Add DNSAmp action

- Allow escaping '@' allowing u32 in action body - Allow inline matches in actions Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-08-03 15:11:25 -07:00 · 2014-08-03 15:11:25 -07:00 · a2f1c57246
commit a2f1c57246
parent fd42fa9f74
5 changed files with 67 additions and 24 deletions
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@ -280,42 +280,42 @@ sub generate_script_2() {

    if ( $global_variables ) {

-	emit( 'case $COMMAND in' );
-
-	push_indent;
-
 	if ( $global_variables & NOT_RESTORE ) {
-	    emit( 'start|restart|refresh|disable|enable|run)' );
-	} else {
-	    emit( 'start|restart|refresh|disable|enable|restore|run)' );
-	}

-	push_indent;
+	    emit( 'case $COMMAND in' );

-	set_global_variables(1);
-
-	handle_optional_interfaces(0);
-
-	emit ';;';
-
-	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-	    pop_indent;
+	    push_indent;

 	    emit 'restore)';

 	    push_indent;

-	    set_global_variables(0);
+	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {

-	    handle_optional_interfaces(0);
+		set_global_variables(0);
+
+		handle_optional_interfaces(0);
+	    }

 	    emit ';;';
+
+	    pop_indent;
+
+	    emit '*)';
+
+	    push_indent;
 	}

-	pop_indent;
-	pop_indent;
+	set_global_variables(1);

-	emit ( 'esac' ) ,
+	handle_optional_interfaces(0);
+
+	if ( $global_variables & NOT_RESTORE ) {
+	    emit ';;';
+	    pop_indent;
+	    pop_indent;
+	    emit ( 'esac' );
+	}
    } else {
 	emit( 'true' ) unless handle_optional_interfaces(1);
    }
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -3260,6 +3260,10 @@ sub expand_variables( \$ ) {
    }

    if ( $actparms{0} ) {
+	#
+	# Allow escaping at signs (@) for u32
+	#
+	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
 	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
@ -3268,6 +3272,8 @@ sub expand_variables( \$ ) {
 	    $$lineref = join( '', $first , $val , $rest );
 	    fatal_error "Variable Expansion Loop" if ++$count > 100;
 	}
+
+	$$lineref =~ s/??/@/g;
    }
 }

--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1673,9 +1673,11 @@ sub process_action($$) {
 	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	} else {
 	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-		= split_line1( 'action file',
+		= split_line2( 'action file',
 			       \%rulecolumns,
-			       $action_commands );
+			       $action_commands,
+			       undef,
+			       1 );
 	}

 	fatal_error 'TARGET must be specified' if $target eq '-';
--- a/Shorewall/action.DNSAmp
+++ b/Shorewall/action.DNSAmp
@ -0,0 +1,34 @@
+#
+# Shorewall 4 - DNS Amplification Action
+#
+#    /usr/share/shorewall/action.DNSAmp
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   DNSAmp[([<action>])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+?format 2
+
+DEFAULTS DROP
+
+IPTABLES(@1)	-	-	udp	53	; -m u32 --u32 "0>>22&0x3C\@8&0x0100=0x0100 && 0>>22&0x3C\@12>>16=1"
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@ -31,6 +31,7 @@ allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
 Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
+DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets