forked from extern/shorewall_code
Add HELPERS to rules file
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
ccf517307e
commit
ee28638604
@ -666,11 +666,6 @@ sub compiler {
|
||||
# (Produces no output to the compiled script)
|
||||
#
|
||||
process_policies;
|
||||
#
|
||||
# N O T R A C K
|
||||
# (Produces no output to the compiled script)
|
||||
#
|
||||
setup_notrack;
|
||||
|
||||
enable_script;
|
||||
|
||||
@ -799,6 +794,10 @@ sub compiler {
|
||||
#
|
||||
process_rules( $convert );
|
||||
#
|
||||
# Process the conntrack file
|
||||
#
|
||||
setup_conntrack;
|
||||
#
|
||||
# Add Tunnel rules.
|
||||
#
|
||||
setup_tunnels;
|
||||
|
||||
@ -606,7 +606,6 @@ sub initialize( $;$ ) {
|
||||
EXPORT => 0,
|
||||
KLUDGEFREE => '',
|
||||
STATEMATCH => '-m state --state',
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.5.6",
|
||||
CAPVERSION => 40507 ,
|
||||
);
|
||||
|
||||
@ -681,7 +681,7 @@ sub add_common_rules ( $ ) {
|
||||
my $chain;
|
||||
my $dynamicref;
|
||||
|
||||
my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
|
||||
my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
|
||||
my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
|
||||
my $level = $config{BLACKLIST_LOGLEVEL};
|
||||
my $rejectref = $filter_table->{reject};
|
||||
@ -882,7 +882,7 @@ sub add_common_rules ( $ ) {
|
||||
add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
|
||||
}
|
||||
|
||||
my @state = $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';
|
||||
my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';
|
||||
|
||||
for my $hostref ( @$list ) {
|
||||
$interface = $hostref->[0];
|
||||
@ -1187,7 +1187,7 @@ sub setup_mac_lists( $ ) {
|
||||
my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
|
||||
my @source = imatch_source_net $hostref->[2];
|
||||
|
||||
my @state = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
|
||||
my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
|
||||
|
||||
if ( $table eq 'filter' ) {
|
||||
my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
|
||||
|
||||
@ -32,8 +32,8 @@ use Shorewall::Chains qw(:DEFAULT :internal);
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_notrack );
|
||||
our @EXPORT_OK = qw( );
|
||||
our @EXPORT = qw( setup_conntrack );
|
||||
our @EXPORT_OK = qw( process_conntrack_rule );
|
||||
our $VERSION = 'MODULEVERSION';
|
||||
|
||||
my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
|
||||
@ -41,7 +41,7 @@ my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured
|
||||
#
|
||||
# Notrack
|
||||
#
|
||||
sub process_notrack_rule( $$$$$$$ ) {
|
||||
sub process_conntrack_rule( $$$$$$$ ) {
|
||||
|
||||
my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
|
||||
|
||||
@ -122,9 +122,7 @@ sub process_notrack_rule( $$$$$$$ ) {
|
||||
$target ,
|
||||
$exception_rule );
|
||||
|
||||
progress_message " Notrack rule \"$currentline\" $done";
|
||||
|
||||
$globals{UNTRACKED} = 1;
|
||||
progress_message " Conntrack rule \"$currentline\" $done";
|
||||
}
|
||||
|
||||
sub process_format( $ ) {
|
||||
@ -135,7 +133,7 @@ sub process_format( $ ) {
|
||||
$format;
|
||||
}
|
||||
|
||||
sub setup_notrack() {
|
||||
sub setup_conntrack() {
|
||||
|
||||
my $format = 1;
|
||||
my $action = 'NOTRACK';
|
||||
@ -188,10 +186,10 @@ sub setup_notrack() {
|
||||
|
||||
if ( $source eq 'all' ) {
|
||||
for my $zone (all_zones) {
|
||||
process_notrack_rule( $action, $zone, $dest, $proto, $ports, $sports, $user );
|
||||
process_conntrack_rule( $action, $zone, $dest, $proto, $ports, $sports, $user );
|
||||
}
|
||||
} else {
|
||||
process_notrack_rule( $action, $source, $dest, $proto, $ports, $sports, $user );
|
||||
process_conntrack_rule( $action, $source, $dest, $proto, $ports, $sports, $user );
