holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Allow a protocol to be associated with an action

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2017-12-02 10:45:06 -08:00
parent 4fc572f664
commit 6ba1d5413b
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
5 changed files with 105 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Shorewall/Actions/action.AllowICMPs
View File

@ -12,7 +12,6 @@ DEFAULTS ACCEPT
@1 - - icmp fragmentation-needed {comment="Needed ICMP types"} @1 - - icmp fragmentation-needed {comment="Needed ICMP types"}
@1 - - icmp time-exceeded {comment="Needed ICMP types"} @1 - - icmp time-exceeded {comment="Needed ICMP types"}
?else ?else
CONTINUE - - !ipv6-icmp
?COMMENT Needed ICMP types (RFC4890) ?COMMENT Needed ICMP types (RFC4890)
@1 - - ipv6-icmp destination-unreachable @1 - - ipv6-icmp destination-unreachable
@1 - - ipv6-icmp packet-too-big @1 - - ipv6-icmp packet-too-big

51
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -927,6 +927,28 @@ sub process_policies()
# #
sub process_inline ($$$$$$$$$$$$$$$$$$$$$$); sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
#
# Determine the protocol to be used in the jump to the passed action
#
sub determine_action_protocol( $$ ) {
my ( $action, $proto ) = @_;
if ( my $actionproto = $actions{$action}{proto} ) {
if ( $proto eq '-' ) {
$proto = $actionproto;
} else {
if ( defined( my $protonum = resolve_proto( $proto ) ) ) {
fatal_error( "The $action action is only usable with " . proto_name( $actionproto ) ) unless $actionproto == $protonum;
$proto = $protonum;
} else {
fatal_error( "Unknown protocol ($proto)" );
}
}
}
$proto;
}
sub add_policy_rules( $$$$$ ) { sub add_policy_rules( $$$$$ ) {
my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_; my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
@ -944,7 +966,11 @@ sub add_policy_rules( $$$$$ ) {
# #
# Default action is a regular action -- jump to the action chain # Default action is a regular action -- jump to the action chain
# #
if ( ( my $proto = determine_action_protocol( $action, '-' ) ) ne '-' ) {
add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
} else {
add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} ); add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
}
} else { } else {
# #
# Default action is an inline # Default action is an inline
@ -1417,13 +1443,13 @@ sub external_name( $ ) {
# #
# Define an Action # Define an Action
# #
sub new_action( $$$$$ ) { sub new_action( $$$$$$ ) {
my ( $action , $type, $options , $actionfile , $state ) = @_; my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;
fatal_error "Invalid action name($action)" if reserved_name( $action ); fatal_error "Invalid action name($action)" if reserved_name( $action );
$actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state }; $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };
$targets{$action} = $type; $targets{$action} = $type;
} }
@ -2049,6 +2075,7 @@ sub process_actions() {
my $opts = $type == INLINE ? NOLOG_OPT : 0; my $opts = $type == INLINE ? NOLOG_OPT : 0;
my $state = ''; my $state = '';
my $proto = 0;
if ( $action =~ /:/ ) { if ( $action =~ /:/ ) {
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf'; warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@ -2065,6 +2092,8 @@ sub process_actions() {
} else { } else {
fatal_error( q(The 'state' option is reserved for use in the actions.std file) ); fatal_error( q(The 'state' option is reserved for use in the actions.std file) );
} }
} elsif ( /^proto=(.+)$/ ) {
fatal_error "Unknown Protocol ($1)" unless defined( $proto = resolve_proto( $1 ) );
} else { } else {
fatal_error "Invalid option ($_)" unless $options{$_}; fatal_error "Invalid option ($_)" unless $options{$_};
$opts |= $options{$_}; $opts |= $options{$_};
@ -2097,6 +2126,8 @@ sub process_actions() {
} }
if ( $opts & BUILTIN_OPT ) { if ( $opts & BUILTIN_OPT ) {
warning_message( "The 'proto' option has no effect when specified on a builtin action" ) if $proto;
my $actiontype = USERBUILTIN | OPTIONS; my $actiontype = USERBUILTIN | OPTIONS;
$actiontype |= MANGLE_TABLE if $opts & MANGLE_OPT; $actiontype |= MANGLE_TABLE if $opts & MANGLE_OPT;
$actiontype |= RAW_TABLE if $opts & RAW_OPT; $actiontype |= RAW_TABLE if $opts & RAW_OPT;
@ -2129,7 +2160,7 @@ sub process_actions() {
fatal_error "Missing Action File ($actionfile)" unless -f $actionfile; fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
new_action ( $action, $type, $opts, $actionfile , $state ); new_action ( $action, $type, $opts, $actionfile , $state , $proto );
} }
} }
} }
@ -3012,6 +3043,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
my $actionchain; # Name of the action chain my $actionchain; # Name of the action chain
if ( $actiontype & ACTION ) { if ( $actiontype & ACTION ) {
#
# Verify action 'proto', if any
#
$proto = determine_action_protocol( $basictarget, $proto );
# #
# Save NAT-oriented column contents # Save NAT-oriented column contents
# #
@ -4736,6 +4771,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
function => sub() { function => sub() {
fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE; fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE;
# #
# Verify action 'proto', if any
#
$proto = determine_action_protocol( $cmd, $proto );
#
# Create the action:level:tag:param tuple. # Create the action:level:tag:param tuple.
# #
my $normalized_target = normalize_action( $cmd, '', $params ); my $normalized_target = normalize_action( $cmd, '', $params );
@ -5694,6 +5733,10 @@ sub process_snat1( $$$$$$$$$$$$ ) {
if ( $actiontype & ACTION ) { if ( $actiontype & ACTION ) {
fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE; fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
# #
# Verify action 'proto', if any
#
$proto = determine_action_protocol( $target, $proto );
#
# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store # Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
# the interface name in the log tag # the interface name in the log tag
# #

