Deprecate 'norfc1918' in favor of built-in actions

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8367 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-03-27 19:45:23 +00:00
parent 6b1f1df9f0
commit df41b69a04
7 changed files with 138 additions and 46 deletions


@ -21,6 +21,10 @@
# allowinUPnP # Allow UPnP inbound (to firewall) traffic
# forwardUPnP # Allow traffic that upnpd has redirected from
# # 'upnp' interfaces.
# drop1918src # Drop packets with an RFC 1918 source address
# drop1918dst # Drop packets with an RFC 1918 original dest address
# rej1918src # Reject packets with an RFC 1918 source address
# rej1918dst # Reject packets with an RFC 1918 original dest address
# Limit # Limit the rate of connections from each individual
# # IP address
#


@ -16,6 +16,8 @@ Changes in 4.1.7
8) Fix ":" parsing errors.
9) Add macros for RFC 1918 filtering.
Changes in 4.1.6
1) Deprecate IMPLICIT_CONTINUE=Yes


@ -569,14 +569,18 @@ show_command() {
actions)
[ $# -gt 1 ] && usage 1
echo "allowBcast # Silently Allow Broadcast/multicast"
echo "dropBcast # Silently Drop Broadcast/multicast"
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
echo "dropBcast # Silently Drop Broadcast/multicast"
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
echo "drop1918src # Drop packets with an RFC 1918 source address (Shorewall-perl only)"
echo "drop1918dst # Drop packets with an RFC 1918 original dest address (Shorewall-perl only)"
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
echo "rej1918src # Reject packets with an RFC 1918 source address (Shorewall-perl only)"
echo "rej1918dst # Reject packets with an RFC 1918 original dest address (Shorewall-perl only)"
cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$'
return
;;


@ -186,7 +186,24 @@ New Features in 4.1.7.
traffic classification may only occur using the tcfilters file.
This allows for another application running on your firewall to
take over the mangle table and use it for it's own purposes.
take over the mangle table and use it for it's own purposes.
4) Shorewall-perl implements four new built-in actions that deal with
RFC 1918 addresses. These actions should be used in place of
the 'norfc1918' interface option which is deprecated.
drop1918src - Drops packets with an RFC 1918 source address.
drop1918dst - Drops packets with an RFC 1918 original
destination IP address.
rej1918dst - Rejects packets with an RFC 1918 source address.
rej1918dst - Rejectss packets with an RFC 1918 original
destination IP address.
The 'norfc1918' option on the interface associated with zone 'z'
and with RFC1018_STRICT=Yes is equivalent to:
drop1918src z all
drop1918dst z all
New Features in Shorewall 4.1.


@ -815,16 +815,75 @@ sub process_actions3 () {
add_rule $chainref, '-j ACCEPT';
}
my %builtinops = ( 'dropBcast' => \&dropBcast,
'allowBcast' => \&allowBcast,
'dropNotSyn' => \&dropNotSyn,
'rejNotSyn' => \&rejNotSyn,
'dropInvalid' => \&dropInvalid,
'allowInvalid' => \&allowInvalid,
'allowinUPnP' => \&allowinUPnP,
'forwardUPnP' => \&forwardUPnP,
'Limit' => \&Limit,
);
sub drop1918src( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'dropRFC1918src', 'DROP', '', $tag, 'add', '-s 10.0.0.0/8 ';
log_rule_limit $level, $chainref, 'dropRFC1918src', 'DROP', '', $tag, 'add', '-s 172.16.0.0/12 ';
log_rule_limit $level, $chainref, 'dropRFC1918src', 'DROP', '', $tag, 'add', '-s 192.168.0.0/16 ';
}
add_rule $chainref, '-s 10.0.0.0/8 -j DROP';
add_rule $chainref, '-s 172.16.0.0/12 -j DROP';
add_rule $chainref, '-s 192.168.0.0/16 -j DROP';
}
sub drop1918dst( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'drop1918src', 'DROP', '', $tag, 'add', '-m conntrack --ctorigdst 10.0.0.0/8 ';
log_rule_limit $level, $chainref, 'drop1918src', 'DROP', '', $tag, 'add', '-m conntrack --ctorigdst 172.16.0.0/12 ';
log_rule_limit $level, $chainref, 'drop1918src', 'DROP', '', $tag, 'add', '-m conntrack --ctorigdst 192.168.0.0/16 ';
}
add_rule $chainref, '-m conntrack --ctorigdst 10.0.0.0/8 -j DROP';
add_rule $chainref, '-m conntrack --ctorigdst 172.16.0.0/12 -j DROP';
add_rule $chainref, '-m conntrack --ctorigdst 192.168.0.0/16 -j DROP';
}
sub rej1918src( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-s 10.0.0.0/8 ';
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-s 172.16.0.0/12 ';
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-s 192.168.0.0/16 ';
}
add_rule $chainref, '-s 10.0.0.0/8 -j reject';
add_rule $chainref, '-s 172.16.0.0/12 -j reject';
add_rule $chainref, '-s 192.168.0.0/16 -j reject';
}
sub rej1918dst( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-m conntrack --ctorigdst 10.0.0.0/8 ';
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-m conntrack --ctorigdst 172.16.0.0/12 ';
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-m conntrack --ctorigdst 192.168.0.0/16 ';
}
add_rule $chainref, '-m conntrack --ctorigdst 10.0.0.0/8 -j reject';
add_rule $chainref, '-m conntrack --ctorigdst 172.16.0.0/12 -j reject';
add_rule $chainref, '-m conntrack --ctorigdst 192.168.0.0/16 -j reject';
}
my %builtinops = ( 'dropBcast' => \&dropBcast,
'allowBcast' => \&allowBcast,
'dropNotSyn' => \&dropNotSyn,
'rejNotSyn' => \&rejNotSyn,
'dropInvalid' => \&dropInvalid,
'allowInvalid' => \&allowInvalid,
'allowinUPnP' => \&allowinUPnP,
'forwardUPnP' => \&forwardUPnP,
'drop1918src' => \&drop1918src,
'drop1918dst' => \&drop1918dst,
'rej1918src' => \&drop1918src,
'rej1918dst' => \&drop1918dst,
'Limit' => \&Limit, );
for my $wholeaction ( keys %usedactions ) {
my $chainref = find_logactionchain $wholeaction;
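Review bot: The dispatch table at the end of the hunk wires the two REJECT built-ins to the DROP handlers — `'rej1918src' => \&drop1918src,` and `'rej1918dst' => \&drop1918dst,` — so a rule that names rej1918src or rej1918dst will silently drop instead of rejecting, and the rej1918src/rej1918dst subs defined just above are never reached; the entries should read `'rej1918src' => \&rej1918src,` and `'rej1918dst' => \&rej1918dst,`. The log labels are also inconsistent: drop1918src logs as 'dropRFC1918src' while every other sub and table key uses the short form, and both dst variants log under the src name (drop1918dst passes 'drop1918src', rej1918dst passes 'rej1918src'), so kernel log lines cannot distinguish a dropped RFC 1918 source from a dropped RFC 1918 original destination. Since the four bodies differ only in match prefix, disposition, jump target and label, one helper over the three RFC 1918 networks removes the copy-paste that produced both slips (sketch below); the interleaved log/drop order per network is equivalent to the original log-all-then-drop-all order because the LOG rules are non-terminating. process_actions3, which the hunk header names as the enclosing sub, starts and ends outside the hunk, so whether these subs are nested inside it is not visible here.
```perl
# … unchanged: Limit …

my @rfc1918_nets = qw( 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );

# Shared body of the four RFC 1918 built-ins. $match is the iptables match
# prefix, $disposition the value shown in the log, $jump the rule target
# (the 'reject' chain for the rej* variants) and $label the log chain name.
sub rfc1918_action {
    my ( $chainref, $level, $tag, $match, $disposition, $jump, $label ) = @_;

    for my $net ( @rfc1918_nets ) {
        log_rule_limit $level, $chainref, $label, $disposition, '', $tag, 'add', "$match $net " if $level ne '';
        add_rule $chainref, "$match $net -j $jump";
    }
}

sub drop1918src( $$$ ) { rfc1918_action( @_, '-s', 'DROP', 'DROP', 'drop1918src' ) }
sub drop1918dst( $$$ ) { rfc1918_action( @_, '-m conntrack --ctorigdst', 'DROP', 'DROP', 'drop1918dst' ) }
sub rej1918src( $$$ )  { rfc1918_action( @_, '-s', 'REJECT', 'reject', 'rej1918src' ) }
sub rej1918dst( $$$ )  { rfc1918_action( @_, '-m conntrack --ctorigdst', 'REJECT', 'reject', 'rej1918dst' ) }

# … unchanged: %builtinops, with 'rej1918src' => \&rej1918src and 'rej1918dst' => \&rej1918dst …
```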


@ -280,36 +280,40 @@ sub initialize() {
#
# As new targets (Actions and Macros) are discovered, they are added to the table
#
%targets = ('ACCEPT' => STANDARD,
'ACCEPT+' => STANDARD + NONAT,
'ACCEPT!' => STANDARD,
'NONAT' => STANDARD + NONAT + NATONLY,
'DROP' => STANDARD,
'DROP!' => STANDARD,
'REJECT' => STANDARD,
'REJECT!' => STANDARD,
'DNAT' => NATRULE,
'DNAT-' => NATRULE + NATONLY,
'REDIRECT' => NATRULE + REDIRECT,
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
'LOG' => STANDARD + LOGRULE,
'CONTINUE' => STANDARD,
'CONTINUE!' => STANDARD,
'QUEUE' => STANDARD,
'QUEUE!' => STANDARD,
'NFQUEUE' => STANDARD + NFQ,
'NFQUEUE!' => STANDARD + NFQ,
'SAME' => NATRULE,
'SAME-' => NATRULE + NATONLY,
'dropBcast' => BUILTIN + ACTION,
'allowBcast' => BUILTIN + ACTION,
'dropNotSyn' => BUILTIN + ACTION,
'rejNotSyn' => BUILTIN + ACTION,
'dropInvalid' => BUILTIN + ACTION,
'allowInvalid' => BUILTIN + ACTION,
'allowinUPnP' => BUILTIN + ACTION,
'forwardUPnP' => BUILTIN + ACTION,
'Limit' => BUILTIN + ACTION,
%targets = ('ACCEPT' => STANDARD,
'ACCEPT+' => STANDARD + NONAT,
'ACCEPT!' => STANDARD,
'NONAT' => STANDARD + NONAT + NATONLY,
'DROP' => STANDARD,
'DROP!' => STANDARD,
'REJECT' => STANDARD,
'REJECT!' => STANDARD,
'DNAT' => NATRULE,
'DNAT-' => NATRULE + NATONLY,
'REDIRECT' => NATRULE + REDIRECT,
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
'LOG' => STANDARD + LOGRULE,
'CONTINUE' => STANDARD,
'CONTINUE!' => STANDARD,
'QUEUE' => STANDARD,
'QUEUE!' => STANDARD,
'NFQUEUE' => STANDARD + NFQ,
'NFQUEUE!' => STANDARD + NFQ,
'SAME' => NATRULE,
'SAME-' => NATRULE + NATONLY,
'dropBcast' => BUILTIN + ACTION,
'allowBcast' => BUILTIN + ACTION,
'dropNotSyn' => BUILTIN + ACTION,
'rejNotSyn' => BUILTIN + ACTION,
'dropInvalid' => BUILTIN + ACTION,
'allowInvalid' => BUILTIN + ACTION,
'allowinUPnP' => BUILTIN + ACTION,
'forwardUPnP' => BUILTIN + ACTION,
'drop1918src' => BUILTIN + ACTION,
'drop1918dst' => BUILTIN + ACTION,
'rej1918src' => BUILTIN + ACTION,
'rej1918dst' => BUILTIN + ACTION,
'Limit' => BUILTIN + ACTION,
);
#
# Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ...
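Review bot: The four new BUILTIN + ACTION entries in %targets are a second hand-maintained copy of the built-in action list, the first being the %builtinops dispatch table in Actions.pm, and nothing visible here checks that a name registered in one has a handler in the other. A one-line comment above the built-in block would make the coupling visible to the next person adding an action: `# Every BUILTIN + ACTION name below needs a matching handler in %builtinops (Actions.pm).` initialize() starts before and ends after the hunk.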


@ -215,6 +215,8 @@ sub setup_rfc1918_filteration( $ ) {
my $rfc1918ref = new_standard_chain 'rfc1918';
my $chainref = $norfc1918ref;
warning_message q(The 'norfc1918' option is deprecated in favor of the RFC1918-oriented built-in actions);
log_rule $config{RFC1918_LOG_LEVEL} , $rfc1918ref , 'DROP' , '';
add_rule $rfc1918ref , '-j DROP';
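Review bot: The new deprecation warning names neither the replacement actions nor the interface that triggered it, so a user reading the compile output has to find the release notes to learn what to change. Suggest `warning_message q(The 'norfc1918' interface option is deprecated; use the drop1918src, drop1918dst, rej1918src and rej1918dst built-in actions instead);`. Whether this message is emitted once per compile or once per interface depends on how setup_rfc1918_filteration is called, which is outside the hunk; the function starts and ends outside it.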