diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index c7295e437..9b8ddd398 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -63,6 +63,7 @@ our @EXPORT = qw( get_action_logging get_action_disposition set_action_param + get_inline_matches have_capability require_capability @@ -154,6 +155,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script $debug $file_format $comment + %config %globals %config_files @@ -495,6 +497,7 @@ our %compiler_params; # our %actparms; our $parmsmodified; +our $inline_matches; our $currentline; # Current config file line image our $currentfile; # File handle reference @@ -1948,18 +1951,22 @@ sub split_line1( $$;$$ ) { $pairs =~ s/^\s*//; $pairs =~ s/\s*$//; - my @pairs = split( /,?\s+/, $pairs ); + if ( $first eq 'INLINE') { + $inline_matches = $pairs; + } else { + my @pairs = split( /,?\s+/, $pairs ); - for ( @pairs ) { - fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/; - my ( $column, $value ) = ( lc $1, $2 ); - fatal_error "Unknown column ($1)" unless exists $columnsref->{$column}; - $column = $columnsref->{$column}; - fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/; - $value = $1 if $value =~ /^"([^"]+)"$/; - fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/; - fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/; - $line[$column] = $value; + for ( @pairs ) { + fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/; + my ( $column, $value ) = ( lc $1, $2 ); + fatal_error "Unknown column ($1)" unless exists $columnsref->{$column}; + $column = $columnsref->{$column}; + fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/; + $value = $1 if $value =~ /^"([^"]+)"$/; + fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/; + fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/; + $line[$column] = $value; + } } } @@ -2827,6 +2834,13 @@ sub embedded_perl( $ ) { } } +# +# Return inline matches +# +sub get_inline_matches() { + $inline_matches; +} + # # Push/pop acton params # diff --git a/Shorewall/action.INLINE b/Shorewall/action.INLINE new file mode 100644 index 000000000..943f2330f --- /dev/null +++ b/Shorewall/action.INLINE @@ -0,0 +1,28 @@ +# +# Shorewall version 4 - INLINE Action +# +# /usr/share/shorewall/action.INLINE +# +################################################################################# +?FORMAT 2 + +DEFAULTS - + +?BEGIN PERL; +use strict; +use Shorewall::Chains; +use Shorewall::Rules; + +my $chainref = get_action_chain; +my $rule = get_inline_matches; + +add_rule( $chainref, $rule, '' ); + +allow_optimize( $chainref ); + +?END PERL; + + + + + diff --git a/Shorewall/actions.std b/Shorewall/actions.std index c72eac69f..2b417c110 100644 --- a/Shorewall/actions.std +++ b/Shorewall/actions.std @@ -33,6 +33,7 @@ Drop # Default Action for DROP policy dropInvalid inline # Drops packets in the INVALID conntrack state DropSmurfs noinline # Drop smurf packets Established inline # Handles packets in the ESTABLISHED state +INLINE nolog # Handles in-line rules Invalid inline # Handles packets in the INVALID conntrack state New inline # Handles packets in the NEW conntrack state NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0 diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std index 6ac30fa2e..b27a726f1 100644 --- a/Shorewall6/actions.std +++ b/Shorewall6/actions.std @@ -25,6 +25,7 @@ Drop # Default Action for DROP policy dropInvalid inline # Drops packets in the INVALID conntrack state DropSmurfs noinline # Handles packets with a broadcast source address Established inline # Handles packets in the ESTABLISHED state +INLINE nolog # Handles in-line rules Invalid inline # Handles packets in the INVALID conntrack state New inline # Handles packets in the NEW conntrack state NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0