forked from extern/shorewall_code
Compare commits
48 Commits
5.0.7-Beta
...
5.0.7-Base
| Author | SHA1 | Date | |
|---|---|---|---|
|
89adc3ea68 | ||
|
|
ad87d94e33 | ||
|
|
8a6941707a | ||
|
|
0b049a55e0 | ||
|
|
f86abf9552 | ||
|
|
9fe1a34412 | ||
|
|
abe533b6e3 | ||
|
|
1c3140789c | ||
|
|
0399a346d0 | ||
|
|
6ed3861d76 | ||
|
|
7a18847c14 | ||
|
|
273c89a753 | ||
|
|
2bebf1c95a | ||
|
|
18573037f9 | ||
|
|
818628138b | ||
|
|
2adec0eb65 | ||
|
|
6ae94767b7 | ||
|
|
9f26c010ac | ||
|
|
9ab2310dc8 | ||
|
|
0b5d59870b | ||
|
|
c9c5f0174c | ||
|
|
5fc391cb58 | ||
|
|
da0653cb2f | ||
|
|
65ce6ed226 | ||
|
|
eb9dd3e485 | ||
|
|
796f191d48 | ||
|
|
71c26beab4 | ||
|
|
6f04902963 | ||
|
|
bd2295c4c3 | ||
|
|
901c6d34f6 | ||
|
|
741da14789 | ||
|
|
34c3828b7c | ||
|
|
eed7692952 | ||
|
|
3c544b20e6 | ||
|
|
dd547c90a8 | ||
|
|
35fac8c2ea | ||
|
|
513b828788 | ||
|
|
28e0cb5335 | ||
|
|
c631173310 | ||
|
|
95da427ea8 | ||
|
|
2c14b7c9e3 | ||
|
|
8e7af2e95e | ||
|
|
6be4fd377f | ||
|
|
44c0bffcd3 | ||
|
|
2c3644a510 | ||
|
|
407bc8f8db | ||
|
|
2743a411ae | ||
|
|
1a23e840d7 |
@@ -922,23 +922,10 @@ show_events() {
|
||||
}
|
||||
|
||||
show_actions() {
|
||||
echo "A_ACCEPT # Audit and accept the connection"
|
||||
echo "A_DROP # Audit and drop the connection"
|
||||
echo "A_REJECT # Audit and reject the connection "
|
||||
echo "allowBcast # Silently Allow Broadcast/multicast"
|
||||
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
|
||||
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
|
||||
echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
|
||||
echo "dropBcast # Silently Drop Broadcast/multicast"
|
||||
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
|
||||
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
|
||||
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
|
||||
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
|
||||
|
||||
if [ -f ${g_confdir}/actions ]; then
|
||||
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
|
||||
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
|
||||
else
|
||||
grep -Ev '^\#|^$' ${g_sharedir}/actions.std
|
||||
grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
@@ -647,7 +647,7 @@ our %ipset_exists;
