[firewall] / functions.m4

### -*-m4-*-
###
### Utility functions for firewall scripts
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

m4_divert(20)m4_dnl
###--------------------------------------------------------------------------
### Utility functions.

## doit COMMAND ARGS...
##
## If debugging, print the COMMAND and ARGS.  If serious, execute them.
run () {
  set -e
  if [ "$FW_DEBUG" ]; then echo "* $*"; fi
  if ! [ "$FW_NOACT" ]; then "$@"; fi
}

## trace MESSAGE...
##
## If debugging, print the MESSAGE.
trace () {
  set -e
  if [ "$FW_DEBUG" ]; then echo "$*"; fi
}

## defport NAME NUMBER
##
## Define $port_NAME to be NUMBER.
defport () {
  name=$1 number=$2
  eval port_$name=$number
}

m4_divert(22)m4_dnl
###--------------------------------------------------------------------------
### Basic chain constructions.

## clearchain CHAIN CHAIN ...
##
## Ensure that the named chains exist and are empty.
clearchain () {
  set -e
  for chain; do
    case $chain in
      *:*) table=${chain%:*} chain=${chain#*:} ;;
      *) table=filter ;;
    esac
    run iptables -t $table -N $chain
  done
}

## errorchain CHAIN ACTION ARGS ...
##
## Make a chain which logs a message and then invokes some other action,
## typically REJECT.  Log messages are prefixed by `fw: CHAIN'.
errorchain () {
  set -e
  chain=$1; shift
  case $chain in
    *:*) table=${chain%:*} chain=${chain#*:} ;;
    *) table=filter ;;
  esac
  clearchain $table:$chain
  run iptables -t $table -A $chain -j LOG \
	  -m limit --limit 3/minute --limit-burst 10 \
	  --log-prefix "fw: $chain " --log-level notice
  run iptables -t $table -A $chain -j "$@"
}

m4_divert(24)m4_dnl
###--------------------------------------------------------------------------
### Basic option setting.

## setopt OPTION VALUE
##
## Set an IP sysctl.
setopt () {
  set -e
  opt=$1; shift; val=$*
  run sysctl -q net/ipv4/$opt="$val"
}

## setdevopt OPTION VALUE
##
## Set an IP interface-level sysctl.
setdevopt () {
  set -e
  opt=$1; shift; val=$*
  for i in /proc/sys/net/ipv4/conf/*; do
    [ -f $i/$opt ] &&
      run sysctl -q net/ipv4/conf/${i#/proc/sys/net/ipv4/conf/}/$opt="$val"
  done
}

m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Packet filter construction.

## conntrack CHAIN
##
## Add connection tracking to CHAIN, and allow obvious stuff.
conntrack () {
  set -e
  chain=$1
  run iptables -A $chain -p tcp -m state \
	  --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A $chain -p tcp ! --syn -g bad-tcp
}

## commonrules CHAIN
##
## Add standard IP filtering rules to the CHAIN.
commonrules () {
  set -e
  chain=$1

  ## Pass fragments through, assuming that the eventual destination will sort
  ## things out properly.  Except for TCP, that is, which should never be
  ## fragmented.
  run iptables -A $chain -p tcp -f -g tcp-fragment
  run iptables -A $chain -f -j ACCEPT
}

## allowservices CHAIN PROTO SERVICE ...
##
## Add rules to allow the SERVICES on the CHAIN.
allowservices () {
  set -e
  chain=$1 proto=$2; shift 2
  count=0
  list=
  for svc; do
    case $svc in
      *:*)
        n=2
	left=${svc%:*} right=${svc#*:}
	case $left in *[!0-9]*) eval left=\$port_$left ;; esac
	case $right in *[!0-9]*) eval right=\$port_$right ;; esac
	svc=$left:$right
	;;
      *)
        n=1
	case $svc in *[!0-9]*) eval svc=\$port_$svc ;; esac
	;;
    esac
    case $svc in
      *: | :* | "" | *[!0-9:]*)
        echo >&2 "Bad service name"
	exit 1
	;;
    esac
    count=$(( $count + $n ))
    if [ $count -gt 15 ]; then
      run iptables -A $chain -p $proto -m multiport -j ACCEPT \
	     --destination-ports ${list#,}
      list= count=$n
    fi
    list=$list,$svc
  done
  case $list in
    "")
      ;;
    ,*,*)
      run iptables -A $chain -p $proto -m multiport -j ACCEPT \
	      --destination-ports ${list#,}
      ;;
    *) 
      run iptables -A $chain -p $proto -j ACCEPT \
	      --destination-port ${list#,}
      ;;
  esac
}

