Add A_REJECT action

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-01-10 23:58:14 +01:00 · 2016-04-05 16:38:39 -07:00 · 2016-04-05 16:38:39 -07:00 · 3ac3ae279f
commit 3ac3ae279f
parent 54843c617d
5 changed files with 96 additions and 10 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -2915,8 +2915,6 @@ sub initialize_chain_table($) {
 		    'A_ACCEPT!'       => STANDARD  + AUDIT,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
-		    'A_REJECT'        => STANDARD + AUDIT,
-		    'A_REJECT!'       => STANDARD + AUDIT,
 		    'NONAT'           => STANDARD + NONAT  + NATONLY,
 		    'CONNMARK'        => STANDARD + OPTIONS,
 		    'CONTINUE'        => STANDARD,
@ -2987,8 +2985,6 @@ sub initialize_chain_table($) {
 		    'A_DROP!'         => STANDARD + AUDIT,
 		    'REJECT'          => STANDARD + OPTIONS,
 		    'REJECT!'         => STANDARD + OPTIONS,
-		    'A_REJECT'        => STANDARD + AUDIT,
-		    'A_REJECT!'       => STANDARD + AUDIT,
 		    'DNAT'            => NATRULE  + OPTIONS,
 		    'DNAT-'           => NATRULE  + NATONLY,
 		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -230,6 +230,7 @@ use constant { INLINE_OPT           => 1 ,
 	       NAT_OPT              => 128 ,
 	       TERMINATING_OPT      => 256 ,
 	       AUDIT_OPT            => 512 ,
+	       LOGJUMP_OPT          => 1024 ,
 };

 our %options = ( inline      => INLINE_OPT ,
@ -242,6 +243,7 @@ our %options = ( inline      => INLINE_OPT ,
 		 nat         => NAT_OPT ,
 		 terminating => TERMINATING_OPT ,
 		 audit       => AUDIT_OPT ,
+		 logjump     => LOGJUMP_OPT ,
    );

 our %reject_options;
@ -1278,8 +1280,14 @@ sub normalize_action( $$$ ) {

    ( $level, my $tag ) = split ':', $level;

-    $level = 'none' unless supplied $level;
-    $tag   = ''     unless defined $tag;
+    if ( $actions{$action}{options} & LOGJUMP_OPT ) {
+	$level = 'none';
+	$tag   = '';
+    } else {
+	$level = 'none' unless supplied $level;
+	$tag   = ''     unless defined $tag;
+    }
+
    $param = ''     unless defined $param;
    $param = ''     if $param eq '-';

@ -1841,7 +1849,7 @@ sub process_action(\$\$$) {

    my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
    my $options = $actionref->{options};
-    my $nolog = $options & NOLOG_OPT;
+    my $nolog = $options & ( NOLOG_OPT | LOGJUMP_OPT );

    setup_audit_action( $action ) if $options & AUDIT_OPT;

@ -2084,7 +2092,7 @@ sub process_actions() {
 		$action =~ s/:.*$//;
 	    }

-	    fatal_error "Invalid Action Name ($action)" unless $action =~ /^[a-zA-Z][\w-]*$/;
+	    fatal_error "Invalid Action Name ($action)" unless $action =~ /^[a-zA-Z][\w-]*!?$/;

 	    if ( $options ne '-' ) {
 		for ( split_list( $options, 'option' ) ) {
@ -3253,7 +3261,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {

 	if ( $actiontype & ACTION ) {
 	    $action = $actionchain;
-	    $loglevel = '';
+
+	    if ( $actions{$basictarget}{options} & LOGJUMP_OPT ) {
+		$log_action = $basictarget;
+	    } else {
+		$loglevel = '';
+	    }
 	}

 	if ( $origdest ) {
@ -3754,6 +3767,11 @@ sub process_rules() {
 			RELATED_SECTION,     'RELATED',
 			INVALID_SECTION,     'INVALID',
 			UNTRACKED_SECTION,   'UNTRACKED' );
+
+    #
+    # If A_REJECT was specified in shorewall[6].conf, the A_REJECT chain will already exist.
+    #
+    $actions{normalize_action_name( 'A_REJECT' )} = 'A_REJECT' if $filter_table->{A_REJECT};
    #
    # Create zone-forwarding chains if required
    #
--- a/Shorewall/action.A_REJECT
+++ b/Shorewall/action.A_REJECT
@ -0,0 +1,41 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
+#
+# A_REJECT Action.
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+###############################################################################
+
+DEFAULTS -
+
+AUDIT(reject)
+
+?if passed @1
+    ?if @1 =~ /tcp-reset$/
+        ?set reject_proto 6
+    ?else
+        ?set reject_proto ''
+    ?endif
+REJECT(@1)	-	-	$reject_proto
+?else
+REJECT
+?endif
--- a/Shorewall/action.A_REJECT!
+++ b/Shorewall/action.A_REJECT!
@ -0,0 +1,30 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_REJECT!
+#
+# A_REJECT! Action.
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+###############################################################################
+
+DEFAULTS -
+
+A_REJECT(@1)
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@ -11,7 +11,6 @@
 ?if 0
 A_ACCEPT                        # Audits then accepts a connection request
 A_DROP                          # Audits then drops a connection request
-A_REJECT		        # Audits then drops a connection request
 allowBcast		        # Silently Allow Broadcast/multicast
 dropBcast		        # Silently Drop Broadcast/multicast
 dropNotSyn		        # Silently Drop Non-syn TCP packets
@ -23,6 +22,8 @@ Limit                           # Limit the rate of connections from each indivi
 ###############################################################################
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
+A_REJECT     noinline,logjump   # Audits then rejects a connection request
+A_REJECT!    inline             # Audits then rejects a connection request
 A_Reject	                # Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds