forked from extern/shorewall_code
df41b69a04
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8367 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
905 lines
26 KiB
Perl
905 lines
26 KiB
Perl
#
|
|
# Shorewall-perl 4.1 -- /usr/share/shorewall-perl/Shorewall/Actions.pm
|
|
#
|
|
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
|
#
|
|
# (c) 2007 - Tom Eastep (teastep@shorewall.net)
|
|
#
|
|
# Complete documentation is available at http://shorewall.net
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of Version 2 of the GNU General Public License
|
|
# as published by the Free Software Foundation.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
#
|
|
# This module contains the code for dealing with actions (built-in,
|
|
# standard and user-defined) and Macros.
|
|
#
|
|
package Shorewall::Actions;
|
|
require Exporter;
|
|
use Shorewall::Config qw(:DEFAULT :internal);
|
|
use Shorewall::Zones;
|
|
use Shorewall::Chains qw(:DEFAULT :internal);
|
|
|
|
use strict;
|
|
|
|
our @ISA = qw(Exporter);
|
|
our @EXPORT = qw( merge_levels
|
|
isolate_basic_target
|
|
get_target_param
|
|
add_requiredby
|
|
createactionchain
|
|
find_logactionchain
|
|
process_actions1
|
|
process_actions2
|
|
process_actions3
|
|
|
|
find_macro
|
|
split_action
|
|
substitute_param
|
|
merge_macro_source_dest
|
|
merge_macro_column
|
|
|
|
%usedactions
|
|
%default_actions
|
|
%actions
|
|
|
|
%macros
|
|
);
|
|
our @EXPORT_OK = qw( initialize );
|
|
our $VERSION = 4.1.1;
|
|
|
|
#
|
|
# Used Actions. Each action that is actually used has an entry with value 1.
|
|
#
|
|
our %usedactions;
|
|
#
|
|
# Default actions for each policy.
|
|
#
|
|
our %default_actions;
|
|
|
|
# Action Table
|
|
#
|
|
# %actions{ <action1> => { requires => { <requisite1> = 1,
|
|
# <requisite2> = 1,
|
|
# ...
|
|
# } ,
|
|
# actchain => <action chain number> # Used for generating unique chain names for each <level>:<tag> pair.
|
|
#
|
|
our %actions;
|
|
#
|
|
# Contains an entry for each used <action>:<level>[:<tag>] that maps to the associated chain.
|
|
#
|
|
our %logactionchains;
|
|
|
|
our %macros;
|
|
|
|
#
|
|
# Initialize globals -- we take this novel approach to globals initialization to allow
|
|
# the compiler to run multiple times in the same process. The
|
|
# initialize() function does globals initialization for this
|
|
# module and is called from an INIT block below. The function is
|
|
# also called by Shorewall::Compiler::compiler at the beginning of
|
|
# the second and subsequent calls to that function.
|
|
#
|
|
|
|
sub initialize() {
|
|
%usedactions = ();
|
|
%default_actions = ( DROP => 'none' ,
|
|
REJECT => 'none' ,
|
|
ACCEPT => 'none' ,
|
|
QUEUE => 'none' );
|
|
%actions = ();
|
|
%logactionchains = ();
|
|
}
|
|
|
|
INIT {
|
|
initialize;
|
|
}
|
|
|
|
#
|
|
# This function determines the logging for a subordinate action or a rule within a superior action
|
|
#
|
|
sub merge_levels ($$) {
|
|
my ( $superior, $subordinate ) = @_;
|
|
|
|
my @supparts = split /:/, $superior;
|
|
my @subparts = split /:/, $subordinate;
|
|
|
|
my $subparts = @subparts;
|
|
|
|
my $target = $subparts[0];
|
|
|
|
push @subparts, '' while @subparts < 3; #Avoid undefined values
|
|
|
|
my $level = $supparts[1];
|
|
my $tag = $supparts[2];
|
|
|
|
if ( @supparts == 3 ) {
|
|
return "$target:none!:$tag" if $level eq 'none!';
|
|
return "$target:$level:$tag" if $level =~ /!$/;
|
|
return $subordinate if $subparts >= 2;
|
|
return "$target:$level:$tag";
|
|
}
|
|
|
|
if ( @supparts == 2 ) {
|
|
return "$target:none!" if $level eq 'none!';
|
|
return "$target:$level" if ($level =~ /!$/) || ($subparts < 2);
|
|
}
|
|
|
|
$subordinate;