## ntpclient CHAIN NTPSERVER ...
##
## Add rules to CHAIN to allow NTP with NTPSERVERs.
ntpclient () {
  set -e
  chain=$1; shift
  for ntp; do
    run iptables -A $chain -s $ntp -j ACCEPT \
	    -p udp --source-port 123 --destination-port 123
  done
}

## dnsresolver CHAIN
##
## Add rules to allow CHAIN to be a DNS resolver.
dnsresolver () {
  set -e
  chain=$1
  for p in tcp udp; do
    run iptables -A $chain -j ACCEPT \
	     -m state --state ESTABLISHED \
	     -p $p --source-port 53
  done
}

## openports CHAIN [MIN MAX]
##
## Add rules to CHAIN to allow the open ports.
openports () {
  set -e
  chain=$1; shift
  [ $# -eq 0 ] && set -- $open_port_min $open_port_max
  run iptables -A $chain -p tcp -g interesting --destination-port $1:$2
  run iptables -A $chain -p udp -g interesting --destination-port $1:$2
}

m4_divert(28)m4_dnl
###--------------------------------------------------------------------------
### Packet classification.

## defbitfield NAME WIDTH
##
## Defines MASK_NAME and BIT_NAME symbolic constants for dealing with
## bitfields: x << BIT_NAME yields the value x in the correct position, and
## ff & MASK_NAME extracts the corresponding value.
defbitfield () {
  set -e
  name=$1 width=$2
  eval MASK_$name=$(( (1 << $width) - 1 << $bitindex ))
  eval BIT_$name=$bitindex
  bitindex=$(( $bitindex + $width ))
}

## Define the layout of the bitfield.
bitindex=0
defbitfield MASK 16
defbitfield FROM 4
defbitfield TO 4

## defnetclass NAME FORWARD-TO...
##
## Defines a netclass called NAME, which is allowed to forward to the
## FORWARD-TO netclasses.
##
## For each netclass, constants from_NAME and to_NAME are defined as the
## appropriate values in the FROM and TO fields (i.e., not including any mask
## bits).
##
## This function also establishes mangle chains mark-from-NAME and
## mark-to-NAME for applying the appropriate mark bits to the packet.
##
## Because it needs to resolve forward references, netclasses must be defined
## in a two-pass manner, using a loop of the form
##
##   for pass in 1 2; do netclassindex=0; ...; done
netclassess=
defnetclass () {
  set -e
  name=$1; shift
  case $pass in
    1)

      ## Pass 1.  Establish the from_NAME and to_NAME constants, and the
      ## netclass's mask bit.
      eval from_$name=$(( $netclassindex << $BIT_FROM ))
      eval to_$name=$(( $netclassindex << $BIT_TO ))
      eval _mask_$name=$(( 1 << ($netclassindex + $BIT_MASK) ))
      nets="$nets $name"
      ;;
    2)

      ## Pass 2.  Compute the actual from and to values.  We're a little bit
      ## clever during source classification, and set the TO field to
      ## all-bits-one, so that destination classification needs only a single
      ## AND operation.
      from=$(( ($netclassindex << $BIT_FROM) + (0xf << $BIT_TO) ))
      for net; do
	eval bit=\$_mask_$net
	from=$(( $from + $bit ))
      done
      to=$(( ($netclassindex << $BIT_TO) + \
      	     (0xf << $BIT_FROM) + \
	     (1 << ($netclassindex + $BIT_MASK)) ))
      trace "from $name --> set $(printf %x $from)"
      trace "  to $name --> and $(printf %x $from)"

      ## Now establish the mark-from-NAME and mark-to-NAME chains.
      clearchain mangle:mark-from-$name mangle:mark-to-$name
      run iptables -t mangle -A mark-from-$name -j MARK --set-mark $from
      run iptables -t mangle -A mark-to-$name -j MARK --and-mark $to
      ;;
  esac
  netclassindex=$(( $netclassindex + 1 ))
}

## defiface NAME NETCLASS:NETWORK/MASK...
##
## Declares a network interface NAME and associates with it a number of
## reachable networks.  During source classification, a packet arriving on
## interface NAME from an address in NETWORK/MASK is classified as coming
## from to NETCLASS.  During destination classification, all packets going to
## NETWORK/MASK are classified as going to NETCLASS, regardless of interface
## (which is good, because the outgoing interface hasn't been determined
## yet).
##
## As a special case, the NETWORK/MASK can be the string `default', which
## indicates that all addresses not matched elsewhere should be considered.
ifaces=:
defaultiface=none
allnets=
defiface () {
  set -e
  name=$1; shift
  case $ifaces in
    *:"$name":*) ;;
    *)
      clearchain mangle:in-$name
      run iptables -t mangle -A in-classify -i $name -g in-$name
      ;;
  esac
  ifaces=$ifaces$name:
  for item; do
    netclass=${item%:*} addr=${item#*:}
    case $addr in
      default)
	defaultiface=$name
	defaultclass=$netclass
	run iptables -t mangle -A out-classify -g mark-to-$netclass
	;;
      *)
	run iptables -t mangle -A in-$name -s $addr -g mark-from-$netclass
	run iptables -t mangle -A out-classify -d $addr -g mark-to-$netclass
	allnets="$allnets $name:$addr"
	;;
    esac
  done
}

