X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/bfdc045deb6149808d309b4ac3c292d9c57a8b38..1a42af95515f1f6920f0ba2b45576278bbc2c8cf:/functions.m4 diff --git a/functions.m4 b/functions.m4 index 66a83f3..2267af6 100644 --- a/functions.m4 +++ b/functions.m4 @@ -1,4 +1,4 @@ -### -*-m4-*- +### -*-sh-*- ### ### Utility functions for firewall scripts ### @@ -50,10 +50,45 @@ defport () { eval port_$name=$number } -m4_divert(22)m4_dnl +## defproto NAME NUMBER +## +## Define $proto_NAME to be NUMBER. +defproto () { + name=$1 number=$2 + eval proto_$name=$number +} + +## addword VAR WORD +## +## Adds WORD to the value of the shell variable VAR, if it's not there +## already. Words are separated by a single space; no leading or trailing +## spaces are introduced. +addword () { + var=$1 word=$2 + eval val=\$$var + case " $val " in + *" $word "*) ;; + *) eval "$var=\${$var:+\$val }\$word" ;; + esac +} + +m4_divert(38)m4_dnl +###-------------------------------------------------------------------------- +### Utility chains (used by function definitions). + +m4_divert(20)m4_dnl ###-------------------------------------------------------------------------- ### Basic chain constructions. +## ip46tables ARGS ... +## +## Do the same thing for `iptables' and `ip6tables'. +ip46tables () { + set -e + iptables "$@" + ip6tables "$@" +} + ## clearchain CHAIN CHAIN ... ## ## Ensure that the named chains exist and are empty. @@ -64,10 +99,23 @@ clearchain () { *:*) table=${chain%:*} chain=${chain#*:} ;; *) table=filter ;; esac - run iptables -t $table -N $chain + run ip46tables -t $table -N $chain 2>/dev/null || : done } +## makeset SET TYPE [PARAMS] +## +## Ensure that the named ipset exists. Don't clear it. +makeset () { + set -e + name=$1; shift + if ipset -nL | grep -q "^Name: $name$"; then + : + else + ipset -N "$name" "$@" + fi +} + ## errorchain CHAIN ACTION ARGS ... ## ## Make a chain which logs a message and then invokes some other action, @@ -80,13 +128,15 @@ errorchain () { *) table=filter ;; esac clearchain $table:$chain - run iptables -t $table -A $chain -j LOG \ + run ip46tables -t $table -A $chain -j LOG \ -m limit --limit 3/minute --limit-burst 10 \ - --log-prefix "new fw: $chain " --log-level notice - run iptables -t $table -A $chain -j "$@" + --log-prefix "fw: $chain " --log-level notice + run ip46tables -t $table -A $chain -j "$@" \ + -m limit --limit 20/second --limit-burst 100 + run ip46tables -t $table -A $chain -j DROP } -m4_divert(24)m4_dnl +m4_divert(20)m4_dnl ###-------------------------------------------------------------------------- ### Basic option setting. @@ -95,23 +145,54 @@ m4_divert(24)m4_dnl ## Set an IP sysctl. setopt () { set -e - opt=$1; shift; val=$* - run sysctl -q net/ipv4/$opt="$val" + opt=$1 val=$2 + any=nil + for ver in ipv4 ipv6; do + if [ -f /proc/sys/net/$ver/$opt ]; then + run sysctl -q net/$ver/$opt="$val" + any=t + fi + done + case $any in + nil) echo >&2 "$0: unknown IP option $opt"; exit 1 ;; + esac } -## setdevopt OPTION VALUE +## setdevopt OPTION VALUE [INTERFACES ...] ## ## Set an IP interface-level sysctl. setdevopt () { set -e - opt=$1; shift; val=$* - for i in /proc/sys/net/ipv4/conf/*; do - [ -f $i/$opt ] && - run sysctl -q net/ipv4/conf/${i#/proc/sys/net/ipv4/conf/}/$opt="$val" + opt=$1 val=$2; shift 2 + case "$#,$1" in + 0, | 1,all) + set -- $( + seen=: + for ver in ipv4 ipv6; do + cd /proc/sys/net/$ver/conf + for i in *; do + [ -f $i/$opt ] || continue + case "$seen" in (*:$i:*) continue ;; esac + echo $i + done + done) + ;; + esac + for i in "$@"; do + any=nil + for ver in ipv4 ipv6; do + if [ -f /proc/sys/net/$ver/conf/$i/$opt ]; then + any=t + run sysctl -q net/ipv4/conf/$i/$opt="$val" + fi + done + case $any in + nil) echo >&2 "$0: unknown device option $opt"; exit 1 ;; + esac done } -m4_divert(26)m4_dnl +m4_divert(20)m4_dnl ###-------------------------------------------------------------------------- ### Packet filter construction. @@ -121,11 +202,38 @@ m4_divert(26)m4_dnl conntrack () { set -e