Merge branch 'master' into 4.5.13

Conflicts:
	Shorewall/Perl/Shorewall/Rules.pm
	Shorewall/action.Established
	Shorewall/actions.std
Tom Eastep 2013-01-29 07:30:52 -08:00
commit 316b67473e
9 changed files with 223 additions and 89 deletions


@ -2808,10 +2808,10 @@ sub embedded_perl( $ ) {
}
#
# Push/pop action params
# Push/pop acton params
#
sub push_action_params( $$$$$ ) {
my ( $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
sub push_action_params( $$$$$$ ) {
my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
my @parms = ( undef , split_list3( $parms , 'parameter' ) );
$actparms{modified} = $parmsmodified;
@ -2829,6 +2829,7 @@ sub push_action_params( $$$$$ ) {
}
$actparms{0} = $chainref;
$actparms{action} = $action;
$actparms{loglevel} = $loglevel;
$actparms{logtag} = $logtag;
$actparms{caller} = $caller;
@ -5358,7 +5359,6 @@ sub get_configuration( $$$$ ) {
$val = $config{TCP_FLAGS_DISPOSITION} = 'DROP';
}
default 'TC_ENABLED' , $family == F_IPV4 ? 'Internal' : 'no';
$val = "\L$config{TC_ENABLED}";
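Review bot: The header comment above push_action_params is printed in two spellings, and the second one, `# Push/pop acton params` (read old-then-new, the surviving one), carries a typo; it should read `# Push/pop action params`. The new leading `$action` parameter, stored as `$actparms{action}`, is not mentioned in that header; a line such as `# $action: name of the action being entered, exposed to action bodies as $actparms{action}` would help. Widening the prototype to `( $$$$$$ )` means every caller must now pass six scalars — the two call sites in Rules.pm are updated in this commit, but any caller outside the diff would fail at compile time, so it is worth grepping for others. The body of push_action_params continues outside the hunk.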


@ -51,6 +51,8 @@ our @EXPORT = qw(
process_actions
process_rules
verify_audit
perl_action_helper
perl_action_tcp_helper
);
our @EXPORT_OK = qw( initialize process_rule1 );
@ -153,6 +155,11 @@ our %auditpolicies = ( ACCEPT => 1,
DROP => 1,
REJECT => 1
);
our @columns;
our @columnstack;
our $actionresult;
#
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
@ -221,6 +228,9 @@ sub initialize( $ ) {
#
%usedactions = ();
@columns = ();
@columnstack = ();
if ( $family == F_IPV4 ) {
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
} else {
@ -1681,7 +1691,7 @@ sub process_action($$) {
push_open $actionfile, 2, 1;
my $oldparms = push_action_params( $chainref, $param, $level, $tag, $caller );
my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
my $nolog = $actions{$action}{nolog};
@ -1895,7 +1905,8 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
my ( $level, $tag ) = split( ':', $loglevel, 2 );
my $oldparms = push_action_params( $chainref,
my $oldparms = push_action_params( $inline,
$chainref,
$param,
supplied $level ? $level : 'none',
defined $tag ? $tag : '' ,
@ -2429,6 +2440,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
$current_param = $param unless $param eq '' || $param eq 'PARAM';
push @columnstack, [ ( @columns ) ];
@columns = ( $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard );
my $generated = process_inline( $basictarget,
$chainref,
$rule,
@ -2451,9 +2466,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
$helper,
$wildcard );
@columns = @{pop @columnstack};
$macro_nest_level--;
return $generated;
return $generated || $actionresult;
}
#
# Generate Fixed part of the rule
@ -2628,6 +2645,95 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
return 1;
}
#
# May be called by Perl code in action bodies (regular and inline) to generate a rule.
#
sub perl_action_helper($$) {
my ( $target, $matches ) = @_;
my $action = $actparms{action};
my $chainref = $actparms{0};
my $result;
assert( $chainref );
if ( $inlines{$action} ) {
&process_rule1( $chainref,
$matches,
$target,
'',
@columns );
} else {
$result = process_rule1( $chainref,
$matches,
$target,
'', # Current Param
'-', # Source
'-', # Dest
'-', # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
}
$actionresult ||= $result;
}
#
# May be called by Perl code in action bodies (regular and inline) to generate a rule.
#
sub perl_action_tcp_helper($$) {
my ( $target, $proto ) = @_;
my $action = $actparms{action};
my $chainref = $actparms{0};
my $result;
assert( $chainref );
if ( $inlines{$action} ) {
$result = &process_rule1( $chainref,
$proto,
$target,
'',
@columns[0,1],
'-',
@columns[3..14]
);
} else {
$result = process_rule1( $chainref,
$proto,
$target,
'', # Current Param
'-', # Source
'-', # Dest
"-", # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
}
$actionresult ||= $result;
}
#
# Helper functions for process_rule(). That function deals with the ugliness of wildcard zones ('all' and 'any') and zone lists.
#
@ -2773,25 +2879,27 @@ sub process_rule ( ) {
if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
for my $proto ( @protos ) {
for my $user ( @users ) {
$generated |= process_rule1( undef,
'',
$target,
'',
$source,
$dest,
$proto,
$ports,
$sports,
$origdest,
$ratelimit,
$user,
$mark,
$connlimit,
$time,
$headers,
$condition,
$helper,
$wild );
if ( process_rule1( undef,
'',
$target,
'',
$source,
$dest,
$proto,
$ports,
$sports,
$origdest,
$ratelimit,
$user,
$mark,
$connlimit,
$time,
$headers,
$condition,
$helper,
$wild ) ) {
$generated = 1;
}
}
}
}
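Review bot: In perl_action_helper the inline branch calls `&process_rule1( $chainref, $matches, $target, '', @columns );` without keeping the return value, so `$result` stays undef and the trailing `$actionresult ||= $result;` records nothing for inline actions, whereas perl_action_tcp_helper assigns `$result = &process_rule1(` in the same branch; the first should read `$result = &process_rule1( $chainref,` as well. `our $actionresult` is declared beside `@columns`/`@columnstack` but, unlike them, is not reset in initialize, and nothing in this diff clears it before process_rule1's new `return $generated || $actionresult;` reads it — unless it is cleared elsewhere, once any helper sets it every later invocation would be reported as having generated a rule. The `&`-form calls deserve a why-comment, e.g. `# '&' bypasses the 19-scalar prototype so @columns is passed as a list`, since the tips forbid `&foo` otherwise. The two helpers share an identical header comment although the tcp variant's contract differs (its second argument is extra match text and the caller's PROTO column is replaced by '-'); the comment on perl_action_tcp_helper should say so.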


@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Established[([<action>|-[,{audit|-}])]
# Established[([<action>])]
#
# Default action is DROP
#
@ -36,21 +36,25 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules qw( process_rule1 );
my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Established parameter ($audit) to action Established" if supplied $audit && $audit ne 'audit';
fatal_error "Established parameter ($action) to action Established" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
if ( supplied $audit ) {
fatal_error "Established parameter ($audit) to action Established" if $audit ne 'audit';
$action = "A_$action";
}
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;
my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
log_rule_limit $level, $chainref, 'Established' , $action, '', $tag, 'add', "$globals{STATEMATCH} ESTABLISHED " if $level ne '';
add_jump $chainref , $target, 0, "$globals{STATEMATCH} ESTABLISHED ";
perl_action_helper(
$action, # Target
"$globals{STATEMATCH} INVALID ", # Matches
);
allow_optimize( $chainref );
allow_optimize( get_action_chain );
1;
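Review bot: The match string handed to perl_action_helper in action.Established is `"$globals{STATEMATCH} INVALID "`, while the add_jump and log_rule_limit lines it replaces both matched `ESTABLISHED`; as written the action would apply to INVALID-state packets and never to ESTABLISHED ones, so a user-configured Established(ACCEPT) would accept invalid packets. The Matches argument should read `"$globals{STATEMATCH} ESTABLISHED ", # Matches`, in line with action.Invalid, action.Related and action.Untracked, which each pass their own state. The duplicated `my ( $level, $tag ) = get_action_logging;` looks like a whitespace-only change in the rendering, but if both copies survive the second is a redeclaration warning under strict.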


@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Invalid[([<action>|-[,{audit|-}])]
# Invalid[([<action>])]
#
# Default action is DROP
#
@ -36,21 +36,25 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action Invalid" if supplied $audit && $audit ne 'audit';
fatal_error "Invalid parameter ($action) to action Invalid" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
$action = "A_$action";
}
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;
my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
perl_action_helper(
$action, # Target
"$globals{STATEMATCH} INVALID ", # Matches
);
allow_optimize( $chainref );
allow_optimize( get_action_chain);
1;
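Review bot: `my $target = require_audit ( $action , $audit );` is printed once in this section, so it presumably stays on the new side, yet `$target` is no longer read once `add_jump $chainref , $target, ...` gives way to the perl_action_helper call, which receives `$action` instead. If require_audit is kept for a side effect (registering the audited target, say), a comment such as `# require_audit is called for its side effect; the jump is emitted via perl_action_helper` would stop the next reader from deleting it; otherwise the line is dead and `$target` should go. The same pattern appears in action.Established, action.NotSyn, action.RST, action.Related and action.Untracked. Likewise, if `my $chainref = get_action_chain;` survives, `allow_optimize( get_action_chain);` re-fetches a chain already in hand — keep `allow_optimize( $chainref );` or drop the now-unused variable.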


@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# NotSyn[([<action>|-[,{audit|-}])]
# NotSyn[([<action>])]
#
# Default action is DROP
#
@ -36,21 +36,25 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action NotSyn" if supplied $audit && $audit ne 'audit';
fatal_error "Invalid parameter ($action) to action NotSyn" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
my $chainref = get_action_chain;
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
$action = "A_$action";
}
my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
add_jump $chainref , $target, 0, '-p 6 ! --syn ';
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
allow_optimize( $chainref );
perl_action_tcp_helper(
$action,
'-p 6 ! --syn '
);
allow_optimize( get_action_chain );
1;
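Review bot: The error message in the new audit block names the wrong action: `fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';` sits in action.NotSyn, and the line above it reports `to action NotSyn`; it should read `fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';`. action.RST has the same copy-paste (`to action Invalid` where `to action RST` is meant). The `$action = "A_$action";` rewrite is unexplained in the action files; a one-line comment, e.g. `# A_ prefix presumably selects the audited variant of the target — confirm against Rules.pm`, would save readers a trip to the compiler.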


@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# RST[([<action>|-[,{audit|-}])]
# RST[([<action>])]
#
# Default action is DROP
#
@ -35,21 +35,25 @@ DEFAULTS DROP,-
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules;
my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action RST" if supplied $audit && $audit ne 'audit';
fatal_error "Invalid parameter ($action) to action RST" unless $action =~ /^(?:ACCEPT|DROP)$/;
my $chainref = get_action_chain;
if ( supplied $audit ) {
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
$action = "A_$action";
}
my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
allow_optimize( $chainref );
perl_action_tcp_helper(
$action,
'-p 6 --tcp-flags RST RST '
);
allow_optimize( get_action_chain );
1;


@ -1,11 +1,11 @@
#
# Shorewall 4 - Invalid Action
# Shorewall 4 - Related Action
#
# /usr/share/shorewall/action.Related
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2013 - Tom Eastep (teastep@shorewall.net)
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Related[([<action>|-[,{audit|-}])]
# Related[([<action>])]
#
# Default action is DROP
#
@ -33,24 +33,29 @@ DEFAULTS DROP,-
?BEGIN PERL;
use strict;
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules qw( process_rule1 );
my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Related parameter ($audit) to action Related" if supplied $audit && $audit ne 'audit';
fatal_error "Related parameter ($action) to action Related" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
if ( supplied $audit ) {
fatal_error "Related parameter ($audit) to action Related" if $audit ne 'audit';
$action = "A_$action";
}
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;
my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
log_rule_limit $level, $chainref, 'Related' , $action, '', $tag, 'add', "$globals{STATEMATCH} RELATED " if $level ne '';
add_jump $chainref , $target, 0, "$globals{STATEMATCH} RELATED ";
perl_action_helper(
$action, # Target
"$globals{STATEMATCH} RELATED ", # Matches
);
allow_optimize( $chainref );
allow_optimize( get_action_chain );
1;
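Review bot: `use Shorewall::Rules qw( process_rule1 );` gives Exporter an explicit import list, and with an explicit list only the named symbol is imported — `perl_action_helper`, which the new body calls, is in @EXPORT rather than in that list, so it resolves only if action bodies are evaluated in a package where Shorewall::Rules' exports are already visible (which may be how ?BEGIN PERL blocks are compiled; I cannot tell from this diff). process_rule1 itself is no longer called here. Either import what is used, `use Shorewall::Rules qw( perl_action_helper );`, or use the bare `use Shorewall::Rules;` that action.Invalid, action.NotSyn and action.RST use. action.Established and action.Untracked carry the same stale import list.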


@ -5,7 +5,7 @@
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2013 - Tom Eastep (teastep@shorewall.net)
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Untracked[([<action>|-[,{audit|-}])]
# Untracked[([<action>])]
#
# Default action is DROP
#
@ -36,21 +36,26 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Rules qw( process_rule1 );
my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Untracked parameter ($audit) to action Untracked" if supplied $audit && $audit ne 'audit';
fatal_error "Untracked parameter ($action) to action Untracked" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
if ( supplied $audit ) {
fatal_error "Untracked parameter ($audit) to action Untracked" if $audit ne 'audit';
$action = "A_$action";
}
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;
my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
log_rule_limit $level, $chainref, 'Untracked' , $action, '', $tag, 'add', "$globals{STATEMATCH} UNTRACKED " if $level ne '';
add_jump $chainref , $target, 0, "$globals{STATEMATCH} UNTRACKED ";
perl_action_helper(
$action, # Target
"$globals{STATEMATCH} UNTRACKED ", # Matches
);
allow_optimize( $chainref );
allow_optimize( get_action_chain );
1;


@ -38,11 +38,11 @@ A_Reject # Audited Default action for REJECT policy
Broadcast noinline # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy
DropSmurfs noinline # Drop smurf packets
Established noinline # Handles packets in the ESTABLISHED state
Invalid noinline # Handles packets in the INVALID conntrack state
NotSyn noinline # Handles TCP packets which do not have SYN=1 and ACK=0
Established inline # Handles packets in the ESTABLISHED state
Invalid inline # Handles packets in the INVALID conntrack state
NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0
Reject # Default Action for REJECT policy
Related noinline # Handles packets in the RELATED conntrack state
RST noinline # Handle packets with RST set
Related inline # Handles packets in the RELATED conntrack state
RST inline # Handle packets with RST set
TCPFlags noinline # Handle bad flag combinations.
Untracked noinline # Handles packets in the UNTRACKED conntrack state
Untracked inline # Handles packets in the UNTRACKED conntrack state