From: Mark Wooding Date: Sat, 24 Mar 2012 17:07:36 +0000 (+0000) Subject: Merge remote-tracking branch 'origin' into emergency X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/b4d07df30bdd2132a03de9a22512560d585d918a?hp=-c Merge remote-tracking branch 'origin' into emergency * origin: local.m4: A new network for the SGO VPN. functions.m4, classify.m4: Handle negative address ranges. Make FW_NOACT work properly. Conflicts: local.m4 --- b4d07df30bdd2132a03de9a22512560d585d918a diff --combined bookends.m4 index a10608d,f451c8d..9757a38 --- a/bookends.m4 +++ b/bookends.m4 @@@ -38,6 -38,8 +38,8 @@@ preserve_chains="filter:fail2ban filter ## Take the various IP versions in turn. unref=nil for ip in ip ip6; do + if [ "$FW_NOACT" ]; then break; fi + for table in $(cat /proc/net/${ip}_tables_names); do ## Step 1: clear out the builtin chains. @@@ -106,17 -108,11 +108,17 @@@ m4_divert(32)m4_dn ## Set forwarding options. Apparently setting ip_forward clobbers other ## settings, so put this first. case $host_type_<::>FWHOST in - router) forward=1 ;; - *) forward=0 ;; + router) forward=1 host=0 ;; + server) forward=0 host=0 ;; + client) forward=0 host=1 ;; esac setopt ip_forward $forward setdevopt forwarding $forward +for i in \ + accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen +do + setdevopt $i $host +done case $forward in 0) inchains="INPUT" ;; 1) inchains="INPUT FORWARD" ;; @@@ -222,7 -218,7 +224,7 @@@ case $forward i run ip6tables -A check-fwd-multi -g bad-destination-address \ -d ff${x}2::/16 done - ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8 + run ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8 ;; esac diff --combined functions.m4 index 89715a4,16c07c8..c3609a5 --- a/functions.m4 +++ b/functions.m4 @@@ -183,7 -183,7 +183,7 @@@ setdevopt () for ver in ipv4 ipv6; do if [ -f /proc/sys/net/$ver/conf/$i/$opt ]; then any=t - run sysctl -q net/ipv4/conf/$i/$opt="$val" + run sysctl -q net/$ver/conf/$i/$opt="$val" fi done case $any in @@@ -513,19 -513,14 +513,19 @@@ host () defhost () { host=$1 addword allhosts $host - eval host_type_$host=endsys + eval host_type_$host=server } -## router +## hosttype TYPE ## -## Declare the host to be a router, so it should forward packets and so on. -router () { - eval host_type_$host=router +## Declare the host to have the given type. +hosttype () { + type=$1 + case $type in + router | server | client) ;; + *) echo >&2 "$0: bad host type \`$type'"; exit 1 ;; + esac + eval host_type_$host=$type } ## iface IFACE NET ... @@@ -539,6 -534,115 +539,115 @@@ iface () done } + ## Build rules which match a particular collection of networks. + ## Specifically, use the address-comparison operator OPT (typically `-s' or + ## `-d') to match the addresses of NOT, writing the rules to the chain + ## BASESUFFIX. If we find a match, dispatch to WIN-CLASS, where CLASS is + ## the class of the matching network. In order to deal with networks + ## containing negative address ranges, more chains may need to be + ## constructed; they will be named BASE#Q for sequence numbers Q starting + ## with NEXT. All of this happens on the `mangle' table, and there isn't + ## (currently) a way to tweak this. + ## + ## The FLAGS gather additional interesting information about the job, + ## separated by colons. The only flag currently is :default: which means + ## that the default network was listed. + ## + ## Finally, there is a hook PREPARE which is called just in advance of + ## processing the final network, passing it the argument FLAGS. (The PREPARE + ## string will be subjected to shell word-splitting, so it can provide some + ## arguments of its own if it wants.) It should set `mode' to indicate how + ## the chain should be finished. + ## + ## goto If no networks matched, then issue a final `goto' to the + ## chain named by the variable `fail'. + ## + ## call Run `$finish CHAIN' to write final rules to the named CHAIN + ## (which may be suffixed from the original BASE argument if + ## this was necessary). This function will arrange to call + ## these rules if no networks match. + ## + ## ret If no network matches then return (maybe by falling off the + ## end of the chain). + matchnets () { + local opt win flags prepare base suffix next net lose splitp + opt=$1 win=$2 flags=$3 prepare=$4 base=$5 suffix=$6 next=$7 net=$8 + shift 8 + + ## If this is the default network, then set the flag. + case "$net" in default) flags=${flags}default: ;; esac + + ## Do an initial pass over the addresses to see whether there are any + ## negative ranges. If so, we'll need to split. See also the standard + ## joke about soup. + splitp=nil + eval "addrs=\"\$net_inet_$net \$net_inet6_$net\"" + for a in $addrs; do case $a in !