mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-26 16:18:57 +01:00
Allow arbitrary actions for the various states.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
a3a90d8d2e
commit
aa609b87a9
@ -53,7 +53,7 @@ our @EXPORT = qw(
|
||||
verify_audit
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our @EXPORT_OK = qw( initialize process_rule1 );
|
||||
our $VERSION = 'MODULEVERSION';
|
||||
#
|
||||
# Globals are documented in the initialize() function
|
||||
@ -608,7 +608,7 @@ sub process_policies()
|
||||
#
|
||||
# Policy Rule application
|
||||
#
|
||||
sub process_inline ($$$$$$$$$$$$$$$$$$$$);
|
||||
sub process_inline ($$$$$$$$$$$$$$$$$$$$$);
|
||||
|
||||
sub policy_rules( $$$$$ ) {
|
||||
my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
|
||||
@ -627,6 +627,7 @@ sub policy_rules( $$$$$ ) {
|
||||
|
||||
process_inline( $action, #Inline
|
||||
$chainref, #Chain
|
||||
'', #Matches
|
||||
$loglevel, #Log Level and Tag
|
||||
$default, #Target
|
||||
$param || '', #Param
|
||||
@ -1734,8 +1735,8 @@ sub use_policy_action( $$ ) {
|
||||
#
|
||||
# Expand a macro rule from the rules file
|
||||
#
|
||||
sub process_macro ($$$$$$$$$$$$$$$$$$$) {
|
||||
my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
|
||||
sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
|
||||
my ($macro, $chainref, $matches, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
|
||||
|
||||
my $generated = 0;
|
||||
|
||||
@ -1823,7 +1824,7 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
|
||||
|
||||
$generated |= process_rule1(
|
||||
$chainref,
|
||||
'',
|
||||
$matches,
|
||||
$mtarget,
|
||||
$param,
|
||||
$msource,
|
||||
@ -1856,8 +1857,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
|
||||
#
|
||||
# Expand an inline action rule from the rules file
|
||||
#
|
||||
sub process_inline ($$$$$$$$$$$$$$$$$$$$) {
|
||||
my ($inline, $chainref, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
|
||||
sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
|
||||
my ($inline, $chainref, $matches, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
|
||||
|
||||
my $generated = 0;
|
||||
|
||||
@ -1941,7 +1942,7 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$) {
|
||||
|
||||
$generated |= process_rule1(
|
||||
$chainref,
|
||||
'',
|
||||
$matches,
|
||||
$mtarget,
|
||||
$param,
|
||||
$msource,
|
||||
@ -2023,6 +2024,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
my $normalized_target;
|
||||
my $normalized_action;
|
||||
my $blacklist = ( $section == BLACKLIST_SECTION );
|
||||
my $matches = $rule;
|
||||
|
||||
if ( $inchain = defined $chainref ) {
|
||||
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
|
||||
@ -2051,6 +2053,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
|
||||
my $generated = process_macro( $basictarget,
|
||||
$chainref,
|
||||
$rule,
|
||||
$target,
|
||||
$current_param,
|
||||
$source,
|
||||
@ -2397,6 +2400,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
|
||||
my $generated = process_inline( $basictarget,
|
||||
$chainref,
|
||||
$rule,
|
||||
$loglevel,
|
||||
$target,
|
||||
$current_param,
|
||||
@ -2428,38 +2432,38 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
# Either a DNAT, REDIRECT or ACCEPT+ rule or an Action with NAT;
|
||||
# don't apply rate limiting twice
|
||||
#
|
||||
$rule = join( '',
|
||||
do_proto($proto, $ports, $sports),
|
||||
do_user( $user ) ,
|
||||
do_test( $mark , $globals{TC_MASK} ) ,
|
||||
do_connlimit( $connlimit ),
|
||||
do_time( $time ) ,
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
);
|
||||
$rule .= join( '',
|
||||
do_proto($proto, $ports, $sports),