|
||||
# => CMD_MODE if the rule contains a shell command or if it
|
||||
# part of a loop or conditional block. If it is a
|
||||
# shell command, the text of the command is in
|
||||
# the cmd
|
||||
# the cmd member
|
||||
# cmd => Shell command, if mode == CMD_MODE and cmdlevel == 0
|
||||
# cmdlevel => nesting level within loops and conditional blocks.
|
||||
# determines indentation
|
||||
@@ -2908,40 +2908,42 @@ sub initialize_chain_table($) {
|
||||
%targets = ('ACCEPT' => STANDARD,
|
||||
'ACCEPT+' => STANDARD + NONAT,
|
||||
'ACCEPT!' => STANDARD,
|
||||
'ADD' => STANDARD + SET,
|
||||
'AUDIT' => STANDARD + AUDIT + OPTIONS,
|
||||
'A_ACCEPT' => STANDARD + AUDIT,
|
||||
'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
|
||||
'A_ACCEPT!' => STANDARD + AUDIT,
|
||||
'NONAT' => STANDARD + NONAT + NATONLY,
|
||||
'AUDIT' => STANDARD + AUDIT + OPTIONS,
|
||||
'DROP' => STANDARD,
|
||||
'DROP!' => STANDARD,
|
||||
'A_DROP' => STANDARD + AUDIT,
|
||||
'A_DROP!' => STANDARD + AUDIT,
|
||||
'REJECT' => STANDARD + OPTIONS,
|
||||
'REJECT!' => STANDARD + OPTIONS,
|
||||
'A_REJECT' => STANDARD + AUDIT,
|
||||
'A_REJECT!' => STANDARD + AUDIT,
|
||||
'DNAT' => NATRULE + OPTIONS,
|
||||
'DNAT-' => NATRULE + NATONLY,
|
||||
'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
|
||||
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
|
||||
'LOG' => STANDARD + LOGRULE + OPTIONS,
|
||||
'NONAT' => STANDARD + NONAT + NATONLY,
|
||||
'CONNMARK' => STANDARD + OPTIONS,
|
||||
'CONTINUE' => STANDARD,
|
||||
'CONTINUE!' => STANDARD,
|
||||
'COUNT' => STANDARD,
|
||||
'QUEUE' => STANDARD + OPTIONS,
|
||||
'QUEUE!' => STANDARD,
|
||||
'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
|
||||
'NFQUEUE' => STANDARD + NFQ + OPTIONS,
|
||||
'NFQUEUE!' => STANDARD + NFQ,
|
||||
'ULOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
|
||||
'ADD' => STANDARD + SET,
|
||||
'DEL' => STANDARD + SET,
|
||||
'WHITELIST' => STANDARD,
|
||||
'DNAT' => NATRULE + OPTIONS,
|
||||
'DNAT-' => NATRULE + NATONLY,
|
||||
'DROP' => STANDARD,
|
||||
'DROP!' => STANDARD,
|
||||
'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
|
||||
'INLINE' => INLINERULE,
|
||||
'IPTABLES' => IPTABLES,
|
||||
'LOG' => STANDARD + LOGRULE + OPTIONS,
|
||||
'MARK' => STANDARD + OPTIONS,
|
||||
'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
|
||||
'NFQUEUE' => STANDARD + NFQ + OPTIONS,
|
||||
'NFQUEUE!' => STANDARD + NFQ,
|
||||
'QUEUE' => STANDARD + OPTIONS,
|
||||
'QUEUE!' => STANDARD,
|
||||
'REJECT' => STANDARD + OPTIONS,
|
||||
'REJECT!' => STANDARD + OPTIONS,
|
||||
'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
|
||||
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
|
||||
'TARPIT' => STANDARD + TARPIT + OPTIONS,
|
||||
'ULOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
|
||||
'WHITELIST' => STANDARD,
|
||||
);
|
||||
|
||||
for my $chain ( qw(OUTPUT PREROUTING) ) {
|
||||
@@ -7537,7 +7539,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
|
||||
log_irule_limit( $loglevel ,
|
||||
$echainref ,
|
||||
$chain ,
|
||||
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
$actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
[] ,
|
||||
$logtag ,
|
||||
'add' ,
|
||||
@@ -7584,7 +7586,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
||||
|
||||
my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) =
|
||||
( '', '', '', '', '', '', '', '', '', '' );
|
||||
my $chain = $actparms{chain} || $chainref->{name};
|
||||
my $chain = $actparams{chain} || $chainref->{name};
|
||||
my $table = $chainref->{table};
|
||||
my ( $jump, $mac, $targetref, $basictarget );
|
||||
our @ends = ();
|
||||
@@ -7758,22 +7760,22 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
||||
$loglevel ,
|
||||
$chainref ,
|
||||
$chain,
|
||||
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
$actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
'' ,
|
||||
$logtag ,
|
||||
'add' ,
|
||||
$matches
|
||||
