diff --git a/Shorewall/Actions/action.AllowICMPs b/Shorewall/Actions/action.AllowICMPs
index 566436251..83115bd69 100644
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -12,7 +12,6 @@ DEFAULTS ACCEPT
@1 - - icmp fragmentation-needed {comment="Needed ICMP types"}
@1 - - icmp time-exceeded {comment="Needed ICMP types"}
?else
- CONTINUE - - !ipv6-icmp
?COMMENT Needed ICMP types (RFC4890)
@1 - - ipv6-icmp destination-unreachable
@1 - - ipv6-icmp packet-too-big
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 3d2dd0508..886fcdd0a 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -927,6 +927,28 @@ sub process_policies()
#
sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
+#
+# Determine the protocol to be used in the jump to the passed action
+#
+sub determine_action_protocol( $$ ) {
+ my ( $action, $proto ) = @_;
+
+ if ( my $actionproto = $actions{$action}{proto} ) {
+ if ( $proto eq '-' ) {
+ $proto = $actionproto;
+ } else {
+ if ( defined( my $protonum = resolve_proto( $proto ) ) ) {
+ fatal_error( "The $action action is only usable with " . proto_name( $actionproto ) ) unless $actionproto == $protonum;
+ $proto = $protonum;
+ } else {
+ fatal_error( "Unknown protocol ($proto)" );
+ }
+ }
+ }
+
+ $proto;
+}
+
sub add_policy_rules( $$$$$ ) {
my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
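Review bot: A declared protocol of 0 is indistinguishable from "no protocol" in `determine_action_protocol`, because `if ( my $actionproto = $actions{$action}{proto} )` is a truth test, and the `proto=` parser in the later process_actions hunk accepts 0 via its `defined` check and then tests `if $proto` for the builtin warning; so `proto=0` (or any name resolve_proto maps to 0, if there is one) is accepted and silently imposes no restriction. Rejecting 0 when the option is parsed, or testing `defined` at both sites, would make that explicit. Two smaller points in the same sub: the mismatch message could name the offending column value, `fatal_error( "The $action action is only usable with " . proto_name( $actionproto ) . " (PROTO=$proto)" )`, and `Unknown protocol ($proto)` here differs in case from `Unknown Protocol ($1)` in process_actions. The header comment could state the contract rather than only the purpose: `# Returns the action's protocol number when $proto is '-' or resolves to it; fatal on mismatch or an unresolvable $proto; returns $proto unchanged for actions without a 'proto' option.`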
@@ -944,7 +966,11 @@ sub add_policy_rules( $$$$$ ) {
#
# Default action is a regular action -- jump to the action chain
#
- add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
+ if ( ( my $proto = determine_action_protocol( $action, '-' ) ) ne '-' ) {
+ add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
+ } else {
+ add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
+ }
} else {
#
# Default action is an inline
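Review bot: The two new branches differ only in the optional `p =>` pair, and one uses parenthesised call syntax while the other does not; a single call with a conditional list keeps one code path: `my $proto = determine_action_protocol( $action, '-' );` followed by `add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} ), ( $proto ne '-' ? ( p => $proto ) : () );`. `$action` is assigned before this hunk, so I am assuming it is the bare action name belonging to `$paction`; the enclosing loop and the start of add_policy_rules are outside the hunk.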
@@ -1417,13 +1443,13 @@ sub external_name( $ ) {
#
# Define an Action
#
-sub new_action( $$$$$ ) {
+sub new_action( $$$$$$ ) {
- my ( $action , $type, $options , $actionfile , $state ) = @_;
+ my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;
fatal_error "Invalid action name($action)" if reserved_name( $action );
- $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state };
+ $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };
$targets{$action} = $type;
}
@@ -2049,6 +2075,7 @@ sub process_actions() {
my $opts = $type == INLINE ? NOLOG_OPT : 0;
my $state = '';
+ my $proto = 0;
if ( $action =~ /:/ ) {
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -2065,6 +2092,8 @@ sub process_actions() {
} else {
fatal_error( q(The 'state' option is reserved for use in the actions.std file) );
}
+ } elsif ( /^proto=(.+)$/ ) {
+ fatal_error "Unknown Protocol ($1)" unless defined( $proto = resolve_proto( $1 ) );
} else {
fatal_error "Invalid option ($_)" unless $options{$_};
$opts |= $options{$_};
@@ -2097,6 +2126,8 @@ sub process_actions() {
}
if ( $opts & BUILTIN_OPT ) {
+ warning_message( "The 'proto' option has no effect when specified on a builtin action" ) if $proto;
+
my $actiontype = USERBUILTIN | OPTIONS;
$actiontype |= MANGLE_TABLE if $opts & MANGLE_OPT;
$actiontype |= RAW_TABLE if $opts & RAW_OPT;
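Review bot: The new warning covers only BUILTIN_OPT, yet an action declared with both `inline` and `proto=` gets neither a warning nor, on the paths in this commit, any enforcement — `determine_action_protocol` is called only under `$actiontype & ACTION` in process_rule, process_mangle_rule1 and process_snat1 — while Shorewall/actions.std and Shorewall6/actions.std now put `proto=6`/`proto=17` on the inline actions FIN, NotSyn, RST and DropDNSrep. Unless process_inline applies the declared protocol somewhere outside this diff, those declarations are inert and an invocation of, say, FIN with a non-TCP PROTO is not rejected. Either extend the check to the INLINE path, or, if the restriction is intentionally ACTION-only, make the gap visible with `warning_message( "The 'proto' option has no effect when specified on an inline action" ) if $proto && $type == INLINE;` and drop the option from the shipped inline entries so the standard file does not trigger it.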
@@ -2129,7 +2160,7 @@ sub process_actions() {
fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
- new_action ( $action, $type, $opts, $actionfile , $state );
+ new_action ( $action, $type, $opts, $actionfile , $state , $proto );
}
}
}
@@ -3012,6 +3043,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
my $actionchain; # Name of the action chain
if ( $actiontype & ACTION ) {
+ #
+ # Verify action 'proto', if any
+ #
+ $proto = determine_action_protocol( $basictarget, $proto );
#
# Save NAT-oriented column contents
#
@@ -4736,6 +4771,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
function => sub() {
fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE;
#
+ # Verify action 'proto', if any
+ #
+ $proto = determine_action_protocol( $cmd, $proto );
+ #
# Create the action:level:tag:param tuple.
#
my $normalized_target = normalize_action( $cmd, '', $params );
@@ -5694,6 +5733,10 @@ sub process_snat1( $$$$$$$$$$$$ ) {
if ( $actiontype & ACTION ) {
fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
#
+ # Verify action 'proto', if any
+ #
+ $proto = determine_action_protocol( $target, $proto );
+ #
# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
# the interface name in the log tag
#
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index a7648dad4..343e6cab1 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -26,18 +26,19 @@ Broadcast inline,audit # Handles Broadcast/Anycast
?else
Broadcast noinline,audit # Handles Broadcast/Anycast
?endif
-DNSAmp # Matches one-question recursive DNS queries
+DNSAmp proto=17 # Matches one-question recursive DNS queries
Drop # Default Action for DROP policy (deprecated)
dropBcast inline # Silently Drop Broadcast
dropBcasts inline # Silently Drop Broadcast
dropInvalid inline # Drops packets in the INVALID conntrack state
dropMcast inline # Silently Drop Multicast
-dropNotSyn noinline # Silently Drop Non-syn TCP packets
-DropDNSrep inline # Drops DNS replies
+dropNotSyn noinline,proto=6 # Silently Drop Non-syn TCP packets
+DropDNSrep inline,proto=17 # Drops DNS replies
DropSmurfs noinline # Drop smurf packets
Established inline,\ # Handles packets in the ESTABLISHED state
state=ESTABLISHED #
-FIN inline,audit # Handles ACK,FIN,PSH packets
+FIN inline,audit,\ # Handles ACK,FIN,PSH packets
+ proto=6
forwardUPnP noinline # Allow traffic that upnpd has redirected from 'upnp' interfaces.
GlusterFS inline # Handles GlusterFS
IfEvent noinline # Perform an action based on an event
@@ -50,14 +51,16 @@ Multicast inline,audit # Handles Multicast
Multicast noinline,audit # Handles Multicast
?endif
New inline,state=NEW # Handles packets in the NEW conntrack state
-NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0
-rejNotSyn noinline # Silently Reject Non-syn TCP packets
+NotSyn inline,audit,\ # Handles TCP packets which do not have SYN=1 and ACK=0
+ proto=6
+rejNotSyn noinline,proto=6 # Silently Reject Non-syn TCP packets
Reject # Default Action for REJECT policy (deprecated)
Related inline,\ # Handles packets in the RELATED conntrack state
state=RELATED #
ResetEvent inline # Reset an Event
-RST inline,audit # Handle packets with RST set
+RST inline,audit,\ # Handle packets with RST set
+ proto=6
SetEvent inline # Initialize an event
-TCPFlags # Handle bad flag combinations.
+TCPFlags proto=6 # Handle bad flag combinations.
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
state=UNTRACKED #
diff --git a/Shorewall/manpages/shorewall-actions.xml b/Shorewall/manpages/shorewall-actions.xml
index d7b86c8d7..866478c79 100644
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -191,6 +191,27 @@
+
+ =protocol
+
+
+ Added in Shorewall 5.1.10. Specifies that the action is
+ only usable with the specified
+ protocol (name or number). When the
+ action is invoked with no protocol specified in the PROTO
+ column, or if the action is used as a Policy Action, the named
+ protocol will be assumed. If a
+ protocol is specified in the PROTO column of an invocation,
+ then it must match the named
+ protocol.
+
+ The option has no effect if the
+ or option is
+ specified. A warning is issued if is
+ specified along with .
+
+
+
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index 922ee8de1..239aa113e 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -8,42 +8,43 @@
#
###############################################################################
#ACTION
-A_Drop # Audited Default Action for DROP policy
-A_Reject # Audited Default Action for REJECT policy
-A_AllowICMPs # Audited Accept needed ICMP6 types
-AllowICMPs # Accept needed ICMP6 types
+A_Drop # Audited Default Action for DROP policy
+A_Reject # Audited Default Action for REJECT policy
+A_AllowICMPs proto=58 # Audited Accept needed ICMP6 types
+AllowICMPs proto=58 # Accept needed ICMP6 types
allowBcast inline # Silently Allow Broadcast
allowInvalid inline # Accepts packets in the INVALID conntrack state
allowMcast inline # Silently Allow Multicast
-AutoBL noinline # Auto-blacklist IPs that exceed thesholds
-AutoBLL noinline # Helper for AutoBL
+AutoBL noinline # Auto-blacklist IPs that exceed thesholds
+AutoBLL noinline # Helper for AutoBL
BLACKLIST logjump,section # Add sender to the dynamic blacklist
-Broadcast noinline # Handles Broadcast/Anycast
-Drop # Default Action for DROP policy (deprecated)
+Broadcast noinline # Handles Broadcast/Anycast
+Drop # Default Action for DROP policy (deprecated)
dropBcast inline # Silently Drop Broadcast
dropBcasts inline # Silently Drop Broadcast
dropInvalid inline # Drops packets in the INVALID conntrack state
dropMcast inline # Silently Drop Multicast
-dropNotSyn noinline # Silently Drop Non-syn TCP packets
-DropDNSrep inline # Drops DNS replies
-DropSmurfs noinline # Handles packets with a broadcast source address
+dropNotSyn noinline,proto=6 # Silently Drop Non-syn TCP packets
+DropDNSrep inline,proto=17 # Drops DNS replies
+DropSmurfs noinline # Handles packets with a broadcast source address
Established inline,\ # Handles packets in the ESTABLISHED state
state=ESTABLISHED
-FIN inline,audit # Handles ACK,FIN,PSH packets
+FIN inline,audit,\ # Handles ACK,FIN,PSH packets
+ proto=6
forwardUPnP noinline # Allow traffic that upnpd has redirected from 'upnp' interfaces.
-IfEvent noinline # Perform an action based on an event
-Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
- state=INVALID
-Multicast noinline # Handles Multicast
+IfEvent noinline # Perform an action based on an event
+Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
+ state=INVALID
+Multicast noinline # Handles Multicast
New inline,state=NEW # Handles packets in the NEW conntrack state
-NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0
-Reject # Default Action for REJECT policy (deprecated)
-rejNotSyn noinline # Silently Reject Non-syn TCP packets
-Related inline,\ # Handles packets in the RELATED conntrack state
- state=RELATED
+NotSyn inline,proto=6 # Handles TCP packets that do not have SYN=1 and ACK=0
+Reject # Default Action for REJECT policy (deprecated)
+rejNotSyn noinline,proto=6 # Silently Reject Non-syn TCP packets
+Related inline,\ # Handles packets in the RELATED conntrack state
+ state=RELATED
ResetEvent inline # Reset an Event
-RST inline # Handle packets with RST set
+RST inline,proto=6 # Handle packets with RST set
SetEvent inline # Initialize an event
-TCPFlags # Handles bad flags combinations
-Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
+TCPFlags proto=6 # Handles bad flags combinations
+Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
state=UNTRACKED
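Review bot: `A_AllowICMPs proto=58` and `AllowICMPs proto=58` are what now stands in for the `CONTINUE - - !ipv6-icmp` line removed from action.AllowICMPs in the first hunk, so the early exit for non-ICMPv6 traffic depends on every invocation of these actions passing through determine_action_protocol; because each rule in that action body still matches ipv6-icmp itself, a path that misses the jump-level protocol match would lose only the shortcut, not accept other protocols. That dependency is worth recording on the entry, e.g. `# proto=58 replaces the former CONTINUE guard in action.AllowICMPs`. The hunk also realigns the comment column on many otherwise unchanged entries (A_Drop, AutoBL, Broadcast, IfEvent, Invalid, Related, Untracked, ...), which buries the substantive changes; keeping the previous alignment would leave a diff that shows only the new options.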