|
 |
087194 |
From 8342a2b3fdea4f78e5c8f842550e87857ccaa277 Mon Sep 17 00:00:00 2001
|
|
|
087194 |
From: Eric Garver <eric@garver.life>
|
|
|
087194 |
Date: Sun, 19 Jan 2020 16:16:59 -0500
|
|
|
087194 |
Subject: [PATCH 32/35] feat: ipXtables: support AllowZoneDrifting=yes
|
|
|
087194 |
|
|
|
087194 |
(cherry picked from commit 1f7b5ffcd40daf2a7f2ef1ec0cccb95080e74fb6)
|
|
|
087194 |
(cherry picked from commit 0435bc024cf9ecf5aad7d3c37f7ef55396de73a4)
|
|
|
087194 |
---
|
|
|
087194 |
src/firewall/core/ipXtables.py | 93 +++++++++++++++++++---------------
|
|
|
087194 |
1 file changed, 51 insertions(+), 42 deletions(-)
|
|
|
087194 |
|
|
|
087194 |
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
|
|
|
087194 |
index 2f4ec46d8339..c9c1acc44a4c 100644
|
|
|
087194 |
--- a/src/firewall/core/ipXtables.py
|
|
|
087194 |
+++ b/src/firewall/core/ipXtables.py
|
|
|
087194 |
@@ -323,8 +323,11 @@ class ip4tables(object):
|
|
|
087194 |
|
|
|
087194 |
index = zone_source_index_cache.index(zone_source)
|
|
|
087194 |
else:
|
|
|
087194 |
- index = len(zone_source_index_cache)
|
|
|
087194 |
-
|
|
|
087194 |
+ if self._fw._allow_zone_drifting:
|
|
|
087194 |
+ index = 0
|
|
|
087194 |
+ else:
|
|
|
087194 |
+ index = len(zone_source_index_cache)
|
|
|
087194 |
+
|
|
|
087194 |
rule[0] = "-I"
|
|
|
087194 |
rule.insert(2, "%d" % (index + 1))
|
|
|
087194 |
|
|
|
087194 |
@@ -667,9 +670,10 @@ class ip4tables(object):
|
|
|
087194 |
self.our_chains["raw"].add("%s_direct" % chain)
|
|
|
087194 |
|
|
|
087194 |
if chain == "PREROUTING":
|
|
|
087194 |
- default_rules["raw"].append("-N %s_ZONES" % chain)
|
|
|
087194 |
- default_rules["raw"].append("-A %s -j %s_ZONES" % (chain, chain))
|
|
|
087194 |
- self.our_chains["raw"].update(set(["%s_ZONES" % chain]))
|
|
|
087194 |
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
|
|
|
087194 |
+ default_rules["raw"].append("-N %s_%s" % (chain, dispatch_suffix))
|
|
|
087194 |
+ default_rules["raw"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
|
|
|
087194 |
+ self.our_chains["raw"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
|
|
|
087194 |
|
|
|
087194 |
if self.get_available_tables("mangle"):
|
|
|
087194 |
default_rules["mangle"] = [ ]
|
|
|
087194 |
@@ -680,9 +684,10 @@ class ip4tables(object):
|
|
|
087194 |
self.our_chains["mangle"].add("%s_direct" % chain)
|
|
|
087194 |
|
|
|
087194 |
if chain == "PREROUTING":
|
|
|
087194 |
- default_rules["mangle"].append("-N %s_ZONES" % chain)
|
|
|
087194 |
- default_rules["mangle"].append("-A %s -j %s_ZONES" % (chain, chain))
|
|
|
087194 |
- self.our_chains["mangle"].update(set(["%s_ZONES" % chain]))
|
|
|
087194 |
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
|
|
|
087194 |
+ default_rules["mangle"].append("-N %s_%s" % (chain, dispatch_suffix))
|
|
|
087194 |
+ default_rules["mangle"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
|
|
|
087194 |
+ self.our_chains["mangle"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
|
|
|
087194 |
|
|
|
087194 |
if self.get_available_tables("nat"):
|
|
|
087194 |
default_rules["nat"] = [ ]
|
|
|
087194 |
@@ -693,19 +698,22 @@ class ip4tables(object):
