From 33343aaf1756b37d84b9708c9355d5997e554bae Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 12 Mar 2016 17:01:52 -0800
Subject: [PATCH] Modify TCP-specific actions to use + in inline_matches

Signed-off-by: Tom Eastep
---
 Shorewall/action.NotSyn | 50 +++++++++------------------------
 Shorewall/action.RST | 27 ++++++++-------------
 Shorewall/action.TCPFlags | 35 +++++++++++----------------
 3 files changed, 35 insertions(+), 77 deletions(-)

diff --git a/Shorewall/action.NotSyn b/Shorewall/action.NotSyn
index 2de26f534..740757455 100644
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -1,27 +1,8 @@
 #
-# Shorewall 4 - NotSyn Action
+# Shorewall - NotSyn Action
 #
 # /usr/share/shorewall/action.NotSyn
 #
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
 # NotSyn[([])]
 #
 # Default action is DROP
@@ -30,23 +11,14 @@ DEFAULTS DROP,-
-?begin perl;
+?if @2 ne '' && @2 ne '-'
+ ?if @2 eq 'audit'
+DEFAULTS A_DROP,-
+ ?else
+ ?error The second parameter to NotSyn must be 'audit' or '-'
+ ?endif
+?else
+DEFAULTS DROP,-
+?endif
-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
- fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
- $action = "A_$action";
-}
-
-perl_action_tcp_helper( $action, '-p 6 ! --syn' );
-
-1;
-
-?end perl;
+@1 - - ;;+ -p 6 ! --syn
diff --git a/Shorewall/action.RST b/Shorewall/action.RST
index 6e50d1f1a..5357f6c67 100644
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -30,21 +30,14 @@ DEFAULTS DROP,-
-?begin perl;
+?if @2 ne '' && @2 ne '-'
+ ?if @2 eq 'audit'
+DEFAULTS A_DROP,-
+ ?else
+ ?error The second parameter to NotSyn must be 'audit' or '-'
+ ?endif
+?else
+DEFAULTS DROP,-
+?endif
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
- fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
- $action = "A_$action";
-}
-
-perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
-
-1;
-
-?end perl;
+@1 - - - ;;+ -p 6 --tcp-flags RST RST
diff --git a/Shorewall/action.TCPFlags b/Shorewall/action.TCPFlags
index 4200882d5..6500ba91d 100644
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
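Review bot: The `audit` parameter is silently ignored whenever the caller also supplies an explicit action, because the new `DEFAULTS A_DROP,-` line only fills in an unsupplied @1 while the rule line emits `@1` as given; the removed Perl prefixed whatever @1 was with `A_`, so `NotSyn(REJECT,audit)` used to produce `A_REJECT` and now produces a plain `REJECT`. If the old contract is still intended, derive the action into a `?set` variable that applies the `A_` prefix to a supplied @1 as well (the way action.TCPFlags in this patch builds `$tcpflags_action`), and use that variable on the rule line instead of `@1`; otherwise the header comment should say so, e.g. `# audit is honoured only when the action parameter is omitted`. Note also that the check for a non-TCP invoking rule that `perl_action_tcp_helper` presumably performed now rests entirely on the `;;+` inline-match semantics, which this hunk does not show — worth confirming that a caller with a non-tcp PROTO column still gets the rule suppressed rather than an iptables error.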
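Review bot: The `?error` message in action.RST names the wrong action — `?error The second parameter to NotSyn must be 'audit' or '-'` was carried over from action.NotSyn and will point a user of `RST(...)` at a file they did not touch; it should read `?error The second parameter to RST must be 'audit' or '-'`, matching the removed Perl's `to action RST`. The same `DEFAULTS A_DROP,-` limitation as in action.NotSyn applies here: an explicit first parameter combined with `audit` is no longer prefixed with `A_`, which the old `$action = "A_$action"` did. The rule line `@1 - - - ;;+ -p 6 --tcp-flags RST RST` also carries one more `-` column than NotSyn's `@1 - - ;;+ ...`; presumably harmless if `;;+` terminates column parsing, but the three converted actions should agree on the column layout.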
@@ -12,28 +12,21 @@ DEFAULTS -
-?begin perl;
-use strict;
-use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
-use Shorewall::Chains;
-use Shorewall::Rules;
+?if @1 ne '' && @1 ne '-'
+ ?if @1 eq 'audit'
+ ?set tcpflags_action A_DROP
+ ?else
+ ?error The parameter to TCPFlags must be 'audit' or '-'
+ ?endif
+?else
+ ?set tcpflags_action DROP
+?endif
-my $action = 'DROP';
-
-my ( $audit ) = get_action_params( 1 );
-
-if ( supplied $audit ) {
- fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
- $action = "A_DROP";
-}
-
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
-perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
-perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
-
-?end perl;
+$tcpflags_action - - ;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
+$tcpflags_action - - ;;+ -p 6 --tcp-flags ALL NONE
+$tcpflags_action - - ;;+ -p 6 --tcp-flags SYN,RST SYN,RST
+$tcpflags_action - - ;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
+$tcpflags_action - - ;;+ -p tcp --syn --sport 0
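Review bot: The last rule still spells the protocol as `-p tcp --syn --sport 0` while the four rules above it were converted to `-p 6`; if the `;;+` handling compares the inline protocol match against the invoking rule's PROTO column textually (which appears to be the point of this patch, though the hunk does not show the compiler side), the odd one out could be treated differently from its siblings. Change it to `$tcpflags_action - - ;;+ -p 6 --syn --sport 0` so all five rules are uniform. Since `?set tcpflags_action` introduces a compiler variable that outlives this action body as far as the hunk shows, a one-line comment above the `?if` such as `# tcpflags_action: DROP, or A_DROP when the 'audit' parameter is given` would help the next reader, and it is worth confirming the name cannot collide with a user-defined variable of the same name.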