|
|
}
|
|
|
|
#
|
|
# Try to find a macro file -- RETURNS false if the file doesn't exist or MACRO if it does.
|
|
# If the file exists, the macro is entered into the 'targets' table and the fully-qualified
|
|
# name of the file is stored in the 'macro' table.
|
|
#
|
|
sub find_macro( $ )
|
|
{
|
|
my $macro = $_[0];
|
|
my $macrofile = find_file "macro.$macro";
|
|
|
|
if ( -f $macrofile ) {
|
|
$macros{$macro} = $macrofile;
|
|
$targets{$macro} = MACRO;
|
|
} else {
|
|
0;
|
|
}
|
|
}
|
|
|
|
#
|
|
# Return ( action, level[:tag] ) from passed full action
|
|
#
|
|
sub split_action ( $ ) {
|
|
my $action = $_[0];
|
|
my @a = split( /:/ , $action, 4 );
|
|
fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
|
|
( shift @a, join ":", @a );
|
|
}
|
|
|
|
#
|
|
# This function substitutes the second argument for the first part of the first argument up to the first colon (":")
|
|
#
|
|
# Example:
|
|
#
|
|
# substitute_param DNAT PARAM:info:FTP
|
|
#
|
|
# produces "DNAT:info:FTP"
|
|
#
|
|
sub substitute_param( $$ ) {
|
|
my ( $param, $action ) = @_;
|
|
|
|
if ( $action =~ /:/ ) {
|
|
my $logpart = (split_action $action)[1];
|
|
$logpart =~ s!/$!!;
|
|
return "$param:$logpart";
|
|
}
|
|
|
|
$param;
|
|
}
|
|
|
|
#
|
|
# Combine fields from a macro body with one from the macro invocation
|
|
#
|
|
sub merge_macro_source_dest( $$ ) {
|
|
my ( $body, $invocation ) = @_;
|
|
|
|
if ( $invocation ) {
|
|
if ( $body ) {
|
|
return $body if $invocation eq '-';
|
|
return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/;
|
|
return "$invocation:$body";
|
|
}
|
|
|
|
return $invocation;
|
|
}
|
|
|
|
$body || '';
|
|
}
|
|
|
|
sub merge_macro_column( $$ ) {
|
|
my ( $body, $invocation ) = @_;
|
|
|
|
if ( defined $invocation && $invocation ne '' && $invocation ne '-' ) {
|
|
$invocation;
|
|
} else {
|
|
$body;
|
|
}
|
|
}
|
|
|
|
#
|
|
# Get Macro Name -- strips away trailing /* and :* from the first column in a rule, macro or action.
|
|
#
|
|
sub isolate_basic_target( $ ) {
|
|
my $target = ( split '[/:]', $_[0])[0];
|
|
|
|
$target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
|
|
}
|
|
|
|
#
|
|
# Split the passed target into the basic target and parameter
|
|
#
|
|
sub get_target_param( $ ) {
|
|
my ( $target, $param ) = split '/', $_[0];
|
|
|
|
unless ( defined $param ) {
|
|
( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
|
|
}
|
|
|
|
( $target, $param );
|
|
}
|
|
|
|
#
|
|
# Define an Action
|
|
#
|
|
sub new_action( $ ) {
|
|
|
|
my $action = $_[0];
|
|
|
|
$actions{$action} = { actchain => '', requires => {} };
