Inline the conntrack state actions.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-01-28 16:55:54 -08:00
parent de2cf6edf3
commit 5a2c1792cb
7 changed files with 76 additions and 115 deletions


@ -2808,10 +2808,10 @@ sub embedded_perl( $ ) {
} }
# #
# Push/pop action params # Push/pop acton params
# #
sub push_action_params( $$$$$ ) { sub push_action_params( $$$$$$ ) {
my ( $chainref, $parms, $loglevel, $logtag, $caller ) = @_; my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
my @parms = ( undef , split_list3( $parms , 'parameter' ) ); my @parms = ( undef , split_list3( $parms , 'parameter' ) );
$actparms{modified} = $parmsmodified; $actparms{modified} = $parmsmodified;
@ -2829,6 +2829,7 @@ sub push_action_params( $$$$$ ) {
} }
$actparms{0} = $chainref; $actparms{0} = $chainref;
$actparms{action} = $action;
$actparms{loglevel} = $loglevel; $actparms{loglevel} = $loglevel;
$actparms{logtag} = $logtag; $actparms{logtag} = $logtag;
$actparms{caller} = $caller; $actparms{caller} = $caller;
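Review bot: The rewritten header comment above the sub now reads `Push/pop acton params` where the old side had `action`; restore `# Push/pop action params`. Since `$actparms{action}` is now saved next to `0`, `loglevel`, `logtag` and `caller`, the matching pop side should restore the previous `action` value as well, otherwise a nested action would leave the outer one seeing the wrong name in perl_action_helper — pop_action_params is outside this hunk, so this could not be confirmed here. push_action_params' body continues past the end of the hunk.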


@ -51,11 +51,10 @@ our @EXPORT = qw(
process_actions process_actions
process_rules process_rules
verify_audit verify_audit
perl_action_helper
); );
our %EXPORT_TAGS = ( action => [ qw( process_rule1 is_inline ) ] ); our @EXPORT_OK = qw( initialize );
our @EXPORT_OK = qw( initialize process_rule1 is_inline );
our $VERSION = 'MODULEVERSION'; our $VERSION = 'MODULEVERSION';
# #
# Globals are documented in the initialize() function # Globals are documented in the initialize() function
@ -1248,17 +1247,6 @@ sub use_action( $ ) {
} }
} }
#
# Determine if an action is in-line
#
sub is_inline($) {
$actions{$_[0]}->{inline};
}
sub inline_columns() {
@columns;
}
# #
# This function determines the logging and params for a subordinate action or a rule within a superior action # This function determines the logging and params for a subordinate action or a rule within a superior action
# #
@ -1701,7 +1689,7 @@ sub process_action($$) {
push_open $actionfile, 2, 1; push_open $actionfile, 2, 1;
my $oldparms = push_action_params( $chainref, $param, $level, $tag, $caller ); my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
my $nolog = $actions{$action}{nolog}; my $nolog = $actions{$action}{nolog};
@ -1915,7 +1903,8 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
my ( $level, $tag ) = split( ':', $loglevel, 2 ); my ( $level, $tag ) = split( ':', $loglevel, 2 );
my $oldparms = push_action_params( $chainref, my $oldparms = push_action_params( $inline,
$chainref,
$param, $param,
supplied $level ? $level : 'none', supplied $level ? $level : 'none',
defined $tag ? $tag : '' , defined $tag ? $tag : '' ,
@ -2654,6 +2643,47 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
return 1; return 1;
} }
#
# May be called by Perl code in action bodies (regular and inline) to generate a rule.
#
sub perl_action_helper($$) {
my ( $target, $matches ) = @_;
my $action = $actparms{action};
my $chainref = $actparms{0};
assert( $chainref );
if ( $inlines{$action} ) {
&process_rule1( $chainref,
$matches,
$target,
'',
@columns );
} else {
process_rule1( $chainref,
$matches,
$target,
'', # Current Param
'-', # Source
'-', # Dest
'-', # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
}
}
# #
# Helper functions for process_rule(). That function deals with the ugliness of wildcard zones ('all' and 'any') and zone lists. # Helper functions for process_rule(). That function deals with the ugliness of wildcard zones ('all' and 'any') and zone lists.
# #
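Review bot: The `&process_rule1( ... @columns )` call in the inline branch of perl_action_helper needs a comment, because the `&` form is load-bearing: process_rule1 carries an all-`$` prototype, so a plain call would evaluate `@columns` in scalar context and pass its element count as one argument, while `&name(...)` bypasses the prototype and passes the list. Add `# '&' bypasses process_rule1's scalar prototype so @columns is expanded into the column arguments` above that call so it is not later "fixed" into the plain form; the non-inline branch passes exactly 19 scalars, which matches the prototype. The sub also ends without an explicit `return`, so callers receive whatever process_rule1 last evaluated; end it with `return;` or return the result deliberately. Note too that `process_rule1` and `is_inline` were dropped from @EXPORT_OK, so any other action file still importing them explicitly (as the Invalid action did before this commit) will fail to compile — only that one file is updated here as far as this page shows.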


@ -49,30 +49,12 @@ my ( $level, $tag ) = get_action_logging;
$action = join( ':', $action, $level, $tag ) if "${level}${tag}"; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
my $chainref = get_action_chain; perl_action_helper(
$action, # Target
"$globals{STATEMATCH} INVALID ", # Matches
);
process_rule1( $chainref, # Chainref allow_optimize( get_action_chain );
"$globals{STATEMATCH} ESTABLISHED ", # Rule
$action, # Target
'', # Current Param
'-', # Source
'-', # Dest
'-', # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
allow_optimize( $chainref );
1; 1;
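Review bot: The new `perl_action_helper(` call passes `"$globals{STATEMATCH} INVALID "` as the match, but the removed rule it replaces used `"$globals{STATEMATCH} ESTABLISHED "`, so this action now applies its target to INVALID-state packets instead of ESTABLISHED ones — with the usual ACCEPT target that reverses the intended policy. It looks like a copy of the Invalid action's block; the match line should read `"$globals{STATEMATCH} ESTABLISHED ", # Matches`. The file header is not visible, so identifying this as the Established action is inferred from the removed line and from the `Established inline` entry in the last section.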


@ -36,7 +36,7 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules qw( process_rule1 ); use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
@ -49,30 +49,12 @@ my ( $level, $tag ) = get_action_logging;
$action = join( ':', $action, $level, $tag ) if "${level}${tag}"; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
my $chainref = get_action_chain; perl_action_helper(
$action, # Target
"$globals{STATEMATCH} INVALID ", # Matches
);
process_rule1( $chainref, # Chainref allow_optimize( get_action_chain);
"$globals{STATEMATCH} INVALID ", # Rule
$action, # Target
'', # Current Param
'-', # Source
'-', # Dest
'-', # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
allow_optimize( $chainref );
1; 1;
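Review bot: `allow_optimize( get_action_chain);` on the new side drops the space before `)` that the sibling action files use; write `allow_optimize( get_action_chain );` for consistency. The switch from `use Shorewall::Rules qw( process_rule1 )` to the bare `use Shorewall::Rules;` is required here since perl_action_helper comes in via @EXPORT and process_rule1 is no longer exportable, which is worth a short comment such as `# default import: needs perl_action_helper` so the import list is not narrowed again.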


@ -33,6 +33,7 @@ DEFAULTS DROP,-
?BEGIN PERL; ?BEGIN PERL;
use strict;
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
@ -49,30 +50,12 @@ my ( $level, $tag ) = get_action_logging;
$action = join( ':', $action, $level, $tag ) if "${level}${tag}"; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
my $chainref = get_action_chain; perl_action_helper(
$action, # Target
"$globals{STATEMATCH} RELATED ", # Matches
);
process_rule1( $chainref, # Chainref allow_optimize( get_action_chain );
"$globals{STATEMATCH} RELATED ", # Rule
$action, # Target
'', # Current Param
'-', # Source
'-', # Dest
'-', # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
allow_optimize( $chainref );
1; 1;
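Review bot: `use strict;` is added to this embedded block but not `use warnings;`; the usual pairing is `use strict; use warnings;`. The Established, Invalid and Untracked blocks in this commit show no such addition in their hunks, but the corresponding lines of those files are outside the hunks shown, so they may already carry it.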


@ -49,30 +49,13 @@ my ( $level, $tag ) = get_action_logging;
$action = join( ':', $action, $level, $tag ) if "${level}${tag}"; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
my $chainref = get_action_chain; perl_action_helper(
$action, # Target
"$globals{STATEMATCH} UNTRACKED ", # Matches
);
process_rule1( $chainref, # Chainref
"$globals{STATEMATCH} UNTRACKED ", # Rule
$action, # Target
'', # Current Param
'-', # Source
'-', # Dest
'-', # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
allow_optimize( $chainref ); allow_optimize( get_action_chain );
1; 1;
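Review bot: perl_action_helper is only reachable here through Shorewall::Rules' default @EXPORT list; if this file imports Shorewall::Rules with an explicit `qw( ... )` list, as the Invalid action did before this commit, the new call fails at compile time. The `use` line is outside this hunk, so this could not be confirmed; the same caveat applies to the Established and Related sections above.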


@ -38,11 +38,11 @@ A_Reject # Audited Default action for REJECT policy
Broadcast noinline # Handles Broadcast/Multicast/Anycast Broadcast noinline # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy Drop # Default Action for DROP policy
DropSmurfs noinline # Drop smurf packets DropSmurfs noinline # Drop smurf packets
Established noinline # Handles packets in the ESTABLISHED state Established inline # Handles packets in the ESTABLISHED state
Invalid noinline # Handles packets in the INVALID conntrack state Invalid inline # Handles packets in the INVALID conntrack state
NotSyn noinline # Handles TCP packets which do not have SYN=1 and ACK=0 NotSyn noinline # Handles TCP packets which do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy Reject # Default Action for REJECT policy
Related noinline # Handles packets in the RELATED conntrack state Related inline # Handles packets in the RELATED conntrack state
RST noinline # Handle packets with RST set RST noinline # Handle packets with RST set
TCPFlags noinline # Handle bad flag combinations. TCPFlags noinline # Handle bad flag combinations.
Untracked noinline # Handles packets in the UNTRACKED conntrack state Untracked inline # Handles packets in the UNTRACKED conntrack state