$prerule . $matches
|
||||
);
|
||||
} elsif ( $logname || $basictarget eq 'RETURN' ) {
|
||||
log_rule_limit(
|
||||
$loglevel ,
|
||||
$chainref ,
|
||||
$logname || $chain,
|
||||
$actparms{disposition} || $disposition,
|
||||
$actparams{disposition} || $disposition,
|
||||
'',
|
||||
$logtag,
|
||||
'add',
|
||||
$matches );
|
||||
$prerule . $matches );
|
||||
|
||||
if ( $targetref ) {
|
||||
add_expanded_jump( $chainref, $targetref, 0, $matches );
|
||||
@@ -7790,10 +7792,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
||||
$loglevel,
|
||||
$logtag,
|
||||
$exceptionrule,
|
||||
$actparms{disposition} || $disposition,
|
||||
$actparams{disposition} || $disposition,
|
||||
$target ),
|
||||
$terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
|
||||
$matches );
|
||||
$prerule . $matches );
|
||||
}
|
||||
|
||||
conditional_rule_end( $chainref ) if $cond3;
|
||||
@@ -8621,18 +8623,20 @@ sub preview_netfilter_load() {
|
||||
assert( $chainref->{cmdlevel} == 0 , $name );
|
||||
if ( $name =~ /^DOCKER/ ) {
|
||||
if ( $name eq 'DOCKER' ) {
|
||||
enter_cmd_mode;
|
||||
enter_cmd_mode1;
|
||||
print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
|
||||
enter_cat_mode;
|
||||
print "\n";
|
||||
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
||||
enter_cmd_mode;
|
||||
enter_cmd_mode1 unless $mode = CMD_MODE;
|
||||
print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
||||
enter_cat_mode;
|
||||
print "\n";
|
||||
enter_cat_mode1;
|
||||
} else {
|
||||
print( ":$name - [0:0]" );
|
||||
enter_cmd_mode1 unless $mode = CMD_MODE;
|
||||
print( ":$name - [0:0]\n" );
|
||||
}
|
||||
} else {
|
||||
print( ":$name - [0:0]" );
|
||||
print( ":$name - [0:0]\n" );
|
||||
}
|
||||
|
||||
push @chains, $chainref;
|
||||
|
||||
@@ -139,6 +139,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
push_action_params
|
||||
pop_action_params
|
||||
default_action_params
|
||||
setup_audit_action
|
||||
read_a_line
|
||||
which
|
||||
qt
|
||||
@@ -185,7 +186,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
%helpers_enabled
|
||||
%helpers_aliases
|
||||
|
||||
%actparms
|
||||
%actparams
|
||||
|
||||
PARMSMODIFIED
|
||||
USEDCALLER
|
||||
@@ -552,7 +553,7 @@ our %compiler_params;
|
||||
#
|
||||
# Action parameters
|
||||
#
|
||||
our %actparms;
|
||||
our %actparams;
|
||||
our $parmsmodified;
|
||||
our $usedcaller;
|
||||
our $inline_matches;
|
||||
@@ -670,6 +671,13 @@ our %variables; # Symbol table for expanding shell variables
|
||||
|
||||
our $section_function; #Function Reference for handling ?section
|
||||
|
||||
our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl().
|
||||
|
||||
#
|
||||
# Files located via find_file()
|
||||
#
|
||||
our %filecache;
|
||||
|
||||
sub process_shorewallrc($$);
|
||||
sub add_variables( \% );
|
||||
#
|
||||
@@ -1061,7 +1069,7 @@ sub initialize( $;$$) {
|
||||
|
||||
%compiler_params = ();
|
||||
|
||||
%actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '' );
|
||||
%actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '' );
|
||||
$parmsmodified = 0;
|
||||
$usedcaller = 0;
|
||||
|
||||
@@ -1469,9 +1477,9 @@ sub hex_value( $ ) {
|
||||
# Strip off superfluous leading zeros from a hex number
|
||||
#
|
||||
sub normalize_hex( $ ) {
|
||||
my $val = lc shift;
|
||||
my $val = lc $_[0];
|
||||
|
||||
$val =~ s/^0// while $val =~ /^0/ && length $val > 1;
|
||||
$val =~ s/^0+/0/;
|
||||
$val;
|
||||
}
|
||||
|
||||
@@ -1900,6 +1908,10 @@ sub find_file($)
|
||||
|
||||
return $filename if $filename =~ '/';
|
||||
|
||||
my $file = $filecache{$filename};
|
||||
|
||||
return $file if $file;
|
||||
|
||||
for my $directory ( @config_path ) {
|
||||
my $file = "$directory$filename";
|
||||
return $file if -f $file;
|
||||
@@ -2150,6 +2162,12 @@ sub supplied( $ ) {
|
||||
defined $val && $val ne '';
|
||||
}
|
||||
|
||||
sub passed( $ ) {
|
||||
my $val = shift;
|
||||
|
||||
defined $val && $val ne '' && $val ne '-';