chain=$1 - run iptables -A $chain -p tcp -m state \ + run ip46tables -A $chain -p tcp -m state \ --state ESTABLISHED,RELATED -j ACCEPT - run iptables -A $chain -p tcp ! --syn -g bad-tcp + run ip46tables -A $chain -p tcp ! --syn -g bad-tcp +} + +## commonrules CHAIN +## +## Add standard IP filtering rules to the CHAIN. +commonrules () { + set -e + chain=$1 + + ## Pass fragments through, assuming that the eventual destination will sort + ## things out properly. Except for TCP, that is, which should never be + ## fragmented. This is an extra pain for ip6tables, which doesn't provide + ## a pleasant way to detect non-initial fragments. + run iptables -A $chain -p tcp -f -g tcp-fragment + run iptables -A $chain -f -j ACCEPT + run ip6tables -A $chain -p tcp -g tcp-fragment \ + -m ipv6header --soft --header frag + run ip6tables -A $chain -j accept-non-init-frag } +m4_divert(38)m4_dnl +## Accept a non-initial fragment. This is only needed by IPv6, to work +## around a deficiency in the option parser. +run ip6tables -N accept-non-init-frag +run ip6tables -A accept-non-init-frag -j RETURN \ + -m frag --fragfirst +run ip6tables -A accept-non-init-frag -j ACCEPT + +m4_divert(20)m4_dnl ## allowservices CHAIN PROTO SERVICE ... ## ## Add rules to allow the SERVICES on the CHAIN. @@ -137,26 +245,26 @@ allowservices () { for svc; do case $svc in *:*) - n=2 + n=2 left=${svc%:*} right=${svc#*:} case $left in *[!0-9]*) eval left=\$port_$left ;; esac case $right in *[!0-9]*) eval right=\$port_$right ;; esac svc=$left:$right ;; *) - n=1 + n=1 case $svc in *[!0-9]*) eval svc=\$port_$svc ;; esac ;; esac case $svc in *: | :* | "" | *[!0-9:]*) - echo >&2 "Bad service name" + echo >&2 "Bad service name" exit 1 ;; esac count=$(( $count + $n )) if [ $count -gt 15 ]; then - run iptables -A $chain -p $proto -m multiport -j ACCEPT \ + run ip46tables -A $chain -p $proto -m multiport -j ACCEPT \ --destination-ports ${list#,} list= count=$n fi @@ -166,11 +274,11 @@ allowservices () { "") ;; ,*,*) - run iptables -A $chain -p $proto -m multiport -j ACCEPT \ + run ip46tables -A $chain -p $proto -m multiport -j ACCEPT \ --destination-ports ${list#,} ;; - *) - run iptables -A $chain -p $proto -j ACCEPT \ + *) + run ip46tables -A $chain -p $proto -j ACCEPT \ --destination-port ${list#,} ;; esac @@ -181,11 +289,12 @@ allowservices () { ## Add rules to CHAIN to allow NTP with NTPSERVERs. ntpclient () { set -e - chain=$1; shift - for ntp; do - run iptables -A $chain -s $ntp -j ACCEPT \ - -p udp --source-port 123 --destination-port 123 - done + ntpchain=$1; shift + + clearchain ntp-servers + for ntp; do run iptables -A ntp-servers -j ACCEPT -s $ntp; done + run iptables -A $ntpchain -j ntp-servers \ + -p udp --source-port 123 --destination-port 123 } ## dnsresolver CHAIN @@ -195,7 +304,7 @@ dnsresolver () { set -e chain=$1 for p in tcp udp; do - run iptables -A $chain -j ACCEPT \ + run ip46tables -A $chain -j ACCEPT \ -m state --state ESTABLISHED \ -p $p --source-port 53 done @@ -208,13 +317,34 @@ openports () { set -e chain=$1; shift [ $# -eq 0 ] && set -- $open_port_min $open_port_max - run iptables -A $chain -p tcp -g interesting --destination-port $1:$2 - run iptables -A $chain -p udp -g interesting --destination-port $1:$2 + run ip46tables -A $chain -p tcp -g interesting --destination-port $1:$2 + run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2 } -m4_divert(28)m4_dnl +m4_divert(20)m4_dnl ###-------------------------------------------------------------------------- ### Packet classification. +### +### See `classify.m4' for an explanation of how the firewall machinery for +### packet classification works. +### +### A list of all network names is kept in `allnets'. For each network NET, +### shell variables are defined describing their properties. +### +### net_class_NET The class of the network, as defined by +### `defnetclass'. +### net_inet_NET List of IPv4 address ranges in the network. +### net_inet6_NET List of IPv6 address ranges in the network. +### net_fwd_NET List