Make log action inheritance work

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1505 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-07-29 16:41:40 +00:00
parent 97ae6f3f5d
commit 9ef51b3ae7


@ -2786,6 +2786,8 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
eval ${action}_chains=\"\$${action}_chains $level $CHAIN\"
echo " *** Action $1:$2 is $CHAIN ***"
}
#
@ -2819,6 +2821,13 @@ find_logactionchain() # $1 = Action, including log level and tag if any
{
local fullaction=$1 action=${1%%:*} level= chains=
case $action in
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE)
echo $fullaction
return
;;
esac
case $fullaction in
*:*)
level=${fullaction#*:}
@ -3056,12 +3065,13 @@ process_actions2() {
changed=
for xaction in $USEDACTIONS; do
eval required=\"\$requiredby_${xaction#*:}\"
eval required=\"\$requiredby_${xaction%%:*}\"
for action in $required; do
if ! list_search $action $USEDACTIONS; then
USEDACTIONS="$USEDACTIONS $action"
createactionchain $action
action1=$(evaluate_levels $xaction $action)
if ! list_search $action1 $USEDACTIONS; then
USEDACTIONS="$USEDACTIONS $action1"
createactionchain $action1
changed=Yes
fi
done
@ -3070,15 +3080,15 @@ process_actions2() {
#
# Now process the relevant action files -- they were already stripped in process_actions1() above.
#
for xaction in $USEDACTIONS; do
xchain=$(find_logactionchain $xaction)
for xaction1 in $USEDACTIONS; do
xchain=$(find_logactionchain $xaction1)
set -- $(split $xaction)
set -- $(split $xaction1)
xlevel=$2
xtag=$3
case ${xaction%%:*} in
case ${xaction1%%:*} in
dropBcast)
if [ "$COMMAND" != check ]; then
if [ -n "$PKTTYPE" ]; then
@ -3095,10 +3105,10 @@ process_actions2() {
run_iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP
fi
else
drop_broadcasts
fi
fi
;;
dropNonSyn)
@ -3106,7 +3116,7 @@ process_actions2() {
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -p tcp ! -- syn
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP
fi
@ -3115,14 +3125,14 @@ process_actions2() {
dropNotSyn)
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -p tcp ! -- syn
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -p tcp ! --syn
run_iptables -A dropNotSyn -p tcp ! --syn -j DROP
fi
;;
rejNotSyn)
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -p tcp ! -- syn
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -p tcp ! --syn
run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
fi
;;
@ -3134,13 +3144,16 @@ process_actions2() {
fi
;;
*)
f=action.${xaction%%:*}
f=action.${xaction1%%:*}
fn=$(find_file $f)
xaction=$(find_logactionchain $xaction1)
echo "Processing $fn..."
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
xtarget=$(evaluate_levels $xaction $xtarget)
xaction=$(find_logactionchain $xaction)
xtarget=$(evaluate_levels $xaction1 $xtarget)
xtarget=$(find_logactionchain $xtarget)
do_it
done < $TMP_DIR/$f
;;