## defvpn IFACE CLASS NET HOST:ADDR ...
##
## Defines a VPN interface.  If the interface has the form `ROOT+' (i.e., a
## netfilter wildcard) then define a separate interface ROOTHOST routing to
## ADDR; otherwise just write a blanket rule allowing the whole NET.  All
## addresses concerned are put in the named CLASS.
defvpn () {
  set -e
  iface=$1 class=$2 net=$3; shift 3
  case $iface in
    *-+)
      root=${iface%+}
      for host; do
	name=${host%:*} addr=${host#*:}
	defiface $root$name $class:$addr
      done
      ;;
    *)
      defiface $iface $class:$net
      ;;
  esac
}

m4_divert(-1)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
bfdc045d MW	1	### --m4--
	2	###
	3	### Utility functions for firewall scripts
	4	###
	5	### (c) 2008 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	m4_divert(20)m4_dnl
	25	###--------------------------------------------------------------------------
	26	### Utility functions.
	27
	28	## doit COMMAND ARGS...
	29	##
	30	## If debugging, print the COMMAND and ARGS. If serious, execute them.
	31	run () {
	32	set -e
	33	if [ "$FW_DEBUG" ]; then echo "* $*"; fi
	34	if ! [ "$FW_NOACT" ]; then "$@"; fi
	35	}
	36
	37	## trace MESSAGE...
	38	##
	39	## If debugging, print the MESSAGE.
	40	trace () {
	41	set -e
	42	if [ "$FW_DEBUG" ]; then echo "$*"; fi
	43	}
	44
	45	## defport NAME NUMBER
	46	##
	47	## Define $port_NAME to be NUMBER.
	48	defport () {
	49	name=$1 number=$2
	50	eval port_$name=$number
	51	}
	52
	53	m4_divert(22)m4_dnl
	54	###--------------------------------------------------------------------------
	55	### Basic chain constructions.
	56
	57	## clearchain CHAIN CHAIN ...
	58	##
	59	## Ensure that the named chains exist and are empty.
	60	clearchain () {
	61	set -e
	62	for chain; do
	63	case $chain in
	64	:) table=${chain%:} chain=${chain#:} ;;
65	*) table=filter ;;
66	esac
67	run iptables -t $table -N $chain
68	done
69	}
70
71	## errorchain CHAIN ACTION ARGS ...
72	##
73	## Make a chain which logs a message and then invokes some other action,
74	## typically REJECT. Log messages are prefixed by `fw: CHAIN'.
75	errorchain () {
76	set -e
77	chain=$1; shift
78	case $chain in
79	:) table=${chain%:} chain=${chain#:} ;;
80	*) table=filter ;;
81	esac
82	clearchain $table:$chain
83	run iptables -t $table -A $chain -j LOG \
84	-m limit --limit 3/minute --limit-burst 10 \
fc10e52b	85	--log-prefix "fw: $chain " --log-level notice
bfdc045d MW	86	run iptables -t $table -A $chain -j "$@"
	87	}
	88
	89	m4_divert(24)m4_dnl
	90	###--------------------------------------------------------------------------
	91	### Basic option setting.
	92
	93	## setopt OPTION VALUE
	94	##
	95	## Set an IP sysctl.
	96	setopt () {
	97	set -e
	98	opt=$1; shift; val=$*
	99	run sysctl -q net/ipv4/$opt="$val"
	100	}
	101
	102	## setdevopt OPTION VALUE
	103	##
	104	## Set an IP interface-level sysctl.
	105	setdevopt () {
	106	set -e
	107	opt=$1; shift; val=$*
	108	for i in /proc/sys/net/ipv4/conf/*; do
	109	[ -f $i/$opt ] &&
	110	run sysctl -q net/ipv4/conf/${i#/proc/sys/net/ipv4/conf/}/$opt="$val"
	111	done
	112	}
	113
	114	m4_divert(26)m4_dnl
	115	###--------------------------------------------------------------------------
	116	### Packet filter construction.
	117
	118	## conntrack CHAIN
	119	##
	120	## Add connection tracking to CHAIN, and allow obvious stuff.
	121	conntrack () {
	122	set -e
	123	chain=$1
	124	run iptables -A $chain -p tcp -m state \
	125	--state ESTABLISHED,RELATED -j ACCEPT
	126	run iptables -A $chain -p tcp ! --syn -g bad-tcp
	127	}
	128
ecdca131 MW	129	## commonrules CHAIN
	130	##
	131	## Add standard IP filtering rules to the CHAIN.
