Fix parameterization of standard default actions.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-06-22 07:51:42 -07:00
parent b43bee2c62
commit 62a75cb98d
7 changed files with 33 additions and 16 deletions


@ -11,5 +11,6 @@
COMMENT Needed ICMP types COMMENT Needed ICMP types
ACCEPT - - icmp fragmentation-needed DEFAULT ACCEPT
ACCEPT - - icmp time-exceeded PARAM - - icmp fragmentation-needed
PARAM - - icmp time-exceeded


@ -11,4 +11,5 @@
COMMENT Late DNS Replies COMMENT Late DNS Replies
DROP - - udp - 53 DEFAULT DROP
PARAM - - udp - 53


@ -11,4 +11,5 @@
COMMENT UPnP COMMENT UPnP
DROP - - udp 1900 DEFAULT DROP
PARAM - - udp 1900


@ -75,6 +75,7 @@ my @builtins;
# #
my $rule_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2 }; my $rule_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2 };
my $action_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULTS => 2 }; my $action_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULTS => 2 };
my $macro_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULT => 2 };
use constant { MAX_MACRO_NEST_LEVEL => 5 }; use constant { MAX_MACRO_NEST_LEVEL => 5 };
@ -1580,6 +1581,11 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
next; next;
} }
if ( $mtarget eq 'DEFAULT' ) {
$param = $msource unless supplied $param;
next;
}
$mtarget = merge_levels $target, $mtarget; $mtarget = merge_levels $target, $mtarget;
if ( $mtarget =~ /^PARAM(:.*)?$/ ) { if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
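Review bot: The new DEFAULT branch in process_macro copies `$msource` into `$param` without checking that the DEFAULT line actually carries a target, so a DEFAULT line whose value column is empty or `-` leaves `$param` holding a non-target and any error surfaces only later, when a PARAM line is expanded. Assuming `supplied` treats `-` and the empty string as absent, a guard such as `fatal_error "Invalid DEFAULT target ($msource)" unless supplied $msource;` before the assignment would report the malformed macro line at its source. Because the assignment is conditional on `supplied $param`, a second DEFAULT line in the same macro is silently ignored and a caller-supplied parameter always wins; if that is intended, a comment like `# first DEFAULT applies only when the caller passed no parameter` would make it explicit. The enclosing sub starts and ends outside the hunk.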


@ -35,18 +35,20 @@ FORMAT 2
BEGIN PERL BEGIN PERL
use Shorewall::Config; use Shorewall::Config;
my ($p1, $p2, $p3 ) = get_action_params(1, 2, 3); my ($p1, $p2, $p3 ) = get_action_params(1, 2, 3, 4, 5);
if ( defined $p1 && $p1 eq 'audit' ) { if ( defined $p1 && $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless defined $p2; set_action_param( 2, 'A_REJECT') unless defined $p2;
set_action_param( 3, 'A_DROP') unless defined $p3; set_action_param( 3, 'A_DROP') unless defined $p3;
set_action_param( 4, 'A_ACCEPT' ) unless defined $p4;
set_action_param( 5, 'A_DROP' ) unless defined $p5;
}; };
1; 1;
END PERL END PERL
DEFAULTS -,REJECT,DROP DEFAULTS -,REJECT,DROP,ACCEPT,DROP
#TARGET SOURCE DEST PROTO DPORT SPORT #TARGET SOURCE DEST PROTO DPORT SPORT
# #
@ -64,7 +66,7 @@ dropBcast($1)
# #
# ACCEPT critical ICMP types # ACCEPT critical ICMP types
# #
AllowICMPs($1) - - icmp AllowICMPs($4) - - icmp
# #
# Drop packets that are in the INVALID state -- these are usually ICMP packets # Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log. # and just confuse people when they appear in the log.
@ -74,7 +76,7 @@ dropInvalid($1)
# Drop Microsoft noise so that it doesn't clutter up the log. # Drop Microsoft noise so that it doesn't clutter up the log.
# #
SMB($3) SMB($3)
DropUPnP($1) DropUPnP($5)
# #
# Drop 'newnotsyn' traffic so that it doesn't get logged. # Drop 'newnotsyn' traffic so that it doesn't get logged.
# #
@ -83,4 +85,4 @@ dropNotSyn($1) - - tcp
# Drop late-arriving DNS replies. These are just a nuisance and clutter up # Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log. # the log.
# #
DropDNSrep($1) DropDNSrep($5)
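Review bot: On the new side of the BEGIN PERL block, `get_action_params(1, 2, 3, 4, 5)` is still assigned into only three variables, so `$p4` and `$p5` used by the two added `set_action_param` lines are never declared or assigned; if the embedded block runs under strict that is a compile error, and otherwise both `unless defined` guards are always true, so audit mode overwrites any caller-supplied fourth and fifth parameter. The declaration should read `my ($p1, $p2, $p3, $p4, $p5) = get_action_params(1, 2, 3, 4, 5);`. The following file section (the REJECT variant) has the same omission.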


@ -31,18 +31,20 @@ FORMAT 2
BEGIN PERL BEGIN PERL
use Shorewall::Config; use Shorewall::Config;
my ( $p1, $p2, $p3 ) = get_action_params(1, 2, 3); my ( $p1, $p2, $p3 ) = get_action_params(1, 2, 3, 4, 5);
if ( defined $p1 && $p1 eq 'audit' ) { if ( defined $p1 && $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless defined $p2; set_action_param( 2, 'A_REJECT') unless defined $p2;
set_action_param( 3, 'A_REJECT') unless defined $p3; set_action_param( 3, 'A_REJECT') unless defined $p3;
set_action_param( 4, 'A_ACCEPT' ) unless defined $p5;
set_action_param( 5, 'A_DROP' ) unless defined $p5;
}; };
1; 1;
END PERL END PERL
DEFAULTS -,REJECT,REJECT DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
#TARGET SOURCE DEST PROTO #TARGET SOURCE DEST PROTO
# #
@ -61,7 +63,7 @@ dropBcast($1)
# #
# ACCEPT critical ICMP types # ACCEPT critical ICMP types
# #
AllowICMPs($1) - - icmp AllowICMPs($4) - - icmp
# #
# Drop packets that are in the INVALID state -- these are usually ICMP packets # Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be # and just confuse people when they appear in the log (these ICMPs cannot be
@ -72,7 +74,7 @@ dropInvalid($1)
# Reject Microsoft noise so that it doesn't clutter up the log. # Reject Microsoft noise so that it doesn't clutter up the log.
# #
SMB($3) SMB($3)
DropUPnP($1) DropUPnP($5)
# #
# Drop 'newnotsyn' traffic so that it doesn't get logged. # Drop 'newnotsyn' traffic so that it doesn't get logged.
# #
@ -81,4 +83,4 @@ dropNotSyn($1) - - tcp
# Drop late-arriving DNS replies. These are just a nuisance and clutter up # Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log. # the log.
# #
DropDNSrep($1) DropDNSrep($5)
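Review bot: In the added line `set_action_param( 4, 'A_ACCEPT' ) unless defined $p5;` the guard tests `$p5` where `$p4` is meant, so parameter 4 would be overwritten whenever parameter 5 is absent and never defaulted when 5 is given but 4 is not; it should be `set_action_param( 4, 'A_ACCEPT' ) unless defined $p4;`. As in the previous section, the `my ( $p1, $p2, $p3 )` list also needs `$p4, $p5` added to match the `get_action_params(1, 2, 3, 4, 5)` call, otherwise both names are undeclared and the guards are trivially true.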


@ -2,6 +2,10 @@ Changes in Shorewall 4.4.21 Beta 3
1) Shorewall-init can now save/restore ipsets. 1) Shorewall-init can now save/restore ipsets.
2) Correct handling of DEFAULTS in non-action contexts.
3) Rename read_action_param and change signature.
Changes in Shorewall 4.4.21 Beta 2 Changes in Shorewall 4.4.21 Beta 2
1) Implement the 'update' command. 1) Implement the 'update' command.