Make ADD and DELETE work with any type of ipset.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-07-20 15:42:11 -07:00
parent c9423491f2
commit 1de257be19
3 changed files with 67 additions and 23 deletions


@ -179,9 +179,27 @@ sub find_macro( $ )
#
sub split_action ( $ ) {
my $action = $_[0];
my $target = '';
my $max = 3;
#
# The following rather grim RE, when matched, breaks the action into two parts:
#
# basicaction(param)
# logging part (may be empty)
#
# The param may contain one or more ':' characters
#
if ( $action =~ /^([^(:]+\(.*?\))(:(.*))$/ ) {
$target = $1;
$action = $2 ? $3 : '';
$max = 2;
}
my @a = split( /:/ , $action, 4 );
fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
( shift @a, join ":", @a );
fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
$target = shift @a unless $target;
( $target, join ":", @a );
}
#
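Review bot: the second capture group in the new regular expression, `(:(.*))`, is mandatory, so an action with no logging suffix such as `ADD(S:dst,src,dst)` never takes this branch and falls through to the plain `split( /:/ , $action, 4 )`, which splits inside the parentheses and yields `ADD(S` as the target. Making the group optional, `/^([^(:]+\(.*?\))(:(.*))?$/`, is what the following `$action = $2 ? $3 : '';` already assumes (with the group mandatory, `$2` is always set and the ternary is dead). With that change the `$max = 2` adjustment and the `@a > $max` check still work for the `target:level:tag` form.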


@ -1083,14 +1083,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
} elsif ( $actiontype & LOGRULE ) {
fatal_error 'LOG requires a log level' unless defined $loglevel and $loglevel ne '';
} elsif ( $actiontype & SET ) {
my %xlate1 = ( ADD => 'add-set' , DEL => 'del-set' );
my %xlate2 = ( d => 'dst' , s => 'src' );
my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
my ( $setname, $direction, $rest ) = split ',', $param;
my ( $setname, $flags, $rest ) = split ':', $param, 3;
fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/;
fatal_error "Invalid address designator ($direction)" unless defined $direction && $direction =~ /^[ds]$/;
$action = join( ' ', 'SET --' . $xlate1{$basictarget} , $setname , $xlate2{$direction} );
fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
$action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
}
#
# Isolate and validate source and destination zones
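Review bot: `fatal_error "Invalid flags ($flags)"` interpolates `$flags` before the `defined` test has excluded the undefined case, so `ADD(S)` with no flags part reports an "uninitialized value" warning on top of the error; either guard the message (`defined $flags ? $flags : ''`) or give the missing-flags case its own message, e.g. `fatal_error "ADD/DEL requires flags ($param)" unless defined $flags;`. Also worth a comment in the code: the `/^(dst|src)(,(dst|src)){0,5}$/` check only validates the form of the flag list, and a list that does not match the ipset's type is detected only when iptables loads the generated rule.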


@ -403,31 +403,44 @@
<varlistentry>
<term><emphasis
role="bold">ADD(<replaceable>ipset</replaceable>,<replaceable>direction</replaceable>)</emphasis></term>
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.12. Causes either the SOURCE or
DESTINATION address of the connection to be added to the named
<replaceable>ipset</replaceable>. If
<replaceable>direction</replaceable> is <option>d</option>
(e.g., ipset,d) then the DESTINATION address is added; if it
is <emphasis role="bold">s</emphasis>, then the SOURCE address
is added.</para>
<para>Added in Shorewall 4.4.12. Causes addresses and/or port
numbers to be added to the named
<replaceable>ipset</replaceable>. The
<replaceable>flags</replaceable> specify the address or tupple
to be added to the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be added using
<replaceable>flags</replaceable> <emphasis
role="bold">src</emphasis> or <emphasis
role="bold">dst</emphasis> respectively (see the -A command in
ipset (8)).</para>
<para>ADD is non-terminating. Even if a packet matches the
rule, it is passed on to the next rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">DEL(<replaceable>ipset</replaceable>,<replaceable>direction</replaceable>)</emphasis></term>
role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.12. Causes either the SOURCE or
DESTINATION address of the connection to be deleted from the
named <replaceable>ipset</replaceable>. If
<replaceable>direction</replaceable> is <option>d</option>
(e.g., ipset,d) then the DESTINATION address is added; if it
is <emphasis role="bold">s</emphasis>, then the SOURCE address
is deleteded.</para>
<para>Added in Shorewall 4.4.12. Causes an entry to be deleted
from the named <replaceable>ipset</replaceable>. The
<replaceable>flags</replaceable> specify the address or tupple
to be deleted from the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be deletec using
<replaceable>flags</replaceable> <emphasis
role="bold">src</emphasis> or <emphasis
role="bold">dst</emphasis> respectively (see the -D command in
ipset (8)).</para>
<para>DEL is non-terminating. Even if a packet matches the
rule, it is passed on to the next rule.</para>
</listitem>
</varlistentry>
</variablelist>
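Review bot: spelling in the added paragraphs: "tupple" should be "tuple" (both the ADD and DEL entries) and "deletec" should be "deleted" in the DEL entry. Since the text says the flags "must match the type of ipset involved", it would help to state that the flags are listed in the order the set type expects and that a mismatch is reported by iptables when the rule is loaded, not by the Shorewall compiler.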
@ -1296,6 +1309,17 @@
that traffic.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 10:</term>
<listitem>
<para>Add the tupple (source IP, dest port, dest IP) of an incoming
SSH connection to the ipset S:</para>
<programlisting> ADD(S:dst,src,dst) net fw tcp 22</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
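Review bot: the example `ADD(S:dst,src,dst) net fw tcp 22` gives the ipset name without a leading `+`, but the unchanged check in process_rule1 in this same commit, `$setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/`, requires the `+` and would reject this line with "Expected ipset name (S)". Either write the example as `ADD(+S:dst,src,dst)` or relax the check; and "tupple" in the description should read "tuple".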
@ -1308,6 +1332,9 @@
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),