*) splitp=t; break ;; esac; done + + trace "MATCHNETS [splitp $splitp] $opt $win $flags [$prepare] $base $suffix $next : $net $*" + + ## Work out how to handle matches against negative address ranges. If this + ## is the last network, invoke the PREPARE hook to find out. Otherwise, if + ## we have to split the chain, recursively build the target here. + case $splitp,$# in + t,0 | nil,0) + $prepare $flags + case $splitp,$mode in + *,goto) + lose="-g $fail" + ;; + *,ret) + lose="-j RETURN" + ;; + t,call) + clearchain mangle:$base#$next + lose="-g $base#$next" + ;; + nil,call) + ;; + esac + ;; + t,*) + clearchain mangle:$base#$next + matchnets $opt $win $flags "$prepare" \ + $base \#$next $(( $next + 1 )) "$@" + lose="-g $base#$next" mode=goto + ;; + *) + mode=continue + ;; + esac + + ## Populate the chain with rules to match the necessary networks. + eval addr=\$net_inet_$net addr6=\$net_inet6_$net class=\$net_class_$net + for a in $addr; do + case $a in + !*) run iptables -t mangle -A $base$suffix $lose $opt ${a#!} ;; + *) run iptables -t mangle -A $base$suffix -g $win-$class $opt $a ;; + esac + done + for a in $addr6; do + case $a in + !*) run ip6tables -t mangle -A $base$suffix $lose $opt ${a#!} ;; + *) run ip6tables -t mangle -A $base$suffix -g $win-$class $opt $a ;; + esac + done + + ## Wrap up the chain appropriately. If we didn't split and there are more + ## networks to handle then append the necessary rules now. (If we did + ## split, then we already wrote the rules for them above.) If there are no + ## more networks then consult the `mode' setting to find out what to do. + case $splitp,$#,$mode in + *,0,ret) ;; + *,*,goto) run ip46tables -t mangle -A $base$suffix $lose ;; + t,0,call) $finish $base#$next ;; + nil,0,call) $finish $base$suffix ;; + nil,*,*) + matchnets $opt $win $flags "$prepare" $base "$suffix" $next "$@" + ;; + esac + } + ## net_interfaces HOST NET ## ## Determine the interfaces on which packets may plausibly arrive from the diff --combined local.m4 index 3a52c1b,357043b..ba09c39 --- a/local.m4 +++ b/local.m4 @@@ -71,7 -71,7 +71,7 @@@ defnet housebdry virtua ## House hosts. defhost radius - router + hosttype router iface eth0 dmz unsafe safe iface eth1 dmz unsafe safe iface eth2 safe @@@ -86,21 -86,20 +86,21 @@@ defhost artis iface eth0 dmz unsafe iface eth1 dmz unsafe defhost vampire - router - iface eth0.0 dmz unsafe safe - iface eth0.1 dmz unsafe safe + hosttype router + iface eth0.0 dmz unsafe safe default + iface eth0.1 dmz unsafe safe default iface eth0.2 safe - iface eth0.3 untrusted + iface eth0.3 untrusted default - iface dns0 dns - iface vpn-+ vpn + iface dns0 iodine iface vpn-precision colobdry vpn - iface t6-he default + iface vpn-chiark sgo + iface vpn-+ vpn defhost ibanez iface br-dmz dmz unsafe iface br-unsafe unsafe defhost gibson + hosttype client iface eth0 unsafe ## Colocated networks. @@@ -121,11 -120,12 +121,12 @@@ defhost fende iface br-jump jump colo iface br-colo jump colo defhost precision - router + hosttype router iface eth0 jump colo iface eth1 jump colo - iface vpn-+ vpn iface vpn-vampire housebdry vpn + iface vpn-chiark sgo + iface vpn-+ vpn defhost telecaster iface eth0 jump colo iface eth1 jump colo @@@ -139,6 -139,12 +140,12 @@@ defhost jaz ## Other networks. defnet hub virtual forwards housebdry colobdry + defnet sgo noloop + addr !172.29.198.0/23 + addr 10.0.0.0/8 + addr 172.16.0.0/12 + addr 192.168.0.0/16 + forwards househub colohub defnet vpn safe addr 172.29.199.128/27 2001:ba8:1d9:6000::/64 forwards househub colohub