Document parameterized actions

This commit is contained in:
Tom Eastep 2010-12-26 08:59:31 -08:00
parent 4fdec73808
commit 31bd00e42e
3 changed files with 44 additions and 8 deletions

View File

@ -1,3 +1,7 @@
Changes in Shorewall 4.4.16 RC 1
1) Complete parameterized actions.
Changes in Shorewall 4.4.16 Beta 6 Changes in Shorewall 4.4.16 Beta 6
1) Don't let root match wildcard. 1) Don't let root match wildcard.
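Review bot: the new changelog entry "1) Complete parameterized actions." is too terse to tell a user what actually changed; the release notes hunk in this same commit says the parameter values are now available inside the action body as $1, $2, etc., so mirroring that wording here (for example "1) Complete parameterized actions: parameter values are now available within the action body as $1, $2, ...") keeps the two files saying the same thing.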

View File

@ -1,6 +1,6 @@
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 1 6 S H O R E W A L L 4 . 4 . 1 6
R C 1 B E T A 7
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE I. PROBLEMS CORRECTED IN THIS RELEASE
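Review bot: the release banner is changed to "B E T A 7" while the changelog hunk in this same commit introduces "Changes in Shorewall 4.4.16 RC 1"; one of the two labels is wrong, and the release notes and the changelog should name the same release (the "Beta 7 / None." entry added further down follows the Beta 7 naming, so if RC 1 is intended it needs changing as well).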
@ -14,6 +14,10 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
Beta 7
None.
Beta 6 Beta 6
1) Previously, the root of a wildcard name erroneously matched that 1) Previously, the root of a wildcard name erroneously matched that
@ -120,11 +124,14 @@ Beta 1
and in macros invoked from Actions. Additionally, Macros used in and in macros invoked from Actions. Additionally, Macros used in
Actions are now free to invoke other actions. Actions are now free to invoke other actions.
4) There is now limited support for parameterized actions. Currently, 4) There is now support for parameterized actions. The parameters are
the parameters are only available to extensions scripts. See available to extensions scripts. See
http://www.shorewall.net/Actions.html#Extension for more http://www.shorewall.net/Actions.html#Extension for more
information. information.
Within the action body, the parameter values are available in $1,
$2, etc.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
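Review bot: "extensions scripts" in the rewritten item 4 should read "extension scripts"; the typo is carried over from the old text and this hunk is the place to fix it. The new sentence "Within the action body, the parameter values are available in $1, $2, etc." also leaves the reader without the other half of the feature, namely how parameters are supplied; one clause saying that they are appended to the action name as a parenthesized, comma-separated list in the rules file (A(REDIRECT), as in the Actions.xml hunk of this commit) would make the release note self-contained.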

View File

@ -224,6 +224,31 @@ ACCEPT - - tcp 135,139,445
<para>When using Shorewall 4.4.16 or later, there are no restrictions <para>When using Shorewall 4.4.16 or later, there are no restrictions
regarding which targets can be used within your action.</para> regarding which targets can be used within your action.</para>
<para>Additionally, it is possible to pass parameters to an action, when
it is invoked in the rules file or in another action.</para>
<para>Here's a trivial example:</para>
<para>/etc/shorewall/action.A:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
FORMAT 2
$1 - - tcp 80 - 1.2.3.4</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
A(REDIRECT) net fw</programlisting>
<para>The above is equivalent to this rule:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
</section> </section>
<section> <section>
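Review bot: the new section does not document the failure mode that matters most for a parameterized action: what happens when an action whose body references $1 is invoked without a parameter (A instead of A(REDIRECT)), or with more parameters than the body uses. In the example an empty $1 would leave the TARGET column of the action.A rule blank, so a sentence stating whether that is rejected at compile time or the empty string is substituted would save users a surprise. Separately, the example uses 1.2.3.4 as ORIGINAL DEST; a documentation address such as 192.0.2.4 (RFC 5737) avoids pointing readers at a routable host when they copy the example.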
@ -578,7 +603,7 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting> Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
<para>Using Shorewall 4.4.16 or later, you can also invoke the action this <para>Using Shorewall 4.4.16 or later, you can also invoke the action this
way: </para> way:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Limit(SSHA,3,60):none net $FW tcp 22</programlisting> Limit(SSHA,3,60):none net $FW tcp 22</programlisting>
@ -625,13 +650,13 @@ Limit(SSH,3,60):info net $FW tcp 22</programl
<programlisting>use Shorewall::Chains; <programlisting>use Shorewall::Chains;
@params = split /,/, $tag unless @params; @params = split( /,/, $tag ), $tag='' unless @params;
fatal_error 'Limit rules must include &lt;list name&gt;,&lt;max connections&gt;,&lt;interval&gt; as the log tag or params' unless @params == 3; fatal_error 'Limit rules must include &lt;list name&gt;,&lt;max connections&gt;,&lt;interval&gt; as the log tag or params' unless @params == 3;
my $list = $tag[0]; my $list = $params[0];
for ( @tag[1,2] ) { for ( @params[1,2] ) {
fatal_error 'Max connections and interval in Limit rules must be numeric (' . $_ . ')' unless /^\d+$/ fatal_error 'Max connections and interval in Limit rules must be numeric (' . $_ . ')' unless /^\d+$/
} }
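Review bot: `@params = split( /,/, $tag ), $tag='' unless @params;` relies on the comma operator so that the `unless` modifier governs both assignments; that is correct, but it reads as if only the first assignment were conditional. An explicit block says the same thing plainly: `unless ( @params ) { @params = split /,/, $tag; $tag = ''; }`. Note also that the change from `$tag[0]` / `@tag[1,2]` to `$params[0]` / `@params[1,2]` fixes a genuine defect in the old text, which indexed a nonexistent `@tag` array after having just filled `@params`; the commit message "Document parameterized actions" does not mention that a bug in the sample extension script is being corrected, and it should.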
@ -641,7 +666,7 @@ add_rule $chainref, "-m recent --name $list --set";
if ( $level ) { if ( $level ) {
my $xchainref = new_chain 'filter' , "$chainref-&gt;{name}%"; my $xchainref = new_chain 'filter' , "$chainref-&gt;{name}%";
log_rule_limit $level, $xchainref, $params[0], 'DROP', '', '', 'add', ''; log_rule_limit $level, $xchainref, $params[0], 'DROP', $tag, '', 'add', '';
add_rule $xchainref, '-j DROP'; add_rule $xchainref, '-j DROP';
add_rule $chainref, "-m recent --name $list --update --seconds $params[2] --hitcount $count -j $xchainref-&gt;{name}"; add_rule $chainref, "-m recent --name $list --update --seconds $params[2] --hitcount $count -j $xchainref-&gt;{name}";
} else { } else {
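Review bot: passing `$tag` to `log_rule_limit` here is only safe because the earlier hunk clears `$tag` once it has been consumed as the parameter list, so the legacy `Limit:none:SSHA,3,60` form still logs with an empty tag while the new `Limit(SSH,3,60):info` form logs with the tag the user actually supplied. That dependency on an assignment in a different hunk deserves a one-line comment above the call, otherwise a later edit to the `@params` handling can silently start logging the raw parameter list as the tag again.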