diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index f2256a5aa..243d30fd4 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2708,6 +2708,11 @@ sub optimize_level8( $$$ ) {
 replace_references $chainref1, $chainref->{name}, undef;
 unless ( $chainref->{name} =~ /^~/ ) {
+ #
+ # For simple use of the BLACKLIST section, we can end up with many identical
+ # chains. To distinguish them from other renamed chains, we keep track of
+ # these chains via the 'blacklistsection' member.
+ #
 $rename{ $chainref->{name} } = $chainref->{blacklistsection} ? '~blacklist' : '~comb';
 }
diff --git a/Shorewall/action.DropSmurfs b/Shorewall/action.DropSmurfs
index 5b818d4e5..068c05939 100644
--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -14,6 +14,7 @@ FORMAT 2
 DEFAULTS -
 BEGIN PERL;
+use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
 use Shorewall::Rules;
@@ -22,6 +23,7 @@ my ( $audit ) = get_action_params( 1 );
 my $chainref = get_action_chain;
 my ( $level, $tag ) = get_action_logging;
+my $target;
 if ( $level ne '-' || $audit ne '-' ) {
 my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
@@ -29,7 +31,7 @@ if ( $level ne '-' || $audit ne '-' ) {
 log_rule_limit( $level,
 $logchainref,
 $chainref->{name},
- $disposition,
+ 'DROP',
 '',
 $tag,
 'add',
@@ -38,13 +40,14 @@ if ( $level ne '-' || $audit ne '-' ) {
 if ( supplied $audit ) {
 fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
 require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
- add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
+ add_ijump( $logchainref, j => 'AUDIT --type DROP' );
 }
- add_ijump( $logchainref, j => 'DROP' );
- $smurfdest = $logchainref;
+ $target = $logchainref;
+} else {
+ $target = 'DROP';
 }
 if ( have_capability( 'ADDRTYPE' ) ) {
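Review bot: `use strict;` is added to the BEGIN PERL block without a matching `use warnings;`, so the undeclared-variable class of mistake this commit is cleaning up (`$smurfdest`, `$disposition`) is now caught, but uninitialized-value and similar errors in the same block still pass silently. The same applies to the identical hunk in Shorewall/action.TCPFlags (@@ -17,6 +14,7). Consider `use strict;` followed by `use warnings;` in both files, unless the compiler's evaluation of embedded blocks already inherits warnings, which is not visible here.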
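Review bot: The logging branch no longer ends in a drop: `add_ijump( $logchainref, j => 'DROP' );` is removed from the log chain and nothing replaces it, yet `$target = $logchainref;` still sends the later `g => $target` rules (hunks @@ -54 and @@ -63) to that chain. As far as the diff shows, the chain then holds only the log rule and the optional AUDIT rule, so a matched smurf packet is logged or audited and falls off the end of the chain instead of being dropped, making the action a no-op whenever logging or auditing is enabled; the rule only takes effect where `$target = 'DROP';` is used. Keep the drop as the final rule of the log chain, e.g. `add_ijump( $logchainref, j => 'DROP' );` immediately before `$target = $logchainref;`. The enclosing if block starts before this hunk.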
@@ -54,7 +57,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
 add_ijump $chainref , j => 'RETURN', s => '::';
 }
- add_ijump( $chainref, g => $smurfdest, addrtype => '--src-type BROADCAST' ) ;
+ add_ijump( $chainref, g => $target, addrtype => '--src-type BROADCAST' ) ;
 } else {
 if ( $family == F_IPV4 ) {
 add_commands $chainref, 'for address in $ALL_BCASTS; do';
@@ -63,15 +66,15 @@ if ( have_capability( 'ADDRTYPE' ) ) {
 }
 incr_cmd_level $chainref;
- add_ijump( $chainref, g => $smurfdest, s => '$address' );
+ add_ijump( $chainref, g => $target, s => '$address' );
 decr_cmd_level $chainref;
 add_commands $chainref, 'done';
 }
 if ( $family == F_IPV4 ) {
- add_ijump( $chainref, g => $smurfdest, s => '224.0.0.0/4' );
+ add_ijump( $chainref, g => $target, s => '224.0.0.0/4' );
 } else {
- add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
+ add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
 }
 END PERL;
diff --git a/Shorewall/action.TCPFlags b/Shorewall/action.TCPFlags
index 7ca5328fc..2c4e74bda 100644
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -1,15 +1,12 @@
 #
-# Shorewall version 4 - Action to handle bad TCP flag combinations
+# Shorewall version 4 - Drop Smurfs Action
 #
-# /usr/share/shorewall/action.TCPFlags
+# /usr/share/shorewall/action.DropSmurfs
 #
-# Accepts two optional parameters:
+# Accepts a single optional parameter:
 #
-# Parameter 1: Disposition (default DROP).
-# Must be ACCEPT, REJECT or DROP
-# Parameter 2: Auditing
 # - = Do not Audit
-# audit = Audit ACCEPT, REJECT or DROP.
+# audit = Audit dropped packets.
 #
 #################################################################################
 FORMAT 2
@@ -17,6 +14,7 @@ FORMAT 2
 DEFAULTS DROP,-
 BEGIN PERL;
+use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
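Review bot: The rewritten header of action.TCPFlags now describes a different action: it reads `Drop Smurfs Action` and `/usr/share/shorewall/action.DropSmurfs`, and it drops the Parameter 1 (disposition) documentation even though `DEFAULTS DROP,-` in the next hunk still declares two parameters and the code at @@ -41 still uses `$disposition`. This looks like the DropSmurfs header pasted over the TCPFlags one rather than an intended change. Restore `# Shorewall version 4 - Action to handle bad TCP flag combinations`, `# /usr/share/shorewall/action.TCPFlags` and the two-parameter description, keeping at most the reworded audit line if that edit was meant for this file.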
@@ -41,7 +39,7 @@ if ( $level ne '-' || $audit ne '-' ) {
 '' ) if $level;
 if ( supplied $audit ) {
- fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
+ fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
 require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
 add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
 }
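Review bot: `lc $disposition` is spliced straight into the AUDIT target string on the last add_ijump line, and nothing in this hunk restricts it to the accept/drop/reject values that the AUDIT `--type` option accepts. If the parameter is not validated before this block (the enclosing if starts outside the hunk, and the header documentation that said it must be ACCEPT, REJECT or DROP is removed in this commit), an unexpected disposition only surfaces as an iptables parse error at load time. A guard next to the existing argument check, e.g. `fatal_error "Invalid disposition ($disposition) to TCPFlags" unless $disposition =~ /^(?:ACCEPT|DROP|REJECT)$/;`, reports it at compile time with a clear message.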