Detect some state conflicts
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
cc1054be66
commit
8249831e6d
@ -53,6 +53,7 @@ our @EXPORT = qw(
|
||||
verify_audit
|
||||
perl_action_helper
|
||||
perl_action_tcp_helper
|
||||
check_state
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize process_rule );
|
||||
@ -2428,6 +2429,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
#
|
||||
# First reference to this tuple
|
||||
#
|
||||
$actionresult = 0;
|
||||
|
||||
process_action( $ref, $chain );
|
||||
#
|
||||
# Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
|
||||
@ -2456,6 +2459,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
#
|
||||
@columns = ( $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard );
|
||||
|
||||
$actionresult = 0;
|
||||
|
||||
my $generated = process_inline( $basictarget,
|
||||
$chainref,
|
||||
$rule,
|
||||
@ -2657,6 +2662,41 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Check the passed connection state for conflict with the current section
|
||||
#
|
||||
# Returns true of the state is compatible with the section
|
||||
#
|
||||
sub check_state( $ ) {
|
||||
my $state = $_[0];
|
||||
|
||||
if ( $section == BLACKLIST_SECTION ) {
|
||||
my $blacklist_states = $globals{BLACKLIST_STATES};
|
||||
return 1 if $blacklist_states eq 'ALL';
|
||||
return 2 if $blacklist_states eq $state;
|
||||
for ( split ',', $blacklist_states ) {
|
||||
return 1 if $_ eq $state;
|
||||
}
|
||||
} else {
|
||||
if ( ( $state eq 'ESTABLISHED' ) ||
|
||||
( $state =~ /^(?:INVALID|UNTRACKED|RELATED)$/ && $globals{"${state}_DISPOSITION"} ) ) {
|
||||
my $sections = $actparms{0}->{sections};
|
||||
|
||||
if ( $sections ) {
|
||||
my $sectionnumber = ( $section_map{$state} || 0 );
|
||||
return 0 if $sectionnumber & $sections;
|
||||
}
|
||||
}
|
||||
|
||||
if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
|
||||
return ( $state =~ /^(?:INVALID|UNTRACKED|NEW)$/ );
|
||||
} else {
|
||||
return 2 if $state eq $section_rmap{$section};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Helper for the perl_action_xxx functions
|
||||
#
|
||||
|
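Review bot: check_state has two paths that fall off the end of the sub without an explicit return — a BLACKLIST_SECTION state that is neither 'ALL' nor one of the comma-separated entries (control leaves the `for` loop and the enclosing `if`), and a non-NEW/non-DEFAULTACTION section whose state is not $section_rmap{$section} — so the "conflict" result is whatever the last evaluated statement yields, and for the for-loop path perl documents that value as unspecified. Adding `return 0;` as the final statement of the sub makes the conflict result explicit and matches the `return 0` already used on the $sections path. The header comment also reads "Returns true of the state is compatible", while the sub can return 2, which the action callers in this commit treat as "omit the state match" (`$check == 1 ? "$globals{STATEMATCH} ..." : ''`); a comment such as `# Returns 0 if the state conflicts with the current section, 1 if it is compatible, 2 if it is compatible and the state match is implied by the section` would state the contract those callers depend on. The exact meaning of 2 in the BLACKLIST_SECTION branch (blacklist states equal to the single state) is inferred from the callers and should be confirmed.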
@ -40,10 +40,9 @@ use Shorewall::Rules qw( process_rule1 );
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
perl_action_helper(
|
||||
$action, # Target
|
||||
"$globals{STATEMATCH} ESTABLISHED", # Matches
|
||||
);
|
||||
if ( my $state = check_state( 'ESTABLISHED' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} ESTABLISHED" : '' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
|
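Review bot: The new `if ( my $state = check_state( 'ESTABLISHED' ) )` declares `$state`, but the body compares `$check == 1`, which is never assigned here; under `use strict` that is a compile-time error unless `$check` is declared elsewhere in this file, and if it is, the comparison is against the wrong variable and the ESTABLISHED match would be emitted or dropped independently of check_state's result. The condition should read `if ( my $check = check_state( 'ESTABLISHED' ) ) {` to match the Invalid and Untracked actions in this commit. The Related action has the same mismatch (`my $state = check_state( 'RELATED' )` with `$check == 1` in the body) and needs the same one-line change. The rest of the action file is outside the hunk.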
@ -43,12 +43,11 @@ my ( $action, $audit ) = get_action_params( 2 );
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
}
|
||||
|
||||
perl_action_helper(
|
||||
$action, # Target
|
||||
"$globals{STATEMATCH} INVALID", # Matches
|
||||
);
|
||||
if ( my $check = check_state( 'INVALID' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} INVALID" : '' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
|
@ -42,7 +42,7 @@ use Shorewall::Rules;
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
||||
fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
|
@ -40,7 +40,7 @@ use Shorewall::Rules;
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
||||
fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
|
@ -41,10 +41,9 @@ use Shorewall::Rules qw( process_rule1 );
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
perl_action_helper(
|
||||
$action, # Target
|
||||
"$globals{STATEMATCH} RELATED", # Matches
|
||||
);
|
||||
if ( my $state = check_state( 'RELATED' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} RELATED" : '' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
|
@ -24,7 +24,7 @@ my ( $action, $audit ) = get_action_params( 2 );
|
||||
my $chainref = get_action_chain;
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
||||
fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
|
@ -44,11 +44,9 @@ my ( $level, $tag ) = get_action_logging;
|
||||
|
||||
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
|
||||
|
||||
perl_action_helper(
|
||||
$action, # Target
|
||||
"$globals{STATEMATCH} UNTRACKED ", # Matches
|
||||
);
|
||||
|
||||
if ( my $check = check_state( 'UNTRACKED' ) {
|
||||
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} UNTRACKED" : '' );
|
||||
}
|
||||
|
||||
allow_optimize( get_action_chain );
|
||||
|
||||
|
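Review bot: The added condition `if ( my $check = check_state( 'UNTRACKED' ) {` is missing the closing parenthesis of the `if`, so the file will not compile; it should be `if ( my $check = check_state( 'UNTRACKED' ) ) {`, as written in the Invalid action in this commit. The enclosing action file continues outside the hunk, so other uses of `$check` there cannot be checked from here.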