Simplify Perl from actions even further.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-01-03 03:59:16 +01:00 · 2013-02-01 15:55:39 -08:00 · 2013-02-01 15:55:39 -08:00 · c68d4c6e27
commit c68d4c6e27
parent 752e960f2f
9 changed files with 32 additions and 78 deletions
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -2655,6 +2655,15 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    return 1;
 }
 #
 # Helper for the perl_action_xxx functions
 #
 sub merge_target( $$ ) {
    my ( $ref, $target ) = @_;
    $ref->{inline} ? $target : merge_levels( join( ':', @actparms{'chain','loglevel','logtag'}), $target );
 }
 #
 # May be called by Perl code in action bodies (regular and inline) to generate a rule.
 #
@ -2668,18 +2677,18 @@ sub perl_action_helper($$;$) {
    $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;
-    if ( $inlines{$action} ) {
+    if ( my $ref = $inlines{$action} ) {
 	$result = &process_rule( $chainref,
 				 $matches,
 				 $actiontype || 0,
-				 $target,
+				 merge_target( $ref, $target ),
 				 '',                              # CurrentParam
 				 @columns );
    } else {
 	$result = process_rule( $chainref,
 				$matches,
 				$actiontype || 0,
-				$target,
+				merge_target( $actions{$action}, $target ),
 				'',                               # Current Param
 				'-',                              # Source
 				'-',                              # Dest
@ -2697,6 +2706,7 @@ sub perl_action_helper($$;$) {
 				'-',                              # helper,
 				0,                                # Wildcard
 			      );
 	allow_optimize( $chainref );
    }
    #
    # Record that we generated a rule to avoid bogus warning
@ -2722,11 +2732,11 @@ sub perl_action_tcp_helper($$) {
 	#
 	# For other protos, a 'no rule generated' warning will be issued
 	#
-	if ( $inlines{$action} ) {
+	if ( my $ref = $inlines{$action} ) {
 	    $result = &process_rule( $chainref,
 				     $proto,
 				     0,
-				     $target,
+				     merge_target( $ref, $target ),
 				     '',
 				     @columns[0,1],
 				     '-',
@ -2736,7 +2746,7 @@ sub perl_action_tcp_helper($$) {
 	    $result = process_rule( $chainref,
 				    '',
 				    0,
-				    $target,
+				    merge_target( $actions{$action}, $target ),
 				    '',                               # Current Param
 				    '-',                              # Source
 				    '-',                              # Dest
@ -2754,6 +2764,7 @@ sub perl_action_tcp_helper($$) {
 				    '-',                              # helper,
 				    0,                                # Wildcard
 				  );
 	    allow_optimize( $chainref );
 	}
 	#
 	# Record that we generated a rule to avoid bogus warning
--- a/Shorewall/action.Established
+++ b/Shorewall/action.Established
@ -40,17 +40,11 @@ use Shorewall::Rules qw( process_rule1 );
 my ( $action ) = get_action_params( 1 );
 my ( $level, $tag ) = get_action_logging;
 $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
 perl_action_helper(
 		   $action,                             # Target
 		   "$globals{STATEMATCH} ESTABLISHED",  # Matches
 		  );
 allow_optimize( get_action_chain );
 1;
 ?END PERL;
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@ -45,17 +45,11 @@ if ( supplied $audit ) {
     $action = "A_$action";
 }    
 my ( $level, $tag ) = get_action_logging;
 $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
 perl_action_helper(
 		   $action,                         # Target
 		   "$globals{STATEMATCH} INVALID",  # Matches
 		  );
 allow_optimize( get_action_chain);
 1;
 ?END PERL;
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@ -33,6 +33,7 @@ DEFAULTS DROP,-
 ?BEGIN PERL;
 use strict;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
@ -45,16 +46,7 @@ if ( supplied $audit ) {
     $action = "A_$action";
 }    
-my ( $level, $tag )  = get_action_logging;
+perl_action_tcp_helper( $action, '-p 6 ! --syn' );
 $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
 perl_action_tcp_helper(
 		       $action,
 		       '-p 6 ! --syn'
 		      );
 allow_optimize( get_action_chain );
 1;
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@ -44,16 +44,7 @@ if ( supplied $audit ) {
     $action = "A_$action";
 }    
-my ( $level, $tag )  = get_action_logging;
+perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
 $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
 perl_action_tcp_helper(
 		       $action,
 		       '-p 6 --tcp-flags RST RST'
 		      );
 allow_optimize( get_action_chain );
 1;
--- a/Shorewall/action.Related
+++ b/Shorewall/action.Related
@ -41,17 +41,11 @@ use Shorewall::Rules qw( process_rule1 );
 my ( $action ) = get_action_params( 1 );
 my ( $level, $tag ) = get_action_logging;
 $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
 perl_action_helper( 
 		   $action,                         # Target
 		   "$globals{STATEMATCH} RELATED",  # Matches
 		  );
 allow_optimize( get_action_chain );
 1;
 ?END PERL;
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@ -17,43 +17,21 @@ DEFAULTS DROP,-
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
 use Shorewall::Rules;
-my ( $disposition, $audit ) = get_action_params( 2 );
+my ( $action, $audit ) = get_action_params( 2 );
 my $chainref        = get_action_chain;
-my ( $level, $tag ) = get_action_logging;
+if ( supplied $audit ) {
-
+     fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
-fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
+     $action = "A_$action";
 if ( $level ne '-' || $audit ne '-' ) {
    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
    log_rule_limit( $level,
 		    $logchainref,
 		    $chainref->{name},
 		    $disposition,
 		    '',
 		    $tag,
 		    'add',
 		    '' ) if $level;
    if ( supplied $audit ) {
 	fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
 	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
 	add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
    }
    add_ijump( $logchainref, g => $disposition );
    $disposition = $logchainref;
 }    
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
+perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
 add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
 ?END PERL;
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@ -44,5 +44,5 @@ NotSyn      inline              # Handles TCP packets which do not have SYN=1 an
 Reject                          # Default Action for REJECT policy
 Related     inline              # Handles packets in the RELATED conntrack state
 RST	    inline              # Handle packets with RST set
-TCPFlags    noinline            # Handle bad flag combinations.
+TCPFlags    			# Handle bad flag combinations.
 Untracked   inline              # Handles packets in the UNTRACKED conntrack state
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@ -32,5 +32,5 @@ NotSyn	    inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
 Reject		        	# Default Action for REJECT policy
 Related     inline              # Handles packets in the RELATED conntrack state
 RST	    inline              # Handle packets with RST set
-TCPFlags    noinline		# Handles bad flags combinations
+TCPFlags    			# Handles bad flags combinations
 Untracked   inline              # Handles packets in the UNTRACKED conntrack state