|
||||
}
|
||||
|
||||
#
|
||||
# Pre-process a line from a configuration file.
|
||||
|
||||
@@ -2505,6 +2523,21 @@ sub join_parts( $$$ ) {
|
||||
join( '', $first, $val, $rest );
|
||||
}
|
||||
|
||||
#
|
||||
# Declare passed() in Shorewall::User
|
||||
#
|
||||
sub declare_passed() {
|
||||
my $result = ( eval q(package Shorewall::User;
|
||||
use strict;
|
||||
sub passed( $ ) {
|
||||
my $val = shift;
|
||||
defined $val && $val ne '' && $val ne '-';
|
||||
}
|
||||
|
||||
1;) );
|
||||
assert( $result, $@ );
|
||||
}
|
||||
|
||||
#
|
||||
# Evaluate an expression in an ?IF, ?ELSIF, ?SET or ?ERROR directive
|
||||
#
|
||||
@@ -2512,14 +2545,28 @@ sub evaluate_expression( $$$$ ) {
|
||||
my ( $expression , $filename , $linenumber, $just_expand ) = @_;
|
||||
my $val;
|
||||
my $count = 0;
|
||||
my $chain = $actparms{chain};
|
||||
my $chain = $actparams{chain};
|
||||
|
||||
# $1 $2
|
||||
if ( $expression =~ /^(!)?\s*passed\([\$@](\d+)\)$/ ) {
|
||||
my $val = passed($actparams{$2});
|
||||
|
||||
return $1 ? ! $val : $val unless $debug;
|
||||
|
||||
$val = $1 ? ! $val : $val;
|
||||
|
||||
print "EXPR=> '$val'\n" if $debug;
|
||||
|
||||
return $val;
|
||||
}
|
||||
|
||||
# $1 $2 $3 - $4
|
||||
while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
|
||||
my ( $first, $var, $rest ) = ( $1, $3, $4);
|
||||
|
||||
if ( $var =~ /^\d+$/ ) {
|
||||
fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain;
|
||||
$val = $var ? $actparms{$var} : $actparms{0}->{name};
|
||||
$val = $var ? $actparams{$var} : $actparams{0}->{name};
|
||||
} else {
|
||||
$val = ( exists $variables{$var} ? $variables{$var} :
|
||||
exists $capdesc{$var} ? have_capability( $var ) : '' );
|
||||
@@ -2534,7 +2581,7 @@ sub evaluate_expression( $$$$ ) {
|
||||
while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
|
||||
my ( $first, $var, $rest ) = ( $1, $3, $4);
|
||||
$var = numeric_value( $var ) if $var =~ /^\d/;
|
||||
$val = $var ? $actparms{$var} : $chain;
|
||||
$val = $var ? $actparams{$var} : $chain;
|
||||
$usedcaller = USEDCALLER if $var eq 'caller';
|
||||
$expression = join_parts( $first, $val, $rest );
|
||||
directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
|
||||
@@ -2571,7 +2618,13 @@ sub evaluate_expression( $$$$ ) {
|
||||
#
|
||||
# Not a simple one-term expression -- compile it
|
||||
#
|
||||
$val = eval qq(package Shorewall::User;\nuse strict;\n# line $linenumber "$filename"\n$expression);
|
||||
|
||||
declare_passed unless $evals++;
|
||||
|
||||
$val = eval qq(package Shorewall::User;
|
||||
use strict;
|
||||
# line $linenumber "$filename"
|
||||
$expression);
|
||||
|
||||
unless ( $val ) {
|
||||
directive_error( "Couldn't parse expression ($expression): $@" , $filename, $linenumber ) if $@;
|
||||
@@ -2668,8 +2721,8 @@ sub process_compiler_directive( $$$$ ) {
|
||||
$var = $2;
|
||||
$var = numeric_value( $var ) if $var =~ /^\d/;
|
||||
$var = $2 || 'chain';
|
||||
directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
|
||||
my $val = $actparms{$var} = evaluate_expression ( $expression,
|
||||
directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0};
|
||||
my $val = $actparams{$var} = evaluate_expression ( $expression,
|
||||
$filename,
|
||||
$linenumber,
|
||||
0 );
|
||||
@@ -2702,12 +2755,12 @@ sub process_compiler_directive( $$$$ ) {
|
||||
if ( ( $1 || '' ) eq '@' ) {
|
||||
$var = numeric_value( $var ) if $var =~ /^\d/;
|
||||
$var = $2 || 'chain';
|
||||
directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0};
|
||||
if ( exists $actparms{$var} ) {
|
||||
directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
|
||||
if ( exists $actparams{$var} ) {
|
||||
if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
|
