extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-28 02:23:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add logic for parameterized actions

Browse Source
This commit is contained in:
Tom Eastep 2010-12-18 16:16:29 -08:00
parent 4573b5ba8e
commit 4b22bbd90d
3 changed files with 59 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
Shorewall/Perl/Shorewall/Actions.pm
View File

@ -170,15 +170,13 @@ sub normalize_action_name( $$$ ) {
# this function truncates the original chain name where necessary before # this function truncates the original chain name where necessary before
# it adds the leading "%" and trailing sequence number. # it adds the leading "%" and trailing sequence number.
# #
sub createlogactionchain( $$ ) { sub createlogactionchain( $$$$$ ) {
my ( $action, $level ) = @_; my ( $normalized, $action, $level, $tag, $param ) = @_;
my $chain = $action; my $chain = $action;
my $actionref = $actions{$action}; my $actionref = $actions{$action};
my $chainref; my $chainref;
my ($lev, $tag) = split ':', $level; validate_level $level;
validate_level $lev;
$actionref = new_action $action unless $actionref; $actionref = new_action $action unless $actionref;
@ -190,7 +188,7 @@ sub createlogactionchain( $$ ) {
$chain = substr( $chain, 0, 27 ), redo CHECKDUP if ( $actionref->{actchain} || 0 ) >= 10 and length $chain == 28; $chain = substr( $chain, 0, 27 ), redo CHECKDUP if ( $actionref->{actchain} || 0 ) >= 10 and length $chain == 28;
} }
$logactionchains{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++; $logactionchains{$normalized} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99; fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
@ -203,9 +201,7 @@ sub createlogactionchain( $$ ) {
if ( -f $file ) { if ( -f $file ) {
progress_message "Processing $file..."; progress_message "Processing $file...";
( $level, my $tag ) = split /:/, $level; my @params = split /,/, $param;
$tag = $tag || '';
unless ( my $return = eval `cat $file` ) { unless ( my $return = eval `cat $file` ) {
fatal_error "Couldn't parse $file: $@" if $@; fatal_error "Couldn't parse $file: $@" if $@;
@ -222,7 +218,7 @@ sub createsimpleactionchain( $ ) {
my $action = shift; my $action = shift;
my $chainref = new_standard_chain $action; my $chainref = new_standard_chain $action;
$logactionchains{"$action:none"} = $chainref; $logactionchains{"$action:none::"} = $chainref;
unless ( $targets{$action} & BUILTIN ) { unless ( $targets{$action} & BUILTIN ) {
@ -250,18 +246,18 @@ sub createsimpleactionchain( $ ) {
# Create an action chain and run its associated user exit # Create an action chain and run its associated user exit
# #
sub createactionchain( $ ) { sub createactionchain( $ ) {
my ( $action , $level ) = split_action $_[0]; my $normalized = shift;
my ( $target, $level, $tag, $param ) = split /:/, $normalized;
assert( defined $param );
my $chainref; my $chainref;
if ( defined $level && $level ne '' ) { if ( $level eq 'none' && $tag eq '' && $param eq '' ) {
if ( $level eq 'none' ) { createsimpleactionchain $target;
createsimpleactionchain $action;
} else { } else {
createlogactionchain $action , $level; createlogactionchain $normalized, $target , $level , $tag, $param;
}
} else {
createsimpleactionchain $action;
} }
} }

