Prepare for more parameterized actions

- Export add_commands, incr_cmd_level and decr_cmd_level by default
- Move ensure_audit_chain and require_audit from Rules.pm to Chains.pm
- Add get_action_logging() function
- Export require_capability and have_capability by default

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-07-03 06:22:51 -07:00
parent ad71faacaa
commit 7e3f97c154
3 changed files with 99 additions and 122 deletions

View File

@ -35,23 +35,29 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( our @EXPORT = qw(
add_rule add_rule
add_jump add_jump
insert_rule insert_rule
new_chain add_commands
new_manual_chain incr_cmd_level
ensure_manual_chain decr_cmd_level
log_rule_limit new_chain
dont_optimize new_manual_chain
dont_delete ensure_manual_chain
dont_move ensure_audit_chain
require_audit
log_rule_limit
dont_optimize
dont_delete
dont_move
get_action_logging
%chain_table %chain_table
$raw_table $raw_table
$nat_table $nat_table
$mangle_table $mangle_table
$filter_table $filter_table
); );
our %EXPORT_TAGS = ( our %EXPORT_TAGS = (
internal => [ qw( STANDARD internal => [ qw( STANDARD
@ -78,7 +84,6 @@ our %EXPORT_TAGS = (
NOT_RESTORE NOT_RESTORE
initialize_chain_table initialize_chain_table
add_commands
copy_rules copy_rules
move_rules move_rules
insert_rule1 insert_rule1
@ -90,8 +95,6 @@ our %EXPORT_TAGS = (
clear_comment clear_comment
push_comment push_comment
pop_comment pop_comment
incr_cmd_level
decr_cmd_level
forward_chain forward_chain
rules_chain rules_chain
zone_forward_chain zone_forward_chain
@ -1559,6 +1562,77 @@ sub ensure_manual_chain($) {
$chainref; $chainref;
} }
#
# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
#
sub ensure_audit_chain( $;$$ ) {
my ( $target, $action, $tgt ) = @_;
push_comment( '' );
my $ref = $filter_table->{$target};
unless ( $ref ) {
$ref = new_chain 'filter', $target;
unless ( $action ) {
$action = $target;
$action =~ s/^A_//;
}
$tgt ||= $action;
if ( $config{FAKE_AUDIT} ) {
add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
} else {
add_rule $ref, '-j AUDIT --type ' . lc $action;
}
if ( $tgt eq 'REJECT' ) {
add_jump $ref , 'reject', 1;
} else {
add_jump $ref , $tgt, 0;
}
}
pop_comment;
return $target;
}
#
# Return the appropriate target based on whether the second argument is 'audit'
#
sub require_audit($$;$) {
my ($action, $audit, $tgt ) = @_;
return $action unless supplied $audit;
my $target = 'A_' . $action;
fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
require_capability 'AUDIT_TARGET', 'audit', 's';
return ensure_audit_chain $target, $action, $tgt;
}
#
# Returns the Level and Tag for the current action chain
#
sub get_action_logging() {
my $chainref = get_action_chain;
my $wholeaction = $chainref->{action};
my ( undef, $level, $tag, undef ) = split ':', $wholeaction;
$level = '' if $level =~ /^none/;
( $level, $tag );
}
# #
# Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration. # Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
# The function also initializes the target table with the pre-defined targets available for the specfied address family. # The function also initializes the target table with the pre-defined targets available for the specfied address family.

View File

@ -47,14 +47,20 @@ our @EXPORT = qw(
warning_message warning_message
fatal_error fatal_error
assert assert
progress_message progress_message
progress_message_nocompress progress_message_nocompress
progress_message2 progress_message2
progress_message3 progress_message3
supplied supplied
get_action_params get_action_params
get_action_chain get_action_chain
set_action_param set_action_param
have_capability
require_capability
); );
our @EXPORT_OK = qw( $shorewall_dir initialize set_config_path shorewall); our @EXPORT_OK = qw( $shorewall_dir initialize set_config_path shorewall);
@ -113,8 +119,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
add_param add_param
export_params export_params
get_configuration get_configuration
require_capability
have_capability
report_capabilities report_capabilities
propagateconfig propagateconfig
append_file append_file

View File

@ -663,8 +663,6 @@ sub complete_standard_chain ( $$$$ ) {
policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0; policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
} }
sub require_audit($$;$);
# #
# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
# #
@ -1148,105 +1146,6 @@ sub map_old_actions( $ ) {
} }
} }
#
# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
sub ensure_audit_chain( $;$$ ) {
my ( $target, $action, $tgt ) = @_;
push_comment( '' );
my $ref = $filter_table->{$target};
unless ( $ref ) {
$ref = new_chain 'filter', $target;
unless ( $action ) {
$action = $target;
$action =~ s/^A_//;
}
$tgt ||= $action;
if ( $config{FAKE_AUDIT} ) {
add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
} else {
add_rule $ref, '-j AUDIT --type ' . lc $action;
}
if ( $tgt eq 'REJECT' ) {
add_jump $ref , 'reject', 1;
} else {
add_jump $ref , $tgt, 0;
}
}
pop_comment;
return $target;
}
#
# Return the appropriate target based on whether the second argument is 'audit'
#
sub require_audit($$;$) {
my ($action, $audit, $tgt ) = @_;
return $action unless supplied $audit;
my $target = 'A_' . $action;
fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
require_capability 'AUDIT_TARGET', 'audit', 's';
return ensure_audit_chain $target, $action, $tgt;
}
#
# The following small functions generate rules for the builtin actions of the same name
#
sub dropBcast( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_;
my $target = require_audit ( 'DROP', $audit );
if ( have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
} else {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
}
}
add_jump $chainref, $target, 0, "-m addrtype --dst-type BROADCAST ";
} else {
if ( $family == F_IPV4 ) {
add_commands $chainref, 'for address in $ALL_BCASTS; do';
} else {
add_commands $chainref, 'for address in $ALL_ACASTS; do';
}
incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
add_jump $chainref, $target, 0, "-d \$address ";
decr_cmd_level $chainref;
add_commands $chainref, 'done';
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
}
if ( $family == F_IPV4 ) {
add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
} else {
add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
}
}
sub allowBcast( $$$$ ) { sub allowBcast( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_; my ($chainref, $level, $tag, $audit) = @_;