Allow parameters to be specified to Default Actions in the policy file

and in shorewall.conf. Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-08 08:44:05 +01:00 · 2011-06-11 14:58:54 -07:00 · 2011-06-11 14:58:54 -07:00 · a60fe6e665
commit a60fe6e665
parent 68bf99ec69
5 changed files with 98 additions and 24 deletions
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -283,6 +283,9 @@ sub print_policy($$$$) {
 }

 sub use_policy_action( $ );
+sub normalize_action( $$$ );
+sub normalize_action_name( $ );
+
 #
 # Process an entry in the policy file.
 #
@ -324,15 +327,18 @@ sub process_a_policy() {
    }

    if ( $default ) {
+	my ( $def, $param ) = get_target_param( $default );
+
 	if ( "\L$default" eq 'none' ) {
 	    $default = 'none';
-	} elsif ( $actions{$default} ) {
+	} elsif ( $actions{$def} ) {
+	    $default = defined $param && $param ne '' ? normalize_action( $def, 'none', $param  ) : normalize_action_name $default;
 	    use_policy_action( $default );
 	} else {
 	    fatal_error "Unknown Default Action ($default)";
 	}
    } else {
-	$default = $default_actions{$policy} || '';
+	$default = $default_actions{$policy} || 'none';
    }

    if ( defined $queue ) {
@ -390,7 +396,9 @@ sub process_a_policy() {
 	$chainref->{synchain}  = $chain
    }

-    $chainref->{default} = $default if $default;
+    assert( $default );
+    my $chainref1 = $usedactions{$default};
+    $chainref->{default} = $chainref1 ? $chainref1->{name} : $default;

    if ( $clientwild ) {
 	if ( $serverwild ) {
@ -462,16 +470,21 @@ sub process_policies()

    for my $option qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) {
 	my $action = $config{$option};
-	next if $action eq 'none';
-	my $actiontype = $targets{$action};
-												 
-	if ( defined $actiontype ) {
-	    fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION;
-	} else {
-	    fatal_error "Default Action $option=$action not found";
-	}
+	
+	unless ( $action eq 'none' ) {
+	    my ( $act, $param ) = get_target_param( $action );

-	use_policy_action( $action );
+	    if ( "\L$action" eq 'none' ) {
+		$action = 'none';
+	    } elsif ( $actions{$act} ) {
+		$action = defined $param && $param ne '' ? normalize_action( $act, 'none', $param  ) : normalize_action_name $action;
+		use_policy_action( $action );
+	    } elsif ( $targets{$act} ) {
+		fatal_error "Invalid setting ($action) for $option";
+	    } else {
+		fatal_error "Default Action $option=$action not found";
+	    }
+	}

 	$default_actions{$map{$option}} = $action;
    }
@ -1515,7 +1528,7 @@ sub process_action( $) {
 # Create a policy action if it doesn't already exist
 #
 sub use_policy_action( $ ) {
-    my $ref = use_action( normalize_action_name $_[0] );
+    my $ref = use_action( $_[0] );
    
    process_action( $ref ) if $ref;
 }
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@ -15,11 +15,23 @@
 #	c) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
+#  The action accepts three optional parameters:
+#
+#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#           actions.
+#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
+#           depending on the setting of the first parameter.
+#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
 FORMAT 2
-
+#
+# The following magic provides different defaults for $2 and $3, when $1 is 
+# 'audit'.
+#
 BEGIN PERL
 use Shorewall::Config;

@ -28,15 +40,15 @@ my $p1 = read_action_param(1);
 if ( defined $p1 && $p1 eq 'audit' ) {
   my ( $p2, $p3 ) = ( read_action_param(2) , read_action_param(3) );

-   set_action_param( 2, 'A_DROP')     unless defined $p2;
-   set_action_param( 3, 'A_REJECT')   unless defined $p3;
+   set_action_param( 2, 'A_REJECT')   unless defined $p2;
+   set_action_param( 3, 'A_DROP')     unless defined $p3;
 };

 1;

 END PERL

-DEFAULTS -,DROP,REJECT
+DEFAULTS -,REJECT,DROP

 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
@ -46,7 +58,7 @@ COUNT
 #
 # Reject 'auth'
 #
-Auth($3)
+Auth($2)
 #
 # Don't log broadcasts
 #
@ -63,7 +75,7 @@ dropInvalid($1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($2)
+SMB($3)
 DropUPnP($1)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@ -12,10 +12,22 @@
 #	b) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
+#  The action accepts three optional parameters:
+#
+#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#           actions.
+#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
 FORMAT 2
-
+#
+# The following magic provides different defaults for $2 and $3, when $1 is 
+# 'audit'.
+#
 BEGIN PERL
 use Shorewall::Config;

@ -24,8 +36,8 @@ my $p1 = read_action_param(1);
 if ( defined $p1 && $p1 eq 'audit' ) {
   my ( $p2, $p3 ) = ( read_action_param(2) , read_action_param(3) );

-   set_action_param( 2, 'A_DROP')     unless defined $p2;
-   set_action_param( 3, 'A_REJECT')   unless defined $p3;
+   set_action_param( 2, 'A_REJECT') unless defined $p2;
+   set_action_param( 3, 'A_REJECT') unless defined $p3;
 };

 1;
@ -42,7 +54,7 @@ COUNT
 #
 # Don't log 'auth' -- REJECT
 #
-Auth($3)
+Auth($2)
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
@ -61,7 +73,7 @@ dropInvalid($1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($2)
+SMB($3)
 DropUPnP($1)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -6,6 +6,8 @@ Changes in Shorewall 4.4.21 Beta 1

 3)  Default values for action parameters.

+4)  Parameterize Drop and Reject actions.
+
 Changes in Shorewall 4.4.20.1

 1)  Corrected FSF address.
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -41,6 +41,41 @@ None.
    is the default value for the second parameter and so on. To specify
    an empty default, use '-'.

+4)  The standard Drop and Reject actions are now parameterized. Each 
+    has three parameters:
+
+    1) Pass 'audit' if you want all ACCEPTs, DROPs and REJECTs audited.
+       Pass '-' otherwise.
+
+    2) The action to be applied to Auth requests 
+
+       	      FIRST PARAMETER           DEFAULT
+  
+  	      -				REJECT
+	      audit			A_REJECT
+
+    3) The action to be applied to SMB traffic. The default depends on
+       the first parameter:
+
+              ACTION	 FIRST PARAMETER		DEFAULT
+
+	      Reject	 -				REJECT
+	      Drop	 -				DROP
+	      Reject	 audit				A_REJECT
+	      Drop	 audit				A_DROP
+
+    The parameters can be passed in the POLICY column of the policy
+    file.
+
+    Examples:
+
+	SOURCE	DEST	POLICY
+	net	all	DROP:Drop(audit):audit  #Same as 
+						#DROP:A_DROP:audit
+
+	SOURCE	DEST	POLICY
+	net	all	DROP:Drop(-,DROP) #DROP rather than REJECT Auth
+
 ----------------------------------------------------------------------------
             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------