Allow setting chain variables
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
b31c76cc50
commit
f403420926
@ -6439,7 +6439,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
|
||||
log_rule_limit( $loglevel ,
|
||||
$echainref ,
|
||||
$chain,
|
||||
$disposition eq 'reject' ? 'REJECT' : $disposition ,
|
||||
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
'' ,
|
||||
$logtag ,
|
||||
'add' ,
|
||||
@ -6484,7 +6484,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
|
||||
my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) =
|
||||
( '', '', '', '', '', '', '', '', '', '' );
|
||||
my $chain = $chainref->{name};
|
||||
my $chain = $actparms{chain} || $chainref->{name};
|
||||
my $table = $chainref->{table};
|
||||
my ( $jump, $mac, $targetref, $basictarget );
|
||||
our @ends = ();
|
||||
@ -6653,7 +6653,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
$loglevel ,
|
||||
$chainref ,
|
||||
$chain,
|
||||
$disposition eq 'reject' ? 'REJECT' : $disposition ,
|
||||
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
'' ,
|
||||
$logtag ,
|
||||
'add' ,
|
||||
@ -6664,7 +6664,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
$loglevel ,
|
||||
$chainref ,
|
||||
$logname || $chain,
|
||||
$disposition,
|
||||
$actparms{disposition} || $disposition,
|
||||
'',
|
||||
$logtag,
|
||||
'add',
|
||||
@ -6681,7 +6681,12 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
# and jump to the log chain if all of the rule's conditions are met
|
||||
#
|
||||
add_expanded_jump( $chainref,
|
||||
logchain( $chainref, $loglevel, $logtag, $exceptionrule , $disposition, $target ),
|
||||
logchain( $chainref,
|
||||
$loglevel,
|
||||
$logtag,
|
||||
$exceptionrule,
|
||||
$actparms{disposition} || $disposition,
|
||||
$target ),
|
||||
1,
|
||||
$matches );
|
||||
}
|
||||
|
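Review bot: In expand_rule, `my $chain = $actparms{chain} || $chainref->{name};` makes `$chain` a log alias rather than the real chain name: push_action_params strips non-word characters from `$actparms{chain}`, and `?SET @chain` can now replace it with any expression result. The lines visible here pass `$chain` only to log_rule_limit, but expand_rule continues outside these hunks, so any other use of `$chain` there would receive the alias as well. I would leave `my $chain = $chainref->{name};` alone and add a separately named variable for the logging arguments, for example `my $log_chain_name = $actparms{chain} || $chain;`. Note also that the `||` fallback, used for `$actparms{disposition}` in handle_exclusion and in the logging calls too, treats a value of `0` as unset.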
@ -59,7 +59,9 @@ our @EXPORT = qw(
|
||||
|
||||
get_action_params
|
||||
get_action_chain
|
||||
get_action_chain_name
|
||||
get_action_logging
|
||||
get_action_disposition
|
||||
set_action_param
|
||||
|
||||
have_capability
|
||||
@ -161,6 +163,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
%helpers_map
|
||||
%helpers_enabled
|
||||
%helpers_aliases
|
||||
|
||||
%actparms
|
||||
|
||||
F_IPV4
|
||||
F_IPV6
|
||||
@ -483,7 +487,7 @@ our %compiler_params;
|
||||
# Action parameters
|
||||
#
|
||||
our %actparms;
|
||||
our $paramsmodified;
|
||||
our $parmsmodified;
|
||||
|
||||
our $currentline; # Current config file line image
|
||||
our $currentfile; # File handle reference
|
||||
@ -638,7 +642,7 @@ sub initialize( $;$$) {
|
||||
EXPORT => 0,
|
||||
KLUDGEFREE => '',
|
||||
STATEMATCH => '-m state --state',
|
||||
VERSION => "4.5.12-Beta3",
|
||||
VERSION => "4.5.13-Beta1",
|
||||
CAPVERSION => 40512 ,
|
||||
);
|
||||
#
|
||||
@ -938,8 +942,8 @@ sub initialize( $;$$) {
|
||||
|
||||
%compiler_params = ();
|
||||
|
||||
%actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '' );
|
||||
$paramsmodified = 0;
|
||||
%actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '' );
|
||||
$parmsmodified = 0;
|
||||
|
||||
%helpers_enabled = (
|
||||
amanda => 1,
|
||||
@ -2156,6 +2160,7 @@ sub evaluate_expression( $$$ ) {
|
||||
# $1 $2 $3 - $4
|
||||
while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
|
||||
my ( $first, $var, $rest ) = ( $1, $3, $4);
|
||||
$var = numeric_value( $var ) if $var;
|
||||
$val = $var ? $actparms{$var} : $chain;
|
||||
$expression = join_parts( $first, $val, $rest );
|
||||
directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
|
||||
@ -2272,15 +2277,17 @@ sub process_compiler_directive( $$$$ ) {
|
||||
unless ( $omitting ) {
|
||||
directive_error( "Missing SET variable", $filename, $linenumber ) unless supplied $expression;
|
||||
( my $var , $expression ) = split ' ', $expression, 2;
|
||||
directive_error( "Invalid SET variable ($var)", $filename, $linenumber) unless $var =~ /^([$@])?([a-zA-Z]\w*)$/;
|
||||
directive_error( "Invalid SET variable ($var)", $filename, $linenumber) unless $var =~ /^(\$)?([a-zA-Z]\w*)$/ || $var =~ /^(@)(\d+|[a-zA-Z]\w*)/;
|
||||
directive_error( "Missing SET expression" , $filename, $linenumber) unless supplied $expression;
|
||||
|
||||
if ( ( $1 || '' ) eq '@' ) {
|
||||
directive_error( "Invalid SET variable", $filename, $linenumber ) unless exists $actparms{$2};
|
||||
$actparms{$2} = evaluate_expression ( $expression,
|
||||
$filename,
|
||||
$linenumber );
|
||||
$paramsmodified = 1;
|
||||
$var = numeric_value( $var ) if $var =~ /^\d/;
|
||||
$var = $2 || 'chain';
|
||||
directive_error( "Action variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
|
||||
my $val = $actparms{$var} = evaluate_expression ( $expression,
|
||||
$filename,
|
||||
$linenumber );
|
||||
$parmsmodified = 1;
|
||||
} else {
|
||||
$variables{$1} = evaluate_expression( $expression,
|
||||
$filename,
|
||||
@ -2774,30 +2781,32 @@ sub embedded_perl( $ ) {
|
||||
# Push/pop action params
|
||||
#
|
||||
sub push_action_params( $$$$$ ) {
|
||||
my @params = ( undef , split_list3( $_[1], 'parameter' ) );
|
||||
my ( $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
|
||||
my @parms = ( undef , split_list3( $parms , 'parameter' ) );
|
||||
|
||||
$actparms{modified} = $paramsmodified;
|
||||
$actparms{modified} = $parmsmodified;
|
||||
|
||||
my %oldparms = %actparms;
|
||||
|
||||
$paramsmodified = 0;
|
||||
$parmsmodified = 0;
|
||||
|
||||
%actparms = ();
|
||||
|
||||
for ( my $i = 1; $i < @params; $i++ ) {
|
||||
my $val = $params[$i];
|
||||
for ( my $i = 1; $i < @parms; $i++ ) {
|
||||
my $val = $parms[$i];
|
||||
|
||||
$actparms{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
|
||||
}
|
||||
|
||||
$actparms{0} = $_[0];
|
||||
$actparms{loglevel} = $_[2];
|
||||
$actparms{logtag} = $_[3];
|
||||
$actparms{caller} = $_[4];
|
||||
$actparms{0} = $chainref;
|
||||
$actparms{loglevel} = $loglevel;
|
||||
$actparms{logtag} = $logtag;
|
||||
$actparms{caller} = $caller;
|
||||
$actparms{disposition} = '' if $chainref->{action};
|
||||
#
|
||||
# The Shorewall variable '@chain' has the non-word charaters removed
|
||||
#
|
||||
( $actparms{chain} = $_[0]->{name} ) =~ s/[^\w]//g;
|
||||
( $actparms{chain} = $chainref->{name} ) =~ s/[^\w]//g;
|
||||
|
||||
\%oldparms;
|
||||
}
|
||||
@ -2807,10 +2816,10 @@ sub push_action_params( $$$$$ ) {
|
||||
# Return true of the popped parameters were modified
|
||||
#
|
||||
sub pop_action_params( $ ) {
|
||||
my $oldparms = shift;
|
||||
%actparms = %$oldparms;
|
||||
my $return = $paramsmodified;
|
||||
( $paramsmodified ) = delete $actparms{modified};
|
||||
my $oldparms = shift;
|
||||
%actparms = %$oldparms;
|
||||
my $return = $parmsmodified;
|
||||
( $parmsmodified ) = delete $actparms{modified};
|
||||
$return;
|
||||
}
|
||||
|
||||
@ -2853,6 +2862,14 @@ sub get_action_chain() {
|
||||
$actparms{0};
|
||||
}
|
||||
|
||||
sub get_action_chain_name() {
|
||||
$actparms{chain};
|
||||
}
|
||||
|
||||
sub get_action_disposition() {
|
||||
$actparms{disposition};
|
||||
}
|
||||
|
||||
sub set_action_param( $$ ) {
|
||||
my $i = shift;
|
||||
|
||||
|
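Review bot: The `@` alternative added to the `?SET` name check in process_compiler_directive has no end anchor, so `/^(@)(\d+|[a-zA-Z]\w*)/` accepts a valid name followed by any trailing text and assigns to the leading part; it should end in `$` like the `$`-variable pattern beside it: `$var =~ /^(@)(\d+|[a-zA-Z]\w*)$/`. The `exists $actparms{$2}` guard is gone as well, so a misspelled name now creates a new key instead of raising an error, and `%actparms` also holds the `modified` and `caller` entries that push_action_params writes. `$var = numeric_value( $var ) if $var =~ /^\d/;` never runs, because `$var` still starts with `@` in this branch. In push_action_params, `%actparms = ()` precedes `$actparms{disposition} = '' if $chainref->{action};`, so for a chain without `action` set the previous disposition is dropped rather than kept, which looks at odds with the documentation added in this commit; restoring it from `%oldparms` would match the text. process_compiler_directive starts and ends outside the hunk.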
@ -1623,7 +1623,7 @@ sub process_action($$) {
|
||||
}
|
||||
|
||||
process_rule1( $chainref,
|
||||
$nolog ? $target : merge_levels( "$action:$level:$tag", $target ),
|
||||
$nolog ? $target : merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $target ),
|
||||
'',
|
||||
$source,
|
||||
$dest,
|
||||
@ -1839,7 +1839,7 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$) {
|
||||
next;
|
||||
}
|
||||
|
||||
$mtarget = merge_levels( $target, $mtarget ) unless $nolog;
|
||||
$mtarget = merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $mtarget ) unless $nolog;
|
||||
|
||||
my $action = isolate_basic_target $mtarget;
|
||||
|
||||
|
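Review bot: Both merge_levels calls now build their first argument with `join(':', @actparms{'chain','loglevel','logtag'})`, and none of the three values is checked for a `:` before being joined. `@chain` (and any other action variable) can now be assigned an arbitrary expression result through `?SET`, so a value containing `:` would add fields to the string; how merge_levels splits its argument is not visible here, so the effect on level and tag is an assumption to confirm. Rejecting non-word characters when `@chain` is SET, as push_action_params already does with `s/[^\w]//g`, would keep the triple well formed. This applies to the process_action hunk and the process_inline hunk alike; both subs extend beyond the lines shown.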
@ -1802,6 +1802,10 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true</programlisting
|
||||
alias @chain), Shorewall variables may only be used within an action
|
||||
body.</para>
|
||||
|
||||
<para>Prior to Shorewall 4.5.13, Shorewall variables are read-only.
|
||||
Beginning with Shorewall 4.5.13, their values may be altered using the
|
||||
?SET directive.</para>
|
||||
|
||||
<para>The Shorewall variables are:</para>
|
||||
|
||||
<variablelist>
|
||||
@ -1842,7 +1846,22 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true</programlisting
|
||||
invoked.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>@disposition (@{disposition})</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.13. When a non-inlined action is
|
||||
entered, this variable is set to the empty value. When an inline
|
||||
action is entered, the variable's value is unchanged.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.13, the values of @chain and
|
||||
@disposition are used to generated the --log-prefix in logging rules. When
|
||||
either is empty, the historical value is used to generate the
|
||||
--log-prefix. </para>
|
||||
</section>
|
||||
|
||||
<section id="Conditional">
|
||||
|