|
||||
do_user( $user ) ,
|
||||
do_test( $mark , $globals{TC_MASK} ) ,
|
||||
do_connlimit( $connlimit ),
|
||||
do_time( $time ) ,
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
);
|
||||
} elsif ( $section & ( INVALID_SECTION | RELATED_SECTION | UNTRACKED_SECTION ) ) {
|
||||
$rule = join( '',
|
||||
do_proto($proto, $ports, $sports),
|
||||
do_ratelimit( $ratelimit, $basictarget ) ,
|
||||
do_user( $user ) ,
|
||||
do_test( $mark , $globals{TC_MASK} ) ,
|
||||
do_connlimit( $connlimit ),
|
||||
do_time( $time ) ,
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
do_helper( $helper ) ,
|
||||
);
|
||||
$rule .= join( '',
|
||||
do_proto($proto, $ports, $sports),
|
||||
do_ratelimit( $ratelimit, $basictarget ) ,
|
||||
do_user( $user ) ,
|
||||
do_test( $mark , $globals{TC_MASK} ) ,
|
||||
do_connlimit( $connlimit ),
|
||||
do_time( $time ) ,
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
do_helper( $helper ) ,
|
||||
);
|
||||
} else {
|
||||
$rule = join( '',
|
||||
do_proto($proto, $ports, $sports),
|
||||
do_ratelimit( $ratelimit, $basictarget ) ,
|
||||
do_user( $user ) ,
|
||||
do_test( $mark , $globals{TC_MASK} ) ,
|
||||
do_connlimit( $connlimit ),
|
||||
do_time( $time ) ,
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
);
|
||||
$rule .= join( '',
|
||||
do_proto($proto, $ports, $sports),
|
||||
do_ratelimit( $ratelimit, $basictarget ) ,
|
||||
do_user( $user ) ,
|
||||
do_test( $mark , $globals{TC_MASK} ) ,
|
||||
do_connlimit( $connlimit ),
|
||||
do_time( $time ) ,
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
);
|
||||
}
|
||||
|
||||
unless ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ||
|
||||
@ -2526,6 +2530,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
#
|
||||
unless ( $actiontype & NATONLY ) {
|
||||
$rule = join( '',
|
||||
$matches,
|
||||
do_proto( $proto, $ports, $sports ),
|
||||
do_ratelimit( $ratelimit, 'ACCEPT' ),
|
||||
do_user $user,
|
||||
|
@ -22,7 +22,7 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Invalid[([<action>|-[,{audit|-}])]
|
||||
# Invalid[([<action>])]
|
||||
#
|
||||
# Default action is DROP
|
||||
#
|
||||
@ -36,19 +36,41 @@ DEFAULTS DROP,-
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules qw( process_rule1 );
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
fatal_error "Invalid parameter ($audit) to action Invalid" if supplied $audit && $audit ne 'audit';
|
||||
fatal_error "Invalid parameter ($action) to action Invalid" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
my $chainref = get_action_chain;
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
my $target = require_audit ( $action , $audit );
|
||||
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
|
||||
|
||||
log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
|
||||
add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
|
||||
my $chainref = get_action_chain;
|
||||
|
||||
process_rule1( $chainref, # Chainref
|
||||
"$globals{STATEMATCH} INVALID ", # Rule
|
||||
$action, # Target
|
||||
'', # Current Param
|
||||
'-', # Source
|
||||
'-', # Dest
|
||||
'-', # Proto
|
||||
'-', # Port(s)
|
||||
'-', # Source Port(s)
|
||||
'-', # Original Dest
|
||||
'-', # Rate Limit
|
||||
'-', # User
|
||||
'-', # Mark
|
||||
'-', # Connlimit
|
||||
'-', # Time
|
||||
'-', # Headers,
|
||||
'-', # condition,
|
||||
'-', # helper,
|
||||
0, # Wildcard
|
||||
);
|
||||
|
||||
allow_optimize( $chainref );
|
||||
|
||||
|
@ -1,11 +1,11 @@
|
||||
#
|
||||
# Shorewall 4 - Invalid Action
|
||||
# Shorewall 4 - Related Action
|
||||
#
|
||||
