removed from iptrap the functionality to create actions; now the action helper can create a list of action with logic in them; updated docs

2024-06-28 18:02:33 +00:00 · 2015-02-08 14:42:35 +02:00 · 2015-02-08 14:42:35 +02:00 · cf8b510095
commit cf8b510095
parent a58365d6f5
3 changed files with 183 additions and 62 deletions
--- a/doc/firehol/firehol-action.5.md
+++ b/doc/firehol/firehol-action.5.md
@ -4,17 +4,56 @@

 # NAME

-firehol-action - set up custom filter actions
+firehol-action - set up custom filtering actions

 # SYNOPSIS

-action chain *name* *action*
+action *name* [table *table_name*] *type* *type_params* [ next [ type *type_params* [ next ... ] ] ]

 # DESCRIPTION


-The `action` helper command creates an iptables(8) chain which can be used
-to control the action of other firewall rules once the firewall is
+The `action` helper creates custom actions that can be used everywhere
+in FireHOL, like this:
+
+~~~~
+action ACT1 chain accept
+
+interface any world
+    server smtp ACT1
+
+router myrouter
+	policy ACT1
+~~~~
+
+The `action` helper allows linking multiple actions together and having
+some logic to select which action to execute, like this:
+
+~~~~
+action ACT1 \
+	     rule src 192.168.0.0/16 action reject \
+	next rule dst 192.168.0.0/16 action reject \
+	next rule inface eth2 action drop \
+	next rule outface eth2 action drop \
+	next action accept
+
+interface any world
+    server smtp ACT1
+
+router myrouter
+	policy ACT1
+~~~~
+
+There is no limit on the number of actions that can be linked together.
+
+`type` can be `chain` or `action` (`chain` and `action` are aliases),
+`rule` or `ipset`.
+
+
+## Chain type actions
+
+This is the simpler action. It creates an iptables(8) chain which can be
+used to control the action of other firewall rules once the firewall is
 running.

 For example, you can setup the custom action ACT1, which by default is
@ -32,20 +71,16 @@ The *action* can be any of those supported by FireHOL (see
 [firehol-actions(5)][]). Only ACCEPT, REJECT, DROP,
 RETURN have any meaning in this instance.

-# EXAMPLES
-
-To create a custom chain and have some rules use it:
+Once the firewall is running you can dynamically modify the behaviour of
+the chain from the Linux command-line, as detailed below:

 ~~~~
-action chain ACT1 accept
+action ACT1 chain accept

 interface any world
    server smtp ACT1
    client smtp ACT1
 ~~~~
-        
-Once the firewall is running you can dynamically modify the behaviour of
-the chain from the Linux command-line, as detailed below:

 To insert a DROP action at the start of the chain to override the
 default action (ACCEPT):
@ -63,14 +98,81 @@ default action:
 > RETURN, in which case the behaviour will be as if any rules with the
 > action were not present in the configuration file.

-You can also create multiple chains simultaneously. To create 3 ACCEPT
-and 3 DROP chains you can do the following:
+
+## Rule type actions
+
+`rule` type actions define a few conditions that will lead to an action.
+
+All optional rule parameters FireHOL supports can be used here (see
+[firehol-params(5)][]).
+

 ~~~~
-action chain "ACT1 ACT2 ACT3" accept
-action chain "ACT4 ACT5 ACT6" drop
+action ACT1 \
+	rule inface eth0 action accept
+	next rule outface eth0 action accept
+	next action reject
+
+interface any world
+    server smtp ACT1
 ~~~~

+In the above example the smtp server can only be accessed from eth0.
+
+It is important to remember that actions will be applied for all the
+traffic, both requests and replies. The type of traffic can be filtered
+with the `state` optional rule parameter, like this:
+
+~~~~
+action ACT1 \
+	rule inface eth0 state NEW action reject
+	next action accept
+
+interface any world
+    server smtp ACT1
+    client smtp ACT1
+~~~~
+
+In the above example, the smtp server will not accept NEW connections
+from eth0, but the smtp client will be able to connect to servers on eth0
+(and everywhere else).
+
+
+## iptrap type actions
+
+`iptrap` (see [firehol-iptrap(5)][]) is a helper than copies (traps)
+an IP to an ipset (see [firehol-ipset(5)][]). It does not perform any
+action on the traffic.
+
+Using the `iptrap` action, the `iptrap` helper can be linked to filtering
+actions, like this:
+
+
+~~~~
+action TRAP_AND_REJECT \
+	rule iptrap src policytrap 30 inface wan0 \
+		src not "${UNROUTABLE_IPS} ipset:whitelist" \
+		state NEW log "POLICY TRAP" \
+	next action reject
+
+interface any world
+	policy TRAP_AND_REJECT
+    server smtp accept
+~~~~
+
+Since we used the action TRAP_AND_REJECT as an interface policy, it will
+get all the traffic not accepted, rejected, or droped by the server and
+client statements.
+
+For all these packets, the action TRAP_AND_REJECT will first check that
+they are coming in from wan0, that their src IP is not in `UNROUTABLE_IPS`
+list and in the `whitelist` ipset, that they are NEW connections, and if
+all these conditions are met, it will log with the tag `POLICY TRAP` and
+add the src IP of the packets in the `policytrap` ipset for 30 seconds.
+
+All traffic not matched by the above, will be just rejected.
+
+
 # SEE ALSO

 * [firehol(1)][] - FireHOL program
--- a/doc/firehol/firehol-iptrap.5.md
+++ b/doc/firehol/firehol-iptrap.5.md
@ -34,6 +34,12 @@ time expires. The user may monitor the remaining time for each IP, by running
 `ipset list NAME` (where `NAME` is the `ipset` parameter given in the `iptrap`
 command).

