Implement INLINE action

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-04-08 17:30:00 -07:00
parent 183a0a75a1
commit 50494f667c
4 changed files with 55 additions and 11 deletions


@ -63,6 +63,7 @@ our @EXPORT = qw(
get_action_logging get_action_logging
get_action_disposition get_action_disposition
set_action_param set_action_param
get_inline_matches
have_capability have_capability
require_capability require_capability
@ -154,6 +155,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
$debug $debug
$file_format $file_format
$comment $comment
%config %config
%globals %globals
%config_files %config_files
@ -495,6 +497,7 @@ our %compiler_params;
# #
our %actparms; our %actparms;
our $parmsmodified; our $parmsmodified;
our $inline_matches;
our $currentline; # Current config file line image our $currentline; # Current config file line image
our $currentfile; # File handle reference our $currentfile; # File handle reference
@ -1948,18 +1951,22 @@ sub split_line1( $$;$$ ) {
$pairs =~ s/^\s*//; $pairs =~ s/^\s*//;
$pairs =~ s/\s*$//; $pairs =~ s/\s*$//;
my @pairs = split( /,?\s+/, $pairs ); if ( $first eq 'INLINE') {
$inline_matches = $pairs;
} else {
my @pairs = split( /,?\s+/, $pairs );
for ( @pairs ) { for ( @pairs ) {
fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/; fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
my ( $column, $value ) = ( lc $1, $2 ); my ( $column, $value ) = ( lc $1, $2 );
fatal_error "Unknown column ($1)" unless exists $columnsref->{$column}; fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
$column = $columnsref->{$column}; $column = $columnsref->{$column};
fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/; fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
$value = $1 if $value =~ /^"([^"]+)"$/; $value = $1 if $value =~ /^"([^"]+)"$/;
fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/; fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/; fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
$line[$column] = $value; $line[$column] = $value;
}
} }
} }
@ -2827,6 +2834,13 @@ sub embedded_perl( $ ) {
} }
} }
#
# Return inline matches
#
sub get_inline_matches() {
$inline_matches;
}
# #
# Push/pop acton params # Push/pop acton params
# #
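Review bot: The new `INLINE` branch in split_line1 (`if ( $first eq 'INLINE') { $inline_matches = $pairs; }`) stores the raw remainder of the line and skips every check the `else` branch applies to column values — the non-ASCII test and the rejection of embedded double quotes, back quotes and backslashes — and action.INLINE later hands that string straight to add_rule, so it reaches the generated firewall script unvetted. I would apply the same guards to `$pairs` before the assignment, e.g. `fatal_error "Non-ASCII gunk in INLINE matches" if $pairs =~ /[^\s[:print:]]/;` together with the corresponding test using the existing quote/back-quote/backslash character class. `$inline_matches` is also only ever assigned, never cleared, so get_inline_matches appears to return whatever the most recent INLINE line set; if it can be reached after a non-INLINE line, reset it near the top of split_line1 (the function's start, and where `$first` and `$pairs` come from, lie outside the hunk). A comment on the declaration, `# Raw match text of the most recent INLINE rule; consumed by action.INLINE via get_inline_matches`, would make the coupling visible.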

28
Shorewall/action.INLINE Normal file

@ -0,0 +1,28 @@
#
# Shorewall version 4 - INLINE Action
#
# /usr/share/shorewall/action.INLINE
#
#################################################################################
?FORMAT 2
DEFAULTS -
?BEGIN PERL;
use strict;
use Shorewall::Chains;
use Shorewall::Rules;
my $chainref = get_action_chain;
my $rule = get_inline_matches;
add_rule( $chainref, $rule, '' );
allow_optimize( $chainref );
?END PERL;
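Review bot: `my $rule = get_inline_matches;` is passed to add_rule without checking that it holds anything; if the INLINE rule carried no match text, or `$inline_matches` still holds the value from an earlier line (the other hunk shows it is a package global that is assigned but never cleared), an empty or stale match string is emitted. I would guard it with `fatal_error "The INLINE action requires at least one match" unless defined $rule && $rule ne '';` — assuming fatal_error is in scope here through Shorewall::Chains/Shorewall::Rules, which should be confirmed. The embedded block enables `use strict;` but not `use warnings;`. The header comment should also state the contract, e.g. `# Emits the text following INLINE on the rule line verbatim as iptables matches in this action's chain; the parser stores that text without the column-value checks applied to normal rules.`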


@ -33,6 +33,7 @@ Drop # Default Action for DROP policy
dropInvalid inline # Drops packets in the INVALID conntrack state dropInvalid inline # Drops packets in the INVALID conntrack state
DropSmurfs noinline # Drop smurf packets DropSmurfs noinline # Drop smurf packets
Established inline # Handles packets in the ESTABLISHED state Established inline # Handles packets in the ESTABLISHED state
INLINE nolog # Handles in-line rules
Invalid inline # Handles packets in the INVALID conntrack state Invalid inline # Handles packets in the INVALID conntrack state
New inline # Handles packets in the NEW conntrack state New inline # Handles packets in the NEW conntrack state
NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0 NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0


@ -25,6 +25,7 @@ Drop # Default Action for DROP policy
dropInvalid inline # Drops packets in the INVALID conntrack state dropInvalid inline # Drops packets in the INVALID conntrack state
DropSmurfs noinline # Handles packets with a broadcast source address DropSmurfs noinline # Handles packets with a broadcast source address
Established inline # Handles packets in the ESTABLISHED state Established inline # Handles packets in the ESTABLISHED state
INLINE nolog # Handles in-line rules
Invalid inline # Handles packets in the INVALID conntrack state Invalid inline # Handles packets in the INVALID conntrack state
New inline # Handles packets in the NEW conntrack state New inline # Handles packets in the NEW conntrack state
NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0 NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0