19
Shorewall/actions.std
View File

@ -26,18 +26,19 @@ Broadcast inline,audit # Handles Broadcast/Anycast
?else ?else
Broadcast noinline,audit # Handles Broadcast/Anycast Broadcast noinline,audit # Handles Broadcast/Anycast
?endif ?endif
DNSAmp # Matches one-question recursive DNS queries DNSAmp proto=17 # Matches one-question recursive DNS queries
Drop # Default Action for DROP policy (deprecated) Drop # Default Action for DROP policy (deprecated)
dropBcast inline # Silently Drop Broadcast dropBcast inline # Silently Drop Broadcast
dropBcasts inline # Silently Drop Broadcast dropBcasts inline # Silently Drop Broadcast
dropInvalid inline # Drops packets in the INVALID conntrack state dropInvalid inline # Drops packets in the INVALID conntrack state
dropMcast inline # Silently Drop Multicast dropMcast inline # Silently Drop Multicast
dropNotSyn noinline # Silently Drop Non-syn TCP packets dropNotSyn noinline,proto=6 # Silently Drop Non-syn TCP packets
DropDNSrep inline # Drops DNS replies DropDNSrep inline,proto=17 # Drops DNS replies
DropSmurfs noinline # Drop smurf packets DropSmurfs noinline # Drop smurf packets
Established inline,\ # Handles packets in the ESTABLISHED state Established inline,\ # Handles packets in the ESTABLISHED state
state=ESTABLISHED # state=ESTABLISHED #
FIN inline,audit # Handles ACK,FIN,PSH packets FIN inline,audit,\ # Handles ACK,FIN,PSH packets
proto=6
forwardUPnP noinline # Allow traffic that upnpd has redirected from 'upnp' interfaces. forwardUPnP noinline # Allow traffic that upnpd has redirected from 'upnp' interfaces.
GlusterFS inline # Handles GlusterFS GlusterFS inline # Handles GlusterFS
IfEvent noinline # Perform an action based on an event IfEvent noinline # Perform an action based on an event
@ -50,14 +51,16 @@ Multicast inline,audit # Handles Multicast
Multicast noinline,audit # Handles Multicast Multicast noinline,audit # Handles Multicast
?endif ?endif
New inline,state=NEW # Handles packets in the NEW conntrack state New inline,state=NEW # Handles packets in the NEW conntrack state
NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0 NotSyn inline,audit,\ # Handles TCP packets which do not have SYN=1 and ACK=0
rejNotSyn noinline # Silently Reject Non-syn TCP packets proto=6
rejNotSyn noinline,proto=6 # Silently Reject Non-syn TCP packets
Reject # Default Action for REJECT policy (deprecated) Reject # Default Action for REJECT policy (deprecated)
Related inline,\ # Handles packets in the RELATED conntrack state Related inline,\ # Handles packets in the RELATED conntrack state
state=RELATED # state=RELATED #
ResetEvent inline # Reset an Event ResetEvent inline # Reset an Event
RST inline,audit # Handle packets with RST set RST inline,audit,\ # Handle packets with RST set
proto=6
SetEvent inline # Initialize an event SetEvent inline # Initialize an event
TCPFlags # Handle bad flag combinations. TCPFlags proto=6 # Handle bad flag combinations.
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
state=UNTRACKED # state=UNTRACKED #

