holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Eliminate builtin actions

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2017-03-05 12:09:33 -08:00
parent c1e7fce1c5
commit 80d93235b5
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
12 changed files with 174 additions and 242 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
Shorewall/Actions/action.Limit
View File

@ -22,6 +22,49 @@
#
# Limit(<recent-set>,<num-connections>,<timeout>)
#
# This is a built-in action.
#
###############################################################################
DEFAULTS -,-,-
?begin perl
use strict;
use Shorewall::Config;
use Shorewall::Chains;
my $chainref = get_action_chain;
my @param = get_action_params(3);
my ( $level, $tag ) = get_action_logging;
@param = split /,/, $tag unless supplied( join '', @param );
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
my $set = $param[0];
for ( @param[1,2] ) {
fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
}
my $count = $param[1] + 1;
require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
add_irule $chainref, recent => "--name $set --set";
if ( $level ne '' ) {
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' );
add_ijump $xchainref, j => 'DROP';
add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
} else {
add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
}
add_ijump $chainref, j => 'ACCEPT';
1;
?end perl

15
Shorewall/Actions/action.allowBcast
View File

@ -22,6 +22,17 @@
#
# allowBcast[([audit])]
#
# This is a built-in action.
#
###############################################################################
DEFAULTS -
?if passed(@1)
?if @1 eq 'audit'
?require AUDIT_TARGET
Broadcast(A_ACCEPT)
?else
?error "Invalid argument (@1) to allowBcast"
?endif
?else
Broadcast(ACCEPT)
?endif

15
Shorewall/Actions/action.allowMcast
View File

@ -22,6 +22,17 @@
#
# allowMcast[([audit])]
#
# This is a built-in action.
#
###############################################################################
DEFAULTS -
?if passed(@1)
?if @1 eq 'audit'
?require AUDIT_TARGET
Multicast(A_ACCEPT)
?else
?error "Invalid argument (@1) to allowMcast"
?endif
?else
Multicast(ACCEPT)
?endif

17
Shorewall/Actions/action.allowinUPnP
View File

@ -22,6 +22,19 @@
#
# allowinUPnP[([audit])]
#
# This is a built-in action.
#
###############################################################################
DEFAULTS -
?if passed(@1)
?if @1 eq 'audit'
?require AUDIT_TARGET
A_ACCEPT - - 17 1900
A_ACCEPT - - 6 49152
?else
?error "Invalid argument (@1) to allowinUPnP"
?endif
?else
ACCEPT - - 17 1900
ACCEPT - - 6 49152
?endif

16
Shorewall/Actions/action.dropBcast
View File

@ -22,6 +22,18 @@
#
# dropBcast[([audit])]
#
# This is a built-in action.
#
###############################################################################
DEFAULTS -
?if passed(@1)
?if @1 eq 'audit'
?require AUDIT_TARGET
Broadcast(A_DROP)
?else
?error "Invalid argument (@1) to dropBcast"
?endif
?else
Broadcast(DROP)
?endif

15
Shorewall/Actions/action.dropMcast
View File

@ -22,6 +22,17 @@
#
# dropMcast[([audit])]
#
# This is a built-in action.
#
###############################################################################
DEFAULTS -
?if passed(@1)
?if @1 eq 'audit'
?require AUDIT_TARGET
Multicast(A_DROP)
?else
?error "Invalid argument (@1) to dropMcast"
?endif
?else
Multicast(DROP)
?endif

15
Shorewall/Actions/action.dropNotSyn
View File

@ -22,6 +22,17 @@
#
# dropNotSyn[([audit])]
#
# This is a built-in action.
#
###############################################################################
DEFAULTS -
?if passed(@1)
?if @1 eq 'audit'
?require AUDIT_TARGET
A_DROP ;; -p 6 ! --syn
?else
?error "Invalid argument (@1) to dropNotSyn"
?endif
?else
DROP ;; -p 6 ! --syn
?endif

20
Shorewall/Actions/action.forwardUPnP
View File

@ -22,6 +22,22 @@
#
# forwardUPnP
#
# This is a built-in action.
#
###############################################################################
DEFAULTS -
?begin perl
use strict;
use Shorewall::Config;
use Shorewall::Chains;
my $chainref = get_action_chain;
set_optflags( $chainref, DONT_OPTIMIZE );
add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
1;
?end perl

16
Shorewall/Actions/action.rejNotSyn
View File

@ -22,6 +22,18 @@
#
# rejNotSyn[([audit])]
#
# This is a built-in action.
#
###############################################################################
DEFAULTS -
?if passed(@1)
?if @1 eq 'audit'
?require AUDIT_TARGET
A_REJECT ;; -p 6 ! --syn
?else
?error "Invalid argument (@1) to rejNotSyn"
?endif
?else
REJECT(--reject-with tcp-reset) ;; -p 6 ! --syn
?endif

