From a2f1c5724660f3937da0e010cdf88ea70fb6d1e8 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 3 Aug 2014 15:11:25 -0700
Subject: [PATCH] Add DNSAmp action

- Allow escaping '@' allowing u32 in action body
- Allow inline matches in actions

Signed-off-by: Tom Eastep
---
Shorewall/Perl/Shorewall/Compiler.pm | 44 ++++++++++++++--------------
Shorewall/Perl/Shorewall/Config.pm | 6 ++++
Shorewall/Perl/Shorewall/Rules.pm | 6 ++--
Shorewall/action.DNSAmp | 34 +++++++++++++++++++++
Shorewall/actions.std | 1 +
5 files changed, 67 insertions(+), 24 deletions(-)
create mode 100644 Shorewall/action.DNSAmp

diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index f0b96abe3..a0ce20821 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -280,42 +280,42 @@ sub generate_script_2() {
 if ( $global_variables ) {
- emit( 'case $COMMAND in' );
-
- push_indent;
- if ( $global_variables & NOT_RESTORE ) {
- emit( 'start|restart|refresh|disable|enable|run)' );
- } else {
- emit( 'start|restart|refresh|disable|enable|restore|run)' );
- }
- push_indent;
+ emit( 'case $COMMAND in' );
- set_global_variables(1);
-
- handle_optional_interfaces(0);
-
- emit ';;';
-
- if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
- pop_indent;
+ push_indent;
 emit 'restore)';
 push_indent;
- set_global_variables(0);
+ if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
- handle_optional_interfaces(0);
+ set_global_variables(0);
+
+ handle_optional_interfaces(0);
+ }
 emit ';;';
+
+ pop_indent;
+
+ emit '*)';
+
+ push_indent;
 }
- pop_indent;
- pop_indent;
+ set_global_variables(1);
- emit ( 'esac' ) ,
+ handle_optional_interfaces(0);
+
+ if ( $global_variables & NOT_RESTORE ) {
+ emit ';;';
+ pop_indent;
+ pop_indent;
+ emit ( 'esac' );
+ }
 } else {
 emit( 'true' ) unless handle_optional_interfaces(1);
 }
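Review bot: On the new side the `restore)` arm is emitted empty whenever `$global_variables != ( ALL_COMMANDS | NOT_RESTORE )`, whereas the removed code listed `restore` in the common `start|...|restore|run)` pattern when NOT_RESTORE was clear, so a restore with NOT_RESTORE clear would no longer reach `set_global_variables(1)` unless the whole `case` emission is itself guarded by a `$global_variables & NOT_RESTORE` test. Once the `}` after `push_indent;` is counted, the later `} else {` has no matching `if` visible in this collapsed hunk, which suggests such a guard line (`if ( $global_variables & NOT_RESTORE ) {`) exists but was lost in this view; confirm against the file rather than trusting the hunk as rendered. Either way the three emitted shapes (restore-only arm, catch-all `*)` arm, no `case` at all) deserve a comment above `emit '*)';`, e.g. `# every other command, plus restore when it needs no separate variable setup`. `generate_script_2` starts before this hunk.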
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 6ded5b838..029afc813 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3260,6 +3260,10 @@ sub expand_variables( \$ ) {
 }
 if ( $actparms{0} ) {
+ #
+ # Allow escaping at signs (@) for u32
+ #
+ $$lineref =~ s/\\@/??/g;
 # $1 $2 $3 - $4
 while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -3268,6 +3272,8 @@ sub expand_variables( \$ ) {
 $$lineref = join( '', $first , $val , $rest );
 fatal_error "Variable Expansion Loop" if ++$count > 100;
 }
+
+ $$lineref =~ s/??/@/g;
 }
 }
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index e00c94a5d..59b624fae 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1673,9 +1673,11 @@ sub process_action($$) {
 $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 } else {
 ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
- = split_line1( 'action file',
+ = split_line2( 'action file',
 \%rulecolumns,
- $action_commands );
+ $action_commands,
+ undef,
+ 1 );
 }
 fatal_error 'TARGET must be specified' if $target eq '-';
diff --git a/Shorewall/action.DNSAmp b/Shorewall/action.DNSAmp
new file mode 100644
index 000000000..f0b795c80
--- /dev/null
+++ b/Shorewall/action.DNSAmp
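Review bot: The `??` sentinel chosen in `$$lineref =~ s/\\@/??/g;` is not reserved: a `??` typed deliberately in an action line (iptables string match text, a comment) is indistinguishable from an escaped `@` once the post-expansion restore in this same function turns every `??` back into `@`, so such text is silently rewritten. A character that cannot appear in a rule line, e.g. `s/\\@/\x01/g` paired with `s/\x01/@/g`, makes the escape lossless. The comment should also say why the escape exists and that it is only honoured here, inside an action body: `# \@ hides a literal @ (u32 offsets such as 0>>22&0x3C@8) from the @N/@{var} expansion below; outside actions it is left untouched`. `expand_variables` starts before this hunk.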
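Review bot: `$$lineref =~ s/??/@/g;` is not a valid pattern as written: `?` is a quantifier, and `??` at the start of a regex has nothing to quantify, which Perl rejects at compile time ("Quantifier follows nothing"), so Config.pm would fail to load unless the backslashes were lost in this rendering. The metacharacters need escaping, `$$lineref =~ s/\?\?/@/g;`, and the surrounding comment should name the pairing, e.g. `# restore the @ signs hidden as ?? before parameter expansion`. Placing the restore after the `while` loop is right, since the loop must not see the hidden `@`. `expand_variables` starts before this hunk.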
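Review bot: The two new positional arguments to `split_line2`, `undef, 1`, say nothing about what they enable; the commit message indicates the `1` turns on inline matches (text after `;`) in action files, but `split_line2`'s parameter list is outside this hunk, so a reader of the call cannot tell. A trailing comment on the call, e.g. `1 ); # accept inline matches (text after ';') in action files`, once the fourth argument's meaning is confirmed, would make it self-describing. Because an inline match is handed to iptables verbatim, the action-file documentation should state that the compiler does not validate text after `;`. `process_action` starts before and ends after this hunk.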
@@ -0,0 +1,34 @@
+#
+# Shorewall 4 - DNS Amplification Action
+#
+# /usr/share/shorewall/action.DNSAmp
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# DNSAmp[([])]
+#
+# Default action is DROP
+#
+##########################################################################################
+?format 2
+
+DEFAULTS DROP
+
+IPTABLES(@1) - - udp 53 ; -m u32 --u32 "0>>22&0x3C\@8&0x0100=0x0100 && 0>>22&0x3C\@12>>16=1"
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index 41b5f779d..0926e6d95 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -31,6 +31,7 @@ allowInvalid inline # Accepts packets in the INVALID conntrack state
 AutoBL noinline # Auto-blacklist IPs that exceed thesholds
 AutoBLL noinline # Helper for AutoBL
 Broadcast noinline # Handles Broadcast/Multicast/Anycast
+DNSAmp # Matches one-question recursive DNS queries
 Drop # Default Action for DROP policy
 dropInvalid inline # Drops packets in the INVALID conntrack state
 DropSmurfs noinline # Drop smurf packets
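Review bot: The u32 expression tests only the RD flag (`&0x0100=0x0100`) and QDCOUNT (`@12>>16=1`), never the QR bit, so a DNS response arriving on udp/53 matches as well (responses copy RD from the query); if queries are the intent, the same test can widen the mask to `"0>>22&0x3C\@8&0x8100=0x0100 && 0>>22&0x3C\@12>>16=1"` so that QR=0 is required too. The usage line `# DNSAmp[([])]` has an empty parameter slot and the header carries `(c) 2011,2012` on a file created in 2014, so the comment block should state what `@1` is, e.g. `# DNSAmp[([<action>])] - <action> is applied to matching packets, default DROP`. It is also worth saying in the header that this matches every single-question recursion-desired UDP query, not just amplification payloads, so it suits authoritative-only servers or needs a SOURCE restriction in front of a resolver, that the `0>>22&0x3C` offset decodes an IPv4 header only, and that the `\@` escape relies on the Config.pm change in this same commit.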