extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-22 06:10:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add documentation for parameterized actions

Browse Source
This commit is contained in:
Tom Eastep 2010-12-22 15:09:54 -08:00
parent c6e35be8bc
commit a51eac91b0
4 changed files with 36 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/Perl/Shorewall/Actions.pm
View File

@ -192,7 +192,7 @@ sub createlogactionchain( $$$$$ ) {
fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
$chainref->{chain} = $chain;
$chainref->{action} = $action;
unless ( $targets{$action} & BUILTIN ) {
@ -222,7 +222,7 @@ sub createsimpleactionchain( $ ) {
$usedactions{"$action:none::"} = $chainref;
$chainref->{chain} = $chain;
$chainref->{action} = $action;
unless ( $targets{$action} & BUILTIN ) {

2
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -555,7 +555,7 @@ sub Limit( $$$ ) {
my @param = split /,/, $param ? $param : $tag;
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' unless @param == 3;
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
my $set = $param[0];

5
Shorewall/releasenotes.txt
View File

@ -120,6 +120,11 @@ Beta 1
and in macros invoked from Actions. Additionally, Macros used in
Actions are now free to invoke other actions.
4) There is now limited support for parameterized actions. Currently,
the parameters are only available to extensions scripts. See
http://www.shorewall.net/Actions.html#Extension for more
information.
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------

41
docs/Actions.xml
View File

@ -514,6 +514,11 @@ bar:debug</programlisting>
<listitem>
<para><emphasis role="bold">$tag</emphasis> is the log tag.</para>
</listitem>
<listitem>
<para><emphasis role="bold">@params</emphasis> is the list of
parameter values (Shorewall 4.4.16 and later).</para>
</listitem>
</itemizedlist>
<para>Example:</para>
@ -539,9 +544,11 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
<section id="Limit">
<title>Limiting Per-IP Connection Rate using the Limit Action</title>
<para>Shorewall supports a <quote>Limit</quote> built-in action. Limit is
invoked with a comma-separated list in place of a logging tag. The list
has three elements:</para>
<para>Shorewall supports a <quote>Limit</quote> built-in action. Prior to
Shorewall 4.4.16, Limit is invoked with a comma-separated list in place of
a logging tag. Beginning in Shorewall 4.4.16, it may also be invoked with
a list of three parameters enclosed in parentheses. The list has three
elements:</para>
<orderedlist>
<listitem>
@ -570,12 +577,21 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
<para>Using Shorewall 4.4.16 or later, you can also invoke the action this
way: </para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Limit(SSHA,3,60):none net $FW tcp 22</programlisting>
<para>If you want dropped connections to be logged at the info level, use
this rule instead:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Limit:info:SSHA,3,60 net $FW tcp 22</programlisting>
<para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Limit(SSH,3,60):info net $FW tcp 22</programlisting></para>
<para>To summarize, you pass four pieces of information to the Limit
action:</para>
@ -604,33 +620,32 @@ Limit:info:SSHA,3,60 net $FW tcp 22</programl
<section id="LimitImp">
<title>How Limit is Implemented</title>
<para>For those who are curious, the Limit action is implemented as
follows:</para>
<para>For those who are curious, the Limit action in Shorewall 4.4.16 is
implemented as follows:</para>
<programlisting>use Shorewall::Chains;
my @tag = split /,/, $tag;
@params = split /,/, $tag unless @params;
fatal_error 'Limit rules must include &lt;list name&gt;,&lt;max connections&gt;,&lt;interval&gt; as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
unless @tag == 3;
fatal_error 'Limit rules must include &lt;list name&gt;,&lt;max connections&gt;,&lt;interval&gt; as the log tag or params' unless @params == 3;
my $list = $tag[0];
for ( @tag[1,2] ) {
fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
fatal_error 'Max connections and interval in Limit rules must be numeric (' . $_ . ')' unless /^\d+$/
}
my $count = $tag[1] + 1;
my $count = $params[1] + 1;
add_rule $chainref, "-m recent --name $list --set";
if ( $level ) {
my $xchainref = new_chain 'filter' , "$chainref-&gt;{name}%";
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
log_rule_limit $level, $xchainref, $params[0], 'DROP', '', '', 'add', '';
add_rule $xchainref, '-j DROP';
add_rule $chainref, "-m recent --name $list --update --seconds $tag[2] --hitcount $count -j $xchainref-&gt;{name}";
add_rule $chainref, "-m recent --name $list --update --seconds $params[2] --hitcount $count -j $xchainref-&gt;{name}";
} else {
add_rule $chainref, "-m recent --update --name $list --seconds $tag[2] --hitcount $count -j DROP";
add_rule $chainref, "-m recent --update --name $list --seconds $params[2] --hitcount $count -j DROP";
}
add_rule $chainref, '-j ACCEPT';