Fix IPv6 'nosmurfs'. Make 'nosmurfs' logging more efficient.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-03 15:03:15 -08:00 · 2010-02-03 15:03:15 -08:00 · f4e175f149
commit f4e175f149
parent 97f3e5b8de
5 changed files with 64 additions and 39 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -41,6 +41,7 @@ our @EXPORT = qw(
 		  new_chain
 		  new_manual_chain
 		  ensure_manual_chain
+		  newlogchain
 		  log_rule_limit
 		  dont_optimize
 		  dont_delete
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -451,29 +451,66 @@ sub add_common_rules() {

    $list = find_hosts_by_option 'nosmurfs';

-    $chainref = new_standard_chain 'smurfs';
+    if ( @$list ) {
+	progress_message2 'Adding Anti-smurf Rules';

-    if ( have_capability( 'ADDRTYPE' ) ) {
-	add_rule $chainref , '-s 0.0.0.0 -j RETURN';
-	add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
-    } else {
-	if ( $family == F_IPV4 ) {
-	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+	$chainref = new_standard_chain 'smurfs';
+    
+	my $smurfdest;
+
+	if ( defined $config{SMURF_LOG_LEVEL} && $config{SMURF_LOG_LEVEL} ne '' ) {
+	    my $smurfref = new_chain( 'filter', $smurfdest = newlogchain );
+	    
+	    log_rule_limit( $config{SMURF_LOG_LEVEL},
+			    $smurfref,
+			    'smurfs' ,
+			    'DROP',
+			    $globals{LOGLIMIT},
+			    '', 
+			    'add',
+			    '' );
+	    add_rule( $smurfref, '-j DROP' );
 	} else {
-	    add_commands $chainref, 'for address in $ALL_ACASTS; do';
+	    $smurfdest = 'DROP';
 	}

-	incr_cmd_level $chainref;
-	log_rule( $config{SMURF_LOG_LEVEL} , $chainref, 'DROP', '-s $address ' );
-	add_rule $chainref, '-s $address -j DROP';
-	decr_cmd_level $chainref;
-	add_commands $chainref, 'done';
-    }
+	if ( have_capability( 'ADDRTYPE' ) ) {
+	    add_rule $chainref , '-s 0.0.0.0 -j RETURN';
+	    add_jump( $chainref, $smurfdest, 1, '-m addrtype --src-type BROADCAST ' ) ;
+	} else {
+	    if ( $family == F_IPV4 ) {
+		add_commands $chainref, 'for address in $ALL_BCASTS; do';
+	    } else {
+		add_commands $chainref, 'for address in $ALL_ACASTS; do';
+	    }
+	    
+	    incr_cmd_level $chainref;
+	    add_jump( $chainref, $smurfdest, 1, '-s $address ' );
+	    decr_cmd_level $chainref;
+	    add_commands $chainref, 'done';
+	}

-    if ( $family == F_IPV4 ) {
-	add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL};
-    } else {
-	add_rule_pair $chainref, '-s ff00::/10 ', 'DROP', $config{SMURF_LOG_LEVEL} if $family == F_IPV4;
+	if ( $family == F_IPV4 ) {
+	    add_jump( $chainref, $smurfdest, 1, '-s 224.0.0.0/4 ' );
+	} else {
+	    add_jump( $chainref, $smurfdest, 1, '-s ff00::/10 ' );
+	}
+
+	my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
+
+	for my $hostref  ( @$list ) {
+	    $interface     = $hostref->[0];
+	    my $ipsec      = $hostref->[1];
+	    my $policy     = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
+	    my $target     = source_exclusion( $hostref->[3], $chainref );
+
+	    for $chain ( first_chains $interface ) {
+		add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ),  $policy );
+	    }
+
+	    set_interface_option $interface, 'use_input_chain', 1;
+	    set_interface_option $interface, 'use_forward_chain', 1;
+	}
    }

    if ( have_capability( 'ADDRTYPE' ) ) {
@ -497,26 +534,6 @@ sub add_common_rules() {
 	add_rule $rejectref , '-s ff00::/10 -j DROP';
    }

-    if ( @$list ) {
-	progress_message2 'Adding Anti-smurf Rules';
-
-	my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
-
-	for my $hostref  ( @$list ) {
-	    $interface     = $hostref->[0];
-	    my $ipsec      = $hostref->[1];
-	    my $policy     = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
-	    my $target     = source_exclusion( $hostref->[3], $chainref );
-
-	    for $chain ( first_chains $interface ) {
-		add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ),  $policy );
-	    }
-
-	    set_interface_option $interface, 'use_input_chain', 1;
-	    set_interface_option $interface, 'use_forward_chain', 1;
-	}
-    }
-
    add_rule $rejectref , '-p 2 -j DROP';
    add_rule $rejectref , '-p 6 -j REJECT --reject-with tcp-reset';

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -248,7 +248,7 @@ sub initialize( $ ) {
 				    dhcp        => SIMPLE_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
-				    nosmurfs    => SIMPLE_IF_OPTION,
+				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -18,6 +18,8 @@ Changes in Shorewall 4.4.7

 9)  Correct defects in generate_matrix().

+10) Fix and optimize 'nosmurfs'.
+
 Changes in Shorewall 4.4.6

 1)  Fix for rp_filter and kernel 2.6.31.
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -204,6 +204,11 @@ Shorewall 4.4.7 RC 2

    then 'shorewall start' would fail.

+4)  Previously, the 'nosmurfs' option was ignored in IPv6
+    compilations. As part of this fix, 'nosmurfs' handling when
+    SMURF_LOG_LEVEL is specified has been improved for both IPv4 and
+    IPv6.
+
 ----------------------------------------------------------------------------
             K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------