holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Allow arbitrary actions for the various states.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-01-27 10:10:24 -08:00
parent a3a90d8d2e
commit aa609b87a9
4 changed files with 136 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -53,7 +53,7 @@ our @EXPORT = qw(
verify_audit verify_audit
); );
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( initialize process_rule1 );
our $VERSION = 'MODULEVERSION'; our $VERSION = 'MODULEVERSION';
# #
# Globals are documented in the initialize() function # Globals are documented in the initialize() function
@ -608,7 +608,7 @@ sub process_policies()
# #
# Policy Rule application # Policy Rule application
# #
sub process_inline ($$$$$$$$$$$$$$$$$$$$); sub process_inline ($$$$$$$$$$$$$$$$$$$$$);
sub policy_rules( $$$$$ ) { sub policy_rules( $$$$$ ) {
my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_; my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
@ -627,6 +627,7 @@ sub policy_rules( $$$$$ ) {
process_inline( $action, #Inline process_inline( $action, #Inline
$chainref, #Chain $chainref, #Chain
'', #Matches
$loglevel, #Log Level and Tag $loglevel, #Log Level and Tag
$default, #Target $default, #Target
$param || '', #Param $param || '', #Param
@ -1734,8 +1735,8 @@ sub use_policy_action( $$ ) {
# #
# Expand a macro rule from the rules file # Expand a macro rule from the rules file
# #
sub process_macro ($$$$$$$$$$$$$$$$$$$) { sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_; my ($macro, $chainref, $matches, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
my $generated = 0; my $generated = 0;
@ -1823,7 +1824,7 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
$generated |= process_rule1( $generated |= process_rule1(
$chainref, $chainref,
'', $matches,
$mtarget, $mtarget,
$param, $param,
$msource, $msource,
@ -1856,8 +1857,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
# #
# Expand an inline action rule from the rules file # Expand an inline action rule from the rules file
# #
sub process_inline ($$$$$$$$$$$$$$$$$$$$) { sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
my ($inline, $chainref, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_; my ($inline, $chainref, $matches, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
my $generated = 0; my $generated = 0;
@ -1941,7 +1942,7 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$) {
$generated |= process_rule1( $generated |= process_rule1(
$chainref, $chainref,
'', $matches,
$mtarget, $mtarget,
$param, $param,
$msource, $msource,
@ -2023,6 +2024,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
my $normalized_target; my $normalized_target;
my $normalized_action; my $normalized_action;
my $blacklist = ( $section == BLACKLIST_SECTION ); my $blacklist = ( $section == BLACKLIST_SECTION );
my $matches = $rule;
if ( $inchain = defined $chainref ) { if ( $inchain = defined $chainref ) {
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action}; ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@ -2051,6 +2053,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
my $generated = process_macro( $basictarget, my $generated = process_macro( $basictarget,
$chainref, $chainref,
$rule,
$target, $target,
$current_param, $current_param,
$source, $source,
@ -2397,6 +2400,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
my $generated = process_inline( $basictarget, my $generated = process_inline( $basictarget,
$chainref, $chainref,
$rule,
$loglevel, $loglevel,
$target, $target,
$current_param, $current_param,
@ -2428,38 +2432,38 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
# Either a DNAT, REDIRECT or ACCEPT+ rule or an Action with NAT; # Either a DNAT, REDIRECT or ACCEPT+ rule or an Action with NAT;
# don't apply rate limiting twice # don't apply rate limiting twice
# #
$rule = join( '', $rule .= join( '',
do_proto($proto, $ports, $sports), do_proto($proto, $ports, $sports),
do_user( $user ) , do_user( $user ) ,
do_test( $mark , $globals{TC_MASK} ) , do_test( $mark , $globals{TC_MASK} ) ,
do_connlimit( $connlimit ), do_connlimit( $connlimit ),
do_time( $time ) , do_time( $time ) ,
do_headers( $headers ) , do_headers( $headers ) ,
do_condition( $condition , $chain ) , do_condition( $condition , $chain ) ,
); );
} elsif ( $section & ( INVALID_SECTION | RELATED_SECTION | UNTRACKED_SECTION ) ) { } elsif ( $section & ( INVALID_SECTION | RELATED_SECTION | UNTRACKED_SECTION ) ) {
$rule = join( '', $rule .= join( '',
do_proto($proto, $ports, $sports), do_proto($proto, $ports, $sports),
do_ratelimit( $ratelimit, $basictarget ) , do_ratelimit( $ratelimit, $basictarget ) ,
do_user( $user ) , do_user( $user ) ,
do_test( $mark , $globals{TC_MASK} ) , do_test( $mark , $globals{TC_MASK} ) ,
do_connlimit( $connlimit ), do_connlimit( $connlimit ),
do_time( $time ) , do_time( $time ) ,
do_headers( $headers ) , do_headers( $headers ) ,
do_condition( $condition , $chain ) , do_condition( $condition , $chain ) ,
do_helper( $helper ) , do_helper( $helper ) ,
); );
} else { } else {
$rule = join( '', $rule .= join( '',
do_proto($proto, $ports, $sports), do_proto($proto, $ports, $sports),
do_ratelimit( $ratelimit, $basictarget ) , do_ratelimit( $ratelimit, $basictarget ) ,
do_user( $user ) , do_user( $user ) ,
do_test( $mark , $globals{TC_MASK} ) , do_test( $mark , $globals{TC_MASK} ) ,
do_connlimit( $connlimit ), do_connlimit( $connlimit ),
do_time( $time ) , do_time( $time ) ,
do_headers( $headers ) , do_headers( $headers ) ,
do_condition( $condition , $chain ) , do_condition( $condition , $chain ) ,
); );
} }
unless ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) || unless ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ||
@ -2526,6 +2530,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
# #
unless ( $actiontype & NATONLY ) { unless ( $actiontype & NATONLY ) {
$rule = join( '', $rule = join( '',
$matches,
do_proto( $proto, $ports, $sports ), do_proto( $proto, $ports, $sports ),
do_ratelimit( $ratelimit, 'ACCEPT' ), do_ratelimit( $ratelimit, 'ACCEPT' ),
do_user $user, do_user $user,