|
|
}
|
|
|
|
#
|
|
# Record a 'requires' relationship between a pair of actions.
|
|
#
|
|
sub add_requiredby ( $$ ) {
|
|
my ($requiredby , $requires ) = @_;
|
|
$actions{$requires}{requires}{$requiredby} = 1;
|
|
}
|
|
|
|
#
|
|
# Create and record a log action chain -- Log action chains have names
|
|
# that are formed from the action name by prepending a "%" and appending
|
|
# a 1- or 2-digit sequence number. In the functions that follow,
|
|
# the CHAIN, LEVEL and TAG variable serves as arguments to the user's
|
|
# exit. We call the exit corresponding to the name of the action but we
|
|
# set CHAIN to the name of the iptables chain where rules are to be added.
|
|
# Similarly, LEVEL and TAG contain the log level and log tag respectively.
|
|
#
|
|
# The maximum length of a chain name is 30 characters -- since the log
|
|
# action chain name is 2-3 characters longer than the base chain name,
|
|
# this function truncates the original chain name where necessary before
|
|
# it adds the leading "%" and trailing sequence number.
|
|
#
|
|
sub createlogactionchain( $$ ) {
|
|
my ( $action, $level ) = @_;
|
|
my $chain = $action;
|
|
my $actionref = $actions{$action};
|
|
my $chainref;
|
|
|
|
my ($lev, $tag) = split ':', $level;
|
|
|
|
validate_level $lev;
|
|
|
|
$actionref = new_action $action unless $actionref;
|
|
|
|
$chain = substr $chain, 0, 28 if ( length $chain ) > 28;
|
|
|
|
CHECKDUP:
|
|
{
|
|
$actionref->{actchain}++ while $chain_table{filter}{'%' . $chain . $actionref->{actchain}};
|
|
$chain = substr( $chain, 0, 27 ), redo CHECKDUP if ( $actionref->{actchain} || 0 ) >= 10 and length $chain == 28;
|
|
}
|
|
|
|
$logactionchains{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
|
|
|
|
fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
|
|
|
|
unless ( $targets{$action} & STANDARD ) {
|
|
|
|
my $file = find_file $chain;
|
|
|
|
if ( -f $file ) {
|
|
progress_message "Processing $file...";
|
|
|
|
( $level, my $tag ) = split /:/, $level;
|
|
|
|
$tag = $tag || '';
|
|
|
|
unless ( my $return = eval `cat $file` ) {
|
|
fatal_error "Couldn't parse $file: $@" if $@;
|
|
fatal_error "Couldn't do $file: $!" unless defined $return;
|
|
fatal_error "Couldn't run $file" unless $return;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
sub createsimpleactionchain( $ ) {
|
|
my $action = shift;
|
|
my $chainref = new_standard_chain $action;
|
|
|
|
$logactionchains{"$action:none"} = $chainref;
|
|
|
|
unless ( $targets{$action} & STANDARD ) {
|
|
|
|
my $file = find_file $action;
|
|
|
|
if ( -f $file ) {
|
|
progress_message "Processing $file...";
|
|
|
|
my ( $level, $tag ) = ( '', '' );
|
|
|
|
unless ( my $return = eval `cat $file` ) {
|
|
fatal_error "Couldn't parse $file: $@" if $@;
|
|
fatal_error "Couldn't do $file: $!" unless defined $return;
|
|
fatal_error "Couldn't run $file" unless $return;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
#
|
|
# Create an action chain and run it's associated user exit
|
|
#
|
|
sub createactionchain( $ ) {
|
|
my ( $action , $level ) = split_action $_[0];
|
|
|
|
my $chainref;
|
|
|
|
if ( defined $level && $level ne '' ) {
|
|
if ( $level eq 'none' ) {
|
|
createsimpleactionchain $action;
|
|
} else {
|
|
createlogactionchain $action , $level;
|
|
}
|
|
} else {
|
|
createsimpleactionchain $action;