# /usr/share/shorewall/action.Related
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2013 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
@ -22,7 +22,7 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Related[([<action>|-[,{audit|-}])]
|
||||
# Related[([<action>])]
|
||||
#
|
||||
# Default action is DROP
|
||||
#
|
||||
@ -36,19 +36,41 @@ DEFAULTS DROP,-
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules qw( process_rule1 );
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
fatal_error "Related parameter ($audit) to action Related" if supplied $audit && $audit ne 'audit';
|
||||
fatal_error "Related parameter ($action) to action Related" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Related parameter ($audit) to action Related" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
my $chainref = get_action_chain;
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
my $target = require_audit ( $action , $audit );
|
||||
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
|
||||
|
||||
log_rule_limit $level, $chainref, 'Related' , $action, '', $tag, 'add', "$globals{STATEMATCH} RELATED " if $level ne '';
|
||||
add_jump $chainref , $target, 0, "$globals{STATEMATCH} RELATED ";
|
||||
my $chainref = get_action_chain;
|
||||
|
||||
process_rule1( $chainref, # Chainref
|
||||
"$globals{STATEMATCH} RELATED ", # Rule
|
||||
$action, # Target
|
||||
'', # Current Param
|
||||
'-', # Source
|
||||
'-', # Dest
|
||||
'-', # Proto
|
||||
'-', # Port(s)
|
||||
'-', # Source Port(s)
|
||||
'-', # Original Dest
|
||||
'-', # Rate Limit
|
||||
'-', # User
|
||||
'-', # Mark
|
||||
'-', # Connlimit
|
||||
'-', # Time
|
||||
'-', # Headers,
|
||||
'-', # condition,
|
||||
'-', # helper,
|
||||
0, # Wildcard
|
||||
);
|
||||
|
||||
allow_optimize( $chainref );
|
||||
|
||||
|
@ -5,7 +5,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2013 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
@ -22,7 +22,7 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Untracked[([<action>|-[,{audit|-}])]
|
||||
# Untracked[([<action>])]
|
||||
#
|
||||
# Default action is DROP
|
||||
#
|
||||
@ -36,19 +36,41 @@ DEFAULTS DROP,-
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules qw( process_rule1 );
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
fatal_error "Untracked parameter ($audit) to action Untracked" if supplied $audit && $audit ne 'audit';
|
||||
fatal_error "Untracked parameter ($action) to action Untracked" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Untracked parameter ($audit) to action Untracked" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
my $chainref = get_action_chain;
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
my $target = require_audit ( $action , $audit );
|
||||
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
|
||||
|
||||
log_rule_limit $level, $chainref, 'Untracked' , $action, '', $tag, 'add', "$globals{STATEMATCH} UNTRACKED " if $level ne '';
|
||||
add_jump $chainref , $target, 0, "$globals{STATEMATCH} UNTRACKED ";
|
||||
my $chainref = get_action_chain;
|
||||
|
||||
process_rule1( $chainref, # Chainref
|
||||
"$globals{STATEMATCH} UNTRACKED ", # Rule
|
||||
$action, # Target
|
||||
'', # Current Param
|
||||
'-', # Source
|
||||
'-', # Dest
|
||||
'-', # Proto
|
||||
'-', # Port(s)
|
||||
'-', # Source Port(s)
|
||||
'-', # Original Dest
|
||||
'-', # Rate Limit
|
||||
'-', # User
|
||||
'-', # Mark
|
||||
'-', # Connlimit
|
||||
'-', # Time
|
||||
'-', # Headers,
|
||||
'-', # condition,
|
||||
'-', # helper,
|
||||
0, # Wildcard
|
||||
);
|
||||
|
||||
allow_optimize( $chainref );
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user