Ignore 'inline' for certain actions.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-12-01 07:54:42 -08:00
parent 146402d9be
commit 8cbe26e32c
8 changed files with 91 additions and 56 deletions


@ -1007,18 +1007,18 @@ show_command() {
case $1 in
actions)
[ $# -gt 1 ] && usage 1
echo "A_ACCEPT # Audit and accept the connection"
echo "A_DROP # Audit and drop the connection"
echo "A_REJECT # Audit and reject the connection "
echo "allowBcast # Silently Allow Broadcast/multicast"
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
echo "dropBcast # Silently Drop Broadcast/multicast"
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
echo "A_ACCEPT # Audit and accept the connection"
echo "A_DROP # Audit and drop the connection"
echo "A_REJECT # Audit and reject the connection "
echo "allowBcast # Silently Allow Broadcast/multicast"
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
echo "dropBcast # Silently Drop Broadcast/multicast"
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
if [ -f ${g_confdir}/actions ]; then
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'


@ -986,13 +986,13 @@ sub externalize( $ ) {
#
# Define an Action
#
sub new_action( $$ ) {
sub new_action( $$$ ) {
my ( $action , $type ) = @_;
my ( $action , $type, $noinline ) = @_;
fatal_error "Invalid action name($action)" if reserved_name( $action );
$actions{$action} = { actchain => '' } if $type & ACTION;
$actions{$action} = { actchain => '' , noinline => $noinline } if $type & ACTION;
$targets{$action} = $type;
}
@ -1019,7 +1019,7 @@ sub createlogactionchain( $$$$$ ) {
validate_level $level;
$actionref = new_action( $action , ACTION ) unless $actionref;
$actionref = new_action( $action , ACTION , 0 ) unless $actionref;
$chain = substr $chain, 0, 28 if ( length $chain ) > 28;
@ -1464,7 +1464,7 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
# This function is called prior to processing of the policy file. It:
#
# - Adds the builtin actions to the target table
# - Reads actions and actions.std (in that order) and for each entry:
# - Reads actions.std and actions (in that order) and for each entry:
# o Adds the action to the target table
# o Verifies that the corresponding action file exists
#
@ -1475,15 +1475,16 @@ sub process_actions() {
#
# Add built-in actions to the target table and create those actions
#
$targets{$_} = new_action( $_ , ACTION + BUILTIN ) for @builtins;
$targets{$_} = new_action( $_ , ACTION + BUILTIN, 1 ) for @builtins;
for my $file ( qw/actions actions.std/ ) {
for my $file ( qw/actions.std actions/ ) {
open_file $file;
while ( read_a_line( NORMAL_READ ) ) {
my ( $action, $options ) = split_line 'action file' , { action => 0, options => 1 };
my $type = ACTION;
my $type = ACTION;
my $noinline = 0;
if ( $action =~ /:/ ) {
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@ -1492,20 +1493,34 @@ sub process_actions() {
fatal_error "Invalid Action Name ($action)" unless $action =~ /^[a-zA-Z][\w-]*$/;
if ( $targets{$action} ) {
warning_message "Duplicate Action Name ($action) Ignored" unless $targets{$action} & ( ACTION | INLINE );
next;
}
if ( $options eq 'inline' ) {
$type = INLINE;
} elsif ( $options eq 'noinline' ) {
$noinline = 1;
} else {
fatal_error "Invalid option($options)" unless $options eq '-';
}
new_action $action, $type;
my $actionfile;
my $actionfile = find_file "action.$action";
if ( my $actiontype = $targets{$action} ) {
if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
if ( $actions{$action}->{noinline} ) {
warning_message "'inline' option ignored on action $action -- that action may not be in-lined";
next;
}
delete $actions{$action};
delete $targets{$action};
} else {
warning_message "Duplicate Action Name ($action) Ignored" unless $actiontype & ( ACTION | INLINE );
next;
}
}
new_action $action, $type, $noinline;
$actionfile = find_file( "action.$action" ) unless $actionfile;
fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
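Review bot: The `noinline` option is recorded in `$noinline`, but on a duplicate name the only branch that consults the flag is the one handling a redefinition with `inline`; a redefinition carrying `noinline` (or `-`) falls through to the else branch, where the duplicate warning is suppressed precisely because the existing target is already an ACTION or INLINE, so the line is dropped silently. That does not match the docbook text added in this same commit, which says `noinline` "reverses the effect of any previous inline option for the same action". Either reword the manpage to say that `noinline` marks a newly defined action so that a later `inline` redefinition of it is warned about and ignored, or add a branch such as `} elsif ( ( $actiontype & INLINE ) && $noinline ) { delete $targets{$action}; } else {` so the earlier inline definition is actually replaced (an INLINE target has no `$actions{$action}` entry to delete, per `new_action` above). Separately, `$actionfile` is declared undefined a few lines up and nothing in the visible lines assigns it before `find_file( "action.$action" ) unless $actionfile`, so the `unless` guard is dead in this revision and should either be dropped or accompanied by a comment naming what is expected to set it. process_actions begins in an earlier hunk and its body runs past this one.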


@ -33,13 +33,13 @@
#
###############################################################################
#ACTION
A_Drop # Audited Default Action for DROP policy
A_Reject # Audited Default action for REJECT policy
Broadcast # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy
DropSmurfs # Drop smurf packets
Invalid # Handles packets in the INVALID conntrack state
NotSyn # Handles TCP packets which do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy
RST # Handle packets with RST set
TCPFlags # Handle bad flag combinations.
A_Drop # Audited Default Action for DROP policy
A_Reject # Audited Default action for REJECT policy
Broadcast noinline # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy
DropSmurfs noinline # Drop smurf packets
Invalid noinline # Handles packets in the INVALID conntrack state
NotSyn noinline # Handles TCP packets which do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy
RST noinline # Handle packets with RST set
TCPFlags noinline # Handle bad flag combinations.


@ -8,5 +8,5 @@
# Please see http://shorewall.net/Actions.html for additional information.
#
####################################################################################
#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
# v a comment describing the action)
#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
# v a comment describing the action)


@ -62,8 +62,9 @@
<caution>
<para>Some of the Shorewall standard actions cannot be used
in-line and will generate a compiler error if you try to use
them that way:</para>
in-line and will generate a warning and the compiler will
ignore <option>inline</option> if you try to use them that
way:</para>
<simplelist>
<member>Broadcast</member>
@ -81,6 +82,15 @@
</caution>
</listitem>
</varlistentry>
<varlistentry>
<term>noinline</term>
<listitem>
<para>Reverses the effect of any previous
<option>inline</option> option for the same action.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>


@ -19,15 +19,15 @@
#
###############################################################################
#ACTION
A_Drop # Audited Default Action for DROP policy
A_Reject # Audited Default Action for REJECT policy
A_AllowICMPs # Audited Accept needed ICMP6 types
AllowICMPs # Accept needed ICMP6 types
Broadcast # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy
DropSmurfs # Handles packets with a broadcast source address
Invalid # Handles packets in the INVALID conntrack state
NotSyn # Handles TCP packets that do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy
TCPFlags # Handles bad flags combinations
A_Drop # Audited Default Action for DROP policy
A_Reject # Audited Default Action for REJECT policy
A_AllowICMPs # Audited Accept needed ICMP6 types
AllowICMPs # Accept needed ICMP6 types
Broadcast noinline # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy
DropSmurfs noinline # Handles packets with a broadcast source address
Invalid noinline # Handles packets in the INVALID conntrack state
NotSyn noinline # Handles TCP packets that do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy
TCPFlags noinline # Handles bad flags combinations


@ -9,5 +9,5 @@
#
###############################################################################
####################################################################################
#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
# v a comment describing the action)
#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
# v a comment describing the action)


@ -62,8 +62,9 @@
<caution>
<para>Some of the Shorewall standard actions cannot be used
in-line and will generate a compiler error if you try to use
them that way:</para>
in-line and will generate a warning and the compiler will
ignore <option>inline</option> if you try to use them that
way:</para>
<simplelist>
<member>Broadcast</member>
@ -81,6 +82,15 @@
</caution>
</listitem>
</varlistentry>
<varlistentry>
<term>noinline</term>
<listitem>
<para>Reverses the effect of any previous
<option>inline</option> option for the same action.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>