Add RFC1918_STRICT Option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1993 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-03-10 22:27:33 +00:00 · 2005-03-10 22:27:33 +00:00 · 88745ab74c
commit 88745ab74c
parent 4f46ce9f6f
3 changed files with 72 additions and 5 deletions
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -5632,6 +5632,10 @@ initialize_netfilter () {
 	[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
    fi

+
+    [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
+	startup_error "RFC1918_STRICT=Yes requires conntrack state match"
+
    echo "Determining Zones..."

    determine_zones
@ -5922,7 +5926,15 @@ add_common_rules() {
 	
 	run_iptables -A rfc1918 -j DROP

-	if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
+	chain=norfc1918
+
+	if [ -n "$RFC1918_STRICT" ]; then
+	    #
+	    # We'll generate two chains - one for source and one for destination
+	    #
+	    chain=rfc1918d
+	    createchain $chain no	    
+	elif [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
 	    #
 	    # Mangling is enabled but conntrack match isn't available -- 
 	    # create a chain in the mangle table to filter RFC1918 destination
@ -5941,8 +5953,13 @@ add_common_rules() {
 	    case $target in
 		logdrop)
 		    target=rfc1918
+		    s_target=rfc1918
 		    ;;
-		DROP|RETURN)
+		DROP)
+		    s_target=DROP
+		    ;;
+		RETURN)
+		    [ -n "$RFC1918_STRICT" ] && s_target=rfc1918d || s_target=RETURN
 		    ;;
 		*)
 		    fatal_error "Invalid target ($target) for $networks"
@ -5950,13 +5967,13 @@ add_common_rules() {
 	    esac

 	    for network in $(separate_list $networks); do
-		run_iptables2 -A norfc1918 $(source_ip_range $network) -j $target
+		run_iptables2 -A norfc1918 $(source_ip_range $network) -j $s_target
 	
 		if [ -n "$CONNTRACK_MATCH" ]; then
 		    #
 		    # We have connection tracking match -- match on the original destination
 		    #
-		    run_iptables2 -A norfc1918 -m conntrack --ctorigdst $network -j $target
+		    run_iptables2 -A $chain -m conntrack --ctorigdst $network -j $target
 		elif [ -n "$MANGLE_ENABLED" ]; then
 		    #
 		    # No connection tracking match but we have mangling -- add a rule to
@ -5967,6 +5984,8 @@ add_common_rules() {
 	    done
 	done < $TMP_DIR/rfc1918

+	[ -n "$RFC1918_STRICT" ] && run_iptables -A norfc1918 -j rfc1918d
+ 
 	for host in $hosts; do
 	    ipsec=${host%^*}
 	    host=${host#*^}
@ -7207,6 +7226,7 @@ do_initialize() {
    LOGTAGONLY=
    LOGALLNEW=
    DROPINVALID=
+    RFC1918_STRICT=

    RESTOREBASE=
    TMP_DIR=
@ -7402,6 +7422,7 @@ do_initialize() {
    DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
    LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
    DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
+    RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
    #
    # Strip the files that we use often
    #
--- a/Shorewall2/rfc1918
+++ b/Shorewall2/rfc1918
@ -21,7 +21,24 @@
 #			DROP	- silently drop the packet
 #			logdrop - log then drop
 #
-###############################################################################
+# By default, the RETURN target in the 'rfc1918' causes 'norfc1918'
+# processing to cease for a packet if the packet's source IP address matches
+# the rule. Thus, if you have:
+#
+#	SUBNETS			TARGET
+#	192.168.1.0/24		RETURN
+#
+# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you 
+# also have:
+#
+#	SUBNETS			TARGET
+#	10.0.0.0/8		logdrop
+#
+# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be
+# logged and dropped since while the packet's source matches the RETURN rule,
+# the packet's destination matches the 'logdrop' rule.
+#
+################################################################################
 #SUBNETS		TARGET
 172.16.0.0/12		logdrop		# RFC 1918
 192.168.0.0/16		logdrop		# RFC 1918
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@ -739,6 +739,35 @@ PKTTYPE=Yes
 # DROPINVALID=Yes is assumed.

 DROPINVALID=No
+
+#
+# RFC 1918 BEHAVIOR
+#
+# Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918'
+# processing to cease for a packet if the packet's source IP address matches
+# the rule. Thus, if you have:
+#
+#	SUBNETS			TARGET
+#	192.168.1.0/24		RETURN
+#
+# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you 
+# also have:
+#
+#	SUBNETS			TARGET
+#	10.0.0.0/8		logdrop
+#
+# Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped
+# since while the packet's source matches the RETURN rule, the packet's
+# destination matches the 'logdrop' rule.
+#
+# If not specified or specified as empty (e.g., RFC1918_STRICT="") then
+# RFC1918_STRICT=No is assumed.
+#
+# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
+#          'conntrack state' match.
+
+RFC1918_STRICT=No
+
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################