forked from extern/shorewall_code
Make the TCP standard actions inline
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
5a2c1792cb
commit
49166efdca
@ -52,6 +52,7 @@ our @EXPORT = qw(
|
||||
process_rules
|
||||
verify_audit
|
||||
perl_action_helper
|
||||
perl_action_tcp_helper
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
@ -2683,6 +2684,48 @@ sub perl_action_helper($$) {
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# May be called by Perl code in action bodies (regular and inline) to generate a rule.
|
||||
#
|
||||
sub perl_action_tcp_helper($$) {
|
||||
my ( $target, $proto ) = @_;
|
||||
my $action = $actparms{action};
|
||||
my $chainref = $actparms{0};
|
||||
|
||||
assert( $chainref );
|
||||
|
||||
if ( $inlines{$action} ) {
|
||||
&process_rule1( $chainref,
|
||||
$proto,
|
||||
$target,
|
||||
'',
|
||||
@columns[0,1],
|
||||
'-',
|
||||
@columns[3..14]
|
||||
);
|
||||
} else {
|
||||
process_rule1( $chainref,
|
||||
$proto,
|
||||
$target,
|
||||
'', # Current Param
|
||||
'-', # Source
|
||||
'-', # Dest
|
||||
"-", # Proto
|
||||
'-', # Port(s)
|
||||
'-', # Source Port(s)
|
||||
'-', # Original Dest
|
||||
'-', # Rate Limit
|
||||
'-', # User
|
||||
'-', # Mark
|
||||
'-', # Connlimit
|
||||
'-', # Time
|
||||
'-', # Headers,
|
||||
'-', # condition,
|
||||
'-', # helper,
|
||||
0, # Wildcard
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Helper functions for process_rule(). That function deals with the ugliness of wildcard zones ('all' and 'any') and zone lists.
|
||||
|
||||
@ -22,7 +22,7 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# NotSyn[([<action>|-[,{audit|-}])]
|
||||
# NotSyn[([<action>])]
|
||||
#
|
||||
# Default action is DROP
|
||||
#
|
||||
@ -36,21 +36,25 @@ DEFAULTS DROP,-
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
fatal_error "Invalid parameter ($audit) to action NotSyn" if supplied $audit && $audit ne 'audit';
|
||||
fatal_error "Invalid parameter ($action) to action NotSyn" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
|
||||
|
||||
my $chainref = get_action_chain;
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
my $target = require_audit ( $action , $audit );
|
||||
|
||||
log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
|
||||
add_jump $chainref , $target, 0, '-p 6 ! --syn ';
|
||||
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
|
||||
|
||||
allow_optimize( $chainref );
|
||||
perl_action_tcp_helper(
|
||||
$action,
|
||||
'-p 6 ! --syn '
|
||||
);
|
||||
|
||||
allow_optimize( get_action_chain );
|
||||
|
||||
1;
|
||||
|
||||
|
||||
@ -22,7 +22,7 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# RST[([<action>|-[,{audit|-}])]
|
||||
# RST[([<action>])]
|
||||
#
|
||||
# Default action is DROP
|
||||
#
|
||||
@ -35,21 +35,25 @@ DEFAULTS DROP,-
|
||||
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
fatal_error "Invalid parameter ($audit) to action RST" if supplied $audit && $audit ne 'audit';
|
||||
fatal_error "Invalid parameter ($action) to action RST" unless $action =~ /^(?:ACCEPT|DROP)$/;
|
||||
|
||||
my $chainref = get_action_chain;
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
my $target = require_audit ( $action , $audit );
|
||||
|
||||
log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
|
||||
add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';
|
||||
$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
|
||||
|
||||
allow_optimize( $chainref );
|
||||
perl_action_tcp_helper(
|
||||
$action,
|
||||
'-p 6 --tcp-flags RST RST '
|
||||
);
|
||||
|
||||
allow_optimize( get_action_chain );
|
||||
|
||||
1;
|
||||
|
||||
|
||||
@ -40,9 +40,9 @@ Drop # Default Action for DROP policy
|
||||
DropSmurfs noinline # Drop smurf packets
|
||||
Established inline # Handles packets in the ESTABLISHED state
|
||||
Invalid inline # Handles packets in the INVALID conntrack state
|
||||
NotSyn noinline # Handles TCP packets which do not have SYN=1 and ACK=0
|
||||
NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0
|
||||
Reject # Default Action for REJECT policy
|
||||
Related inline # Handles packets in the RELATED conntrack state
|
||||
RST noinline # Handle packets with RST set
|
||||
RST inline # Handle packets with RST set
|
||||
TCPFlags noinline # Handle bad flag combinations.
|
||||
Untracked inline # Handles packets in the UNTRACKED conntrack state
|
||||
|
||||
Loading…
Reference in New Issue
Block a user