forked from extern/shorewall_code
Infrastructure for more powerful action handling
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
1b94c3651d
commit
cbbcfe355e
@ -53,7 +53,7 @@ our @EXPORT = qw(
|
||||
verify_audit
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our @EXPORT_OK = qw( initialize process_rule1 );
|
||||
our $VERSION = 'MODULEVERSION';
|
||||
#
|
||||
# Globals are documented in the initialize() function
|
||||
@ -608,7 +608,7 @@ sub process_policies()
|
||||
#
|
||||
# Policy Rule application
|
||||
#
|
||||
sub process_inline ($$$$$$$$$$$$$$$$$$$$);
|
||||
sub process_inline ($$$$$$$$$$$$$$$$$$$$$);
|
||||
|
||||
sub policy_rules( $$$$$ ) {
|
||||
my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
|
||||
@ -627,6 +627,7 @@ sub policy_rules( $$$$$ ) {
|
||||
|
||||
process_inline( $action, #Inline
|
||||
$chainref, #Chain
|
||||
'', #Matches
|
||||
$loglevel, #Log Level and Tag
|
||||
$default, #Target
|
||||
$param || '', #Param
|
||||
@ -1635,7 +1636,7 @@ sub process_actions() {
|
||||
|
||||
}
|
||||
|
||||
sub process_rule1 ( $$$$$$$$$$$$$$$$$$ );
|
||||
sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ );
|
||||
|
||||
#
|
||||
# Populate an action invocation chain. As new action tuples are encountered,
|
||||
@ -1690,6 +1691,7 @@ sub process_action($$) {
|
||||
}
|
||||
|
||||
process_rule1( $chainref,
|
||||
'',
|
||||
$nolog ? $target : merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $target ),
|
||||
'',
|
||||
$source,
|
||||
@ -1744,8 +1746,8 @@ sub use_policy_action( $$ ) {
|
||||
#
|
||||
# Expand a macro rule from the rules file
|
||||
#
|
||||
sub process_macro ($$$$$$$$$$$$$$$$$$$) {
|
||||
my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
|
||||
sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
|
||||
my ($macro, $chainref, $matches, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
|
||||
|
||||
my $generated = 0;
|
||||
|
||||
@ -1833,6 +1835,7 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
|
||||
|
||||
$generated |= process_rule1(
|
||||
$chainref,
|
||||
$matches,
|
||||
$mtarget,
|
||||
$param,
|
||||
$msource,
|
||||
@ -1865,8 +1868,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
|
||||
#
|
||||
# Expand an inline action rule from the rules file
|
||||
#
|
||||
sub process_inline ($$$$$$$$$$$$$$$$$$$$) {
|
||||
my ($inline, $chainref, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
|
||||
sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
|
||||
my ($inline, $chainref, $matches, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
|
||||
|
||||
my $generated = 0;
|
||||
|
||||
@ -1950,6 +1953,7 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$) {
|
||||
|
||||
$generated |= process_rule1(
|
||||
$chainref,
|
||||
$matches,
|
||||
$mtarget,
|
||||
$param,
|
||||
$msource,
|
||||
@ -2002,8 +2006,9 @@ sub verify_audit($;$$) {
|
||||
# reference is also passed when rules are being generated during processing of a macro used as a default action.
|
||||
#
|
||||
|
||||
sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
||||
sub process_rule1 ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise
|
||||
$rule, #Matches
|
||||
$target,
|
||||
$current_param,
|
||||
$source,
|
||||
@ -2024,13 +2029,13 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
||||
|
||||
my ( $action, $loglevel) = split_action $target;
|
||||
my ( $basictarget, $param ) = get_target_param $action;
|
||||
my $rule = '';
|
||||
my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 5 ) : 0;
|
||||
my $inaction = ''; # Set to true when we are process rules in an action file
|
||||
my $inchain = ''; # Set to true when a chain reference is passed.