+The timeout value `default` will not set any timeout. The ipset default will be
+used.
+
+A timeout of `0` (zero), writes to the ipset permanently (this is a feature of
+the ipset command, not the ipset FireHOL helper).
+
 The *rule-params* define a set of rule parameters to restrict
 the traffic that is matched to this helper. See
 [firehol-params(5)][] for more details.
--- a/sbin/firehol.in
+++ b/sbin/firehol.in
@ -3213,6 +3213,9 @@ ecn_shame() {
 }

 # define custom actions
+action4() { ipv4 action "${@}"; }
+action6() { ipv6 action "${@}"; }
+action46() { both action "${@}"; }
 action() {
 	work_realcmd_helper ${FUNCNAME} "${@}"
 	
@ -3220,40 +3223,65 @@ action() {
 	
 	require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
 	
+	local name="${1}" type= tables="filter" t=
+	local -a args=()
+	shift
+
+	if [ "${1}" = "table" -o "${1}" = "tables" ]
+	then
+		tables="${2}"
+		shift 2
+	fi
+
+	create_chain filter ${name} || return 1
+
 	while [ ! -z "${1}" ]
 	do
-		local what="${1}"; shift
-		
-		case "${what}" in
-			chain)	local name="${1}"; shift
-				local act="${1}"; shift
-				
-				if [ -z "${name}" ]
-				then
-					error "Cannot create an action chain without a name."
-					return 1
-				fi
-				
-				if [ -z "${act}" ]
-				then
-					error "Cannot create the action chain(s) '$name' without a default action."
-					return 1
-				fi
-				
-				local nm=
-				for nm in $name
+		type="${1}"
+		shift
+
+		args=()
+		while [ ! -z "${1}" -a ! "${1}" = "next" ]
+		do
+			args=( "${args[@]}" "${1}" )
+			shift
+		done
+		[ "${1}" = "next" ] && shift
+
+		case "${type}" in
+			chain|action)
+				for t in ${tables//,/ }
 				do
-					create_chain filter ${nm}
-					rule table filter chain ${nm} action "${act}"
+					set_work_function "${FUNCNAME}: rules for type ${type} under table ${t}: ${args[@]}"
+					rule table ${t} chain "${name}" action "${args[0]}" || return 1
 				done
 				;;
-				
-			*)	error "Cannot understand ${FUNCNAME} '${what}'."
+
+			rule)
+				for t in ${tables//,/ }
+				do
+					set_work_function "${FUNCNAME}: rules for type ${type} under table ${t}: ${args[@]}"
+					rule table ${t} chain "${name}" "${args[@]}" || return 1
+				done
+				;;
+
+			iptrap)
+				local ipt1="${args[0]}" ipt2="${args[1]}" ipt3="${args[2]}"
+				unset args[0] args[1] args[2]
+				for t in ${tables//,/ }
+				do
+					set_work_function "${FUNCNAME}: rules for type ${type} under table ${t}: ${args[@]}"
+					iptrap "${ipt1}" "${ipt2}" "${ipt3}" chain "${name}" table ${t} "${args[@]}" || return 1
+				done
+				;;
+
+			*)
+				error "${FUNCNAME}: Unknown action type '${type}'. Format is: ${FUNCNAME} name type type_parameters"
 				return 1
 				;;
 		esac
 	done
-	
+
 	return 0
 }

@ -3785,7 +3813,7 @@ iptrap() {
 	require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
 	running_both       && error "${FUNCNAME} cannot be used in both IPv4 and IPv6. Please give use either iptrap4 or iptrap6." && return 1

-	local type= ipset= timeout= chain= tables="mangle" undo=0 action="RETURN" define_action= t=
+	local type= ipset= timeout= chain= tables="mangle" undo=0 action="RETURN" t= link_to="PREROUTING"
 	local -a args=() logopts_arg=()

 	if [ "$1" = "undo" ]
@ -3811,8 +3839,8 @@ iptrap() {
 	while [ ! -z "${1}" ]
 	do
 		case "${1}" in
-			define_action)
-				define_action="${2}"
+			chain)
+				link_to="${2}"
 				shift
 				;;

@ -3856,13 +3884,8 @@ iptrap() {
 		fi
 	fi

-	if [ ! -z "${define_action}" ]
-	then
-		chain="${define_action}"
-	else
-		FIREHOL_IPTRAP_COUNTER=$[ FIREHOL_IPTRAP_COUNTER + 1 ]
-		chain="IPTRAP.${FIREHOL_IPTRAP_COUNTER}"
-	fi
+	FIREHOL_IPTRAP_COUNTER=$[ FIREHOL_IPTRAP_COUNTER + 1 ]
+	chain="IPTRAP.${FIREHOL_IPTRAP_COUNTER}"

 	for t in ${tables//,/ }
 	do
@ -3894,18 +3917,8 @@ iptrap() {

 		# ---

-		if [ ! -z "${define_action}" ]
-		then
-			if [ ! -z "${args[*]}" ]
-			then
-				error "${FUNCNAME}: there cannot be link parameters when creating just an action. Link params given found: ${args[*]}"
-				return 1
-			fi
-		else
-			set_work_function "Generating iptrap matching rules in table ${t} PREROUTING"
-
-			rule table ${t} chain PREROUTING in "${args[@]}" action "${chain}" || return 1
-		fi
+		set_work_function "Generating iptrap matching rules in table ${t} chain ${link_to}"
+		rule table ${t} chain ${link_to} in "${args[@]}" action "${chain}" || return 1
 	done

 	return 0