	132	commonrules () {
	133	set -e
	134	chain=$1
	135
	136	## Pass fragments through, assuming that the eventual destination will sort
	137	## things out properly. Except for TCP, that is, which should never be
	138	## fragmented.
	139	run iptables -A $chain -p tcp -f -g tcp-fragment
	140	run iptables -A $chain -f -j ACCEPT
	141	}
	142
bfdc045d MW	143	## allowservices CHAIN PROTO SERVICE ...
	144	##
	145	## Add rules to allow the SERVICES on the CHAIN.
	146	allowservices () {
	147	set -e
	148	chain=$1 proto=$2; shift 2
	149	count=0
	150	list=
	151	for svc; do
	152	case $svc in
	153	:)
	154	n=2
	155	left=${svc%:} right=${svc#:}
	156	case $left in [!0-9]) eval left=\$port_$left ;; esac
	157	case $right in [!0-9]) eval right=\$port_$right ;; esac
	158	svc=$left:$right
	159	;;
	160	*)
	161	n=1
	162	case $svc in [!0-9]) eval svc=\$port_$svc ;; esac
	163	;;
	164	esac
	165	case $svc in
	166	: \| : \| "" \| [!0-9:])
	167	echo >&2 "Bad service name"
	168	exit 1
	169	;;
	170	esac
	171	count=$(( $count + $n ))
	172	if [ $count -gt 15 ]; then
	173	run iptables -A $chain -p $proto -m multiport -j ACCEPT \
	174	--destination-ports ${list#,}
	175	list= count=$n
	176	fi
	177	list=$list,$svc
	178	done
	179	case $list in
	180	"")
	181	;;
	182	,,)
	183	run iptables -A $chain -p $proto -m multiport -j ACCEPT \
	184	--destination-ports ${list#,}
	185	;;
	186	*)
	187	run iptables -A $chain -p $proto -j ACCEPT \
	188	--destination-port ${list#,}
	189	;;
	190	esac
	191	}
	192
	193	## ntpclient CHAIN NTPSERVER ...
	194	##
	195	## Add rules to CHAIN to allow NTP with NTPSERVERs.
	196	ntpclient () {
	197	set -e
	198	chain=$1; shift
	199	for ntp; do
	200	run iptables -A $chain -s $ntp -j ACCEPT \
	201	-p udp --source-port 123 --destination-port 123
	202	done
	203	}
	204
	205	## dnsresolver CHAIN
	206	##
207	## Add rules to allow CHAIN to be a DNS resolver.
208	dnsresolver () {
209	set -e
210	chain=$1
211	for p in tcp udp; do
212	run iptables -A $chain -j ACCEPT \
213	-m state --state ESTABLISHED \
214	-p $p --source-port 53
215	done
216	}
217
218	## openports CHAIN [MIN MAX]
219	##
220	## Add rules to CHAIN to allow the open ports.
221	openports () {
222	set -e
223	chain=$1; shift
224	[ $# -eq 0 ] && set -- $open_port_min $open_port_max
225	run iptables -A $chain -p tcp -g interesting --destination-port $1:$2
226	run iptables -A $chain -p udp -g interesting --destination-port $1:$2
227	}
228
229	m4_divert(28)m4_dnl
230	###--------------------------------------------------------------------------
231	### Packet classification.
232
233	## defbitfield NAME WIDTH
234	##
235	## Defines MASK_NAME and BIT_NAME symbolic constants for dealing with
236	## bitfields: x << BIT_NAME yields the value x in the correct position, and
237	## ff & MASK_NAME extracts the corresponding value.
238	defbitfield () {
239	set -e
240	name=$1 width=$2
241	eval MASK_$name=$(( (1 << $width) - 1 << $bitindex ))
242	eval BIT_$name=$bitindex
243	bitindex=$(( $bitindex + $width ))
244	}
245
246	## Define the layout of the bitfield.
247	bitindex=0
248	defbitfield MASK 16
249	defbitfield FROM 4
250	defbitfield TO 4
251
252	## defnetclass NAME FORWARD-TO...
253	##
254	## Defines a netclass called NAME, which is allowed to forward to the
255	## FORWARD-TO netclasses.
256	##
257	## For each netclass, constants from_NAME and to_NAME are defined as the
258	## appropriate values in the FROM and TO fields (i.e., not including any mask
259	## bits).
260	##
261	## This function also establishes mangle chains mark-from-NAME and
262	## mark-to-NAME for applying the appropriate mark bits to the packet.
263	##
