@ -3883,7 +4009,7 @@ add_a_rule()
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dports) $(fix_bang $proto $sports $multiport $cli $dports)
fi fi
@ -3907,7 +4033,7 @@ add_a_rule()
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports) $(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
fi fi
@ -4823,12 +4949,12 @@ setup_masq()
source="$networks" source="$networks"
case $networks in case $source in
*.*.*) *.*.*)
;; ;;
*) *)
networks=$(get_routed_networks $networks) networks=$(get_routed_networks $networks)
[ -z "$networks" ] && fatal_error "Unable to determine the routes through interface $networks" [ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\""
networks="$networks" networks="$networks"
;; ;;
esac esac
@ -5387,6 +5513,7 @@ initialize_netfilter () {
echo "Determining Zones..." echo "Determining Zones..."
determine_zones determine_zones
check_duplicate_zones
[ -z "$zones" ] && startup_error "No Zones Defined" [ -z "$zones" ] && startup_error "No Zones Defined"
@ -6083,6 +6210,7 @@ activate_rules()
fi fi
} }
# #
# Add jumps to early SNAT chains # Add jumps to early SNAT chains
# #
@ -6112,19 +6240,20 @@ activate_rules()
# Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain. # Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain.
# #
for zone in $zones; do for zone in $zones; do
if eval test -n \$${zone}_is_complex ; then if eval test -n \"\$${zone}_is_complex\" ; then
frwd_chain=${zone}_frwd frwd_chain=${zone}_frwd
createchain $frwd_chain No createchain $frwd_chain No
if [ -n "$POLICY_MATCH" ]; then if [ -n "$POLICY_MATCH" ]; then
eval source_hosts=\$${zone}_hosts eval is_ipsec=\$${zone}_is_ipsec
[ -n "$is_ipsec" ] && eval source_hosts=\$${zone}_hosts || eval source_hosts=\$${zone}_ipsec_hosts
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%%:*} interface=${host%%:*}
networks=${host#*:} networks=${host#*:}
is_ipsec_host $zone $host && \ run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
done done
fi fi
fi fi
@ -6138,6 +6267,8 @@ activate_rules()
eval complex=\$${zone}_is_complex eval complex=\$${zone}_is_complex
[ -n "$complex" ] && frwd_chain=${zone}_frwd
if [ -n "$DYNAMIC_ZONES" ]; then if [ -n "$DYNAMIC_ZONES" ]; then
echo $zone $source_hosts >> ${STATEDIR}/zones echo $zone $source_hosts >> ${STATEDIR}/zones
echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$FW $zone $chain1" >> ${STATEDIR}/chains
@ -6288,6 +6419,26 @@ activate_rules()
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -D $chain -p udp --dport 53 -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT
done done
if [ -n "$LOGALLNEW" ]; then
for table in mangle nat filter; do
case $table in
mangle)
chains="PREROUTING INPUT FORWARD POSTROUTING"
;;
nat)
chains="PREROUTING POSTROUTING OUTPUT"
;;
*)
chains="INPUT FORWARD OUTPUT"
;;
esac
for chain in $chains; do
log_rule_limit $LOGALLNEW $chain $table $chain "" "" -I -m state --state NEW -t $table
done
done
fi
} }
# #
@ -6869,6 +7020,7 @@ do_initialize() {
RETAIN_ALIASES= RETAIN_ALIASES=
DELAYBLACKLISTLOAD= DELAYBLACKLISTLOAD=
LOGTAGONLY= LOGTAGONLY=
LOGALLNEW=
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=
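Review bot: The new call inserted into check_config (hunk @ -2631) is spelled `check_dupliate_zones`, while the function added at @ -765 is `check_duplicate_zones` (the initialize_netfilter call at @ -5387 uses the correct name), so a `shorewall check` run will stop with a command-not-found error before the duplicate-zone test ever runs; the line should read `check_duplicate_zones`. check_config itself starts and ends outside the hunk. A second risk sits in the log_rule_limit hunk (@ -1250): the new `local command=${7:--A}` plus the seventh `shift` means any caller that still passes predicates directly after the log tag will have its first predicate swallowed as the iptables command; every caller visible in this diff was updated to pass `-A` or `-I`, but call sites outside the diff cannot be checked from here. In check_duplicate_zones, `for zone in $zones` also reuses the script-wide `zone` variable; adding `local zone` alongside `local localzones=` would keep the helper from clobbering it.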

View File

@ -1 +1 @@
2.1.11 2.2.0-Beta1