|
|
|
087194 |
self.our_chains["nat"].add("%s_direct" % chain)
|
|
|
087194 |
|
|
|
087194 |
if chain in [ "PREROUTING", "POSTROUTING" ]:
|
|
|
087194 |
- default_rules["nat"].append("-N %s_ZONES" % chain)
|
|
|
087194 |
- default_rules["nat"].append("-A %s -j %s_ZONES" % (chain, chain))
|
|
|
087194 |
- self.our_chains["nat"].update(set(["%s_ZONES" % chain]))
|
|
|
087194 |
-
|
|
|
087194 |
- default_rules["filter"] = [
|
|
|
087194 |
- "-N INPUT_direct",
|
|
|
087194 |
- "-N INPUT_ZONES",
|
|
|
087194 |
-
|
|
|
087194 |
- "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT",
|
|
|
087194 |
- "-A INPUT -i lo -j ACCEPT",
|
|
|
087194 |
- "-A INPUT -j INPUT_direct",
|
|
|
087194 |
- "-A INPUT -j INPUT_ZONES",
|
|
|
087194 |
- ]
|
|
|
087194 |
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
|
|
|
087194 |
+ default_rules["nat"].append("-N %s_%s" % (chain, dispatch_suffix))
|
|
|
087194 |
+ default_rules["nat"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
|
|
|
087194 |
+ self.our_chains["nat"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
|
|
|
087194 |
+
|
|
|
087194 |
+ default_rules["filter"] = []
|
|
|
087194 |
+ self.our_chains["filter"] = set()
|
|
|
087194 |
+ default_rules["filter"].append("-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT")
|
|
|
087194 |
+ default_rules["filter"].append("-A INPUT -i lo -j ACCEPT")
|
|
|
087194 |
+ default_rules["filter"].append("-N INPUT_direct")
|
|
|
087194 |
+ default_rules["filter"].append("-A INPUT -j INPUT_direct")
|
|
|
087194 |
+ self.our_chains["filter"].update(set("INPUT_direct"))
|
|
|
087194 |
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
|
|
|
087194 |
+ default_rules["filter"].append("-N INPUT_%s" % (dispatch_suffix))
|
|
|
087194 |
+ default_rules["filter"].append("-A INPUT -j INPUT_%s" % (dispatch_suffix))
|
|
|
087194 |
+ self.our_chains["filter"].update(set("INPUT_%s" % (dispatch_suffix)))
|
|
|
087194 |
if log_denied != "off":
|
|
|
087194 |
default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")
|
|
|
087194 |
default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID -j DROP")
|
|
|
087194 |
@@ -713,17 +721,16 @@ class ip4tables(object):
|
|
|
087194 |
default_rules["filter"].append("-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: '")
|
|
|
087194 |
default_rules["filter"].append("-A INPUT -j %%REJECT%%")
|
|
|
087194 |
|
|
|
087194 |
- default_rules["filter"] += [
|
|
|
087194 |
- "-N FORWARD_direct",
|
|
|
087194 |
- "-N FORWARD_IN_ZONES",
|
|
|
087194 |
- "-N FORWARD_OUT_ZONES",
|
|
|
087194 |
-
|
|
|
087194 |
- "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT",
|
|
|
087194 |
- "-A FORWARD -i lo -j ACCEPT",
|
|
|
087194 |
- "-A FORWARD -j FORWARD_direct",
|
|
|
087194 |
- "-A FORWARD -j FORWARD_IN_ZONES",
|
|
|
087194 |
- "-A FORWARD -j FORWARD_OUT_ZONES",
|
|
|
087194 |
- ]
|
|
|
087194 |
+ default_rules["filter"].append("-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT")
|
|
|
087194 |
+ default_rules["filter"].append("-A FORWARD -i lo -j ACCEPT")
|
|
|
087194 |
+ default_rules["filter"].append("-N FORWARD_direct")
|
|
|
087194 |
