mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-15 19:01:19 +01:00
314 lines
7.8 KiB
Plaintext
314 lines
7.8 KiB
Plaintext
|
#!/bin/sh
|
||
|
#
|
||
|
# Shorewall 3.2 -- /usr/share/shorewall/clib.macros
|
||
|
#
|
||
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||
|
#
|
||
|
# (c) 2005,2006 - Tom Eastep (teastep@shorewall.net)
|
||
|
#
|
||
|
# Complete documentation is available at http://shorewall.net
|
||
|
#
|
||
|
# This program is free software; you can redistribute it and/or modify
|
||
|
# it under the terms of Version 2 of the GNU General Public License
|
||
|
# as published by the Free Software Foundation.
|
||
|
#
|
||
|
# This program is distributed in the hope that it will be useful,
|
||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
# GNU General Public License for more details.
|
||
|
#
|
||
|
# You should have received a copy of the GNU General Public License
|
||
|
# along with this program; if not, write to the Free Software
|
||
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||
|
|
||
|
#
|
||
|
# This function maps old action names into their new macro equivalents
|
||
|
#
|
||
|
map_old_action() # $1 = Potential Old Action
|
||
|
{
|
||
|
local macro= aktion
|
||
|
|
||
|
if [ -n "$MAPOLDACTIONS" ]; then
|
||
|
case $1 in
|
||
|
*/*)
|
||
|
echo $1
|
||
|
return
|
||
|
;;
|
||
|
*)
|
||
|
if [ -f $(find_file $1) ]; then
|
||
|
echo $1
|
||
|
return
|
||
|
fi
|
||
|
|
||
|
case $1 in
|
||
|
Allow*)
|
||
|
macro=${1#*w}
|
||
|
aktion=ACCEPT
|
||
|
;;
|
||
|
Drop*)
|
||
|
macro=${1#*p}
|
||
|
aktion=DROP
|
||
|
;;
|
||
|
Reject*)
|
||
|
macro=${1#*t}
|
||
|
aktion=REJECT
|
||
|
;;
|
||
|
*)
|
||
|
echo $1
|
||
|
return
|
||
|
;;
|
||
|
esac
|
||
|
esac
|
||
|
|
||
|
if [ -f $(find_file macro.$macro) ]; then
|
||
|
echo $macro/$aktion
|
||
|
return
|
||
|
fi
|
||
|
fi
|
||
|
|
||
|
echo $1
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Combine a source/dest from the macro body with one from the macro invocation
|
||
|
#
|
||
|
merge_macro_source_dest() # $1 = source/dest from macro body, $2 = source/dest from invocation
|
||
|
{
|
||
|
case $2 in
|
||
|
-)
|
||
|
echo ${1}
|
||
|
;;
|
||
|
*.*.*|+*|~*|!~*)
|
||
|
#
|
||
|
# Value in the invocation is an address -- put it behind the value from the macro
|
||
|
#
|
||
|
echo ${1}:${2}
|
||
|
;;
|
||
|
*)
|
||
|
echo ${2}:${1}
|
||
|
;;
|
||
|
esac
|
||
|
}
|
||
|
|
||
|
verify_macro_from_action() {
|
||
|
temp=$(map_old_action $temp)
|
||
|
|
||
|
case $temp in
|
||
|
*/*)
|
||
|
param=${temp#*/}
|
||
|
case $param in
|
||
|
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE)
|
||
|
;;
|
||
|
*)
|
||
|
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec"
|
||
|
fatal_error "Invalid Macro Parameter in rule \"$rule\""
|
||
|
;;
|
||
|
esac
|
||
|
temp=${temp%%/*}
|
||
|
;;
|
||
|
esac
|
||
|
|
||
|
f1=macro.${temp}
|
||
|
fn=$(find_file $f1)
|
||
|
|
||
|
if [ ! -f $TMP_DIR/$f1 ]; then
|
||
|
#
|
||
|
# We must only verify macros once to ensure that they don't invoke any non-standard actions
|
||
|
#
|
||
|
if [ -f $fn ]; then
|
||
|
strip_file $f1 $fn
|
||
|
|
||
|
progress_message " ..Expanding Macro $fn..."
|
||
|
|
||
|
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
|
||
|
expandv mtarget
|
||
|
temp="${mtarget%%:*}"
|
||
|
case "$temp" in
|
||
|
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|PARAM)
|
||
|
;;
|
||
|
*)
|
||
|
rule="$mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec"
|
||
|
fatal_error "Invalid TARGET in rule \"$rule\""
|
||
|
esac
|
||
|
done < $TMP_DIR/$f1
|
||
|
|
||
|
progress_message " ..End Macro"
|
||
|
else
|
||
|
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec"
|
||
|
fatal_error "Invalid TARGET in rule \"$rule\""
|
||
|
fi
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
expand_macro_in_action() {
|
||
|
|
||
|
xtarget1=$(map_old_action $xtarget1)
|
||
|
|
||
|
case $xtarget1 in
|
||
|
*/*)
|
||
|
param=${xtarget1#*/}
|
||
|
xtarget1=${xtarget1%%/*}
|
||
|
;;
|
||
|
esac
|
||
|
|
||
|
progress_message "..Expanding Macro $(find_file macro.$xtarget1)..."