|
||||
my $normalized_target;
|
||||
my $normalized_action;
|
||||
my $blacklist = ( $section == BLACKLIST_SECTION );
|
||||
my $matches = $rule;
|
||||
|
||||
if ( $inchain = defined $chainref ) {
|
||||
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
|
||||
@ -2059,6 +2064,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
||||
|
||||
my $generated = process_macro( $basictarget,
|
||||
$chainref,
|
||||
$rule,
|
||||
$target,
|
||||
$current_param,
|
||||
$source,
|
||||
@ -2405,6 +2411,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
||||
|
||||
my $generated = process_inline( $basictarget,
|
||||
$chainref,
|
||||
$rule,
|
||||
$loglevel,
|
||||
$target,
|
||||
$current_param,
|
||||
@ -2436,38 +2443,38 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
||||
# Either a DNAT, REDIRECT or ACCEPT+ rule or an Action with NAT;
|
||||
# don't apply rate limiting twice
|
||||
#
|
||||
$rule = join( '',
|
||||
do_proto($proto, $ports, $sports),
|
||||
do_user( $user ) ,
|
||||
do_test( $mark , $globals{TC_MASK} ) ,
|
||||
do_connlimit( $connlimit ),
|
||||
do_time( $time ) ,
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
);
|
||||
$rule .= join( '',
|
||||
do_proto($proto, $ports, $sports),
|
||||
do_user( $user ) ,
|
||||
do_test( $mark , $globals{TC_MASK} ) ,
|
||||
do_connlimit( $connlimit ),
|
||||
do_time( $time ) ,
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
);
|
||||
} elsif ( $section & ( INVALID_SECTION | RELATED_SECTION | UNTRACKED_SECTION ) ) {
|
||||
$rule = join( '',
|
||||
do_proto($proto, $ports, $sports),
|
||||
do_ratelimit( $ratelimit, $basictarget ) ,
|
||||
do_user( $user ) ,
|
||||
do_test( $mark , $globals{TC_MASK} ) ,
|
||||
do_connlimit( $connlimit ),
|
||||
do_time( $time ) ,
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
do_helper( $helper ) ,
|
||||
);
|
||||
$rule .= join( '',
|
||||
do_proto($proto, $ports, $sports),
|
||||
do_ratelimit( $ratelimit, $basictarget ) ,
|
||||
do_user( $user ) ,
|
||||
do_test( $mark , $globals{TC_MASK} ) ,
|
||||
do_connlimit( $connlimit ),
|
||||
do_time( $time ) ,
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
do_helper( $helper ) ,
|
||||
);
|
||||
} else {
|
||||
$rule = join( '',
|
||||
do_proto($proto, $ports, $sports),
|
||||
do_ratelimit( $ratelimit, $basictarget ) ,
|
||||
do_user( $user ) ,
|
||||
do_test( $mark , $globals{TC_MASK} ) ,
|
||||
do_connlimit( $connlimit ),
|
||||
do_time( $time ) ,
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
);
|
||||
$rule .= join( '',
|
||||
do_proto($proto, $ports, $sports),
|
||||
do_ratelimit( $ratelimit, $basictarget ) ,
|
||||
do_user( $user ) ,
|
||||
do_test( $mark , $globals{TC_MASK} ) ,
|
||||
do_connlimit( $connlimit ),
|
||||
do_time( $time ) ,
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
);
|
||||
}
|
||||
|
||||
unless ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ||
|
||||
@ -2534,6 +2541,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
||||
#
|
||||
unless ( $actiontype & NATONLY ) {
|
||||
$rule = join( '',
|
||||
$matches,
|
||||
do_proto( $proto, $ports, $sports ),
|
||||
do_ratelimit( $ratelimit, 'ACCEPT' ),
|
||||
do_user $user,
|
||||
@ -2745,6 +2753,7 @@ sub process_rule ( ) {
|
||||
for my $proto ( @protos ) {
|
||||
for my $user ( @users ) {
|
||||
$generated |= process_rule1( undef,
|
||||
'',
|
||||
$target,
|
||||
'',
|
||||
$source,
|
||||
|
||||
Loading…
Reference in New Issue
Block a user