Make a couple of the user-defined actions builtins

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1121 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/DropBcast

@@ -1,17 +0,0 @@
-#!/bin/sh
-#
-# Shorewall 2.0 /etc/shorewall/DropBcast
-#
-# System-provided user exit for adding rules to the DropBcast chain
-# created by the DropBcast action (action.DropBcast)
-
-qt iptables -A DropBcast -m pkttype --pkt-type broadcast -j DROP
-
-if ! qt iptables -A DropBcast -m pkttype --pkt-type multicast -j DROP; then
-    #
-    # No pkttype support -- do it the hard way
-    #
-    for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
-	run_iptables -A DropBcast -d $address -j DROP
-    done
-fi

Shorewall2/DropNonSyn

@@ -1,7 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/DropNonSyn
-#
-# System-provided user exit for adding rules to the DropNonSyn chain
-# created by the DropNonSyn action (action.DropNonSyn)
-
-run_iptables -A DropNonSyn -p tcp ! --syn -j DROP

Shorewall2/action.Drop

@@ -7,9 +7,9 @@
 #TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
 #                       	        	PORT    PORT(S)		LIMIT	GROUP
 RejectAuth
-DropBcast
+dropBcast
 DropSMB
 DropUPnP
-DropNonSyn
+dropNonSyn
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall2/action.DropBcast

@@ -1,10 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.DropBcast
-#
-#	This action silently drops Broadcast Traffic. The Chain is
-#	built by the extensions script /etc/shorewall/DropBcast 
-#
-######################################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall2/action.DropNonSyn

@@ -1,10 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.DropNotSyn
-#
-#	This action silently drops Non-Syn Packets. The file
-#	/etc/shorewall/DropNotSyn implements this action.
-#
-######################################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall2/action.Reject

@@ -7,9 +7,9 @@
 #TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
 #                       	        	PORT    PORT(S)		LIMIT	GROUP
 RejectAuth
-DropBcast
+dropBcast
 RejectSMB
 DropUPnP
-DropNonSyn
+dropNonSyn
 DropDNSRep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall2/actions.std

@@ -2,11 +2,16 @@
 # Shorewall 2.0 /etc/shorewall/actions.std
 #
 #
-DropBcast	#Silently Drops Broadcast Traffic
+# Builtin Actions are:
+#
+#    dropBcast          #Silently Drop Broadcast/multicast
+#    dropNonSyn         #Silently Drop Non-syn TCP packets
+#
+#ACTION
+
 DropSMB		#Silently Drops Microsoft SMB Traffic
 RejectSMB	#Silently Reject Microsoft SMB Traffic
 DropUPnP	#Silently Drop UPnP Probes
-DropNonSyn	#Silently Drop Non-syn TCP packets
 RejectAuth	#Silently Reject Auth
 DropPing	#Silently Drop Ping
 DropDNSrep	#Silently Drop DNS Replies
@@ -30,6 +35,6 @@ AllowNNTP	#Allow network news (Usenet).
 AllowTrcrt	#Allows Traceroute (20 hops)
 AllowSNMP	#Allows SNMP (including traps)
 
-Drop:DROP	#Common rules for DROP policy
-Reject:REJECT   #Common Action for Reject policy
+Drop:DROP	#Common Action for DROP policy
+Reject:REJECT   #Common Action for REJECT policy
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall2/changelog.txt

@@ -29,3 +29,6 @@ Changes since 1.4.10
 14) Add action.AllowSNMP
 
 15) Move some code from firewall to functions
+
+16) Removed the DropBcast and DropNonSyn actions and replaced them with
+    builtin actions dropBcast and dropNonSyn.

Shorewall2/firewall

@@ -2325,6 +2325,31 @@ process_action() # $1 = action
 #
 
 process_actions() {
+    #
+    # Add the builtin actions
+    #
+    add_builtin_actions() {
+	
+	if [ "$command" != check ]; then
+	    createchain dropBcast no
+	    qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
+	    if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
+                #
+                # No pkttype support -- do it the hard way
+                #
+		for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
+		    run_iptables -A dropBcast -d $address -j DROP
+		done
+	    fi
+
+	    createchain dropNonSyn no
+	    run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
+	fi
+
+	ACTIONS="dropBcast dropNonSyn"
+	
+    }
+	
     #
     # Process a rule where the source or destination is "all"
     #
@@ -2366,6 +2391,8 @@ process_actions() {
 	process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
     }
 
+    add_builtin_actions
+
     strip_file actions
 
     while read xaction rest; do
@@ -2613,7 +2640,7 @@ add_nat_rule() {
 # Add one Filter Rule -- Helper function for the rules file processor
 #
 # The caller has established the following variables:
-#    check       = current command. If 'check', we're executing a 'check'
+#    command     = current command. If 'check', we're executing a 'check'
 #                  which only goes through the motions.
 #    client	 = SOURCE IP or MAC
 #    server	 = DESTINATION IP or interface

Shorewall2/interfaces

@@ -24,6 +24,9 @@
 #			want to make an entry that applies to all PPP
 #			interfaces, use 'ppp+'.
 #
+#			There is no need to define the loopback	interface (lo)
+#			in this file. 
+#
 #	BROADCAST	The broadcast address for the subnetwork to which the
 #			interface belongs. For P-T-P interfaces, this
 #			column is left black.If the interface has multiple

Shorewall2/releasenotes.txt

@@ -42,8 +42,8 @@ Issues when migrating from Shorewall to Shorewall2:
 
 1) The 'dropunclean' and 'logunclean' interface options are no longer
    supported. If either option is specified in
-   /etc/shorewall2/interfaces, an error message will be generated and
-   Shorewall2 will fail to start.
+   /etc/shorewall2/interfaces, an threatening message will be
+   generated.
 
 2) The NAT_BEFORE_RULES option has been removed from
    shorewall.conf. The behavior of Shorewall2 is as if
@@ -114,6 +114,7 @@ Issues when migrating from Shorewall to Shorewall2:
       AllowRdate      #Allow remote time (rdate).
       AllowNNTP       #Allow network news (Usenet).
       AllowTrcrt      #Allows Traceroute (20 hops)
+      AllowSNMP	      #Allows SNMP (including traps)
 
       Drop:DROP       #Common rules for DROP policy
       Reject:REJECT   #Common Action for Reject policy
@@ -146,7 +147,7 @@ Issues when migrating from Shorewall to Shorewall2:
    like in the rules file (see below). It is thus possible to create
    actions that control traffic from a list of users and/or groups.
 
-   The last column in /etc/shorewall2/rules is now labeled /USER/GROUP
+   The last column in /etc/shorewall2/rules is now labeled USER/GROUP
    and may contain:
 
        [!]<user id>[:]

Shorewall2/shorewall.conf

@@ -168,8 +168,9 @@ RFC1918_LOG_LEVEL=info
 #
 # SMURF Log Level
 #
-# Specifies the logging level for smurf packets. If set to the empty
-# value ( SMURF_LOG_LEVEL="" ) then smurfs are not logged.
+# Specifies the logging level for smurf packets dropped by the
+#'nosmurfs' interface option in /etc/shorewall/interfaces. If set to the empty
+# value ( SMURF_LOG_LEVEL="" ) then dropped smurfs are not logged. 
 
 SMURF_LOG_LEVEL=info