forked from extern/shorewall_code
Add two new actions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
0a5d5821ec
commit
57650e8dd9
@ -52,9 +52,11 @@ our @EXPORT = qw(
|
||||
decr_cmd_level
|
||||
new_chain
|
||||
new_manual_chain
|
||||
ensure_filter_chain
|
||||
ensure_manual_chain
|
||||
ensure_audit_chain
|
||||
require_audit
|
||||
newlogchain
|
||||
log_rule_limit
|
||||
dont_optimize
|
||||
dont_delete
|
||||
@ -139,7 +141,6 @@ our %EXPORT_TAGS = (
|
||||
new_standard_chain
|
||||
new_builtin_chain
|
||||
new_nat_chain
|
||||
ensure_filter_chain
|
||||
optimize_chain
|
||||
check_optimization
|
||||
optimize_ruleset
|
||||
|
||||
82
Shorewall/action.DropSmurfs
Normal file
82
Shorewall/action.DropSmurfs
Normal file
@ -0,0 +1,82 @@
|
||||
#
|
||||
# Shorewall version 4 - Drop Smurfs Action
|
||||
#
|
||||
# /usr/share/shorewall/action.DropSmurfs
|
||||
#
|
||||
# Accepts a single optional parameter:
|
||||
#
|
||||
# - = Do not Audit
|
||||
# audit = Audit dropped packets.
|
||||
#
|
||||
#################################################################################
|
||||
FORMAT 2
|
||||
|
||||
DEFAULTS -
|
||||
|
||||
BEGIN PERL;
|
||||
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $audit ) = get_action_params( 1 );
|
||||
|
||||
my $chainref = get_action_chain;
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
|
||||
if ( $level ne '-' || $audit ne '-' ) {
|
||||
my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
|
||||
|
||||
log_rule_limit( $level,
|
||||
$logchainref,
|
||||
$chainref->{name},
|
||||
$disposition,
|
||||
'',
|
||||
$tag,
|
||||
'add',
|
||||
'' );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
|
||||
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
|
||||
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
|
||||
}
|
||||
|
||||
|
||||
add_ijump( $logchainref, j => 'DROP' );
|
||||
|
||||
$smurfdest = $logchainref;
|
||||
}
|
||||
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_ijump $chainref , j => 'RETURN', s => '0.0.0.0'; ;
|
||||
} else {
|
||||
add_ijump $chainref , j => 'RETURN', s => '::';
|
||||
}
|
||||
|
||||
add_ijump( $chainref, g => $smurfdest, addrtype => '--src-type BROADCAST' ) ;
|
||||
} else {
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
||||
} else {
|
||||
add_commands $chainref, 'for address in $ALL_ACASTS; do';
|
||||
}
|
||||
|
||||
incr_cmd_level $chainref;
|
||||
add_ijump( $chainref, g => $smurfdest, s => '$address' );
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
}
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_ijump( $chainref, g => $smurfdest, s => '224.0.0.0/4' );
|
||||
} else {
|
||||
add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
|
||||
}
|
||||
|
||||
END PERL;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
65
Shorewall/action.TCPFlags
Normal file
65
Shorewall/action.TCPFlags
Normal file
@ -0,0 +1,65 @@
|
||||
#
|
||||
# Shorewall version 4 - Drop Smurfs Action
|
||||
#
|
||||
# /usr/share/shorewall/action.TCPFlags
|
||||
#
|
||||
# Accepts two optional parameters:
|
||||
#
|
||||
# Parameter 1: Disposition (default DROP).
|
||||
# Must be ACCEPT, REJECT or DROP
|
||||
# Parameter 2: Auditing
|
||||
# - = Do not Audit
|
||||
# audit = Audit ACCEPT, REJECT or DROP.
|
||||
#
|
||||
#################################################################################
|
||||
FORMAT 2
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
BEGIN PERL;
|
||||
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
|
||||
use Shorewall::Chains;
|
||||
|
||||
|
||||
my ( $disposition, $audit ) = get_action_params( 2 );
|
||||
|
||||
my $chainref = get_action_chain;
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
|
||||
fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
|
||||
|
||||
if ( $level ne '-' || $audit ne '-' ) {
|
||||
my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
|
||||
|
||||
log_rule_limit( $level,
|
||||
$logchainref,
|
||||
$chainref->{name},
|
||||
$disposition,
|
||||
'',
|
||||
$tag,
|
||||
'add',
|
||||
'' ) if $level;
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
|
||||
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
|
||||
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
|
||||
}
|
||||
|
||||
add_ijump( $logchainref, g => $disposition );
|
||||
|
||||
$disposition = $logchainref;
|
||||
}
|
||||
|
||||
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
|
||||
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
|
||||
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
|
||||
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
|
||||
add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
|
||||
|
||||
END PERL;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -37,6 +37,8 @@ A_Drop # Audited Default Action for DROP policy
|
||||
A_Reject # Audited Default action for REJECT policy
|
||||
Broadcast # Handles Broadcast/Multicast/Anycast
|
||||
Drop # Default Action for DROP policy
|
||||
DropSmurfs # Drop smurf packets
|
||||
Invalid # Handles packets in the INVALID conntrack state
|
||||
NotSyn # Handles TCP packets which do not have SYN=1 and ACK=0
|
||||
Reject # Default Action for REJECT policy
|
||||
TCPFlags # Handle bad flag combinations.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user