From 3c544b20e639ca2262eca2b8b8729691a498b12d Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 14 Mar 2016 14:54:09 -0700
Subject: [PATCH] Convert the state actions to use the 'state' action option

- Also avoid the CLI having to know about builtin actions

Signed-off-by: Tom Eastep
---
 Shorewall-core/lib.cli | 17 ++-------------
 Shorewall/action.Established | 19 +++--------------
 Shorewall/action.Invalid | 24 +++------------------
 Shorewall/action.New | 21 ++++--------------
 Shorewall/action.Untracked | 19 +++--------------
 Shorewall/actions.std | 41 ++++++++++++++++++------------------
 Shorewall6/actions.std | 25 +++++++++++++---------
 7 files changed, 51 insertions(+), 115 deletions(-)

diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 5029f298d..07670f35d 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -922,23 +922,10 @@ show_events() {
 }
 show_actions() {
- echo "A_ACCEPT # Audit and accept the connection"
- echo "A_DROP # Audit and drop the connection"
- echo "A_REJECT # Audit and reject the connection "
- echo "allowBcast # Silently Allow Broadcast/multicast"
- echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
- echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
- echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
- echo "dropBcast # Silently Drop Broadcast/multicast"
- echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
- echo "dropNotSyn # Silently Drop Non-syn TCP packets"
- echo "forwardUPnP # Allow traffic that upnpd has redirected from"
- echo "rejNotSyn # Silently Reject Non-syn TCP packets"
-
 if [ -f ${g_confdir}/actions ]; then
- cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
+ cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
 else
- grep -Ev '^\#|^$' ${g_sharedir}/actions.std
+ grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
 fi
 }
diff --git a/Shorewall/action.Established b/Shorewall/action.Established
index 834cb7042..2c40e33fc 100644
--- a/Shorewall/action.Established
+++ b/Shorewall/action.Established
@@ -30,19 +30,6 @@
 DEFAULTS ACCEPT
-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'ESTABLISHED' ) ) {
- perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
diff --git a/Shorewall/action.Invalid b/Shorewall/action.Invalid
index 8ca118d92..c31e91a81 100644
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
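Review bot: The new filter in show_actions() hides `?` directives and indented continuation lines but still prints every line they guard, so entries inside a `?if`/`?else` block of the user's `actions` file are listed whatever the condition evaluates to, and a continued entry is printed as `Established inline,\` with the trailing backslash and without its `state=` option. The old hard-coded list also carried `allowoutUPnP` and `allowInvalid`, which now appear only if some actions file lists them; the new builtin block in Shorewall/actions.std in this same patch omits `allowoutUPnP`, so confirm that dropping it from `show actions` is intended. A one-line comment above the `cat` would help the next reader: `# builtin actions are listed in a '?if 0' block of actions.std; '?' directives and indented continuation lines are not actions`.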
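Review bot: The replacement comment says all logic now comes from the `state` option, but the file still carries `DEFAULTS ACCEPT`, and the removed Perl is what gave that parameter its meaning (the target handed to perl_action_helper) and what distinguished check_state() returning 1, where a state_match was added, from any other true value, where it was omitted; nothing in this patch shows the `state` option reproducing that second branch, so it is worth confirming in the compiler. The same three-line comment replaces the same Perl in action.New and action.Untracked below. I would extend the comment so the parameter stays documented: `# The single parameter (default ACCEPT) is the target applied to packets in the ESTABLISHED state`.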
@@ -30,24 +30,6 @@
 DEFAULTS DROP,-
-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-if ( supplied $audit ) {
- fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
- $action = "A_$action";
-}
-
-if ( my $check = check_state( 'INVALID' ) ) {
- perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is triggered by the 'audit' and 'state' options in actions.std
+#
diff --git a/Shorewall/action.New b/Shorewall/action.New
index a7201aaf2..bbe7402c8 100644
--- a/Shorewall/action.New
+++ b/Shorewall/action.New
@@ -22,7 +22,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Untracked[([])]
+# New[([])]
 #
 # Default action is ACCEPT
 #
@@ -30,19 +30,6 @@
 DEFAULTS ACCEPT
-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'NEW' ) ) {
- perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
diff --git a/Shorewall/action.Untracked b/Shorewall/action.Untracked
index 7e7f383dd..b02dc4c28 100644
--- a/Shorewall/action.Untracked
+++ b/Shorewall/action.Untracked
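Review bot: The removed Perl rejected any second parameter other than `audit` with a fatal_error and only then rewrote the target to `A_<target>`; after this change that validation depends entirely on how the `audit` option in actions.std treats an unexpected second parameter, which this patch does not show, so confirm that an invocation with a misspelled second parameter still fails at compile time instead of being accepted silently. The new comment would also read better if it kept the parameter contract the Perl used to express: `# Parameters: target (default DROP) and optional 'audit', which turns the target into A_<target>`.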
@@ -29,19 +29,6 @@
 ##########################################################################################
 DEFAULTS DROP
-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'UNTRACKED' ) ) {
- perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
-}
-
-1;
-
-?end perl;
+#
+# All logic for this action is supplied by the 'state' option in actions.std
+#
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index cf90e049d..84c18f160 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,21 +8,18 @@
 #
 # Builtin Actions are:
 #
-# A_ACCEPT # Audits then accepts a connection request
-# A_DROP # Audits then drops a connection request
-# A_REJECT # Audits then drops a connection request
-# allowBcast # Silently Allow Broadcast/multicast
-# dropBcast # Silently Drop Broadcast/multicast
-# dropNotSyn # Silently Drop Non-syn TCP packets
-# rejNotSyn # Silently Reject Non-syn TCP packets
-# allowoutUPnP # Allow traffic from local command 'upnpd' (does not
-# # work with kernel 2.6.14 and later).
-# allowinUPnP # Allow UPnP inbound (to firewall) traffic
-# forwardUPnP # Allow traffic that upnpd has redirected from
-# # 'upnp' interfaces.
-# Limit # Limit the rate of connections from each individual
-# # IP address
-#
+?if 0
+A_ACCEPT # Audits then accepts a connection request
+A_DROP # Audits then drops a connection request
+A_REJECT # Audits then drops a connection request
+allowBcast # Silently Allow Broadcast/multicast
+dropBcast # Silently Drop Broadcast/multicast
+dropNotSyn # Silently Drop Non-syn TCP packets
+rejNotSyn # Silently Reject Non-syn TCP packets
+allowinUPnP # Allow UPnP inbound (to firewall) traffic
+forwardUPnP # Allow traffic that upnpd has redirected from 'upnp' interfaces.
+Limit # Limit the rate of connections from each individual IP address
+?endif
 ###############################################################################
 #ACTION
 A_Drop # Audited Default Action for DROP policy
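Review bot: `A_REJECT # Audits then drops a connection request` is carried into the new `?if 0` block verbatim, and that text is now what `shorewall show actions` prints, so the description should say "rejects" (the CLI text this patch removes said "Audit and reject"). The old comment block also listed `allowoutUPnP`, which the new block omits; if that is deliberate because of the kernel caveat in the removed text, the commit message could say so. Because the `?if 0` idiom is unusual, a comment explaining it would help, e.g. `# The following ?if 0 block is skipped by the compiler but listed by 'shorewall show actions'`; the same applies to the first Shorewall6/actions.std hunk below.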
@@ -35,16 +32,20 @@ DNSAmp # Matches one-question recursive DNS queries
 Drop # Default Action for DROP policy
 dropInvalid inline # Drops packets in the INVALID conntrack state
 DropSmurfs noinline # Drop smurf packets
-Established inline # Handles packets in the ESTABLISHED state
+Established inline,\ # Handles packets in the ESTABLISHED state
+ state=ESTABLISHED #
 GlusterFS inline # Handles GlusterFS
 IfEvent noinline # Perform an action based on an event
-Invalid inline # Handles packets in the INVALID conntrack state
-New inline # Handles packets in the NEW conntrack state
+Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
+ state=INVALID #
+New inline,state=NEW # Handles packets in the NEW conntrack state
 NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject # Default Action for REJECT policy
-Related inline # Handles packets in the RELATED conntrack state
+Related inline,\ # Handles packets in the RELATED conntrack state
+ state=RELATED #
 ResetEvent inline # Reset an Event
 RST inline,audit # Handle packets with RST set
 SetEvent inline # Initialize an event
 TCPFlags # Handle bad flag combinations.
-Untracked inline # Handles packets in the UNTRACKED conntrack state
+Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
+ state=UNTRACKED #
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index 45b504ba2..96404a848 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
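Review bot: The continued entries end their continuation line with a trailing `#` here (`state=ESTABLISHED #`), while the matching lines in the second Shorewall6/actions.std hunk below have none; pick one form for both files. Each first line also places a `#` comment after the continuation backslash (`inline,\ # Handles ...`), which presumably relies on the config reader stripping comments before it looks for the backslash — a reader unfamiliar with that rule will take it for a commented-out continuation, and the `New` entry shows the single-line form works: `Established inline,state=ESTABLISHED # Handles packets in the ESTABLISHED state`. If column alignment is the reason for splitting, a comment above the table noting that a comment may follow the backslash would remove the confusion.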
@@ -8,11 +8,12 @@
 #
 # Builtin Actions are:
 #
-# allowBcasts # Accept multicast and anycast packets
-# dropBcasts # Silently Drop multicast and anycast packets
-# dropNotSyn # Silently Drop Non-syn TCP packets
-# rejNotSyn # Silently Reject Non-syn TCP packets
-#
+?if 0
+allowBcasts # Accept multicast and anycast packets
+dropBcasts # Silently Drop multicast and anycast packets
+dropNotSyn # Silently Drop Non-syn TCP packets
+rejNotSyn # Silently Reject Non-syn TCP packets
+?endif
 ###############################################################################
 #ACTION
 A_Drop # Audited Default Action for DROP policy
@@ -26,15 +27,19 @@ Broadcast noinline # Handles Broadcast/Multicast/Anycast
 Drop # Default Action for DROP policy
 dropInvalid inline # Drops packets in the INVALID conntrack state
 DropSmurfs noinline # Handles packets with a broadcast source address
-Established inline # Handles packets in the ESTABLISHED state
+Established inline,\ # Handles packets in the ESTABLISHED state
+ state=ESTABLISHED
 IfEvent noinline # Perform an action based on an event
-Invalid inline # Handles packets in the INVALID conntrack state
-New inline # Handles packets in the NEW conntrack state
+Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
+ state=INVALID
+New inline,state=NEW # Handles packets in the NEW conntrack state
 NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0
 Reject # Default Action for REJECT policy
-Related inline # Handles packets in the RELATED conntrack state
+Related inline,\ # Handles packets in the RELATED conntrack state
+ state=RELATED
 ResetEvent inline # Reset an Event
 RST inline # Handle packets with RST set
 SetEvent inline # Initialize an event
 TCPFlags # Handles bad flags combinations
-Untracked inline # Handles packets in the UNTRACKED conntrack state
+Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
+ state=UNTRACKED