Add MAC verification

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@306 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/fallback.sh

@@ -101,6 +101,8 @@ restore_file /etc/shorewall/proxyarp
 
 restore_file /etc/shorewall/routestopped
 
+restore_file /etc/shorewall/maclist
+
 restore_file /etc/shorewall/masq
 
 restore_file /etc/shorewall/modules

Shorewall/firewall

@@ -511,7 +511,7 @@ validate_interfaces_file() {
 	    case $option in
 	    dhcp|noping|filterping|routestopped|norfc1918|multi)
                 ;;
-	    routefilter|dropunclean|logunclean|blacklist|proxyarp|-)
+	    routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
 		;;
 	    *)
 		error_message "Warning: Invalid option ($option) in record \"$r\""
@@ -925,6 +925,30 @@ find_broadcasts() {
     done < $TMP_DIR/interfaces
 }
 
+################################################################################
+# Find interface broadcast addresses					       #
+################################################################################
+find_interface_broadcasts() # $1 = Interface name
+{
+    while read z interface bcast options; do
+	expandv interface bcast
+	if [ "$interface" = "$1" ]; then
+	    if [ "x$bcast" = "xdetect" ]; then
+		addr="`ip addr show $interface 2> /dev/null`"
+		if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
+		    addr="`echo "$addr" | \
+		grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`"
+		    echo $addr | cut -d' ' -f 1
+		fi
+	    elif [ "x${bcast}" != "x-" ]; then
+		echo `separate_list $bcast`
+	    fi
+	    
+	    return
+	fi
+    done < $TMP_DIR/interfaces
+}
+
 ################################################################################
 # Find interface address--returns the first IP address assigned to the passed  #
 # device								       #
@@ -1276,6 +1300,57 @@ setup_proxy_arp() {
     done
 }
 
+###############################################################################
+# Set up MAC List Chains						      #
+###############################################################################
+setup_mac_lists() {
+
+    for interface in $maclist_interfaces; do
+	createchain ${interface}_mac no
+    done
+
+    strip_file maclist
+
+    while read interface mac address; do
+	chain=${interface}_mac
+
+	if ! havechain $chain ; then
+	    error_message "Warning: $interface does not have the maclist option specified"
+	    continue
+	fi
+
+	[ -n "$address" ] && addr_match="-s $address" || addr_match=
+
+	run_iptables -A ${interface}_mac `mac_match $mac` $addr_match -j RETURN
+    done < $TMP_DIR/maclist
+
+    if [ -n "$MACLIST_LOG_LEVEL" ]; then
+	logpart="-j LOG $LOGPARMS --log-level $MACLIST_LOG_LEVEL --log-prefix"
+    else
+	logpart=
+    fi
+
+    for interface in $maclist_interfaces; do
+	chain=${interface}_mac
+	#
+	# Must take care of our own broadcasts
+	#
+	source="-s `find_interface_address $interface`"
+
+	for address in `find_interface_broadcasts $interface` 255.255.255.255 ; do
+	    run_iptables -A $chain $source -d $address -j RETURN
+	done
+
+	[ -n "$logpart" ] && \
+	    run_iptables -A $chain $logpart "Shorewall:$chain:$MACLIST_DISPOSITION:"
+
+	run_iptables -A $chain -j $maclist_target
+
+	run_iptables -A `input_chain $interface`   -m state --state NEW -j $chain
+	run_iptables -A `forward_chain $interface` -m state --state NEW -j $chain
+    done
+}    
+	
 ###############################################################################
 # Set up SYN flood protection						      #
 ###############################################################################
@@ -3335,6 +3410,13 @@ define_firewall() # $1 = Command (Start or Restart)
     [ -f $tunnels ] && \
 	echo "Processing $tunnels..." && setup_tunnels $tunnels
 
+    maclist_interfaces=`find_interfaces_by_option maclist`
+
+    if [ -n "$maclist_interfaces" ] ; then
+	echo "Setting up MAC Verification on $maclist_interfaces..."
+	setup_mac_lists
+    fi
+
     rules=`find_file rules`
 
     echo "Processing $rules..."
@@ -3882,6 +3964,8 @@ do_initialize() {
     NEWNOTSYN=
     LOGNEWNOTSYN=
     FORWARDPING=
+    MACLIST_DISPOSITION=
+    MACLIST_LOG_LEVEL=
     stopping=
     have_mutex=
     masq_seq=1
@@ -3961,6 +4045,24 @@ do_initialize() {
     MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
     FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
     NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
+
+    maclist_target=reject
+    
+    if [ -n "$MACLIST_DISPOSITION" ] ; then
+	case $MACLIST_DISPOSITION in
+	    REJECT)
+		;;
+	    ACCEPT|DROP)
+		maclist_target=$MACLIST_DISPOSITION
+		;;
+	    *)
+		startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
+		;;
+	esac
+    else
+	MACLIST_DISPOSITION=REJECT
+    fi
+
 }
 
 ################################################################################

Shorewall/install.sh

@@ -382,6 +382,15 @@ else
     echo -e "\nStopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
 fi
 #
+# Install the Mac List file
+#
+if [ -f ${PREFIX}/etc/shorewall/maclist ]; then
+    backup_file /etc/shorewall/maclist
+else
+    run_install -o $OWNER -g $GROUP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
+    echo -e "\nMAC list file installed as ${PREFIX}/etc/shorewall/maclist"
+fi
+#
 # Install the Masq file
 #
 if [ -f ${PREFIX}/etc/shorewall/masq ]; then

Shorewall/interfaces

@@ -81,6 +81,11 @@
 #	.	.	blacklist    - Check packets arriving on this interface
 #				       against the /etc/shorewall/blacklist
 #				       file.
+#			maclist	     - Connection requests from this interface
+#				       are compared against the contents of
+#				       /etc/shorewall/maclist. If this option
+#				       is specified, the interface must be
+#				       up before Shorewall is started.
 #			proxyarp     - 
 #				Sets 
 #				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.

Shorewall/shorewall.conf

@@ -383,4 +383,25 @@ FORWARDPING=Yes
  
 NEWNOTSYN=No
 
+#
+# MAC List Disposition
+#
+# This variable determines the disposition of connection requests arriving
+# on interfaces that have the 'maclist' option and that are from a device
+# that is not listed for that interface in /etc/shorewall/maclist. Valid
+# values are ACCEPT, DROP and REJECT. If not specified or specified as
+# empty (MACLIST_DISPOSITION="") then REJECT is assumed
+
+MACLIST_DISPOSITION=REJECT
+
+#
+# MAC List Log Level
+#
+# Specifies the logging level for connection requests that fail MAC
+# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
+# such connection requests will not be logged. 
+# 
+
+MACLIST_LOG_LEVEL=info
+
 #LAST LINE -- DO NOT REMOVE

Shorewall/shorewall.spec

@@ -85,6 +85,7 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/params
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/maclist
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/masq
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/modules
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules
@@ -100,6 +101,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Tue Oct 22 2002 Tom Eastep <tom@shorewall.net>
+- Added maclist file
 * Tue Oct 15 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.10
 - Replaced symlink with real file