Clean up rules file sectioning

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2565 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-08-26 22:23:56 +00:00
parent 0ae1bdfbc1
commit 86c837bf48


@ -235,10 +235,37 @@ run_ipset() {
# #
finish_chain_section() # $1 = canonical chain $2 = state list finish_chain_section() # $1 = canonical chain $2 = state list
{ {
local policy policychain
[ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
if list_search RELATED $(separate_list $2) ; then if list_search RELATED $(separate_list $2) ; then
[ -z "$NEWNOTSYN" ] && run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn [ -z "$NEWNOTSYN" ] && run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
fi
if is_policy_chain $1 ; then
if eval test -n \"\$${1}_synparams\" ; then
if [ $SECTION = DONE ]; then
eval policy=\$${1}_policy
case $policy in
ACCEPT|CONTINUE|QUEUE)
run_iptables -A $1 -p tcp --syn -j @$1
;;
*)
esac
else
run_iptables -A $1 -p tcp --syn -j @$1
fi
fi
else
eval policychain=\$${1}_policychain
if eval test -n \"\$${policychain}_synparams\" ; then
run_iptables -A $1 -p tcp --syn -j @$policychain
fi
fi
fi
} }
finish_section() # $1 = Section(s) finish_section() # $1 = Section(s)
@ -273,7 +300,7 @@ createchain() # $1 = chain name, $2 = If "yes", create newnotsyn rule
if [ $2 = yes ]; then if [ $2 = yes ]; then
case $SECTION in case $SECTION in
NEW) NEW|DONE)
finish_chain_section $1 ESTABLISHED,RELATED finish_chain_section $1 ESTABLISHED,RELATED
;; ;;
RELATED) RELATED)
@ -296,7 +323,7 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
if [ $2 = yes ]; then if [ $2 = yes ]; then
case $SECTION in case $SECTION in
NEW) NEW|DONE)
finish_chain_section $1 ESTABLISHED,RELATED finish_chain_section $1 ESTABLISHED,RELATED
;; ;;
RELATED) RELATED)
@ -1455,6 +1482,7 @@ validate_policy()
eval ${chain}_is_policy=Yes eval ${chain}_is_policy=Yes
eval ${chain}_is_optional=Yes eval ${chain}_is_optional=Yes
eval ${chain}_policy=ACCEPT eval ${chain}_policy=ACCEPT
eval ${chain}_policychain=$chain
ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain" ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
done done
@ -1511,8 +1539,8 @@ validate_policy()
fi fi
fi fi
[ "x$loglevel" = "x-" ] && loglevel= [ "x$loglevel" = "x-" ] && loglevel=
[ "x$synparms" = "x-" ] && synparms= [ "x$synparams" = "x-" ] && synparams=
[ $policy = NONE ] || ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain" [ $policy = NONE ] || ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
@ -2782,17 +2810,6 @@ setup_syn_flood_chains()
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
done done
} }
#
# Enable SYN flood protection on a chain
#
# Insert a jump rule to the protection chain from the first chain. Inserted
# as the second rule and restrict the jump to SYN packets
#
enable_syn_flood_protection() # $1 = chain, $2 = protection chain
{
run_iptables -I $1 -p tcp --syn -j @$2
progress_message " Enabled SYN flood protection"
}
# #
# Delete existing Proxy ARP # Delete existing Proxy ARP
@ -5979,13 +5996,13 @@ process_rules() # $1 = "Yes" if the target is a macro.
case $SECTION in case $SECTION in
ESTABLISHED) ESTABLISHED)
finish_section ESTABLISHED,RELATED finish_section ESTABLISHED,RELATED
SECTION=NEW
;; ;;
RELATED) RELATED)
finish_section RELATED finish_section RELATED
SECTION=NEW
;; ;;
esac esac
SECTION=DONE
} }
# #
@ -6250,6 +6267,11 @@ default_policy() # $1 = client $2 = server
chain=$chain1 chain=$chain1
} }
report_syn_flood_protection()
{
progress_message " Enabled SYN flood protection"
}
apply_default() apply_default()
{ {
# #
@ -6280,7 +6302,7 @@ default_policy() # $1 = client $2 = server
# To avoid double-counting SYN packets, enforce the policy # To avoid double-counting SYN packets, enforce the policy
# in this chain. # in this chain.
# #
enable_syn_flood_protection $chain $chain1 report_syn_flood_protection
policy_rules $chain $policy $loglevel policy_rules $chain $policy $loglevel
else else
# #
@ -6296,7 +6318,7 @@ default_policy() # $1 = client $2 = server
# rules and enable SYN flood protection if requested # rules and enable SYN flood protection if requested
# #
[ -n "$synparams" ] && \ [ -n "$synparams" ] && \
enable_syn_flood_protection $chain $chain1 report_syn_flood_protection
policy_rules $chain $policy $loglevel policy_rules $chain $policy $loglevel
;; ;;
*) *)
@ -6305,7 +6327,7 @@ default_policy() # $1 = client $2 = server
# enable SYN flood protection if requested. # enable SYN flood protection if requested.
# #
[ -n "$synparams" ] && \ [ -n "$synparams" ] && \
enable_syn_flood_protection $chain $chain1 report_syn_flood_protection
jump_to_policy_chain jump_to_policy_chain
;; ;;
esac esac
@ -7815,11 +7837,7 @@ apply_policy_rules() {
eval loglevel=\$${chain}_loglevel eval loglevel=\$${chain}_loglevel
eval optional=\$${chain}_is_optional eval optional=\$${chain}_is_optional
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel if ! havechain $chain && [ -z "$optional" -a "$policy" != CONTINUE ]; then
if havechain $chain ; then
[ -n "$synparms" ] && run_iptables -I $chain -p tcp --syn -j @$chain
elif [ -z "$optional" -a "$policy" != CONTINUE ]; then
# #
# The chain doesn't exist. Create the chain and add policy # The chain doesn't exist. Create the chain and add policy
# rules # rules
@ -7832,14 +7850,6 @@ apply_policy_rules() {
# Otherwise, this is a canonical chain which will be handled in # Otherwise, this is a canonical chain which will be handled in
# the for loop below # the for loop below
# #
if [ -n "$synparams" ]; then
case $policy in
ACCEPT|CONTINUE|QUEUE)
run_iptables -I $chain -p tcp --syn -j @$chain
;;
esac
fi
case $chain in case $chain in
all2*|*2all) all2*|*2all)
policy_rules $chain $policy $loglevel policy_rules $chain $policy $loglevel
@ -8233,6 +8243,8 @@ define_firewall() # $1 = Command (Start or Restart)
echo "Setting up NETMAP..."; setup_netmap echo "Setting up NETMAP..."; setup_netmap
echo "Adding Common Rules"; add_common_rules echo "Adding Common Rules"; add_common_rules
setup_syn_flood_chains
tunnels=$(find_file tunnels) tunnels=$(find_file tunnels)
[ -f $tunnels ] && \ [ -f $tunnels ] && \
echo "Processing $tunnels..." && setup_tunnels $tunnels echo "Processing $tunnels..." && setup_tunnels $tunnels
@ -8242,8 +8254,6 @@ define_firewall() # $1 = Command (Start or Restart)
maclist_hosts=$(find_hosts_by_option maclist) maclist_hosts=$(find_hosts_by_option maclist)
[ -n "$maclist_hosts" ] && setup_mac_lists [ -n "$maclist_hosts" ] && setup_mac_lists
setup_syn_flood_chains
echo "Processing $(find_file rules)..."; process_rules echo "Processing $(find_file rules)..."; process_rules
echo "Processing Actions..."; process_actions2 echo "Processing Actions..."; process_actions2
process_actions3 process_actions3
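Review bot: In the new finish_chain_section the test `if [ $SECTION = DONE ]; then` leaves `$SECTION` unquoted, so any caller that reaches it with SECTION empty (chains created by setup_tunnels or setup_mac_lists run before process_rules in the reordered define_firewall, and whether SECTION has an initial value at that point is not visible here) collapses to `[ = DONE ]`, emits a "unary operator expected" error and falls into the else branch by accident rather than by design. Quoting it, `if [ "$SECTION" = DONE ]; then`, makes that fall-through deliberate and silent. The non-policy branch also depends on `${1}_policychain` being set for every canonical chain, yet within this diff it is only assigned for the implicit optional chains in validate_policy, so a chain whose variable is missing silently gets no `-j @$policychain` jump while report_syn_flood_protection still prints "Enabled SYN flood protection" in default_policy — if the assignment is not made elsewhere, either guard with `[ -n "$policychain" ] || fatal_error "no policy chain for $1"` (or whatever the file's error helper is) or gate the progress message on the jump actually having been added. The empty `*)` arm before `esac` can simply be dropped. Note that finish_chain_section's closing brace is shown as context and the remaining hunks cut through the middle of createchain, validate_policy, process_rules, default_policy, apply_policy_rules and define_firewall.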