shorewall_code/Shorewall/action.DropSmurfs


#
# Shorewall version 4 - Drop Smurfs Action
#
# /usr/share/shorewall/action.DropSmurfs
#
# Accepts a single optional parameter:
#
# - = Do not Audit
# audit = Audit dropped packets.
#
#################################################################################
FORMAT 2
DEFAULTS -
BEGIN PERL;
use strict;
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
use Shorewall::Chains;
use Shorewall::Rules;
# Gather the context this action is being expanded in: the single optional
# parameter, the chain the rules go into, and the log level/tag supplied at
# the point of invocation.
my ( $audit ) = get_action_params( 1 );
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;

# $target is where smurf packets are sent. It stays a plain DROP unless
# logging or auditing was requested, in which case it becomes a dedicated
# chain that logs, optionally audits, and only then drops.
#
# NOTE(review): the outer test compares $audit with '-' while the inner one
# uses supplied(); which of the two an omitted parameter satisfies depends on
# how get_action_params normalises the DEFAULTS value -- confirm against
# Shorewall::Config.
my $target = 'DROP';

unless ( $level eq '-' && $audit eq '-' ) {
    my $drop_chain = ensure_filter_chain newlogchain( $chainref->{table} ), 0;

    log_rule_limit( $level, $drop_chain, $chainref->{name},
                    'DROP', '', $tag, 'add', '' );

    if ( supplied $audit ) {
        # 'audit' is the only accepted value; anything else aborts here
        # rather than being silently ignored.
        fatal_error "Invalid argument ($audit) to DropSmurfs" unless $audit eq 'audit';
        require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
        # The AUDIT rule is added ahead of the DROP rule below, so the
        # packet is recorded before it is discarded.
        add_ijump( $drop_chain, j => 'AUDIT --type DROP' );
    }

    add_ijump( $drop_chain, j => 'DROP' );
    $target = $drop_chain;
}
# Smurf rules proper: packets whose source is a broadcast or multicast
# address are sent to $target (plain DROP, or the log/audit chain when one
# was built above). Such an address is not a legitimate packet source.
# Rule order matters here; the statements below add rules in sequence.
#
# NOTE(review): 'g' presumably selects goto rather than jump semantics in
# add_ijump -- confirm in Shorewall::Chains.
#
# First variant: the addrtype match is available, so the kernel classifies
# the source address itself.
?IF __ADDRTYPE
?IF __IPV4
# Let packets from the unspecified address leave the chain before the
# BROADCAST test is applied.
# NOTE(review): presumably this protects traffic such as DHCP requests that
# would otherwise hit the BROADCAST rule -- confirm.
add_ijump $chainref , j => 'RETURN', s => '0.0.0.0'; ;
?ELSE
# IPv6 counterpart of the unspecified-address exemption.
add_ijump $chainref , j => 'RETURN', s => '::';
?END
add_ijump( $chainref, g => $target, addrtype => '--src-type BROADCAST' ) ;
?ELSE # Begin no Addrtype support
# Fallback: emit a shell loop into the generated script that adds one rule
# per address in $ALL_BCASTS (IPv4) or $ALL_ACASTS (IPv6). The strings are
# single-quoted, so '$ALL_BCASTS' and '$address' are emitted literally
# rather than interpolated by Perl.
# Note that this variant adds no RETURN rule for the unspecified address.
?IF __IPV4
add_commands $chainref, 'for address in $ALL_BCASTS; do';
?ELSE
add_commands $chainref, 'for address in $ALL_ACASTS; do';
?END
incr_cmd_level $chainref;
add_ijump( $chainref, g => $target, s => '$address' );
decr_cmd_level $chainref;
add_commands $chainref, 'done';
?END # No Addrtype support
# Independently of addrtype support, send packets with a multicast source
# address to $target: 224.0.0.0/4 for IPv4, the IPv6_MULTICAST constant
# otherwise.
?IF __IPV4
add_ijump( $chainref, g => $target, s => '224.0.0.0/4' );
?ELSE
add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
?END
END PERL;