Convert the state actions to use the 'state' action option
- Also avoid the CLI having to know about builtin actions Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
dd547c90a8
commit
3c544b20e6
@ -922,23 +922,10 @@ show_events() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
show_actions() {
|
show_actions() {
|
||||||
echo "A_ACCEPT # Audit and accept the connection"
|
|
||||||
echo "A_DROP # Audit and drop the connection"
|
|
||||||
echo "A_REJECT # Audit and reject the connection "
|
|
||||||
echo "allowBcast # Silently Allow Broadcast/multicast"
|
|
||||||
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
|
|
||||||
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
|
|
||||||
echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
|
|
||||||
echo "dropBcast # Silently Drop Broadcast/multicast"
|
|
||||||
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
|
|
||||||
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
|
|
||||||
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
|
|
||||||
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
|
|
||||||
|
|
||||||
if [ -f ${g_confdir}/actions ]; then
|
if [ -f ${g_confdir}/actions ]; then
|
||||||
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
|
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
|
||||||
else
|
else
|
||||||
grep -Ev '^\#|^$' ${g_sharedir}/actions.std
|
grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
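Review bot: The widened filter `grep -Ev '^[#?[:space:]]|^$'` on the cat line and the else-branch grep hides the `?if 0`/`?endif` directive lines and (presumably indented) continuation lines, but the first line of a continued entry keeps its trailing backslash, so `show actions` will now print lines such as `Established inline,\ # Handles packets in the ESTABLISHED state` verbatim. If a clean listing is intended, strip the continuation marker in the same pipeline, e.g. `| sed 's/,\\[[:space:]]*/ /'` after each grep, or document that raw file lines are shown. Whether the continuation lines really are indented cannot be seen here because the rendered page drops leading whitespace; if they are not, `state=ESTABLISHED` and friends will be listed as if they were action names. The user's `${g_confdir}/actions` file goes through the same filter, so any `?` directives there are hidden from the listing as well.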
@ -30,19 +30,6 @@
|
|||||||
|
|
||||||
DEFAULTS ACCEPT
|
DEFAULTS ACCEPT
|
||||||
|
|
||||||
?begin perl;
|
#
|
||||||
|
# All logic for this action is supplied by the 'state' option in actions.std
|
||||||
use Shorewall::IPAddrs;
|
#
|
||||||
use Shorewall::Config;
|
|
||||||
use Shorewall::Chains;
|
|
||||||
use Shorewall::Rules;
|
|
||||||
|
|
||||||
my ( $action ) = get_action_params( 1 );
|
|
||||||
|
|
||||||
if ( my $check = check_state( 'ESTABLISHED' ) ) {
|
|
||||||
perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|
||||||
|
|
||||||
?end perl;
|
|
||||||
|
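Review bot: The removed block emitted nothing unless `check_state('ESTABLISHED')` returned true and added a `state_match` only when it returned 1; the replacement comment says this now comes from the `state=ESTABLISHED` option in actions.std, but the option's implementation is not part of this commit, so it should be confirmed to keep that short-circuit (otherwise a rule is generated where the old action was a no-op). The same replacement is made in the Invalid, New and Untracked hunks below. For readers of the action file the comment could also point at where the option lives: `# All logic for this action is supplied by the 'state' option in actions.std (see <module implementing the 'state' option>)`.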
@ -30,24 +30,6 @@
|
|||||||
|
|
||||||
DEFAULTS DROP,-
|
DEFAULTS DROP,-
|
||||||
|
|
||||||
?begin perl;
|
#
|
||||||
|
# All logic for this action is triggered by the 'audit' and 'state' options in actions.std
|
||||||
use Shorewall::IPAddrs;
|
#
|
||||||
use Shorewall::Config;
|
|
||||||
use Shorewall::Chains;
|
|
||||||
use Shorewall::Rules;
|
|
||||||
|
|
||||||
my ( $action, $audit ) = get_action_params( 2 );
|
|
||||||
|
|
||||||
if ( supplied $audit ) {
|
|
||||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
|
||||||
$action = "A_$action";
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( my $check = check_state( 'INVALID' ) ) {
|
|
||||||
perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|
||||||
|
|
||||||
?end perl;
|
|
||||||
|
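Review bot: The removed Perl also validated the optional parameter with `fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';` and only prefixed `A_` to the target when the parameter was supplied; the replacement `inline,audit` option in actions.std is presumably meant to cover this, but nothing in the commit shows that an unrecognised parameter is still rejected with a clear message rather than silently accepted. Confirm that the `audit` option handler enforces this, or keep the check in the action file.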
@ -22,7 +22,7 @@
|
|||||||
# along with this program; if not, write to the Free Software
|
# along with this program; if not, write to the Free Software
|
||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
# Untracked[([<action>])]
|
# New[([<action>])]
|
||||||
#
|
#
|
||||||
# Default action is ACCEPT
|
# Default action is ACCEPT
|
||||||
#
|
#
|
||||||
@ -30,19 +30,6 @@
|
|||||||
|
|
||||||
DEFAULTS ACCEPT
|
DEFAULTS ACCEPT
|
||||||
|
|
||||||
?begin perl;
|
#
|
||||||
|
# All logic for this action is supplied by the 'state' option in actions.std
|
||||||
use Shorewall::IPAddrs;
|
#
|
||||||
use Shorewall::Config;
|
|
||||||
use Shorewall::Chains;
|
|
||||||
use Shorewall::Rules;
|
|
||||||
|
|
||||||
my ( $action ) = get_action_params( 1 );
|
|
||||||
|
|
||||||
if ( my $check = check_state( 'NEW' ) ) {
|
|
||||||
perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|
||||||
|
|
||||||
?end perl;
|
|
||||||
|
@ -29,19 +29,6 @@
|
|||||||
##########################################################################################
|
##########################################################################################
|
||||||
DEFAULTS DROP
|
DEFAULTS DROP
|
||||||
|
|
||||||
?begin perl;
|
#
|
||||||
|
# All logic for this action is supplied by the 'state' option in actions.std
|
||||||
use Shorewall::IPAddrs;
|
#
|
||||||
use Shorewall::Config;
|
|
||||||
use Shorewall::Chains;
|
|
||||||
use Shorewall::Rules;
|
|
||||||
|
|
||||||
my ( $action ) = get_action_params( 1 );
|
|
||||||
|
|
||||||
if ( my $check = check_state( 'UNTRACKED' ) ) {
|
|
||||||
perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|
||||||
|
|
||||||
?end perl;
|
|
||||||
|
@ -8,21 +8,18 @@
|
|||||||
#
|
#
|
||||||
# Builtin Actions are:
|
# Builtin Actions are:
|
||||||
#
|
#
|
||||||
# A_ACCEPT # Audits then accepts a connection request
|
?if 0
|
||||||
# A_DROP # Audits then drops a connection request
|
A_ACCEPT # Audits then accepts a connection request
|
||||||
# A_REJECT # Audits then drops a connection request
|
A_DROP # Audits then drops a connection request
|
||||||
# allowBcast # Silently Allow Broadcast/multicast
|
A_REJECT # Audits then drops a connection request
|
||||||
# dropBcast # Silently Drop Broadcast/multicast
|
allowBcast # Silently Allow Broadcast/multicast
|
||||||
# dropNotSyn # Silently Drop Non-syn TCP packets
|
dropBcast # Silently Drop Broadcast/multicast
|
||||||
# rejNotSyn # Silently Reject Non-syn TCP packets
|
dropNotSyn # Silently Drop Non-syn TCP packets
|
||||||
# allowoutUPnP # Allow traffic from local command 'upnpd' (does not
|
rejNotSyn # Silently Reject Non-syn TCP packets
|
||||||
# # work with kernel 2.6.14 and later).
|
allowinUPnP # Allow UPnP inbound (to firewall) traffic
|
||||||
# allowinUPnP # Allow UPnP inbound (to firewall) traffic
|
forwardUPnP # Allow traffic that upnpd has redirected from 'upnp' interfaces.
|
||||||
# forwardUPnP # Allow traffic that upnpd has redirected from
|
Limit # Limit the rate of connections from each individual IP address
|
||||||
# # 'upnp' interfaces.
|
?endif
|
||||||
# Limit # Limit the rate of connections from each individual
|
|
||||||
# # IP address
|
|
||||||
#
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#ACTION
|
#ACTION
|
||||||
A_Drop # Audited Default Action for DROP policy
|
A_Drop # Audited Default Action for DROP policy
|
||||||
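Review bot: The new `?if 0` block is now what `show actions` prints, so its text is user-visible: the `A_REJECT` line still says `# Audits then drops a connection request` (carried over from the old comment) and should read `A_REJECT # Audits then rejects a connection request`. The block also omits `allowInvalid` and `allowoutUPnP`, which the old CLI echoed; if those builtins still exist they silently vanish from the listing, and if they were dropped on purpose the commit message should say so. A short comment above the block would stop someone "cleaning it up" later, e.g. `# Builtin actions: listed here for 'show actions' only; excluded from compilation by ?if 0`.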
@ -35,16 +32,20 @@ DNSAmp # Matches one-question recursive DNS queries
|
|||||||
Drop # Default Action for DROP policy
|
Drop # Default Action for DROP policy
|
||||||
dropInvalid inline # Drops packets in the INVALID conntrack state
|
dropInvalid inline # Drops packets in the INVALID conntrack state
|
||||||
DropSmurfs noinline # Drop smurf packets
|
DropSmurfs noinline # Drop smurf packets
|
||||||
Established inline # Handles packets in the ESTABLISHED state
|
Established inline,\ # Handles packets in the ESTABLISHED state
|
||||||
|
state=ESTABLISHED #
|
||||||
GlusterFS inline # Handles GlusterFS
|
GlusterFS inline # Handles GlusterFS
|
||||||
IfEvent noinline # Perform an action based on an event
|
IfEvent noinline # Perform an action based on an event
|
||||||
Invalid inline # Handles packets in the INVALID conntrack state
|
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
|
||||||
New inline # Handles packets in the NEW conntrack state
|
state=INVALID #
|
||||||
|
New inline,state=NEW # Handles packets in the NEW conntrack state
|
||||||
NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0
|
NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0
|
||||||
Reject # Default Action for REJECT policy
|
Reject # Default Action for REJECT policy
|
||||||
Related inline # Handles packets in the RELATED conntrack state
|
Related inline,\ # Handles packets in the RELATED conntrack state
|
||||||
|
state=RELATED #
|
||||||
ResetEvent inline # Reset an Event
|
ResetEvent inline # Reset an Event
|
||||||
RST inline,audit # Handle packets with RST set
|
RST inline,audit # Handle packets with RST set
|
||||||
SetEvent inline # Initialize an event
|
SetEvent inline # Initialize an event
|
||||||
TCPFlags # Handle bad flag combinations.
|
TCPFlags # Handle bad flag combinations.
|
||||||
Untracked inline # Handles packets in the UNTRACKED conntrack state
|
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
|
||||||
|
state=UNTRACKED #
|
||||||
|
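Review bot: Style: `New inline,state=NEW` keeps its option on one line while `Established`, `Invalid`, `Related` and `Untracked` use a `,\` continuation, and the IPv4 continuation lines end with a bare `#` whereas the IPv6 file's (the later hunks) do not. Pick one form for all five entries in both files; the single-line form `Established inline,state=ESTABLISHED # Handles packets in the ESTABLISHED state` also avoids the continuation backslash that the CLI listing would otherwise print.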
@ -8,11 +8,12 @@
|
|||||||
#
|
#
|
||||||
# Builtin Actions are:
|
# Builtin Actions are:
|
||||||
#
|
#
|
||||||
# allowBcasts # Accept multicast and anycast packets
|
?if 0
|
||||||
# dropBcasts # Silently Drop multicast and anycast packets
|
allowBcasts # Accept multicast and anycast packets
|
||||||
# dropNotSyn # Silently Drop Non-syn TCP packets
|
dropBcasts # Silently Drop multicast and anycast packets
|
||||||
# rejNotSyn # Silently Reject Non-syn TCP packets
|
dropNotSyn # Silently Drop Non-syn TCP packets
|
||||||
#
|
rejNotSyn # Silently Reject Non-syn TCP packets
|
||||||
|
?endif
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#ACTION
|
#ACTION
|
||||||
A_Drop # Audited Default Action for DROP policy
|
A_Drop # Audited Default Action for DROP policy
|
||||||
@ -26,15 +27,19 @@ Broadcast noinline # Handles Broadcast/Multicast/Anycast
|
|||||||
Drop # Default Action for DROP policy
|
Drop # Default Action for DROP policy
|
||||||
dropInvalid inline # Drops packets in the INVALID conntrack state
|
dropInvalid inline # Drops packets in the INVALID conntrack state
|
||||||
DropSmurfs noinline # Handles packets with a broadcast source address
|
DropSmurfs noinline # Handles packets with a broadcast source address
|
||||||
Established inline # Handles packets in the ESTABLISHED state
|
Established inline,\ # Handles packets in the ESTABLISHED state
|
||||||
|
state=ESTABLISHED
|
||||||
IfEvent noinline # Perform an action based on an event
|
IfEvent noinline # Perform an action based on an event
|
||||||
Invalid inline # Handles packets in the INVALID conntrack state
|
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
|
||||||
New inline # Handles packets in the NEW conntrack state
|
state=INVALID
|
||||||
|
New inline,state=NEW # Handles packets in the NEW conntrack state
|
||||||
NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0
|
NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0
|
||||||
Reject # Default Action for REJECT policy
|
Reject # Default Action for REJECT policy
|
||||||
Related inline # Handles packets in the RELATED conntrack state
|
Related inline,\ # Handles packets in the RELATED conntrack state
|
||||||
|
state=RELATED
|
||||||
ResetEvent inline # Reset an Event
|
ResetEvent inline # Reset an Event
|
||||||
RST inline # Handle packets with RST set
|
RST inline # Handle packets with RST set
|
||||||
SetEvent inline # Initialize an event
|
SetEvent inline # Initialize an event
|
||||||
TCPFlags # Handles bad flags combinations
|
TCPFlags # Handles bad flags combinations
|
||||||
Untracked inline # Handles packets in the UNTRACKED conntrack state
|
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
|
||||||
|
state=UNTRACKED
|
||||||
|