Detect some state conflicts

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-02-02 09:32:57 -08:00
parent cc1054be66
commit 8249831e6d
8 changed files with 56 additions and 21 deletions


@ -53,6 +53,7 @@ our @EXPORT = qw(
verify_audit
perl_action_helper
perl_action_tcp_helper
check_state
);
our @EXPORT_OK = qw( initialize process_rule );
@ -2428,6 +2429,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
#
# First reference to this tuple
#
$actionresult = 0;
process_action( $ref, $chain );
#
# Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
@ -2456,6 +2459,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
#
@columns = ( $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard );
$actionresult = 0;
my $generated = process_inline( $basictarget,
$chainref,
$rule,
@ -2657,6 +2662,41 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
return 1;
}
#
# Check the passed connection state for conflict with the current section
#
# Returns true of the state is compatible with the section
#
sub check_state( $ ) {
my $state = $_[0];
if ( $section == BLACKLIST_SECTION ) {
my $blacklist_states = $globals{BLACKLIST_STATES};
return 1 if $blacklist_states eq 'ALL';
return 2 if $blacklist_states eq $state;
for ( split ',', $blacklist_states ) {
return 1 if $_ eq $state;
}
} else {
if ( ( $state eq 'ESTABLISHED' ) ||
( $state =~ /^(?:INVALID|UNTRACKED|RELATED)$/ && $globals{"${state}_DISPOSITION"} ) ) {
my $sections = $actparms{0}->{sections};
if ( $sections ) {
my $sectionnumber = ( $section_map{$state} || 0 );
return 0 if $sectionnumber & $sections;
}
}
if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
return ( $state =~ /^(?:INVALID|UNTRACKED|NEW)$/ );
} else {
return 2 if $state eq $section_rmap{$section};
}
}
}
#
# Helper for the perl_action_xxx functions
#
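Review bot: check_state has no explicit final return: when the BLACKLIST_SECTION loop over `split ',', $blacklist_states` finds no match, and when the non-NEW/DEFAULTACTION branch's `return 2 if $state eq $section_rmap{$section};` does not fire, the sub returns whatever the last statement evaluated to, which happens to be false but is neither documented nor guaranteed by the code. Add `return 0;` as the last statement of the sub so the "conflict" result is explicit. The header comment should also spell out the three results the callers rely on, since "Returns true of the state is compatible" (typo for "if") hides the distinction: judging from the action files in this commit, 1 appears to mean compatible and the state match must still be emitted, 2 that the match is redundant, and 0 a conflict, so a comment such as `# Returns 0 if the state conflicts with the section, 1 if compatible, 2 if compatible and no state match is needed` would document it. If `%section_rmap` can lack an entry for `$section`, the `eq` against an undefined value will warn; that hash is not visible here, so confirm.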


@ -40,10 +40,9 @@ use Shorewall::Rules qw( process_rule1 );
my ( $action ) = get_action_params( 1 );
perl_action_helper(
$action, # Target
"$globals{STATEMATCH} ESTABLISHED", # Matches
);
if ( my $state = check_state( 'ESTABLISHED' ) ) {
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} ESTABLISHED" : '' );
}
1;
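Review bot: The condition `if ( my $state = check_state( 'ESTABLISHED' ) )` binds the result to `$state`, but the body tests `$check == 1`, which is not declared anywhere in this hunk; if the file uses strictures (not visible here) that fails to compile, and otherwise `$check` is undef so the ESTABLISHED match is silently always dropped. Rename the lexical to match the body and the Invalid/Untracked actions: `if ( my $check = check_state( 'ESTABLISHED' ) ) {`. The Related action in this commit has the same mismatch (`my $state = check_state( 'RELATED' )` paired with `$check == 1`).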


@ -45,10 +45,9 @@ if ( supplied $audit ) {
$action = "A_$action";
}
perl_action_helper(
$action, # Target
"$globals{STATEMATCH} INVALID", # Matches
);
if ( my $check = check_state( 'INVALID' ) ) {
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} INVALID" : '' );
}
1;


@ -42,7 +42,7 @@ use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
$action = "A_$action";
}


@ -40,7 +40,7 @@ use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 );
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
$action = "A_$action";
}


@ -41,10 +41,9 @@ use Shorewall::Rules qw( process_rule1 );
my ( $action ) = get_action_params( 1 );
perl_action_helper(
$action, # Target
"$globals{STATEMATCH} RELATED", # Matches
);
if ( my $state = check_state( 'RELATED' ) ) {
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} RELATED" : '' );
}
1;


@ -24,7 +24,7 @@ my ( $action, $audit ) = get_action_params( 2 );
my $chainref = get_action_chain;
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
$action = "A_$action";
}


@ -44,11 +44,9 @@ my ( $level, $tag ) = get_action_logging;
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
perl_action_helper(
$action, # Target
"$globals{STATEMATCH} UNTRACKED ", # Matches
);
if ( my $check = check_state( 'UNTRACKED' ) {
perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} UNTRACKED" : '' );
}
allow_optimize( get_action_chain );
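Review bot: The new condition `if ( my $check = check_state( 'UNTRACKED' ) {` is missing the closing parenthesis of the `if`, so this action file no longer parses. It should read `if ( my $check = check_state( 'UNTRACKED' ) ) {`. Note also that the replaced match string carried a trailing space (`"$globals{STATEMATCH} UNTRACKED "`) which the new line drops; that looks intentional but is worth a glance since the other actions never had one.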