diff --git a/Shorewall/Actions/action.Limit b/Shorewall/Actions/action.Limit
index 100adce13..dab00f760 100644
--- a/Shorewall/Actions/action.Limit
+++ b/Shorewall/Actions/action.Limit
@@ -22,6 +22,49 @@
 #
 # Limit(,,)
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -,-,-
+
+?begin perl
+
+use strict;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref = get_action_chain;
+my @param = get_action_params(3);
+my ( $level, $tag ) = get_action_logging;
+
+@param = split /,/, $tag unless supplied( join '', @param );
+
+fatal_error 'Limit rules must include ,, as the log tag or as parameters' unless @param == 3;
+
+my $set = $param[0];
+
+for ( @param[1,2] ) {
+ fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
+}
+
+my $count = $param[1] + 1;
+
+require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
+
+warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
+
+add_irule $chainref, recent => "--name $set --set";
+
+if ( $level ne '' ) {
+ my $xchainref = new_chain 'filter' , "$chainref->{name}%";
+ log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' );
+ add_ijump $xchainref, j => 'DROP';
+ add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
+} else {
+ add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
+}
+
+add_ijump $chainref, j => 'ACCEPT';
+
+1;
+
+?end perl
diff --git a/Shorewall/Actions/action.allowBcast b/Shorewall/Actions/action.allowBcast
index b40c9ee1c..9cc8be9b7 100644
--- a/Shorewall/Actions/action.allowBcast
+++ b/Shorewall/Actions/action.allowBcast
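Review bot: When the three values are taken from the log tag (`@param = split /,/, $tag unless supplied( join '', @param );`), `$tag` still holds `set,count,seconds` and is passed unchanged to `log_irule_limit` as the log tag, whereas the builtin this replaces cleared it in that branch (`$tag = '';`). Suggested: `unless ( supplied( join '', @param ) ) { @param = split /,/, $tag; $tag = ''; }`. The removed dispatcher also normalised `$level = '' if $level =~ /none!?/` before calling Limit; unless `get_action_logging` already does this, a level of `none` now takes the `$level ne ''` branch and creates the extra logging chain, which is worth confirming. Whether `get_action_params(3)` returns the `-` placeholders from `DEFAULTS -,-,-` as supplied values also decides whether the tag fallback can ever be reached. `use warnings;` next to `use strict;` would be the usual pairing for an embedded Perl block like this one.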
@@ -22,6 +22,17 @@
 #
 # allowBcast[([audit])]
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+ ?if @1 eq 'audit'
+ ?require AUDIT_TARGET
+ Broadcast(A_ACCEPT)
+ ?else
+ ?error "Invalid argument (@1) to allowBcast"
+ ?endif
+?else
+ Broadcast(ACCEPT)
+?endif
diff --git a/Shorewall/Actions/action.allowMcast b/Shorewall/Actions/action.allowMcast
index 2dd33adc6..36151c7fb 100644
--- a/Shorewall/Actions/action.allowMcast
+++ b/Shorewall/Actions/action.allowMcast
@@ -22,6 +22,17 @@
 #
 # allowMcast[([audit])]
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+ ?if @1 eq 'audit'
+ ?require AUDIT_TARGET
+ Multicast(A_ACCEPT)
+ ?else
+ ?error "Invalid argument (@1) to allowMcast"
+ ?endif
+?else
+ Multicast(ACCEPT)
+?endif
diff --git a/Shorewall/Actions/action.allowinUPnP b/Shorewall/Actions/action.allowinUPnP
index 83834ac00..af5de9963 100644
--- a/Shorewall/Actions/action.allowinUPnP
+++ b/Shorewall/Actions/action.allowinUPnP
@@ -22,6 +22,19 @@
 #
 # allowinUPnP[([audit])]
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+ ?if @1 eq 'audit'
+ ?require AUDIT_TARGET
+ A_ACCEPT - - 17 1900
+ A_ACCEPT - - 6 49152
+ ?else
+ ?error "Invalid argument (@1) to allowinUPnP"
+ ?endif
+?else
+ ACCEPT - - 17 1900
+ ACCEPT - - 6 49152
+?endif
diff --git a/Shorewall/Actions/action.dropBcast b/Shorewall/Actions/action.dropBcast
index e48804127..046368bf7 100644
--- a/Shorewall/Actions/action.dropBcast
+++ b/Shorewall/Actions/action.dropBcast
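Review bot: allowBcast now delegates entirely to `Broadcast(ACCEPT)` / `Broadcast(A_ACCEPT)`, while the builtin it replaces had its own address handling: with ADDRTYPE it also logged `224.0.0.0/4`, and without ADDRTYPE it iterated `$ALL_MACASTS` on IPv6 (dropBcast iterated `$ALL_ACASTS`). Whether the Broadcast action, described in actions.std as 'Handles Broadcast/Anycast', reproduces the multicast part of that behaviour is not visible in this diff and should be checked before the replacement is considered equivalent. The same delegation pattern is used by allowMcast, dropBcast and dropMcast in the following hunks. A short header comment naming the action each file now maps to, e.g. `# Equivalent to Broadcast(ACCEPT), or Broadcast(A_ACCEPT) with the audit parameter`, would make the dependency explicit.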
@@ -22,6 +22,18 @@
 #
 # dropBcast[([audit])]
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+ ?if @1 eq 'audit'
+ ?require AUDIT_TARGET
+ Broadcast(A_DROP)
+ ?else
+ ?error "Invalid argument (@1) to dropBcast"
+ ?endif
+?else
+ Broadcast(DROP)
+?endif
+
diff --git a/Shorewall/Actions/action.dropMcast b/Shorewall/Actions/action.dropMcast
index 8d0d4a892..9017f524a 100644
--- a/Shorewall/Actions/action.dropMcast
+++ b/Shorewall/Actions/action.dropMcast
@@ -22,6 +22,17 @@
 #
 # dropMcast[([audit])]
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+ ?if @1 eq 'audit'
+ ?require AUDIT_TARGET
+ Multicast(A_DROP)
+ ?else
+ ?error "Invalid argument (@1) to dropMcast"
+ ?endif
+?else
+ Multicast(DROP)
+?endif
diff --git a/Shorewall/Actions/action.dropNotSyn b/Shorewall/Actions/action.dropNotSyn
index 863946150..0b5007009 100644
--- a/Shorewall/Actions/action.dropNotSyn
+++ b/Shorewall/Actions/action.dropNotSyn
@@ -22,6 +22,17 @@
 #
 # dropNotSyn[([audit])]
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+ ?if @1 eq 'audit'
+ ?require AUDIT_TARGET
+ A_DROP ;; -p 6 ! --syn
+ ?else
+ ?error "Invalid argument (@1) to dropNotSyn"
+ ?endif
+?else
+ DROP ;; -p 6 ! --syn
+?endif
diff --git a/Shorewall/Actions/action.forwardUPnP b/Shorewall/Actions/action.forwardUPnP
index a36325ed8..33e909a98 100644
--- a/Shorewall/Actions/action.forwardUPnP
+++ b/Shorewall/Actions/action.forwardUPnP
@@ -22,6 +22,22 @@
 #
 # forwardUPnP
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?begin perl
+
+use strict;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref = get_action_chain;
+
+set_optflags( $chainref, DONT_OPTIMIZE );
+
+add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
+
+1;
+
+?end perl
diff --git a/Shorewall/Actions/action.rejNotSyn b/Shorewall/Actions/action.rejNotSyn
index 625e3c1d3..97513e31e 100644
--- a/Shorewall/Actions/action.rejNotSyn
+++ b/Shorewall/Actions/action.rejNotSyn
@@ -22,6 +22,18 @@
 #
 # rejNotSyn[([audit])]
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+ ?if @1 eq 'audit'
+ ?require AUDIT_TARGET
+ A_REJECT ;; -p 6 ! --syn
+ ?else
+ ?error "Invalid argument (@1) to rejNotSyn"
+ ?endif
+?else
+ REJECT(--reject-with tcp-reset) ;; -p 6 ! --syn
+?endif
+
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 668d772a2..d1e27dacf 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -144,8 +144,6 @@ our %macros;
 our $family;
-our @builtins;
-
 #
 # Commands that can be embedded in a basic rule and how many total tokens on the line (0 => unlimited).
 #
@@ -352,7 +350,7 @@ sub initialize( $ ) {
 #
 $macro_nest_level = 0;
 #
- # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
+ # All actions mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
 #
 %actions = ();
 #
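Review bot: The command added to the chain, `[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3`, copies that file verbatim into the rule stream on descriptor 3, so its contents become firewall rules without any filtering; the removed builtin did the same, but now that the logic lives in a user-visible action file the trust boundary deserves a comment, e.g. `# ${VARDIR}/.forwardUPnP is fed unfiltered into the ruleset being loaded; it and VARDIR must not be writable by untrusted users`. `set_optflags( $chainref, DONT_OPTIMIZE )` now receives the chain reference where the old code passed the name `'forwardUPnP'` and used the return value; I assume the function accepts both forms, but since the return is now discarded this is worth a quick check. As in action.Limit, `use warnings;` alongside `use strict;` would be the conventional pairing.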
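Review bot: The builtin rejNotSyn emitted `warning_message "rejNotSyn is deprecated in favor of NotSyn(REJECT)"`, and the new action.rejNotSyn has no equivalent, so the deprecation notice disappears while action.Limit keeps its own deprecation warning. If rejNotSyn is still meant to be deprecated, the file header could say so (`# Deprecated: use NotSyn(REJECT) instead`), or a preprocessor warning directive could be used if the compiler offers one alongside `?error`. The unaudited branch keeps `REJECT(--reject-with tcp-reset)` while the audit branch uses plain `A_REJECT`; that matches the old code, but a one-line comment noting that the reject type differs between the branches would save a reader from assuming an oversight.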
@@ -363,7 +361,6 @@ sub initialize( $ ) {
 @columns = ( ( '-' ) x LAST_COLUMN, 0 );
 if ( $family == F_IPV4 ) {
- @builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
 %reject_options = ( 'icmp-net-unreachable' => 1,
 'icmp-host-unreachable' => 1,
 'icmp-port-unreachable' => 1,
@@ -375,7 +372,6 @@ sub initialize( $ ) {
 );
 } else {
- @builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn/;
 %reject_options = ( 'icmp6-no-route' => 1,
 'no-route' => 1,
 'icmp6-adm-prohibited' => 1,
@@ -1708,191 +1704,6 @@ sub map_old_actions( $ ) {
 }
 }
-#
-# The following small functions generate rules for the builtin actions of the same name
-#
-sub dropBcast( $$$$ ) {
- my ($chainref, $level, $tag, $audit) = @_;
-
- my $target = require_audit ( 'DROP', $audit );
-
- if ( have_capability( 'ADDRTYPE' ) ) {
- if ( $level ne '' ) {
- log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
- if ( $family == F_IPV4 ) {
- log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' );
- } else {
- log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST );
- }
- }
-
- add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
- } else {
- if ( $family == F_IPV4 ) {
- add_commands $chainref, 'for address in $ALL_BCASTS; do';
- } else {
- add_commands $chainref, 'for address in $ALL_ACASTS; do';
- }
-
- incr_cmd_level $chainref;
- log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '$address' ) if $level ne '';
- add_ijump $chainref, j => $target, d => '$address';
- decr_cmd_level $chainref;
- add_commands $chainref, 'done';
- }
-}
-
-sub dropMcast( $$$$ ) {
- my ($chainref, $level, $tag, $audit) = @_;
-
- my $target = require_audit ( 'DROP', $audit );
-
- if ( $family == F_IPV4 ) {
- log_irule_limit $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
- add_ijump $chainref, j => $target, d => '224.0.0.0/4';
- } else {
- log_irule_limit( $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
- add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
- }
-}
-
-sub allowBcast( $$$$ ) {
- my ($chainref, $level, $tag, $audit) = @_;
-
- my $target = require_audit( 'ACCEPT', $audit );
-
- if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
- if ( $level ne '' ) {
- log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
- log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' );
- }
-
- add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
- } else {
- if ( $family == F_IPV4 ) {
- add_commands $chainref, 'for address in $ALL_BCASTS; do';
- } else {
- add_commands $chainref, 'for address in $ALL_MACASTS; do';
- }
-
- incr_cmd_level $chainref;
- log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '$address' ) if $level ne '';
- add_ijump $chainref, j => $target, d => '$address';
- decr_cmd_level $chainref;
- add_commands $chainref, 'done';
- }
-}
-
-sub allowMcast( $$$$ ) {
- my ($chainref, $level, $tag, $audit) = @_;
-
- my $target = require_audit( 'ACCEPT', $audit );
-
- if ( $family == F_IPV4 ) {
- log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
- add_ijump $chainref, j => $target, d => '224.0.0.0/4';
- } else {
- log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', '', $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
- add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
- }
-}
-
-sub dropNotSyn ( $$$$ ) {
- my ($chainref, $level, $tag, $audit) = @_;
-
- my $target = require_audit( 'DROP', $audit );
-
- log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
- add_ijump $chainref , j => $target, p => '6 ! --syn';
-}
-
-sub rejNotSyn ( $$$$ ) {
- my ($chainref, $level, $tag, $audit) = @_;
-
- warning_message "rejNotSyn is deprecated in favor of NotSyn(REJECT)";
-
- my $target = 'REJECT --reject-with tcp-reset';
-
- if ( supplied $audit ) {
- $target = require_audit( 'REJECT' , $audit );
- }
-
- log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
- add_ijump $chainref , j => $target, p => '6 ! --syn';
-}
-
-sub forwardUPnP ( $$$$ ) {
- my $chainref = set_optflags( 'forwardUPnP', DONT_OPTIMIZE );
-
- add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
-}
-
-sub allowinUPnP ( $$$$ ) {
- my ($chainref, $level, $tag, $audit) = @_;
-
- my $target = require_audit( 'ACCEPT', $audit );
-
- if ( $level ne '' ) {
- log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '17 --dport 1900' );
- log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '6 --dport 49152' );
- }
-
- add_ijump $chainref, j => $target, p => '17 --dport 1900';
- add_ijump $chainref, j => $target, p => '6 --dport 49152';
-}
-
-sub Limit( $$$$ ) {
- my ($chainref, $level, $tag, $param ) = @_;
-
- my @param;
-
- if ( $param ) {
- @param = split /,/, $param;
- } else {
- @param = split /,/, $tag;
- $tag = '';
- }
-
- fatal_error 'Limit rules must include ,, as the log tag or as parameters' unless @param == 3;
-
- my $set = $param[0];
-
- for ( @param[1,2] ) {
- fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
- }
-
- my $count = $param[1] + 1;
-
- require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
-
- warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
-
- add_irule $chainref, recent => "--name $set --set";
-
- if ( $level ne '' ) {
- my $xchainref = new_chain 'filter' , "$chainref->{name}%";
- log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' );
- add_ijump $xchainref, j => 'DROP';
- add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
- } else {
- add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
- }
-
- add_ijump $chainref, j => 'ACCEPT';
-}
-
-my %builtinops = ( 'dropBcast' => \&dropBcast,
- 'dropMcast' => \&dropMcast,
- 'allowBcast' => \&allowBcast,
- 'allowMcast' => \&allowMcast,
- 'dropNotSyn' => \&dropNotSyn,
- 'rejNotSyn' => \&rejNotSyn,
- 'allowinUPnP' => \&allowinUPnP,
- 'forwardUPnP' => \&forwardUPnP,
- 'Limit' => \&Limit,
- );
-
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
 sub process_snat1( $$$$$$$$$$$$ );
@@ -1914,12 +1725,6 @@ sub process_action(\$\$$) {
 my $actionref = $actions{$action};
 my $matches = fetch_inline_matches;
- if ( $type & BUILTIN ) {
- $level = '' if $level =~ /none!?/;
- $builtinops{$action}->( $chainref, $level, $tag, $param );
- return 0;
- }
-
 if ( $type & MANGLE_TABLE ) {
 fatal_error "Action $action may only be used in the mangle file" unless $chainref->{table} eq 'mangle';
 } else {
@@ -2192,7 +1997,6 @@ sub process_action(\$\$$) {
 #
 # This function is called prior to processing of the policy file. It:
 #
-# - Adds the builtin actions to the target table
 # - Reads actions.std and actions (in that order) and for each entry:
 # o Adds the action to the target table
 # o Verifies that the corresponding action file exists
@@ -2201,10 +2005,6 @@ sub process_action(\$\$$) {
 sub process_actions() {
 progress_message2 "Locating Action Files...";
- #
- # Add built-in actions to the target table and create those actions
- #
- $targets{$_} = new_action( $_ , ACTION + BUILTIN, NOINLINE_OPT, '' , '' ) for @builtins;
 for my $file ( qw/actions.std actions/ ) {
 open_file( $file, 2 );
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index fcf1f15b6..c7bb3808e 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -6,44 +6,40 @@
 # Please see http://shorewall.net/Actions.html for additional
 # information.
 #
-# Builtin Actions are:
-#
-?if 0
-allowBcast # Silently Allow Broadcast
-allowMcast # Silently Allow Multicast
-dropBcast # Silently Drop Broadcast
-dropMcast # Silently Drop Multicast
-dropNotSyn # Silently Drop Non-syn TCP packets
-rejNotSyn # Silently Reject Non-syn TCP packets
-allowinUPnP # Allow UPnP inbound (to firewall) traffic
-forwardUPnP # Allow traffic that upnpd has redirected from 'upnp' interfaces.
-Limit # Limit the rate of connections from each individual IP address
-?endif
 ###############################################################################
 #ACTION
 A_Drop # Audited Default Action for DROP policy
 A_REJECT noinline,logjump # Audits then rejects a connection request
 A_REJECT! inline # Audits then rejects a connection request
 A_Reject # Audited Default action for REJECT policy
+allowBcast inline # Silently Allow Broadcast
+allowinUPnP inline # Allow UPnP inbound (to firewall) traffic
 allowInvalid inline # Accepts packets in the INVALID conntrack state
+allowMcast inline # Silently Allow Multicast
 AutoBL noinline # Auto-blacklist IPs that exceed thesholds
 AutoBLL noinline # Helper for AutoBL
 BLACKLIST logjump,section # Add sender to the dynamic blacklist
 Broadcast noinline,audit # Handles Broadcast/Anycast
 DNSAmp # Matches one-question recursive DNS queries
 Drop # Default Action for DROP policy (deprecated)
+dropBcast inline # Silently Drop Broadcast
 dropInvalid inline # Drops packets in the INVALID conntrack state
+dropMcast inline # Silently Drop Multicast
+dropNotSyn noinline # Silently Drop Non-syn TCP packets
 DropDNSrep inline # Drops DNS replies
 DropSmurfs noinline # Drop smurf packets
 Established inline,\ # Handles packets in the ESTABLISHED state
 state=ESTABLISHED #
+forwardUPnP noinline # Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS inline # Handles GlusterFS
 IfEvent noinline # Perform an action based on an event
 Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
 state=INVALID #
+Limit noinline # Limit the rate of connections from each individual IP address
 Multicast noinline,audit # Handles Multicast
 New inline,state=NEW # Handles packets in the NEW conntrack state
 NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0
+rejNotSyn noinline # Silently Reject Non-syn TCP packets
 Reject # Default Action for REJECT policy (deprecated)
 Related inline,\ # Handles packets in the RELATED conntrack state
 state=RELATED #
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index 3537dfe1f..e481fca77 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
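Review bot: dropNotSyn and rejNotSyn are registered `noinline` while the other single-rule wrappers introduced in this commit (allowBcast, allowMcast, dropBcast, dropMcast, allowinUPnP) are `inline`, and the table gives no hint why; if the reason is the raw `;;` option syntax in those two action files, a trailing remark in the comment column, e.g. `# Silently Drop Non-syn TCP packets (noinline: raw ;; options)`, would record it. forwardUPnP and Limit being noinline is easier to infer, since both files run a `?begin perl` block that calls `get_action_chain`, but that inference is mine rather than the table's. The same question applies to the Shorewall6 table in the next file.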
@@ -6,28 +6,23 @@
 # Please see http://shorewall.net/Actions.html for additional
 # information.
 #
-# Builtin Actions are:
-#
-?if 0
-allowBcasts # Accept anycast packets
-allowMcasts # Accept multicast packets
-dropBcasts # Silently Drop anycast packets
-dropMcasts # Silently Drop multicast packets
-dropNotSyn # Silently Drop Non-syn TCP packets
-rejNotSyn # Silently Reject Non-syn TCP packets
-?endif
 ###############################################################################
 #ACTION
 A_Drop # Audited Default Action for DROP policy
 A_Reject # Audited Default Action for REJECT policy
 A_AllowICMPs # Audited Accept needed ICMP6 types
 AllowICMPs # Accept needed ICMP6 types
+allowBcast inline # Silently Allow Broadcast
 allowInvalid inline # Accepts packets in the INVALID conntrack state
+allowMcast inline # Silently Allow Multicast
 AutoBL noinline # Auto-blacklist IPs that exceed thesholds
 AutoBLL noinline # Helper for AutoBL
 Broadcast noinline # Handles Broadcast/Anycast
 Drop # Default Action for DROP policy (deprecated)
+dropBcast inline # Silently Drop Broadcast
 dropInvalid inline # Drops packets in the INVALID conntrack state
+dropMcast inline # Silently Drop Multicast
+dropNotSyn noinline # Silently Drop Non-syn TCP packets
 DropDNSrep inline # Drops DNS replies
 DropSmurfs noinline # Handles packets with a broadcast source address
 Established inline,\ # Handles packets in the ESTABLISHED state
@@ -39,6 +34,7 @@ Multicast noinline # Handles Multicast
 New inline,state=NEW # Handles packets in the NEW conntrack state
 NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0
 Reject # Default Action for REJECT policy (deprecated)
+rejNotSyn noinline # Silently Reject Non-syn TCP packets
 Related inline,\ # Handles packets in the RELATED conntrack state
 state=RELATED
 ResetEvent inline # Reset an Event
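Review bot: Shorewall6/actions.std keeps `Broadcast noinline` and `Multicast noinline` without the `audit` option that the IPv4 table gives them (`Broadcast noinline,audit`, `Multicast noinline,audit`), yet the new allowBcast/dropBcast and allowMcast/dropMcast files call `Broadcast(A_ACCEPT)`, `Broadcast(A_DROP)`, `Multicast(A_ACCEPT)` and `Multicast(A_DROP)` whenever `audit` is passed, regardless of family. If the `audit` option is what permits an audited target as the parameter of those actions, `allowBcast(audit)` and its siblings would now fail to compile under IPv6; please confirm, or add `audit` to these two entries to match the IPv4 file. The `?if 0` list being removed named `allowBcasts`, `dropBcasts` and so on with a trailing `s`, which never matched the builtin names, so dropping it also removes a misleading comment.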