+ default_rules["filter"].append("-A FORWARD -j FORWARD_direct")
|
|
|
087194 |
+ self.our_chains["filter"].update(set("FORWARD_direct"))
|
|
|
087194 |
+ for direction in ["IN", "OUT"]:
|
|
|
087194 |
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
|
|
|
087194 |
+ default_rules["filter"].append("-N FORWARD_%s_%s" % (direction, dispatch_suffix))
|
|
|
087194 |
+ default_rules["filter"].append("-A FORWARD -j FORWARD_%s_%s" % (direction, dispatch_suffix))
|
|
|
087194 |
+ self.our_chains["filter"].update(set("FORWARD_%s_%s" % (direction, dispatch_suffix)))
|
|
|
087194 |
if log_denied != "off":
|
|
|
087194 |
default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")
|
|
|
087194 |
default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID -j DROP")
|
|
|
087194 |
@@ -737,10 +744,7 @@ class ip4tables(object):
|
|
|
087194 |
"-A OUTPUT -o lo -j ACCEPT",
|
|
|
087194 |
"-A OUTPUT -j OUTPUT_direct",
|
|
|
087194 |
]
|
|
|
087194 |
-
|
|
|
087194 |
- self.our_chains["filter"] = set(["INPUT_direct", "INPUT_ZONES",
|
|
|
087194 |
- "FORWARD_direct", "FORWARD_IN_ZONES",
|
|
|
087194 |
- "FORWARD_OUT_ZONES", "OUTPUT_direct"])
|
|
|
087194 |
+ self.our_chains["filter"].update(set("OUTPUT_direct"))
|
|
|
087194 |
|
|
|
087194 |
final_default_rules = []
|
|
|
087194 |
for table in default_rules:
|
|
|
087194 |
@@ -806,6 +810,11 @@ class ip4tables(object):
|
|
|
087194 |
"OUTPUT": "-d",
|
|
|
087194 |
}[chain]
|
|
|
087194 |
|
|
|
087194 |
+ if self._fw._allow_zone_drifting:
|
|
|
087194 |
+ zone_dispatch_chain = "%s_ZONES_SOURCE" % (chain)
|
|
|
087194 |
+ else:
|
|
|
087194 |
+ zone_dispatch_chain = "%s_ZONES" % (chain)
|
|
|
087194 |
+
|
|
|
087194 |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
|
|
|
087194 |
action = "-g"
|
|
|
087194 |
|
|
|
087194 |
@@ -816,8 +825,8 @@ class ip4tables(object):
|
|
|
087194 |
else:
|
|
|
087194 |
opt = "src"
|
|
|
087194 |
flags = ",".join([opt] * self._fw.ipset.get_dimension(name))
|
|
|
087194 |
- rule = [ add_del,
|
|
|
087194 |
- "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,
|
|
|
087194 |
+ rule = [ add_del, zone_dispatch_chain,
|
|
|
087194 |
+ "%%ZONE_SOURCE%%", zone,
|
|
|
087194 |
"-t", table,
|
|
|
087194 |
"-m", "set", "--match-set", name,
|
|
|
087194 |
flags, action, target ]
|
|
|
087194 |
@@ -826,14 +835,14 @@ class ip4tables(object):
|
|
|
087194 |
# outgoing can not be set
|
|
|
087194 |
if opt == "-d":
|
|
|
087194 |
return ""
|
|
|
087194 |
- rule = [ add_del,
|
|
|
087194 |
- "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,
|
|
|
087194 |
+ rule = [ add_del, zone_dispatch_chain,
|
|
|
087194 |
+ "%%ZONE_SOURCE%%", zone,
|
|
|
087194 |
"-t", table,
|
|
|
087194 |
"-m", "mac", "--mac-source", address.upper(),
|
|
|
087194 |
action, target ]
|
|
|
087194 |
else:
|
|
|
087194 |
- rule = [ add_del,
|
|
|
087194 |
- "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,
|
|
|
087194 |
+ rule = [ add_del, zone_dispatch_chain,
|
|
|
087194 |
+ "%%ZONE_SOURCE%%", zone,
|
|
|
087194 |
"-t", table,
|
|
|
087194 |
opt, address, action, target ]
|
|
|
087194 |
return [rule]
|
|
|
087194 |
--
|
|
|
087194 |
2.23.0
|
|
|
087194 |
|