From 6240d41754b32012b2c82adb92b6d059341e9506 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 25 Dec 2010 07:41:18 -0800 Subject: [PATCH 01/19] Add new progress message --- Shorewall/Perl/Shorewall/Rules.pm | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 8639f8644..684eb29b2 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -377,9 +377,12 @@ sub process_actions2 () { progress_message2 'Generating Transitive Closure of Used-action List...'; my $changed = 1; + my $passes = 0; while ( $changed ) { $changed = 0; + $passes++; + for my $target (keys %usedactions) { my ( $action, $level, $tag, $param ) = split ':', $target; my $actionref = $actions{$action}; @@ -390,6 +393,8 @@ sub process_actions2 () { } } } + + progress_message2 "Transitive Closure generated in $passes passes"; } # From 1285b73d52babbd406e8843bbb06ae725d926d0f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 25 Dec 2010 08:10:23 -0800 Subject: [PATCH 02/19] Simplify detection of action self-invocation --- Shorewall/Perl/Shorewall/Rules.pm | 59 +++++++++++++------------------ 1 file changed, 25 insertions(+), 34 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 684eb29b2..aca250191 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -297,6 +297,8 @@ sub process_actions1() { new_action $action; + $targets{$action} = ACTION; + my $actionfile = find_file "action.$action"; fatal_error "Missing Action File ($actionfile)" unless -f $actionfile; 
@@ -304,12 +306,7 @@ sub process_actions1() { progress_message2 " Pre-processing $actionfile..."; push_open( $actionfile ); - # - # We defer assigning a type to the action until we've processed it's action file. - # This allows us to easily catch the case where an action invokes itself. - # - my $actiontype = 0; - + while ( read_a_line ) { my ($wholetarget, @rest ) = split_line1 1, 13, 'action file' , $rule_commands; @@ -318,32 +315,26 @@ sub process_actions1() { # deals with the target and the parameter. We pass undef for the rest so we'll # know if we try to use one of them. # - # process_rule_common() returns the NATONLY actiontype flag if the target - # of the rule includes NATRULE, NATONLY or NONAT. The flag is LORed into the - # action's type below. - # - $actiontype |= process_rule_common( $action , - $wholetarget , - '' , # Current Param - undef, # source - undef, # dest - undef, # proto - undef, # ports - undef, # sports - undef, # origdest - undef, # ratelimit - undef, # user - undef, # mark - undef, # connlimit - undef, # time - undef, # headers - undef # wildcard - ) unless $wholetarget eq 'FORMAT' || $wholetarget eq 'COMMENT'; + process_rule_common( $action , + $wholetarget , + '' , # Current Param + undef, # source + undef, # dest + undef, # proto + undef, # ports + undef, # sports + undef, # origdest + undef, # ratelimit + undef, # user + undef, # mark + undef, # connlimit + undef, # time + undef, # headers + undef # wildcard + ) unless $wholetarget eq 'FORMAT' || $wholetarget eq 'COMMENT'; } pop_open; - - $targets{$action} = ACTION | $actiontype; } } } @@ -839,6 +830,7 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ) { $normalized_target = normalize_action( $basictarget, $loglevel, $param ); if ( $inaction1 ) { + fatal_error "An action may not invoke itself" if $basictarget eq $inaction1; add_requiredby( $normalized_target , $inaction1 ); } else { if ( my $ref = use_action( $normalized_target ) ) { 
@@ -847,11 +839,10 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ) { } } - # - # Return the NATRULE flag to the caller who will eventually add it - # to $targets{$inaction1} - # - return ( $actiontype & ( NATRULE | NONAT | NATONLY ) ) ? NATRULE : 0 if $inaction1; + if ( $inaction1 ) { + $targets{$inaction1} |= NATRULE if $actiontype & (NATRULE | NONAT | NATONLY ); + return 1; + } # # Take care of irregular syntax and targets # From 39f4f03b60377dbcd43f694ab914f0fdaa4a8e93 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 25 Dec 2010 08:21:32 -0800 Subject: [PATCH 03/19] Segregate process_action1() from process_actions1() --- Shorewall/Perl/Shorewall/Rules.pm | 73 +++++++++++++++++-------------- 1 file changed, 41 insertions(+), 32 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index aca250191..9196a3d85 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
@@ -267,6 +267,46 @@ sub map_old_actions( $ ) { sub process_rule_common ( $$$$$$$$$$$$$$$$ ); +sub process_action1( $ ) { + my $action = shift; + my $actionfile = find_file "action.$action"; + + fatal_error "Missing Action File ($actionfile)" unless -f $actionfile; + + progress_message2 " Pre-processing $actionfile..."; + + push_open( $actionfile ); + + while ( read_a_line ) { + + my ($wholetarget, @rest ) = split_line1 1, 13, 'action file' , $rule_commands; + # + # When passed an action name in the first argument, process_rule_common() only + # deals with the target and the parameter. We pass undef for the rest so we'll + # know if we try to use one of them. + # + process_rule_common( $action , + $wholetarget , + '' , # Current Param + undef, # source + undef, # dest + undef, # proto + undef, # ports + undef, # sports + undef, # origdest + undef, # ratelimit + undef, # user + undef, # mark + undef, # connlimit + undef, # time + undef, # headers + undef # wildcard + ) unless $wholetarget eq 'FORMAT' || $wholetarget eq 'COMMENT'; + } + + pop_open; +} + sub process_actions1() { progress_message2 "Preprocessing Action Files..."; 
@@ -303,38 +343,7 @@ sub process_actions1() { fatal_error "Missing Action File ($actionfile)" unless -f $actionfile; - progress_message2 " Pre-processing $actionfile..."; - - push_open( $actionfile ); - - while ( read_a_line ) { - - my ($wholetarget, @rest ) = split_line1 1, 13, 'action file' , $rule_commands; - # - # When passed an action name in the first argument, process_rule_common() only - # deals with the target and the parameter. We pass undef for the rest so we'll - # know if we try to use one of them. - # - process_rule_common( $action , - $wholetarget , - '' , # Current Param - undef, # source - undef, # dest - undef, # proto - undef, # ports - undef, # sports - undef, # origdest - undef, # ratelimit - undef, # user - undef, # mark - undef, # connlimit - undef, # time - undef, # headers - undef # wildcard - ) unless $wholetarget eq 'FORMAT' || $wholetarget eq 'COMMENT'; - } - - pop_open; + process_action1( $action ); } } } From 8218cb3444eb74126595602e1b9c983e88f2d330 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 25 Dec 2010 10:15:08 -0800 Subject: [PATCH 04/19] Pass normalized action name to process_rule_common() --- Shorewall/Perl/Shorewall/Rules.pm | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 9196a3d85..4545e354d 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -268,8 +268,9 @@ sub map_old_actions( $ ) { sub process_rule_common ( $$$$$$$$$$$$$$$$ ); sub process_action1( $ ) { - my $action = shift; - my $actionfile = find_file "action.$action"; + my $wholeaction = shift; + my ( $action , $level, $tag, $param ) = split /:/, $wholeaction; + my $actionfile = find_file "action.$action"; fatal_error "Missing Action File ($actionfile)" unless -f $actionfile; 
@@ -285,7 +286,7 @@ sub process_action1( $ ) { # deals with the target and the parameter. We pass undef for the rest so we'll # know if we try to use one of them. # - process_rule_common( $action , + process_rule_common( $wholeaction , $wholetarget , '' , # Current Param undef, # source @@ -343,7 +344,7 @@ sub process_actions1() { fatal_error "Missing Action File ($actionfile)" unless -f $actionfile; - process_action1( $action ); + process_action1 normalize_action_name $action; } } } @@ -757,12 +758,13 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ) { my $inaction1; my $inaction3; my $normalized_target; + my $normalized_action; if ( defined $chainref ) { if ( reftype $chainref ) { $inaction3 = 1; } else { - $inaction1 = $chainref; + ( $inaction1, undef, undef, undef ) = split /:/, $normalized_action = $chainref; } } From bdc3ca16a40395fbaae073894fe7244ddc2ef039 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 25 Dec 2010 14:28:57 -0800 Subject: [PATCH 05/19] Finish revision of action processing --- Shorewall/Perl/Shorewall/Compiler.pm | 5 +- Shorewall/Perl/Shorewall/Rules.pm | 82 ++++++++++++---------------- 2 files changed, 39 insertions(+), 48 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 5a846153d..062a5546c 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -637,6 +637,10 @@ sub compiler { # validate_policy; # + # Process default actions + # + process_actions2; + # # N O T R A C K # (Produces no output to the compiled script) # @@ -761,7 +765,6 @@ sub compiler { # # Post-rules action processing. # - process_actions2; process_actions3; # # MACLIST Filtration again diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 4545e354d..56a9a31f5 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
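Review bot: The new line `( $inaction1, undef, undef, undef ) = split /:/, $normalized_action = $chainref;` buries an assignment inside the argument to split, which reads like a comparison at first glance; writing `$normalized_action = $chainref;` followed by `( $inaction1 ) = split /:/, $normalized_action;` has the same effect (list assignment supplies the implicit split limit) and makes both steps visible. The three `undef` placeholders add nothing once only the first field is wanted. The rest of process_rule_common is outside the hunk, so whether `$normalized_action` is read later cannot be checked here.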
@@ -42,7 +42,7 @@ our @EXPORT = qw( process_actions3 process_rules - ); + ); our @EXPORT_OK = qw( initialize ); our $VERSION = '4.4_16'; @@ -58,9 +58,10 @@ our @builtins; # our $rule_commands = { COMMENT => 0, FORMAT => 2 }; -use constant { MAX_MACRO_NEST_LEVEL => 5 }; +use constant { MAX_MACRO_NEST_LEVEL => 5 , MAX_ACTION_NEST_LEVEL => 5 }; our $macro_nest_level; +our $action_nest_level; # # Rather than initializing globals in an INIT block or during declaration, @@ -73,10 +74,10 @@ our $macro_nest_level; # able to re-initialize its dependent modules' state. # sub initialize( $ ) { - - $family = shift; - %macros = (); - $macro_nest_level = 0; + $family = shift; + %macros = (); + $macro_nest_level = 0; + $action_nest_level = 0; if ( $family == F_IPV4 ) { @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/; 
@@ -248,17 +249,15 @@ sub map_old_actions( $ ) { # to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and # ${CONFDIR}/actions are scanned (in that order). For each action: # -# a) The related action definition file is located and scanned. -# b) Forward and unresolved action references are trapped as errors. -# c) A dependency graph is created using the 'requires' field in the 'actions' table. +# a) The related action definition file is located. +# a) The action is added to the target table # -# As the rules file is scanned, each action[:level[:tag]] is merged onto the 'usedactions' hash. When an -# is merged into the hash, its action chain is created. Where logging is specified, a chain with the name -# %n is used where the name is truncated on the right where necessary to ensure that the total -# length of the chain name does not exceed 30 characters. +# The second phase (process_actions2) occurs after the policy file is scanned. Each default action's file +# is processed by process_action2(). That function recursively processes action files up the action +# invocation tree, adding to the %usedactions hash as each new action is discovered. # -# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of -# %usedactions is generated; again, as new actions are merged into the hash, their action chains are created. +# During rules file processing, process_action2() is called when a new action:level:tag:params is encountered. +# Again, each new such tupple is entered into the %usedactions hash. # # The final phase (process_actions3) traverses the keys of %usedactions populating each chain appropriately # by reading the related action definition file and creating rules. Note that a given action definition file is 
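Review bot: The rewritten block comment labels both first-phase steps `a)`, so the second should read `b) The action is added to the target table`, and `tupple` in the last new paragraph should be `tuple`. The comment also credits process_action2() with adding to %usedactions; judging from the process_rule_common hunk later in this patch it is use_action() that enters the new tuple and process_action2() that then recurses on it, so naming use_action() there would match the code more closely.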
@@ -267,7 +266,7 @@ sub map_old_actions( $ ) { sub process_rule_common ( $$$$$$$$$$$$$$$$ ); -sub process_action1( $ ) { +sub process_action2( $ ) { my $wholeaction = shift; my ( $action , $level, $tag, $param ) = split /:/, $wholeaction; my $actionfile = find_file "action.$action"; @@ -276,8 +275,10 @@ sub process_action1( $ ) { progress_message2 " Pre-processing $actionfile..."; + fatal_error "Actions nested too deeply" if ++$action_nest_level > MAX_ACTION_NEST_LEVEL; + push_open( $actionfile ); - + while ( read_a_line ) { my ($wholetarget, @rest ) = split_line1 1, 13, 'action file' , $rule_commands; @@ -304,8 +305,10 @@ sub process_action1( $ ) { undef # wildcard ) unless $wholetarget eq 'FORMAT' || $wholetarget eq 'COMMENT'; } - + pop_open; + + --$action_nest_level; } sub process_actions1() { @@ -343,8 +346,6 @@ sub process_actions1() { my $actionfile = find_file "action.$action"; fatal_error "Missing Action File ($actionfile)" unless -f $actionfile; - - process_action1 normalize_action_name $action; } } } @@ -375,27 +376,12 @@ sub merge_action_levels( $$ ) { } sub process_actions2 () { - progress_message2 'Generating Transitive Closure of Used-action List...'; + progress_message2 "Pre-processing default actions..."; - my $changed = 1; - my $passes = 0; - - while ( $changed ) { - $changed = 0; - $passes++; - - for my $target (keys %usedactions) { - my ( $action, $level, $tag, $param ) = split ':', $target; - my $actionref = $actions{$action}; - assert( $actionref ); - for my $action1 ( keys %{$actionref->{requires}} ) { - my $action2 = merge_action_levels( $target, $action1 ); - $changed = 1 if use_action( $action2 ); - } - } + for my $action ( keys %usedactions ) { + my ( $basic_action, undef, undef, undef ) = split /:/, $action; + process_action2( $action ) unless $targets{$basic_action} & BUILTIN; } - - progress_message2 "Transitive Closure generated in $passes passes"; } # 
@@ -603,6 +589,7 @@ sub process_actions3 () { 'Limit' => \&Limit, ); while ( my ( $wholeaction, $chainref ) = each %usedactions ) { + assert( $chainref->{name} ); my ( $action, $level, $tag, $param ) = split /:/, $wholeaction; if ( $targets{$action} & BUILTIN ) { @@ -734,7 +721,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) { # sub process_rule_common ( $$$$$$$$$$$$$$$$ ) { my ( $chainref, #reference to Action Chain if we are being called from process_action3() - # if defined, we are being called from process_action1() and this is the name of the action + # if defined, we are being called from process_action2() and this is the name of the action $target, $current_param, $source, @@ -755,7 +742,7 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ) { my ( $basictarget, $param ) = get_target_param $action; my $rule = ''; my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 1 ) : 0; - my $inaction1; + my $inaction1 = ''; my $inaction3; my $normalized_target; my $normalized_action; @@ -839,14 +826,15 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ) { # Create the action:level:tag:param tupple. # $normalized_target = normalize_action( $basictarget, $loglevel, $param ); - - if ( $inaction1 ) { - fatal_error "An action may not invoke itself" if $basictarget eq $inaction1; - add_requiredby( $normalized_target , $inaction1 ); - } else { + + if ( $inaction3 ) { if ( my $ref = use_action( $normalized_target ) ) { - new_nat_chain $ref->{name} if $actiontype & ( NATRULE | NONAT | NATONLY ); + new_nat_chain $ref->{name} if ( $actiontype = $targets{$basictarget} ) & NATRULE; } + } else { + fatal_error "An action may not invoke itself" if $basictarget eq $inaction1; + process_action2( $normalized_target ) if use_action( $normalized_target ) && ! ( $actiontype & BUILTIN ); + $actiontype = $targets{$basictarget}; } } From 758a50fa84214f3d2c6ce35e3b57286b37477069 Mon Sep 17 00:00:00 2001 
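Review bot: In the `$inaction3` branch `new_nat_chain $ref->{name} if ( $actiontype = $targets{$basictarget} ) & NATRULE;` reassigns `$actiontype` inside the condition, whereas the `else` branch tests `$actiontype & BUILTIN` first and only then does `$actiontype = $targets{$basictarget};`, so the two branches decide on different values of `$actiontype`; if that is intended it needs a comment, otherwise the assignment should move above the `process_action2( $normalized_target ) ...` line. The same ordering is kept in the `unless ( $inaction3 )` block of PATCH 07/19. Putting `$actiontype = $targets{$basictarget};` on its own line in both branches would also remove the assignment-in-condition that perlcritic flags.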
From: Tom Eastep Date: Sat, 25 Dec 2010 14:48:14 -0800 Subject: [PATCH 06/19] Extantiate params during module processing --- Shorewall/Perl/Shorewall/Config.pm | 32 +++++++++++++++++++++++++++++- Shorewall/Perl/Shorewall/Rules.pm | 8 ++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index fb91c2908..5065aba81 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -96,6 +96,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script close_file push_open pop_open + push_params + pop_params read_a_line validate_level which @@ -274,6 +276,10 @@ our @openstack; # From the params file # our %params; +# +# Action parameters +# +our %actparms; our $currentline; # Current config file line image our $currentfile; # File handle reference @@ -717,6 +723,8 @@ sub initialize( $ ) { command => '', files => '', destination => '' ); + + %actparms = (); } my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec ); @@ -1781,6 +1789,27 @@ sub embedded_perl( $ ) { } } +# +# Push/pop action params +# +sub push_params( $ ) { + my @params = split /,/, $_[0]; + my $oldparams = \%actparms; + + %actparms = (); + + for ( my $i = 1; $i <= @params; $i++ ) { + $actparms{$i} = $params[$i - 1]; + } + + $oldparams; +} + +sub pop_params( $ ) { + my $oldparms = shift; + %actparms = %$oldparms; +} + # # Read a line from the current include stack. # @@ -1866,7 +1895,8 @@ sub read_a_line(;$) { $params{$3} = $ENV{$3} if exists $ENV{$3}; } - my $val = $params{$3}; + + my $val = exists $params{$3} ? $params{$3} : $actparms{$3}; unless ( defined $val ) { fatal_error "Undefined shell variable (\$$3)" unless exists $params{$3} || exists $ENV{$3}; diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 56a9a31f5..fc7015f5a 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
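Review bot: push_params() saves `my $oldparams = \%actparms;` and then does `%actparms = ();`, but that reference points at the same package hash, so the saved state is emptied along with it and pop_params() later copies the current contents back onto themselves; once a nested action returns, the outer action file keeps seeing the inner action's `$1`, `$2`, ... values. Saving a copy fixes it: `my $oldparams = { %actparms };`. The fill loop could be the slice `@actparms{ 1 .. @params } = @params;`, and the `( $ )` prototypes only force scalar context rather than validating the argument, so they are not a substitute for a defined-check on `$_[0]`.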
@@ -278,6 +278,8 @@ sub process_action2( $ ) { fatal_error "Actions nested too deeply" if ++$action_nest_level > MAX_ACTION_NEST_LEVEL; push_open( $actionfile ); + + my $oldparms = push_params( $param ); while ( read_a_line ) { @@ -309,6 +311,8 @@ sub process_action2( $ ) { pop_open; --$action_nest_level; + + pop_params( $oldparms ); } sub process_actions1() { @@ -398,6 +402,8 @@ sub process_action3( $$$$$$ ) { open_file $actionfile; + my $oldparms = push_params( $param ); + while ( read_a_line ) { my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers ); @@ -424,6 +430,8 @@ sub process_action3( $$$$$$ ) { } clear_comment; + + pop_params( $oldparms ); } # From 4fdec73808289a38183bdfcdeee434b7a93d60dc Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 26 Dec 2010 07:58:20 -0800 Subject: [PATCH 07/19] Fix target of --- Shorewall/Perl/Shorewall/Rules.pm | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index fc7015f5a..37bf884d6 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -835,15 +835,13 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ) { # $normalized_target = normalize_action( $basictarget, $loglevel, $param ); - if ( $inaction3 ) { - if ( my $ref = use_action( $normalized_target ) ) { - new_nat_chain $ref->{name} if ( $actiontype = $targets{$basictarget} ) & NATRULE; - } - } else { + unless ( $inaction3 ) { fatal_error "An action may not invoke itself" if $basictarget eq $inaction1; process_action2( $normalized_target ) if use_action( $normalized_target ) && ! ( $actiontype & BUILTIN ); $actiontype = $targets{$basictarget}; } + + $action = $basictarget; # Remove params, if any, from $action. } if ( $inaction1 ) { From 31bd00e42ec0d7401f3c1e0424a62b2ccbd590e5 Mon Sep 17 00:00:00 2001 
From: Tom Eastep Date: Sun, 26 Dec 2010 08:59:31 -0800 Subject: [PATCH 08/19] Document parameterized actions --- Shorewall/changelog.txt | 4 ++++ Shorewall/releasenotes.txt | 13 ++++++++++--- docs/Actions.xml | 35 ++++++++++++++++++++++++++++++----- 3 files changed, 44 insertions(+), 8 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index da22e33e4..3ba24d497 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,3 +1,7 @@ +Changes in Shorewall 4.4.16 RC 1 + +1) Complete parameterized actions. + Changes in Shorewall 4.4.16 Beta 6 1) Don't let root match wildcard. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 3ecedac53..126119184 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,6 +1,6 @@ ---------------------------------------------------------------------------- S H O R E W A L L 4 . 4 . 1 6 - R C 1 + B E T A 7 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -14,6 +14,10 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +Beta 7 + +None. + Beta 6 1) Previously, the root of a wildcard name erroneously matched that 
@@ -120,11 +124,14 @@ Beta 1 and in macros invoked from Actions. Additionally, Macros used in Actions are now free to invoke other actions. -4) There is now limited support for parameterized actions. Currently, - the parameters are only available to extensions scripts. See +4) There is now support for parameterized actions. The parameters are + available to extensions scripts. See http://www.shorewall.net/Actions.html#Extension for more information. + Within the action body, the parameter values are available in $1, + $2, etc. + ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S ---------------------------------------------------------------------------- diff --git a/docs/Actions.xml b/docs/Actions.xml index aae4e4176..77297f4dc 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -224,6 +224,31 @@ ACCEPT - - tcp 135,139,445 When using Shorewall 4.4.16 or later, there are no restrictions regarding which targets can be used within your action. + + Additionally, it is possible to pass parameters to an action, when + it is invoked in the rules file or in another action. + + Here's a trivial example: + + /etc/shorewall/action.A: + + #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL +# PORT(S) PORT(S) DEST +FORMAT 2 +$1 - - tcp 80 - 1.2.3.4 + + /etc/shorewall/rules: + + #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL +# PORT(S) PORT(S) DEST + +A(REDIRECT) net fw + + The above is equivalent to this rule: + + #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL +# PORT(S) PORT(S) DEST +REDIRECT net - tcp 80 - 1.2.3.4
@@ -578,7 +603,7 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP'; Limit:none:SSHA,3,60 net $FW tcp 22 Using Shorewall 4.4.16 or later, you can also invoke the action this - way: + way: #ACTION SOURCE DEST PROTO DEST PORT(S) Limit(SSHA,3,60):none net $FW tcp 22 @@ -625,13 +650,13 @@ Limit(SSH,3,60):info net $FW tcp 22use Shorewall::Chains; -@params = split /,/, $tag unless @params; +@params = split( /,/, $tag ), $tag='' unless @params; fatal_error 'Limit rules must include <list name>,<max connections>,<interval> as the log tag or params' unless @params == 3; -my $list = $tag[0]; +my $list = $params[0]; -for ( @tag[1,2] ) { +for ( @params[1,2] ) { fatal_error 'Max connections and interval in Limit rules must be numeric (' . $_ . ')' unless /^\d+$/ } @@ -641,7 +666,7 @@ add_rule $chainref, "-m recent --name $list --set"; if ( $level ) { my $xchainref = new_chain 'filter' , "$chainref->{name}%"; - log_rule_limit $level, $xchainref, $params[0], 'DROP', '', '', 'add', ''; + log_rule_limit $level, $xchainref, $params[0], 'DROP', $tag, '', 'add', ''; add_rule $xchainref, '-j DROP'; add_rule $chainref, "-m recent --name $list --update --seconds $params[2] --hitcount $count -j $xchainref->{name}"; } else { From d4d285af3913d3cf5fc5cafa20e639758e6f4fad Mon Sep 17 00:00:00 2001 
From: Tom Eastep Date: Sun, 26 Dec 2010 09:01:15 -0800 Subject: [PATCH 09/19] Revert version to Beta 7 --- Shorewall-init/install.sh | 2 +- Shorewall-init/shorewall-init.spec | 6 +++--- Shorewall-init/uninstall.sh | 2 +- Shorewall-lite/install.sh | 2 +- Shorewall-lite/shorewall-lite.spec | 6 +++--- Shorewall-lite/uninstall.sh | 2 +- Shorewall/Perl/Shorewall/Config.pm | 2 +- Shorewall/install.sh | 2 +- Shorewall/known_problems.txt | 2 +- Shorewall/shorewall.spec | 6 +++--- Shorewall/uninstall.sh | 2 +- Shorewall6-lite/install.sh | 2 +- Shorewall6-lite/shorewall6-lite.spec | 6 +++--- Shorewall6-lite/uninstall.sh | 2 +- Shorewall6/install.sh | 2 +- Shorewall6/shorewall6.spec | 6 +++--- Shorewall6/uninstall.sh | 2 +- 17 files changed, 27 insertions(+), 27 deletions(-) diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh index 7607e97be..37180bc31 100755 --- a/Shorewall-init/install.sh +++ b/Shorewall-init/install.sh @@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16-RC1 +VERSION=4.4.16-Beta7 usage() # $1 = exit status { diff --git a/Shorewall-init/shorewall-init.spec b/Shorewall-init/shorewall-init.spec index 4e6a192ec..2fcc223f3 100644 --- a/Shorewall-init/shorewall-init.spec +++ b/Shorewall-init/shorewall-init.spec @@ -1,6 +1,6 @@ %define name shorewall-init %define version 4.4.16 -%define release 0RC1 +%define release 0Beta7 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -119,8 +119,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog -* Wed Dec 22 2010 Tom Eastep tom@shorewall.net -- Updated to 4.4.16-0RC1 +* Sun Dec 26 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.16-0Beta7 * Mon Dec 20 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta6 * Fri Dec 10 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall-init/uninstall.sh b/Shorewall-init/uninstall.sh index 2a4f82ce6..9efe01180 100755 
--- a/Shorewall-init/uninstall.sh +++ b/Shorewall-init/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16-RC1 +VERSION=4.4.16-Beta7 usage() # $1 = exit status { diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index 8357c0827..0e430fa0c 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16-RC1 +VERSION=4.4.16-Beta7 usage() # $1 = exit status { diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index 009df0a85..97c4f4ac1 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec @@ -1,6 +1,6 @@ %define name shorewall-lite %define version 4.4.16 -%define release 0RC1 +%define release 0Beta7 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Name: %{name} @@ -102,8 +102,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog -* Wed Dec 22 2010 Tom Eastep tom@shorewall.net -- Updated to 4.4.16-0RC1 +* Sun Dec 26 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.16-0Beta7 * Mon Dec 20 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta6 * Fri Dec 10 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index e8b204968..bfe796bd2 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16-RC1 +VERSION=4.4.16-Beta7 usage() # $1 = exit status { diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 5065aba81..4903b7d16 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
@@ -359,7 +359,7 @@ sub initialize( $ ) { EXPORT => 0, STATEMATCH => '-m state --state', UNTRACKED => 0, - VERSION => "4.4.16-RC1", + VERSION => "4.4.16-Beta7", CAPVERSION => 40415 , ); diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 8eb2de1b1..72bcae126 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16-RC1 +VERSION=4.4.16-Beta7 usage() # $1 = exit status { diff --git a/Shorewall/known_problems.txt b/Shorewall/known_problems.txt index 77ed44685..41b449cd4 100644 --- a/Shorewall/known_problems.txt +++ b/Shorewall/known_problems.txt @@ -1 +1 @@ -There are no known problems in Shorewall 4.4.16-RC1 +There are no known problems in Shorewall 4.4.16-Beta7 diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 7a9f968f1..a36bcdd59 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall %define version 4.4.16 -%define release 0RC1 +%define release 0Beta7 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -109,8 +109,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %changelog -* Wed Dec 22 2010 Tom Eastep tom@shorewall.net -- Updated to 4.4.16-0RC1 +* Sun Dec 26 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.16-0Beta7 * Mon Dec 20 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta6 * Fri Dec 10 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index 829360b43..f4f1c5fe4 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16-RC1 +VERSION=4.4.16-Beta7 usage() # $1 = exit status { 
diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh index 5e7144706..12f29de39 100755 --- a/Shorewall6-lite/install.sh +++ b/Shorewall6-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16-RC1 +VERSION=4.4.16-Beta7 usage() # $1 = exit status { diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec index f43991f38..ba1d033d6 100644 --- a/Shorewall6-lite/shorewall6-lite.spec +++ b/Shorewall6-lite/shorewall6-lite.spec @@ -1,6 +1,6 @@ %define name shorewall6-lite %define version 4.4.16 -%define release 0RC1 +%define release 0Beta7 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Name: %{name} @@ -93,8 +93,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog -* Wed Dec 22 2010 Tom Eastep tom@shorewall.net -- Updated to 4.4.16-0RC1 +* Sun Dec 26 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.16-0Beta7 * Mon Dec 20 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta6 * Fri Dec 10 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh index 73d5ebcb0..dd0fa3b82 100755 --- a/Shorewall6-lite/uninstall.sh +++ b/Shorewall6-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16-RC1 +VERSION=4.4.16-Beta7 usage() # $1 = exit status { diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh index acc4ab8e5..336444f6b 100755 --- a/Shorewall6/install.sh +++ b/Shorewall6/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16-RC1 +VERSION=4.4.16-Beta7 usage() # $1 = exit status { diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec index 1c9a101b9..6a338e4d9 100644 --- a/Shorewall6/shorewall6.spec +++ b/Shorewall6/shorewall6.spec 
@@ -1,6 +1,6 @@ %define name shorewall6 %define version 4.4.16 -%define release 0RC1 +%define release 0Beta7 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Name: %{name} @@ -98,8 +98,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog -* Wed Dec 22 2010 Tom Eastep tom@shorewall.net -- Updated to 4.4.16-0RC1 +* Sun Dec 26 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.16-0Beta7 * Mon Dec 20 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta6 * Fri Dec 10 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh index 2dfa02843..7f20007a1 100755 --- a/Shorewall6/uninstall.sh +++ b/Shorewall6/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16-RC1 +VERSION=4.4.16-Beta7 usage() # $1 = exit status { From 8f9d5a967bc4a2dfd30d27ec0e4a2376015aaf0f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 26 Dec 2010 11:07:00 -0800 Subject: [PATCH 10/19] Simplify variable substitution --- Shorewall/Perl/Shorewall/Config.pm | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 4903b7d16..a41d4c603 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
@@ -1885,25 +1885,23 @@ sub read_a_line(;$) { # # Expand Shell Variables using %params and %ENV # - # $1 $2 $3 - $4 + # $1 $2 $3 - $4 while ( $currentline =~ m( ^(.*?) \$({)? (\w+) (?(2)}) (.*)$ )x ) { - unless ( exists $params{$3} ) { - # - # Given the way that getparams works, this should never help but better safe than sorry - # - $params{$3} = $ENV{$3} if exists $ENV{$3}; + my ( $first, $var, $rest ) = ( $1, $3, $4); + + my $val; + + if ( $var =~ /^\$\d+$/ ) { + fatal_error "Undefined parameter (\$$var)" unless exists $actparms{$var}; + $val = $actparms{$var}; + } else { + fatal_error "Undefined shell variable (\$$var)" unless exists $params{$var}; + $val = $params{$var}; } - - my $val = exists $params{$3} ? $params{$3} : $actparms{$3}; - - unless ( defined $val ) { - fatal_error "Undefined shell variable (\$$3)" unless exists $params{$3} || exists $ENV{$3}; - $val = ''; - } - - $currentline = join( '', $1 , $val , $4 ); + $val = '' unless defined $val; + $currentline = join( '', $first , $val , $rest ); fatal_error "Variable Expansion Loop" if ++$count > 100; } From 088480e5d91175b20e61c044a219d5e67ad6ea03 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 26 Dec 2010 11:34:58 -0800 Subject: [PATCH 11/19] Fix a couple of bugs --- Shorewall/Perl/Shorewall/Config.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index a41d4c603..3a0cb709b 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -1892,7 +1892,7 @@ sub read_a_line(;$) { my $val; - if ( $var =~ /^\$\d+$/ ) { + if ( $var =~ /^\d+$/ ) { fatal_error "Undefined parameter (\$$var)" unless exists $actparms{$var}; $val = $actparms{$var}; } else { @@ -2739,7 +2739,7 @@ sub ensure_config_path() { open_file $f; - $ENV{CONFDIR} = $globals{CONFDIR}; + $params{CONFDIR} = $globals{CONFDIR}; while ( read_a_line ) { if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) { 
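Review bot: The rewritten `while` loop re-scans `$currentline` after every substitution, so a value taken from `%params` or `%actparms` that itself contains `$name` is expanded again on the next pass, and only the `++$count > 100` guard stops a self-referencing value; nothing in the hunk says this is intended, so a comment above the loop, `# Expansion is iterative: substituted text is re-scanned, so a value may itself reference variables; $count bounds runaway expansion.`, would make the contract explicit. Dropping the `%ENV` fallback also turns any variable that was previously satisfied only from the environment into a fatal "Undefined shell variable"; the "Fix a couple of bugs" hunk below moves CONFDIR into `%params` for that reason, and any other value published only through `%ENV` would presumably need the same treatment. The body of `read_a_line` starts and ends outside the hunk.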
From d1d9518c421772874ae1c1f1d398be4fd46fef77 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 26 Dec 2010 11:44:15 -0800 Subject: [PATCH 12/19] Move process_action2() --- Shorewall/Perl/Shorewall/Rules.pm | 98 +++++++++++++++---------------- 1 file changed, 49 insertions(+), 49 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 37bf884d6..e519badc3 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -266,55 +266,6 @@ sub map_old_actions( $ ) { sub process_rule_common ( $$$$$$$$$$$$$$$$ ); -sub process_action2( $ ) { - my $wholeaction = shift; - my ( $action , $level, $tag, $param ) = split /:/, $wholeaction; - my $actionfile = find_file "action.$action"; - - fatal_error "Missing Action File ($actionfile)" unless -f $actionfile; - - progress_message2 " Pre-processing $actionfile..."; - - fatal_error "Actions nested too deeply" if ++$action_nest_level > MAX_ACTION_NEST_LEVEL; - - push_open( $actionfile ); - - my $oldparms = push_params( $param ); - - while ( read_a_line ) { - - my ($wholetarget, @rest ) = split_line1 1, 13, 'action file' , $rule_commands; - # - # When passed an action name in the first argument, process_rule_common() only - # deals with the target and the parameter. We pass undef for the rest so we'll - # know if we try to use one of them. - # - process_rule_common( $wholeaction , - $wholetarget , - '' , # Current Param - undef, # source - undef, # dest - undef, # proto - undef, # ports - undef, # sports - undef, # origdest - undef, # ratelimit - undef, # user - undef, # mark - undef, # connlimit - undef, # time - undef, # headers - undef # wildcard - ) unless $wholetarget eq 'FORMAT' || $wholetarget eq 'COMMENT'; - } - - pop_open; - - --$action_nest_level; - - pop_params( $oldparms ); -} - sub process_actions1() { progress_message2 "Preprocessing Action Files..."; 
@@ -379,6 +330,55 @@ sub merge_action_levels( $$ ) { join ':', $action, $sublevel, $subtag, $subparam; } +sub process_action2( $ ) { + my $wholeaction = shift; + my ( $action , $level, $tag, $param ) = split /:/, $wholeaction; + my $actionfile = find_file "action.$action"; + + fatal_error "Missing Action File ($actionfile)" unless -f $actionfile; + + progress_message2 " Pre-processing $actionfile..."; + + fatal_error "Actions nested too deeply" if ++$action_nest_level > MAX_ACTION_NEST_LEVEL; + + push_open( $actionfile ); + + my $oldparms = push_params( $param ); + + while ( read_a_line ) { + + my ($wholetarget, @rest ) = split_line1 1, 13, 'action file' , $rule_commands; + # + # When passed an action name in the first argument, process_rule_common() only + # deals with the target and the parameter. We pass undef for the rest so we'll + # know if we try to use one of them. + # + process_rule_common( $wholeaction , + $wholetarget , + '' , # Current Param + undef, # source + undef, # dest + undef, # proto + undef, # ports + undef, # sports + undef, # origdest + undef, # ratelimit + undef, # user + undef, # mark + undef, # connlimit + undef, # time + undef, # headers + undef # wildcard + ) unless $wholetarget eq 'FORMAT' || $wholetarget eq 'COMMENT'; + } + + pop_open; + + --$action_nest_level; + + pop_params( $oldparms ); +} + sub process_actions2 () { progress_message2 "Pre-processing default actions..."; From d8bcbffb881f211a8b10b8770057f4badaa0a129 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 26 Dec 2010 12:08:10 -0800 Subject: [PATCH 13/19] Dead code removal --- Shorewall/Perl/Shorewall/Rules.pm | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index e519badc3..564cb8d19 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
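Review bot: `process_action2` arrives at its new position without a header comment, although the file documents neighbouring subs with a `#` block (see the `# Record a 'requires' relationship ...` header visible in the "Dead code removal" hunk below). A header along the lines of `# Pre-process the body of an action: push its parameter list, feed each rule to process_rule_common() with only the target supplied, then restore the previous parameters. Nesting depth is bounded by MAX_ACTION_NEST_LEVEL.` would cover what the visible body does. As a point of style, `$level` and `$tag` are split out of `$wholeaction` but never used in the body; `my ( $action, undef, undef, $param ) = split /:/, $wholeaction;` states that directly.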
@@ -203,15 +203,7 @@ sub new_action( $ ) { my $action = $_[0]; - $actions{$action} = { actchain => '', requires => {} }; -} - -# -# Record a 'requires' relationship between a pair of actions. -# -sub add_requiredby ( $$ ) { - my ($requiredby , $requires ) = @_; - $actions{$requires}{requires}{$requiredby} = 1; + $actions{$action} = { actchain => '' }; } # @@ -597,7 +589,6 @@ sub process_actions3 () { 'Limit' => \&Limit, ); while ( my ( $wholeaction, $chainref ) = each %usedactions ) { - assert( $chainref->{name} ); my ( $action, $level, $tag, $param ) = split /:/, $wholeaction; if ( $targets{$action} & BUILTIN ) { From 4111432a52a1fc017817058b7ec79ccddaaa8288 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 26 Dec 2010 16:13:53 -0800 Subject: [PATCH 14/19] Implement optional action parameters --- Shorewall/Perl/Shorewall/Config.pm | 3 ++- Shorewall/Perl/Shorewall/Rules.pm | 12 ++++++++++-- Shorewall/releasenotes.txt | 13 +++++++++---- docs/Actions.xml | 9 ++++++++- 4 files changed, 29 insertions(+), 8 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 3a0cb709b..85bdc0bab 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -1799,7 +1799,8 @@ sub push_params( $ ) { %actparms = (); for ( my $i = 1; $i <= @params; $i++ ) { - $actparms{$i} = $params[$i - 1]; + my $val = $params[$i - 1]; + $actparms{$i} = $val eq '-' ? '' : $val; } $oldparams; diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 564cb8d19..8e977ffb0 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -260,7 +260,7 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ); sub process_actions1() { - progress_message2 "Preprocessing Action Files..."; + progress_message2 "Locating Action Files..."; # # Add built-in actions to the target table and create those actions # 
@@ -717,6 +717,14 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) { # # Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion. +# Rules in both the rules file and in action bodies are processed here. +# +# This function may be called in three different ways: +# +# 1) $chainref undefined -- Being called to process a record in the rules file. All arguments are passed. +# 2) $chainref is a chain name -- Pre-proessing the records in an action file. Only $target is passed. +# 3) $chainref is a chain reference -- Processing the records in an action file. The chain is where the generated +# rules are added. # sub process_rule_common ( $$$$$$$$$$$$$$$$ ) { my ( $chainref, #reference to Action Chain if we are being called from process_action3() @@ -765,7 +773,7 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ) { ( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || $param; } - fatal_error "Unknown action ($action)" unless $actiontype; + fatal_error "Unknown ACTION ($action)" unless $actiontype; if ( $actiontype == MACRO ) { # diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 126119184..cc024fb21 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
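Review bot: The new header comment on `process_rule_common` has a typo in case 2, `Pre-proessing` should read `Pre-processing`. The same case says "Only $target is passed", but the call in `process_action2` also supplies `''` for the current parameter, so `Only $target and an empty current parameter are passed` would be more accurate, assuming the third parameter is that one (its declaration lies outside the hunk). The remainder of the function, including the "Unknown ACTION" check in the second hunk, sits outside the visible lines.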
@@ -125,13 +125,18 @@ Beta 1 Actions are now free to invoke other actions. 4) There is now support for parameterized actions. The parameters are - available to extensions scripts. See + a comma-separated list enclosed in parentheses following the + action name (e.g., ACT(REDIRECT,192.168.1.4)). Within the action + body, the parameter values are available in $1, $2, etc. + + You can 'omit' a parameter in the list by using '-' (e,g, + REDIRECT,-.info) would omit the second parameter (within the action + body, $2 would expand to nothing). + + Parameter values are also available to extensions scripts. See http://www.shorewall.net/Actions.html#Extension for more information. - Within the action body, the parameter values are available in $1, - $2, etc. - ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S ---------------------------------------------------------------------------- diff --git a/docs/Actions.xml b/docs/Actions.xml index 77297f4dc..f8eb5ee76 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -249,6 +249,12 @@ A(REDIRECT) net fw #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL # PORT(S) PORT(S) DEST REDIRECT net - tcp 80 - 1.2.3.4 + + You can 'omit' parameters by using '-'. + + Example: ACTION(REDIRECT,-,info) + + In the above example, $2 would expand to nothing.
@@ -542,7 +548,8 @@ bar:debug @params is the list of - parameter values (Shorewall 4.4.16 and later). + parameter values (Shorewall 4.4.16 and later). 'Omitted' parameters + contain '-'. From 79cbfd012674b786b6a28b51e2828d6011d6c6c0 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 26 Dec 2010 17:03:05 -0800 Subject: [PATCH 15/19] Allow '--' to specify '-' as an action parameter --- Shorewall/Perl/Shorewall/Config.pm | 3 ++- Shorewall/releasenotes.txt | 3 ++- docs/Actions.xml | 5 ++++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 85bdc0bab..31b5e2766 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -1800,7 +1800,8 @@ sub push_params( $ ) { for ( my $i = 1; $i <= @params; $i++ ) { my $val = $params[$i - 1]; - $actparms{$i} = $val eq '-' ? '' : $val; + + $actparms{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val; } $oldparams; diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index cc024fb21..b2099bbcf 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -131,7 +131,8 @@ Beta 1 You can 'omit' a parameter in the list by using '-' (e,g, REDIRECT,-.info) would omit the second parameter (within the action - body, $2 would expand to nothing). + body, $2 would expand to nothing). If you want to specify '-' as an + parameter value, use '--'. Parameter values are also available to extensions scripts. See http://www.shorewall.net/Actions.html#Extension for more diff --git a/docs/Actions.xml b/docs/Actions.xml index f8eb5ee76..c0e303ce4 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -252,9 +252,12 @@ REDIRECT net - tcp 80 - 1.2.3.4 You can 'omit' parameters by using '-'. - Example: ACTION(REDIRECT,-,info) + Example: ACTION(REDIRECT,-,info) In the above example, $2 would expand to nothing. + + If you want to make '-' a parameter value, use '--' (e.g., + ACTION(REDIRECT,--.info)).
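Review bot: The new assignment in `push_params` nests a ternary inline, `$val eq '-' ? '' : $val eq '--' ? '-' : $val`, which is easy to misread; laying it out as a table, `$actparms{$i} = $val eq '-'  ? ''` / `              : $val eq '--' ? '-'` / `              :                $val;`, keeps the behaviour and makes the three cases visible. If an element of `@params` can be undef (how the list is built is outside the hunk), the `eq` comparisons warn; `$val = '' unless defined $val;` before the assignment, the idiom the "Simplify variable substitution" change already uses, would cover that. The loop and the enclosing sub start and end outside the hunk.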
From 311797e0bf1d9773653931215b2cd6405b67db4f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 27 Dec 2010 07:47:16 -0800 Subject: [PATCH 16/19] Create nat chain during pre-processing of nat action --- Shorewall/Perl/Shorewall/Rules.pm | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 8e977ffb0..27ea41e93 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -836,8 +836,10 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ) { unless ( $inaction3 ) { fatal_error "An action may not invoke itself" if $basictarget eq $inaction1; - process_action2( $normalized_target ) if use_action( $normalized_target ) && ! ( $actiontype & BUILTIN ); - $actiontype = $targets{$basictarget}; + if ( my $ref = use_action( $normalized_target ) ) { + process_action2( $normalized_target ) unless $actiontype & BUILTIN; + ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE; + } } $action = $basictarget; # Remove params, if any, from $action. From d5ac12a8ff1ae4b755b9019de1ec1307cf6cc19b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 27 Dec 2010 07:49:52 -0800 Subject: [PATCH 17/19] Bump version to RC 1 --- Shorewall-init/install.sh | 2 +- Shorewall-init/shorewall-init.spec | 4 +++- Shorewall-init/uninstall.sh | 2 +- Shorewall-lite/install.sh | 2 +- Shorewall-lite/shorewall-lite.spec | 4 +++- Shorewall-lite/uninstall.sh | 2 +- Shorewall/Perl/Shorewall/Config.pm | 2 +- Shorewall/install.sh | 2 +- Shorewall/known_problems.txt | 2 +- Shorewall/releasenotes.txt | 2 +- Shorewall/shorewall.spec | 4 +++- Shorewall/uninstall.sh | 2 +- Shorewall6-lite/install.sh | 2 +- Shorewall6-lite/shorewall6-lite.spec | 4 +++- Shorewall6-lite/uninstall.sh | 2 +- Shorewall6/install.sh | 2 +- Shorewall6/shorewall6.spec | 4 +++- Shorewall6/uninstall.sh | 2 +- 18 files changed, 28 insertions(+), 18 deletions(-) 
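Review bot: The refresh of `$actiontype` is now an assignment inside the condition of a statement modifier, `ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;`, which reads as a comparison at first glance and hides a side effect that the rest of the function depends on; splitting it, `$actiontype = $targets{$basictarget};` then `ensure_chain( 'nat', $ref->{name} ) if $actiontype & NATRULE;`, costs one line and removes the ambiguity. The "Add some comments -- fix logging with NAT actions" hunk below keeps the same form and would benefit from the same split. Note also that the refresh now happens only when `use_action` returns a reference; later references to the same tuple keep whatever `$actiontype` held before, which is presumably already the updated `$targets` value but is worth a comment. `process_rule_common` continues outside the hunk.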
diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh index 37180bc31..7607e97be 100755 --- a/Shorewall-init/install.sh +++ b/Shorewall-init/install.sh @@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16-Beta7 +VERSION=4.4.16-RC1 usage() # $1 = exit status { diff --git a/Shorewall-init/shorewall-init.spec b/Shorewall-init/shorewall-init.spec index 2fcc223f3..335fb1687 100644 --- a/Shorewall-init/shorewall-init.spec +++ b/Shorewall-init/shorewall-init.spec @@ -1,6 +1,6 @@ %define name shorewall-init %define version 4.4.16 -%define release 0Beta7 +%define release 0RC1 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -120,6 +120,8 @@ fi %changelog * Sun Dec 26 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.16-0RC1 +* Sun Dec 26 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta7 * Mon Dec 20 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta6 diff --git a/Shorewall-init/uninstall.sh b/Shorewall-init/uninstall.sh index 9efe01180..2a4f82ce6 100755 --- a/Shorewall-init/uninstall.sh +++ b/Shorewall-init/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16-Beta7 +VERSION=4.4.16-RC1 usage() # $1 = exit status { diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index 0e430fa0c..8357c0827 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16-Beta7 +VERSION=4.4.16-RC1 usage() # $1 = exit status { diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index 97c4f4ac1..28b113679 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec 
@@ -1,6 +1,6 @@ %define name shorewall-lite %define version 4.4.16 -%define release 0Beta7 +%define release 0RC1 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Name: %{name} @@ -103,6 +103,8 @@ fi %changelog * Sun Dec 26 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.16-0RC1 +* Sun Dec 26 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta7 * Mon Dec 20 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta6 diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index bfe796bd2..e8b204968 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16-Beta7 +VERSION=4.4.16-RC1 usage() # $1 = exit status { diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 31b5e2766..19be2d1f2 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -359,7 +359,7 @@ sub initialize( $ ) { EXPORT => 0, STATEMATCH => '-m state --state', UNTRACKED => 0, - VERSION => "4.4.16-Beta7", + VERSION => "4.4.16-RC1", CAPVERSION => 40415 , ); diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 72bcae126..8eb2de1b1 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16-Beta7 +VERSION=4.4.16-RC1 usage() # $1 = exit status { diff --git a/Shorewall/known_problems.txt b/Shorewall/known_problems.txt index 41b449cd4..77ed44685 100644 --- a/Shorewall/known_problems.txt +++ b/Shorewall/known_problems.txt @@ -1 +1 @@ -There are no known problems in Shorewall 4.4.16-Beta7 +There are no known problems in Shorewall 4.4.16-RC1 diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index b2099bbcf..d1c260755 100644 --- a/Shorewall/releasenotes.txt 
+++ b/Shorewall/releasenotes.txt @@ -1,6 +1,6 @@ ---------------------------------------------------------------------------- S H O R E W A L L 4 . 4 . 1 6 - B E T A 7 + R C I ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index a36bcdd59..63438da0b 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall %define version 4.4.16 -%define release 0Beta7 +%define release 0RC1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -110,6 +110,8 @@ fi %changelog * Sun Dec 26 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.16-0RC1 +* Sun Dec 26 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta7 * Mon Dec 20 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta6 diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index f4f1c5fe4..829360b43 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16-Beta7 +VERSION=4.4.16-RC1 usage() # $1 = exit status { diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh index 12f29de39..5e7144706 100755 --- a/Shorewall6-lite/install.sh +++ b/Shorewall6-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16-Beta7 +VERSION=4.4.16-RC1 usage() # $1 = exit status { diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec index ba1d033d6..8422d5dd3 100644 --- a/Shorewall6-lite/shorewall6-lite.spec +++ b/Shorewall6-lite/shorewall6-lite.spec 
@@ -1,6 +1,6 @@ %define name shorewall6-lite %define version 4.4.16 -%define release 0Beta7 +%define release 0RC1 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Name: %{name} @@ -94,6 +94,8 @@ fi %changelog * Sun Dec 26 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.16-0RC1 +* Sun Dec 26 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta7 * Mon Dec 20 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta6 diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh index dd0fa3b82..73d5ebcb0 100755 --- a/Shorewall6-lite/uninstall.sh +++ b/Shorewall6-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16-Beta7 +VERSION=4.4.16-RC1 usage() # $1 = exit status { diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh index 336444f6b..acc4ab8e5 100755 --- a/Shorewall6/install.sh +++ b/Shorewall6/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.16-Beta7 +VERSION=4.4.16-RC1 usage() # $1 = exit status { diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec index 6a338e4d9..f95d967ca 100644 --- a/Shorewall6/shorewall6.spec +++ b/Shorewall6/shorewall6.spec @@ -1,6 +1,6 @@ %define name shorewall6 %define version 4.4.16 -%define release 0Beta7 +%define release 0RC1 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Name: %{name} @@ -99,6 +99,8 @@ fi %changelog * Sun Dec 26 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.16-0RC1 +* Sun Dec 26 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta7 * Mon Dec 20 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.16-0Beta6 diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh index 7f20007a1..2dfa02843 100755 --- a/Shorewall6/uninstall.sh +++ b/Shorewall6/uninstall.sh 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.16-Beta7 +VERSION=4.4.16-RC1 usage() # $1 = exit status { From 215c05d12b1af9121acbbdb7ffdc85d33c65bad0 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 27 Dec 2010 09:05:44 -0800 Subject: [PATCH 18/19] Add some comments -- fix logging with NAT actions --- Shorewall/Perl/Shorewall/Rules.pm | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 27ea41e93..bef5995a5 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -837,8 +837,22 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ) { unless ( $inaction3 ) { fatal_error "An action may not invoke itself" if $basictarget eq $inaction1; if ( my $ref = use_action( $normalized_target ) ) { - process_action2( $normalized_target ) unless $actiontype & BUILTIN; - ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE; + # + # First reference to this tupple + # + unless ( $actiontype & BUILTIN ) { + # + # Not a built-in - do preprocessing + # + process_action2( $normalized_target ); + # + # Preprocessing may determine that the chain or one of it's dependents does NAT. If so: + # + # - Refresh $actiontype + # - Create the associate nat table chain if appropriate. + # + ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE; + } } } @@ -1105,7 +1119,7 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ) { } } } elsif ( $actiontype & ACTION ) { - $target = $action; + $target = $usedactions{$normalized_target}->{name}; } else { if ( $server eq '' ) { fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport; From 6a1487d628d601645e58d27f8e0a64d8ec180e42 Mon Sep 17 00:00:00 2001 
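Review bot: The added comments carry a few typos that will be copied forward: `tupple` should be `tuple`, `it's dependents` should be `its dependents`, and `the associate nat table chain` should be `the associated nat table chain`. The comment "First reference to this tupple" also describes what `use_action` returning a reference means, which is the kind of why-comment worth keeping; consider phrasing it as `# use_action() returns a reference only on the first reference to this tuple`. The enclosing function starts and ends outside the hunk.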
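Review bot: `$target = $usedactions{$normalized_target}->{name};` assumes the entry exists; if `$normalized_target` has not been registered by the time this branch runs (the registration path above is skipped when `$inaction3` is set, and whether it always happened earlier is not visible here), the rvalue dereference autovivifies an empty entry and `$target` becomes undef without any diagnostic. An explicit guard such as `my $usedref = $usedactions{$normalized_target} or fatal_error "Unregistered action ($normalized_target)";` before the assignment would surface that case at compile time rather than in the generated rules. The function continues outside the hunk.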
From: Tom Eastep Date: Mon, 27 Dec 2010 12:31:34 -0800 Subject: [PATCH 19/19] Correct existing optimization issue --- Shorewall/Perl/Shorewall/Chains.pm | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 28d2ece30..978a3d591 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -2040,8 +2040,7 @@ sub logchain( $$$$$$ ) { $logtag, 'add', '' ); - - add_rule( $logchainref, $exceptionrule . $target ); + add_jump( $logchainref, $target, 0, $exceptionrule ); } $logchainref; @@ -3849,9 +3848,11 @@ sub expand_rule( $$$$$$$$$$;$ ) # # Find/Create a chain that both logs and applies the target action # and jump to the log chain if all of the rule's conditions are met - # + # + assert( $target ); + add_jump( $chainref, - logchain( $chainref, $loglevel, $logtag, $exceptionrule , $disposition, $jump ), + logchain( $chainref, $loglevel, $logtag, $exceptionrule , $disposition, $target ), $builtin_target{$disposition}, $matches, 1 );