264	## Because it needs to resolve forward references, netclasses must be defined
265	## in a two-pass manner, using a loop of the form
266	##
267	## for pass in 1 2; do netclassindex=0; ...; done
268	netclassess=
269	defnetclass () {
270	set -e
271	name=$1; shift
272	case $pass in
273	1)
274
275	## Pass 1. Establish the from_NAME and to_NAME constants, and the
276	## netclass's mask bit.
277	eval from_$name=$(( $netclassindex << $BIT_FROM ))
278	eval to_$name=$(( $netclassindex << $BIT_TO ))
279	eval _mask_$name=$(( 1 << ($netclassindex + $BIT_MASK) ))
280	nets="$nets $name"
281	;;
282	2)
283
284	## Pass 2. Compute the actual from and to values. We're a little bit
285	## clever during source classification, and set the TO field to
286	## all-bits-one, so that destination classification needs only a single
287	## AND operation.
288	from=$(( ($netclassindex << $BIT_FROM) + (0xf << $BIT_TO) ))
289	for net; do
290	eval bit=\$_mask_$net
291	from=$(( $from + $bit ))
292	done
293	to=$(( ($netclassindex << $BIT_TO) + \
294	(0xf << $BIT_FROM) + \
295	(1 << ($netclassindex + $BIT_MASK)) ))
296	trace "from $name --> set $(printf %x $from)"
297	trace " to $name --> and $(printf %x $from)"
298
299	## Now establish the mark-from-NAME and mark-to-NAME chains.
300	clearchain mangle:mark-from-$name mangle:mark-to-$name
301	run iptables -t mangle -A mark-from-$name -j MARK --set-mark $from
302	run iptables -t mangle -A mark-to-$name -j MARK --and-mark $to
303	;;
304	esac
305	netclassindex=$(( $netclassindex + 1 ))
306	}
307
308	## defiface NAME NETCLASS:NETWORK/MASK...
309	##
310	## Declares a network interface NAME and associates with it a number of
311	## reachable networks. During source classification, a packet arriving on
312	## interface NAME from an address in NETWORK/MASK is classified as coming
313	## from to NETCLASS. During destination classification, all packets going to
314	## NETWORK/MASK are classified as going to NETCLASS, regardless of interface
315	## (which is good, because the outgoing interface hasn't been determined
316	## yet).
317	##
318	## As a special case, the NETWORK/MASK can be the string `default', which
319	## indicates that all addresses not matched elsewhere should be considered.
320	ifaces=:
321	defaultiface=none
322	allnets=
323	defiface () {
324	set -e
325	name=$1; shift
326	case $ifaces in
327	:"$name":) ;;
328	*)
329	clearchain mangle:in-$name
330	run iptables -t mangle -A in-classify -i $name -g in-$name
331	;;
332	esac
333	ifaces=$ifaces$name:
334	for item; do
335	netclass=${item%:} addr=${item#:}
336	case $addr in
337	default)
338	defaultiface=$name
339	defaultclass=$netclass
340	run iptables -t mangle -A out-classify -g mark-to-$netclass
341	;;
342	*)
343	run iptables -t mangle -A in-$name -s $addr -g mark-from-$netclass
344	run iptables -t mangle -A out-classify -d $addr -g mark-to-$netclass
345	allnets="$allnets $name:$addr"
346	;;
347	esac
348	done
349	}
350
351	## defvpn IFACE CLASS NET HOST:ADDR ...
352	##
353	## Defines a VPN interface. If the interface has the form `ROOT+' (i.e., a
354	## netfilter wildcard) then define a separate interface ROOTHOST routing to
355	## ADDR; otherwise just write a blanket rule allowing the whole NET. All
356	## addresses concerned are put in the named CLASS.
357	defvpn () {
358	set -e
359	iface=$1 class=$2 net=$3; shift 3
360	case $iface in
361	*-+)
362	root=${iface%+}
363	for host; do
364	name=${host%:} addr=${host#:}
365	defiface $root$name $class:$addr
366	done
367	;;
368	*)
369	defiface $iface $class:$net
370	;;
371	esac
372	}
373
374	m4_divert(-1)
375	###----- That's all, folks --------------------------------------------------