Allow overriding 'inline' on some standard actions.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2012-11-28 15:03:08 -08:00 · 2012-11-28 15:03:08 -08:00 · bff91cd325
commit bff91cd325
parent 8006d150f1
9 changed files with 140 additions and 19 deletions
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1464,7 +1464,7 @@ my %builtinops = ( 'dropBcast'      => \&dropBcast,
 # This function is called prior to processing of the policy file. It:
 #
 # - Adds the builtin actions to the target table
-# - Reads actions.std and actions (in that order) and for each entry:
+# - Reads actions and actions.std (in that order) and for each entry:
 #   o Adds the action to the target table
 #   o Verifies that the corresponding action file exists
 #
@ -1477,7 +1477,7 @@ sub process_actions() {
    #
    $targets{$_} = new_action( $_ , ACTION + BUILTIN ) for @builtins;

-    for my $file ( qw/actions.std actions/ ) {
+    for my $file ( qw/actions actions.std/ ) {
 	open_file $file;

 	while ( read_a_line( NORMAL_READ ) ) {
@ -1513,8 +1513,6 @@ sub process_actions() {
 	}
    }

-    my $ref;
-
 }

 sub process_rule1 ( $$$$$$$$$$$$$$$$$$ );
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@ -43,6 +43,9 @@ fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audi
 fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;

 my $chainref           = get_action_chain;
+
+fatal_error "The Broadcast Action may not be invoked in-line" unless $chainref->{action};
+
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );

--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@ -22,6 +22,9 @@ use Shorewall::Rules;
 my ( $audit ) = get_action_params( 1 );

 my $chainref        = get_action_chain;
+
+fatal_error "The DropSmurfs Action may not be invoked in-line" unless $chainref->{action};
+
 my ( $level, $tag ) = get_action_logging;
 my $target;

--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@ -43,6 +43,9 @@ fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit
 fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;

 my $chainref         = get_action_chain;
+
+fatal_error "The Invalid Action may not be invoked in-line" unless $chainref->{action};
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );

--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@ -43,6 +43,9 @@ fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit &
 fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;

 my $chainref         = get_action_chain;
+
+fatal_error "The NotSyn Action may not be invoked in-line" unless $chainref->{action};
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );

--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@ -42,6 +42,9 @@ fatal_error "Invalid parameter ($audit) to action RST"   if supplied $audit && $
 fatal_error "Invalid parameter ($action) to action RST"  unless $action =~ /^(?:ACCEPT|DROP)$/;

 my $chainref         = get_action_chain;
+
+fatal_error "The RST Action may not be invoked in-line" unless $chainref->{action};
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );

--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@ -21,6 +21,9 @@ use Shorewall::Chains;
 my ( $disposition, $audit ) = get_action_params( 2 );

 my $chainref        = get_action_chain;
+
+fatal_error "The TCPFlags Action may not be invoked in-line" unless $chainref->{action};
+
 my ( $level, $tag ) = get_action_logging;

 fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@ -28,11 +28,63 @@
    the iptables rules to be performed in an ACTION in
    /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>

-    <para>ACTION names should begin with an upper-case letter to distinguish
-    them from Shorewall-generated chain names and be composed of letters,
-    digits or numbers. If you intend to log from the action then the name must
-    be no longer than 11 characters in length if you use the standard
-    LOGFORMAT.</para>
+    <para>Columns are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>NAME</term>
+
+        <listitem>
+          <para>The name of the action. ACTION names should begin with an
+          upper-case letter to distinguish them from Shorewall-generated chain
+          names and be composed of letters, digits or numbers. If you intend
+          to log from the action then the name must be no longer than 11
+          characters in length if you use the standard LOGFORMAT.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>OPTIONS</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.10. Available actions are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>inline</term>
+
+              <listitem>
+                <para>Causes the action body (defined in
+                action.<replaceable>action-name</replaceable>) to be expanded
+                in-line like a macro rather than in its own chain. You can
+                list Shorewall Standard Actions in this file to specify the
+                <option>inline</option> option.</para>
+
+                <caution>
+                  <para>Some of the Shorewall standard actions cannot be used
+                  in-line and will generate a compiler error if you try to use
+                  them that way:</para>
+
+                  <simplelist>
+                    <member>Broadcast</member>
+
+                    <member>DropSmurfs</member>
+
+                    <member>Invalid</member>
+
+                    <member>NotSyn</member>
+
+                    <member>RST</member>
+
+                    <member>TCPFlags</member>
+                  </simplelist>
+                </caution>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+    </variablelist>
  </refsect1>

  <refsect1>
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@ -28,11 +28,63 @@
    the ip6tables rules to be performed in an ACTION in
    /etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>

-    <para>ACTION names should begin with an upper-case letter to distinguish
-    them from Shorewall-generated chain names and be composed of letters,
-    digits or numbers. If you intend to log from the action then the name must
-    be no longer than 11 characters in length if you use the standard
-    LOGFORMAT.</para>
+    <para>Columns are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>NAME</term>
+
+        <listitem>
+          <para>The name of the action. ACTION names should begin with an
+          upper-case letter to distinguish them from Shorewall-generated chain
+          names and be composed of letters, digits or numbers. If you intend
+          to log from the action then the name must be no longer than 11
+          characters in length if you use the standard LOGFORMAT.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>OPTIONS</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.10. Available actions are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>inline</term>
+
+              <listitem>
+                <para>Causes the action body (defined in
+                action.<replaceable>action-name</replaceable>) to be expanded
+                in-line like a macro rather than in its own chain. You can
+                list Shorewall Standard Actions in this file to specify the
+                <option>inline</option> option.</para>
+
+                <caution>
+                  <para>Some of the Shorewall standard actions cannot be used
+                  in-line and will generate a compiler error if you try to use
+                  them that way:</para>
+
+                  <simplelist>
+                    <member>Broadcast</member>
+
+                    <member>DropSmurfs</member>
+
+                    <member>Invalid</member>
+
+                    <member>NotSyn</member>
+
+                    <member>RST</member>
+
+                    <member>TCPFlags</member>
+                  </simplelist>
+                </caution>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+    </variablelist>
  </refsect1>

  <refsect1>
@ -49,10 +101,11 @@

    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
-    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-rtrules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>