forked from extern/shorewall_code
Add /proc setup
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5554 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
d7af562c03
commit
908c3031da
New
@ -35,6 +35,7 @@ our @EXPORT = qw( add_group_to_zone
|
||||
dump_interface_info
|
||||
known_interface
|
||||
find_interfaces_by_option
|
||||
get_interface_option
|
||||
|
||||
@interfaces );
|
||||
our @EXPORT_OK = ();
|
||||
@ -288,4 +289,13 @@ sub find_interfaces_by_option( $ ) {
|
||||
\@ints;
|
||||
}
|
||||
|
||||
#
|
||||
# Return the value of an option for an interface
|
||||
#
|
||||
sub get_interface_option( $$ ) {
|
||||
my ( $interface, $option ) = @_;
|
||||
|
||||
$interfaces{$interface}{options}{$option};
|
||||
}
|
||||
|
||||
1;
|
||||
|
215
New/Shorewall/Proc.pm
Normal file
215
New/Shorewall/Proc.pm
Normal file
@ -0,0 +1,215 @@
|
||||
#
|
||||
# Shorewall 3.9 -- /usr/share/shorewall/Shorewall/Proc.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2007 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
#
|
||||
package Shorewall::Proc;
|
||||
require Exporter;
|
||||
use Shorewall::Common;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Interfaces;
|
||||
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw(
|
||||
setup_arp_filtering
|
||||
setup_route_filtering
|
||||
setup_martian_logging
|
||||
setup_source_routing
|
||||
setup_forwarding
|
||||
);
|
||||
our @EXPORT_OK = qw( );
|
||||
our @VERSION = 1.00;
|
||||
|
||||
|
||||
our %macros;
|
||||
|
||||
#
|
||||
# ARP Filtering
|
||||
#
|
||||
sub setup_arp_filtering() {
|
||||
save_progress_message "Setting up ARP filtering...";
|
||||
|
||||
emit "for f in /proc/sys/net/ipv4/conf/*; do
|
||||
[ -f \$f/arp_filter ] && echo 0 > \$f/arp_filter
|
||||
[ -f \$f/arp_ignore ] && echo 0 > \$f/arp_ignore
|
||||
done";
|
||||
|
||||
emit '';
|
||||
|
||||
my $interfaces = find_interfaces_by_option 'arp_filter';
|
||||
my $interfaces1 = find_interfaces_by_option 'arp_ignore';
|
||||
|
||||
if ( @$interfaces || @$interfaces1 ) {
|
||||
progress_message2 "$doing ARP Filtering...";
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
|
||||
emit "
|
||||
if [ -f $file ]; then
|
||||
echo 1 > $file
|
||||
else
|
||||
error_message \"WARNING: Cannot set ARP filtering on $interface\"
|
||||
fi";
|
||||
}
|
||||
|
||||
for my $interface ( @$interfaces1 ) {
|
||||
my $file = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
|
||||
my $value = get_interface_option $interface, 'arp_ignore';
|
||||
|
||||
fatal_error "Internal Error in setup_arp_filtering()" unless defined $value;
|
||||
|
||||
emit "if [ -f $file ]; then
|
||||
echo $value > $file
|
||||
else
|
||||
error_message \"WARNING: Cannot set ARP filtering on $interface\"
|
||||
fi";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Route Filtering
|
||||
#
|
||||
sub setup_route_filtering() {
|
||||
|
||||
my $interfaces = find_interfaces_by_option 'routefilter';
|
||||
|
||||
if ( @$interfaces || $config{ROUTE_FILTER} ) {
|
||||
|
||||
progress_message2 "$doing Kernel Route Filtering...";
|
||||
|
||||
save_progress_message "Setting up Route Filtering...";
|
||||
|
||||
emit "for f in /proc/sys/net/ipv4/conf/*; do
|
||||
[ -f \$f/log_martians ] && echo 0 > \$f/rp_filter
|
||||
done";
|
||||
|
||||
emit '';
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
|
||||
|
||||
emit "if [ -f $file ]; then
|
||||
echo 1 > $file
|
||||
else
|
||||
error_message \"WARNING: Cannot set route filtering on $interface\"
|
||||
fi";
|
||||
}
|
||||
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
|
||||
|
||||
if ( $config{ROUTE_FILTER} ) {
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
|
||||
}
|
||||
|
||||
