diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index b12610d56..87e1379a7 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -53,6 +53,7 @@ our @EXPORT = qw( verify_audit perl_action_helper perl_action_tcp_helper + check_state ); our @EXPORT_OK = qw( initialize process_rule ); @@ -2428,6 +2429,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) { # # First reference to this tuple # + $actionresult = 0; + process_action( $ref, $chain ); # # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so: @@ -2456,6 +2459,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) { # @columns = ( $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ); + $actionresult = 0; + my $generated = process_inline( $basictarget, $chainref, $rule, @@ -2657,6 +2662,41 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) { return 1; } + +# +# Check the passed connection state for conflict with the current section +# +# Returns true of the state is compatible with the section +# +sub check_state( $ ) { + my $state = $_[0]; + + if ( $section == BLACKLIST_SECTION ) { + my $blacklist_states = $globals{BLACKLIST_STATES}; + return 1 if $blacklist_states eq 'ALL'; + return 2 if $blacklist_states eq $state; + for ( split ',', $blacklist_states ) { + return 1 if $_ eq $state; + } + } else { + if ( ( $state eq 'ESTABLISHED' ) || + ( $state =~ /^(?:INVALID|UNTRACKED|RELATED)$/ && $globals{"${state}_DISPOSITION"} ) ) { + my $sections = $actparms{0}->{sections}; + + if ( $sections ) { + my $sectionnumber = ( $section_map{$state} || 0 ); + return 0 if $sectionnumber & $sections; + } + } + + if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) { + return ( $state =~ /^(?:INVALID|UNTRACKED|NEW)$/ ); + } else { + return 2 if $state eq $section_rmap{$section}; + } + } +} + # # Helper for the perl_action_xxx functions # 
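Review bot: check_state has no explicit return on two of its paths: when the BLACKLIST_SECTION loop over `split ',', $blacklist_states` finds no match it falls off the `for`, and in the non-NEW/DEFAULTACTION branch nothing follows `return 2 if $state eq $section_rmap{$section};` when the condition is false, so the value the caller sees is whatever Perl last evaluated rather than a deliberate result, and every caller added in this commit tests that value for truth. Add `return 0;` as the sub's last statement so the "state conflicts with the section" outcome is explicit on all paths. The header comment also reads "Returns true of the state" and leaves the three distinct results undocumented; suggest replacing it with `# Returns 0 if the state conflicts with the current section, 1 if it is compatible and the caller must still add the state match, 2 if it is compatible and the caller omits the match (the action.* callers test $check == 1)`. The two `$actionresult = 0;` hunks sit inside process_rule, whose body starts and ends outside those hunks, so whether anything reads the variable between the reset and the call cannot be judged here.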
diff --git a/Shorewall/action.Established b/Shorewall/action.Established index 3e8d2deec..80482250a 100644 --- a/Shorewall/action.Established +++ b/Shorewall/action.Established @@ -40,10 +40,9 @@ use Shorewall::Rules qw( process_rule1 ); my ( $action ) = get_action_params( 1 ); -perl_action_helper( - $action, # Target - "$globals{STATEMATCH} ESTABLISHED", # Matches - ); +if ( my $state = check_state( 'ESTABLISHED' ) ) { + perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} ESTABLISHED" : '' ); +} 1; diff --git a/Shorewall/action.Invalid b/Shorewall/action.Invalid index 3cde88f01..e7b35fa75 100644 --- a/Shorewall/action.Invalid +++ b/Shorewall/action.Invalid @@ -43,12 +43,11 @@ my ( $action, $audit ) = get_action_params( 2 ); if ( supplied $audit ) { fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit'; $action = "A_$action"; -} +} -perl_action_helper( - $action, # Target - "$globals{STATEMATCH} INVALID", # Matches - ); +if ( my $check = check_state( 'INVALID' ) ) { + perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} INVALID" : '' ); +} 1; diff --git a/Shorewall/action.NotSyn b/Shorewall/action.NotSyn index 8def649e2..b7a1f2634 100644 --- a/Shorewall/action.NotSyn +++ b/Shorewall/action.NotSyn @@ -42,7 +42,7 @@ use Shorewall::Rules; my ( $action, $audit ) = get_action_params( 2 ); if ( supplied $audit ) { - fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit'; + fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit'; $action = "A_$action"; } diff --git a/Shorewall/action.RST b/Shorewall/action.RST index b2463321a..499859b19 100644 --- a/Shorewall/action.RST +++ b/Shorewall/action.RST 
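Review bot: In action.Established the new `if` declares `$state` but the ternary on the next line reads `$check`, which is never declared in this hunk; if strict is in effect for action files this does not compile, and if it is not, `$check` is undef so `$check == 1` is always false and perl_action_helper receives an empty match, leaving the generated rule with no conntrack state restriction where the old code matched ESTABLISHED only. Make the two lines agree: `if ( my $check = check_state( 'ESTABLISHED' ) ) {`. action.Related has the identical mismatch (`my $state = check_state( 'RELATED' )` followed by `$check == 1`) and needs the same rename; action.Invalid in this same commit already uses `$check` consistently and can serve as the template.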
@@ -40,7 +40,7 @@ use Shorewall::Rules; my ( $action, $audit ) = get_action_params( 2 ); if ( supplied $audit ) { - fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit'; + fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit'; $action = "A_$action"; } diff --git a/Shorewall/action.Related b/Shorewall/action.Related index 8366c4045..e864018cc 100644 --- a/Shorewall/action.Related +++ b/Shorewall/action.Related @@ -41,10 +41,9 @@ use Shorewall::Rules qw( process_rule1 ); my ( $action ) = get_action_params( 1 ); -perl_action_helper( - $action, # Target - "$globals{STATEMATCH} RELATED", # Matches - ); +if ( my $state = check_state( 'RELATED' ) ) { + perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} RELATED" : '' ); +} 1; diff --git a/Shorewall/action.TCPFlags b/Shorewall/action.TCPFlags index 8ba79c2a8..ff2dbd4ed 100644 --- a/Shorewall/action.TCPFlags +++ b/Shorewall/action.TCPFlags @@ -24,7 +24,7 @@ my ( $action, $audit ) = get_action_params( 2 ); my $chainref = get_action_chain; if ( supplied $audit ) { - fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit'; + fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit'; $action = "A_$action"; } diff --git a/Shorewall/action.Untracked b/Shorewall/action.Untracked index 28e7e56c9..2a6e1e2c3 100644 --- a/Shorewall/action.Untracked +++ b/Shorewall/action.Untracked @@ -44,11 +44,9 @@ my ( $level, $tag ) = get_action_logging; $action = join( ':', $action, $level, $tag ) if "${level}${tag}"; -perl_action_helper( - $action, # Target - "$globals{STATEMATCH} UNTRACKED ", # Matches - ); - +if ( my $check = check_state( 'UNTRACKED' ) { + perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} UNTRACKED" : '' ); +} allow_optimize( get_action_chain );
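Review bot: The new condition in action.Untracked is missing its closing parenthesis, so the file no longer parses: `if ( my $check = check_state( 'UNTRACKED' ) {` should read `if ( my $check = check_state( 'UNTRACKED' ) ) {`. The hunk also removes the blank line that separated the helper call from `allow_optimize( get_action_chain );`, which looks unintentional given the other action files in this commit keep their spacing.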