holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Implement stoppedrules file (less manpages)

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-09-03 08:44:03 -07:00
parent 01696e7298
commit 8e5bd3637d
8 changed files with 156 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -225,6 +225,7 @@ our %EXPORT_TAGS = (
handle_network_list handle_network_list
expand_rule expand_rule
addnatjump addnatjump
mysplit
set_chain_variables set_chain_variables
mark_firewall_not_started mark_firewall_not_started
mark_firewall6_not_started mark_firewall6_not_started

1
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -919,6 +919,7 @@ sub compiler {
# call that function during normal 'check', we must validate routestopped here. # call that function during normal 'check', we must validate routestopped here.
# #
process_routestopped; process_routestopped;
process_stoppedrules;
} }
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {

1
Shorewall/Perl/Shorewall/Config.pm
View File

@ -430,6 +430,7 @@ our %config_files = ( #accounting => 1,
started => 1, started => 1,
stop => 1, stop => 1,
stopped => 1, stopped => 1,
stoppedrules => 1,
tcclasses => 1, tcclasses => 1,
tcclear => 1, tcclear => 1,
tcdevices => 1, tcdevices => 1,

134
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -41,6 +41,7 @@ our @EXPORT = qw( process_tos
add_common_rules add_common_rules
setup_mac_lists setup_mac_lists
process_routestopped process_routestopped
process_stoppedrules
compile_stop_firewall compile_stop_firewall
generate_matrix generate_matrix
); );
@ -548,9 +549,9 @@ EOF
sub process_routestopped() { sub process_routestopped() {
if ( my $fn = open_file 'routestopped' ) { if ( my $fn = open_file 'routestopped' ) {
my ( @allhosts, %source, %dest , %notrack, @rule ); my ( @allhosts, %source, %dest , %destonly, %notrack, @rule );
my $seq = 0; my $seq = 0;
first_entry "$doing $fn..."; first_entry "$doing $fn...";
@ -573,12 +574,7 @@ sub process_routestopped() {
my $rule = do_proto( $proto, $ports, $sports, 0 ); my $rule = do_proto( $proto, $ports, $sports, 0 );
for my $host ( split /,/, $hosts ) { my $verified;
imatch_source_net( $host );
push @hosts, "$interface|$host|$seq";
push @rule, $rule;
}
unless ( $options eq '-' ) { unless ( $options eq '-' ) {
for my $option (split /,/, $options ) { for my $option (split /,/, $options ) {
@ -589,13 +585,23 @@ sub process_routestopped() {
$routeback = 1; $routeback = 1;
} }
} elsif ( $option eq 'source' ) { } elsif ( $option eq 'source' ) {
for my $host ( split /,/, $hosts ) { $verified = 1;
for my $host ( mysplit $hosts ) {
imatch_source_net( $host );
$source{"$interface|$host|$seq"} = 1; $source{"$interface|$host|$seq"} = 1;
} }
} elsif ( $option eq 'dest' ) { } elsif ( $option eq 'dest' ) {
for my $host ( split /,/, $hosts ) { $verified = 1;
for my $host ( mysplit $hosts ) {
imatch_dest_net( $host );
$dest{"$interface|$host|$seq"} = 1; $dest{"$interface|$host|$seq"} = 1;
} }
} elsif ( $option eq 'destonly' ) {
$verified = 1;
for my $host ( mysplit $hosts ) {
imatch_dest_net( $host );
$destonly{"$interface|$host|$seq"} = 1;
}
} elsif ( $option eq 'notrack' ) { } elsif ( $option eq 'notrack' ) {
for my $host ( split /,/, $hosts ) { for my $host ( split /,/, $hosts ) {
$notrack{"$interface|$host|$seq"} = 1; $notrack{"$interface|$host|$seq"} = 1;
@ -610,7 +616,7 @@ sub process_routestopped() {
if ( $routeback || $interfaceref->{options}{routeback} ) { if ( $routeback || $interfaceref->{options}{routeback} ) {
my $chainref = $filter_table->{FORWARD}; my $chainref = $filter_table->{FORWARD};
for my $host ( split /,/, $hosts ) { for my $host ( mysplit $hosts ) {
add_ijump( $chainref , add_ijump( $chainref ,
j => 'ACCEPT', j => 'ACCEPT',
imatch_source_dev( $interface ) , imatch_source_dev( $interface ) ,
@ -619,9 +625,21 @@ sub process_routestopped() {
imatch_dest_net( $host ) ); imatch_dest_net( $host ) );
clearrule; clearrule;
} }
$verified = 1;
}
for my $host ( mysplit $hosts ) {
unless ( $verified ) {
imatch_source_net( $host );
imatch_dest_net( $host );
}
push @hosts, "$interface|$host|$seq";
push @rule, $rule;
} }
push @allhosts, @hosts; push @allhosts, @hosts;
} }
for my $host ( @allhosts ) { for my $host ( @allhosts ) {
@ -632,7 +650,7 @@ sub process_routestopped() {
my $desti = match_dest_dev $interface; my $desti = match_dest_dev $interface;
my $rule = shift @rule; my $rule = shift @rule;
add_rule $filter_table->{INPUT}, "$sourcei $source $rule -j ACCEPT", 1; add_rule $filter_table->{INPUT}, "$sourcei $source $rule -j ACCEPT", 1 unless $destonly{$host};
my $matched = 0; my $matched = 0;
@ -641,15 +659,20 @@ sub process_routestopped() {
$matched = 1; $matched = 1;
} }
if ( $dest{$host} ) { if ( $dest{$host} || $destonly{$host} ) {
add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED}; add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED};
add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1; add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1;
$matched = 1; $matched = 1;
} }
if ( $notrack{$host} ) { if ( $notrack{$host} ) {
add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1; if ( have_capability 'CT_TARGET' ) {
add_rule $raw_table->{OUTPUT}, "$desti $dest $rule -j NOTRACK", 1; add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j CT --notrack", 1;
add_rule $raw_table->{OUTPUT}, "$desti $dest $rule -j CT --notrack", 1;
} else {
add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1;
add_rule $raw_table->{OUTPUT}, "$desti $dest $rule -j NOTRACK", 1;
}
} }
unless ( $matched ) { unless ( $matched ) {
@ -667,6 +690,86 @@ sub process_routestopped() {
} }
} }
#
# Process the stoppedrules file
#
sub process_stoppedrules() {
my $fw = firewall_zone;
if ( my $fn = open_file 'stoppedrules' ) {
first_entry "$doing $fn...";
while ( read_a_line( NORMAL_READ ) ) {
my ( $target, $source, $dest, $proto, $ports, $sports ) =
split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0, FORMAT => 2 };
fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;
my $tableref;
my $chainref;
my $restriction = NO_RESTRICT;
if ( $target eq 'NOTRACK' ) {
$tableref = $raw_table;
require_capability 'RAW_TABLE', 'NOTRACK', 's';
$chainref = $raw_table->{PREROUTING};
$restriction = PREROUTE_RESTRICT | DESTIFACE_DISALLOW;
} else {
$tableref = $filter_table;
}
if ( $source eq $fw ) {
$chainref = $tableref->{OUTPUT};
$source = '';
$restriction = OUTPUT_RESTRICT;
}
if ( $source =~ s/^($fw):// ) {
$chainref = $filter_table->{OUTPUT};
$restriction = OUTPUT_RESTRICT;
}
if ( $dest eq $fw ) {
fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
$chainref = $filter_table->{INPUT};
$dest = '';
$restriction = INPUT_RESTRICT;
}
if ( $dest =~ s/^($fw):// ) {
fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
$chainref = $filter_table->{INPUT};
$restriction = INPUT_RESTRICT;
}
$chainref = $tableref->{FORWARD} unless $chainref;
my $disposition = $target;
$target = 'CT --notrack' if $target eq 'NOTRACK' and have_capability( 'CT_TARGET' );
unless ( $restriction == OUTPUT_RESTRICT
&& $target eq 'ACCEPT'
&& $config{ADMINISABSENTMINDED} ) {
expand_rule( $chainref ,
$restriction ,
do_proto( $proto, $ports, $sports ) ,
$source ,
$dest ,
'' ,
$target,
'',
$disposition,
do_proto( $proto, '-', '-' ) );
}
}
}
clear_comment;
}
sub setup_mss(); sub setup_mss();
sub add_common_rules ( $ ) { sub add_common_rules ( $ ) {
@ -2415,6 +2518,7 @@ EOF
} }
process_routestopped; process_routestopped;
process_stoppedrules;
add_ijump $input, j => 'ACCEPT', i => 'lo'; add_ijump $input, j => 'ACCEPT', i => 'lo';
add_ijump $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED}; add_ijump $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED};