202
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -144,8 +144,6 @@ our %macros;
our $family;
our @builtins;
#
# Commands that can be embedded in a basic rule and how many total tokens on the line (0 => unlimited).
#
@ -352,7 +350,7 @@ sub initialize( $ ) {
#
$macro_nest_level = 0;
#
# All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
# All actions mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
#
%actions = ();
#
@ -363,7 +361,6 @@ sub initialize( $ ) {
@columns = ( ( '-' ) x LAST_COLUMN, 0 );
if ( $family == F_IPV4 ) {
@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
%reject_options = ( 'icmp-net-unreachable' => 1,
'icmp-host-unreachable' => 1,
'icmp-port-unreachable' => 1,
@ -375,7 +372,6 @@ sub initialize( $ ) {
);
} else {
@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn/;
%reject_options = ( 'icmp6-no-route' => 1,
'no-route' => 1,
'icmp6-adm-prohibited' => 1,
@ -1708,191 +1704,6 @@ sub map_old_actions( $ ) {
}
}
#
# The following small functions generate rules for the builtin actions of the same name
#
sub dropBcast( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_;
my $target = require_audit ( 'DROP', $audit );
if ( have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) {
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
if ( $family == F_IPV4 ) {
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' );
} else {
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST );
}
}
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
} else {
if ( $family == F_IPV4 ) {
add_commands $chainref, 'for address in $ALL_BCASTS; do';
} else {
add_commands $chainref, 'for address in $ALL_ACASTS; do';
}
incr_cmd_level $chainref;
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '$address' ) if $level ne '';
add_ijump $chainref, j => $target, d => '$address';
decr_cmd_level $chainref;
add_commands $chainref, 'done';
}
}
sub dropMcast( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_;
my $target = require_audit ( 'DROP', $audit );
if ( $family == F_IPV4 ) {
log_irule_limit $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
add_ijump $chainref, j => $target, d => '224.0.0.0/4';
} else {
log_irule_limit( $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
}
}
sub allowBcast( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_;
my $target = require_audit( 'ACCEPT', $audit );
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) {
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' );
}
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
} else {
if ( $family == F_IPV4 ) {
add_commands $chainref, 'for address in $ALL_BCASTS; do';
} else {
add_commands $chainref, 'for address in $ALL_MACASTS; do';
}
incr_cmd_level $chainref;
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '$address' ) if $level ne '';
add_ijump $chainref, j => $target, d => '$address';
decr_cmd_level $chainref;
add_commands $chainref, 'done';
}
}
sub allowMcast( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_;
my $target = require_audit( 'ACCEPT', $audit );
if ( $family == F_IPV4 ) {
log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
add_ijump $chainref, j => $target, d => '224.0.0.0/4';
} else {
log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', '', $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
}
}
sub dropNotSyn ( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_;
my $target = require_audit( 'DROP', $audit );
log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
add_ijump $chainref , j => $target, p => '6 ! --syn';
}
sub rejNotSyn ( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_;
warning_message "rejNotSyn is deprecated in favor of NotSyn(REJECT)";
my $target = 'REJECT --reject-with tcp-reset';
if ( supplied $audit ) {
$target = require_audit( 'REJECT' , $audit );
}
log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
add_ijump $chainref , j => $target, p => '6 ! --syn';
}
sub forwardUPnP ( $$$$ ) {
my $chainref = set_optflags( 'forwardUPnP', DONT_OPTIMIZE );
add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
}
sub allowinUPnP ( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_;
my $target = require_audit( 'ACCEPT', $audit );
if ( $level ne '' ) {
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '17 --dport 1900' );
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '6 --dport 49152' );
}
add_ijump $chainref, j => $target, p => '17 --dport 1900';
add_ijump $chainref, j => $target, p => '6 --dport 49152';
}
sub Limit( $$$$ ) {
my ($chainref, $level, $tag, $param ) = @_;
my @param;
if ( $param ) {
@param = split /,/, $param;
} else {
@param = split /,/, $tag;
$tag = '';
}
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
my $set = $param[0];
for ( @param[1,2] ) {
fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
}
my $count = $param[1] + 1;
require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
add_irule $chainref, recent => "--name $set --set";
if ( $level ne '' ) {
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' );
add_ijump $xchainref, j => 'DROP';
add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
} else {
add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
}
add_ijump $chainref, j => 'ACCEPT';
}
my %builtinops = ( 'dropBcast' => \&dropBcast,
'dropMcast' => \&dropMcast,
'allowBcast' => \&allowBcast,
'allowMcast' => \&allowMcast,
'dropNotSyn' => \&dropNotSyn,
'rejNotSyn' => \&rejNotSyn,
'allowinUPnP' => \&allowinUPnP,
'forwardUPnP' => \&forwardUPnP,
'Limit' => \&Limit,
);
sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
sub process_snat1( $$$$$$$$$$$$ );
@ -1914,12 +1725,6 @@ sub process_action(\$\$$) {
my $actionref = $actions{$action};
my $matches = fetch_inline_matches;
if ( $type & BUILTIN ) {
$level = '' if $level =~ /none!?/;
$builtinops{$action}->( $chainref, $level, $tag, $param );
return 0;
}
if ( $type & MANGLE_TABLE ) {
fatal_error "Action $action may only be used in the mangle file" unless $chainref->{table} eq 'mangle';
} else {
@ -2192,7 +1997,6 @@ sub process_action(\$\$$) {
#
# This function is called prior to processing of the policy file. It:
#
# - Adds the builtin actions to the target table
# - Reads actions.std and actions (in that order) and for each entry:
# o Adds the action to the target table
# o Verifies that the corresponding action file exists
@ -2201,10 +2005,6 @@ sub process_action(\$\$$) {
sub process_actions() {
progress_message2 "Locating Action Files...";
#
# Add built-in actions to the target table and create those actions
#
$targets{$_} = new_action( $_ , ACTION + BUILTIN, NOINLINE_OPT, '' , '' ) for @builtins;
for my $file ( qw/actions.std actions/ ) {
open_file( $file, 2 );

