Detect some state conflicts

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-02-02 09:32:57 -08:00
parent cc1054be66
commit 8249831e6d
8 changed files with 56 additions and 21 deletions

View File

@ -53,6 +53,7 @@ our @EXPORT = qw(
verify_audit verify_audit
perl_action_helper perl_action_helper
perl_action_tcp_helper perl_action_tcp_helper
check_state
); );
our @EXPORT_OK = qw( initialize process_rule ); our @EXPORT_OK = qw( initialize process_rule );
@ -2428,6 +2429,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
# #
# First reference to this tuple # First reference to this tuple
# #
$actionresult = 0;
process_action( $ref, $chain ); process_action( $ref, $chain );
# #
# Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so: # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
@ -2456,6 +2459,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
# #
@columns = ( $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ); @columns = ( $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard );
$actionresult = 0;
my $generated = process_inline( $basictarget, my $generated = process_inline( $basictarget,
$chainref, $chainref,
$rule, $rule,
@ -2657,6 +2662,41 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
return 1; return 1;
} }
#
# Check the passed connection state for conflict with the current section
#
# Returns true of the state is compatible with the section
#
sub check_state( $ ) {
my $state = $_[0];
if ( $section == BLACKLIST_SECTION ) {
my $blacklist_states = $globals{BLACKLIST_STATES};
return 1 if $blacklist_states eq 'ALL';
return 2 if $blacklist_states eq $state;
for ( split ',', $blacklist_states ) {
return 1 if $_ eq $state;
}
} else {
if ( ( $state eq 'ESTABLISHED' ) ||
( $state =~ /^(?:INVALID|UNTRACKED|RELATED)$/ && $globals{"${state}_DISPOSITION"} ) ) {
my $sections = $actparms{0}->{sections};
if ( $sections ) {
my $sectionnumber = ( $section_map{$state} || 0 );
return 0 if $sectionnumber & $sections;
}
}
if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
return ( $state =~ /^(?:INVALID|UNTRACKED|NEW)$/ );
} else {
return 2 if $state eq $section_rmap{$section};
}
}
}
# #
# Helper for the perl_action_xxx functions # Helper for the perl_action_xxx functions
# #

View File

@ -40,10 +40,9 @@ use Shorewall::Rules qw( process_rule1 );
my ( $action ) = get_action_params( 1 ); my ( $action ) = get_action_params( 1 );
perl_action_helper( if ( my $state = check_state( 'ESTABLISHED' ) ) {
$action, # Target perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} ESTABLISHED" : '' );
"$globals{STATEMATCH} ESTABLISHED", # Matches }
);
1; 1;

View File

@ -43,12 +43,11 @@ my ( $action, $audit ) = get_action_params( 2 );
if ( supplied $audit ) { if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit'; fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
$action = "A_$action"; $action = "A_$action";
} }
perl_action_helper( if ( my $check = check_state( 'INVALID' ) ) {
$action, # Target perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} INVALID" : '' );
"$globals{STATEMATCH} INVALID", # Matches }
);
1; 1;

View File

@ -42,7 +42,7 @@ use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
if ( supplied $audit ) { if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit'; fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
$action = "A_$action"; $action = "A_$action";
} }

View File

@ -40,7 +40,7 @@ use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
if ( supplied $audit ) { if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit'; fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
$action = "A_$action"; $action = "A_$action";
} }

View File

@ -41,10 +41,9 @@ use Shorewall::Rules qw( process_rule1 );
my ( $action ) = get_action_params( 1 ); my ( $action ) = get_action_params( 1 );
perl_action_helper( if ( my $state = check_state( 'RELATED' ) ) {
$action, # Target perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} RELATED" : '' );
"$globals{STATEMATCH} RELATED", # Matches }
);
1; 1;

View File

@ -24,7 +24,7 @@ my ( $action, $audit ) = get_action_params( 2 );
my $chainref = get_action_chain; my $chainref = get_action_chain;
if ( supplied $audit ) { if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit'; fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
$action = "A_$action"; $action = "A_$action";
} }

View File

@ -44,11 +44,9 @@ my ( $level, $tag ) = get_action_logging;
$action = join( ':', $action, $level, $tag ) if "${level}${tag}"; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
perl_action_helper( if ( my $check = check_state( 'UNTRACKED' ) {
$action, # Target perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} UNTRACKED" : '' );
"$globals{STATEMATCH} UNTRACKED ", # Matches }
);
allow_optimize( get_action_chain ); allow_optimize( get_action_chain );