shorewall_code/Shorewall/action.TCPFlags

66 lines
1.8 KiB
Plaintext
Raw Normal View History

#
# Shorewall version 4 - Action to handle bad TCP flag combinations
#
# /usr/share/shorewall/action.TCPFlags
#
# Accepts two optional parameters:
#
# Parameter 1: Disposition (default DROP).
# Must be ACCEPT, REJECT or DROP
# Parameter 2: Auditing
# - = Do not Audit
# audit = Audit ACCEPT, REJECT or DROP.
#
#################################################################################
FORMAT 2
DEFAULTS DROP,-
BEGIN PERL;
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
use Shorewall::Chains;
my ( $disposition, $audit ) = get_action_params( 2 );
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;
fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
if ( $level ne '-' || $audit ne '-' ) {
my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
log_rule_limit( $level,
$logchainref,
$chainref->{name},
$disposition,
'',
$tag,
'add',
'' ) if $level;
if ( supplied $audit ) {
fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
}
add_ijump( $logchainref, g => $disposition );
$disposition = $logchainref;
}
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
END PERL;