diff --git a/Shorewall/Perl/Shorewall/Actions.pm b/Shorewall/Perl/Shorewall/Actions.pm
index c84d1d3af..467396e31 100644
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -192,7 +192,7 @@ sub createlogactionchain( $$$$$ ) {
 fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
- $chainref->{chain} = $chain;
+ $chainref->{action} = $action;
 unless ( $targets{$action} & BUILTIN ) {
@@ -222,7 +222,7 @@ sub createsimpleactionchain( $ ) {
 $usedactions{"$action:none::"} = $chainref;
- $chainref->{chain} = $chain;
+ $chainref->{action} = $action;
 unless ( $targets{$action} & BUILTIN ) {
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index e28982bb7..2a1631e5e 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -555,7 +555,7 @@ sub Limit( $$$ ) {
 my @param = split /,/, $param ? $param : $tag;
- fatal_error 'Limit rules must include ,, as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' unless @param == 3;
+ fatal_error 'Limit rules must include ,, as the log tag or as parameters' unless @param == 3;
 my $set = $param[0];
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index bd826848c..3ecedac53 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -120,6 +120,11 @@ Beta 1
 and in macros invoked from Actions. Additionally, Macros used in Actions are now free to invoke other actions.
+4) There is now limited support for parameterized actions. Currently,
+ the parameters are only available to extensions scripts. See
+ http://www.shorewall.net/Actions.html#Extension for more
+ information.
+
 ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S ----------------------------------------------------------------------------
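Review bot: The `+` line in createlogactionchain stores the action name under a new hash key, `action`, and the old `chain` key is no longer set, so any code elsewhere that still reads `$chainref->{chain}` will now silently get undef rather than a compile- or run-time error, since hash keys are not checked under strict. I cannot see from this hunk whether such a reader survives; it is worth grepping for `{chain}` before merging, and the same applies to the identical change in the createsimpleactionchain hunk at line 222. A short comment above the assignment would also help, since the key name alone does not say what consumes it, e.g. `# Record the action this chain was created for.` Both sub bodies begin and end outside their hunks.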
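Review bot: The new fatal_error message on the `+` line in Limit drops the rule context that the removed line carried (the `Limit:<level>:<tag>` triple), so with several Limit rules in the file the user can no longer tell which one failed, and the new parameter form is not shown either. Keep the context and print whichever source was split, e.g. `fatal_error 'Limit rules must include ... as the log tag or as parameters (' . ( $param ? "Limit($param)" : join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) ) . ')' unless @param == 3;`, with `...` standing for the placeholder list in the existing string, which looks truncated to `,,` in this rendering. The body of Limit continues outside the hunk, so I cannot confirm here that the numeric check on `$param[1]` and `$param[2]` still runs before they are interpolated into the generated iptables rule; that is worth verifying now that the values can come from the action's parameter list as well as from the log tag.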
diff --git a/docs/Actions.xml b/docs/Actions.xml index d0c35c279..aae4e4176 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -514,6 +514,11 @@ bar:debug $tag is the log tag. + + + @params is the list of + parameter values (Shorewall 4.4.16 and later). + Example: @@ -539,9 +544,11 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
Limiting Per-IP Connection Rate using the Limit Action - Shorewall supports a Limit built-in action. Limit is - invoked with a comma-separated list in place of a logging tag. The list - has three elements: + Shorewall supports a Limit built-in action. Prior to + Shorewall 4.4.16, Limit is invoked with a comma-separated list in place of + a logging tag. Beginning in Shorewall 4.4.16, it may also be invoked with + a list of three parameters enclosed in parentheses. The list has three + elements: @@ -570,12 +577,21 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP'; #ACTION SOURCE DEST PROTO DEST PORT(S) Limit:none:SSHA,3,60 net $FW tcp 22 + Using Shorewall 4.4.16 or later, you can also invoke the action this + way: + + #ACTION SOURCE DEST PROTO DEST PORT(S) +Limit(SSHA,3,60):none net $FW tcp 22 + If you want dropped connections to be logged at the info level, use this rule instead: #ACTION SOURCE DEST PROTO DEST PORT(S) Limit:info:SSHA,3,60 net $FW tcp 22 + Shorewall 4.4.16 and later:#ACTION SOURCE DEST PROTO DEST PORT(S) +Limit(SSH,3,60):info net $FW tcp 22 + To summarize, you pass four pieces of information to the Limit action: 
@@ -604,33 +620,32 @@ Limit:info:SSHA,3,60 net $FW tcp 22 How Limit is Implemented - For those who are curious, the Limit action is implemented as - follows: + For those who are curious, the Limit action in Shorewall 4.4.16 is + implemented as follows: use Shorewall::Chains; -my @tag = split /,/, $tag; +@params = split /,/, $tag unless @params; -fatal_error 'Limit rules must include <list name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' - unless @tag == 3; +fatal_error 'Limit rules must include <list name>,<max connections>,<interval> as the log tag or params' unless @params == 3; my $list = $tag[0]; for ( @tag[1,2] ) { - fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/ + fatal_error 'Max connections and interval in Limit rules must be numeric (' . $_ . ')' unless /^\d+$/ } -my $count = $tag[1] + 1; +my $count = $params[1] + 1; add_rule $chainref, "-m recent --name $list --set"; if ( $level ) { my $xchainref = new_chain 'filter' , "$chainref->{name}%"; - log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', ''; + log_rule_limit $level, $xchainref, $params[0], 'DROP', '', '', 'add', ''; add_rule $xchainref, '-j DROP'; - add_rule $chainref, "-m recent --name $list --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}"; + add_rule $chainref, "-m recent --name $list --update --seconds $params[2] --hitcount $count -j $xchainref->{name}"; } else { - add_rule $chainref, "-m recent --update --name $list --seconds $tag[2] --hitcount $count -j DROP"; + add_rule $chainref, "-m recent --update --name $list --seconds $params[2] --hitcount $count -j DROP"; } add_rule $chainref, '-j ACCEPT';
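Review bot: In the new version of the sample, `my $list = $tag[0];` and `for ( @tag[1,2] ) {` still read `@tag`, but the `my @tag = split ...` declaration was removed and the values now live in `@params`; under strict this no longer compiles, and without strict `$list` is undef and the `/^\d+$/` loop iterates over nothing, so `$params[1]` and `$params[2]` reach the `--seconds` and `--hitcount` arguments unvalidated. Change the two lines to `my $list = $params[0];` and `for ( @params[1,2] ) {`. Readers copy this sample into extension scripts, so it should match the working implementation.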