Add logic for parameterized actions
parent
4573b5ba8e
commit
4b22bbd90d
@ -170,15 +170,13 @@ sub normalize_action_name( $$$ ) {
|
||||
# this function truncates the original chain name where necessary before
|
||||
# it adds the leading "%" and trailing sequence number.
|
||||
#
|
||||
sub createlogactionchain( $$ ) {
|
||||
my ( $action, $level ) = @_;
|
||||
sub createlogactionchain( $$$$$ ) {
|
||||
my ( $normalized, $action, $level, $tag, $param ) = @_;
|
||||
my $chain = $action;
|
||||
my $actionref = $actions{$action};
|
||||
my $chainref;
|
||||
|
||||
my ($lev, $tag) = split ':', $level;
|
||||
|
||||
validate_level $lev;
|
||||
validate_level $level;
|
||||
|
||||
$actionref = new_action $action unless $actionref;
|
||||
|
||||
@ -190,7 +188,7 @@ sub createlogactionchain( $$ ) {
|
||||
$chain = substr( $chain, 0, 27 ), redo CHECKDUP if ( $actionref->{actchain} || 0 ) >= 10 and length $chain == 28;
|
||||
}
|
||||
|
||||
$logactionchains{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
|
||||
$logactionchains{$normalized} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
|
||||
|
||||
fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
|
||||
|
||||
@ -203,9 +201,7 @@ sub createlogactionchain( $$ ) {
|
||||
if ( -f $file ) {
|
||||
progress_message "Processing $file...";
|
||||
|
||||
( $level, my $tag ) = split /:/, $level;
|
||||
|
||||
$tag = $tag || '';
|
||||
my @params = split /,/, $param;
|
||||
|
||||
unless ( my $return = eval `cat $file` ) {
|
||||
fatal_error "Couldn't parse $file: $@" if $@;
|
||||
@ -222,7 +218,7 @@ sub createsimpleactionchain( $ ) {
|
||||
my $action = shift;
|
||||
my $chainref = new_standard_chain $action;
|
||||
|
||||
$logactionchains{"$action:none"} = $chainref;
|
||||
$logactionchains{"$action:none::"} = $chainref;
|
||||
|
||||
unless ( $targets{$action} & BUILTIN ) {
|
||||
|
||||
@ -250,18 +246,18 @@ sub createsimpleactionchain( $ ) {
|
||||
# Create an action chain and run its associated user exit
|
||||
#
|
||||
sub createactionchain( $ ) {
|
||||
my ( $action , $level ) = split_action $_[0];
|
||||
my $normalized = shift;
|
||||
|
||||
my ( $target, $level, $tag, $param ) = split /:/, $normalized;
|
||||
|
||||
assert( defined $param );
|
||||
|
||||
my $chainref;
|
||||
|
||||
if ( defined $level && $level ne '' ) {
|
||||
if ( $level eq 'none' ) {
|
||||
createsimpleactionchain $action;
|
||||
if ( $level eq 'none' && $tag eq '' && $param eq '' ) {
|
||||
createsimpleactionchain $target;
|
||||
} else {
|
||||
createlogactionchain $action , $level;
|
||||
}
|
||||
} else {
|
||||
createsimpleactionchain $action;
|
||||
createlogactionchain $normalized, $target , $level , $tag, $param;
|
||||
}
|
||||
}
|
||||
|
||||
|
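Review bot: In createactionchain the new `my ( $target, $level, $tag, $param ) = split /:/, $normalized;` has no LIMIT, and Perl's split drops trailing empty fields, so for the `"$action:none::"` keys that the policy code now builds `$tag` and `$param` come back undef; `assert( defined $param )` then fires (assuming assert is an active check here) and `$tag eq ''` warns under strictures. Give split a positive limit so all four fields are always populated: `my ( $target, $level, $tag, $param ) = split /:/, $normalized, 4;`. The limit also keeps a parameter that itself contains a colon together in the fourth field instead of scattering it. The other `split /:/` call sites introduced by this commit have the same trailing-field behaviour and should get the same limit.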
@ -177,9 +177,10 @@ sub process_a_policy() {
|
||||
my $defaulttype = $targets{$default} || 0;
|
||||
|
||||
if ( $defaulttype & ACTION ) {
|
||||
unless ( $usedactions{$default} ) {
|
||||
$usedactions{$default} = 1;
|
||||
createactionchain $default;
|
||||
my $normalized = "$default:none::";
|
||||
unless ( $usedactions{$normalized} ) {
|
||||
$usedactions{$normalized} = 1;
|
||||
createactionchain $normalized;
|
||||
}
|
||||
} else {
|
||||
fatal_error "Unknown Default Action ($default)";
|
||||
@ -310,7 +311,7 @@ sub validate_policy()
|
||||
my $firewall = firewall_zone;
|
||||
our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
|
||||
|
||||
for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
|
||||
for my $option qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) {
|
||||
my $action = $config{$option};
|
||||
next if $action eq 'none';
|
||||
my $actiontype = $targets{$action};
|
||||
@ -321,9 +322,11 @@ sub validate_policy()
|
||||
fatal_error "Default Action $option=$action not found";
|
||||
}
|
||||
|
||||
unless ( $usedactions{$action} ) {
|
||||
$usedactions{$action} = 1;
|
||||
createactionchain $action;
|
||||
my $normalized = "$action:none::";
|
||||
|
||||
unless ( $usedactions{$normalized} ) {
|
||||
$usedactions{$normalized} = 1;
|
||||
createactionchain $normalized;
|
||||
}
|
||||
|
||||
$default_actions{$map{$option}} = $action;
|
||||
|
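Review bot: The rewritten loop header `for my $option qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) {` still uses the qw() list as the loop's parentheses, which perl has deprecated since 5.14 and rejects as a syntax error on 5.18 and later, so the fix should be `for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ) ) {`. A little further down in validate_policy the normalized key `"$action:none::"` is spelled out by hand, as it also is in process_a_policy; if the normalize_action_name helper visible in the other file's hunk header produces this four-field form, routing both through it would keep the key format in one place. validate_policy continues outside the hunk.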
@ -247,11 +247,8 @@ sub map_old_actions( $ ) {
|
||||
#
|
||||
sub find_logactionchain( $ ) {
|
||||
my $fullaction = $_[0];
|
||||
my ( $action, $level ) = split_action $fullaction;
|
||||
|
||||
$level = 'none' unless $level;
|
||||
|
||||
fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"};
|
||||
fatal_error "Fatal error in find_logactionchain" unless $logactionchains{$fullaction};
|
||||
}
|
||||
|
||||
#
|
||||
@ -352,6 +349,31 @@ sub process_actions1() {
|
||||
}
|
||||
}
|
||||
|
||||
sub merge_action_levels( $$ ) {
|
||||
my $superior = shift;
|
||||
my $subordinate = shift;
|
||||
|
||||
my ( $unused, $suplevel, $suptag, $supparam ) = split /:/, $superior;
|
||||
my ( $action, $sublevel, $subtag, $subparam ) = split /:/, $subordinate;
|
||||
|
||||
assert defined $supparam;
|
||||
|
||||
if ( $suplevel =~ /!$/ ) {
|
||||
( $sublevel, $subtag ) = ( $suplevel, $subtag );
|
||||
} else {
|
||||
$sublevel = 'none' unless defined $sublevel && $sublevel ne '';
|
||||
if ( $sublevel =~ /^none~/ ) {
|
||||
$subtag = '';
|
||||
} else {
|
||||
$subtag = '' unless defined $subtag;
|
||||
}
|
||||
}
|
||||
|
||||
$subparam = $supparam unless defined $subparam && $subparam ne '';
|
||||
|
||||
join ':', $action, $sublevel, $subtag, $subparam;
|
||||
}
|
||||
|
||||
sub process_actions2 () {
|
||||
progress_message2 'Generating Transitive Closure of Used-action List...';
|
||||
|
||||
@ -360,11 +382,11 @@ sub process_actions2 () {
|
||||
while ( $changed ) {
|
||||
$changed = 0;
|
||||
for my $target (keys %usedactions) {
|
||||
my ( $action, $level, $tag, $param ) = split_action $target;
|
||||
my ( $action, $level, $tag, $param ) = split ':', $target;
|
||||
my $actionref = $actions{$action};
|
||||
assert( $actionref );
|
||||
for my $action1 ( keys %{$actionref->{requires}} ) {
|
||||
my $action2 = merge_levels $target, $action1;
|
||||
my $action2 = merge_action_levels $target, $action1;
|
||||
unless ( $usedactions{ $action2 } ) {
|
||||
$usedactions{ $action2 } = 1;
|
||||
createactionchain $action2;
|
||||
@ -813,9 +835,9 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ) {
|
||||
if ( $inaction1 ) {
|
||||
add_requiredby( $target , $inaction1 );
|
||||
} else {
|
||||
unless ( $usedactions{$target} ) {
|
||||
$usedactions{$target} = 1;
|
||||
my $ref = createactionchain $target;
|
||||
unless ( $usedactions{$normalized_target} ) {
|
||||
$usedactions{$normalized_target} = 1;
|
||||
my $ref = createactionchain $normalized_target;
|
||||
new_nat_chain $ref->{name} if $actiontype & ( NATRULE | NONAT );
|
||||
}
|
||||
}
|
||||
@ -1253,7 +1275,7 @@ sub process_rule_common ( $$$$$$$$$$$$$$$$ ) {
|
||||
unless ( $actiontype & NATONLY ) {
|
||||
|
||||
if ( $actiontype & ACTION ) {
|
||||
$action = (find_logactionchain $target)->{name};
|
||||
$action = (find_logactionchain $normalized_target)->{name};
|
||||
$loglevel = '';
|
||||
}
|
||||
|
||||
|
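Review bot: In merge_action_levels the branch `( $sublevel, $subtag ) = ( $suplevel, $subtag );` assigns `$subtag` to itself, so when the superior level carries a trailing `!` only the level is forced and the superior's tag is discarded; presumably `( $sublevel, $subtag ) = ( $suplevel, $suptag );` was intended, otherwise `$suptag` is unpacked and never used. The two unpacking lines also split without a LIMIT, so for a superior key of the form `"X:none::"` Perl drops the trailing empty fields, `$supparam` is undef and `assert defined $supparam` fires; use `my ( $unused, $suplevel, $suptag, $supparam ) = split /:/, $superior, 4;` and `my ( $action, $sublevel, $subtag, $subparam ) = split /:/, $subordinate, 4;`. The `split ':', $target` added in process_actions2 has the same trailing-field issue and would benefit from the same limit.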