diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index d70cbb016..71c970239 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -2808,10 +2808,10 @@ sub embedded_perl( $ ) { } # -# Push/pop action params +# Push/pop acton params # -sub push_action_params( $$$$$ ) { - my ( $chainref, $parms, $loglevel, $logtag, $caller ) = @_; +sub push_action_params( $$$$$$ ) { + my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_; my @parms = ( undef , split_list3( $parms , 'parameter' ) ); $actparms{modified} = $parmsmodified; @@ -2829,6 +2829,7 @@ sub push_action_params( $$$$$ ) { } $actparms{0} = $chainref; + $actparms{action} = $action; $actparms{loglevel} = $loglevel; $actparms{logtag} = $logtag; $actparms{caller} = $caller; diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 5198b8fd4..233e6345b 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -51,11 +51,10 @@ our @EXPORT = qw( process_actions process_rules verify_audit + perl_action_helper ); -our %EXPORT_TAGS = ( action => [ qw( process_rule1 is_inline ) ] ); - -our @EXPORT_OK = qw( initialize process_rule1 is_inline ); +our @EXPORT_OK = qw( initialize ); our $VERSION = 'MODULEVERSION'; # # Globals are documented in the initialize() function @@ -1248,17 +1247,6 @@ sub use_action( $ ) { } } -# -# Determine if an action is in-line -# -sub is_inline($) { - $actions{$_[0]}->{inline}; -} - -sub inline_columns() { - @columns; -} - # # This function determines the logging and params for a subordinate action or a rule within a superior action # @@ -1701,7 +1689,7 @@ sub process_action($$) { push_open $actionfile, 2, 1; - my $oldparms = push_action_params( $chainref, $param, $level, $tag, $caller ); + my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller ); my $nolog = $actions{$action}{nolog}; 
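Review bot: The new comment line in the first Config.pm hunk reads `# Push/pop acton params`, replacing a correctly spelled line, so the rewrite introduces a typo rather than fixing one. Restore `# Push/pop action params`. Since `push_action_params` now takes six positional values with `$action` first, a short comment listing the parameter order above the sub would spare callers from counting `$` characters in the prototype.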
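Review bot: Removing `process_rule1` and `is_inline` from `@EXPORT_OK` and dropping the `:action` export tag makes any action file that still says `use Shorewall::Rules qw( process_rule1 )` fail at compile time with a not-exported error, and an explicit import list would also suppress the default export of `perl_action_helper`. In this diff only action.Invalid's `use` line is updated; the corresponding lines in action.Established, action.Related and action.Untracked are outside the shown hunks, so please confirm each now reads `use Shorewall::Rules;`. If third-party action files built on the `:action` tag matter, keeping `process_rule1` in `@EXPORT_OK` for a deprecation period would preserve compatibility.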
@@ -1915,7 +1903,8 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$) { my ( $level, $tag ) = split( ':', $loglevel, 2 ); - my $oldparms = push_action_params( $chainref, + my $oldparms = push_action_params( $inline, + $chainref, $param, supplied $level ? $level : 'none', defined $tag ? $tag : '' , @@ -2654,6 +2643,47 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) { return 1; } +# +# May be called by Perl code in action bodies (regular and inline) to generate a rule. +# +sub perl_action_helper($$) { + my ( $target, $matches ) = @_; + my $action = $actparms{action}; + my $chainref = $actparms{0}; + + assert( $chainref ); + + if ( $inlines{$action} ) { + &process_rule1( $chainref, + $matches, + $target, + '', + @columns ); + } else { + process_rule1( $chainref, + $matches, + $target, + '', # Current Param + '-', # Source + '-', # Dest + '-', # Proto + '-', # Port(s) + '-', # Source Port(s) + '-', # Original Dest + '-', # Rate Limit + '-', # User + '-', # Mark + '-', # Connlimit + '-', # Time + '-', # Headers, + '-', # condition, + '-', # helper, + 0, # Wildcard + ); + } +} + + # # Helper functions for process_rule(). That function deals with the ugliness of wildcard zones ('all' and 'any') and zone lists. # diff --git a/Shorewall/action.Established b/Shorewall/action.Established index 7518b0adf..d40963472 100644 --- a/Shorewall/action.Established +++ b/Shorewall/action.Established 
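Review bot: In `perl_action_helper` the inline branch calls `&process_rule1( ... @columns )` with the `&` sigil to bypass the all-scalar prototype so `@columns` flattens, but nothing records why, and nothing checks that `@columns` supplies the 15 column values the non-inline branch spells out as placeholders; a short or empty `@columns` would silently shift the remaining arguments. I would add `# '&' bypasses the scalar prototype so @columns flattens into the column arguments` and `assert( @columns == 15 );` next to the existing `assert( $chainref );`. Branch selection also uses `%inlines`, whereas the removed `is_inline` consulted `$actions{$_[0]}->{inline}`; if those two can disagree, an inline action's Perl body would take the non-inline path and lose the caller's columns, which is worth confirming. The sub falls off the end, so its value is whatever `process_rule1` returned in the chosen branch; a bare `return;` would make that intent explicit.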
@@ -49,30 +49,12 @@ my ( $level, $tag ) = get_action_logging; $action = join( ':', $action, $level, $tag ) if "${level}${tag}"; -my $chainref = get_action_chain; +perl_action_helper( + $action, # Target + "$globals{STATEMATCH} INVALID ", # Matches + ); -process_rule1( $chainref, # Chainref - "$globals{STATEMATCH} ESTABLISHED ", # Rule - $action, # Target - '', # Current Param - '-', # Source - '-', # Dest - '-', # Proto - '-', # Port(s) - '-', # Source Port(s) - '-', # Original Dest - '-', # Rate Limit - '-', # User - '-', # Mark - '-', # Connlimit - '-', # Time - '-', # Headers, - '-', # condition, - '-', # helper, - 0, # Wildcard -); - -allow_optimize( $chainref ); +allow_optimize( get_action_chain ); 1; diff --git a/Shorewall/action.Invalid b/Shorewall/action.Invalid index f3287c06c..6386df9e2 100644 --- a/Shorewall/action.Invalid +++ b/Shorewall/action.Invalid @@ -36,7 +36,7 @@ DEFAULTS DROP,- use Shorewall::IPAddrs; use Shorewall::Config; use Shorewall::Chains; -use Shorewall::Rules qw( process_rule1 ); +use Shorewall::Rules; my ( $action, $audit ) = get_action_params( 2 ); @@ -49,30 +49,12 @@ my ( $level, $tag ) = get_action_logging; $action = join( ':', $action, $level, $tag ) if "${level}${tag}"; -my $chainref = get_action_chain; +perl_action_helper( + $action, # Target + "$globals{STATEMATCH} INVALID ", # Matches + ); -process_rule1( $chainref, # Chainref - "$globals{STATEMATCH} INVALID ", # Rule - $action, # Target - '', # Current Param - '-', # Source - '-', # Dest - '-', # Proto - '-', # Port(s) - '-', # Source Port(s) - '-', # Original Dest - '-', # Rate Limit - '-', # User - '-', # Mark - '-', # Connlimit - '-', # Time - '-', # Headers, - '-', # condition, - '-', # helper, - 0, # Wildcard -); - -allow_optimize( $chainref ); +allow_optimize( get_action_chain); 1; diff --git a/Shorewall/action.Related b/Shorewall/action.Related index 55aa20197..5fcfcb1da 100644 --- a/Shorewall/action.Related +++ b/Shorewall/action.Related 
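Review bot: The new `perl_action_helper` call in action.Established matches `"$globals{STATEMATCH} INVALID "`, while the line it replaces matched `ESTABLISHED`; as written the Established action applies its target to INVALID-state packets and never to established traffic, inverting the action's purpose (and, if the action's default target accepts, granting that to INVALID packets). Change the Matches argument to `"$globals{STATEMATCH} ESTABLISHED ",`. This file's `use Shorewall::Rules` line lies outside the hunk; because `perl_action_helper` is only a default export, that line must not carry an explicit import list such as `qw( process_rule1 )`, which this commit makes non-exportable.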
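Review bot: The new line `allow_optimize( get_action_chain);` in action.Invalid drops the space before the closing parenthesis that the sibling action files and the rest of this file use. Write it as `allow_optimize( get_action_chain );` for consistency.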
@@ -33,6 +33,7 @@ DEFAULTS DROP,- ?BEGIN PERL; +use strict; use Shorewall::IPAddrs; use Shorewall::Config; use Shorewall::Chains; @@ -49,30 +50,12 @@ my ( $level, $tag ) = get_action_logging; $action = join( ':', $action, $level, $tag ) if "${level}${tag}"; -my $chainref = get_action_chain; +perl_action_helper( + $action, # Target + "$globals{STATEMATCH} RELATED ", # Matches + ); -process_rule1( $chainref, # Chainref - "$globals{STATEMATCH} RELATED ", # Rule - $action, # Target - '', # Current Param - '-', # Source - '-', # Dest - '-', # Proto - '-', # Port(s) - '-', # Source Port(s) - '-', # Original Dest - '-', # Rate Limit - '-', # User - '-', # Mark - '-', # Connlimit - '-', # Time - '-', # Headers, - '-', # condition, - '-', # helper, - 0, # Wildcard -); - -allow_optimize( $chainref ); +allow_optimize( get_action_chain ); 1; diff --git a/Shorewall/action.Untracked b/Shorewall/action.Untracked index f592105e6..6f235433d 100644 --- a/Shorewall/action.Untracked +++ b/Shorewall/action.Untracked @@ -49,30 +49,13 @@ my ( $level, $tag ) = get_action_logging; $action = join( ':', $action, $level, $tag ) if "${level}${tag}"; -my $chainref = get_action_chain; +perl_action_helper( + $action, # Target + "$globals{STATEMATCH} UNTRACKED ", # Matches + ); -process_rule1( $chainref, # Chainref - "$globals{STATEMATCH} UNTRACKED ", # Rule - $action, # Target - '', # Current Param - '-', # Source - '-', # Dest - '-', # Proto - '-', # Port(s) - '-', # Source Port(s) - '-', # Original Dest - '-', # Rate Limit - '-', # User - '-', # Mark - '-', # Connlimit - '-', # Time - '-', # Headers, - '-', # condition, - '-', # helper, - 0, # Wildcard -); -allow_optimize( $chainref ); +allow_optimize( get_action_chain ); 1; diff --git a/Shorewall/actions.std b/Shorewall/actions.std index 9eb18fea5..5cde40398 100644 --- a/Shorewall/actions.std +++ b/Shorewall/actions.std 
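Review bot: `use strict;` is added here without `use warnings;`, and only to action.Related, although action.Established, action.Invalid and action.Untracked receive the same body rewrite in this commit. Add `use warnings;` after it and apply both pragmas to the sibling files so all four actions are checked alike. The `use Shorewall::Rules` line that presumably follows `use Shorewall::Chains;` is just outside this hunk; with `perl_action_helper` now provided only through `@EXPORT`, that line must be a bare `use Shorewall::Rules;`, since an explicit import list suppresses the default exports.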
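Review bot: The rewritten body of action.Untracked now depends on `perl_action_helper`, which Shorewall::Rules exposes only via `@EXPORT`, yet this file's `use Shorewall::Rules` line is outside the hunk and, unlike action.Invalid's, is not changed anywhere in the diff. If it still reads `use Shorewall::Rules qw( process_rule1 )`, the action fails to compile because `process_rule1` is no longer exportable; please confirm it reads `use Shorewall::Rules;`.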
@@ -38,11 +38,11 @@ A_Reject # Audited Default action for REJECT policy Broadcast noinline # Handles Broadcast/Multicast/Anycast Drop # Default Action for DROP policy DropSmurfs noinline # Drop smurf packets -Established noinline # Handles packets in the ESTABLISHED state -Invalid noinline # Handles packets in the INVALID conntrack state +Established inline # Handles packets in the ESTABLISHED state +Invalid inline # Handles packets in the INVALID conntrack state NotSyn noinline # Handles TCP packets which do not have SYN=1 and ACK=0 Reject # Default Action for REJECT policy -Related noinline # Handles packets in the RELATED conntrack state +Related inline # Handles packets in the RELATED conntrack state RST noinline # Handle packets with RST set TCPFlags noinline # Handle bad flag combinations. -Untracked noinline # Handles packets in the UNTRACKED conntrack state +Untracked inline # Handles packets in the UNTRACKED conntrack state
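Review bot: Switching Established, Invalid, Related and Untracked to `inline` means their Perl bodies now run against the invoking rule's chain rather than a dedicated action chain, so the `allow_optimize( get_action_chain )` call in each action file (presumably returning `$actparms{0}`, which process_inline sets to the chainref it was handed) now marks the caller's chain as optimizable; confirm that is intended for every chain these actions can be invoked from. Through the inline branch of `perl_action_helper` the generated conntrack-state rule is also combined with `@columns`, presumably the invoking rule's columns, so callers that relied on the old shared chain matching all traffic may see narrower rules. A comment beside these four entries noting that their bodies depend on `perl_action_helper` and the inline column handling would help anyone tempted to flip them back to `noinline`.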