|
|
}
|
|
}
|
|
|
|
#
|
|
# Find the chain that handles the passed action. If the chain cannot be found,
|
|
# a fatal error is generated and the function does not return.
|
|
#
|
|
sub find_logactionchain( $ ) {
|
|
my $fullaction = $_[0];
|
|
my ( $action, $level ) = split_action $fullaction;
|
|
|
|
$level = 'none' unless $level;
|
|
|
|
fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"};
|
|
}
|
|
|
|
#
|
|
# The functions process_actions1-3() implement the three phases of action processing.
|
|
#
|
|
# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
|
|
# and ${CONFDIR}/actions are scanned (in that order) and for each action:
|
|
#
|
|
# a) The related action definition file is located and scanned.
|
|
# b) Forward and unresolved action references are trapped as errors.
|
|
# c) A dependency graph is created using the 'requires' field in the 'actions' table.
|
|
#
|
|
# As the rules file is scanned, each action[:level[:tag]] is merged onto the 'usedactions' hash. When an <action>
|
|
# is merged into the hash, its action chain is created. Where logging is specified, a chain with the name
|
|
# %<action>n is used where the <action> name is truncated on the right where necessary to ensure that the total
|
|
# length of the chain name does not exceed 30 characters.
|
|
#
|
|
# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of
|
|
# %usedactions is generated; again, as new actions are merged into the hash, their action chains are created.
|
|
#
|
|
# The final phase (process_actions3) is to traverse the keys of %usedactions populating each chain appropriately
|
|
# by reading the action definition files and creating rules. Note that a given action definition file is
|
|
# processed once for each unique [:level[:tag]] applied to an invocation of the action.
|
|
#
|
|
|
|
sub process_macro1 ( $$ ) {
|
|
my ( $action, $macrofile ) = @_;
|
|
|
|
progress_message " ..Expanding Macro $macrofile...";
|
|
|
|
push_open( $macrofile );
|
|
|
|
while ( read_a_line ) {
|
|
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file';
|
|
|
|
next if $mtarget eq 'COMMENT';
|
|
|
|
$mtarget =~ s/:.*$//;
|
|
|
|
$mtarget = (split '/' , $mtarget)[0];
|
|
|
|
my $targettype = $targets{$mtarget};
|
|
|
|
$targettype = 0 unless defined $targettype;
|
|
|
|
fatal_error "Invalid target ($mtarget)"
|
|
unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ | CHAIN ) );
|
|
}
|
|
|
|
progress_message " ..End Macro $macrofile";
|
|
|
|
pop_open;
|
|
}
|
|
|
|
sub process_action1 ( $$ ) {
|
|
my ( $action, $wholetarget ) = @_;
|
|
|
|
my ( $target, $level ) = split_action $wholetarget;
|
|
|
|
$level = 'none' unless $level;
|
|
|
|
my $targettype = $targets{$target};
|
|
|
|
if ( defined $targettype ) {
|
|
return if ( $targettype == STANDARD ) || ( $targettype & ( MACRO | LOGRULE | NFQ | CHAIN ) );
|
|
|
|
fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD;
|
|
|
|
fatal_error "An action may not invoke itself" if $target eq $action;
|
|
|
|
add_requiredby $wholetarget, $action if $targettype & ACTION;
|
|
} elsif ( $target eq 'COMMENT' ) {
|
|
fatal_error "Invalid TARGET ($wholetarget)" unless $wholetarget eq $target;
|
|
} else {
