holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Implement ADD/DEL commands

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-07-18 08:46:38 -07:00
parent d2bb96be88
commit cbb524b067
6 changed files with 70 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -65,6 +65,7 @@ our %EXPORT_TAGS = (
LOGRULE LOGRULE
NFQ NFQ
CHAIN CHAIN
SET
NO_RESTRICT NO_RESTRICT
PREROUTE_RESTRICT PREROUTE_RESTRICT
INPUT_RESTRICT INPUT_RESTRICT
@ -246,6 +247,7 @@ use constant { STANDARD => 1, #defined by Netfilter
LOGRULE => 256, #'LOG','NFLOG' LOGRULE => 256, #'LOG','NFLOG'
NFQ => 512, #'NFQUEUE' NFQ => 512, #'NFQUEUE'
CHAIN => 1024, #Manual Chain CHAIN => 1024, #Manual Chain
SET => 2048. #SET
}; };
our %targets; our %targets;
@ -1289,6 +1291,8 @@ sub initialize_chain_table()
'QUEUE!' => STANDARD, 'QUEUE!' => STANDARD,
'NFQUEUE' => STANDARD + NFQ, 'NFQUEUE' => STANDARD + NFQ,
'NFQUEUE!' => STANDARD + NFQ, 'NFQUEUE!' => STANDARD + NFQ,
'ADD' => STANDARD + SET,
'DEL' => STANDARD + SET,
); );
for my $chain qw(OUTPUT PREROUTING) { for my $chain qw(OUTPUT PREROUTING) {
@ -1330,6 +1334,8 @@ sub initialize_chain_table()
'QUEUE!' => STANDARD, 'QUEUE!' => STANDARD,
'NFQUEUE' => STANDARD + NFQ, 'NFQUEUE' => STANDARD + NFQ,
'NFQUEUE!' => STANDARD + NFQ, 'NFQUEUE!' => STANDARD + NFQ,
'ADD' => STANDARD + SET,
'DEL' => STANDARD + SET,
); );
for my $chain qw(OUTPUT PREROUTING) { for my $chain qw(OUTPUT PREROUTING) {

12
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -1043,6 +1043,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
my $paramval = $param eq '' ? 0 : numeric_value( $param ); my $paramval = $param eq '' ? 0 : numeric_value( $param );
fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535; fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535;
$action = "NFQUEUE --queue-num $paramval"; $action = "NFQUEUE --queue-num $paramval";
} elsif ( $actiontype & SET ) {
require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
fatal_error "$action rules require a set name parameter" unless $param;
} else { } else {
fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq ''; fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
} }
@ -1079,6 +1082,15 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$action = ''; $action = '';
} elsif ( $actiontype & LOGRULE ) { } elsif ( $actiontype & LOGRULE ) {
fatal_error 'LOG requires a log level' unless defined $loglevel and $loglevel ne ''; fatal_error 'LOG requires a log level' unless defined $loglevel and $loglevel ne '';
} elsif ( $actiontype & SET ) {
my %xlate1 = ( ADD => 'add-set' , DEL => 'del-set' );
my %xlate2 = ( d => 'dst' , s => 'src' );
my ( $setname, $direction, $rest ) = split ',', $param;
fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/;
fatal_error "Invalid address designator ($direction)" unless defined $direction && $direction =~ /^[ds]$/;
$action = join( ' ', 'SET --' . $xlate1{$basictarget} , $setname , $xlate2{$direction} );
} }
# #
# Isolate and validate source and destination zones # Isolate and validate source and destination zones

2
Shorewall/changelog.txt
View File

@ -4,6 +4,8 @@ Changes in Shorewall 4.4.12
2) Eradicate incorrect IPv6 Multicast Network 2) Eradicate incorrect IPv6 Multicast Network
3) Add ADD/DEL support.
Changes in Shorewall 4.4.11 Changes in Shorewall 4.4.11
1) Apply patch from Gabriel. 1) Apply patch from Gabriel.

5
Shorewall/releasenotes.txt
View File

@ -238,7 +238,10 @@ None.
V. N E W F E A T U R E S I N T H I S R E L E A S E V. N E W F E A T U R E S I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
None. 1) Support has been added for ADD and DEL rules in
/etc/shorewall/rules. ADD allows either the SOURCE or DESTINATION
IP address to be added to an ipset; DEL deletes an address
previously added.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S

