Shorewall 1.4.8

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@794 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-11-28 19:09:18 +00:00
parent f9c596a465
commit ce7dddfc5a
6 changed files with 190 additions and 125 deletions

View File

@ -46,6 +46,8 @@
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
#
# You may rate-limit the rule by optionally
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with

View File

@ -350,11 +350,12 @@ CLAMPMSS=No
# ROUTE FILTERING
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces (anti-spoofing measure).
# interfaces started while Shorewall is started (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.
# In that case, you can still enable route filtering on individual interfaces
# in the /etc/shorewall/interfaces file.
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
# on individual interfaces using the 'routefilter' option in the
# /etc/shorewall/interfaces file.
ROUTE_FILTER=No
@ -463,6 +464,28 @@ NEWNOTSYN=No
#
ADMINISABSENTMINDED=Yes
#
# BLACKLIST Behavior
#
# Shorewall offers two types of blacklisting:
#
# - static blacklisting through the /etc/shorewall/blacklist file together
# with the 'blacklist' interface option.
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
#
# The following variable determines whether the blacklist is checked for each
# packet or for each new connection.
#
# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection
# requests
#
# BLACKLISTNEWONLY=No Consult blacklists for all packets.
#
# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
# BLACKLISTNEWONLY=No is assumed.
#
BLACKLISTNEWONLY=Yes
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################

View File

@ -57,14 +57,18 @@ list_search() # $1 = element to search for , $2-$n = list
}
#
# Function to count list elements
# Functions to count list elements
# - - - - - - - - - - - - - - - -
# Whitespace-separated list
#
list_count1() {
echo $#
}
#
# Comma-separated list
#
list_count() {
arg_count() {
echo $#
}
arg_count `separate_list $1`
list_count1 `separate_list $1`
}
#
@ -225,11 +229,13 @@ run_tc() {
#
# If the chain isn't one of the common chains then add a rule to the chain
# allowing packets that are part of an established connection. Create a
# variable ${1}_exists and set its value to Yes to indicate that the chain now
# variable exists_${1} and set its value to Yes to indicate that the chain now
# exists.
#
createchain() # $1 = chain name, $2 = If "yes", create default rules
{
local c=`chain_base $1`
run_iptables -N $1
if [ $2 = yes ]; then
@ -238,11 +244,13 @@ createchain() # $1 = chain name, $2 = If "yes", create default rules
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
fi
eval ${1}_exists=Yes
eval exists_${c}=Yes
}
createchain2() # $1 = chain name, $2 = If "yes", create default rules
{
local c=`chain_base $1`
if iptables -N $1; then
if [ $2 = yes ]; then
@ -251,20 +259,22 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
fi
eval ${1}_exists=Yes
eval exists_${c}=Yes
fi
}
#
# Determine if a chain exists
#
# When we create a chain "chain", we create a variable named chain_exists and
# set its value to Yes. This function tests for the "_exists" variable
# When we create a chain "chain", we create a variable named exists_chain and
# set its value to Yes. This function tests for the "exists_" variable
# corresponding to the passed chain having the value of "Yes".
#
havechain() # $1 = name of chain
{
eval test \"\$${1}_exists\" = Yes
local c=`chain_base $1`
eval test \"\$exists_${c}\" = Yes
}
#
@ -303,26 +313,26 @@ addrule() # $1 = chain name, remainder of arguments specify the rule
#
# Create a nat chain
#
# Create a variable ${1}_nat_exists and set its value to Yes to indicate that
# Create a variable exists_nat_${1} and set its value to Yes to indicate that
# the chain now exists.
#
createnatchain() # $1 = chain name
{
run_iptables -t nat -N $1
eval ${1}_nat_exists=Yes
eval exists_nat_${1}=Yes
}
#
# Determine if a nat chain exists
#
# When we create a chain "chain", we create a variable named chain_nat_exists
# and set its value to Yes. This function tests for the "_exists" variable
# When we create a chain "chain", we create a variable named exists_nat_chain
# and set its value to Yes. This function tests for the "exists_" variable
# corresponding to the passed chain having the value of "Yes".
#
havenatchain() # $1 = name of chain
{
eval test \"\$${1}_nat_exists\" = Yes
eval test \"\$exists_nat_${1}\" = Yes
}
#
@ -626,11 +636,11 @@ validate_interfaces_file() {
all_interfaces="$all_interfaces $interface"
options=`separate_list $options`
interface=`chain_base $interface`
iface=`chain_base $interface`
eval ${interface}_broadcast="$subnet"
eval ${interface}_zone="$z"
eval ${interface}_options=\"$options\"
eval ${iface}_broadcast="$subnet"
eval ${iface}_zone="$z"
eval ${iface}_options=\"$options\"
for option in $options; do
case $option in
@ -753,7 +763,14 @@ validate_policy()
esac
case $policy in
ACCEPT|REJECT|DROP|CONTINUE|NONE)
ACCEPT|REJECT|DROP|CONTINUE)
;;
NONE)
[ "$client" = "$FW" -o "$server" = "$FW" ] && \
startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone"
[ -n "$clientwild" -o -n "$serverwild" ] && \
startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
;;
*)
startup_error "Invalid policy $policy"
@ -771,8 +788,6 @@ validate_policy()
[ "x$loglevel" = "x-" ] && loglevel=
chain=${client}2${server}
[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
eval ${chain}_is_policy=Yes
@ -960,7 +975,7 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi
local chain=$2
local disposition=$3
local rulenum=
local limit=${4:-$LOGLIMIT}
local limit="${4:-$LOGLIMIT}"
shift;shift;shift;shift
@ -1452,28 +1467,19 @@ setup_mac_lists() {
#
for interface in $maclist_interfaces; do
chain=`mac_chain $interface`
blob=`ip -f inet addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;'`
blob=`ip link show $interface 2> /dev/null`
[ -z "$blob" ] && \
fatal_error "Interface $interface must be up before Shorewall can start"
set -- $blob
while [ $# -gt 0 ]; do
address=${1%/*}
case $1 in
*/32)
;;
*)
run_iptables -A $chain -s $address -d $2 -j RETURN
shift
;;
esac
ip -f inet addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
if [ -n "$broadcast" ]; then
run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN
fi
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
shift
done
if [ -n "$MACLIST_LOG_LEVEL" ]; then
@ -1668,9 +1674,10 @@ setup_ecn() # $1 = file name
#
process_tc_rule()
{
chain=$marking_chain
add_a_tc_rule() {
r=
chain=$marking_chain
if [ "x$source" != "x-" ]; then
case $source in
@ -1693,6 +1700,15 @@ process_tc_rule()
esac
fi
[ "x$dest" = "x-" ] || r="${r}-d $dest "
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port "
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
}
if [ "$mark" != "${mark%:*}" ]; then
[ "$chain" = tcout ] && \
@ -1713,15 +1729,6 @@ process_tc_rule()
mark="${mark%:*}"
fi
[ "x$dest" = "x-" ] || r="${r}-d $dest "
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port "