|
|
( $target, my $param ) = get_target_param $target;
|
|
|
|
return if $target eq 'NFQUEUE';
|
|
|
|
if ( defined $param ) {
|
|
my $paramtype = $targets{$param} || 0;
|
|
|
|
fatal_error "Parameter value not allowed in action files ($param)" if $paramtype & NATRULE;
|
|
}
|
|
|
|
fatal_error "Invalid or missing ACTION ($wholetarget)" unless defined $target;
|
|
|
|
if ( find_macro $target ) {
|
|
process_macro1( $action, $macros{$target} );
|
|
} else {
|
|
fatal_error "Invalid TARGET ($target)";
|
|
}
|
|
}
|
|
}
|
|
|
|
sub process_actions1() {
|
|
|
|
progress_message2 "Preprocessing Action Files...";
|
|
|
|
for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
|
|
new_action $act;
|
|
}
|
|
|
|
for my $file ( qw/actions.std actions/ ) {
|
|
open_file $file;
|
|
|
|
while ( read_a_line ) {
|
|
my ( $action ) = split_line 1, 1, 'action file';
|
|
|
|
if ( $action =~ /:/ ) {
|
|
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
|
|
$action =~ s/:.*$//;
|
|
}
|
|
|
|
next unless $action;
|
|
|
|
if ( $targets{$action} ) {
|
|
warning_message "Duplicate Action Name ($action) Ignored" unless $targets{$action} & ACTION;
|
|
next;
|
|
}
|
|
|
|
$targets{$action} = ACTION;
|
|
|
|
fatal_error "Invalid Action Name ($action)" unless "\L$action" =~ /^[a-z]\w*$/;
|
|
|
|
new_action $action;
|
|
|
|
my $actionfile = find_file "action.$action";
|
|
|
|
fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
|
|
|
|
progress_message2 " Pre-processing $actionfile...";
|
|
|
|
push_open( $actionfile );
|
|
|
|
while ( read_a_line ) {
|
|
|
|
my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 1, 8, 'action file';
|
|
|
|
process_action1( $action, $wholetarget );
|
|
|
|
}
|
|
|
|
pop_open;
|
|
}
|
|
}
|
|
}
|
|
|
|
sub process_actions2 () {
|
|
progress_message2 'Generating Transitive Closure of Used-action List...';
|
|
|
|
my $changed = 1;
|
|
|
|
while ( $changed ) {
|
|
$changed = 0;
|
|
for my $target (keys %usedactions) {
|
|
my ($action, $level) = split_action $target;
|
|
my $actionref = $actions{$action};
|
|
fatal_error "Null Action Reference in process_actions2" unless $actionref;
|
|
for my $action1 ( keys %{$actionref->{requires}} ) {
|
|
my $action2 = merge_levels $target, $action1;
|
|
unless ( $usedactions{ $action2 } ) {
|
|
$usedactions{ $action2 } = 1;
|
|
createactionchain $action2;
|
|
$changed = 1;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
#
|
|
# This function is called to process each rule generated from an action file.
|
|
#
|
|
sub process_action( $$$$$$$$$$ ) {
|
|
my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
|
|
|
|
my ( $action , $level ) = split_action $target;
|
|
|
|
if ( $action eq 'REJECT' ) {
|
|
$action = 'reject';
|
|
} elsif ( $action eq 'CONTINUE' ) {
|
|
$action = 'RETURN';
|
|
} elsif ( $action =~ /^NFQUEUE/ ) {
|
|
( $action, my $param ) = get_target_param $action;
|
|
$param = 1 unless defined $param;
|
|
$action = "NFQUEUE --queue-num $param";
|
|
}
|
|
|
|
expand_rule ( $chainref ,
|
|
NO_RESTRICT ,
|
|
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
|
|
$source ,
|
|
$dest ,
|
|
'', #Original Dest
|
|
"-j $action" ,
|
|
$level ,
|
|
$action ,
|
|
'' );