61
docs/ipsets.xml
View File

@ -22,6 +22,8 @@
<year>2008</year> <year>2008</year>
<year>2010</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -36,6 +38,13 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation appropriate for your
version.</emphasis></para>
</caution>
<section id="Ipsets"> <section id="Ipsets">
<title>What are Ipsets?</title> <title>What are Ipsets?</title>
@ -62,6 +71,13 @@
contents of an ipset</ulink>. Again, you can then add or delete contents of an ipset</ulink>. Again, you can then add or delete
addresses to the ipset without restarting Shorewall.</para> addresses to the ipset without restarting Shorewall.</para>
</listitem> </listitem>
<listitem>
<para>Triggers. Using an iptree ipset with a timeout together with the
ADD and DEL commands in <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) allows
you to implement triggers.</para>
</listitem>
</orderedlist> </orderedlist>
<para>See the ipsets site (URL above) for additional information about <para>See the ipsets site (URL above) for additional information about
@ -104,49 +120,26 @@
<para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net:+sshok $FW tcp 22</programlisting></para> ACCEPT net:+sshok $FW tcp 22</programlisting></para>
<para>Shorewall is not in the ipset load/reload business because the <para>Shorewall can save/restore your ipset contents with certain
Netfilter rule set is never cleared. That means that there is no restrictions:</para>
opportunity for Shorewall to load/reload your ipsets since that cannot be
done while there are any current rules using ipsets.</para>
<para>So:</para> <orderedlist>
<orderedlist numeration="upperroman">
<listitem> <listitem>
<para>Your ipsets must be loaded before Shorewall starts. You are free <para>You must set SAVE_IPSETS=Yes in <ulink
to try to do that with the following code in url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
<filename>/etc/shorewall/init (it works for me; your mileage may
vary)</filename>:</para>
<programlisting>if [ "$COMMAND" = start ]; then
ipset -F
ipset -X
ipset -R &lt; /etc/shorewall/ipsets
fi</programlisting>
<para>The file <filename>/etc/shorewall/ipsets</filename> will
normally be produced using the <command>ipset -S</command>
command.</para>
<para>The above will work most of the time but will fail in a
<command>shorewall stop</command> - <command>shorewall start</command>
sequence if you use ipsets in your routestopped file (see
below).</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Your ipsets may not be reloaded until Shorewall is stopped or <para>You cannot use an ipset in <ulink
cleared.</para> url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
(5).</para>
</listitem> </listitem>
<listitem> <listitem>
<para>If you specify ipsets in your routestopped file then Shorewall <para>The <command>restore</command> command cannot restore ipset
must be cleared in order to reload your ipsets.</para> contents saved by the <command>save</command> command unless the
firewall is first stopped.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>As a consequence, scripts generated by the Perl-based compiler will
ignore <filename>/etc/shorewall/ipsets</filename> and will issue a warning
if you set SAVE_IPSETS=Yes in <filename>shorewall.conf</filename></para>
</section> </section>
</article> </article>

70
manpages/shorewall-rules.xml
View File

@ -403,22 +403,31 @@
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">TRIGGER(<replaceable>trigger</replaceable>[:<replaceable>direction</replaceable>])</emphasis></term> role="bold">ADD(<replaceable>ipset</replaceable>,<replaceable>direction</replaceable>)</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.12. Causes either the SOURCE or <para>Added in Shorewall 4.4.12. Causes either the SOURCE or
DESTINATION address of the connection to be added to the named DESTINATION address of the connection to be added to the named
<replaceable>trigger</replaceable>. By default, the SOURCE <replaceable>ipset</replaceable>. If
address is added to the trigger but if
<replaceable>direction</replaceable> is <option>d</option> <replaceable>direction</replaceable> is <option>d</option>
(e.g., trig:d) then the DESTINATION address is added. See the (e.g., ipset,d) then the DESTINATION address is added; if it
TRIGGER column below.</para> is <emphasis role="bold">s</emphasis>, then the SOURCE address
is added.</para>
</listitem>
</varlistentry>
<para>When a TRIGGER rule is placed in the NEW section, the <varlistentry>
SOURCE is added to the trigger at the time of the connection. <term><emphasis
If it is placed in the ESTABLISHED section, each packet that role="bold">DEL(<replaceable>ipset</replaceable>,<replaceable>direction</replaceable>)</emphasis></term>
matches the rule causes the trigger time of the address
(SOURCE or DEST) to be set to the current time.</para> <listitem>
<para>Added in Shorewall 4.4.12. Causes either the SOURCE or
DESTINATION address of the connection to be deleted from the
named <replaceable>ipset</replaceable>. If
<replaceable>direction</replaceable> is <option>d</option>
(e.g., ipset,d) then the DESTINATION address is added; if it
is <emphasis role="bold">s</emphasis>, then the SOURCE address
is deleteded.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -1123,22 +1132,6 @@
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">TRIGGER -
<replaceable>trigger</replaceable>[:[<replaceable>seconds</replaceable>][:[<replaceable>direction</replaceable>]]]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.12. An entry in this column restrict
the rule to matching an address that has been previously triggered
by a TRIGGER rule. Normally the SOURCE address is checked but you
can cause the DESTINATION address to be used instead by supplying a
<replaceable>direction</replaceable> of <option>d</option> (e.g.,
foo::d). By default, the address must have been triggered within the
last 60 seconds but you can specify a different time using the
<replaceable>seconds</replaceable> option (e.g., foo:30).</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
@ -1303,31 +1296,6 @@
that traffic.</para> that traffic.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>Example 10:</term>
<listitem>
<para>Allow a connection from internet host to the firewall's TCP
port 1088 within 30 seconds after the firewall establishes an SSH
connection to that host.</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME TRIGGER
# PORT(S) PORT(S) DEST LIMIT GROUP
#
# Trigger the incoming connection
#
TRIGGER(port1088:d) fw net tcp 22
#
# Note that the TRIGGER rule must precede the ACCEPT rule; the ACCEPT rule can be omitted if the fw-&gt;net policy is ACCEPT
#
ACCEPT fw net tcp 22
#
# Now accept the return connection on port 1088
#
ACCEPT net fw tcp 1088 - - - - - - - port1088:30 </programlisting>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>