2
Shorewall/configfiles/routestopped
View File

@ -1,6 +1,8 @@
# #
# Shorewall version 4 - Routestopped File # Shorewall version 4 - Routestopped File
# #
# This file is deprecated in favor of the stoppedrules file
#
# For information about entries in this file, type "man shorewall-routestopped" # For information about entries in this file, type "man shorewall-routestopped"
# #
# The manpage is also online at # The manpage is also online at

15
Shorewall/configfiles/stoppedrules Normal file
View File

@ -0,0 +1,15 @@
#
# Shorewall version 4 - Stopped Rules File
#
# For information about entries in this file, type "man shorewall-stoppedrules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
#
# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
FORMAT 2
###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)

2
Shorewall6/configfiles/routestopped
View File

@ -1,6 +1,8 @@
# #
# Shorewall6 version 4 - Routestopped File # Shorewall6 version 4 - Routestopped File
# #
# This file is deprecated in favor of the stoppedrules file.
#
# For information about entries in this file, type "man shorewall6-routestopped" # For information about entries in this file, type "man shorewall6-routestopped"
# #
# The manpage is also online at # The manpage is also online at

15
Shorewall6/configfiles/stoppedrules Normal file
View File

@ -0,0 +1,15 @@
#
# Shorewall6 version 4 - Stopped Rules File
#
# For information about entries in this file, type "man shorewall6-stoppedrules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall6-stoppedrules.html
#
# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
FORMAT 2
###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)