of other networks that this one forwards to. +### net_hosts_NET List of hosts known to be in the network. +### host_inet_HOST IPv4 address of the named HOST. +### host_inet6_HOST IPv6 address of the named HOST. +### +### Similarly, a list of hosts is kept in `allhosts', and for each host HOST, +### a shell variables are defined: +### +### host_ifaces_HOST List of interfaces for this host and the networks +### they attach to, in the form IFACE=NET. ## defbitfield NAME WIDTH ## @@ -260,6 +390,7 @@ defnetclass () { ## Pass 1. Establish the from_NAME and to_NAME constants, and the ## netclass's mask bit. + trace "netclass $name = $netclassindex" eval from_$name=$(( $netclassindex << $BIT_FROM )) eval to_$name=$(( $netclassindex << $BIT_TO )) eval _mask_$name=$(( 1 << ($netclassindex + $BIT_MASK) )) @@ -277,84 +408,200 @@ defnetclass () { from=$(( $from + $bit )) done to=$(( ($netclassindex << $BIT_TO) + \ - (0xf << $BIT_FROM) + \ + (0xf << $BIT_FROM) + \ (1 << ($netclassindex + $BIT_MASK)) )) trace "from $name --> set $(printf %x $from)" trace " to $name --> and $(printf %x $from)" ## Now establish the mark-from-NAME and mark-to-NAME chains. clearchain mangle:mark-from-$name mangle:mark-to-$name - run iptables -t mangle -A mark-from-$name -j MARK --set-mark $from - run iptables -t mangle -A mark-to-$name -j MARK --and-mark $to + run ip46tables -t mangle -A mark-from-$name -j MARK --set-mark $from + run ip46tables -t mangle -A mark-to-$name -j MARK --and-mark $to ;; esac netclassindex=$(( $netclassindex + 1 )) } -## defiface NAME NETCLASS:NETWORK/MASK... -## -## Declares a network interface NAME and associates with it a number of -## reachable networks. During source classification, a packet arriving on -## interface NAME from an address in NETWORK/MASK is classified as coming -## from to NETCLASS. During destination classification, all packets going to -## NETWORK/MASK are classified as going to NETCLASS, regardless of interface -## (which is good, because the outgoing interface hasn't been determined -## yet). -## -## As a special case, the NETWORK/MASK can be the string `default', which -## indicates that all addresses not matched elsewhere should be considered. -ifaces=: -defaultiface=none -allnets= -defiface () { - set -e +## defnet NET CLASS +## +## Define a network. Follow by calls to `addr', `forwards', etc. to define +## properties of the network. Networks are processed in order, so if their +## addresses overlap then the more specific addresses should be defined +## earlier. +defnet () { + net=$1 class=$2 + addword allnets $net + eval net_class_$1=\$class +} + +## addr ADDRESS/LEN ... +## +## Define addresses for the network being defined. ADDRESSes are in +## colon-separated IPv6 or dotted-quad IPv4 form. +addr () { + for i in "$@"; do + case "$i" in + *:*) addword net_inet6_$net $i ;; + *) addword net_inet_$net $i ;; + esac + done +} + +## forwards NET ... +## +## Declare that packets from this network are forwarded to the other NETs. +forwards () { + eval "net_fwd_$net=\"$*\"" +} + +## noxit NET ... +## +## Declare that packets from this network must not be forwarded to the other +## NETs. +noxit () { + eval "net_noxit_$net=\"$*\"" +} + +## host HOST ADDR ... +## +## Define the address of an individual host on the current network. The +## ADDRs may be full IPv4 or IPv6 addresses, or offsets from the containing +## network address, which is a simple number for IPv4, or a suffix beginning +## with `::' for IPv6. If an IPv6 base address is provided for the network +## but not for the host then the host's IPv4 address is used as a suffix. +host () { name=$1; shift - case $ifaces in - *:"$name":*) ;; - *) - clearchain mangle:in-$name - run iptables -t mangle -A in-classify -i $name -g in-$name - ;; + + ## Work out which addresses we've actually been given. + unset a6 + for i in "$@"; do + case "$i" in ::*) a6=$i ;; *) a=$i ;; esac + done + case "${a+t}" in + t) ;; + *) echo >&2 "$0: no address for $name"; exit 1 ;; esac - ifaces=$ifaces$name: - for item; do - netclass=${item%:*} addr=${item#*:} - case $addr in - default) - defaultiface=$name - defaultclass=$netclass - run iptables -t mangle -A out-classify -g mark-to-$netclass - ;; - *) - run iptables -t mangle -A in-$name -s $addr -g mark-from-$netclass - run iptables -t mangle -A out-classify -d $addr -g mark-to-$netclass - allnets="$allnets $name:$addr" - ;; - esac + case "${a6+t}" in t) ;; *) a6=::$a ;; esac + + ## Work out the IPv4 address. + eval nn=\$net_inet_$net + for n in $nn; do + addr=${n%/*} + base=${addr%.