extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-03 03:59:16 +01:00
Code Issues Packages Projects Releases Wiki Activity

Make the TCP standard actions inline

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-01-28 18:01:08 -08:00
parent 5a2c1792cb
commit 49166efdca
4 changed files with 71 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -52,6 +52,7 @@ our @EXPORT = qw(
process_rules process_rules
verify_audit verify_audit
perl_action_helper perl_action_helper
perl_action_tcp_helper
); );
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( initialize );
@ -2683,6 +2684,48 @@ sub perl_action_helper($$) {
} }
} }
#
# May be called by Perl code in action bodies (regular and inline) to generate a rule.
#
sub perl_action_tcp_helper($$) {
my ( $target, $proto ) = @_;
my $action = $actparms{action};
my $chainref = $actparms{0};
assert( $chainref );
if ( $inlines{$action} ) {
&process_rule1( $chainref,
$proto,
$target,
'',
@columns[0,1],
'-',
@columns[3..14]
);
} else {
process_rule1( $chainref,
$proto,
$target,
'', # Current Param
'-', # Source
'-', # Dest
"-", # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
}
}
# #
# Helper functions for process_rule(). That function deals with the ugliness of wildcard zones ('all' and 'any') and zone lists. # Helper functions for process_rule(). That function deals with the ugliness of wildcard zones ('all' and 'any') and zone lists.

22
Shorewall/action.NotSyn
View File

@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# NotSyn[([<action>|-[,{audit|-}])] # NotSyn[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
@ -36,21 +36,25 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action NotSyn" if supplied $audit && $audit ne 'audit'; if ( supplied $audit ) {
fatal_error "Invalid parameter ($action) to action NotSyn" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/; fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
$action = "A_$action";
my $chainref = get_action_chain; }
my ( $level, $tag ) = get_action_logging; my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne ''; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
add_jump $chainref , $target, 0, '-p 6 ! --syn ';
allow_optimize( $chainref ); perl_action_tcp_helper(
$action,
'-p 6 ! --syn '
);
allow_optimize( get_action_chain );
1; 1;

22
Shorewall/action.RST
View File

@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# RST[([<action>|-[,{audit|-}])] # RST[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
@ -35,21 +35,25 @@ DEFAULTS DROP,-
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action RST" if supplied $audit && $audit ne 'audit'; if ( supplied $audit ) {
fatal_error "Invalid parameter ($action) to action RST" unless $action =~ /^(?:ACCEPT|DROP)$/; fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
$action = "A_$action";
my $chainref = get_action_chain; }
my ( $level, $tag ) = get_action_logging; my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne ''; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';
allow_optimize( $chainref ); perl_action_tcp_helper(
$action,
'-p 6 --tcp-flags RST RST '
);
allow_optimize( get_action_chain );
1; 1;

4
Shorewall/actions.std
View File

@ -40,9 +40,9 @@ Drop # Default Action for DROP policy
DropSmurfs noinline # Drop smurf packets DropSmurfs noinline # Drop smurf packets
Established inline # Handles packets in the ESTABLISHED state Established inline # Handles packets in the ESTABLISHED state
Invalid inline # Handles packets in the INVALID conntrack state Invalid inline # Handles packets in the INVALID conntrack state
NotSyn noinline # Handles TCP packets which do not have SYN=1 and ACK=0 NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy Reject # Default Action for REJECT policy
Related inline # Handles packets in the RELATED conntrack state Related inline # Handles packets in the RELATED conntrack state
RST noinline # Handle packets with RST set RST inline # Handle packets with RST set
TCPFlags noinline # Handle bad flag combinations. TCPFlags noinline # Handle bad flag combinations.
Untracked inline # Handles packets in the UNTRACKED conntrack state Untracked inline # Handles packets in the UNTRACKED conntrack state