||||
$actparms{$var} = '';
|
||||
$actparams{$var} = '';
|
||||
} else {
|
||||
delete $actparms{$var}
|
||||
delete $actparams{$var}
|
||||
}
|
||||
} else {
|
||||
directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
|
||||
@@ -3135,7 +3188,7 @@ sub embedded_shell( $ ) {
|
||||
sub embedded_perl( $ ) {
|
||||
my $multiline = shift;
|
||||
|
||||
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
|
||||
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
|
||||
|
||||
$directive_callback->( 'PERL', $currentline ) if $directive_callback;
|
||||
|
||||
@@ -3162,6 +3215,8 @@ sub embedded_perl( $ ) {
|
||||
|
||||
$embedded++;
|
||||
|
||||
declare_passed unless $evals++;
|
||||
|
||||
unless (my $return = eval $command ) {
|
||||
#
|
||||
# Perl found the script offensive or the script itself died
|
||||
@@ -3222,32 +3277,32 @@ sub push_action_params( $$$$$$ ) {
|
||||
my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
|
||||
my @parms = ( undef , split_list3( $parms , 'parameter' ) );
|
||||
|
||||
$actparms{modified} = $parmsmodified;
|
||||
$actparms{usedcaller} = $usedcaller;
|
||||
$actparams{modified} = $parmsmodified;
|
||||
$actparams{usedcaller} = $usedcaller;
|
||||
|
||||
my %oldparms = %actparms;
|
||||
my %oldparms = %actparams;
|
||||
|
||||
$parmsmodified = 0;
|
||||
$usedcaller = 0;
|
||||
|
||||
%actparms = ();
|
||||
%actparams = ();
|
||||
|
||||
for ( my $i = 1; $i < @parms; $i++ ) {
|
||||
my $val = $parms[$i];
|
||||
|
||||
$actparms{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
|
||||
$actparams{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
|
||||
}
|
||||
|
||||
$actparms{0} = $chainref;
|
||||
$actparms{action} = $action;
|
||||
$actparms{loglevel} = $loglevel;
|
||||
$actparms{logtag} = $logtag;
|
||||
$actparms{caller} = $caller;
|
||||
$actparms{disposition} = '' if $chainref->{action};
|
||||
$actparams{0} = $chainref;
|
||||
$actparams{action} = $action;
|
||||
$actparams{loglevel} = $loglevel;
|
||||
$actparams{logtag} = $logtag;
|
||||
$actparams{caller} = $caller;
|
||||
$actparams{disposition} = '' if $chainref->{action};
|
||||
#
|
||||
# The Shorewall variable '@chain' has the non-word charaters removed
|
||||
#
|
||||
( $actparms{chain} = $chainref->{name} ) =~ s/[^\w]//g;
|
||||
( $actparams{chain} = $chainref->{name} ) =~ s/[^\w]//g;
|
||||
|
||||
\%oldparms;
|
||||
}
|
||||
@@ -3260,10 +3315,10 @@ sub push_action_params( $$$$$$ ) {
|
||||
#
|
||||
sub pop_action_params( $ ) {
|
||||
my $oldparms = shift;
|
||||
%actparms = %$oldparms;
|
||||
%actparams = %$oldparms;
|
||||
my $return = $parmsmodified | $usedcaller;
|
||||
( $parmsmodified ) = delete $actparms{modified} || 0;
|
||||
( $usedcaller ) = delete $actparms{usedcaller} || 0;
|
||||
( $parmsmodified ) = delete $actparams{modified} || 0;
|
||||
( $usedcaller ) = delete $actparams{usedcaller} || 0;
|
||||
$return;
|
||||
}
|
||||
|
||||
@@ -3273,11 +3328,11 @@ sub default_action_params {
|
||||
|
||||
for ( $i = 1; 1; $i++ ) {
|
||||
last unless defined ( $val = shift );
|
||||
my $curval = $actparms{$i};
|
||||
$actparms{$i} = $val unless supplied( $curval );
|
||||
my $curval = $actparams{$i};
|
||||
$actparams{$i} = $val unless supplied( $curval );
|
||||
}
|
||||
|
||||
fatal_error "Too Many arguments to action $action" if defined $actparms{$i};
|
||||
fatal_error "Too Many arguments to action $action" if defined $actparams{$i};
|
||||
}
|
||||
|
||||
sub get_action_params( $ ) {
|
||||
@@ -3288,53 +3343,65 @@ sub get_action_params( $ ) {
|
||||
my @return;
|
||||
|
||||
for ( my $i = 1; $i <= $num; $i++ ) {
|
||||
my $val = $actparms{$i};
|
||||
my $val = $actparams{$i};
|
||||
push @return, defined $val ? $val eq '-' ? '' : $val eq '--' ? '-' : $val : $val;
