Fix sectioned IPSEC accounting.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-05-30 14:37:29 -07:00
parent ea173ab628
commit de184b32bc
3 changed files with 101 additions and 28 deletions


@ -46,6 +46,7 @@ my $jumpchainref;
my %accountingjumps; my %accountingjumps;
my $asection; my $asection;
my $defaultchain; my $defaultchain;
my $ipsecdir;
my $defaultrestriction; my $defaultrestriction;
my $restriction; my $restriction;
my $accounting_commands = { COMMENT => 0, SECTION => 2 }; my $accounting_commands = { COMMENT => 0, SECTION => 2 };
@ -92,6 +93,7 @@ sub initialize() {
# These are the legacy values # These are the legacy values
# #
$defaultchain = 'accounting'; $defaultchain = 'accounting';
$ipsecdir = '';
$defaultrestriction = NO_RESTRICT; $defaultrestriction = NO_RESTRICT;
$sectionname = ''; $sectionname = '';
} }
@ -111,20 +113,25 @@ sub process_section ($) {
if ( $sectionname eq 'INPUT' ) { if ( $sectionname eq 'INPUT' ) {
$defaultchain = 'accountin'; $defaultchain = 'accountin';
$ipsecdir = 'in';
$defaultrestriction = INPUT_RESTRICT; $defaultrestriction = INPUT_RESTRICT;
} elsif ( $sectionname eq 'OUTPUT' ) { } elsif ( $sectionname eq 'OUTPUT' ) {
$defaultchain = 'accountout'; $defaultchain = 'accountout';
$ipsecdir = 'out';
$defaultrestriction = OUTPUT_RESTRICT; $defaultrestriction = OUTPUT_RESTRICT;
} elsif ( $sectionname eq 'FORWARD' ) { } elsif ( $sectionname eq 'FORWARD' ) {
$defaultchain = 'accountfwd'; $defaultchain = 'accountfwd';
$ipsecdir = '';
$defaultrestriction = NO_RESTRICT; $defaultrestriction = NO_RESTRICT;
} else { } else {
fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle'; fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
if ( $sectionname eq 'PREROUTING' ) { if ( $sectionname eq 'PREROUTING' ) {
$defaultchain = 'accountpre'; $defaultchain = 'accountpre';
$ipsecdir = 'in';
$defaultrestriction = PREROUTE_RESTRICT; $defaultrestriction = PREROUTE_RESTRICT;
} else { } else {
$defaultchain = 'accountpost'; $defaultchain = 'accountpost';
$ipsecdir = 'out';
$defaultrestriction = POSTROUTE_RESTRICT; $defaultrestriction = POSTROUTE_RESTRICT;
} }
} }
@ -285,7 +292,21 @@ sub process_accounting_rule( ) {
} }
my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain}; my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
my $dir; my $dir = $ipsecdir;
if ( $asection && $ipsec ne '-' ) {
if ( $ipsecdir ) {
fatal_error "Invalid IPSEC ($ipsec)" if $ipsec =~ /^(?:in|out)\b/;
} else {
if ( $ipsec =~ s/^(?:(in|out)\b)// ) {
$dir = $1;
} else {
fatal_error q(IPSEC rules in the $asection section require that the value begin with 'in' or 'out');
}
}
$rule .= do_ipsec( $dir, $ipsec );
}
if ( ! $chainref ) { if ( ! $chainref ) {
if ( reserved_chain_name( $chain ) ) { if ( reserved_chain_name( $chain ) ) {
@ -297,28 +318,32 @@ sub process_accounting_rule( ) {
$chainref = ensure_accounting_chain $chain, 0 , $restriction; $chainref = ensure_accounting_chain $chain, 0 , $restriction;
} }
$dir = ipsec_chain_name( $chain ); unless ( $asection ) {
$dir = ipsec_chain_name( $chain );
if ( $ipsec ne '-' ) { if ( $ipsec ne '-' ) {
if ( $dir ) { if ( $dir ) {
$rule .= do_ipsec( $dir, $ipsec ); $rule .= do_ipsec( $dir, $ipsec );
$chainref->{ipsec} = $dir; $chainref->{ipsec} = $dir;
} else {
fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
}
} else { } else {
fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed"; warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
$chainref->{ipsec} = $dir;
} }
} else {
warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
$chainref->{ipsec} = $dir;
} }
} else { } else {
fatal_error "$chain is not an accounting chain" unless $chainref->{accounting}; fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
if ( $ipsec ne '-' ) { unless ( $asection ) {
$dir = $chainref->{ipsec}; if ( $ipsec ne '-' ) {
fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir; $dir = $chainref->{ipsec};
$rule .= do_ipsec( $dir , $ipsec ); fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
} elsif ( $asection ) { $rule .= do_ipsec( $dir , $ipsec );
$restriction |= $chainref->{restriction}; } elsif ( $asection ) {
$restriction |= $chainref->{restriction};
}
} }
} }
@ -366,7 +391,6 @@ sub process_accounting_rule( ) {
} else { } else {
$jumpchainref->{ipsec} = $chainref->{ipsec}; $jumpchainref->{ipsec} = $chainref->{ipsec};
} }
} }
if ( $rule2 ) { if ( $rule2 ) {
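Review bot: The fatal_error in the new sectioned branch of process_accounting_rule uses `q(...)`, which does not interpolate, so the user sees the literal text "$asection section" rather than the section name; `$asection` also reads as the boolean "sections in use" flag rather than the name, and the section name this file tracks is `$sectionname` (set in process_section). Suggested line: `fatal_error "IPSEC rules in the $sectionname section require that the value begin with 'in' or 'out'";`. Separately, `s/^(?:(in|out)\b)//` strips only the keyword, so a value such as `in,reqid=1` is passed to do_ipsec as `,reqid=1` with a leading comma, and a bare `in` becomes the empty string — whether do_ipsec tolerates either is not visible here, so consider stripping an optional trailing comma as well, e.g. `s/^(in|out)\b,?//`. process_accounting_rule begins and ends outside these hunks.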


@ -539,7 +539,8 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis> <term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
(Optional - Added in Shorewall 4.4.13 )</emphasis></term> (Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1
)</emphasis></term>
<listitem> <listitem>
<para>The option-list consists of a comma-separated list of options <para>The option-list consists of a comma-separated list of options
@ -653,9 +654,30 @@
match the rule.</para> match the rule.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">in</emphasis></term>
<listitem>
<para>May only be used in the FORWARD section and must be the
first or the only item the list. Indicates that matching
packets have been decrypted in input.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">out</emphasis></term>
<listitem>
<para>May only be used in the FORWARD section and must be the
first or the only item in the list. Indicates that matching
packets will be encrypted on output.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para>If this column is non-empty, then:</para> <para>If this column is non-empty and sections are not used,
then:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -671,10 +693,12 @@
role="bold">accipsecout</emphasis> or a chain branched either role="bold">accipsecout</emphasis> or a chain branched either
directly or indirectly from those chains.</para> directly or indirectly from those chains.</para>
</listitem> </listitem>
</itemizedlist>
<para>These rules will NOT appear in the <emphasis <listitem>
role="bold">accounting</emphasis> chain.</para> <para>These rules will NOT appear in the <emphasis
role="bold">accounting</emphasis> chain.</para>
</listitem>
</itemizedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>


@ -480,13 +480,15 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis> <term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
(Optional - Added in Shorewall 4.4.13 )</emphasis></term> (Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1
)</emphasis></term>
<listitem> <listitem>
<para>The option-list consists of a comma-separated list of options <para>The option-list consists of a comma-separated list of options
from the following list. Only packets that will be encrypted or have from the following list. Only packets that will be encrypted or have
been de-crypted via an SA that matches these options will have their been de-crypted via an SA that matches these options will have their
source address changed.</para> source address changed. May only be specified when sections are
used.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -594,9 +596,30 @@
match the rule.</para> match the rule.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">in</emphasis></term>
<listitem>
<para>May only be used in the FORWARD section and must be the
first or the only item the list. Indicates that matching
packets have been decrypted in input.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">out</emphasis></term>
<listitem>
<para>May only be used in the FORWARD section and must be the
first or the only item in the list. Indicates that matching
packets will be encrypted on output.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para>If this column is non-empty, then:</para> <para>If this column is non-empty and sections are not used,
then:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -612,10 +635,12 @@
role="bold">accipsecout</emphasis> or a chain branched either role="bold">accipsecout</emphasis> or a chain branched either
directly or indirectly from those chains.</para> directly or indirectly from those chains.</para>
</listitem> </listitem>
</itemizedlist>
<para>These rules will NOT appear in the <emphasis <listitem>
role="bold">accounting</emphasis> chain.</para> <para>These rules will NOT appear in the <emphasis
role="bold">accounting</emphasis> chain.</para>
</listitem>
</itemizedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>