Ignore 'inline' for certain actions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
146402d9be
commit
8cbe26e32c
@ -1007,18 +1007,18 @@ show_command() {
|
||||
case $1 in
|
||||
actions)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "A_ACCEPT # Audit and accept the connection"
|
||||
echo "A_DROP # Audit and drop the connection"
|
||||
echo "A_REJECT # Audit and reject the connection "
|
||||
echo "allowBcast # Silently Allow Broadcast/multicast"
|
||||
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
|
||||
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
|
||||
echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
|
||||
echo "dropBcast # Silently Drop Broadcast/multicast"
|
||||
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
|
||||
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
|
||||
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
|
||||
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
|
||||
echo "A_ACCEPT # Audit and accept the connection"
|
||||
echo "A_DROP # Audit and drop the connection"
|
||||
echo "A_REJECT # Audit and reject the connection "
|
||||
echo "allowBcast # Silently Allow Broadcast/multicast"
|
||||
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
|
||||
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
|
||||
echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
|
||||
echo "dropBcast # Silently Drop Broadcast/multicast"
|
||||
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
|
||||
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
|
||||
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
|
||||
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
|
||||
|
||||
if [ -f ${g_confdir}/actions ]; then
|
||||
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
|
||||
|
@ -986,13 +986,13 @@ sub externalize( $ ) {
|
||||
#
|
||||
# Define an Action
|
||||
#
|
||||
sub new_action( $$ ) {
|
||||
sub new_action( $$$ ) {
|
||||
|
||||
my ( $action , $type ) = @_;
|
||||
my ( $action , $type, $noinline ) = @_;
|
||||
|
||||
fatal_error "Invalid action name($action)" if reserved_name( $action );
|
||||
|
||||
$actions{$action} = { actchain => '' } if $type & ACTION;
|
||||
$actions{$action} = { actchain => '' , noinline => $noinline } if $type & ACTION;
|
||||
|
||||
$targets{$action} = $type;
|
||||
}
|
||||
@ -1019,7 +1019,7 @@ sub createlogactionchain( $$$$$ ) {
|
||||
|
||||
validate_level $level;
|
||||
|
||||
$actionref = new_action( $action , ACTION ) unless $actionref;
|
||||
$actionref = new_action( $action , ACTION , 0 ) unless $actionref;
|
||||
|
||||
$chain = substr $chain, 0, 28 if ( length $chain ) > 28;
|
||||
|
||||
@ -1464,7 +1464,7 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
|
||||
# This function is called prior to processing of the policy file. It:
|
||||
#
|
||||
# - Adds the builtin actions to the target table
|
||||
# - Reads actions and actions.std (in that order) and for each entry:
|
||||
# - Reads actions.std and actions (in that order) and for each entry:
|
||||
# o Adds the action to the target table
|
||||
# o Verifies that the corresponding action file exists
|
||||
#
|
||||
@ -1475,15 +1475,16 @@ sub process_actions() {
|
||||
#
|
||||
# Add built-in actions to the target table and create those actions
|
||||
#
|
||||
$targets{$_} = new_action( $_ , ACTION + BUILTIN ) for @builtins;
|
||||
$targets{$_} = new_action( $_ , ACTION + BUILTIN, 1 ) for @builtins;
|
||||
|
||||
for my $file ( qw/actions actions.std/ ) {
|
||||
for my $file ( qw/actions.std actions/ ) {
|
||||
open_file $file;
|
||||
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
my ( $action, $options ) = split_line 'action file' , { action => 0, options => 1 };
|
||||
|
||||
my $type = ACTION;
|
||||
my $type = ACTION;
|
||||
my $noinline = 0;
|
||||
|
||||
if ( $action =~ /:/ ) {
|
||||
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
|
||||
@ -1492,20 +1493,34 @@ sub process_actions() {
|
||||
|
||||
fatal_error "Invalid Action Name ($action)" unless $action =~ /^[a-zA-Z][\w-]*$/;
|
||||
|
||||
if ( $targets{$action} ) {
|
||||
warning_message "Duplicate Action Name ($action) Ignored" unless $targets{$action} & ( ACTION | INLINE );
|
||||
next;
|
||||
}
|
||||
|
||||
if ( $options eq 'inline' ) {
|
||||
$type = INLINE;
|
||||
} elsif ( $options eq 'noinline' ) {
|
||||
$noinline = 1;
|
||||
} else {
|
||||
fatal_error "Invalid option($options)" unless $options eq '-';
|
||||
}
|
||||
|
||||
new_action $action, $type;
|
||||
my $actionfile;
|
||||
|
||||
my $actionfile = find_file "action.$action";
|
||||
if ( my $actiontype = $targets{$action} ) {
|
||||
if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
|
||||
if ( $actions{$action}->{noinline} ) {
|
||||
warning_message "'inline' option ignored on action $action -- that action may not be in-lined";
|
||||
next;
|
||||
}
|
||||
|
||||
delete $actions{$action};
|
||||
delete $targets{$action};
|
||||
} else {
|
||||
warning_message "Duplicate Action Name ($action) Ignored" unless $actiontype & ( ACTION | INLINE );
|
||||
next;
|
||||
}
|
||||
}
|
||||
|
||||
new_action $action, $type, $noinline;
|
||||
|
||||
$actionfile = find_file( "action.$action" ) unless $actionfile;
|
||||
|
||||
fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
|
||||
|
||||
|
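Review bot: The `noinline` branch does not "reverse the effect of any previous inline option" as the docbook text added in this commit says: when `$targets{$action}` already holds an INLINE definition and a later line gives `noinline`, `$type` is still ACTION, so the `( $actiontype & ACTION ) && ( $type == INLINE )` test fails and the else branch runs `next` — silently, because `$actiontype & ( ACTION | INLINE )` suppresses the duplicate warning. Either handle the case symmetrically, e.g. `} elsif ( ( $actiontype & INLINE ) && $noinline ) { delete $actions{$action}; delete $targets{$action}; } else {`, so the redefinition below picks up `$noinline`, or narrow the documentation to say that `noinline` marks an action at its first definition as one the compiler will not in-line. A smaller point: `my $actionfile;` is never assigned before `$actionfile = find_file( "action.$action" ) unless $actionfile;`, so within the visible lines the `unless` guard is dead and reads like a leftover. process_actions() continues past the end of this hunk, so an assignment may exist in lines not shown.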
@ -33,13 +33,13 @@
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION
|
||||
A_Drop # Audited Default Action for DROP policy
|
||||
A_Reject # Audited Default action for REJECT policy
|
||||
Broadcast # Handles Broadcast/Multicast/Anycast
|
||||
Drop # Default Action for DROP policy
|
||||
DropSmurfs # Drop smurf packets
|
||||
Invalid # Handles packets in the INVALID conntrack state
|
||||
NotSyn # Handles TCP packets which do not have SYN=1 and ACK=0
|
||||
Reject # Default Action for REJECT policy
|
||||
RST # Handle packets with RST set
|
||||
TCPFlags # Handle bad flag combinations.
|
||||
A_Drop # Audited Default Action for DROP policy
|
||||
A_Reject # Audited Default action for REJECT policy
|
||||
Broadcast noinline # Handles Broadcast/Multicast/Anycast
|
||||
Drop # Default Action for DROP policy
|
||||
DropSmurfs noinline # Drop smurf packets
|
||||
Invalid noinline # Handles packets in the INVALID conntrack state
|
||||
NotSyn noinline # Handles TCP packets which do not have SYN=1 and ACK=0
|
||||
Reject # Default Action for REJECT policy
|
||||
RST noinline # Handle packets with RST set
|
||||
TCPFlags noinline # Handle bad flag combinations.
|
||||
|
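Review bot: The column header `#ACTION` above these entries is left unchanged although six of them now carry a second column, so a reader of actions.std has no name for what `noinline` is; the action.template touched in this same commit already reads `#ACTION OPTIONS COMMENT`. Suggest widening the header to `#ACTION		OPTIONS` (aligned as in the template) so the file documents its own layout. The meaning of the option itself should stay in the manpage, which this commit already updates.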
@ -8,5 +8,5 @@
|
||||
# Please see http://shorewall.net/Actions.html for additional information.
|
||||
#
|
||||
####################################################################################
|
||||
#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
|
||||
# v a comment describing the action)
|
||||
#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
|
||||
# v a comment describing the action)
|
||||
|
@ -62,8 +62,9 @@
|
||||
|
||||
<caution>
|
||||
<para>Some of the Shorewall standard actions cannot be used
|
||||
in-line and will generate a compiler error if you try to use
|
||||
them that way:</para>
|
||||
in-line and will generate a warning and the compiler will
|
||||
ignore <option>inline</option> if you try to use them that
|
||||
way:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>Broadcast</member>
|
||||
@ -81,6 +82,15 @@
|
||||
</caution>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>noinline</term>
|
||||
|
||||
<listitem>
|
||||
<para>Reverses the effect of any previous
|
||||
<option>inline</option> option for the same action.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
@ -19,15 +19,15 @@
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION
|
||||
A_Drop # Audited Default Action for DROP policy
|
||||
A_Reject # Audited Default Action for REJECT policy
|
||||
A_AllowICMPs # Audited Accept needed ICMP6 types
|
||||
AllowICMPs # Accept needed ICMP6 types
|
||||
Broadcast # Handles Broadcast/Multicast/Anycast
|
||||
Drop # Default Action for DROP policy
|
||||
DropSmurfs # Handles packets with a broadcast source address
|
||||
Invalid # Handles packets in the INVALID conntrack state
|
||||
NotSyn # Handles TCP packets that do not have SYN=1 and ACK=0
|
||||
Reject # Default Action for REJECT policy
|
||||
TCPFlags # Handles bad flags combinations
|
||||
A_Drop # Audited Default Action for DROP policy
|
||||
A_Reject # Audited Default Action for REJECT policy
|
||||
A_AllowICMPs # Audited Accept needed ICMP6 types
|
||||
AllowICMPs # Accept needed ICMP6 types
|
||||
Broadcast noinline # Handles Broadcast/Multicast/Anycast
|
||||
Drop # Default Action for DROP policy
|
||||
DropSmurfs noinline # Handles packets with a broadcast source address
|
||||
Invalid noinline # Handles packets in the INVALID conntrack state
|
||||
NotSyn noinline # Handles TCP packets that do not have SYN=1 and ACK=0
|
||||
Reject # Default Action for REJECT policy
|
||||
TCPFlags noinline # Handles bad flags combinations
|
||||
|
||||
|
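Review bot: As in the IPv4 file, the `#ACTION` header here is not extended even though Broadcast, DropSmurfs, Invalid, NotSyn and TCPFlags now have a second column, while the IPv6 action.template in this commit reads `#ACTION OPTIONS COMMENT`. Suggest changing the header to `#ACTION		OPTIONS` so the two shipped files agree with the template. No other change is needed in this hunk.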
@ -9,5 +9,5 @@
|
||||
#
|
||||
###############################################################################
|
||||
####################################################################################
|
||||
#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
|
||||
# v a comment describing the action)
|
||||
#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
|
||||
# v a comment describing the action)
|
||||
|
@ -62,8 +62,9 @@
|
||||
|
||||
<caution>
|
||||
<para>Some of the Shorewall standard actions cannot be used
|
||||
in-line and will generate a compiler error if you try to use
|
||||
them that way:</para>
|
||||
in-line and will generate a warning and the compiler will
|
||||
ignore <option>inline</option> if you try to use them that
|
||||
way:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>Broadcast</member>
|
||||
@ -81,6 +82,15 @@
|
||||
</caution>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>noinline</term>
|
||||
|
||||
<listitem>
|
||||
<para>Reverses the effect of any previous
|
||||
<option>inline</option> option for the same action.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|