From 9763f0caf3523f04d3e44740bcf8f782a14439c7 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 7 Dec 2003 18:15:55 +0000 Subject: [PATCH] Allow actions to be used in other actions git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@809 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/action.template | 11 +++-- Shorewall/firewall | 96 +++++++++++++++++++++------------------ 2 files changed, 61 insertions(+), 46 deletions(-) diff --git a/Shorewall/action.template b/Shorewall/action.template index f56bbbe27..d3ff72736 100644 --- a/Shorewall/action.template +++ b/Shorewall/action.template @@ -2,8 +2,8 @@ # Shorewall 1.4 /etc/shorewall/action.template # # This file is a template for files with names of the form -# /etc/shorewall/action. where is an -# TARGET defined in /etc/shorewall/actions. +# /etc/shorewall/action. where is an +# ACTION defined in /etc/shorewall/actions. # # To define a new action: # @@ -14,7 +14,8 @@ # Columns are: # # -# TARGET ACCEPT, DROP, REJECT, LOG or QUEUE. +# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a +# previously-defined # # ACCEPT -- allow the connection request # DROP -- ignore the request @@ -23,6 +24,10 @@ # LOG -- Simply log the packet and continue. # QUEUE -- Queue the packet to a user-space # application such as p2pwall. +# -- An defined in +# /etc/shorewall/actions. The +# must appear in that file BEFORE the +# one being defined in this file. # # The TARGET may optionally be followed # by ":" and a syslog log level (e.g, REJECT:info or diff --git a/Shorewall/firewall b/Shorewall/firewall index e780a0ac2..d9e161d32 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -2139,7 +2139,7 @@ refresh_tc() { # port = Destination Port # cport = Source Port # multioption = String to invoke multiport match if appropriate -# chain = The chain for this rule +# action = The chain for this rule # ratelimit = Optional rate limiting clause # add_an_action() 
@@ -2255,21 +2255,21 @@ add_an_action() for serv1 in `separate_list $serv`; do for srv in `ip_range $serv1`; do if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" \ + log_rule_limit $loglevel $action $logtarget "$ratelimit" \ `fix_bang $proto $sports $multiport $state $cli -d $srv $dports` fi - run_iptables2 -A $chain $proto $multiport $state $cli $sports \ + run_iptables2 -A $action $proto $multiport $state $cli $sports \ -d $srv $dports $ratelimit -j $target done done else if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" \ + log_rule_limit $loglevel $action $logtarget "$ratelimit" \ `fix_bang $proto $sports $multiport $state $cli $dports` fi - run_iptables2 -A $chain $proto $multiport $state $cli $sports \ + run_iptables2 -A $action $proto $multiport $state $cli $sports \ $dports $ratelimit -j $target fi fi @@ -2278,7 +2278,8 @@ add_an_action() # # Process a record from an action file for the 'start', 'restart' or 'check' commands # -process_action() # $1 = target +process_action() # $1 = action + # $1 = target # $2 = clients # $3 = servers # $4 = protocol @@ -2286,13 +2287,14 @@ process_action() # $1 = target # $6 = cports # $7 = ratelimit { - local target="$1" - local clients="$2" - local servers="$3" - local protocol="$4" - local ports="$5" - local cports="$6" - local ratelimit="$7" + local action="$1" + local target="$2" + local clients="$3" + local servers="$4" + local protocol="$5" + local ports="$6" + local cports="$7" + local ratelimit="$8" local rule="`echo $target $clients $servers $protocol $ports $cports $ratelimit`" if [ -n "$ratelimit" ]; then @@ -2319,7 +2321,6 @@ process_action() # $1 = target expandv loglevel fi - chain="$action" logtarget="$target" case $target in 
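Review bot: add_an_action now reads `$action` where it used to read the global `chain`, and nothing in this hunk sets it; the rename only works because process_action declares `local action="$1"` (hunk @@ -2286) and a shell `local` is visible to the functions the caller invokes, so the `chain="$action"` line removed in hunk @@ -2319 is replaced by an implicit dependency on the caller. A comment at the top of add_an_action would make that contract explicit, e.g. `# action: chain to append to; inherited from the calling process_action() (local is dynamically scoped)`. add_an_action's argument setup starts outside the hunk, so any other caller that relied on the old global `chain` would now have to set `action` instead; worth a grep before merge.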
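Review bot: The argument comment on process_action is now wrong: it lists `# $1 = action` followed by `# $1 = target`, and the entries for clients through ratelimit still carry the old numbers $2–$7, while the body in hunk @@ -2286 assigns target from `$2`, clients from `$3` and so on up to `ratelimit="$8"`. Renumber the comment so it reads `# $2 = target`, `# $3 = clients` … `# $8 = ratelimit`, matching the eight-argument calls that hunk @@ -2402 makes; otherwise the next reader builds a seven-argument call and every field lands one column off.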
@@ -2402,53 +2403,60 @@ process_actions() { if [ "${ysourcezone}" != "${ydestzone}" ] ; then eval ypolicy=\$${ysourcezone}2${ydestzone}_policy if [ "$ypolicy" != NONE ] ; then - process_action $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit + process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit fi fi done done } + do_it() { + expandv xclients xservers xprotocol xports xcports xratelimit + + if [ "x$xclients" = xall ]; then + xclients="$zones $FW" + if [ "x$xservers" = xall ]; then + xservers="$zones $FW" + fi + process_wildcard_rule + continue + fi + + if [ "x$xservers" = xall ]; then + xservers="$zones $FW" + process_wildcard_rule + continue + fi + + process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit + } + strip_file actions - while read action rest; do - [ "x$rest" = x ] || fatal_error "Invalid Action: $action $rest" - [ "$command" = check ] || createchain $action No - ACTIONS="$ACTIONS $action" - done < $TMP_DIR/actions + while read xaction rest; do + [ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest" + [ "$command" = check ] || createchain $xaction No - for action in $ACTIONS; do - f=action.$action + f=action.$xaction fn=`find_file $f` if [ -f $fn ]; then + echo "Processing $fn..." 
strip_file $f $fn while read xtarget xclients xservers xprotocol xports xcports xratelimit ; do + expandv xtarget temp="${xtarget%:*}" case "${temp%<*}" in ACCEPT|DROP|REJECT|LOG|QUEUE) - expandv xclients xservers xprotocol xports xcports xratelimit - - if [ "x$xclients" = xall ]; then - xclients="$zones $FW" - if [ "x$xservers" = xall ]; then - xservers="$zones $FW" - fi - process_wildcard_rule - continue - fi - - if [ "x$xservers" = xall ]; then - xservers="$zones $FW" - process_wildcard_rule - continue - fi - - process_action $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit + do_it ;; *) - rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit`" - fatal_error "Invalid Action in rule \"$rule\"" + if list_search $temp $ACTIONS; then + do_it + else + rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit`" + fatal_error "Invalid TARGET in rule \"$rule\"" + fi ;; esac @@ -2456,7 +2464,9 @@ process_actions() { else fatal_error "Missing Action File: $f" fi - done + + ACTIONS="$ACTIONS $xaction" + done < $TMP_DIR/actions } #
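Review bot: The two `continue` statements inside the new `do_it()` are meant to skip the rest of the enclosing `while read xtarget ...` loop, but a `continue` in a function body only reaches a loop in the caller in shells that let it cross function boundaries; under a POSIX sh such as dash it is likely a no-op, so after `process_wildcard_rule` the function would fall through to `process_action` and emit the rule a second time with `xclients`/`xservers` already expanded to `$zones $FW`. Since `do_it` is the last statement in both case branches, `return` has the same effect portably: replace each `continue` with `return`. Separately, the `*)` branch matches on `${temp%<*}` but looks up the unstripped value with `list_search $temp $ACTIONS`; if the `<...>` suffix the case strips is legal on an action target, the lookup should use the stripped form too, `if list_search "${temp%<*}" $ACTIONS; then`. The inner loop's closing `done` and its input redirection sit outside the hunk.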