emit "[ -n \"\$NOROUTES\" ] || ip route flush cache";
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Martian Logging
|
||||
#
|
||||
|
||||
sub setup_martian_logging() {
|
||||
my $interfaces = find_interfaces_by_option 'logmartians';
|
||||
|
||||
if ( @$interfaces || $config{LOG_MARTIANS} ) {
|
||||
|
||||
progress_message2 "$doing Martian Logging...";
|
||||
|
||||
save_progress_message "Setting up Martian Logging...";
|
||||
|
||||
emit "for f in /proc/sys/net/ipv4/conf/*; do
|
||||
[ -f \$f/log_martians ] && echo 0 > \$f/log_martians
|
||||
done";
|
||||
|
||||
emit '';
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
|
||||
|
||||
emit "if [ -f $file ]; then
|
||||
echo 1 > $file
|
||||
else
|
||||
error_message \"WARNING: Cannot set Martian logging on $interface\"
|
||||
fi";
|
||||
}
|
||||
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
|
||||
|
||||
if ( $config{LOG_MARTIANS} ) {
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/default/log_martians';
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Source Routing
|
||||
#
|
||||
sub setup_source_routing() {
|
||||
|
||||
save_progress_message 'Setting up Accept Source Routing...';
|
||||
|
||||
emit "for f in /proc/sys/net/ipv4/conf/*; do
|
||||
[ -f \$f/accept_source_route ] && echo 0 > \$f/accept_source_route
|
||||
done";
|
||||
|
||||
emit '';
|
||||
|
||||
my $interfaces = find_interfaces_by_option 'sourceroute';
|
||||
|
||||
if ( @$interfaces ) {
|
||||
progress_message2 "$doing Accept Source Routing...";
|
||||
|
||||
save_progress_message 'Setting up Source Routing...';
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
my $file = "/proc/sys/net/ipv4/conf/$interface/accept_source_route";
|
||||
|
||||
emit "if [ -f $file ]; then
|
||||
echo 1 > $file
|
||||
else
|
||||
error_message \"WARNING: Cannot set Accept Source Routing on $interface\"
|
||||
fi";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_forwarding() {
|
||||
if ( "\L$config{IP_FORWARDING}" eq 'on' ) {
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/ip_forward';
|
||||
emit 'progress_message2 IP Forwarding Enabled';
|
||||
} elsif ( "\L$config{IP_FORWARDING}" eq 'off' ) {
|
||||
emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
|
||||
emit 'progress_message2 IP Forwarding Disabled!';
|
||||
}
|
||||
|
||||
emit '';
|
||||
}
|
||||
|
||||
1;
|
@ -32,6 +32,7 @@ use Shorewall::Hosts;
|
||||
use Shorewall::Actions;
|
||||
use Shorewall::Macros;
|
||||
use Shorewall::Policy;
|
||||
use Shorewall::Proc;
|
||||
|
||||
use strict;
|
||||
|
||||
@ -351,18 +352,6 @@ sub process_routestopped() {
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_forwarding() {
|
||||
if ( "\L$config{IP_FORWARDING}" eq 'on' ) {
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/ip_forward';
|
||||
emit 'progress_message2 IP Forwarding Enabled';
|
||||
} elsif ( "\L$config{IP_FORWARDING}" eq 'off' ) {
|
||||
emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
|
||||
emit 'progress_message2 IP Forwarding Disabled!';
|
||||
}
|
||||
|
||||
emit '';
|
||||
}
|
||||
|
||||
sub add_common_rules() {
|
||||
my $interface;
|
||||
my $chainref;
|
||||
@ -526,7 +515,6 @@ sub add_common_rules() {
|
||||
|
||||
setup_syn_flood_chains;
|
||||
|
||||
setup_forwarding;
|
||||
}
|
||||
|
||||
my %maclist_targets = ( ACCEPT => { target => 'RETURN' , mangle => 1 } ,
|
||||
|
@ -57,6 +57,7 @@ use Shorewall::Macros;
|
||||
use Shorewall::Actions;
|
||||
use Shorewall::Accounting;
|
||||
use Shorewall::Rules;
|
||||
use Shorewall::Proc;
|
||||
|
||||
sub generate_script_1 {
|
||||
copy find_file 'prog.header';
|
||||
@ -150,12 +151,15 @@ sub generate_script_1 {
|
||||
pop_indent;
|
||||
|
||||
emit "}\n";
