From 6ba1d5413b55700932cf7bba505e17120100172f Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 2 Dec 2017 10:45:06 -0800
Subject: [PATCH] Allow a protocol to be associated with an action

Signed-off-by: Tom Eastep
---
 Shorewall/Actions/action.AllowICMPs | 1 -
 Shorewall/Perl/Shorewall/Rules.pm | 53 +++++++++++++++++++++---
 Shorewall/actions.std | 19 +++++---
 Shorewall/manpages/shorewall-actions.xml | 21 ++++++++++
 Shorewall6/actions.std | 49 +++++++++++-----------
 5 files changed, 105 insertions(+), 38 deletions(-)

diff --git a/Shorewall/Actions/action.AllowICMPs b/Shorewall/Actions/action.AllowICMPs
index 566436251..83115bd69 100644
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -12,7 +12,6 @@ DEFAULTS ACCEPT
 @1 - - icmp fragmentation-needed {comment="Needed ICMP types"}
 @1 - - icmp time-exceeded {comment="Needed ICMP types"}
 ?else
- CONTINUE - - !ipv6-icmp
 ?COMMENT Needed ICMP types (RFC4890)
 @1 - - ipv6-icmp destination-unreachable
 @1 - - ipv6-icmp packet-too-big
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 3d2dd0508..886fcdd0a 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -927,6 +927,28 @@ sub process_policies()
 #
 sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
 
+#
+# Determine the protocol to be used in the jump to the passed action
+#
+sub determine_action_protocol( $$ ) {
+ my ( $action, $proto ) = @_;
+
+ if ( my $actionproto = $actions{$action}{proto} ) {
+ if ( $proto eq '-' ) {
+ $proto = $actionproto;
+ } else {
+ if ( defined( my $protonum = resolve_proto( $proto ) ) ) {
+ fatal_error( "The $action action is only usable with " . proto_name( $actionproto ) ) unless $actionproto == $protonum;
+ $proto = $protonum;
+ } else {
+ fatal_error( "Unknown protocol ($proto)" );
+ }
+ }
+ }
+
+ $proto;
+}
+
 sub add_policy_rules( $$$$$ ) {
 my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
 
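Review bot: `if ( my $actionproto = $actions{$action}{proto} )` in determine_action_protocol tests truthiness, so a protocol that resolves to 0 is treated as "no restriction" — and 0 is also the unset default assigned by `my $proto = 0;` in the -2075 hunk, tested by `unless defined( $proto = resolve_proto( $1 ) )` in the -2092 hunk and by `if $proto` in the builtin warning of the -2126 hunk. If resolve_proto can return 0 for a valid name (the `ip`/`hopopt` entry of /etc/protocols is number 0), a `proto=` option naming it is silently indistinguishable from the option being absent at every one of those sites. Storing `undef` as the default and checking `defined $actions{$action}{proto}` would close that gap; if 0 is deliberately excluded, a comment on the `if` line, `# 0 (unset) is never a usable action protocol`, should say so. The `add_policy_rules` body that follows continues outside the hunk.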
@@ -944,7 +966,11 @@ sub add_policy_rules( $$$$$ ) {
 #
 # Default action is a regular action -- jump to the action chain
 #
- add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
+ if ( ( my $proto = determine_action_protocol( $action, '-' ) ) ne '-' ) {
+ add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
+ } else {
+ add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
+ }
 } else {
 #
 # Default action is an inline
@@ -1417,13 +1443,13 @@ sub external_name( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$$$$ ) {
+sub new_action( $$$$$$ ) {
 
- my ( $action , $type, $options , $actionfile , $state ) = @_;
+ my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;
 
 fatal_error "Invalid action name($action)" if reserved_name( $action );
 
- $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state };
+ $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };
 
 $targets{$action} = $type;
 }
@@ -2049,6 +2075,7 @@ sub process_actions() {
 
 my $opts = $type == INLINE ? NOLOG_OPT : 0;
 my $state = '';
+ my $proto = 0;
 
 if ( $action =~ /:/ ) {
 warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -2065,6 +2092,8 @@ sub process_actions() {
 } else {
 fatal_error( q(The 'state' option is reserved for use in the actions.std file) );
 }
+ } elsif ( /^proto=(.+)$/ ) {
+ fatal_error "Unknown Protocol ($1)" unless defined( $proto = resolve_proto( $1 ) );
 } else {
 fatal_error "Invalid option ($_)" unless $options{$_};
 $opts |= $options{$_};
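Review bot: The new protocol lookup keys on `$action` while the jump target is built from `$paction`; add_policy_rules starts outside the hunk, so whether `$action` is the bare name derived from `$paction` cannot be confirmed here, and if it is not, `$actions{$action}{proto}` misses and the restriction is silently dropped. The branch also changes what a policy action sees, which deserves a comment: with `p => $proto` on the jump, packets of any other protocol skip the action chain entirely and continue to whatever the policy chain does next. Suggested comment above the `if`: `# A proto= action restricts the policy jump to that protocol; other protocols bypass the action and fall through to the remaining policy rules`.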
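Review bot: The new `proto => $proto` element of `$actions{$action}` in new_action is undocumented, and the one-line hash literal now carries six keys whose encodings a reader has to recover from process_actions; suggest a comment above the assignment: `# proto: protocol number the action is restricted to, 0 when unrestricted (consumed by determine_action_protocol)`. The 0-means-unset convention comes from the `my $proto = 0;` default in the -2075 hunk rather than from anything visible here, which is why it is worth writing down at the definition.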
@@ -2097,6 +2126,8 @@ sub process_actions() {
 }
 
 if ( $opts & BUILTIN_OPT ) {
+ warning_message( "The 'proto' option has no effect when specified on a builtin action" ) if $proto;
+
 my $actiontype = USERBUILTIN | OPTIONS;
 $actiontype |= MANGLE_TABLE if $opts & MANGLE_OPT;
 $actiontype |= RAW_TABLE if $opts & RAW_OPT;
@@ -2129,7 +2160,7 @@ sub process_actions() {
 
 fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
 
- new_action ( $action, $type, $opts, $actionfile , $state );
+ new_action ( $action, $type, $opts, $actionfile , $state , $proto );
 }
 }
 }
@@ -3012,6 +3043,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 my $actionchain; # Name of the action chain
 
 if ( $actiontype & ACTION ) {
+ #
+ # Verify action 'proto', if any
+ #
+ $proto = determine_action_protocol( $basictarget, $proto );
 #
 # Save NAT-oriented column contents
 #
@@ -4736,6 +4771,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 function => sub() {
 fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE;
 #
+ # Verify action 'proto', if any
+ #
+ $proto = determine_action_protocol( $cmd, $proto );
+ #
 # Create the action:level:tag:param tuple.
 #
 my $normalized_target = normalize_action( $cmd, '', $params );
@@ -5694,6 +5733,10 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 if ( $actiontype & ACTION ) {
 fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
 #
+ # Verify action 'proto', if any
+ #
+ $proto = determine_action_protocol( $target, $proto );
+ #
 # Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
 # the interface name in the log tag
 #
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index a7648dad4..343e6cab1 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
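Review bot: `$proto = determine_action_protocol( $basictarget, $proto );` in process_rule sits inside `if ( $actiontype & ACTION )`, so invocations that are expanded inline (presumably handled by a sibling branch — process_rule starts outside the hunk) never reach the check, and the same shape is used in the -4771 and -5733 hunks. The manpage hunk in this commit says the option has no effect for two option kinds while actions.std in the same commit attaches proto=6 to several `inline` actions, so a reader of this code cannot tell whether the gap is intended or an oversight. A comment on the new lines, `# proto= is enforced only for regular (jump) actions; inline expansions are not checked here`, would settle that, and if enforcement is meant to cover inline use the call belongs before the branch.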
@@ -26,18 +26,19 @@ Broadcast inline,audit # Handles Broadcast/Anycast
 ?else
 Broadcast noinline,audit # Handles Broadcast/Anycast
 ?endif
-DNSAmp # Matches one-question recursive DNS queries
+DNSAmp proto=17 # Matches one-question recursive DNS queries
 Drop # Default Action for DROP policy (deprecated)
 dropBcast inline # Silently Drop Broadcast
 dropBcasts inline # Silently Drop Broadcast
 dropInvalid inline # Drops packets in the INVALID conntrack state
 dropMcast inline # Silently Drop Multicast
-dropNotSyn noinline # Silently Drop Non-syn TCP packets
-DropDNSrep inline # Drops DNS replies
+dropNotSyn noinline,proto=6 # Silently Drop Non-syn TCP packets
+DropDNSrep inline,proto=17 # Drops DNS replies
 DropSmurfs noinline # Drop smurf packets
 Established inline,\ # Handles packets in the ESTABLISHED state
 state=ESTABLISHED #
-FIN inline,audit # Handles ACK,FIN,PSH packets
+FIN inline,audit,\ # Handles ACK,FIN,PSH packets
+ proto=6
 forwardUPnP noinline # Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS inline # Handles GlusterFS
 IfEvent noinline # Perform an action based on an event
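Review bot: `DNSAmp proto=17`, `dropNotSyn noinline,proto=6` and the other proto= entries here make any existing rule that invokes one of these actions with a different PROTO a compile-time fatal error (the mismatch `fatal_error` in determine_action_protocol), where before this commit no such check existed; the same applies to the -50 hunk and to the Shorewall6/actions.std hunk. That is a deliberate tightening, but it first surfaces as a compile failure on upgrade, so a header comment in this file, e.g. `# proto=N restricts the action to protocol N; invoking it with another PROTO is a fatal error`, would help users reading the failure. Entries such as FIN and NotSyn now span two lines via `\`, while dropNotSyn puts `noinline,proto=6` on one line; picking one form for the proto= additions would keep the file easier to scan.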
@@ -50,14 +51,16 @@ Multicast inline,audit # Handles Multicast
 Multicast noinline,audit # Handles Multicast
 ?endif
 New inline,state=NEW # Handles packets in the NEW conntrack state
-NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0
-rejNotSyn noinline # Silently Reject Non-syn TCP packets
+NotSyn inline,audit,\ # Handles TCP packets which do not have SYN=1 and ACK=0
+ proto=6
+rejNotSyn noinline,proto=6 # Silently Reject Non-syn TCP packets
 Reject # Default Action for REJECT policy (deprecated)
 Related inline,\ # Handles packets in the RELATED conntrack state
 state=RELATED #
 ResetEvent inline # Reset an Event
-RST inline,audit # Handle packets with RST set
+RST inline,audit,\ # Handle packets with RST set
+ proto=6
 SetEvent inline # Initialize an event
-TCPFlags # Handle bad flag combinations.
+TCPFlags proto=6 # Handle bad flag combinations.
 Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
 state=UNTRACKED #
diff --git a/Shorewall/manpages/shorewall-actions.xml b/Shorewall/manpages/shorewall-actions.xml
index d7b86c8d7..866478c79 100644
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -191,6 +191,27 @@
+
+ =protocol
+
+
+ Added in Shorewall 5.1.10. Specifies that the action is
+ only usable with the specified
+ protocol (name or number). When the
+ action is invoked with no protocol specified in the PROTO
+ column, or if the action is used as a Policy Action, the named
+ protocol will be assumed. If a
+ protocol is specified in the PROTO column of an invocation,
+ then it must match the named
+ protocol.
+
+ The option has no effect if the
+ or option is
+ specified. A warning is issued if is
+ specified along with .
+
+
+
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index 922ee8de1..239aa113e 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -8,42 +8,43 @@
 #
 ###############################################################################
 #ACTION
-A_Drop # Audited Default Action for DROP policy
-A_Reject # Audited Default Action for REJECT policy
-A_AllowICMPs # Audited Accept needed ICMP6 types
-AllowICMPs # Accept needed ICMP6 types
+A_Drop # Audited Default Action for DROP policy
+A_Reject # Audited Default Action for REJECT policy
+A_AllowICMPs proto=58 # Audited Accept needed ICMP6 types
+AllowICMPs proto=58 # Accept needed ICMP6 types
 allowBcast inline # Silently Allow Broadcast
 allowInvalid inline # Accepts packets in the INVALID conntrack state
 allowMcast inline # Silently Allow Multicast
-AutoBL noinline # Auto-blacklist IPs that exceed thesholds
-AutoBLL noinline # Helper for AutoBL
+AutoBL noinline # Auto-blacklist IPs that exceed thesholds
+AutoBLL noinline # Helper for AutoBL
 BLACKLIST logjump,section # Add sender to the dynamic blacklist
-Broadcast noinline # Handles Broadcast/Anycast
-Drop # Default Action for DROP policy (deprecated)
+Broadcast noinline # Handles Broadcast/Anycast
+Drop # Default Action for DROP policy (deprecated)
 dropBcast inline # Silently Drop Broadcast
 dropBcasts inline # Silently Drop Broadcast
 dropInvalid inline # Drops packets in the INVALID conntrack state
 dropMcast inline # Silently Drop Multicast
-dropNotSyn noinline # Silently Drop Non-syn TCP packets
-DropDNSrep inline # Drops DNS replies
-DropSmurfs noinline # Handles packets with a broadcast source address
+dropNotSyn noinline,proto=6 # Silently Drop Non-syn TCP packets
+DropDNSrep inline,proto=17 # Drops DNS replies
+DropSmurfs noinline # Handles packets with a broadcast source address
 Established inline,\ # Handles packets in the ESTABLISHED state
 state=ESTABLISHED
-FIN inline,audit # Handles ACK,FIN,PSH packets
+FIN inline,audit,\ # Handles ACK,FIN,PSH packets
+ proto=6
 forwardUPnP noinline # Allow traffic that upnpd has redirected from 'upnp' interfaces.
-IfEvent noinline # Perform an action based on an event
-Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
- state=INVALID
-Multicast noinline # Handles Multicast
+IfEvent noinline # Perform an action based on an event
+Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
+ state=INVALID
+Multicast noinline # Handles Multicast
 New inline,state=NEW # Handles packets in the NEW conntrack state
-NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0
-Reject # Default Action for REJECT policy (deprecated)
-rejNotSyn noinline # Silently Reject Non-syn TCP packets
-Related inline,\ # Handles packets in the RELATED conntrack state
- state=RELATED
+NotSyn inline,proto=6 # Handles TCP packets that do not have SYN=1 and ACK=0
+Reject # Default Action for REJECT policy (deprecated)
+rejNotSyn noinline,proto=6 # Silently Reject Non-syn TCP packets
+Related inline,\ # Handles packets in the RELATED conntrack state
+ state=RELATED
 ResetEvent inline # Reset an Event
-RST inline # Handle packets with RST set
+RST inline,proto=6 # Handle packets with RST set
 SetEvent inline # Initialize an event
-TCPFlags # Handles bad flags combinations
-Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
+TCPFlags proto=6 # Handles bad flags combinations
+Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
 state=UNTRACKED