21
Shorewall/manpages/shorewall-actions.xml
View File

@ -191,6 +191,27 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><option>proto</option>=<replaceable>protocol</replaceable></term>
<listitem>
<para>Added in Shorewall 5.1.10. Specifies that the action is
only usable with the specified
<replaceable>protocol</replaceable> (name or number). When the
action is invoked with no protocol specified in the PROTO
column, or if the action is used as a Policy Action, the named
<replaceable>protocol</replaceable> will be assumed. If a
protocol is specified in the PROTO column of an invocation,
then it must match the named
<replaceable>protocol</replaceable>.</para>
<para>The <option>proto</option> option has no effect if the
<option>inline</option> or <option>builtin</option> option is
specified. A warning is issued if <option>proto</option> is
specified along with <option>builtin</option>.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><option>section</option></term> <term><option>section</option></term>

19
Shorewall6/actions.std
View File

@ -10,8 +10,8 @@
#ACTION #ACTION
A_Drop # Audited Default Action for DROP policy A_Drop # Audited Default Action for DROP policy
A_Reject # Audited Default Action for REJECT policy A_Reject # Audited Default Action for REJECT policy
A_AllowICMPs # Audited Accept needed ICMP6 types A_AllowICMPs proto=58 # Audited Accept needed ICMP6 types
AllowICMPs # Accept needed ICMP6 types AllowICMPs proto=58 # Accept needed ICMP6 types
allowBcast inline # Silently Allow Broadcast allowBcast inline # Silently Allow Broadcast
allowInvalid inline # Accepts packets in the INVALID conntrack state allowInvalid inline # Accepts packets in the INVALID conntrack state
allowMcast inline # Silently Allow Multicast allowMcast inline # Silently Allow Multicast
@ -24,26 +24,27 @@ dropBcast inline # Silently Drop Broadcast
dropBcasts inline # Silently Drop Broadcast dropBcasts inline # Silently Drop Broadcast
dropInvalid inline # Drops packets in the INVALID conntrack state dropInvalid inline # Drops packets in the INVALID conntrack state
dropMcast inline # Silently Drop Multicast dropMcast inline # Silently Drop Multicast
dropNotSyn noinline # Silently Drop Non-syn TCP packets dropNotSyn noinline,proto=6 # Silently Drop Non-syn TCP packets
DropDNSrep inline # Drops DNS replies DropDNSrep inline,proto=17 # Drops DNS replies
DropSmurfs noinline # Handles packets with a broadcast source address DropSmurfs noinline # Handles packets with a broadcast source address
Established inline,\ # Handles packets in the ESTABLISHED state Established inline,\ # Handles packets in the ESTABLISHED state
state=ESTABLISHED state=ESTABLISHED
FIN inline,audit # Handles ACK,FIN,PSH packets FIN inline,audit,\ # Handles ACK,FIN,PSH packets
proto=6
forwardUPnP noinline # Allow traffic that upnpd has redirected from 'upnp' interfaces. forwardUPnP noinline # Allow traffic that upnpd has redirected from 'upnp' interfaces.
IfEvent noinline # Perform an action based on an event IfEvent noinline # Perform an action based on an event
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
state=INVALID state=INVALID
Multicast noinline # Handles Multicast Multicast noinline # Handles Multicast
New inline,state=NEW # Handles packets in the NEW conntrack state New inline,state=NEW # Handles packets in the NEW conntrack state
NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0 NotSyn inline,proto=6 # Handles TCP packets that do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy (deprecated) Reject # Default Action for REJECT policy (deprecated)
rejNotSyn noinline # Silently Reject Non-syn TCP packets rejNotSyn noinline,proto=6 # Silently Reject Non-syn TCP packets
Related inline,\ # Handles packets in the RELATED conntrack state Related inline,\ # Handles packets in the RELATED conntrack state
state=RELATED state=RELATED
ResetEvent inline # Reset an Event ResetEvent inline # Reset an Event
RST inline # Handle packets with RST set RST inline,proto=6 # Handle packets with RST set
SetEvent inline # Initialize an event SetEvent inline # Initialize an event
TCPFlags # Handles bad flags combinations TCPFlags proto=6 # Handles bad flags combinations
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
state=UNTRACKED state=UNTRACKED