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
}
for source in `separate_list ${sources:=-}`; do
for dest in `separate_list ${dests:=-}`; do
for port in `separate_list ${ports:=-}`; do
@ -2315,6 +2322,26 @@ add_a_rule()
{
local natrule=
do_ports() {
if [ -n "$port" ]; then
dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
multiport="$multioption"
dports="--dports"
fi
dports="$dports $port"
fi
if [ -n "$cport" ]; then
sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption"
sports="--sports"
fi
sports="$sports $cport"
fi
}
# Set source variables. The 'cli' variable will hold the client match predicate(s).
cli=
@ -2369,24 +2396,12 @@ add_a_rule()
[ x$cport = x- ] && cport=
case $proto in
tcp|udp|TCP|UDP|6|17)
if [ -n "$port" ]; then
dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
multiport="$multioption"
dports="--dports"
fi
dports="$dports $port"
fi
if [ -n "$cport" ]; then
sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption"
sports="--sports"
fi
sports="$sports $cport"
fi
tcp|TCP|6)
do_ports
[ "$target" = QUEUE ] && proto="$proto --syn"
;;
udp|UDP|17)
do_ports
;;
icmp|ICMP|1)
[ -n "$port" ] && dports="--icmp-type $port"
@ -2761,10 +2776,13 @@ process_rule() # $1 = target
# Generate Netfilter rule(s)
protocol=${protocol:=all}
case $logtarget in
DNAT*)
if [ -n "$MULTIPORT" -a \
"$ports" = "${ports%:*}" -a \
if [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
`list_count $ports` -le 15 -a \
`list_count $cports` -le 15 ]
@ -2800,8 +2818,9 @@ process_rule() # $1 = target
;;
*)
if [ -n "$MULTIPORT" -a \
"$ports" = "${ports%:*}" -a \
if [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
`list_count $ports` -le 15 -a \
`list_count $cports` -le 15 ]
@ -2869,7 +2888,7 @@ process_rules()
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
if [ "x$xclients" = xall ]; then
@ -3387,7 +3406,7 @@ setup_masq()
;;
*)
subnets=`get_routed_subnets $subnet`
[ -z "$subnets" ] && startup_error "Unable to determine the routes through interface $subnet"
[ -z "$subnets" ] && fatal_error "Unable to determine the routes through interface $subnet"
subnet="$subnets"
;;
esac
@ -3578,9 +3597,11 @@ setup_blacklist() {
createchain blacklst no
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
for interface in $interfaces; do
for chain in `first_chains $interface`; do
run_iptables -A $chain -j blacklst
run_iptables -A $chain $state -j blacklst
done
echo " Blacklisting enabled on $interface"
@ -3899,13 +3920,15 @@ initialize_netfilter () {
fi
fi
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
echo "Creating Interface Chains..."
for interface in $all_interfaces; do
createchain `forward_chain $interface` no
run_iptables -A `forward_chain $interface` -j dynamic
run_iptables -A `forward_chain $interface` $state -j dynamic
createchain `input_chain $interface` no
run_iptables -A `input_chain $interface` -j dynamic
run_iptables -A `input_chain $interface` $state -j dynamic
done
}
@ -4003,7 +4026,7 @@ add_common_rules() {
if [ -n "$interfaces" ]; then
createchain logpkt no
[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
[ -z "$LOGUNCLEAN" ] && LOGUNCLEAN=info
LOGPARMS="$LOGPARMS --log-ip-options"
@ -4175,6 +4198,7 @@ add_common_rules() {
if [ -n "$interfaces" ]; then
echo "Setting up ARP Filtering..."
for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/arp_filter
if [ -f $file ]; then
@ -4188,18 +4212,15 @@ add_common_rules() {
#
# Route Filtering
#
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
interfaces="`find_interfaces_by_option routefilter`"
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
echo "Setting up Kernel Route Filtering..."
if [ -n "$ROUTE_FILTER" ]; then
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
else
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/rp_filter
if [ -f $file ]; then
@ -4209,7 +4230,10 @@ add_common_rules() {
"Warning: Cannot set route filtering on $interface"
fi
done
fi
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
run_ip route flush cache
fi
#
# IP Forwarding
@ -4381,6 +4405,7 @@ activate_rules()
[ -n "$complex" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
done
for zone1 in $zones; do
@ -4401,14 +4426,23 @@ activate_rules()
routeback=
fi
if [ -n "$complex" ]; then
for host1 in $dest_hosts; do
interface1=${host1%:*}
subnet1=${host1#*:}
if [ `list_count1 $source_hosts` -eq 1 -a "$source_hosts" = "$host1" ]; then
if list_search $host1 $routeback; then
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
fi
else
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
fi
done
else
for host in $source_hosts; do
interface=${host%:*}
if [ -n "$complex" ]; then
chain1=$frwd_chain
else
chain1=`forward_chain $interface`
fi
for host1 in $dest_hosts; do
interface1=${host1%:*}
@ -4419,6 +4453,7 @@ activate_rules()
fi
done
done
fi
done
done
@ -5021,6 +5056,7 @@ do_initialize() {
LOGFORMAT=
LOGRULENUMBERS=
ADMINISABSENTMINDED=
BLACKLISTNEWONLY=
stopping=
have_mutex=
@ -5170,6 +5206,7 @@ do_initialize() {
LOGFORMAT="Shorewall:%s:%s:"
fi
ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED`
BLACKLISTNEWONLY=`added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY`
#
# Strip the files that we use often
#

View File

@ -425,6 +425,9 @@ chain_base() #$1 = interface
*.*)
c="${c%.*}_${c##*.}"
;;
*-*)
c="${c%-*}_${c##*-}"
;;
*)
echo ${c:=common}
return

View File

@ -1 +1 @@
1.4.7
1.4.8

View File

@ -1 +1 @@
1.4.7
1.4.8