*} + offset=${addr##*.} + case $a in *.*) aa=$a ;; *) aa=$base.$(( $offset + $a )) ;; esac + eval host_inet_$name=$aa done + + ## Work out the IPv6 address. + eval nn=\$net_inet6_$net + for n in $nn; do + addr=${n%/*} + base=${addr%::*} + case $a in ::*) aa=$addr$a ;; *) aa=$a ;; esac + eval host_inet6_$name=$aa + done + + ## Remember the host in the list. + addword net_hosts_$net $name } -## defvpn IFACE CLASS NET HOST:ADDR ... +## defhost NAME ## -## Defines a VPN interface. If the interface has the form `ROOT+' (i.e., a -## netfilter wildcard) then define a separate interface ROOTHOST routing to -## ADDR; otherwise just write a blanket rule allowing the whole NET. All -## addresses concerned are put in the named CLASS. -defvpn () { - set -e - iface=$1 class=$2 net=$3; shift 3 - case $iface in - *-+) - root=${iface%+} - for host; do - name=${host%:*} addr=${host#*:} - defiface $root$name $class:$addr +## Define a new host. Follow by calls to `iface' to define the host's +## interfaces. +defhost () { + host=$1 + addword allhosts $host + eval host_type_$host=endsys +} + +## router +## +## Declare the host to be a router, so it should forward packets and so on. +router () { + eval host_type_$host=router +} + +## iface IFACE NET ... +## +## Define a host's interfaces. Specifically, declares that the host has an +## interface IFACE attached to the listed NETs. +iface () { + name=$1; shift + for net in "$@"; do + addword host_ifaces_$host $name=$net + done +} + +## net_interfaces HOST NET +## +## Determine the interfaces on which packets may plausibly arrive from the +## named NET. Returns `-' if no such interface exists. +## +## This algorithm is not very clever. It's just about barely good enough to +## deduce transitivity through a simple routed network; with complicated +## networks, it will undoubtedly give wrong answers. Check the results +## carefully, and, if necessary, list the connectivity explicitly; use the +## special interface `-' for networks you know shouldn't send packets to a +## host. +net_interfaces () { + host=$1 startnet=$2 + + ## Determine the locally attached networks. + targets=: + eval ii=\$host_ifaces_$host + for i in $ii; do targets=$targets$i:; done + + ## Determine the transitivity. + seen=: + nets=$startnet + while :; do + + ## First pass. Determine whether any of the networks we're considering + ## are in the target set. If they are, then return the corresponding + ## interfaces. + found="" + for net in $nets; do + tg=$targets + while :; do + any=nil + case $tg in + *"=$net:"*) + n=${tg%=$net:*}; tg=${n%:*}:; n=${n##*:} + addword found $n + any=t + ;; + esac + case $any in nil) break ;; esac done - ;; - *) - defiface $iface $class:$net - ;; - esac + done + case "$found" in ?*) echo $found; return ;; esac + + ## No joy. Determine the set of networks which (a) these ones can + ## forward to, and (b) that we've not considered already. These are the + ## nets we'll consider next time around. + nextnets="" + any=nil + for net in $nets; do + eval fwd=\$net_fwd_$net + for n in $fwd; do + case $seen in *":$n:"*) continue ;; esac + seen=$seen$n: + eval noxit=\$net_noxit_$n + case " $noxit " in *" $startnet "*) continue ;; esac + case " $nextnets " in + *" $n "*) ;; + *) addword nextnets $n; any=t ;; + esac + done + done + + ## If we've run out of networks then there's no reachability. Return a + ## failure. + case $any in nil) echo -; return ;; esac + nets=$nextnets + done } m4_divert(-1)