22
Shorewall/actions.std
View File

@ -6,44 +6,40 @@
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Builtin Actions are:
#
?if 0
allowBcast # Silently Allow Broadcast
allowMcast # Silently Allow Multicast
dropBcast # Silently Drop Broadcast
dropMcast # Silently Drop Multicast
dropNotSyn # Silently Drop Non-syn TCP packets
rejNotSyn # Silently Reject Non-syn TCP packets
allowinUPnP # Allow UPnP inbound (to firewall) traffic
forwardUPnP # Allow traffic that upnpd has redirected from 'upnp' interfaces.
Limit # Limit the rate of connections from each individual IP address
?endif
###############################################################################
#ACTION
A_Drop # Audited Default Action for DROP policy
A_REJECT noinline,logjump # Audits then rejects a connection request
A_REJECT! inline # Audits then rejects a connection request
A_Reject # Audited Default action for REJECT policy
allowBcast inline # Silently Allow Broadcast
allowinUPnP inline # Allow UPnP inbound (to firewall) traffic
allowInvalid inline # Accepts packets in the INVALID conntrack state
allowMcast inline # Silently Allow Multicast
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL
BLACKLIST logjump,section # Add sender to the dynamic blacklist
Broadcast noinline,audit # Handles Broadcast/Anycast
DNSAmp # Matches one-question recursive DNS queries
Drop # Default Action for DROP policy (deprecated)
dropBcast inline # Silently Drop Broadcast
dropInvalid inline # Drops packets in the INVALID conntrack state
dropMcast inline # Silently Drop Multicast
dropNotSyn noinline # Silently Drop Non-syn TCP packets
DropDNSrep inline # Drops DNS replies
DropSmurfs noinline # Drop smurf packets
Established inline,\ # Handles packets in the ESTABLISHED state
state=ESTABLISHED #
forwardUPnP noinline # Allow traffic that upnpd has redirected from 'upnp' interfaces.
GlusterFS inline # Handles GlusterFS
IfEvent noinline # Perform an action based on an event
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
state=INVALID #
Limit noinline # Limit the rate of connections from each individual IP address
Multicast noinline,audit # Handles Multicast
New inline,state=NEW # Handles packets in the NEW conntrack state
NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0
rejNotSyn noinline # Silently Reject Non-syn TCP packets
Reject # Default Action for REJECT policy (deprecated)
Related inline,\ # Handles packets in the RELATED conntrack state
state=RELATED #

16
Shorewall6/actions.std
View File

@ -6,28 +6,23 @@
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Builtin Actions are:
#
?if 0
allowBcasts # Accept anycast packets
allowMcasts # Accept multicast packets
dropBcasts # Silently Drop anycast packets
dropMcasts # Silently Drop multicast packets
dropNotSyn # Silently Drop Non-syn TCP packets
rejNotSyn # Silently Reject Non-syn TCP packets
?endif
###############################################################################
#ACTION
A_Drop # Audited Default Action for DROP policy
A_Reject # Audited Default Action for REJECT policy
A_AllowICMPs # Audited Accept needed ICMP6 types
AllowICMPs # Accept needed ICMP6 types
allowBcast inline # Silently Allow Broadcast
allowInvalid inline # Accepts packets in the INVALID conntrack state
allowMcast inline # Silently Allow Multicast
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL
Broadcast noinline # Handles Broadcast/Anycast
Drop # Default Action for DROP policy (deprecated)
dropBcast inline # Silently Drop Broadcast
dropInvalid inline # Drops packets in the INVALID conntrack state
dropMcast inline # Silently Drop Multicast
dropNotSyn noinline # Silently Drop Non-syn TCP packets
DropDNSrep inline # Drops DNS replies
DropSmurfs noinline # Handles packets with a broadcast source address
Established inline,\ # Handles packets in the ESTABLISHED state
@ -39,6 +34,7 @@ Multicast noinline # Handles Multicast
New inline,state=NEW # Handles packets in the NEW conntrack state
NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy (deprecated)
rejNotSyn noinline # Silently Reject Non-syn TCP packets
Related inline,\ # Handles packets in the RELATED conntrack state
state=RELATED
ResetEvent inline # Reset an Event