Detect some state conflicts
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
cc1054be66
commit
8249831e6d
@ -53,6 +53,7 @@ our @EXPORT = qw(
|
|||||||
verify_audit
|
verify_audit
|
||||||
perl_action_helper
|
perl_action_helper
|
||||||
perl_action_tcp_helper
|
perl_action_tcp_helper
|
||||||
|
check_state
|
||||||
);
|
);
|
||||||
|
|
||||||
our @EXPORT_OK = qw( initialize process_rule );
|
our @EXPORT_OK = qw( initialize process_rule );
|
||||||
@ -2428,6 +2429,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
# First reference to this tuple
|
# First reference to this tuple
|
||||||
#
|
#
|
||||||
|
$actionresult = 0;
|
||||||
|
|
||||||
process_action( $ref, $chain );
|
process_action( $ref, $chain );
|
||||||
#
|
#
|
||||||
# Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
|
# Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
|
||||||
@ -2456,6 +2459,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
@columns = ( $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard );
|
@columns = ( $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard );
|
||||||
|
|
||||||
|
$actionresult = 0;
|
||||||
|
|
||||||
my $generated = process_inline( $basictarget,
|
my $generated = process_inline( $basictarget,
|
||||||
$chainref,
|
$chainref,
|
||||||
$rule,
|
$rule,
|
||||||
@ -2657,6 +2662,41 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Check the passed connection state for conflict with the current section
|
||||||
|
#
|
||||||
|
# Returns true of the state is compatible with the section
|
||||||
|
#
|
||||||
|
sub check_state( $ ) {
|
||||||
|
my $state = $_[0];
|
||||||
|
|
||||||
|
if ( $section == BLACKLIST_SECTION ) {
|
||||||
|
my $blacklist_states = $globals{BLACKLIST_STATES};
|
||||||
|
return 1 if $blacklist_states eq 'ALL';
|
||||||
|
return 2 if $blacklist_states eq $state;
|
||||||
|
for ( split ',', $blacklist_states ) {
|
||||||
|
return 1 if $_ eq $state;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if ( ( $state eq 'ESTABLISHED' ) ||
|
||||||
|
( $state =~ /^(?:INVALID|UNTRACKED|RELATED)$/ && $globals{"${state}_DISPOSITION"} ) ) {
|
||||||
|
my $sections = $actparms{0}->{sections};
|
||||||
|
|
||||||
|
if ( $sections ) {
|
||||||
|
my $sectionnumber = ( $section_map{$state} || 0 );
|
||||||
|
return 0 if $sectionnumber & $sections;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
|
||||||
|
return ( $state =~ /^(?:INVALID|UNTRACKED|NEW)$/ );
|
||||||
|
} else {
|
||||||
|
return 2 if $state eq $section_rmap{$section};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Helper for the perl_action_xxx functions
|
# Helper for the perl_action_xxx functions
|
||||||
#
|
#
|
||||||
|
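Review bot: check_state falls off the end of the sub without an explicit return on two paths — after the `for` over `$blacklist_states` finds no match, and in the non-NEW/DEFAULTACTION branch when `$state ne $section_rmap{$section}` — so the action files that do `if ( my $check = check_state(...) )` depend on the implicit value of the last evaluated statement. Add `return 0;` as the final statement before the closing brace of check_state so the "conflict" result is explicit. The header comment should also spell out the three results the callers rely on, e.g. `# Returns 0 if the state conflicts with the current section, 1 if it is compatible and a state match must be generated, and 2 if the section already implies the state (no match needed)`, and `Returns true of the state` should read `Returns true if the state`. In the BLACKLIST branch `$globals{BLACKLIST_STATES}` is compared with `eq` before any definedness check; if it can be unset, `my $blacklist_states = $globals{BLACKLIST_STATES} // '';` avoids the uninitialized-value warning, though whether it is always populated is not visible here.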
@ -40,10 +40,9 @@ use Shorewall::Rules qw( process_rule1 );
|
|||||||
|
|
||||||
my ( $action ) = get_action_params( 1 );
|
my ( $action ) = get_action_params( 1 );
|
||||||
|
|
||||||
perl_action_helper(
|
if ( my $state = check_state( 'ESTABLISHED' ) ) {
|
||||||
$action, # Target
|
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} ESTABLISHED" : '' );
|
||||||
"$globals{STATEMATCH} ESTABLISHED", # Matches
|
}
|
||||||
);
|
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
|
||||||
|
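Review bot: The new `if` in this hunk binds the result to `$state`, but the body reads `$check`, which is never declared; under strict this file will not compile, and without strict `$check` is undef so `$check == 1` is always false and the ESTABLISHED match is silently dropped. Rename the binding to match the Invalid and Untracked action files: `if ( my $check = check_state( 'ESTABLISHED' ) ) {`. The Related action hunk further down has the same mismatch (`my $state = check_state( 'RELATED' )` with `$check` in the body). Separately, when check_state returns false the action now emits no rule at all; if that is the intended conflict handling, a warning to the user would make the dropped rule visible rather than silent.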
@ -43,12 +43,11 @@ my ( $action, $audit ) = get_action_params( 2 );
|
|||||||
if ( supplied $audit ) {
|
if ( supplied $audit ) {
|
||||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
||||||
$action = "A_$action";
|
$action = "A_$action";
|
||||||
}
|
}
|
||||||
|
|
||||||
perl_action_helper(
|
if ( my $check = check_state( 'INVALID' ) ) {
|
||||||
$action, # Target
|
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} INVALID" : '' );
|
||||||
"$globals{STATEMATCH} INVALID", # Matches
|
}
|
||||||
);
|
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
|
||||||
|
@ -42,7 +42,7 @@ use Shorewall::Rules;
|
|||||||
my ( $action, $audit ) = get_action_params( 2 );
|
my ( $action, $audit ) = get_action_params( 2 );
|
||||||
|
|
||||||
if ( supplied $audit ) {
|
if ( supplied $audit ) {
|
||||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
|
||||||
$action = "A_$action";
|
$action = "A_$action";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -40,7 +40,7 @@ use Shorewall::Rules;
|
|||||||
my ( $action, $audit ) = get_action_params( 2 );
|
my ( $action, $audit ) = get_action_params( 2 );
|
||||||
|
|
||||||
if ( supplied $audit ) {
|
if ( supplied $audit ) {
|
||||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
|
||||||
$action = "A_$action";
|
$action = "A_$action";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -41,10 +41,9 @@ use Shorewall::Rules qw( process_rule1 );
|
|||||||
|
|
||||||
my ( $action ) = get_action_params( 1 );
|
my ( $action ) = get_action_params( 1 );
|
||||||
|
|
||||||
perl_action_helper(
|
if ( my $state = check_state( 'RELATED' ) ) {
|
||||||
$action, # Target
|
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} RELATED" : '' );
|
||||||
"$globals{STATEMATCH} RELATED", # Matches
|
}
|
||||||
);
|
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
|
||||||
|
@ -24,7 +24,7 @@ my ( $action, $audit ) = get_action_params( 2 );
|
|||||||
my $chainref = get_action_chain;
|
my $chainref = get_action_chain;
|
||||||
|
|
||||||
if ( supplied $audit ) {
|
if ( supplied $audit ) {
|
||||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
|
||||||
$action = "A_$action";
|
$action = "A_$action";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -44,11 +44,9 @@ my ( $level, $tag ) = get_action_logging;
|
|||||||
|
|
||||||
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
|
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
|
||||||
|
|
||||||
perl_action_helper(
|
if ( my $check = check_state( 'UNTRACKED' ) {
|
||||||
$action, # Target
|
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} UNTRACKED" : '' );
|
||||||
"$globals{STATEMATCH} UNTRACKED ", # Matches
|
}
|
||||||
);
|
|
||||||
|
|
||||||
|
|
||||||
allow_optimize( get_action_chain );
|
allow_optimize( get_action_chain );
|
||||||
|
|
||||||
|
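Review bot: The new condition in this hunk is missing its closing parenthesis — `if ( my $check = check_state( 'UNTRACKED' ) {` — so the file will not compile; it should read `if ( my $check = check_state( 'UNTRACKED' ) ) {`. The trailing space in the old `"$globals{STATEMATCH} UNTRACKED "` match is dropped in the new line, which brings it in line with the other action files and looks intentional.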