|
||
|
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
|
||
|
expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
|
||
|
|
||
|
mtarget=$(merge_levels $xaction2 $mtarget)
|
||
|
|
||
|
case $mtarget in
|
||
|
PARAM|PARAM:*)
|
||
|
[ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation"
|
||
|
;;
|
||
|
esac
|
||
|
|
||
|
if [ -n "$mclients" ]; then
|
||
|
case $mclients in
|
||
|
-|SOURCE)
|
||
|
mclients=${xclients}
|
||
|
;;
|
||
|
DEST)
|
||
|
mclients=${xservers}
|
||
|
;;
|
||
|
*)
|
||
|
mclients=$(merge_macro_source_dest $mclients $xclients)
|
||
|
;;
|
||
|
esac
|
||
|
else
|
||
|
mclients=${xclients}
|
||
|
fi
|
||
|
|
||
|
if [ -n "$mservers" ]; then
|
||
|
case $mservers in
|
||
|
-|DEST)
|
||
|
mservers=${xservers}
|
||
|
;;
|
||
|
SOURCE)
|
||
|
mservers=${xclients}
|
||
|
;;
|
||
|
*)
|
||
|
mservers=$(merge_macro_source_dest $mservers $xservers)
|
||
|
;;
|
||
|
esac
|
||
|
else
|
||
|
mservers=${xserverss}
|
||
|
fi
|
||
|
|
||
|
[ -n "$xprotocol" ] && [ "x${xprotocol}" != x- ] && mprotocol=$xprotocol
|
||
|
[ -n "$xports" ] && [ "x${xports}" != x- ] && mports=$xports
|
||
|
[ -n "$xcports" ] && [ "x${xcports}" != x- ] && mcports=$xcports
|
||
|
[ -n "$xratelimit" ] && [ "x${xratelimit}" != x- ] && mratelimit=$xratelimit
|
||
|
[ -n "$xuserspec" ] && [ "x${xuserspec}" != x- ] && muserspec=$xuserspec
|
||
|
|
||
|
rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-}"
|
||
|
process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec
|
||
|
done < $TMP_DIR/macro.$xtarget1
|
||
|
progress_message "..End Macro"
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Process a macro invocation in the rules file
|
||
|
#
|
||
|
|
||
|
process_macro() # $1 = target
|
||
|
# $2 = param
|
||
|
# $2 = clients
|
||
|
# $3 = servers
|
||
|
# $4 = protocol
|
||
|
# $5 = ports
|
||
|
# $6 = cports
|
||
|
# $7 = address
|
||
|
# $8 = ratelimit
|
||
|
# $9 = userspec
|
||
|
{
|
||
|
local itarget="$1"
|
||
|
local param="$2"
|
||
|
local iclients="$3"
|
||
|
local iservers="$4"
|
||
|
local iprotocol="$5"
|
||
|
local iports="$6"
|
||
|
local icports="$7"
|
||
|
local iaddress="$8"
|
||
|
local iratelimit="$9"
|
||
|
local iuserspec="${10}"
|
||
|
|
||
|
progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
|
||
|
|
||
|
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
|
||
|
expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
|
||
|
|
||
|
mtarget=$(merge_levels $itarget $mtarget)
|
||
|
|
||
|
case $mtarget in
|
||
|
PARAM|PARAM:*)
|
||
|
[ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation"
|
||
|
;;
|
||
|
esac
|
||
|
|
||
|
case ${mtarget%%:*} in
|
||
|
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
|
||
|
;;
|
||
|
*)
|
||
|
if list_search ${mtarget%%:*} $ACTIONS; then
|
||
|
if ! list_search $mtarget $USEDACTIONS; then
|
||
|
createactionchain $mtarget
|
||
|
USEDACTIONS="$USEDACTIONS $mtarget"
|
||
|
fi
|
||
|
|
||
|
mtarget=$(find_logactionchain $mtarget)
|
||
|
else
|
||
|
fatal_error "Invalid Action in rule \"$mtarget ${mclients:--} ${mservers:--} ${mprotocol:--} ${mports:--} ${mcports:--} ${xaddress:--} ${mratelimit:--} ${muserspec:--}\""
|
||
|
fi
|
||
|
;;
|
||
|
esac
|
||
|
|
||
|
if [ -n "$mclients" ]; then
|
||
|
case $mclients in
|
||
|
-|SOURCE)
|
||
|
mclients=${iclients}
|
||
|
;;
|
||
|
DEST)
|
||
|
mclients=${iservers}
|
||
|
;;
|
||
|
*)
|
||
|
mclients=$(merge_macro_source_dest $mclients $iclients)
|
||
|
;;
|
||
|
esac
|
||
|
else
|
||
|
mclients=${iclients}
|
||
|
fi
|
||
|
|
||
|
if [ -n "$mservers" ]; then
|
||
|
case $mservers in
|
||
|
-|DEST)
|
||
|
mservers=${iservers}
|
||
|
;;
|
||
|
SOURCE)
|
||
|
mservers=${iclients}
|
||
|
;;
|
||
|
*)
|
||
|
mservers=$(merge_macro_source_dest $mservers $iservers)
|
||
|
;;
|
||
|
esac
|
||
|
else
|
||
|
mservers=${iservers}
|
||
|
fi
|
||
|
|
||
|
[ -n "$iprotocol" ] && [ "x${iprotocol}" != x- ] && mprotocol=$iprotocol
|
||
|
[ -n "$iports" ] && [ "x${iports}" != x- ] && mports=$iports
|
||
|
[ -n "$icports" ] && [ "x${icports}" != x- ] && mcports=$icports
|
||
|
[ -n "$iratelimit" ] && [ "x${iratelimit}" != x- ] && mratelimit=$iratelimit
|
||
|
[ -n "$iuserspec" ] && [ "x${iuserspec}" != x- ] && muserspec=$iuserspec
|
||
|
|
||
|
rule="$mtarget ${mclients=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${xaddress:=-} ${mratelimit:=-} ${muserspec:=-}"
|
||
|
process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec
|
||
|
|
||
|
done < $TMP_DIR/macro.${itarget%%:*}
|
||
|
|
||
|
progress_message "..End Macro"
|
||
|
|
||
|
}
|
||
|
|
||
|
CLIB_MACROS_LOADED=Yes
|