holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Avoid embedded Perl in the Broadcast action when ADDRTYPE is available

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-03-14 15:57:32 -07:00
parent 901c6d34f6
commit bd2295c4c3
2 changed files with 16 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
Shorewall/action.Broadcast
View File

@ -30,44 +30,32 @@
DEFAULTS DROP,-
?if __ADDRTYPE
@1 - - - ;; -m addrtype --dst-type BROADCAST
@1 - - - ;; -m addrtype --dst-type MULTICAST
@1 - - - ;; -m addrtype --dst-type ANYCAST
?else
?begin perl;
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
my ( $action, $audit ) = get_action_params( 2 );
fatal_error "Invalid parameter ($audit) to action Broadcast" if supplied $audit && $audit ne 'audit';
fatal_error "Invalid parameter ($action) to action Broadcast" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
my ( $action ) = get_action_params( 1 );
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit );
if ( have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
}
add_commands $chainref, 'for address in $ALL_BCASTS; do';
incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
add_jump $chainref, $action, 0, "-d \$address ";
decr_cmd_level $chainref;
add_commands $chainref, 'done';
add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
} else {
add_commands $chainref, 'for address in $ALL_BCASTS; do';
incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
add_jump $chainref, $target, 0, "-d \$address ";
decr_cmd_level $chainref;
add_commands $chainref, 'done';
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
}
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
1;
?end perl;
?endif

2
Shorewall/actions.std
View File

@ -27,7 +27,7 @@ A_Reject # Audited Default action for REJECT policy
allowInvalid inline # Accepts packets in the INVALID conntrack state
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL
Broadcast noinline # Handles Broadcast/Multicast/Anycast
Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast
DNSAmp # Matches one-question recursive DNS queries
Drop # Default Action for DROP policy
dropInvalid inline # Drops packets in the INVALID conntrack state