diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 98dc73202..81fbab2c6 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -283,6 +283,9 @@ sub print_policy($$$$) { } sub use_policy_action( $ ); +sub normalize_action( $$$ ); +sub normalize_action_name( $ ); + # # Process an entry in the policy file. # @@ -324,15 +327,18 @@ sub process_a_policy() { } if ( $default ) { + my ( $def, $param ) = get_target_param( $default ); + if ( "\L$default" eq 'none' ) { $default = 'none'; - } elsif ( $actions{$default} ) { + } elsif ( $actions{$def} ) { + $default = defined $param && $param ne '' ? normalize_action( $def, 'none', $param ) : normalize_action_name $default; use_policy_action( $default ); } else { fatal_error "Unknown Default Action ($default)"; } } else { - $default = $default_actions{$policy} || ''; + $default = $default_actions{$policy} || 'none'; } if ( defined $queue ) { @@ -390,7 +396,9 @@ sub process_a_policy() { $chainref->{synchain} = $chain } - $chainref->{default} = $default if $default; + assert( $default ); + my $chainref1 = $usedactions{$default}; + $chainref->{default} = $chainref1 ? $chainref1->{name} : $default; if ( $clientwild ) { if ( $serverwild ) { 
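Review bot: In the no-parameter branch of the new ternary, `normalize_action_name $default` is applied to the raw POLICY text while the `%actions` lookup just above it uses the stripped `$def`, so the name that was validated and the name handed to use_policy_action can differ. If get_target_param returns an empty `$param` for a target written with empty parentheses (inferred — the helper is outside the hunk), the parentheses would survive into the registered name. Using the same token in both places, `: normalize_action_name $def;`, keeps them identical. The literal `'none'` passed as the second argument of normalize_action is presumably a log level and deserves a one-word comment, e.g. `# log level: none`. process_a_policy starts and ends outside this hunk.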
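Review bot: `$chainref->{default}` is now assigned unconditionally and carries the literal string 'none' when there is no default action (the earlier hunk's else branch now yields 'none' instead of ''), whereas before it was simply left unset in that case. Any consumer that tests `if ( $chainref->{default} )` will therefore see a true value and could try to jump to a chain called 'none'; those consumers are not in this diff, so they need to be checked and either compare against 'none' or the assignment here should be guarded, `$chainref->{default} = $chainref1 ? $chainref1->{name} : $default unless $default eq 'none';`, whichever matches the intent behind the new assert. A more descriptive name than `$chainref1` — say `$actionref` — would also make the fallback to `$default` read more clearly.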
@@ -462,16 +470,21 @@ sub process_policies() for my $option qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) { my $action = $config{$option}; - next if $action eq 'none'; - my $actiontype = $targets{$action}; - - if ( defined $actiontype ) { - fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION; - } else { - fatal_error "Default Action $option=$action not found"; - } + + unless ( $action eq 'none' ) { + my ( $act, $param ) = get_target_param( $action ); - use_policy_action( $action ); + if ( "\L$action" eq 'none' ) { + $action = 'none'; + } elsif ( $actions{$act} ) { + $action = defined $param && $param ne '' ? normalize_action( $act, 'none', $param ) : normalize_action_name $action; + use_policy_action( $action ); + } elsif ( $targets{$act} ) { + fatal_error "Invalid setting ($action) for $option"; + } else { + fatal_error "Default Action $option=$action not found"; + } + } $default_actions{$map{$option}} = $action; } @@ -1515,7 +1528,7 @@ sub process_action( $) { # Create a policy action if it doesn't already exist # sub use_policy_action( $ ) { - my $ref = use_action( normalize_action_name $_[0] ); + my $ref = use_action( $_[0] ); process_action( $ref ) if $ref; } diff --git a/Shorewall/action.Drop b/Shorewall/action.Drop index ea83d7b22..2848228b5 100644 --- a/Shorewall/action.Drop +++ b/Shorewall/action.Drop 
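Review bot: The outer `unless ( $action eq 'none' )` is case-sensitive while the inner `"\L$action" eq 'none'` is not, so a setting such as `DROP_DEFAULT=None` goes through get_target_param only to be reset to 'none'; normalizing once up front, `my $action = $config{$option}; $action = 'none' if "\L$action" eq 'none';`, lets the inner branch go. More importantly, this parse/validate/normalize/use sequence is a near-verbatim copy of the one added to process_a_policy in the same commit, and validation code that exists twice tends to drift; a small helper returning the normalized name (and calling fatal_error with the caller-supplied context) would keep both paths identical. The enclosing loop and process_policies itself begin before this hunk.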
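Review bot: use_policy_action no longer normalizes its argument, which changes its contract: every caller must now pass a name already produced by normalize_action or normalize_action_name. The two call sites updated in this commit do, but any other caller elsewhere in the tree (not visible here) would now register an un-normalized name and could create a second chain for the same action. The header comment should record the new precondition, e.g. `# The argument must already be normalized (normalize_action_name() or normalize_action()).`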
@@ -15,11 +15,23 @@ # c) Ensure that certain ICMP packets that are necessary for successful # internet operation are always ACCEPTed. # +# The action accepts three optional parameters: +# +# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin +# actions. +# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT, +# depending on the setting of the first parameter. +# 3 - Action to take with SMB requests. Default is DROP or A_DROP, +# depending on the setting of the first parameter. +# # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # ############################################################################### FORMAT 2 - +# +# The following magic provides different defaults for $2 and $3, when $1 is +# 'audit'. +# BEGIN PERL use Shorewall::Config; @@ -28,15 +40,15 @@ my $p1 = read_action_param(1); if ( defined $p1 && $p1 eq 'audit' ) { my ( $p2, $p3 ) = ( read_action_param(2) , read_action_param(3) ); - set_action_param( 2, 'A_DROP') unless defined $p2; - set_action_param( 3, 'A_REJECT') unless defined $p3; + set_action_param( 2, 'A_REJECT') unless defined $p2; + set_action_param( 3, 'A_DROP') unless defined $p3; }; 1; END PERL -DEFAULTS -,DROP,REJECT +DEFAULTS -,REJECT,DROP #TARGET SOURCE DEST PROTO DPORT SPORT # @@ -46,7 +58,7 @@ COUNT # # Reject 'auth' # -Auth($3) +Auth($2) # # Don't log broadcasts # @@ -63,7 +75,7 @@ dropInvalid($1) # # Drop Microsoft noise so that it doesn't clutter up the log. # -SMB($2) +SMB($3) DropUPnP($1) # # Drop 'newnotsyn' traffic so that it doesn't get logged. diff --git a/Shorewall/action.Reject b/Shorewall/action.Reject index 179787ea2..3d11be9c3 100644 --- a/Shorewall/action.Reject +++ b/Shorewall/action.Reject 
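Review bot: The audit switch is only ever compared with `eq 'audit'`, so any other first parameter — a typo such as `Drop(Audit)` — silently selects the non-audit defaults and is then forwarded unchanged to `dropInvalid($1)` and `DropUPnP($1)` further down the file, meaning a configuration intended to turn auditing on is accepted without complaint. Since the new header comment documents the parameter as 'audit' or '-', rejecting anything else at the top of the Perl block makes the action fail closed: `fatal_error "Invalid first parameter ($p1); expected 'audit' or '-'" if defined $p1 && $p1 ne '-' && $p1 ne 'audit';`. fatal_error presumably comes from the `use Shorewall::Config` already in scope here, and whether read_action_param returns '-' or undef for an omitted parameter is not visible in the hunk, hence the `defined` guard.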
@@ -12,10 +12,22 @@ # b) Ensure that certain ICMP packets that are necessary for successful # internet operation are always ACCEPTed. # +# The action accepts three optional parameters: +# +# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin +# actions. +# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT, +# depending on the setting of the first parameter. +# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT, +# depending on the setting of the first parameter. +# # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! ############################################################################### FORMAT 2 - +# +# The following magic provides different defaults for $2 and $3, when $1 is +# 'audit'. +# BEGIN PERL use Shorewall::Config; @@ -24,8 +36,8 @@ my $p1 = read_action_param(1); if ( defined $p1 && $p1 eq 'audit' ) { my ( $p2, $p3 ) = ( read_action_param(2) , read_action_param(3) ); - set_action_param( 2, 'A_DROP') unless defined $p2; - set_action_param( 3, 'A_REJECT') unless defined $p3; + set_action_param( 2, 'A_REJECT') unless defined $p2; + set_action_param( 3, 'A_REJECT') unless defined $p3; }; 1; @@ -42,7 +54,7 @@ COUNT # # Don't log 'auth' -- REJECT # -Auth($3) +Auth($2) # # Drop Broadcasts so they don't clutter up the log # (broadcasts must *not* be rejected). @@ -61,7 +73,7 @@ dropInvalid($1) # # Reject Microsoft noise so that it doesn't clutter up the log. # -SMB($2) +SMB($3) DropUPnP($1) # # Drop 'newnotsyn' traffic so that it doesn't get logged. diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 0ea690120..736cc89a9 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -6,6 +6,8 @@ Changes in Shorewall 4.4.21 Beta 1 3) Default values for action parameters. +4) Parameterize Drop and Reject actions. + Changes in Shorewall 4.4.20.1 1) Corrected FSF address. 
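Review bot: This BEGIN PERL block has the same shape as the one in action.Drop, differing only in the two default literals, and like it accepts any non-'audit' value for `$1` without complaint, so `Reject(AUDIT)` quietly disables auditing and passes the unexpected token on to `dropInvalid($1)` and `DropUPnP($1)` below. Validating once at the top, `fatal_error "Invalid first parameter ($p1); expected 'audit' or '-'" if defined $p1 && $p1 ne '-' && $p1 ne 'audit';`, gives the same fail-closed behaviour. If this defaulting logic grows any further, a shared helper (for example in Shorewall::Config, taking the two audit defaults as arguments) would keep the two action files from drifting apart.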
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index c4eb3ddcc..14afba313 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -41,6 +41,41 @@ None. is the default value for the second parameter and so on. To specify an empty default, use '-'. +4) The standard Drop and Reject actions are now parameterized. Each + has three parameters: + + 1) Pass 'audit' if you want all ACCEPTs, DROPs and REJECTs audited. + Pass '-' otherwise. + + 2) The action to be applied to Auth requests + + FIRST PARAMETER DEFAULT + + - REJECT + audit A_REJECT + + 3) The action to be applied to SMB traffic. The default depends on + the first parameter: + + ACTION FIRST PARAMETER DEFAULT + + Reject - REJECT + Drop - DROP + Reject audit A_REJECT + Drop audit A_DROP + + The parameters can be passed in the POLICY column of the policy + file. + + Examples: + + SOURCE DEST POLICY + net all DROP:Drop(audit):audit #Same as + #DROP:A_DROP:audit + + SOURCE DEST POLICY + net all DROP:Drop(-,DROP) #DROP rather than REJECT Auth + ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S ----------------------------------------------------------------------------