|
||||
|
||||
|
||||
}
|
||||
|
||||
sub compile_stop_firewall() {
|
||||
|
||||
#
|
||||
# Emacs doesn't handle 'here documents' in Perl Mode nearly as well as it does in Shell mode
|
||||
# (it basically doesn't understand it at all and gets lost). So we use the following rather
|
||||
# unfortunate style in place of 'here docs'.
|
||||
#
|
||||
emit "
|
||||
#
|
||||
# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
|
||||
@ -296,23 +300,21 @@ stop_firewall() {
|
||||
|
||||
rm -f \${VARDIR}/proxyarp\n";
|
||||
|
||||
push_indent;
|
||||
|
||||
emit 'delete_tc1' if $config{CLEAR_TC};
|
||||
emit 'undo_routing';
|
||||
emit 'restore_default_route';
|
||||
emit ' delete_tc1' if $config{CLEAR_TC};
|
||||
emit ' undo_routing';
|
||||
emit ' restore_default_route';
|
||||
|
||||
my $criticalhosts = process_criticalhosts;
|
||||
|
||||
if ( @$criticalhosts ) {
|
||||
if ( $config{ADMINISABSENTMINDED} ) {
|
||||
emit 'for chain in INPUT OUTPUT; do';
|
||||
emit ' setpolicy \$chain ACCEPT';
|
||||
emit "done\n";
|
||||
emit ' for chain in INPUT OUTPUT; do';
|
||||
emit ' setpolicy \$chain ACCEPT';
|
||||
emit " done\n";
|
||||
|
||||
emit "setpolicy FORWARD DROP\n";
|
||||
emit " setpolicy FORWARD DROP\n";
|
||||
|
||||
emit 'deleteallchains';
|
||||
emit ' deleteallchains';
|
||||
emit '';
|
||||
|
||||
for my $hosts ( @$criticalhosts ) {
|
||||
@ -320,18 +322,16 @@ stop_firewall() {
|
||||
my $source = match_source_net $host;
|
||||
my $dest = match_dest_net $host;
|
||||
|
||||
emit "\$IPTABLES -A INPUT -i $interface $source -j ACCEPT";
|
||||
emit "\$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT";
|
||||
emit " \$IPTABLES -A INPUT -i $interface $source -j ACCEPT";
|
||||
emit " \$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT";
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
emit "
|
||||
for chain in INPUT OUTPUT; do
|
||||
setpolicy \$chain DROP
|
||||
done";
|
||||
emit '';
|
||||
} else {
|
||||
pop_indent;
|
||||
emit "
|
||||
for chain in INPUT OUTPUT; do
|
||||
setpolicy \$chain ACCEPT
|
||||
@ -348,8 +348,8 @@ stop_firewall() {
|
||||
my $source = match_source_net $host;
|
||||
my $dest = match_dest_net $host;
|
||||
|
||||
emit "\$IPTABLES -A INPUT -i $interface $source -j ACCEPT";
|
||||
emit "\$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT";
|
||||
emit " \$IPTABLES -A INPUT -i $interface $source -j ACCEPT";
|
||||
emit " \$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT";
|
||||
}
|
||||
|
||||
emit "
|
||||
@ -362,7 +362,6 @@ stop_firewall() {
|
||||
emit '';
|
||||
}
|
||||
} elsif ( ! $config{ADMINISABSENTMINDED} ) {
|
||||
pop_indent;
|
||||
emit "
|
||||
for chain in INPUT OUTPUT FORWARD; do
|
||||
setpolicy \$chain DROP
|
||||
@ -370,7 +369,6 @@ stop_firewall() {
|
||||
|
||||
deleteallchains";
|
||||
} else {
|
||||
pop_indent;
|
||||
emit "
|
||||
for chain in INPUT FORWARD; do
|
||||
setpolicy \$chain DROP
|
||||
@ -438,6 +436,7 @@ stop_firewall() {
|
||||
;;
|
||||
esac
|
||||
}\n";
|
||||
|
||||
}
|
||||
|
||||
sub generate_script_2 () {
|
||||
@ -594,6 +593,14 @@ sub compile_firewall( $ ) {
|
||||
progress_message2 "Setting up Common Rules...";
|
||||
add_common_rules;
|
||||
#
|
||||
# /proc stuff
|
||||
#
|
||||
setup_arp_filtering;
|
||||
setup_route_filtering;
|
||||
setup_martian_logging;
|
||||
setup_source_routing;
|
||||
setup_forwarding;
|
||||
#
|
||||
# [Re-]establish Routing
|
||||
#
|
||||
if ( -s "$ENV{TMP_DIR}/providers" ) {
|
||||
|
Loading…
Reference in New Issue
Block a user