extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-25 20:22:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add two new actions

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-10-02 18:41:58 -07:00
parent 0a5d5821ec
commit 57650e8dd9
4 changed files with 151 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -52,9 +52,11 @@ our @EXPORT = qw(
decr_cmd_level decr_cmd_level
new_chain new_chain
new_manual_chain new_manual_chain
ensure_filter_chain
ensure_manual_chain ensure_manual_chain
ensure_audit_chain ensure_audit_chain
require_audit require_audit
newlogchain
log_rule_limit log_rule_limit
dont_optimize dont_optimize
dont_delete dont_delete
@ -139,7 +141,6 @@ our %EXPORT_TAGS = (
new_standard_chain new_standard_chain
new_builtin_chain new_builtin_chain
new_nat_chain new_nat_chain
ensure_filter_chain
optimize_chain optimize_chain
check_optimization check_optimization
optimize_ruleset optimize_ruleset

82
Shorewall/action.DropSmurfs Normal file
View File

@ -0,0 +1,82 @@
#
# Shorewall version 4 - Drop Smurfs Action
#
# /usr/share/shorewall/action.DropSmurfs
#
# Accepts a single optional parameter:
#
# - = Do not Audit
# audit = Audit dropped packets.
#
#################################################################################
FORMAT 2
DEFAULTS -
BEGIN PERL;
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
use Shorewall::Chains;
use Shorewall::Rules;
my ( $audit ) = get_action_params( 1 );
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;
if ( $level ne '-' || $audit ne '-' ) {
my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
log_rule_limit( $level,
$logchainref,
$chainref->{name},
$disposition,
'',
$tag,
'add',
'' );
if ( supplied $audit ) {
fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
}
add_ijump( $logchainref, j => 'DROP' );
$smurfdest = $logchainref;
}
if ( have_capability( 'ADDRTYPE' ) ) {
if ( $family == F_IPV4 ) {
add_ijump $chainref , j => 'RETURN', s => '0.0.0.0'; ;
} else {
add_ijump $chainref , j => 'RETURN', s => '::';
}
add_ijump( $chainref, g => $smurfdest, addrtype => '--src-type BROADCAST' ) ;
} else {
if ( $family == F_IPV4 ) {
add_commands $chainref, 'for address in $ALL_BCASTS; do';
} else {
add_commands $chainref, 'for address in $ALL_ACASTS; do';
}
incr_cmd_level $chainref;
add_ijump( $chainref, g => $smurfdest, s => '$address' );
decr_cmd_level $chainref;
add_commands $chainref, 'done';
}
if ( $family == F_IPV4 ) {
add_ijump( $chainref, g => $smurfdest, s => '224.0.0.0/4' );
} else {
add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
}
END PERL;

65
Shorewall/action.TCPFlags Normal file
View File

@ -0,0 +1,65 @@
#
# Shorewall version 4 - Drop Smurfs Action
#
# /usr/share/shorewall/action.TCPFlags
#
# Accepts two optional parameters:
#
# Parameter 1: Disposition (default DROP).
# Must be ACCEPT, REJECT or DROP
# Parameter 2: Auditing
# - = Do not Audit
# audit = Audit ACCEPT, REJECT or DROP.
#
#################################################################################
FORMAT 2
DEFAULTS DROP,-
BEGIN PERL;
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
use Shorewall::Chains;
my ( $disposition, $audit ) = get_action_params( 2 );
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;
fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
if ( $level ne '-' || $audit ne '-' ) {
my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
log_rule_limit( $level,
$logchainref,
$chainref->{name},
$disposition,
'',
$tag,
'add',
'' ) if $level;
if ( supplied $audit ) {
fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
}
add_ijump( $logchainref, g => $disposition );
$disposition = $logchainref;
}
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
END PERL;

2
Shorewall/actions.std
View File

@ -37,6 +37,8 @@ A_Drop # Audited Default Action for DROP policy
A_Reject # Audited Default action for REJECT policy A_Reject # Audited Default action for REJECT policy
Broadcast # Handles Broadcast/Multicast/Anycast Broadcast # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy Drop # Default Action for DROP policy
DropSmurfs # Drop smurf packets
Invalid # Handles packets in the INVALID conntrack state Invalid # Handles packets in the INVALID conntrack state
NotSyn # Handles TCP packets which do not have SYN=1 and ACK=0 NotSyn # Handles TCP packets which do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy Reject # Default Action for REJECT policy
TCPFlags # Handle bad flag combinations.