|
|
}
|
|
|
|
#
|
|
# Expand Macro in action files.
|
|
#
|
|
sub process_macro3( $$$$$$$$$$$ ) {
|
|
my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
|
|
|
|
my $nocomment = no_comment;
|
|
|
|
macro_comment $macro;
|
|
|
|
my $fn = $macros{$macro};
|
|
|
|
progress_message "..Expanding Macro $fn...";
|
|
|
|
push_open $fn;
|
|
|
|
while ( read_a_line ) {
|
|
|
|
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file';
|
|
|
|
if ( $mtarget eq 'COMMENT' ) {
|
|
process_comment unless $nocomment;
|
|
next;
|
|
}
|
|
|
|
if ( $mtarget =~ /^PARAM:?/ ) {
|
|
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
|
|
$mtarget = substitute_param $param, $mtarget;
|
|
}
|
|
|
|
if ( $msource ) {
|
|
if ( ( $msource eq '-' ) || ( $msource eq 'SOURCE' ) ) {
|
|
$msource = $source || '';
|
|
} elsif ( $msource eq 'DEST' ) {
|
|
$msource = $dest || '';
|
|
} else {
|
|
$msource = merge_macro_source_dest $msource, $source;
|
|
}
|
|
} else {
|
|
$msource = '';
|
|
}
|
|
|
|
$msource = '' if $msource eq '-';
|
|
|
|
if ( $mdest ) {
|
|
if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
|
|
$mdest = $dest || '';
|
|
} elsif ( $mdest eq 'SOURCE' ) {
|
|
$mdest = $source || '';
|
|
} else {
|
|
$mdest = merge_macro_source_dest $mdest, $dest;
|
|
}
|
|
} else {
|
|
$mdest = '';
|
|
}
|
|
|
|
$mdest = '' if $mdest eq '-';
|
|
|
|
$mproto = merge_macro_column $mproto, $proto;
|
|
$mports = merge_macro_column $mports, $ports;
|
|
$msports = merge_macro_column $msports, $sports;
|
|
$mrate = merge_macro_column $mrate, $rate;
|
|
$muser = merge_macro_column $muser, $user;
|
|
|
|
process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
|
|
}
|
|
|
|
pop_open;
|
|
|
|
progress_message '..End Macro';
|
|
|
|
clear_comment unless $nocomment;
|
|
}
|
|
|
|
#
|
|
# Generate chain for non-builtin action invocation
|
|
#
|
|
sub process_action3( $$$$$ ) {
|
|
my ( $chainref, $wholeaction, $action, $level, $tag ) = @_;
|
|
my $actionfile = find_file "action.$action";
|
|
|
|
fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
|
|
|
|
progress_message2 "Processing $actionfile for chain $chainref->{name}...";
|
|
|
|
open_file $actionfile;
|
|
|
|
while ( read_a_line ) {
|
|
|
|
my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file';
|
|
|
|
if ( $target eq 'COMMENT' ) {
|
|
process_comment;
|
|
next;
|
|
}
|
|
|
|
my $target2 = merge_levels $wholeaction, $target;
|
|
|
|
my ( $action2 , $level2 ) = split_action $target2;
|
|
|
|
( $action2 , my $param ) = get_target_param $action2;
|
|
|
|
my $action2type = $targets{$action2} || 0;
|
|
|
|
unless ( $action2type == STANDARD ) {
|
|
if ( $action2type & ACTION ) {
|
|
$target2 = (find_logactionchain ( $target = $target2 ))->{name};
|
|
} else {
|
|
fatal_error "Internal Error" unless $action2type & ( MACRO | LOGRULE | NFQ | CHAIN );
|
|
}
|
|
}
|
|
|
|
if ( $action2type == MACRO ) {
|
|
process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
|
|
} else {
|
|
process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
|
|
}
|
|
}
|
|
|
|
clear_comment;
|
|
}
|
|
|
|
sub process_actions3 () {
|
|
#
|
|
# The following small functions generate rules for the builtin actions of the same name
|
|
#
|
|
sub dropBcast( $$$ ) {
|
|
my ($chainref, $level, $tag) = @_;
|
|
|
|
if ( $capabilities{ADDRTYPE} ) {
|
|
