Allow actions to be used in other actions

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@809 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-12-07 18:15:55 +00:00
parent f2040c16f2
commit 9763f0caf3
2 changed files with 61 additions and 46 deletions


@ -2,8 +2,8 @@
# Shorewall 1.4 /etc/shorewall/action.template # Shorewall 1.4 /etc/shorewall/action.template
# #
# This file is a template for files with names of the form # This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action-name> is an # /etc/shorewall/action.<action-name> where <action> is an
# TARGET defined in /etc/shorewall/actions. # ACTION defined in /etc/shorewall/actions.
# #
# To define a new action: # To define a new action:
# #
@ -14,7 +14,8 @@
# Columns are: # Columns are:
# #
# #
# TARGET ACCEPT, DROP, REJECT, LOG or QUEUE. # TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
# previously-defined <action>
# #
# ACCEPT -- allow the connection request # ACCEPT -- allow the connection request
# DROP -- ignore the request # DROP -- ignore the request
@ -23,6 +24,10 @@
# LOG -- Simply log the packet and continue. # LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space # QUEUE -- Queue the packet to a user-space
# application such as p2pwall. # application such as p2pwall.
# <action> -- An <action> defined in
# /etc/shorewall/actions. The <action>
# must appear in that file BEFORE the
# one being defined in this file.
# #
# The TARGET may optionally be followed # The TARGET may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or # by ":" and a syslog log level (e.g, REJECT:info or


@ -2139,7 +2139,7 @@ refresh_tc() {
# port = Destination Port # port = Destination Port
# cport = Source Port # cport = Source Port
# multioption = String to invoke multiport match if appropriate # multioption = String to invoke multiport match if appropriate
# chain = The chain for this rule # action = The chain for this rule
# ratelimit = Optional rate limiting clause # ratelimit = Optional rate limiting clause
# #
add_an_action() add_an_action()
@ -2255,21 +2255,21 @@ add_an_action()
for serv1 in `separate_list $serv`; do for serv1 in `separate_list $serv`; do
for srv in `ip_range $serv1`; do for srv in `ip_range $serv1`; do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" \ log_rule_limit $loglevel $action $logtarget "$ratelimit" \
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports` `fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \ run_iptables2 -A $action $proto $multiport $state $cli $sports \
-d $srv $dports $ratelimit -j $target -d $srv $dports $ratelimit -j $target
done done
done done
else else
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" \ log_rule_limit $loglevel $action $logtarget "$ratelimit" \
`fix_bang $proto $sports $multiport $state $cli $dports` `fix_bang $proto $sports $multiport $state $cli $dports`
fi fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \ run_iptables2 -A $action $proto $multiport $state $cli $sports \
$dports $ratelimit -j $target $dports $ratelimit -j $target
fi fi
fi fi
@ -2278,7 +2278,8 @@ add_an_action()
# #
# Process a record from an action file for the 'start', 'restart' or 'check' commands # Process a record from an action file for the 'start', 'restart' or 'check' commands
# #
process_action() # $1 = target process_action() # $1 = action
# $1 = target
# $2 = clients # $2 = clients
# $3 = servers # $3 = servers
# $4 = protocol # $4 = protocol
@ -2286,13 +2287,14 @@ process_action() # $1 = target
# $6 = cports # $6 = cports
# $7 = ratelimit # $7 = ratelimit
{ {
local target="$1" local action="$1"
local clients="$2" local target="$2"
local servers="$3" local clients="$3"
local protocol="$4" local servers="$4"
local ports="$5" local protocol="$5"
local cports="$6" local ports="$6"
local ratelimit="$7" local cports="$7"
local ratelimit="$8"
local rule="`echo $target $clients $servers $protocol $ports $cports $ratelimit`" local rule="`echo $target $clients $servers $protocol $ports $cports $ratelimit`"
if [ -n "$ratelimit" ]; then if [ -n "$ratelimit" ]; then
@ -2319,7 +2321,6 @@ process_action() # $1 = target
expandv loglevel expandv loglevel
fi fi
chain="$action"
logtarget="$target" logtarget="$target"
case $target in case $target in
@ -2402,31 +2403,14 @@ process_actions() {
if [ "${ysourcezone}" != "${ydestzone}" ] ; then if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then if [ "$ypolicy" != NONE ] ; then
process_action $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit
fi fi
fi fi
done done
done done
} }
strip_file actions do_it() {
while read action rest; do
[ "x$rest" = x ] || fatal_error "Invalid Action: $action $rest"
[ "$command" = check ] || createchain $action No
ACTIONS="$ACTIONS $action"
done < $TMP_DIR/actions
for action in $ACTIONS; do
f=action.$action
fn=`find_file $f`
if [ -f $fn ]; then
strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit ; do
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|LOG|QUEUE)
expandv xclients xservers xprotocol xports xcports xratelimit expandv xclients xservers xprotocol xports xcports xratelimit
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
@ -2444,11 +2428,35 @@ process_actions() {
continue continue
fi fi
process_action $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit
}
strip_file actions
while read xaction rest; do
[ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest"
[ "$command" = check ] || createchain $xaction No
f=action.$xaction
fn=`find_file $f`
if [ -f $fn ]; then
echo "Processing $fn..."
strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit ; do
expandv xtarget
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|LOG|QUEUE)
do_it
;; ;;
*) *)
if list_search $temp $ACTIONS; then
do_it
else
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit`" rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit`"
fatal_error "Invalid Action in rule \"$rule\"" fatal_error "Invalid TARGET in rule \"$rule\""
fi
;; ;;
esac esac
@ -2456,7 +2464,9 @@ process_actions() {
else else
fatal_error "Missing Action File: $f" fatal_error "Missing Action File: $f"
fi fi
done
ACTIONS="$ACTIONS $xaction"
done < $TMP_DIR/actions
} }
# #
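Review bot: The `continue` that previously sat directly inside the `while read xtarget ...` loop is now inside the new `do_it()` function (the `if [ "x$xclients" = xall ]` branch in the second hunk of this file), so it has to reach the caller's loop across a function boundary; POSIX leaves that unspecified and shells differ, with some treating it as "not in a loop" rather than skipping the record. Since `do_it` is the last command in both case arms, returning is enough: change that line to `return` and the remaining rows are still processed as intended. Appending to `ACTIONS` only after the file is processed, combined with the `list_search $temp $ACTIONS` check, does mean an action cannot invoke itself or a later-defined one, which is the recursion guard the template text describes; a one-line comment above `ACTIONS="$ACTIONS $xaction"` saying `# Added only after its file is processed, so an action cannot reference itself or a later action` would make that intent explicit. The inner loop's `done < ...` and the rest of `process_actions` lie outside the hunk.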