#
# Shorewall version 4 - Drop TCPFlags Action
#
# /usr/share/shorewall/action.TCPFlags
#
# Accepts a single optional parameter:
#
#     -     = Do not Audit
#     audit = Audit dropped packets.
#
#################################################################################
FORMAT 2
DEFAULTS DROP,-
?BEGIN PERL;
use strict;
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
use Shorewall::Chains;

# Action parameters: the target (ACCEPT/REJECT/DROP, default DROP) and the
# optional 'audit' flag (default '-'); both defaults come from DEFAULTS above.
my ( $target, $audit_arg ) = get_action_params( 2 );
my $action_chain = get_action_chain;

# The flag tests below are emitted into a dedicated action chain, so an
# in-line invocation (no action chain available) is rejected up front.
fatal_error "The TCPFlags Action may not be invoked in-line" unless $action_chain->{action};

my ( $log_level, $log_tag ) = get_action_logging;

# Validate the target before it is used to build any rule or AUDIT type.
fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP)
    if $target !~ /^(?:ACCEPT|REJECT|DROP)$/;

# When logging or auditing is requested, matches are routed through a fresh
# log chain that logs / audits and then jumps to the real target; that log
# chain then becomes the target of the flag tests.
unless ( $log_level eq '-' && $audit_arg eq '-' ) {
    my $log_chain = ensure_filter_chain( newlogchain( $action_chain->{table} ), 0 );

    # NOTE(review): the enclosing test compares $log_level against '-' while
    # this one tests truthiness; confirm get_action_logging never yields '-'.
    if ( $log_level ) {
        log_rule_limit( $log_level, $log_chain, $action_chain->{name}, $target, '', $log_tag, 'add', '' );
    }

    if ( supplied $audit_arg ) {
        # Only the literal word 'audit' is accepted, and it needs the
        # AUDIT target capability in the kernel/iptables.
        fatal_error "Invalid argument ($audit_arg) to TCPFlags" if $audit_arg ne 'audit';
        require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
        add_ijump( $log_chain, j => 'AUDIT --type ' . lc $target );
    }

    add_ijump( $log_chain, g => $target );
    $target = $log_chain;
}

# One iptables tcp match per flag combination this action intercepts.
my @flag_matches = (
    'tcp --tcp-flags ALL FIN,URG,PSH',   # of all flags, only FIN, URG and PSH set
    'tcp --tcp-flags ALL NONE',          # no flags set at all
    'tcp --tcp-flags SYN,RST SYN,RST',   # SYN and RST both set
    'tcp --tcp-flags SYN,FIN SYN,FIN',   # SYN and FIN both set
    'tcp --syn --sport 0',               # SYN from source port 0
);

for my $match ( @flag_matches ) {
    add_ijump( $action_chain, g => $target, p => $match );
}
?END PERL;