diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index a22bfa38f..5af80ba50 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -2655,6 +2655,15 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) { return 1; } +# +# Helper for the perl_action_xxx functions +# +sub merge_target( $$ ) { + my ( $ref, $target ) = @_; + + $ref->{inline} ? $target : merge_levels( join( ':', @actparms{'chain','loglevel','logtag'}), $target ); +} + # # May be called by Perl code in action bodies (regular and inline) to generate a rule. # @@ -2668,18 +2677,18 @@ sub perl_action_helper($$;$) { $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/; - if ( $inlines{$action} ) { + if ( my $ref = $inlines{$action} ) { $result = &process_rule( $chainref, $matches, $actiontype || 0, - $target, + merge_target( $ref, $target ), '', # CurrentParam @columns ); } else { $result = process_rule( $chainref, $matches, $actiontype || 0, - $target, + merge_target( $actions{$action}, $target ), '', # Current Param '-', # Source '-', # Dest @@ -2697,6 +2706,7 @@ sub perl_action_helper($$;$) { '-', # helper, 0, # Wildcard ); + allow_optimize( $chainref ); } # # Record that we generated a rule to avoid bogus warning @@ -2722,11 +2732,11 @@ sub perl_action_tcp_helper($$) { # # For other protos, a 'no rule generated' warning will be issued # - if ( $inlines{$action} ) { + if ( my $ref = $inlines{$action} ) { $result = &process_rule( $chainref, $proto, 0, - $target, + merge_target( $ref, $target ), '', @columns[0,1], '-', @@ -2736,7 +2746,7 @@ sub perl_action_tcp_helper($$) { $result = process_rule( $chainref, '', 0, - $target, + merge_target( $actions{$action}, $target ), '', # Current Param '-', # Source '-', # Dest @@ -2754,6 +2764,7 @@ sub perl_action_tcp_helper($$) { '-', # helper, 0, # Wildcard ); + allow_optimize( $chainref ); } # # Record that we generated a rule to avoid bogus warning 
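Review bot: `merge_target` chooses between the two branches on `$ref->{inline}`, which only works if the entries kept in `%inlines` carry an `inline` key — nothing in this hunk establishes that, and both callers already know which hash the entry came from, so passing that knowledge explicitly (for example `merge_target( !!$inlines{$action}, $target )` with a boolean first argument) would not depend on an invariant the reader cannot see here. If `$ref` is ever undef (an action name in neither hash) the ternary silently falls into the merge branch instead of failing; a defensive check on `$ref` would surface that. The header comment should also say what the arguments are: I would expand `# Helper for the perl_action_xxx functions` to state that `$ref` is the `%actions`/`%inlines` entry of the action being expanded, that `$target` is the target requested by the action body, that for regular actions the invoking rule's level and tag from `%actparms` are merged into it, and that inline bodies are returned unchanged — presumably because `process_rule` applies the level itself when expanding an inline body, which should be confirmed before writing it down. An explicit `return` in front of the ternary would make the intent clearer than relying on the last-expression value.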
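Review bot: `allow_optimize( $chainref )` is added only inside the `else` branch, i.e. for regular (non-inline) actions, whereas the action bodies this commit simplifies (action.Established, action.Invalid, action.Related, action.NotSyn, action.RST) previously called `allow_optimize( get_action_chain )` unconditionally, including when the action was expanded inline. If skipping it for inline expansions is intentional — there `$chainref` is the caller's chain rather than the action's own — a short comment on the added line would record that, e.g. `allow_optimize( $chainref ); # regular action: its own chain may be optimized away`; otherwise the call belongs after the `if`/`else` so both paths keep the old behaviour. The same applies to the matching line added in `perl_action_tcp_helper` in the last hunk of this file. The enclosing `perl_action_helper` starts in the previous hunk and continues past this one.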
diff --git a/Shorewall/action.Established b/Shorewall/action.Established index f35798318..3e8d2deec 100644 --- a/Shorewall/action.Established +++ b/Shorewall/action.Established @@ -40,17 +40,11 @@ use Shorewall::Rules qw( process_rule1 ); my ( $action ) = get_action_params( 1 ); -my ( $level, $tag ) = get_action_logging; - -$action = join( ':', $action, $level, $tag ) if "${level}${tag}"; - perl_action_helper( $action, # Target "$globals{STATEMATCH} ESTABLISHED", # Matches ); -allow_optimize( get_action_chain ); - 1; ?END PERL; diff --git a/Shorewall/action.Invalid b/Shorewall/action.Invalid index 8e0093398..3cde88f01 100644 --- a/Shorewall/action.Invalid +++ b/Shorewall/action.Invalid @@ -45,17 +45,11 @@ if ( supplied $audit ) { $action = "A_$action"; } -my ( $level, $tag ) = get_action_logging; - -$action = join( ':', $action, $level, $tag ) if "${level}${tag}"; - perl_action_helper( $action, # Target "$globals{STATEMATCH} INVALID", # Matches ); -allow_optimize( get_action_chain); - 1; ?END PERL; diff --git a/Shorewall/action.NotSyn b/Shorewall/action.NotSyn index 6a1b64fc0..8def649e2 100644 --- a/Shorewall/action.NotSyn +++ b/Shorewall/action.NotSyn @@ -33,6 +33,7 @@ DEFAULTS DROP,- ?BEGIN PERL; +use strict; use Shorewall::IPAddrs; use Shorewall::Config; use Shorewall::Chains; @@ -45,16 +46,7 @@ if ( supplied $audit ) { $action = "A_$action"; } -my ( $level, $tag ) = get_action_logging; - -$action = join( ':', $action, $level, $tag ) if "${level}${tag}"; - -perl_action_tcp_helper( - $action, - '-p 6 ! --syn' - ); - -allow_optimize( get_action_chain ); +perl_action_tcp_helper( $action, '-p 6 ! --syn' ); 1; diff --git a/Shorewall/action.RST b/Shorewall/action.RST index 366943e9f..b2463321a 100644 --- a/Shorewall/action.RST +++ b/Shorewall/action.RST 
@@ -44,16 +44,7 @@ if ( supplied $audit ) { $action = "A_$action"; } -my ( $level, $tag ) = get_action_logging; - -$action = join( ':', $action, $level, $tag ) if "${level}${tag}"; - -perl_action_tcp_helper( - $action, - '-p 6 --tcp-flags RST RST' - ); - -allow_optimize( get_action_chain ); +perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' ); 1; diff --git a/Shorewall/action.Related b/Shorewall/action.Related index b5683dee3..8366c4045 100644 --- a/Shorewall/action.Related +++ b/Shorewall/action.Related @@ -41,17 +41,11 @@ use Shorewall::Rules qw( process_rule1 ); my ( $action ) = get_action_params( 1 ); -my ( $level, $tag ) = get_action_logging; - -$action = join( ':', $action, $level, $tag ) if "${level}${tag}"; - perl_action_helper( $action, # Target "$globals{STATEMATCH} RELATED", # Matches ); -allow_optimize( get_action_chain ); - 1; ?END PERL; diff --git a/Shorewall/action.TCPFlags b/Shorewall/action.TCPFlags index 8e302c269..8ba79c2a8 100644 --- a/Shorewall/action.TCPFlags +++ b/Shorewall/action.TCPFlags 
@@ -17,43 +17,21 @@ DEFAULTS DROP,- use strict; use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6); use Shorewall::Chains; +use Shorewall::Rules; -my ( $disposition, $audit ) = get_action_params( 2 ); +my ( $action, $audit ) = get_action_params( 2 ); my $chainref = get_action_chain; -my ( $level, $tag ) = get_action_logging; +if ( supplied $audit ) { + fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit'; + $action = "A_$action"; +} -fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/; - -if ( $level ne '-' || $audit ne '-' ) { - my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0; - - log_rule_limit( $level, - $logchainref, - $chainref->{name}, - $disposition, - '', - $tag, - 'add', - '' ) if $level; - - if ( supplied $audit ) { - fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit'; - require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's'; - add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition ); - } - - add_ijump( $logchainref, g => $disposition ); - - $disposition = $logchainref; -} - -add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH'; -add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE'; -add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST'; -add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN'; -add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0'; +perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' ); +perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' ); +perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' ); +perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' ); ?END PERL; diff --git a/Shorewall/actions.std b/Shorewall/actions.std index 4d1842a0e..b62690e37 100644 --- a/Shorewall/actions.std 
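Review bot: The rewritten body drops the `--tcp-flags ALL NONE` rule that the removed code emitted between the FIN,URG,PSH and SYN,RST rules, so TCP packets with no flags set (a NULL scan) are no longer matched by this action — unless that is deliberate it should be restored with `perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );`. The new `fatal_error` text names the wrong action: `fatal_error "Invalid parameter ($audit) to action Invalid"` should read `... to action TCPFlags` (the removed line had it right). `my $chainref = get_action_chain;` survives as context but nothing in the new body uses `$chainref`, so it can go. The explicit `$disposition =~ /^(ACCEPT|REJECT|DROP)$/` and `require_capability 'AUDIT_TARGET'` checks are gone as well; presumably `process_rule` now validates the target and the `A_` prefix, but that happens outside this hunk, so either confirm it or leave a one-line comment saying where those checks now live.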
+++ b/Shorewall/actions.std @@ -44,5 +44,5 @@ NotSyn inline # Handles TCP packets which do not have SYN=1 an Reject # Default Action for REJECT policy Related inline # Handles packets in the RELATED conntrack state RST inline # Handle packets with RST set -TCPFlags noinline # Handle bad flag combinations. +TCPFlags # Handle bad flag combinations. Untracked inline # Handles packets in the UNTRACKED conntrack state diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std index 5c284b6a0..3601a390a 100644 --- a/Shorewall6/actions.std +++ b/Shorewall6/actions.std @@ -32,5 +32,5 @@ NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0 Reject # Default Action for REJECT policy Related inline # Handles packets in the RELATED conntrack state RST inline # Handle packets with RST set -TCPFlags noinline # Handles bad flags combinations +TCPFlags # Handles bad flags combinations Untracked inline # Handles packets in the UNTRACKED conntrack state