17
Shorewall/Perl/Shorewall/Policy.pm
View File

@ -177,9 +177,10 @@ sub process_a_policy() {
my $defaulttype = $targets{$default} || 0; my $defaulttype = $targets{$default} || 0;
if ( $defaulttype & ACTION ) { if ( $defaulttype & ACTION ) {
unless ( $usedactions{$default} ) { my $normalized = "$default:none::";
$usedactions{$default} = 1; unless ( $usedactions{$normalized} ) {
createactionchain $default; $usedactions{$normalized} = 1;
createactionchain $normalized;
} }
} else { } else {
fatal_error "Unknown Default Action ($default)"; fatal_error "Unknown Default Action ($default)";
@ -310,7 +311,7 @@ sub validate_policy()
my $firewall = firewall_zone; my $firewall = firewall_zone;
our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' ); our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ { for my $option qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) {
my $action = $config{$option}; my $action = $config{$option};
next if $action eq 'none'; next if $action eq 'none';
my $actiontype = $targets{$action}; my $actiontype = $targets{$action};
@ -321,9 +322,11 @@ sub validate_policy()
fatal_error "Default Action $option=$action not found"; fatal_error "Default Action $option=$action not found";
} }
unless ( $usedactions{$action} ) { my $normalized = "$action:none::";
$usedactions{$action} = 1;
createactionchain $action; unless ( $usedactions{$normalized} ) {
$usedactions{$normalized} = 1;
createactionchain $normalized;
} }
$default_actions{$map{$option}} = $action; $default_actions{$map{$option}} = $action;

42
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -247,11 +247,8 @@ sub map_old_actions( $ ) {
# #
sub find_logactionchain( $ ) { sub find_logactionchain( $ ) {
my $fullaction = $_[0]; my $fullaction = $_[0];
my ( $action, $level ) = split_action $fullaction;
$level = 'none' unless $level; fatal_error "Fatal error in find_logactionchain" unless $logactionchains{$fullaction};
fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"};
} }
# #
@ -352,6 +349,31 @@ sub process_actions1() {
} }
} }
sub merge_action_levels( $$ ) {
my $superior = shift;
my $subordinate = shift;
my ( $unused, $suplevel, $suptag, $supparam ) = split /:/, $superior;
my ( $action, $sublevel, $subtag, $subparam ) = split /:/, $subordinate;
assert defined $supparam;
if ( $suplevel =~ /!$/ ) {
( $sublevel, $subtag ) = ( $suplevel, $subtag );
} else {
$sublevel = 'none' unless defined $sublevel && $sublevel ne '';
if ( $sublevel =~ /^none~/ ) {
$subtag = '';
} else {
$subtag = '' unless defined $subtag;
}
}
$subparam = $supparam unless defined $subparam && $subparam ne '';
join ':', $action, $sublevel, $subtag, $subparam;
}
sub process_actions2 () { sub process_actions2 () {
progress_message2 'Generating Transitive Closure of Used-action List...'; progress_message2 'Generating Transitive Closure of Used-action List...';
@ -360,11 +382,11 @@ sub process_actions2 () {
while ( $changed ) { while ( $changed ) {
$changed = 0; $changed = 0;
for my $target (keys %usedactions) { for my $target (keys %usedactions) {
my ( $action, $level, $tag, $param ) = split_action $target; my ( $action, $level, $tag, $param ) = split ':', $target;
my $actionref = $actions{$action}; my $actionref = $actions{$action};
assert( $actionref ); assert( $actionref );
for my $action1 ( keys %{$actionref->{requires}} ) { for my $action1 ( keys %{$actionref->{requires}} ) {
my $action2 = merge_levels $target, $action1; my $action2 = merge_action_levels $target, $action1;
unless ( $usedactions{ $action2 } ) { unless ( $usedactions{ $action2 } ) {
$usedactions{ $action2 } = 1; $usedactions{ $action2 } = 1;
createactionchain $action2; createactionchain $action2;
@ -813,9 +835,9 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ) {
if ( $inaction1 ) { if ( $inaction1 ) {
add_requiredby( $target , $inaction1 ); add_requiredby( $target , $inaction1 );
} else { } else {
unless ( $usedactions{$target} ) { unless ( $usedactions{$normalized_target} ) {
$usedactions{$target} = 1; $usedactions{$normalized_target} = 1;
my $ref = createactionchain $target; my $ref = createactionchain $normalized_target;
new_nat_chain $ref->{name} if $actiontype & ( NATRULE | NONAT ); new_nat_chain $ref->{name} if $actiontype & ( NATRULE | NONAT );
} }
} }
@ -1253,7 +1275,7 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ) {
unless ( $actiontype & NATONLY ) { unless ( $actiontype & NATONLY ) {
if ( $actiontype & ACTION ) { if ( $actiontype & ACTION ) {
$action = (find_logactionchain $target)->{name}; $action = (find_logactionchain $normalized_target)->{name};
$loglevel = ''; $loglevel = '';
} }