diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 6f1768bed..1e595e3cd 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -77,6 +77,7 @@ our %EXPORT_TAGS = (
 NOT_RESTORE
 initialize_chain_table
+ lookup_shorewall_action
 add_commands
 move_rules
 insert_rule1
@@ -179,6 +180,19 @@ our %EXPORT_TAGS = (
 $section
 %sections
 %targets
+ %shorewall_targets
+ TGT_ACCEPT
+ TGT_REJECT
+ TGT_DROP
+ TGT_NONAT
+ TGT_LOG
+ TGT_CONTINUE
+ TGT_COUNT
+ TGT_QUEUE
+ TGT_NFQUEUE
+ TGT_ADD
+ TGT_DEL
+ TGT_REDIRECT
 )
 ],
 );
@@ -266,6 +280,38 @@ use constant { STANDARD => 1, #defined by Netfilter
 # Valid Targets -- value is a combination of one or more of the above
 #
 our %targets;
+
+#
+# Shorewall-defined targets
+#
+
+use constant { TGT_ACCEPT => 1,
+ TGT_REJECT => 2,
+ TGT_DROP => 3,
+ TGT_NONAT => 4,
+ TGT_LOG => 5,
+ TGT_CONTINUE => 6,
+ TGT_COUNT => 7,
+ TGT_QUEUE => 8,
+ TGT_NFQUEUE => 9,
+ TGT_ADD => 10,
+ TGT_DEL => 11,
+ TGT_REDIRECT => 12,
+ };
+
+our %shorewall_targets = ( ACCEPT => TGT_ACCEPT,
+ REJECT => TGT_REJECT,
+ DROP => TGT_DROP,
+ NONAT => TGT_NONAT,
+ LOG => TGT_LOG,
+ CONTINUE => TGT_CONTINUE,
+ COUNT => TGT_COUNT,
+ QUEUE => TGT_QUEUE,
+ NFQUEUE => TGT_NFQUEUE,
+ ADD => TGT_ADD,
+ DEL => TGT_DEL,
+ REDIRECT => TGT_REDIRECT,
+ );
 #
 # expand_rule() restrictions
 #
@@ -404,6 +450,17 @@ sub initialize( $ ) {
 #
 }
+#
+# Lookup a standard action
+#
+sub lookup_shorewall_action( $ ) {
+ my $target = shift;
+
+ $target =~ s/[-+!]$//;
+
+ $shorewall_targets{ $target };
+}
+
 #
 # Process a COMMENT line (in $currentline)
 #
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index c31a78f7f..48dd75915 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
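Review bot: The TGT_* codes in the new `use constant` block start at 1, and nothing records that this is load-bearing: process_rule1 in Rules.pm tests the value returned by lookup_shorewall_action() for truth, so a code of 0 would silently be treated as "not a Shorewall target". Add `# Codes start at 1: lookup_shorewall_action() returns undef for unknown targets and callers test its result for truth` above the block. `%shorewall_targets` is also exported as a writable `our` hash; a sentence in its comment stating that it is a fixed lookup table, not to be modified after load, would make the contract explicit for the other modules that now import it.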
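Review bot: `lookup_shorewall_action` does not say what it returns or why it strips one trailing character, and its name ("action") disagrees with the table it reads (`%shorewall_targets`) and the TGT_* constants. The header comment should read `# Look up a Shorewall-defined target: returns its TGT_* code, or undef if the name is not in %shorewall_targets. A single trailing '+', '-' or '!' modifier is ignored.` In `s/[-+!]$//` the `$` anchor also matches before a trailing newline, whereas `\z` means end of string; on config-derived names this is unlikely to matter, but `$target =~ s/[-+!]\z//;` states the intent. An explicit `return $shorewall_targets{ $target };` reads more clearly than relying on the last-expression value.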
@@ -1020,31 +1020,33 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 #
 my $log_action = $action;
- if ( $actiontype & REDIRECT ) {
- my $z = $actiontype & NATONLY ? '' : firewall_zone;
- if ( $dest eq '-' ) {
- $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
- } elsif ( $inaction ) {
- $dest = ":$dest";
- } else {
- $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
- }
- } elsif ( $action eq 'REJECT' ) {
- $action = 'reject';
- } elsif ( $action eq 'CONTINUE' ) {
- $action = 'RETURN';
- } elsif ( $action eq 'COUNT' ) {
- $action = '';
- } elsif ( $actiontype & LOGRULE ) {
- fatal_error 'LOG requires a log level' unless defined $loglevel and $loglevel ne '';
- } elsif ( $actiontype & SET ) {
- my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
+ if ( my $shorewall_target = lookup_shorewall_action( $basictarget ) ) {
+ if ( $shorewall_target == TGT_REDIRECT ) {
+ my $z = $actiontype & NATONLY ? '' : firewall_zone;
+ if ( $dest eq '-' ) {
+ $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
+ } elsif ( $inaction ) {
+ $dest = ":$dest";
+ } else {
+ $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
+ }
+ } elsif ( $shorewall_target == TGT_REJECT ) {
+ $action = 'reject';
+ } elsif ( $shorewall_target == TGT_CONTINUE ) {
+ $action = 'RETURN';
+ } elsif ( $shorewall_target == TGT_COUNT ) {
+ $action = '';
+ } elsif ( $shorewall_target == TGT_LOG ) {
+ fatal_error 'LOG requires a log level' unless defined $loglevel and $loglevel ne '';
+ } elsif ( $actiontype & SET ) {
+ my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
- my ( $setname, $flags, $rest ) = split ':', $param, 3;
- fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
- fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/;
- fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
- $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
+ my ( $setname, $flags, $rest ) = split ':', $param, 3;
+ fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
+ fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/;
+ fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
+ $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
+ }
 }
 #
 # Isolate and validate source and destination zones
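Review bot: Replacing `elsif ( $actiontype & LOGRULE )` with `$shorewall_target == TGT_LOG` narrows the "LOG requires a log level" check to the literal LOG target, and the whole chain now runs only when lookup_shorewall_action() finds $basictarget in %shorewall_targets; any other %targets entry that carries the LOGRULE (or REDIRECT) flag — ULOG/NFLOG, if the table marks them so, which is not visible here — silently loses the check. If that narrowing is intended, say so in a comment on the new `if`; otherwise keep a flag test outside the lookup-guarded block so flagged targets that are not in %shorewall_targets are still validated. The remaining `elsif ( $actiontype & SET )` is now reachable only for ADD/DEL and would read consistently with its siblings as `} elsif ( $shorewall_target == TGT_ADD || $shorewall_target == TGT_DEL ) {`. process_rule1 begins and ends outside the hunk.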