holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

A bit of cleanup

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-10-05 09:32:26 -07:00
parent 835a056eb8
commit 5d4a0172b7
3 changed files with 22 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -2708,6 +2708,11 @@ sub optimize_level8( $$$ ) {
replace_references $chainref1, $chainref->{name}, undef;
unless ( $chainref->{name} =~ /^~/ ) {
#
# For simple use of the BLACKLIST section, we can end up with many identical
# chains. To distinguish them from other renamed chains, we keep track of
# these chains via the 'blacklistsection' member.
#
$rename{ $chainref->{name} } = $chainref->{blacklistsection} ? '~blacklist' : '~comb';
}

19
Shorewall/action.DropSmurfs
View File

@ -14,6 +14,7 @@ FORMAT 2
DEFAULTS -
BEGIN PERL;
use strict;
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
use Shorewall::Chains;
use Shorewall::Rules;
@ -22,6 +23,7 @@ my ( $audit ) = get_action_params( 1 );
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;
my $target;
if ( $level ne '-' || $audit ne '-' ) {
my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
@ -29,7 +31,7 @@ if ( $level ne '-' || $audit ne '-' ) {
log_rule_limit( $level,
$logchainref,
$chainref->{name},
$disposition,
'DROP',
'',
$tag,
'add',
@ -38,13 +40,14 @@ if ( $level ne '-' || $audit ne '-' ) {
if ( supplied $audit ) {
fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
add_ijump( $logchainref, j => 'AUDIT --type DROP' );
}
add_ijump( $logchainref, j => 'DROP' );
$smurfdest = $logchainref;
$target = $logchainref;
} else {
$target = 'DROP';
}
if ( have_capability( 'ADDRTYPE' ) ) {
@ -54,7 +57,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
add_ijump $chainref , j => 'RETURN', s => '::';
}
add_ijump( $chainref, g => $smurfdest, addrtype => '--src-type BROADCAST' ) ;
add_ijump( $chainref, g => $target, addrtype => '--src-type BROADCAST' ) ;
} else {
if ( $family == F_IPV4 ) {
add_commands $chainref, 'for address in $ALL_BCASTS; do';
@ -63,15 +66,15 @@ if ( have_capability( 'ADDRTYPE' ) ) {
}
incr_cmd_level $chainref;
add_ijump( $chainref, g => $smurfdest, s => '$address' );
add_ijump( $chainref, g => $target, s => '$address' );
decr_cmd_level $chainref;
add_commands $chainref, 'done';
}
if ( $family == F_IPV4 ) {
add_ijump( $chainref, g => $smurfdest, s => '224.0.0.0/4' );
add_ijump( $chainref, g => $target, s => '224.0.0.0/4' );
} else {
add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
}
END PERL;

14
Shorewall/action.TCPFlags
View File

@ -1,15 +1,12 @@
#
# Shorewall version 4 - Action to handle bad TCP flag combinations
# Shorewall version 4 - Drop Smurfs Action
#
# /usr/share/shorewall/action.TCPFlags
# /usr/share/shorewall/action.DropSmurfs
#
# Accepts two optional parameters:
# Accepts a single optional parameter:
#
# Parameter 1: Disposition (default DROP).
# Must be ACCEPT, REJECT or DROP
# Parameter 2: Auditing
# - = Do not Audit
# audit = Audit ACCEPT, REJECT or DROP.
# audit = Audit dropped packets.
#
#################################################################################
FORMAT 2
@ -17,6 +14,7 @@ FORMAT 2
DEFAULTS DROP,-
BEGIN PERL;
use strict;
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
use Shorewall::Chains;
@ -41,7 +39,7 @@ if ( $level ne '-' || $audit ne '-' ) {
'' ) if $level;
if ( supplied $audit ) {
fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
}