From beec4a188fd1c526a435510405a87b33bf35b2b6 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 11 Apr 2013 09:15:59 -0700
Subject: [PATCH] Implement INLINE action (again).
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 4 ++++
 Shorewall/Perl/Shorewall/Rules.pm | 14 ++++++++++++++
 Shorewall/action.INLINE | 28 ----------------------------
 Shorewall/actions.std | 1 -
 Shorewall6/actions.std | 1 -
 5 files changed, 18 insertions(+), 30 deletions(-)
 delete mode 100644 Shorewall/action.INLINE
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index f7458bad7..25d0bda56 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -97,6 +97,7 @@ our @EXPORT = ( qw(
 TERMINATING
 STATEMATCH
 USERBUILTIN
+ INLINERULE
 %chain_table
 %targets
@@ -404,6 +405,7 @@ use constant { STANDARD => 0x1, #defined by Netfilter
 INLINE => 0x8000, #Inline action
 STATEMATCH => 0x10000, #action.Invalid, action.Related, etc.
 USERBUILTIN => 0x20000, #Builtin action from user's actions file.
+ INLINERULE => 0x40000, #INLINE
 };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -2624,6 +2626,7 @@ sub initialize_chain_table($) {
 'DEL' => STANDARD + SET,
 'WHITELIST' => STANDARD,
 'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
+ 'INLINE' => INLINERULE,
 );
 for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -2686,6 +2689,7 @@ sub initialize_chain_table($) {
 'DEL' => STANDARD + SET,
 'WHITELIST' => STANDARD,
 'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
+ 'INLINE' => INLINERULE,
 );
 for my $chain ( qw(OUTPUT PREROUTING) ) {
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 0f1af7d7d..2e8d433b4 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
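Review bot: The comment on the new constant, `INLINERULE => 0x40000, #INLINE`, does not say how it differs from the existing `INLINE => 0x8000, #Inline action` flag three lines above it, and two near-identical names with different meanings in the same constant block will trip the next reader of the target tables. Suggest `INLINERULE => 0x40000, #INLINE pseudo-target (handled in process_rule, Rules.pm)`. The two identical `'INLINE' => INLINERULE,` entries in the initialize_chain_table hunks look like parallel target tables (presumably one per address family); a one-line comment on either pointing at the other would make the keep-in-sync requirement explicit. The @EXPORT list, the constant block and initialize_chain_table all begin and end outside these hunks.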
@@ -2238,6 +2238,20 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 fatal_error "HELPER requires require that the helper be specified in the HELPER column" if $helper eq '-';
 fatal_error "HELPER rules may only appear in the NEW section" unless $section == NEW_SECTION;
 $action = '';
 } ,
+
+ INLINE => sub {
+ my $inline_matches = get_inline_matches;
+
+ if ( $inline_matches =~ /^(.*\s+)-j\s+(.+)$/ ) {
+ $matches .= $1;
+ $action = $2;
+ } else {
+ $matches .= "$inline_matches ";
+ $action = '';
+ }
+
+ $rule = $matches;
+ } ,
 );
 my $function = $functions{ $bt };
diff --git a/Shorewall/action.INLINE b/Shorewall/action.INLINE
deleted file mode 100644
index 943f2330f..000000000
--- a/Shorewall/action.INLINE
+++ /dev/null
@@ -1,28 +0,0 @@
-#
-# Shorewall version 4 - INLINE Action
-#
-# /usr/share/shorewall/action.INLINE
-#
-#################################################################################
-?FORMAT 2
-
-DEFAULTS
-
-
-?BEGIN PERL;
-use strict;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my $chainref = get_action_chain;
-my $rule = get_inline_matches;
-
-add_rule( $chainref, $rule, '' );
-
-allow_optimize( $chainref );
-
-?END PERL;
-
-
-
-
-
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index 2b417c110..c72eac69f 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -33,7 +33,6 @@ Drop # Default Action for DROP policy
 dropInvalid inline # Drops packets in the INVALID conntrack state
 DropSmurfs noinline # Drop smurf packets
 Established inline # Handles packets in the ESTABLISHED state
-INLINE nolog # Handles in-line rules
 Invalid inline # Handles packets in the INVALID conntrack state
 New inline # Handles packets in the NEW conntrack state
 NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index b27a726f1..6ac30fa2e 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
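Review bot: The split regex in the new `INLINE` handler, `/^(.*\s+)-j\s+(.+)$/`, requires at least one whitespace character before `-j`, so inline text that begins directly with `-j TARGET` (unless get_inline_matches returns it with leading whitespace) is not recognised and falls into the else branch, where the whole `-j TARGET ` string is appended to `$matches` with `$action` left empty. `/^((?:.*\s+)?)-j\s+(.+)$/` keeps the greedy last-`-j` split while also accepting a leading `-j`. Note too that `(.+)$` captures everything after `-j`, so `$action` receives the target name together with any target options that follow it; a comment such as `# $action takes the whole '-j ...' remainder, target options included` would record whether the consumer of `$action` expects that. The `%functions` table and `process_rule` start before this hunk and continue after it, so what consumes `$rule`, `$matches` and `$action` is not visible here.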
@@ -25,7 +25,6 @@ Drop # Default Action for DROP policy
 dropInvalid inline # Drops packets in the INVALID conntrack state
 DropSmurfs noinline # Handles packets with a broadcast source address
 Established inline # Handles packets in the ESTABLISHED state
-INLINE nolog # Handles in-line rules
 Invalid inline # Handles packets in the INVALID conntrack state
 New inline # Handles packets in the NEW conntrack state
 NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0