extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-26 09:33:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow arbitrary actions for the various states.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-01-27 10:10:24 -08:00
parent a3a90d8d2e
commit aa609b87a9
4 changed files with 136 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -53,7 +53,7 @@ our @EXPORT = qw(
verify_audit
);
our @EXPORT_OK = qw( initialize );
our @EXPORT_OK = qw( initialize process_rule1 );
our $VERSION = 'MODULEVERSION';
#
# Globals are documented in the initialize() function
@ -608,7 +608,7 @@ sub process_policies()
#
# Policy Rule application
#
sub process_inline ($$$$$$$$$$$$$$$$$$$$);
sub process_inline ($$$$$$$$$$$$$$$$$$$$$);
sub policy_rules( $$$$$ ) {
my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
@ -627,6 +627,7 @@ sub policy_rules( $$$$$ ) {
process_inline( $action, #Inline
$chainref, #Chain
'', #Matches
$loglevel, #Log Level and Tag
$default, #Target
$param || '', #Param
@ -1734,8 +1735,8 @@ sub use_policy_action( $$ ) {
#
# Expand a macro rule from the rules file
#
sub process_macro ($$$$$$$$$$$$$$$$$$$) {
my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
my ($macro, $chainref, $matches, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
my $generated = 0;
@ -1823,7 +1824,7 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
$generated |= process_rule1(
$chainref,
'',
$matches,
$mtarget,
$param,
$msource,
@ -1856,8 +1857,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
#
# Expand an inline action rule from the rules file
#
sub process_inline ($$$$$$$$$$$$$$$$$$$$) {
my ($inline, $chainref, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
my ($inline, $chainref, $matches, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
my $generated = 0;
@ -1941,7 +1942,7 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$) {
$generated |= process_rule1(
$chainref,
'',
$matches,
$mtarget,
$param,
$msource,
@ -2023,6 +2024,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
my $normalized_target;
my $normalized_action;
my $blacklist = ( $section == BLACKLIST_SECTION );
my $matches = $rule;
if ( $inchain = defined $chainref ) {
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@ -2051,6 +2053,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
my $generated = process_macro( $basictarget,
$chainref,
$rule,
$target,
$current_param,
$source,
@ -2397,6 +2400,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
my $generated = process_inline( $basictarget,
$chainref,
$rule,
$loglevel,
$target,
$current_param,
@ -2428,7 +2432,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
# Either a DNAT, REDIRECT or ACCEPT+ rule or an Action with NAT;
# don't apply rate limiting twice
#
$rule = join( '',
$rule .= join( '',
do_proto($proto, $ports, $sports),
do_user( $user ) ,
do_test( $mark , $globals{TC_MASK} ) ,
@ -2438,7 +2442,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
do_condition( $condition , $chain ) ,
);
} elsif ( $section & ( INVALID_SECTION | RELATED_SECTION | UNTRACKED_SECTION ) ) {
$rule = join( '',
$rule .= join( '',
do_proto($proto, $ports, $sports),
do_ratelimit( $ratelimit, $basictarget ) ,
do_user( $user ) ,
@ -2450,7 +2454,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
do_helper( $helper ) ,
);
} else {
$rule = join( '',
$rule .= join( '',
do_proto($proto, $ports, $sports),
do_ratelimit( $ratelimit, $basictarget ) ,
do_user( $user ) ,
@ -2526,6 +2530,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
#
unless ( $actiontype & NATONLY ) {
$rule = join( '',
$matches,
do_proto( $proto, $ports, $sports ),
do_ratelimit( $ratelimit, 'ACCEPT' ),
do_user $user,

38
Shorewall/action.Invalid
View File

@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Invalid[([<action>|-[,{audit|-}])]
# Invalid[([<action>])]
#
# Default action is DROP
#
@ -36,19 +36,41 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules qw( process_rule1 );
my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action Invalid" if supplied $audit && $audit ne 'audit';
fatal_error "Invalid parameter ($action) to action Invalid" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
$action = "A_$action";
}
my ( $level, $tag ) = get_action_logging;
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
process_rule1( $chainref, # Chainref
"$globals{STATEMATCH} INVALID ", # Rule
$action, # Target
'', # Current Param
'-', # Source
'-', # Dest
'-', # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
allow_optimize( $chainref );

42
Shorewall/action.Related
View File

@ -1,11 +1,11 @@
#
# Shorewall 4 - Invalid Action
# Shorewall 4 - Related Action
#
# /usr/share/shorewall/action.Related
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2013 - Tom Eastep (teastep@shorewall.net)
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Related[([<action>|-[,{audit|-}])]
# Related[([<action>])]
#
# Default action is DROP
#
@ -36,19 +36,41 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules qw( process_rule1 );
my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Related parameter ($audit) to action Related" if supplied $audit && $audit ne 'audit';
fatal_error "Related parameter ($action) to action Related" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
if ( supplied $audit ) {
fatal_error "Related parameter ($audit) to action Related" if $audit ne 'audit';
$action = "A_$action";
}
my ( $level, $tag ) = get_action_logging;
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'Related' , $action, '', $tag, 'add', "$globals{STATEMATCH} RELATED " if $level ne '';
add_jump $chainref , $target, 0, "$globals{STATEMATCH} RELATED ";
process_rule1( $chainref, # Chainref
"$globals{STATEMATCH} RELATED ", # Rule
$action, # Target
'', # Current Param
'-', # Source
'-', # Dest
'-', # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
allow_optimize( $chainref );

40
Shorewall/action.Untracked
View File

@ -5,7 +5,7 @@
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2013 - Tom Eastep (teastep@shorewall.net)
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Untracked[([<action>|-[,{audit|-}])]
# Untracked[([<action>])]
#
# Default action is DROP
#
@ -36,19 +36,41 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules qw( process_rule1 );
my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Untracked parameter ($audit) to action Untracked" if supplied $audit && $audit ne 'audit';
fatal_error "Untracked parameter ($action) to action Untracked" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
if ( supplied $audit ) {
fatal_error "Untracked parameter ($audit) to action Untracked" if $audit ne 'audit';
$action = "A_$action";
}
my ( $level, $tag ) = get_action_logging;
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'Untracked' , $action, '', $tag, 'add', "$globals{STATEMATCH} UNTRACKED " if $level ne '';
add_jump $chainref , $target, 0, "$globals{STATEMATCH} UNTRACKED ";
process_rule1( $chainref, # Chainref
"$globals{STATEMATCH} UNTRACKED ", # Rule
$action, # Target
'', # Current Param
'-', # Source
'-', # Dest
'-', # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
allow_optimize( $chainref );