Implement the 'terminating' action option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-09-01 08:16:42 -07:00
parent 20c68dddf2
commit 7481514a97
4 changed files with 41 additions and 14 deletions


@ -73,6 +73,7 @@ our @EXPORT = ( qw(
allow_optimize allow_optimize
allow_delete allow_delete
allow_move allow_move
make_terminating
set_optflags set_optflags
reset_optflags reset_optflags
has_return has_return
@ -104,7 +105,6 @@ our @EXPORT = ( qw(
AUDIT AUDIT
HELPER HELPER
INLINE INLINE
TERMINATING
STATEMATCH STATEMATCH
USERBUILTIN USERBUILTIN
INLINERULE INLINERULE
@ -793,6 +793,13 @@ sub decr_cmd_level( $ ) {
assert( --$_[0]->{cmdlevel} >= 0, $_[0] ); assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
} }
#
# Mark an action as terminating
#
sub make_terminating( $ ) {
$terminating{$_[0]} = 1;
}
# #
# Transform the passed iptables rule into an internal-form hash reference. # Transform the passed iptables rule into an internal-form hash reference.
# Most of the compiler has been converted to use the new form natively. # Most of the compiler has been converted to use the new form natively.
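Review bot: make_terminating in the third hunk gives no hint of the contract behind `%terminating` (declared outside this hunk) — that it is keyed by the action name and consumed by the optimizer — so the header comment should say so, e.g. `# Mark an action as terminating: record its name as a key of %terminating so the optimizer may treat a jump to it as the end of the packet's path in the chain.` The sub also falls off the end and hands its callers the assigned value; an explicit `return;` would make the void-context intent clear. The second hunk drops TERMINATING from @EXPORT; if another module still names that constant as a bareword under strict, its compile will fail, which I cannot confirm from this page.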


@ -1748,14 +1748,15 @@ sub process_actions() {
undef, #Columns undef, #Columns
1 ); #Allow inline matches 1 ); #Allow inline matches
my $type = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION ); my $type = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
my $noinline = 0; my $noinline = 0;
my $nolog = ( $type == INLINE ) || 0; my $nolog = ( $type == INLINE ) || 0;
my $builtin = 0; my $builtin = 0;
my $raw = 0; my $raw = 0;
my $mangle = 0; my $mangle = 0;
my $filter = 0; my $filter = 0;
my $nat = 0; my $nat = 0;
my $terminating = 0;
if ( $action =~ /:/ ) { if ( $action =~ /:/ ) {
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf'; warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@ -1774,6 +1775,8 @@ sub process_actions() {
$nolog = 1; $nolog = 1;
} elsif ( $_ eq 'builtin' ) { } elsif ( $_ eq 'builtin' ) {
$builtin = 1; $builtin = 1;
} elsif ( $_ eq 'terminating' ) {
$terminating = 1;
} elsif ( $_ eq 'mangle' ) { } elsif ( $_ eq 'mangle' ) {
$mangle = 1; $mangle = 1;
} elsif ( $_ eq 'raw' ) { } elsif ( $_ eq 'raw' ) {
@ -1822,6 +1825,8 @@ sub process_actions() {
} }
$targets{$action} = $actiontype; $targets{$action} = $actiontype;
make_terminating( $action ) if $terminating;
} else { } else {
fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter; fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
new_action $action, $type, $noinline, $nolog; new_action $action, $type, $noinline, $nolog;
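Review bot: In the third hunk `make_terminating( $action )` runs only in the builtin branch, so a `terminating` option on a non-builtin action is accepted by the parser in the second hunk and then silently dropped, while the neighbouring misuse of table names is rejected with fatal_error. The same guard belongs in the else branch: `fatal_error "The terminating option is only allowed for builtin actions" if $terminating;`. Since the flag is trusted as given, a comment at the `my $terminating = 0;` declaration should also record that marking a builtin terminating when it is not lets the optimizer treat later rules in the chain as unreachable, so the option must match the real behaviour of the target. The enclosing process_actions begins and ends outside these hunks.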


@ -71,10 +71,17 @@
role="bold">raw</emphasis>. If no table name(s) are given, role="bold">raw</emphasis>. If no table name(s) are given,
then <emphasis role="bold">filter</emphasis> is assumed. The then <emphasis role="bold">filter</emphasis> is assumed. The
table names follow <emphasis role="bold">builtin</emphasis> table names follow <emphasis role="bold">builtin</emphasis>
and are separated by commas; for example, and are separated by commas; for example, "FOOBAR
"FOOBAR,filter,mangle" would specify FOOBAR as a builtin builtin,filter,mangle" would specify FOOBAR as a builtin
target that can be used in the filter and mangle target that can be used in the filter and mangle
tables.</para> tables.</para>
<para>Beginning with Shorewall 4.6.4, you may specify the
<emphasis role="bold">terminating</emphasis> option with
<emphasis role="bold">builtin</emphasis> to indicate to the
Shorewall optimizer that the action is terminating (the
current packet will not be passed to the next rule in the
chain).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -71,10 +71,18 @@
role="bold">mangle</emphasis> and <emphasis role="bold">mangle</emphasis> and <emphasis
role="bold">raw</emphasis>. If no table name(s) are given, role="bold">raw</emphasis>. If no table name(s) are given,
then <emphasis role="bold">filter</emphasis> is assumed. The then <emphasis role="bold">filter</emphasis> is assumed. The
table names follow builtin and are separated by commas; for table names follow <emphasis role="bold">builtin</emphasis>
example, "FOOBAR,filter,mangle" would specify FOOBAR as a and are separated by commas; for example, "FOOBAR
builtin target that can be used in the filter and mangle builtin,filter,mangle" would specify FOOBAR as a builtin
target that can be used in the filter and mangle
tables.</para> tables.</para>
<para>Beginning with Shorewall 4.6.4, you may specify the
<emphasis role="bold">terminating</emphasis> option with
<emphasis role="bold">builtin</emphasis> to indicate to the
Shorewall optimizer that the action is terminating (the
current packet will not be passed to the next rule in the
chain).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>