Allow actions to be used in other actions

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@809 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-12-07 18:15:55 +00:00
parent f2040c16f2
commit 9763f0caf3
2 changed files with 61 additions and 46 deletions


@ -2,8 +2,8 @@
# Shorewall 1.4 /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action-name> is an
# TARGET defined in /etc/shorewall/actions.
# /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined in /etc/shorewall/actions.
#
# To define a new action:
#
@ -14,7 +14,8 @@
# Columns are:
#
#
# TARGET ACCEPT, DROP, REJECT, LOG or QUEUE.
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
# previously-defined <action>
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
@ -23,6 +24,10 @@
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
# <action> -- An <action> defined in
# /etc/shorewall/actions. The <action>
# must appear in that file BEFORE the
# one being defined in this file.
#
# The TARGET may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or


@ -2139,7 +2139,7 @@ refresh_tc() {
# port = Destination Port
# cport = Source Port
# multioption = String to invoke multiport match if appropriate
# chain = The chain for this rule
# action = The chain for this rule
# ratelimit = Optional rate limiting clause
#
add_an_action()
@ -2255,21 +2255,21 @@ add_an_action()
for serv1 in `separate_list $serv`; do
for srv in `ip_range $serv1`; do
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" \
log_rule_limit $loglevel $action $logtarget "$ratelimit" \
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
run_iptables2 -A $action $proto $multiport $state $cli $sports \
-d $srv $dports $ratelimit -j $target
done
done
else
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" \
log_rule_limit $loglevel $action $logtarget "$ratelimit" \
`fix_bang $proto $sports $multiport $state $cli $dports`
fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
run_iptables2 -A $action $proto $multiport $state $cli $sports \
$dports $ratelimit -j $target
fi
fi
@ -2278,7 +2278,8 @@ add_an_action()
#
# Process a record from an action file for the 'start', 'restart' or 'check' commands
#
process_action() # $1 = target
process_action() # $1 = action
# $1 = target
# $2 = clients
# $3 = servers
# $4 = protocol
@ -2286,13 +2287,14 @@ process_action() # $1 = target
# $6 = cports
# $7 = ratelimit
{
local target="$1"
local clients="$2"
local servers="$3"
local protocol="$4"
local ports="$5"
local cports="$6"
local ratelimit="$7"
local action="$1"
local target="$2"
local clients="$3"
local servers="$4"
local protocol="$5"
local ports="$6"
local cports="$7"
local ratelimit="$8"
local rule="`echo $target $clients $servers $protocol $ports $cports $ratelimit`"
if [ -n "$ratelimit" ]; then
@ -2319,7 +2321,6 @@ process_action() # $1 = target
expandv loglevel
fi
chain="$action"
logtarget="$target"
case $target in
@ -2402,53 +2403,60 @@ process_actions() {
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then
process_action $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit
process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit
fi
fi
done
done
}
do_it() {
expandv xclients xservers xprotocol xports xcports xratelimit
if [ "x$xclients" = xall ]; then
xclients="$zones $FW"
if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
fi
process_wildcard_rule
continue
fi
if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
process_wildcard_rule
continue
fi
process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit
}
strip_file actions
while read action rest; do
[ "x$rest" = x ] || fatal_error "Invalid Action: $action $rest"
[ "$command" = check ] || createchain $action No
ACTIONS="$ACTIONS $action"
done < $TMP_DIR/actions
while read xaction rest; do
[ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest"
[ "$command" = check ] || createchain $xaction No
for action in $ACTIONS; do
f=action.$action
f=action.$xaction
fn=`find_file $f`
if [ -f $fn ]; then
echo "Processing $fn..."
strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit ; do
expandv xtarget
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|LOG|QUEUE)
expandv xclients xservers xprotocol xports xcports xratelimit
if [ "x$xclients" = xall ]; then
xclients="$zones $FW"
if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
fi
process_wildcard_rule
continue
fi
if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
process_wildcard_rule
continue
fi
process_action $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit
do_it
;;
*)
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit`"
fatal_error "Invalid Action in rule \"$rule\""
if list_search $temp $ACTIONS; then
do_it
else
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit`"
fatal_error "Invalid TARGET in rule \"$rule\""
fi
;;
esac
@ -2456,7 +2464,9 @@ process_actions() {
else
fatal_error "Missing Action File: $f"
fi
done
ACTIONS="$ACTIONS $xaction"
done < $TMP_DIR/actions
}
#
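Review bot: The two `continue` statements inside the new `do_it()` (the lines following each `process_wildcard_rule` call) depend on a function body's `continue` reaching the caller's `while read xtarget …` loop; bash tracks loop nesting dynamically so this works there, but POSIX leaves the effect of `continue` on a loop outside the function unspecified, and this script runs under whatever `/bin/sh` the host provides. Because `do_it` is the last command in both `case` arms, `return` in place of each `continue` gives the same control flow, provided nothing else follows `esac` in the loop body (that tail of the loop, and the start of process_actions, lie outside the hunk). Separately, the built-in targets are matched on `${temp%<*}` while the user-action lookup is `list_search $temp $ACTIONS`; if a `<…` suffix is valid on user-defined actions too, the lookup should presumably be `list_search "${temp%<*}" $ACTIONS` — worth confirming against the rule syntax. Also, process_action now takes the action as `$1`, but the `rule` string it builds still echoes only `$target … $ratelimit`, so any message built from it will not name which action file the record came from.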