diff --git a/New/Shorewall/Interfaces.pm b/New/Shorewall/Interfaces.pm index 76d5a07a1..735a49900 100644 --- a/New/Shorewall/Interfaces.pm +++ b/New/Shorewall/Interfaces.pm @@ -35,6 +35,7 @@ our @EXPORT = qw( add_group_to_zone dump_interface_info known_interface find_interfaces_by_option + get_interface_option @interfaces ); our @EXPORT_OK = (); @@ -288,4 +289,13 @@ sub find_interfaces_by_option( $ ) { \@ints; } +# +# Return the value of an option for an interface +# +sub get_interface_option( $$ ) { + my ( $interface, $option ) = @_; + + $interfaces{$interface}{options}{$option}; +} + 1; diff --git a/New/Shorewall/Proc.pm b/New/Shorewall/Proc.pm new file mode 100644 index 000000000..045277778 --- /dev/null +++ b/New/Shorewall/Proc.pm @@ -0,0 +1,215 @@ +# +# Shorewall 3.9 -- /usr/share/shorewall/Shorewall/Proc.pm +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 2007 - Tom Eastep (teastep@shorewall.net) +# +# Complete documentation is available at http://shorewall.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +# +# +package Shorewall::Proc; +require Exporter; +use Shorewall::Common; +use Shorewall::Config; +use Shorewall::Zones; +use Shorewall::Chains; +use Shorewall::Interfaces; + +use strict; + +our @ISA = qw(Exporter); +our @EXPORT = qw( + setup_arp_filtering + setup_route_filtering + setup_martian_logging + setup_source_routing + setup_forwarding + ); +our @EXPORT_OK = qw( ); +our @VERSION = 1.00; + + +our %macros; + +# +# ARP Filtering +# +sub setup_arp_filtering() { + save_progress_message "Setting up ARP filtering..."; + + emit "for f in /proc/sys/net/ipv4/conf/*; do + [ -f \$f/arp_filter ] && echo 0 > \$f/arp_filter + [ -f \$f/arp_ignore ] && echo 0 > \$f/arp_ignore +done"; + + emit ''; + + my $interfaces = find_interfaces_by_option 'arp_filter'; + my $interfaces1 = find_interfaces_by_option 'arp_ignore'; + + if ( @$interfaces || @$interfaces1 ) { + progress_message2 "$doing ARP Filtering..."; + + for my $interface ( @$interfaces ) { + my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter"; + emit " +if [ -f $file ]; then + echo 1 > $file +else + error_message \"WARNING: Cannot set ARP filtering on $interface\" +fi"; + } + + for my $interface ( @$interfaces1 ) { + my $file = "/proc/sys/net/ipv4/conf/$interface/arp_ignore"; + my $value = get_interface_option $interface, 'arp_ignore'; + + fatal_error "Internal Error in setup_arp_filtering()" unless defined $value; + + emit "if [ -f $file ]; then + echo $value > $file +else + error_message \"WARNING: Cannot set ARP filtering on $interface\" +fi"; + } + } +} + +# +# Route Filtering +# +sub setup_route_filtering() { + + my $interfaces = find_interfaces_by_option 'routefilter'; + + if ( @$interfaces || $config{ROUTE_FILTER} ) { + + progress_message2 "$doing Kernel Route Filtering..."; + + save_progress_message "Setting up Route Filtering..."; + + emit "for f in /proc/sys/net/ipv4/conf/*; do + [ -f \$f/log_martians ] && echo 0 > \$f/rp_filter +done"; + + emit ''; + + for my $interface ( @$interfaces ) { + my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter"; + + emit "if [ -f $file ]; then + echo 1 > $file +else + error_message \"WARNING: Cannot set route filtering on $interface\" +fi"; + } + + emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter'; + + if ( $config{ROUTE_FILTER} ) { + emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter'; + emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter'; + } + + emit "[ -n \"\$NOROUTES\" ] || ip route flush cache"; + } +} + +# +# Martian Logging +# + +sub setup_martian_logging() { + my $interfaces = find_interfaces_by_option 'logmartians'; + + if ( @$interfaces || $config{LOG_MARTIANS} ) { + + progress_message2 "$doing Martian Logging..."; + + save_progress_message "Setting up Martian Logging..."; + + emit "for f in /proc/sys/net/ipv4/conf/*; do + [ -f \$f/log_martians ] && echo 0 > \$f/log_martians +done"; + + emit ''; + + for my $interface ( @$interfaces ) { + my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians"; + + emit "if [ -f $file ]; then + echo 1 > $file +else + error_message \"WARNING: Cannot set Martian logging on $interface\" +fi"; + } + + emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians'; + + if ( $config{LOG_MARTIANS} ) { + emit 'echo 1 > /proc/sys/net/ipv4/conf/default/log_martians'; + emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians'; + } + + } +} + +# +# Source Routing +# +sub setup_source_routing() { + + save_progress_message 'Setting up Accept Source Routing...'; + + emit "for f in /proc/sys/net/ipv4/conf/*; do + [ -f \$f/accept_source_route ] && echo 0 > \$f/accept_source_route +done"; + + emit ''; + + my $interfaces = find_interfaces_by_option 'sourceroute'; + + if ( @$interfaces ) { + progress_message2 "$doing Accept Source Routing..."; + + save_progress_message 'Setting up Source Routing...'; + + for my $interface ( @$interfaces ) { + my $file = "/proc/sys/net/ipv4/conf/$interface/accept_source_route"; + + emit "if [ -f $file ]; then + echo 1 > $file +else + error_message \"WARNING: Cannot set Accept Source Routing on $interface\" +fi"; + } + } +} + +sub setup_forwarding() { + if ( "\L$config{IP_FORWARDING}" eq 'on' ) { + emit 'echo 1 > /proc/sys/net/ipv4/ip_forward'; + emit 'progress_message2 IP Forwarding Enabled'; + } elsif ( "\L$config{IP_FORWARDING}" eq 'off' ) { + emit 'echo 0 > /proc/sys/net/ipv4/ip_forward'; + emit 'progress_message2 IP Forwarding Disabled!'; + } + + emit ''; +} + +1; diff --git a/New/Shorewall/Rules.pm b/New/Shorewall/Rules.pm index b20861205..8544ca110 100644 --- a/New/Shorewall/Rules.pm +++ b/New/Shorewall/Rules.pm @@ -32,6 +32,7 @@ use Shorewall::Hosts; use Shorewall::Actions; use Shorewall::Macros; use Shorewall::Policy; +use Shorewall::Proc; use strict; @@ -351,18 +352,6 @@ sub process_routestopped() { } } -sub setup_forwarding() { - if ( "\L$config{IP_FORWARDING}" eq 'on' ) { - emit 'echo 1 > /proc/sys/net/ipv4/ip_forward'; - emit 'progress_message2 IP Forwarding Enabled'; - } elsif ( "\L$config{IP_FORWARDING}" eq 'off' ) { - emit 'echo 0 > /proc/sys/net/ipv4/ip_forward'; - emit 'progress_message2 IP Forwarding Disabled!'; - } - - emit ''; -} - sub add_common_rules() { my $interface; my $chainref; @@ -526,7 +515,6 @@ sub add_common_rules() { setup_syn_flood_chains; - setup_forwarding; } my %maclist_targets = ( ACCEPT => { target => 'RETURN' , mangle => 1 } , diff --git a/New/compiler.pl b/New/compiler.pl index 02453769d..654d784e0 100755 --- a/New/compiler.pl +++ b/New/compiler.pl @@ -57,6 +57,7 @@ use Shorewall::Macros; use Shorewall::Actions; use Shorewall::Accounting; use Shorewall::Rules; +use Shorewall::Proc; sub generate_script_1 { copy find_file 'prog.header'; @@ -150,12 +151,15 @@ sub generate_script_1 { pop_indent; emit "}\n"; - } sub compile_stop_firewall() { - +# +# Emacs doesn't handle 'here documents' in Perl Mode nearly as well as it does in Shell mode +# (it basically doesn't understand it at all and gets lost). So we use the following rather +# unfortunate style in place of 'here docs'. +# emit " # # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command @@ -296,23 +300,21 @@ stop_firewall() { rm -f \${VARDIR}/proxyarp\n"; - push_indent; - - emit 'delete_tc1' if $config{CLEAR_TC}; - emit 'undo_routing'; - emit 'restore_default_route'; + emit ' delete_tc1' if $config{CLEAR_TC}; + emit ' undo_routing'; + emit ' restore_default_route'; my $criticalhosts = process_criticalhosts; if ( @$criticalhosts ) { if ( $config{ADMINISABSENTMINDED} ) { - emit 'for chain in INPUT OUTPUT; do'; - emit ' setpolicy \$chain ACCEPT'; - emit "done\n"; + emit ' for chain in INPUT OUTPUT; do'; + emit ' setpolicy \$chain ACCEPT'; + emit " done\n"; - emit "setpolicy FORWARD DROP\n"; + emit " setpolicy FORWARD DROP\n"; - emit 'deleteallchains'; + emit ' deleteallchains'; emit ''; for my $hosts ( @$criticalhosts ) { @@ -320,18 +322,16 @@ stop_firewall() { my $source = match_source_net $host; my $dest = match_dest_net $host; - emit "\$IPTABLES -A INPUT -i $interface $source -j ACCEPT"; - emit "\$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT"; + emit " \$IPTABLES -A INPUT -i $interface $source -j ACCEPT"; + emit " \$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT"; } - pop_indent; emit " for chain in INPUT OUTPUT; do setpolicy \$chain DROP done"; emit ''; } else { - pop_indent; emit " for chain in INPUT OUTPUT; do setpolicy \$chain ACCEPT @@ -348,8 +348,8 @@ stop_firewall() { my $source = match_source_net $host; my $dest = match_dest_net $host; - emit "\$IPTABLES -A INPUT -i $interface $source -j ACCEPT"; - emit "\$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT"; + emit " \$IPTABLES -A INPUT -i $interface $source -j ACCEPT"; + emit " \$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT"; } emit " @@ -362,7 +362,6 @@ stop_firewall() { emit ''; } } elsif ( ! $config{ADMINISABSENTMINDED} ) { - pop_indent; emit " for chain in INPUT OUTPUT FORWARD; do setpolicy \$chain DROP @@ -370,7 +369,6 @@ stop_firewall() { deleteallchains"; } else { - pop_indent; emit " for chain in INPUT FORWARD; do setpolicy \$chain DROP @@ -438,6 +436,7 @@ stop_firewall() { ;; esac }\n"; + } sub generate_script_2 () { @@ -594,6 +593,14 @@ sub compile_firewall( $ ) { progress_message2 "Setting up Common Rules..."; add_common_rules; # + # /proc stuff + # + setup_arp_filtering; + setup_route_filtering; + setup_martian_logging; + setup_source_routing; + setup_forwarding; + # # [Re-]establish Routing # if ( -s "$ENV{TMP_DIR}/providers" ) {