Some cleanup of policy actions

- Allow '+' in policy file action list

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2017-02-07 13:19:53 -08:00
parent af8d4e32c2
commit 7e984af094
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
8 changed files with 94 additions and 81 deletions


@ -138,7 +138,7 @@ our %section_rmap = ( ALL_SECTION , 'ALL',
our @policy_chains; our @policy_chains;
our %default_actions; our %policy_actions;
our %macros; our %macros;
@ -311,12 +311,14 @@ sub initialize( $ ) {
# This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
# in the %config hash when shorewall[6].conf was processed. # in the %config hash when shorewall[6].conf was processed.
# #
%default_actions = ( DROP => [] , %policy_actions = ( DROP => [] ,
REJECT => [] , REJECT => [] ,
BLACKLIST => [] , BLACKLIST => [] ,
ACCEPT => [] , ACCEPT => [] ,
QUEUE => [] , QUEUE => [] ,
NFQUEUE => [] , NFQUEUE => [] ,
CONTINUE => [] ,
NONE => [] ,
); );
# #
# These are set to 1 as sections are encountered. # These are set to 1 as sections are encountered.
@ -430,7 +432,7 @@ sub convert_to_policy_chain($$$$$$)
$chainref->{audit} = $audit; $chainref->{audit} = $audit;
$chainref->{policychain} = $chainref->{name}; $chainref->{policychain} = $chainref->{name};
$chainref->{policypair} = [ $source, $dest ]; $chainref->{policypair} = [ $source, $dest ];
$chainref->{defaults} = []; $chainref->{pactions} = [];
} }
# #
@ -480,7 +482,7 @@ sub set_policy_chain($$$$$$)
$chainref->{synchain} = $polchainref->{synchain}; $chainref->{synchain} = $polchainref->{synchain};
} }
$chainref->{defaults} = $polchainref->{defaults}; $chainref->{pactions} = $polchainref->{pactions} || [];
$chainref->{is_policy} = 1; $chainref->{is_policy} = 1;
push @policy_chains, $chainref; push @policy_chains, $chainref;
} else { } else {
@ -529,12 +531,12 @@ sub normalize_action( $$$ );
sub normalize_action_name( $ ); sub normalize_action_name( $ );
sub normalize_single_action( $ ); sub normalize_single_action( $ );
sub process_default_action( $$$$ ) { sub process_policy_action( $$$$ ) {
my ( $originalpolicy, $policy, $default, $level ) = @_; my ( $originalpolicy, $policy, $paction, $level ) = @_;
if ( supplied $default ) { if ( supplied $paction ) {
my $default_option = ( $policy =~ /_DEFAULT$/ ); my $paction_option = ( $policy =~ /_DEFAULT$/ );
my ( $def, $param ) = get_target_param( $default ); my ( $act, $param ) = get_target_param( $paction );
if ( supplied $level ) { if ( supplied $level ) {
validate_level( $level ); validate_level( $level );
@ -542,46 +544,48 @@ sub process_default_action( $$$$ ) {
$level = 'none'; $level = 'none';
} }
if ( ( $targets{$def} || 0 ) & ACTION ) { if ( ( $targets{$act} || 0 ) & ACTION ) {
$default = supplied $param ? normalize_action( $def, $level, $param ) : $paction = supplied $param ? normalize_action( $act, $level, $param ) :
$level eq 'none' ? normalize_action_name $def : $level eq 'none' ? normalize_action_name $act :
normalize_action( $def, $level, '' ); normalize_action( $act, $level, '' );
} elsif ( ( $targets{$def} || 0 ) == INLINE ) { } elsif ( ( $targets{$act} || 0 ) == INLINE ) {
$default = $def; $paction = $act;
$default = "$def($param)" if supplied $param; $paction = "$act($param)" if supplied $param;
$default = join( ':', $default, $level ) if $level ne 'none'; $paction = join( ':', $paction, $level ) if $level ne 'none';
} elsif ( $default_option ) { } elsif ( $paction_option ) {
fatal_error "Unknown Action ($default) in $policy setting"; fatal_error "Unknown Action ($paction) in $policy setting";
} else { } else {
fatal_error "Unknown Default Action ($default)"; fatal_error "Unknown Policy Action ($paction)";
} }
} else { } else {
$default = $default_actions{$policy}; $paction = $policy_actions{$policy};
} }
$default; $paction;
} }
sub process_default_actions( $$$ ) { sub process_policy_actions( $$$ ) {
my ( $originalpolicy, $policy, $defaults ) = @_; my ( $originalpolicy, $policy, $pactions ) = @_;
my @defaults; if ( supplied $pactions ) {
my @pactions;
if ( supplied $defaults ) { if ( $pactions ne 'none' ) {
if ( $defaults ne 'none' ) { @pactions = @{$policy_actions{policy}} if $pactions =~ s/^\+//;
for my $default ( split_list3( $defaults, 'Default Action' ) ) {
my ( $action, $level, $remainder ) = split( /:/, $default );
fatal_error "Invalid default action ($default:$level:$remainder)" if defined $remainder; for my $paction ( split_list3( $pactions, 'Policy Action' ) ) {
my ( $action, $level, $remainder ) = split( /:/, $paction, 3 );
push @defaults, process_default_action( $originalpolicy, $policy, $action, $level ); fatal_error "Invalid policy action ($paction:$level:$remainder)" if defined $remainder;
push @pactions, process_policy_action( $originalpolicy, $policy, $action, $level );
} }
} }
\@defaults; \@pactions;
} else { } else {
$default_actions{$policy}; $policy_actions{$policy};
} }
} }
@ -670,7 +674,7 @@ sub process_a_policy1($$$$$$$) {
require_capability 'AUDIT_TARGET', ":audit", "s" if $audit; require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
my ( $policy, $defaults ) = split( /:/, $originalpolicy, 2 ); my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy; fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
@ -682,7 +686,7 @@ sub process_a_policy1($$$$$$$) {
fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy}; fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
} }
my $default = process_default_actions( $originalpolicy, $policy, $defaults ); my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
if ( defined $queue ) { if ( defined $queue ) {
$policy = handle_nfqueue( $queue, $policy = handle_nfqueue( $queue,
@ -739,7 +743,7 @@ sub process_a_policy1($$$$$$$) {
$chainref->{synchain} = $chain $chainref->{synchain} = $chain
} }
$chainref->{defaults} = $default; $chainref->{pactions} = $pactionref;
$chainref->{origin} = shortlineinfo(''); $chainref->{origin} = shortlineinfo('');
if ( $clientwild ) { if ( $clientwild ) {
@ -855,10 +859,10 @@ sub process_policies()
if ( $actions eq 'none' ) { if ( $actions eq 'none' ) {
$actions = []; $actions = [];
} else { } else {
$actions = process_default_actions( $actions, $option, $actions ); $actions = process_policy_actions( $actions, $option, $actions );
} }
$default_actions{$map{$option}} = $actions; $policy_actions{$map{$option}} = $actions;
} }
for $zone ( all_zones ) { for $zone ( all_zones ) {
@ -918,23 +922,23 @@ sub process_policies()
sub process_inline ($$$$$$$$$$$$$$$$$$$$$$); sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
sub add_policy_rules( $$$$$ ) { sub add_policy_rules( $$$$$ ) {
my ( $chainref , $target, $loglevel, $defaults, $dropmulticast ) = @_; my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
unless ( $target eq 'NONE' ) { unless ( $target eq 'NONE' ) {
my @defaults; my @pactions;
@defaults = @$defaults if defined $defaults; @pactions = @$pactions;
add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT'; add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
for my $default ( @defaults ) { for my $paction ( @pactions ) {
my ( $action ) = split ':', $default; my ( $action ) = split ':', $paction;
if ( ( $targets{$action} || 0 ) & ACTION ) { if ( ( $targets{$action} || 0 ) & ACTION ) {
# #
# Default action is a regular action -- jump to the action chain # Default action is a regular action -- jump to the action chain
# #
add_ijump $chainref, j => use_policy_action( $default, $chainref->{name} ); add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
} else { } else {
# #
# Default action is an inline # Default action is an inline
@ -946,7 +950,7 @@ sub add_policy_rules( $$$$$ ) {
'', #Matches '', #Matches
'', #Matches1 '', #Matches1
$loglevel, #Log Level and Tag $loglevel, #Log Level and Tag
$default, #Target $paction, #Target
$param || '', #Param $param || '', #Param
'-', #Source '-', #Source
'-', #Dest '-', #Dest
@ -999,7 +1003,7 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
my $chainref = $_[0]; my $chainref = $_[0];
my $policyref = $filter_table->{$chainref->{policychain}}; my $policyref = $filter_table->{$chainref->{policychain}};
my $synparams = $policyref->{synparams}; my $synparams = $policyref->{synparams};
my $defaults = $policyref->{defaults}; my $defaults = $policyref->{pactions};
my $policy = $policyref->{policy}; my $policy = $policyref->{policy};
my $loglevel = $policyref->{loglevel}; my $loglevel = $policyref->{loglevel};
@ -1041,7 +1045,7 @@ sub complete_policy_chains() {
unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) { unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
my $loglevel = $chainref->{loglevel}; my $loglevel = $chainref->{loglevel};
my $provisional = $chainref->{provisional}; my $provisional = $chainref->{provisional};
my $defaults = $chainref->{defaults}; my $defaults = $chainref->{pactions};
my $name = $chainref->{name}; my $name = $chainref->{name};
my $synparms = $chainref->{synparms}; my $synparms = $chainref->{synparms};
@ -1094,17 +1098,17 @@ sub complete_standard_chain ( $$$$ ) {
my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) }; my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
my ( $policy, $loglevel ) = ( $default , 6 ); my ( $policy, $loglevel ) = ( $default , 6 );
my $defaultactions = $default_actions{$policy}; my $policy_actions = $policy_actions{$policy};
my $policychainref; my $policychainref;
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref; $policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
if ( $policychainref ) { if ( $policychainref ) {
( $policy, $loglevel, $defaultactions ) = @{$policychainref}{'policy', 'loglevel', 'defaults' }; ( $policy, $loglevel, $policy_actions ) = @{$policychainref}{'policy', 'loglevel', 'pactions' };
$stdchainref->{origin} = $policychainref->{origin}; $stdchainref->{origin} = $policychainref->{origin};
} }
add_policy_rules $stdchainref , $policy , $loglevel, $defaultactions, 0; add_policy_rules $stdchainref , $policy , $loglevel, $policy_actions, 0;
} }
# #
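Review bot: The new `+` handling in process_policy_actions looks up `$policy_actions{policy}` — the bareword key `policy`, not the `$policy` argument unpacked two lines earlier — so a `+`-prefixed action list never inherits the _DEFAULT actions and, under `use strict`, dereferencing the undefined value is a runtime error ("Can't use an undefined value as an ARRAY reference") rather than the intended merge. The line should read `@pactions = @{ $policy_actions{$policy} } if $pactions =~ s/^\+//;`. Separately, process_policies passes the option name itself (`$option`, e.g. DROP_DEFAULT) as `$policy`, so a `+` written in a shorewall.conf *_DEFAULT setting reaches the same lookup with no matching key; guarding it with something like `fatal_error "'+' is not permitted in $policy" if $policy =~ /_DEFAULT$/ && $pactions =~ /^\+/;` (constructed wording) would turn that into a clear configuration error. The hunk opens inside process_policy_action, whose signature is in the preceding hunk; process_policy_actions itself is complete within this hunk.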


@ -120,7 +120,7 @@
role="bold">QUEUE</emphasis>|<emphasis role="bold">QUEUE</emphasis>|<emphasis
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
role="bold">NONE</emphasis>}[<emphasis role="bold">NONE</emphasis>}[<emphasis
role="bold">:</emphasis>{<emphasis>default-action</emphasis>[:level][,...]|<emphasis role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
role="bold">None</emphasis>}]</term> role="bold">None</emphasis>}]</term>
<listitem> <listitem>
@ -140,7 +140,7 @@
<listitem> <listitem>
<para>The name of an action with optional parameters enclosed in <para>The name of an action with optional parameters enclosed in
parentheses. The action will be invoked before the policy is parentheses. The action will be invoked before the policy is
enforced. </para> enforced.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
@ -154,9 +154,13 @@
<para>Beginning with Shorewall 5.1.2, multiple <para>Beginning with Shorewall 5.1.2, multiple
<replaceable>action</replaceable>[:<replaceable>level</replaceable>] <replaceable>action</replaceable>[:<replaceable>level</replaceable>]
specification may be listeded, separated by commas. The actions are specification may be listeded, separated by commas. The actions are
invoked in the order listed.</para> invoked in the order listed. Also beginning with Shorewall 5.1.2,
the policy-action list can be prefixed with a plus sign ("+")
indicating that the listed actions are in addition to those listed
in the related _DEFAULT setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>Possible actions are:</para> <para>Possible policies are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>


@ -105,11 +105,11 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT=none ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
NFQUEUE_DEFAULT=none NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none QUEUE_DEFAULT=none
REJECT_DEFAULT=AllowICMPs,dropBcasts REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S


@ -106,11 +106,11 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT=none ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
NFQUEUE_DEFAULT=none NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none QUEUE_DEFAULT=none
REJECT_DEFAULT=AllowICMPs,dropBcasts REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S


@ -105,11 +105,11 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT=none ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
NFQUEUE_DEFAULT=none NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none QUEUE_DEFAULT=none
REJECT_DEFAULT=AllowICMPs,dropBcasts REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S


@ -105,11 +105,11 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT=none ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
DROP_DEFAULT=AllowICMPs,dropBcasts,dropNotSyn:$LOG DROP_DEFAULT="AllowICMPs,Broadcast(DROP),dropNotSyn:$LOG"
NFQUEUE_DEFAULT=none NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none QUEUE_DEFAULT=none
REJECT_DEFAULT=AllowICMPs,dropBcasts REJECT_DEFAULT="AllowICMPs,Broadcast(DROP)"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S


@ -119,7 +119,7 @@
role="bold">QUEUE</emphasis>|<emphasis role="bold">QUEUE</emphasis>|<emphasis
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
role="bold">NONE</emphasis>}[<emphasis role="bold">NONE</emphasis>}[<emphasis
role="bold">:</emphasis>{<emphasis>default-action</emphasis>[:level][,...]|<emphasis role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
role="bold">None</emphasis>}]</term> role="bold">None</emphasis>}]</term>
<listitem> <listitem>
@ -152,9 +152,13 @@
<para>Beginning with Shorewall 5.1.2, multiple <para>Beginning with Shorewall 5.1.2, multiple
<replaceable>action</replaceable>[:<replaceable>level</replaceable>] <replaceable>action</replaceable>[:<replaceable>level</replaceable>]
pairs may be specified, separated by commas. The actions are invoked pairs may be specified, separated by commas. The actions are invoked
in the order listed.</para> in the order listed. Also beginning with Shorewall 5.1.2, the
policy-action list can be prefixed with a plus sign ("+") indicating
that the listed actions are in addition to those listed in the
related _DEFAULT setting in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>Possible actions are:</para> <para>Possible policies are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>


@ -136,9 +136,10 @@ ACCEPT - - tcp 135,139,445</programlisting>
<para>Shorewall allows the association of a <firstterm>policy <para>Shorewall allows the association of a <firstterm>policy
action</firstterm> with policies. A separate policy action may be action</firstterm> with policies. A separate policy action may be
associated with ACCEPT, DROP, REJECT, QUEUE and NFQUEUE policies. Policy associated with ACCEPT, DROP, REJECT, QUEUE, NFQUEUE and BLACKLIST
actions provide a way to invoke a set of common rules just before the policies. Policy actions provide a way to invoke a set of common rules
policy is enforced. Policy actions accomplish two goals:</para> just before the policy is enforced. Policy actions accomplish two
goals:</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -153,8 +154,8 @@ ACCEPT - - tcp 135,139,445</programlisting>
</orderedlist> </orderedlist>
<para>Shorewall supports policy actions for the ACCEPT, REJECT, DROP, <para>Shorewall supports policy actions for the ACCEPT, REJECT, DROP,
QUEUE and NFQUEUE policies. These default actions are specified in the QUEUE, NFQUEUE and BLACKLIST policies. These default actions are specified
<filename>/etc/shorewall/shorewall.conf</filename> file using the in the <filename>/etc/shorewall/shorewall.conf</filename> file using the
ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and
NFQUEUE_DEFAULT options respectively. Policies whose default is set to a NFQUEUE_DEFAULT options respectively. Policies whose default is set to a
value of <quote>none</quote> have no default action.</para> value of <quote>none</quote> have no default action.</para>
@ -295,7 +296,7 @@ ACCEPT - - tcp 135,139,445</programlisting>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>Broadcasts[(<replaceable>disposition</replaceable>)]</term> <term>Broadcast[(<replaceable>disposition</replaceable>)]</term>
<listitem> <listitem>
<para>Handles broadcasts and multicasts based on the <para>Handles broadcasts and multicasts based on the
@ -335,7 +336,7 @@ ACCEPT - - tcp 135,139,445</programlisting>
<listitem> <listitem>
<para>Allows ICMP packets mandated by RFC 4890. In particular, this <para>Allows ICMP packets mandated by RFC 4890. In particular, this
ensures that Neighbor Discovery won't be broken </para> ensures that Neighbor Discovery won't be broken</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>