extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-02 16:05:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

A bit of cleanup

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-10-05 09:32:26 -07:00
parent 835a056eb8
commit 5d4a0172b7
3 changed files with 22 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -2708,6 +2708,11 @@ sub optimize_level8( $$$ ) {
replace_references $chainref1, $chainref->{name}, undef; replace_references $chainref1, $chainref->{name}, undef;
unless ( $chainref->{name} =~ /^~/ ) { unless ( $chainref->{name} =~ /^~/ ) {
#
# For simple use of the BLACKLIST section, we can end up with many identical
# chains. To distinguish them from other renamed chains, we keep track of
# these chains via the 'blacklistsection' member.
#
$rename{ $chainref->{name} } = $chainref->{blacklistsection} ? '~blacklist' : '~comb'; $rename{ $chainref->{name} } = $chainref->{blacklistsection} ? '~blacklist' : '~comb';
} }

19
Shorewall/action.DropSmurfs
View File

@ -14,6 +14,7 @@ FORMAT 2
DEFAULTS - DEFAULTS -
BEGIN PERL; BEGIN PERL;
use strict;
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6); use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules; use Shorewall::Rules;
@ -22,6 +23,7 @@ my ( $audit ) = get_action_params( 1 );
my $chainref = get_action_chain; my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging; my ( $level, $tag ) = get_action_logging;
my $target;
if ( $level ne '-' || $audit ne '-' ) { if ( $level ne '-' || $audit ne '-' ) {
my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0; my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
@ -29,7 +31,7 @@ if ( $level ne '-' || $audit ne '-' ) {
log_rule_limit( $level, log_rule_limit( $level,
$logchainref, $logchainref,
$chainref->{name}, $chainref->{name},
$disposition, 'DROP',
'', '',
$tag, $tag,
'add', 'add',
@ -38,13 +40,14 @@ if ( $level ne '-' || $audit ne '-' ) {
if ( supplied $audit ) { if ( supplied $audit ) {
fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit'; fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's'; require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition ); add_ijump( $logchainref, j => 'AUDIT --type DROP' );
} }
add_ijump( $logchainref, j => 'DROP' ); add_ijump( $logchainref, j => 'DROP' );
$smurfdest = $logchainref; $target = $logchainref;
} else {
$target = 'DROP';
} }
if ( have_capability( 'ADDRTYPE' ) ) { if ( have_capability( 'ADDRTYPE' ) ) {
@ -54,7 +57,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
add_ijump $chainref , j => 'RETURN', s => '::'; add_ijump $chainref , j => 'RETURN', s => '::';
} }
add_ijump( $chainref, g => $smurfdest, addrtype => '--src-type BROADCAST' ) ; add_ijump( $chainref, g => $target, addrtype => '--src-type BROADCAST' ) ;
} else { } else {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_commands $chainref, 'for address in $ALL_BCASTS; do'; add_commands $chainref, 'for address in $ALL_BCASTS; do';
@ -63,15 +66,15 @@ if ( have_capability( 'ADDRTYPE' ) ) {
} }
incr_cmd_level $chainref; incr_cmd_level $chainref;
add_ijump( $chainref, g => $smurfdest, s => '$address' ); add_ijump( $chainref, g => $target, s => '$address' );
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
} }
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_ijump( $chainref, g => $smurfdest, s => '224.0.0.0/4' ); add_ijump( $chainref, g => $target, s => '224.0.0.0/4' );
} else { } else {
add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST ); add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
} }
END PERL; END PERL;

14
Shorewall/action.TCPFlags
View File

@ -1,15 +1,12 @@
# #
# Shorewall version 4 - Action to handle bad TCP flag combinations # Shorewall version 4 - Drop Smurfs Action
# #
# /usr/share/shorewall/action.TCPFlags # /usr/share/shorewall/action.DropSmurfs
# #
# Accepts two optional parameters: # Accepts a single optional parameter:
# #
# Parameter 1: Disposition (default DROP).
# Must be ACCEPT, REJECT or DROP
# Parameter 2: Auditing
# - = Do not Audit # - = Do not Audit
# audit = Audit ACCEPT, REJECT or DROP. # audit = Audit dropped packets.
# #
################################################################################# #################################################################################
FORMAT 2 FORMAT 2
@ -17,6 +14,7 @@ FORMAT 2
DEFAULTS DROP,- DEFAULTS DROP,-
BEGIN PERL; BEGIN PERL;
use strict;
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6); use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
use Shorewall::Chains; use Shorewall::Chains;
@ -41,7 +39,7 @@ if ( $level ne '-' || $audit ne '-' ) {
'' ) if $level; '' ) if $level;
if ( supplied $audit ) { if ( supplied $audit ) {
fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit'; fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's'; require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition ); add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
} }