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -34,6 +34,7 @@ use Shorewall::Zones;
|
||||
use Shorewall::Chains qw(:DEFAULT :internal);
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Nat qw(:rules);
|
||||
use Shorewall::Raw qw( process_conntrack_rule );
|
||||
use Scalar::Util 'reftype';
|
||||
|
||||
use strict;
|
||||
@ -91,7 +92,9 @@ my %rulecolumns = ( action => 0,
|
||||
connlimit => 10,
|
||||
time => 11,
|
||||
headers => 12,
|
||||
switch => 13 );
|
||||
switch => 13,
|
||||
helper => 14,
|
||||
);
|
||||
|
||||
use constant { MAX_MACRO_NEST_LEVEL => 5 };
|
||||
|
||||
@ -118,6 +121,10 @@ my %auditpolicies = ( ACCEPT => 1,
|
||||
REJECT => 1
|
||||
);
|
||||
#
|
||||
# Source zone of the rule being processed
|
||||
#
|
||||
my $rulezone;
|
||||
#
|
||||
# Rather than initializing globals in an INIT block or during declaration,
|
||||
# we initialize them in a function. This is done for two reasons:
|
||||
#
|
||||
@ -1424,7 +1431,7 @@ sub process_actions() {
|
||||
|
||||
}
|
||||
|
||||
sub process_rule1 ( $$$$$$$$$$$$$$$$$ );
|
||||
sub process_rule1 ( $$$$$$$$$$$$$$$$$$ );
|
||||
|
||||
#
|
||||
# Populate an action invocation chain. As new action tuples are encountered,
|
||||
@ -1457,14 +1464,14 @@ sub process_action( $) {
|
||||
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
|
||||
my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );
|
||||
my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );
|
||||
|
||||
if ( $format == 1 ) {
|
||||
($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
|
||||
split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
|
||||
$origdest = $connlimit = $time = $headers = $condition = '-';
|
||||
} else {
|
||||
($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition )
|
||||
($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
|
||||
= split_line1 'action file', \%rulecolumns, $action_commands;
|
||||
}
|
||||
|
||||
@ -1502,6 +1509,7 @@ sub process_action( $) {
|
||||
$time,
|
||||
$headers,
|
||||
$condition,
|
||||
$helper,
|
||||
0 );
|
||||
}
|
||||
|
||||
@ -1531,8 +1539,8 @@ sub use_policy_action( $ ) {
|
||||
#
|
||||
# Expand a macro rule from the rules file
|
||||
#
|
||||
sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
|
||||
my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $wildcard ) = @_;
|
||||
sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
|
||||
my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
|
||||
|
||||
my $nocomment = no_comment;
|
||||
|
||||
@ -1550,13 +1558,13 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
|
||||
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
|
||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );
|
||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);
|
||||
|
||||
if ( $format == 1 ) {
|
||||
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
|
||||
( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/;
|
||||
( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = qw/- - - - - - -/;
|
||||
} else {
|
||||
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
|
||||
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
|
||||
}
|
||||
|
||||
fatal_error 'TARGET must be specified' if $mtarget eq '-';
|
||||
@ -1635,6 +1643,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
|
||||
merge_macro_column( $mtime, $time ),
|
||||
merge_macro_column( $mheaders, $headers ),
|
||||
merge_macro_column( $mcondition, $condition ),
|
||||
merge_macro_column( $mhelper, $helper ),
|
||||
$wildcard
|
||||
);
|
||||
|
||||
@ -1667,7 +1676,7 @@ sub verify_audit($;$$) {
|
||||
# Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
|
||||
# body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
|
||||
#
|
||||
sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
