Add MACLIST_TTL
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2013 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
c4288e3808
commit
f4cae112fd
@ -4,6 +4,8 @@ Changes in 2.2.3
|
|||||||
|
|
||||||
2) Obey 'routestopped' rules during [re]start.
|
2) Obey 'routestopped' rules during [re]start.
|
||||||
|
|
||||||
|
3) MACLIST_TTL added.
|
||||||
|
|
||||||
Changes in 2.2.2
|
Changes in 2.2.2
|
||||||
|
|
||||||
1) The 'check' command disclaimer is toned down further and only
|
1) The 'check' command disclaimer is toned down further and only
|
||||||
|
@ -464,6 +464,11 @@ mac_chain() # $1 = interface
|
|||||||
echo $(chain_base $1)_mac
|
echo $(chain_base $1)_mac
|
||||||
}
|
}
|
||||||
|
|
||||||
|
macrecent_target() # $1 - interface
|
||||||
|
{
|
||||||
|
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Functions for creating dynamic zone rules
|
# Functions for creating dynamic zone rules
|
||||||
#
|
#
|
||||||
@ -2000,6 +2005,7 @@ setup_mac_lists() {
|
|||||||
local addresses
|
local addresses
|
||||||
local address
|
local address
|
||||||
local chain
|
local chain
|
||||||
|
local chain1
|
||||||
local macpart
|
local macpart
|
||||||
local blob
|
local blob
|
||||||
local hosts
|
local hosts
|
||||||
@ -2024,10 +2030,19 @@ setup_mac_lists() {
|
|||||||
|
|
||||||
progress_message "Setting up MAC Verification on $maclist_interfaces..."
|
progress_message "Setting up MAC Verification on $maclist_interfaces..."
|
||||||
#
|
#
|
||||||
# Be sure that they are all ethernet interfaces
|
# Create chains.
|
||||||
#
|
#
|
||||||
for interface in $maclist_interfaces; do
|
for interface in $maclist_interfaces; do
|
||||||
createchain $(mac_chain $interface) no
|
chain=$(mac_chain $interface)
|
||||||
|
createchain $chain no
|
||||||
|
|
||||||
|
if [ -n "$MACLIST_TTL" ]; then
|
||||||
|
chain1=$(macrecent_target $interface)
|
||||||
|
createchain $chain1 no
|
||||||
|
run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
|
||||||
|
run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT
|
||||||
|
run_iptables -A $chain1 -m recent --set --name $chain -j ACCEPT
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
#
|
#
|
||||||
# Process the maclist file producing the verification rules
|
# Process the maclist file producing the verification rules
|
||||||
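Review bot: The cache-hit rule `run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT` refreshes the entry's "last seen" timestamp on every accepted packet, so an address that keeps sending traffic is never re-verified against the maclist, whereas the shorewall.conf comment added in this commit says the next request "After $MACLIST_TTL from the first accepted connection request" is checked against the entire list. If I read the recent match's --update semantics correctly, the documented absolute-TTL behaviour would be `run_iptables -A $chain1 -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j ACCEPT`, which leaves the timestamp alone on a hit and lets the following `--set` rule (re)stamp only new or expired entries; otherwise the comment should describe a sliding window that resets on every packet. Note that `$chain1` is reached both from the `--rcheck --seconds` rule in `$chain` and from the maclist entry rules, so whichever semantics is chosen applies to both paths. setup_mac_lists continues outside this hunk.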
@ -2047,6 +2062,7 @@ setup_mac_lists() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
chain=$(mac_chain $interface)
|
chain=$(mac_chain $interface)
|
||||||
|
chain1=$(macrecent_target $interface)
|
||||||
|
|
||||||
if ! havechain $chain ; then
|
if ! havechain $chain ; then
|
||||||
fatal_error "No hosts on $interface have the maclist option specified"
|
fatal_error "No hosts on $interface have the maclist option specified"
|
||||||
@ -2055,10 +2071,10 @@ setup_mac_lists() {
|
|||||||
macpart=$(mac_match $mac)
|
macpart=$(mac_match $mac)
|
||||||
|
|
||||||
if [ -z "$addresses" ]; then
|
if [ -z "$addresses" ]; then
|
||||||
run_iptables -A $chain $macpart $physdev_part -j RETURN
|
run_iptables -A $chain $macpart $physdev_part -j $chain1
|
||||||
else
|
else
|
||||||
for address in $(separate_list $addresses) ; do
|
for address in $(separate_list $addresses) ; do
|
||||||
run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
|
run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
done < $TMP_DIR/maclist
|
done < $TMP_DIR/maclist
|
||||||
@ -2068,6 +2084,7 @@ setup_mac_lists() {
|
|||||||
#
|
#
|
||||||
for interface in $maclist_interfaces; do
|
for interface in $maclist_interfaces; do
|
||||||
chain=$(mac_chain $interface)
|
chain=$(mac_chain $interface)
|
||||||
|
chain1=$(macrecent_target $interface)
|
||||||
|
|
||||||
blob=$(ip link show $interface 2> /dev/null)
|
blob=$(ip link show $interface 2> /dev/null)
|
||||||
|
|
||||||
@ -2076,11 +2093,11 @@ setup_mac_lists() {
|
|||||||
|
|
||||||
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
|
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
|
||||||
if [ -n "$broadcast" ]; then
|
if [ -n "$broadcast" ]; then
|
||||||
run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN
|
run_iptables -A $chain -s ${address%/*} -d $broadcast -j $chain1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
|
run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1
|
||||||
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
|
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j $chain1
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ -n "$MACLIST_LOG_LEVEL" ]; then
|
if [ -n "$MACLIST_LOG_LEVEL" ]; then
|
||||||
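Review bot: The three exemption rules changed to `-j $chain1` here (`-d $broadcast`, `-d 255.255.255.255`, `-d 224.0.0.0/4`) match on source address alone, with no MAC part, yet `$chain1` adds that source to the recent list via `--set`; with MACLIST_TTL set, a packet matching one of them therefore primes the cache for an address that was never MAC-verified, and subsequent unicast packets from that address skip the maclist for MACLIST_TTL seconds. Before this commit these rules only exempted the broadcast/multicast packet itself. Keeping `-j RETURN` on these three rules, and leaving `-j $chain1` for the maclist entry rules in the earlier hunk (the ones carrying `$macpart`), restricts the cache to addresses that passed a MAC check. The enclosing `for interface` loop starts outside this hunk.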
@ -5600,6 +5617,7 @@ determine_capabilities() {
|
|||||||
POLICY_MATCH=
|
POLICY_MATCH=
|
||||||
PHYSDEV_MATCH=
|
PHYSDEV_MATCH=
|
||||||
IPRANGE_MATCH=
|
IPRANGE_MATCH=
|
||||||
|
RECENT_MATCH=
|
||||||
|
|
||||||
qt $IPTABLES -N fooX1234
|
qt $IPTABLES -N fooX1234
|
||||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||||
@ -5608,7 +5626,7 @@ determine_capabilities() {
|
|||||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||||
|
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||||
|
|
||||||
if [ -n "$PKTTYPE" ]; then
|
if [ -n "$PKTTYPE" ]; then
|
||||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
||||||
@ -5638,6 +5656,7 @@ report_capabilities() {
|
|||||||
report_capability "Policy Match" $POLICY_MATCH
|
report_capability "Policy Match" $POLICY_MATCH
|
||||||
report_capability "Physdev Match" $PHYSDEV_MATCH
|
report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||||
report_capability "IP range Match" $IPRANGE_MATCH
|
report_capability "IP range Match" $IPRANGE_MATCH
|
||||||
|
report_capability "Recent Match" $RECENT_MATCH
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -7263,6 +7282,7 @@ do_initialize() {
|
|||||||
LOGALLNEW=
|
LOGALLNEW=
|
||||||
DROPINVALID=
|
DROPINVALID=
|
||||||
RFC1918_STRICT=
|
RFC1918_STRICT=
|
||||||
|
MACLIST_TTL=
|
||||||
|
|
||||||
RESTOREBASE=
|
RESTOREBASE=
|
||||||
TMP_DIR=
|
TMP_DIR=
|
||||||
@ -7459,6 +7479,12 @@ do_initialize() {
|
|||||||
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
||||||
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
||||||
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||||
|
|
||||||
|
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
|
||||||
|
|
||||||
|
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
|
||||||
|
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
||||||
|
fi
|
||||||
#
|
#
|
||||||
# Strip the files that we use often
|
# Strip the files that we use often
|
||||||
#
|
#
|
||||||
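Review bot: `[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=` accepts any other non-empty value, so a non-numeric or negative MACLIST_TTL is only rejected later when `run_iptables` passes it to `--seconds` during rule setup, after the mac chains have already been created, and with a less helpful error. Since do_initialize already has the startup_error path for the missing-capability case, a config-time check fits here: `case "$MACLIST_TTL" in *[!0-9]*) startup_error "Invalid MACLIST_TTL value: $MACLIST_TTL" ;; esac` placed before the zero test. do_initialize continues outside this hunk.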
|
@ -768,6 +768,29 @@ DROPINVALID=No
|
|||||||
|
|
||||||
RFC1918_STRICT=No
|
RFC1918_STRICT=No
|
||||||
|
|
||||||
|
#
|
||||||
|
# MACLIST caching
|
||||||
|
#
|
||||||
|
# If your iptables and kernel support the "Recent Match" (see the output of
|
||||||
|
# "shorewall check" near the top), you can cache the results of a 'maclist'
|
||||||
|
# file lookup and thus reduce the overhead associated with MAC Verification
|
||||||
|
# (/etc/shorewall/maclist).
|
||||||
|
#
|
||||||
|
# When a new connection arrives from a 'maclist' interface, the packet passes
|
||||||
|
# through then list of entries for that interface in /etc/shorewall/maclist. If
|
||||||
|
# there is a match then the source IP address is added to the 'Recent' set for
|
||||||
|
# that interface. Subsequent connection attempts from that IP address occuring
|
||||||
|
# within $MACLIST_TTL seconds will be accepted without having to scan all of
|
||||||
|
# the entries. After $MACLIST_TTL from the first accepted connection request,
|
||||||
|
# the next connection request from that IP address will be checked against
|
||||||
|
# the entire list.
|
||||||
|
#
|
||||||
|
# If MACLIST_TTL is not specified or is specified as empty (e.g,
|
||||||
|
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
|
||||||
|
# be cached.
|
||||||
|
|
||||||
|
MACLIST_TTL=
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
################################################################################
|
################################################################################
|
||||||
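Review bot: The new MACLIST_TTL commentary should state plainly that while an address is cached only its source IP address is matched and the MAC address is not re-checked until the entry expires, since that is the trade-off an administrator enabling caching is accepting; a sentence such as `# While an address is cached, packets from it are accepted on source IP address alone; the MAC is not re-checked until the entry expires.` after the paragraph describing the 'Recent' set would cover it. It would also help to say the value is a non-negative integer number of seconds. Two typos in the same block: "passes through then list of entries" should read "the list", and "occuring" should be "occurring".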
|