38
Shorewall/action.Invalid
View File

@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Invalid[([<action>|-[,{audit|-}])] # Invalid[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
@ -36,19 +36,41 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules qw( process_rule1 );
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action Invalid" if supplied $audit && $audit ne 'audit'; if ( supplied $audit ) {
fatal_error "Invalid parameter ($action) to action Invalid" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/; fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
$action = "A_$action";
}
my $chainref = get_action_chain; my ( $level, $tag ) = get_action_logging;
my ( $level, $tag ) = get_action_logging; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne ''; my $chainref = get_action_chain;
add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
process_rule1( $chainref, # Chainref
"$globals{STATEMATCH} INVALID ", # Rule
$action, # Target
'', # Current Param
'-', # Source
'-', # Dest
'-', # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
allow_optimize( $chainref ); allow_optimize( $chainref );

42
Shorewall/action.Related
View File

@ -1,11 +1,11 @@
# #
# Shorewall 4 - Invalid Action # Shorewall 4 - Related Action
# #
# /usr/share/shorewall/action.Related # /usr/share/shorewall/action.Related
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2013 - Tom Eastep (teastep@shorewall.net) # (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Related[([<action>|-[,{audit|-}])] # Related[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
@ -36,19 +36,41 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules qw( process_rule1 );
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Related parameter ($audit) to action Related" if supplied $audit && $audit ne 'audit'; if ( supplied $audit ) {
fatal_error "Related parameter ($action) to action Related" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/; fatal_error "Related parameter ($audit) to action Related" if $audit ne 'audit';
$action = "A_$action";
}
my $chainref = get_action_chain; my ( $level, $tag ) = get_action_logging;
my ( $level, $tag ) = get_action_logging; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'Related' , $action, '', $tag, 'add', "$globals{STATEMATCH} RELATED " if $level ne ''; my $chainref = get_action_chain;
add_jump $chainref , $target, 0, "$globals{STATEMATCH} RELATED ";
process_rule1( $chainref, # Chainref
"$globals{STATEMATCH} RELATED ", # Rule
$action, # Target
'', # Current Param
'-', # Source
'-', # Dest
'-', # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
allow_optimize( $chainref ); allow_optimize( $chainref );

40
Shorewall/action.Untracked
View File

@ -5,7 +5,7 @@
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2013 - Tom Eastep (teastep@shorewall.net) # (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Untracked[([<action>|-[,{audit|-}])] # Untracked[([<action>])]
# #
# Default action is DROP # Default action is DROP
# #
@ -36,19 +36,41 @@ DEFAULTS DROP,-
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Chains; use Shorewall::Chains;
use Shorewall::Rules qw( process_rule1 );
my ( $action, $audit ) = get_action_params( 2 ); my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Untracked parameter ($audit) to action Untracked" if supplied $audit && $audit ne 'audit'; if ( supplied $audit ) {
fatal_error "Untracked parameter ($action) to action Untracked" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/; fatal_error "Untracked parameter ($audit) to action Untracked" if $audit ne 'audit';
$action = "A_$action";
}
my $chainref = get_action_chain; my ( $level, $tag ) = get_action_logging;
my ( $level, $tag ) = get_action_logging; $action = join( ':', $action, $level, $tag ) if "${level}${tag}";
my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'Untracked' , $action, '', $tag, 'add', "$globals{STATEMATCH} UNTRACKED " if $level ne ''; my $chainref = get_action_chain;
add_jump $chainref , $target, 0, "$globals{STATEMATCH} UNTRACKED ";
process_rule1( $chainref, # Chainref
"$globals{STATEMATCH} UNTRACKED ", # Rule
$action, # Target
'', # Current Param
'-', # Source
'-', # Dest
'-', # Proto
'-', # Port(s)
'-', # Source Port(s)
'-', # Original Dest
'-', # Rate Limit
'-', # User
'-', # Mark
'-', # Connlimit
'-', # Time
'-', # Headers,
'-', # condition,
'-', # helper,
0, # Wildcard
);
allow_optimize( $chainref ); allow_optimize( $chainref );