||||
sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
||||
my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise
|
||||
$target,
|
||||
$current_param,
|
||||
@ -1684,6 +1693,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
||||
$time,
|
||||
$headers,
|
||||
$condition,
|
||||
$helper,
|
||||
$wildcard ) = @_;
|
||||
|
||||
my ( $action, $loglevel) = split_action $target;
|
||||
@ -1735,6 +1745,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
||||
$time,
|
||||
$headers,
|
||||
$condition,
|
||||
$helper,
|
||||
$wildcard );
|
||||
|
||||
$macro_nest_level--;
|
||||
@ -1884,6 +1895,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
||||
fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
|
||||
fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
|
||||
fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone;
|
||||
|
||||
$rulezone = $sourcezone;
|
||||
}
|
||||
|
||||
if ( $actiontype & NATONLY ) {
|
||||
@ -2049,8 +2062,18 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
||||
$rule,
|
||||
$source,
|
||||
( $actiontype & ACTION ) ? '' : $loglevel,
|
||||
$log_action
|
||||
);
|
||||
$log_action,
|
||||
);
|
||||
|
||||
unless ( $helper eq '-' ) {
|
||||
process_conntrack_rule( "CT:helper:$helper" ,
|
||||
"$rulezone:$source",
|
||||
$origdest,
|
||||
$proto,
|
||||
$ports,
|
||||
$sports,
|
||||
$user );
|
||||
}
|
||||
#
|
||||
# After NAT:
|
||||
# - the destination port will be the server port ($ports) -- we did that above
|
||||
@ -2121,6 +2144,16 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
||||
$loglevel ,
|
||||
$log_action ,
|
||||
'' );
|
||||
|
||||
if ( ! ( $helper eq '-' || ( $actiontype & NATRULE ) ) ) {
|
||||
process_conntrack_rule( "CT:helper:$helper" ,
|
||||
"$rulezone:$source",
|
||||
$origdest ? $origdest : $dest,
|
||||
$proto,
|
||||
$ports,
|
||||
$sports,
|
||||
$user );
|
||||
}
|
||||
}
|
||||
|
||||
return 1;
|
||||
@ -2224,7 +2257,7 @@ sub build_zone_list( $$$\$\$ ) {
|
||||
# Process a Record in the rules file
|
||||
#
|
||||
sub process_rule ( ) {
|
||||
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition )
|
||||
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
|
||||
= split_line1 'rules file', \%rulecolumns, $rule_commands;
|
||||
|
||||
fatal_error 'ACTION must be specified' if $target eq '-';
|
||||
@ -2281,6 +2314,7 @@ sub process_rule ( ) {
|
||||
$time,
|
||||
$headers,
|
||||
$condition,
|
||||
$helper,
|
||||
$wild );
|
||||
}
|
||||
}
|
||||
@ -2305,7 +2339,7 @@ sub classic_blacklist() {
|
||||
my $fw = firewall_zone;
|
||||
my @zones = off_firewall_zones;
|
||||
my @vservers = vserver_zones;
|
||||
my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
|
||||
my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
|
||||
my $result;
|
||||
|
||||
for my $zone ( @zones ) {
|
||||
|
||||
@ -61,7 +61,7 @@ sub setup_tunnels() {
|
||||
}
|
||||
}
|
||||
|
||||
my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
|
||||
my @options = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
|
||||
|
||||
add_tunnel_rule $inchainref, p => 50, @$source;
|
||||
add_tunnel_rule $outchainref, p => 50, @$dest;
|
||||
|
||||
@ -57,6 +57,7 @@ our @EXPORT = qw( NOTHING
|
||||
all_parent_zones
|
||||
complex_zones
|
||||
vserver_zones
|
||||
on_firewall_zones
|
||||
off_firewall_zones
|
||||
non_firewall_zones
|
||||
single_interface
|
||||
@ -838,6 +839,10 @@ sub all_zones() {
|
||||
@zones;
|
||||
}
|
||||
|
||||
sub on_firewall_zones() {
|
||||
grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) ) , @zones );
|
||||
}
|
||||
|
||||
sub off_firewall_zones() {
|
||||
grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) ) , @zones );
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user