From 49166efdca2bc6d6afbbcd05ff1e47494e2f130a Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 28 Jan 2013 18:01:08 -0800
Subject: [PATCH] Make the TCP standard actions inline
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Rules.pm | 43 +++++++++++++++++++++++++++++++
 Shorewall/action.NotSyn | 22 +++++++++-------
 Shorewall/action.RST | 22 +++++++++-------
 Shorewall/actions.std | 4 +--
 4 files changed, 71 insertions(+), 20 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 233e6345b..5af157893 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -52,6 +52,7 @@ our @EXPORT = qw(
 process_rules
 verify_audit
 perl_action_helper
+ perl_action_tcp_helper
 );
 our @EXPORT_OK = qw( initialize );
@@ -2683,6 +2684,48 @@ sub perl_action_helper($$) {
 }
 }
+#
+# May be called by Perl code in action bodies (regular and inline) to generate a rule.
+#
+sub perl_action_tcp_helper($$) {
+ my ( $target, $proto ) = @_;
+ my $action = $actparms{action};
+ my $chainref = $actparms{0};
+
+ assert( $chainref );
+
+ if ( $inlines{$action} ) {
+ &process_rule1( $chainref,
+ $proto,
+ $target,
+ '',
+ @columns[0,1],
+ '-',
+ @columns[3..14]
+ );
+ } else {
+ process_rule1( $chainref,
+ $proto,
+ $target,
+ '', # Current Param
+ '-', # Source
+ '-', # Dest
+ "-", # Proto
+ '-', # Port(s)
+ '-', # Source Port(s)
+ '-', # Original Dest
+ '-', # Rate Limit
+ '-', # User
+ '-', # Mark
+ '-', # Connlimit
+ '-', # Time
+ '-', # Headers,
+ '-', # condition,
+ '-', # helper,
+ 0, # Wildcard
+ );
+ }
+}
 #
 # Helper functions for process_rule(). That function deals with the ugliness of wildcard zones ('all' and 'any') and zone lists.
diff --git a/Shorewall/action.NotSyn b/Shorewall/action.NotSyn
index 448f6bbd0..fbb67104e 100644
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
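Review bot: The second parameter of `perl_action_tcp_helper` is named `$proto`, yet it is handed to `process_rule1` in the position before `$target` while the Proto column is separately hard-coded to `"-"` (else branch) and `'-'` (inline branch), and both callers in this commit pass a ready-made match string such as `'-p 6 ! --syn '`; the name is misleading and the header comment, copied from `perl_action_helper`, does not say what the argument is. Suggest renaming it `$rule` and documenting the contract above the sub: `# $target: rule target, optionally TARGET:level:tag. $rule: a literal iptables match fragment emitted as-is; the invoking rule's PROTO column is replaced by '-' so it cannot conflict with the fragment.` — the emitted-as-is part is inferred from the argument positions and should be confirmed against process_rule1. That replacement also means a protocol written on the invoking rule is silently discarded in the inline branch rather than rejected; if that is intended it deserves a comment on the `'-',` line between the two `@columns` slices. Finally, the inline branch calls `&process_rule1(` while the else branch calls `process_rule1(`; the `&` form only bypasses the prototype and should be dropped for consistency.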
@@ -22,7 +22,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# NotSyn[([|-[,{audit|-}])]
+# NotSyn[([])]
 #
 # Default action is DROP
 #
@@ -36,21 +36,25 @@ DEFAULTS DROP,-
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;
 my ( $action, $audit ) = get_action_params( 2 );
-fatal_error "Invalid parameter ($audit) to action NotSyn" if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action NotSyn" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
-
-my $chainref = get_action_chain;
+if ( supplied $audit ) {
+ fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
+ $action = "A_$action";
+}
 my ( $level, $tag ) = get_action_logging;
-my $target = require_audit ( $action , $audit );
-log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 ! --syn ';
+$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
-allow_optimize( $chainref );
+perl_action_tcp_helper(
+ $action,
+ '-p 6 ! --syn '
+ );
+
+allow_optimize( get_action_chain );
 1;
diff --git a/Shorewall/action.RST b/Shorewall/action.RST
index aab2535ff..eb26c8ef7 100644
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -22,7 +22,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# RST[([|-[,{audit|-}])]
+# RST[([])]
 #
 # Default action is DROP
 #
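Review bot: The rewritten usage line `# NotSyn[([])]` no longer mentions the audit parameter, yet the action body below still calls `get_action_params( 2 )` and applies the `A_` prefix when `$audit` is supplied; the `# RST[([])]` line in the `@@ -22,7 +22,7 @@` hunk of action.RST has the same gap. Angle-bracketed placeholders may have been stripped when this page was extracted, but even so the old form listed both parameters and the new one lists at most one. Suggest `# NotSyn[([<target>|-[,{audit|-}]])]` (and the matching form for RST) so the comment reflects what the action accepts.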
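Review bot: The message in the new guard, `fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';`, names the wrong action — this file is NotSyn, and the same copy-paste appears in the `@@ -35,21 +35,25 @@` hunk of action.RST; change it to `... to action NotSyn"` (and `... to action RST"`). The removed line `fatal_error "Invalid parameter ($action) to action NotSyn" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;` was the only visible check on the target, and `require_audit` is gone as well, so `$action` (optionally prefixed with `A_` and suffixed with `:level:tag`) now reaches `perl_action_tcp_helper` unvalidated at this level; RST likewise lost its tighter `ACCEPT|DROP` restriction. Whether `process_rule1` rejects unexpected targets is not visible here; unless it does, the parameter now accepts any target name, which widens what a rules-file author can make these standard actions do. Keeping the original check immediately after `get_action_params( 2 )`, before the `A_` prefix is applied, preserves the previous contract.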
@@ -35,21 +35,25 @@ DEFAULTS DROP,-
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;
 my ( $action, $audit ) = get_action_params( 2 );
-fatal_error "Invalid parameter ($audit) to action RST" if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action RST" unless $action =~ /^(?:ACCEPT|DROP)$/;
-
-my $chainref = get_action_chain;
+if ( supplied $audit ) {
+ fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
+ $action = "A_$action";
+}
 my ( $level, $tag ) = get_action_logging;
-my $target = require_audit ( $action , $audit );
-log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';
+$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
-allow_optimize( $chainref );
+perl_action_tcp_helper(
+ $action,
+ '-p 6 --tcp-flags RST RST '
+ );
+
+allow_optimize( get_action_chain );
 1;
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index 5cde40398..4d1842a0e 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -40,9 +40,9 @@ Drop # Default Action for DROP policy
 DropSmurfs noinline # Drop smurf packets
 Established inline # Handles packets in the ESTABLISHED state
 Invalid inline # Handles packets in the INVALID conntrack state
-NotSyn noinline # Handles TCP packets which do not have SYN=1 and ACK=0
+NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject # Default Action for REJECT policy
 Related inline # Handles packets in the RELATED conntrack state
-RST noinline # Handle packets with RST set
+RST inline # Handle packets with RST set
 TCPFlags noinline # Handle bad flag combinations.
 Untracked inline # Handles packets in the UNTRACKED conntrack state