if ( $level ne '' ) {
|
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
|
}
|
|
|
|
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
|
|
} else {
|
|
add_command $chainref, 'for address in $ALL_BCASTS; do';
|
|
incr_cmd_level $chainref;
|
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
|
|
add_rule $chainref, '-d $address -j DROP';
|
|
decr_cmd_level $chainref;
|
|
add_command $chainref, 'done';
|
|
|
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
|
}
|
|
|
|
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
|
|
}
|
|
|
|
sub allowBcast( $$$ ) {
|
|
my ($chainref, $level, $tag) = @_;
|
|
|
|
if ( $capabilities{ADDRTYPE} ) {
|
|
if ( $level ne '' ) {
|
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
|
}
|
|
|
|
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
|
|
} else {
|
|
add_command $chainref, 'for address in $ALL_BCASTS; do';
|
|
incr_cmd_level $chainref;
|
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
|
|
add_rule $chainref, '-d $address -j ACCEPT';
|
|
decr_cmd_level $chainref;
|
|
add_command $chainref, 'done';
|
|
|
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
|
}
|
|
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
|
|
}
|
|
|
|
sub dropNotSyn ( $$$ ) {
|
|
my ($chainref, $level, $tag) = @_;
|
|
|
|
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
|
|
add_rule $chainref , '-p tcp ! --syn -j DROP';
|
|
}
|
|
|
|
sub rejNotSyn ( $$$ ) {
|
|
my ($chainref, $level, $tag) = @_;
|
|
|
|
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
|
|
add_rule $chainref , '-p tcp ! --syn -j REJECT --reject-with tcp-reset';
|
|
}
|
|
|
|
sub dropInvalid ( $$$ ) {
|
|
my ($chainref, $level, $tag) = @_;
|
|
|
|
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
|
|
add_rule $chainref , '-m state --state INVALID -j DROP';
|
|
}
|
|
|
|
sub allowInvalid ( $$$ ) {
|
|
my ($chainref, $level, $tag) = @_;
|
|
|
|
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
|
|
add_rule $chainref , '-m state --state INVALID -j ACCEPT';
|
|
}
|
|
|
|
sub forwardUPnP ( $$$ ) {
|
|
}
|
|
|
|
sub allowinUPnP ( $$$ ) {
|
|
my ($chainref, $level, $tag) = @_;
|
|
|
|
if ( $level ne '' ) {
|
|
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
|
|
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
|
|
}
|
|
|
|
add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
|
|
add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
|
|
}
|
|
|
|
sub Limit( $$$ ) {
|
|
my ($chainref, $level, $tag) = @_;
|
|
|
|
my @tag = split /,/, $tag;
|
|
|
|
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' unless @tag == 3;
|
|
|
|
my $set = $tag[0];
|
|
|
|
for ( @tag[1,2] ) {
|
|
fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
|
|
}
|
|
|
|
my $count = $tag[1] + 1;
|
|
|
|
require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
|
|
|
|
add_rule $chainref, "-m recent --name $set --set";
|
|
|
|
if ( $level ne '' ) {
|
|
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
|
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
|
|
add_rule $xchainref, '-j DROP';
|
|
add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
|
|
} else {
|
|
add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
|
|
}
|
|
|
|
add_rule $chainref, '-j ACCEPT';
|
|
}
|
|
|
|
sub drop1918src( $$$ ) {
|
|
my ($chainref, $level, $tag) = @_;
|
|
|
|
if ( $level ne '' ) {
|
|
log_rule_limit $level, $chainref, 'dropRFC1918src', 'DROP', '', $tag, 'add', '-s 10.0.0.0/8 ';
|
|
log_rule_limit $level, $chainref, 'dropRFC1918src', 'DROP', '', $tag, 'add', '-s 172.16.0.0/12 ';
|
|
log_rule_limit $level, $chainref, 'dropRFC1918src', 'DROP', '', $tag, 'add', '-s 192.168.0.0/16 ';
|
|
}
|
|
|
|
add_rule $chainref, '-s 10.0.0.0/8 -j DROP';
|
|
add_rule $chainref, '-s 172.16.0.0/12 -j DROP';
|
|
add_rule $chainref, '-s 192.168.0.0/16 -j DROP';
|
|
}
|
|
|
|
sub drop1918dst( $$$ ) {
|
|
my ($chainref, $level, $tag) = @_;
|
|
|
|
if ( $level ne '' ) {
|
|
log_rule_limit $level, $chainref, 'drop1918src', 'DROP', '', $tag, 'add', '-m conntrack --ctorigdst 10.0.0.0/8 ';
|
|
log_rule_limit $level, $chainref, 'drop1918src', 'DROP', '', $tag, 'add', '-m conntrack --ctorigdst 172.16.0.0/12 ';
|
|
log_rule_limit $level, $chainref, 'drop1918src', 'DROP', '', $tag, 'add', '-m conntrack --ctorigdst 192.168.0.0/16 ';
|
|
}
|
|
|
|
add_rule $chainref, '-m conntrack --ctorigdst 10.0.0.0/8 -j DROP';
|
|
add_rule $chainref, '-m conntrack --ctorigdst 172.16.0.0/12 -j DROP';
|
|
add_rule $chainref, '-m conntrack --ctorigdst 192.168.0.0/16 -j DROP';
|
|
}
|
|
|
|
sub rej1918src( $$$ ) {
|
|
my ($chainref, $level, $tag) = @_;
|
|
|
|
if ( $level ne '' ) {
|
|
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-s 10.0.0.0/8 ';
|
|
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-s 172.16.0.0/12 ';
|
|
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-s 192.168.0.0/16 ';
|
|
}
|
|
|
|
add_rule $chainref, '-s 10.0.0.0/8 -j reject';
|
|
add_rule $chainref, '-s 172.16.0.0/12 -j reject';
|
|
add_rule $chainref, '-s 192.168.0.0/16 -j reject';
|
|
}
|
|
|
|
sub rej1918dst( $$$ ) {
|
|
my ($chainref, $level, $tag) = @_;
|
|
|
|
if ( $level ne '' ) {
|
|
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-m conntrack --ctorigdst 10.0.0.0/8 ';
|
|
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-m conntrack --ctorigdst 172.16.0.0/12 ';
|
|
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-m conntrack --ctorigdst 192.168.0.0/16 ';
|
|
}
|
|
|
|
add_rule $chainref, '-m conntrack --ctorigdst 10.0.0.0/8 -j reject';
|
|
add_rule $chainref, '-m conntrack --ctorigdst 172.16.0.0/12 -j reject';
|
|
add_rule $chainref, '-m conntrack --ctorigdst 192.168.0.0/16 -j reject';
|
|
}
|
|
|
|
my %builtinops = ( 'dropBcast' => \&dropBcast,
|
|
'allowBcast' => \&allowBcast,
|
|
'dropNotSyn' => \&dropNotSyn,
|
|
'rejNotSyn' => \&rejNotSyn,
|
|
'dropInvalid' => \&dropInvalid,
|
|
'allowInvalid' => \&allowInvalid,
|
|
'allowinUPnP' => \&allowinUPnP,
|
|
'forwardUPnP' => \&forwardUPnP,
|
|
'drop1918src' => \&drop1918src,
|
|
'drop1918dst' => \&drop1918dst,
|
|
'rej1918src' => \&drop1918src,
|
|
'rej1918dst' => \&drop1918dst,
|
|
'Limit' => \&Limit, );
|
|
|
|
for my $wholeaction ( keys %usedactions ) {
|
|
my $chainref = find_logactionchain $wholeaction;
|
|
my ( $action, $level, $tag ) = split /:/, $wholeaction;
|
|
|
|
$level = '' unless defined $level;
|
|
$tag = '' unless defined $tag;
|
|
|
|
if ( $targets{$action} & BUILTIN ) {
|
|
$level = '' if $level =~ /none!?/;
|
|
$builtinops{$action}->($chainref, $level, $tag);
|
|
} else {
|
|
process_action3 $chainref, $wholeaction, $action, $level, $tag;
|
|
}
|
|
}
|
|
}
|
|
|
|
1;
|