From aa609b87a94395ee312c3b9cade8f0a735a7dd0b Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 27 Jan 2013 10:10:24 -0800
Subject: [PATCH] Allow arbitrary actions for the various states.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Rules.pm | 81 ++++++++++++++++---------------
 Shorewall/action.Invalid | 38 ++++++++++++---
 Shorewall/action.Related | 42 ++++++++++++----
 Shorewall/action.Untracked | 40 +++++++++++----
 4 files changed, 136 insertions(+), 65 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 2b018ee60..635a6f354 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -53,7 +53,7 @@ our @EXPORT = qw(
 verify_audit
 );
-our @EXPORT_OK = qw( initialize );
+our @EXPORT_OK = qw( initialize process_rule1 );
 our $VERSION = 'MODULEVERSION';
 #
 # Globals are documented in the initialize() function
@@ -608,7 +608,7 @@ sub process_policies()
 #
 # Policy Rule application
 #
-sub process_inline ($$$$$$$$$$$$$$$$$$$$);
+sub process_inline ($$$$$$$$$$$$$$$$$$$$$);
 sub policy_rules( $$$$$ ) {
 my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
@@ -627,6 +627,7 @@ sub policy_rules( $$$$$ ) {
 process_inline( $action, #Inline
 $chainref, #Chain
+ '', #Matches
 $loglevel, #Log Level and Tag
 $default, #Target
 $param || '', #Param
@@ -1734,8 +1735,8 @@ sub use_policy_action( $$ ) {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ($$$$$$$$$$$$$$$$$$$) {
- my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
+sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
+ my ($macro, $chainref, $matches, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
 my $generated = 0;
@@ -1823,7 +1824,7 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
 $generated |= process_rule1(
 $chainref,
- '',
+ $matches,
 $mtarget,
 $param,
 $msource,
@@ -1856,8 +1857,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
 #
 # Expand an inline action rule from the rules file
 #
-sub process_inline ($$$$$$$$$$$$$$$$$$$$) {
- my ($inline, $chainref, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
+sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
+ my ($inline, $chainref, $matches, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
 my $generated = 0;
@@ -1941,7 +1942,7 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$) {
 $generated |= process_rule1(
 $chainref,
- '',
+ $matches,
 $mtarget,
 $param,
 $msource,
@@ -2023,6 +2024,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
 my $normalized_target;
 my $normalized_action;
 my $blacklist = ( $section == BLACKLIST_SECTION );
+ my $matches = $rule;
 if ( $inchain = defined $chainref ) {
 ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@@ -2051,6 +2053,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
 my $generated = process_macro( $basictarget,
 $chainref,
+ $rule,
 $target,
 $current_param,
 $source,
@@ -2397,6 +2400,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
 my $generated = process_inline( $basictarget,
 $chainref,
+ $rule,
 $loglevel,
 $target,
 $current_param,
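Review bot: The new `my $matches = $rule;` in the @@ -2023 hunk of process_rule1 carries no comment saying why the parameter is copied; its purpose only becomes visible several hundred lines later, where `$rule` is extended in place with `.=` and the NATONLY branch rebuilds the rule from `$matches`. A why-comment here would spare the next reader that search, e.g. `my $matches = $rule; # caller-supplied match text (the action files pass a state match); $rule is appended to below, so keep the untouched prefix for the non-NAT rule`. The `$matches` argument threaded through process_macro and process_inline in the hunks above could carry the same one-line comment at their `my (...) = @_;` unpacking, since the name alone does not say whether it is a complete rule or a prefix. process_rule1, process_macro and process_inline all start and end outside these hunks.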
@@ -2428,38 +2432,38 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
 # Either a DNAT, REDIRECT or ACCEPT+ rule or an Action with NAT;
 # don't apply rate limiting twice
 #
- $rule = join( '',
- do_proto($proto, $ports, $sports),
- do_user( $user ) ,
- do_test( $mark , $globals{TC_MASK} ) ,
- do_connlimit( $connlimit ),
- do_time( $time ) ,
- do_headers( $headers ) ,
- do_condition( $condition , $chain ) ,
- );
+ $rule .= join( '',
+ do_proto($proto, $ports, $sports),
+ do_user( $user ) ,
+ do_test( $mark , $globals{TC_MASK} ) ,
+ do_connlimit( $connlimit ),
+ do_time( $time ) ,
+ do_headers( $headers ) ,
+ do_condition( $condition , $chain ) ,
+ );
 } elsif ( $section & ( INVALID_SECTION | RELATED_SECTION | UNTRACKED_SECTION ) ) {
- $rule = join( '',
- do_proto($proto, $ports, $sports),
- do_ratelimit( $ratelimit, $basictarget ) ,
- do_user( $user ) ,
- do_test( $mark , $globals{TC_MASK} ) ,
- do_connlimit( $connlimit ),
- do_time( $time ) ,
- do_headers( $headers ) ,
- do_condition( $condition , $chain ) ,
- do_helper( $helper ) ,
- );
+ $rule .= join( '',
+ do_proto($proto, $ports, $sports),
+ do_ratelimit( $ratelimit, $basictarget ) ,
+ do_user( $user ) ,
+ do_test( $mark , $globals{TC_MASK} ) ,
+ do_connlimit( $connlimit ),
+ do_time( $time ) ,
+ do_headers( $headers ) ,
+ do_condition( $condition , $chain ) ,
+ do_helper( $helper ) ,
+ );
 } else {
- $rule = join( '',
- do_proto($proto, $ports, $sports),
- do_ratelimit( $ratelimit, $basictarget ) ,
- do_user( $user ) ,
- do_test( $mark , $globals{TC_MASK} ) ,
- do_connlimit( $connlimit ),
- do_time( $time ) ,
- do_headers( $headers ) ,
- do_condition( $condition , $chain ) ,
- );
+ $rule .= join( '',
+ do_proto($proto, $ports, $sports),
+ do_ratelimit( $ratelimit, $basictarget ) ,
+ do_user( $user ) ,
+ do_test( $mark , $globals{TC_MASK} ) ,
+ do_connlimit( $connlimit ),
+ do_time( $time ) ,
+ do_headers( $headers ) ,
+ do_condition( $condition , $chain ) ,
+ );
 }
 unless ( $section & ( NEW_SECTION |
 DEFAULTACTION_SECTION ) ||
@@ -2526,6 +2530,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
 #
 unless ( $actiontype & NATONLY ) {
 $rule = join( '',
+ $matches,
 do_proto( $proto, $ports, $sports ),
 do_ratelimit( $ratelimit, 'ACCEPT' ),
 do_user $user,
diff --git a/Shorewall/action.Invalid b/Shorewall/action.Invalid
index 725e1a412..f3287c06c 100644
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -22,7 +22,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Invalid[([|-[,{audit|-}])]
+# Invalid[([])]
 #
 # Default action is DROP
 #
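Review bot: The three `$rule .= join( '', ... )` branches in this hunk now depend on the caller-supplied text in `$rule` ending in whitespace; the new callers in action.Invalid, action.Related and action.Untracked pass `"$globals{STATEMATCH} INVALID "` (and the RELATED/UNTRACKED equivalents) with a trailing space, but nothing in process_rule1 enforces it, so a future caller that omits the space would fuse its text onto the first `do_proto` token. Either a guard before the branches, `$rule .= ' ' if length $rule && $rule !~ / \z/;`, or a comment at the first `.=` stating the convention would make that contract explicit. The three branches differ only by `do_ratelimit` and `do_helper`, so factoring the shared `do_user`…`do_condition` list into a small helper would keep them from drifting apart now that all three had to change in lockstep. process_rule1 starts and ends outside the hunk; the NATONLY branch in the following hunk rebuilds `$rule` from `$matches` instead of appending, which is consistent with the copy taken at the top of the function but deserves a one-line comment there as well.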
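Review bot: The usage line in this hunk drops the second parameter altogether (`Invalid[([])]`), yet the code hunk below still reads two parameters via `get_action_params( 2 )` and accepts `audit` for the second one, so the header now under-documents the action's interface. Keep the optional second parameter in the usage line, e.g. `# Invalid[([action|-[,{audit|-}])]` with `action` standing for whatever placeholder name the repository uses, and add a sentence that the first parameter may now be any rule target rather than only ACCEPT, DROP or REJECT. The old line appears to have lost an angle-bracketed placeholder in rendering, so restore it from the repository rather than from this diff. The same applies to the matching header hunks in action.Related and action.Untracked.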
@@ -36,19 +36,41 @@ DEFAULTS DROP,-
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules qw( process_rule1 );
 my ( $action, $audit ) = get_action_params( 2 );
-fatal_error "Invalid parameter ($audit) to action Invalid" if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action Invalid" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+if ( supplied $audit ) {
+ fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
+ $action = "A_$action";
+}
-my $chainref = get_action_chain;
+my ( $level, $tag ) = get_action_logging;
-my ( $level, $tag ) = get_action_logging;
-my $target = require_audit ( $action , $audit );
+$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
-log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
-add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
+my $chainref = get_action_chain;
+
+process_rule1( $chainref, # Chainref
+ "$globals{STATEMATCH} INVALID ", # Rule
+ $action, # Target
+ '', # Current Param
+ '-', # Source
+ '-', # Dest
+ '-', # Proto
+ '-', # Port(s)
+ '-', # Source Port(s)
+ '-', # Original Dest
+ '-', # Rate Limit
+ '-', # User
+ '-', # Mark
+ '-', # Connlimit
+ '-', # Time
+ '-', # Headers,
+ '-', # condition,
+ '-', # helper,
+ 0, # Wildcard
+);
 allow_optimize( $chainref );
diff --git a/Shorewall/action.Related b/Shorewall/action.Related
index 779d10bd6..55aa20197 100644
--- a/Shorewall/action.Related
+++ b/Shorewall/action.Related
@@ -1,11 +1,11 @@
 #
-# Shorewall 4 - Invalid Action
+# Shorewall 4 - Related Action
 #
 # /usr/share/shorewall/action.Related
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2013 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
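Review bot: With the `^(?:ACCEPT|DROP|REJECT)$` check removed, the `if ( supplied $audit )` branch prepends `A_` to whatever `$action` was given, so `Invalid(SomeAction,audit)` produces a target `A_SomeAction` that presumably fails somewhere inside process_rule1 with a message that no longer names the real cause; if the `A_` targets exist only for the three builtin actions, as the removed check implied, keep that validation for the audited case: `fatal_error "Invalid parameter ($action) to action Invalid" if supplied $audit && $action !~ /^(?:ACCEPT|DROP|REJECT)$/;`. The guard on `$action = join( ':', $action, $level, $tag ) if "${level}${tag}";` tests Perl truthiness of the concatenation, which is false when the level arrives as the string `0` with no tag and, with a tag but no level, builds `ACCEPT::tag`, which process_rule1 may not parse as intended; the removed code tested `$level ne ''`, so `if $level ne '' || $tag ne ''` preserves that behaviour (assuming get_action_logging returns defined strings, as the old code also assumed). Both points apply to the matching hunks in action.Related and action.Untracked, where the messages `Related parameter ($audit) to action Related` and `Untracked parameter ($audit) to action Untracked` also read like copies of `Invalid parameter ...` with the wrong word substituted. Whatever `require_audit` enforced before is now left to process_rule1; confirm that it reports a comparable error for an unsupported audit target.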
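Review bot: The copyright line in this hunk goes backwards, from `(c) 2013` to `(c) 2011,2012`, in a commit dated January 2013; the same regression appears in the first hunk of action.Untracked. Unless these files were copied from older ones and the years are being corrected deliberately, the line should keep 2013, e.g. `# (c) 2013 - Tom Eastep (teastep@shorewall.net)` or a list that includes it. The `Invalid Action` → `Related Action` title fix in the same hunk is correct.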
@@ -22,7 +22,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Related[([|-[,{audit|-}])]
+# Related[([])]
 #
 # Default action is DROP
 #
@@ -36,19 +36,41 @@ DEFAULTS DROP,-
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules qw( process_rule1 );
 my ( $action, $audit ) = get_action_params( 2 );
-fatal_error "Related parameter ($audit) to action Related" if supplied $audit && $audit ne 'audit';
-fatal_error "Related parameter ($action) to action Related" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+if ( supplied $audit ) {
+ fatal_error "Related parameter ($audit) to action Related" if $audit ne 'audit';
+ $action = "A_$action";
+}
-my $chainref = get_action_chain;
+my ( $level, $tag ) = get_action_logging;
-my ( $level, $tag ) = get_action_logging;
-my $target = require_audit ( $action , $audit );
+$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
-log_rule_limit $level, $chainref, 'Related' , $action, '', $tag, 'add', "$globals{STATEMATCH} RELATED " if $level ne '';
-add_jump $chainref , $target, 0, "$globals{STATEMATCH} RELATED ";
+my $chainref = get_action_chain;
+
+process_rule1( $chainref, # Chainref
+ "$globals{STATEMATCH} RELATED ", # Rule
+ $action, # Target
+ '', # Current Param
+ '-', # Source
+ '-', # Dest
+ '-', # Proto
+ '-', # Port(s)
+ '-', # Source Port(s)
+ '-', # Original Dest
+ '-', # Rate Limit
+ '-', # User
+ '-', # Mark
+ '-', # Connlimit
+ '-', # Time
+ '-', # Headers,
+ '-', # condition,
+ '-', # helper,
+ 0, # Wildcard
+);
 allow_optimize( $chainref );
diff --git a/Shorewall/action.Untracked b/Shorewall/action.Untracked
index 1c538ecb9..f592105e6 100644
--- a/Shorewall/action.Untracked
+++ b/Shorewall/action.Untracked
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2013 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Untracked[([|-[,{audit|-}])]
+# Untracked[([])]
 #
 # Default action is DROP
 #
@@ -36,19 +36,41 @@ DEFAULTS DROP,-
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules qw( process_rule1 );
 my ( $action, $audit ) = get_action_params( 2 );
-fatal_error "Untracked parameter ($audit) to action Untracked" if supplied $audit && $audit ne 'audit';
-fatal_error "Untracked parameter ($action) to action Untracked" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+if ( supplied $audit ) {
+ fatal_error "Untracked parameter ($audit) to action Untracked" if $audit ne 'audit';
+ $action = "A_$action";
+}
-my $chainref = get_action_chain;
+my ( $level, $tag ) = get_action_logging;
-my ( $level, $tag ) = get_action_logging;
-my $target = require_audit ( $action , $audit );
+$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
-log_rule_limit $level, $chainref, 'Untracked' , $action, '', $tag, 'add', "$globals{STATEMATCH} UNTRACKED " if $level ne '';
-add_jump $chainref , $target, 0, "$globals{STATEMATCH} UNTRACKED ";
+my $chainref = get_action_chain;
+
+process_rule1( $chainref, # Chainref
+ "$globals{STATEMATCH} UNTRACKED ", # Rule
+ $action, # Target
+ '', # Current Param
+ '-', # Source
+ '-', # Dest
+ '-', # Proto
+ '-', # Port(s)
+ '-', # Source Port(s)
+ '-', # Original Dest
+ '-', # Rate Limit
+ '-', # User
+ '-', # Mark
+ '-', # Connlimit
+ '-', # Time
+ '-', # Headers,
+ '-', # condition,
+ '-', # helper,
+ 0, # Wildcard
+);
 allow_optimize( $chainref );