holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Fix sectioned IPSEC accounting.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-05-30 14:37:29 -07:00
parent ea173ab628
commit de184b32bc
3 changed files with 101 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
Shorewall/Perl/Shorewall/Accounting.pm
View File

@ -46,6 +46,7 @@ my $jumpchainref;
my %accountingjumps;
my $asection;
my $defaultchain;
my $ipsecdir;
my $defaultrestriction;
my $restriction;
my $accounting_commands = { COMMENT => 0, SECTION => 2 };
@ -92,6 +93,7 @@ sub initialize() {
# These are the legacy values
#
$defaultchain = 'accounting';
$ipsecdir = '';
$defaultrestriction = NO_RESTRICT;
$sectionname = '';
}
@ -111,20 +113,25 @@ sub process_section ($) {
if ( $sectionname eq 'INPUT' ) {
$defaultchain = 'accountin';
$ipsecdir = 'in';
$defaultrestriction = INPUT_RESTRICT;
} elsif ( $sectionname eq 'OUTPUT' ) {
$defaultchain = 'accountout';
$ipsecdir = 'out';
$defaultrestriction = OUTPUT_RESTRICT;
} elsif ( $sectionname eq 'FORWARD' ) {
$defaultchain = 'accountfwd';
$ipsecdir = '';
$defaultrestriction = NO_RESTRICT;
} else {
fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
if ( $sectionname eq 'PREROUTING' ) {
$defaultchain = 'accountpre';
$ipsecdir = 'in';
$defaultrestriction = PREROUTE_RESTRICT;
} else {
$defaultchain = 'accountpost';
$ipsecdir = 'out';
$defaultrestriction = POSTROUTE_RESTRICT;
}
}
@ -285,7 +292,21 @@ sub process_accounting_rule( ) {
}
my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
my $dir;
my $dir = $ipsecdir;
if ( $asection && $ipsec ne '-' ) {
if ( $ipsecdir ) {
fatal_error "Invalid IPSEC ($ipsec)" if $ipsec =~ /^(?:in|out)\b/;
} else {
if ( $ipsec =~ s/^(?:(in|out)\b)// ) {
$dir = $1;
} else {
fatal_error q(IPSEC rules in the $asection section require that the value begin with 'in' or 'out');
}
}
$rule .= do_ipsec( $dir, $ipsec );
}
if ( ! $chainref ) {
if ( reserved_chain_name( $chain ) ) {
@ -297,28 +318,32 @@ sub process_accounting_rule( ) {
$chainref = ensure_accounting_chain $chain, 0 , $restriction;
}
$dir = ipsec_chain_name( $chain );
unless ( $asection ) {
$dir = ipsec_chain_name( $chain );
if ( $ipsec ne '-' ) {
if ( $dir ) {
$rule .= do_ipsec( $dir, $ipsec );
$chainref->{ipsec} = $dir;
if ( $ipsec ne '-' ) {
if ( $dir ) {
$rule .= do_ipsec( $dir, $ipsec );
$chainref->{ipsec} = $dir;
} else {
fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
}
} else {
fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
$chainref->{ipsec} = $dir;
}
} else {
warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
$chainref->{ipsec} = $dir;
}
} else {
fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
if ( $ipsec ne '-' ) {
$dir = $chainref->{ipsec};
fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
$rule .= do_ipsec( $dir , $ipsec );
} elsif ( $asection ) {
$restriction |= $chainref->{restriction};
unless ( $asection ) {
if ( $ipsec ne '-' ) {
$dir = $chainref->{ipsec};
fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
$rule .= do_ipsec( $dir , $ipsec );
} elsif ( $asection ) {
$restriction |= $chainref->{restriction};
}
}
}
@ -366,7 +391,6 @@ sub process_accounting_rule( ) {
} else {
$jumpchainref->{ipsec} = $chainref->{ipsec};
}
}
if ( $rule2 ) {

34
Shorewall/manpages/shorewall-accounting.xml
View File

@ -539,7 +539,8 @@
<varlistentry>
<term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
(Optional - Added in Shorewall 4.4.13 )</emphasis></term>
(Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1
)</emphasis></term>
<listitem>
<para>The option-list consists of a comma-separated list of options
@ -653,9 +654,30 @@
match the rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">in</emphasis></term>
<listitem>
<para>May only be used in the FORWARD section and must be the
first or the only item the list. Indicates that matching
packets have been decrypted in input.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">out</emphasis></term>
<listitem>
<para>May only be used in the FORWARD section and must be the
first or the only item in the list. Indicates that matching
packets will be encrypted on output.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If this column is non-empty, then:</para>
<para>If this column is non-empty and sections are not used,
then:</para>
<itemizedlist>
<listitem>
@ -671,10 +693,12 @@
role="bold">accipsecout</emphasis> or a chain branched either
directly or indirectly from those chains.</para>
</listitem>
</itemizedlist>
<para>These rules will NOT appear in the <emphasis
role="bold">accounting</emphasis> chain.</para>
<listitem>
<para>These rules will NOT appear in the <emphasis
role="bold">accounting</emphasis> chain.</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
</variablelist>

37
Shorewall6/manpages/shorewall6-accounting.xml
View File

@ -480,13 +480,15 @@
<varlistentry>
<term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
(Optional - Added in Shorewall 4.4.13 )</emphasis></term>
(Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1
)</emphasis></term>
<listitem>
<para>The option-list consists of a comma-separated list of options
from the following list. Only packets that will be encrypted or have
been de-crypted via an SA that matches these options will have their
source address changed.</para>
source address changed. May only be specified when sections are
used.</para>
<variablelist>
<varlistentry>
@ -594,9 +596,30 @@
match the rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">in</emphasis></term>
<listitem>
<para>May only be used in the FORWARD section and must be the
first or the only item the list. Indicates that matching
packets have been decrypted in input.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">out</emphasis></term>
<listitem>
<para>May only be used in the FORWARD section and must be the
first or the only item in the list. Indicates that matching
packets will be encrypted on output.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If this column is non-empty, then:</para>
<para>If this column is non-empty and sections are not used,
then:</para>
<itemizedlist>
<listitem>
@ -612,10 +635,12 @@
role="bold">accipsecout</emphasis> or a chain branched either
directly or indirectly from those chains.</para>
</listitem>
</itemizedlist>
<para>These rules will NOT appear in the <emphasis
role="bold">accounting</emphasis> chain.</para>
<listitem>
<para>These rules will NOT appear in the <emphasis
role="bold">accounting</emphasis> chain.</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>