|
||||
}
|
||||
|
||||
@return;
|
||||
}
|
||||
|
||||
sub setup_audit_action( $ ) {
|
||||
my ( $action ) = @_;
|
||||
|
||||
my ( $target, $audit ) = get_action_params( 2 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action $action" if $audit ne 'audit';
|
||||
fatal_error "Only ACCEPT, DROP and REJECT may be audited" unless $target =~ /^(?:A_)?(?:ACCEPT|DROP|REJECT)\b/;
|
||||
$actparams{1} = "A_$target" unless $target =~ /^A_/;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Returns the Level and Tag for the current action chain
|
||||
#
|
||||
sub get_action_logging() {
|
||||
@actparms{ 'loglevel', 'logtag' };
|
||||
@actparams{ 'loglevel', 'logtag' };
|
||||
}
|
||||
|
||||
sub get_action_chain() {
|
||||
$actparms{0};
|
||||
$actparams{0};
|
||||
}
|
||||
|
||||
sub get_action_chain_name() {
|
||||
$actparms{chain};
|
||||
$actparams{chain};
|
||||
}
|
||||
|
||||
sub set_action_name_to_caller() {
|
||||
$actparms{chain} = $actparms{caller};
|
||||
$actparams{chain} = $actparams{caller};
|
||||
}
|
||||
|
||||
sub get_action_disposition() {
|
||||
$actparms{disposition};
|
||||
$actparams{disposition};
|
||||
}
|
||||
|
||||
sub set_action_disposition($) {
|
||||
$actparms{disposition} = $_[0];
|
||||
$actparams{disposition} = $_[0];
|
||||
}
|
||||
|
||||
sub set_action_param( $$ ) {
|
||||
my $i = shift;
|
||||
|
||||
fatal_error "Parameter numbers must be numeric" unless $i =~ /^\d+$/ && $i > 0;
|
||||
$actparms{$i} = shift;
|
||||
$actparams{$i} = shift;
|
||||
}
|
||||
|
||||
#
|
||||
# Expand Shell Variables in the passed buffer using %actparms, %params, %shorewallrc1 and %config,
|
||||
# Expand Shell Variables in the passed buffer using %actparams, %params, %shorewallrc1 and %config,
|
||||
#
|
||||
sub expand_variables( \$ ) {
|
||||
my ( $lineref, $count ) = ( $_[0], 0 );
|
||||
my $chain = $actparms{chain};
|
||||
my $chain = $actparams{chain};
|
||||
# $1 $2 $3 - $4
|
||||
while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
|
||||
|
||||
@@ -3348,16 +3415,16 @@ sub expand_variables( \$ ) {
|
||||
if ( $config{IGNOREUNKNOWNVARIABLES} ) {
|
||||
fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ );
|
||||
} else {
|
||||
fatal_error "Undefined parameter (\$$var)" unless ( defined $actparms{$var} &&
|
||||
fatal_error "Undefined parameter (\$$var)" unless ( defined $actparams{$var} &&
|
||||
( length( $var ) == 1 ||
|
||||
$var !~ /^0/ ) );
|
||||
}
|
||||
|
||||
$val = $var ? $actparms{$var} : $actparms{0}->{name};
|
||||
$val = $var ? $actparams{$var} : $actparams{0}->{name};
|
||||
} elsif ( exists $variables{$var} ) {
|
||||
$val = $variables{$var};
|
||||
} elsif ( exists $actparms{$var} ) {
|
||||
$val = $actparms{$var};
|
||||
} elsif ( exists $actparams{$var} ) {
|
||||
$val = $actparams{$var};
|
||||
$usedcaller = USEDCALLER if $var eq 'caller';
|
||||
} else {
|
||||
fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
|
||||
@@ -3376,7 +3443,7 @@ sub expand_variables( \$ ) {
|
||||
# $1 $2 $3 - $4
|
||||
while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
|
||||
my ( $first, $var, $rest ) = ( $1, $3, $4);
|
||||
my $val = $var ? $actparms{$var} : $actparms{chain};
|
||||
my $val = $var ? $actparams{$var} : $actparams{chain};
|
||||
$usedcaller = USEDCALLER if $var eq 'caller';
|
||||
$val = '' unless defined $val;
|
||||
$$lineref = join( '', $first , $val , $rest );
|
||||
@@ -3507,7 +3574,7 @@ sub read_a_line($) {
|
||||
#
|
||||
handle_first_entry if $first_entry;
|
||||
#
|
||||
# Expand Shell Variables using %params and %actparms
|
||||
# Expand Shell Variables using %params and %actparams
|
||||
#
|
||||
expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
|
||||
|
||||
@@ -6039,7 +6106,7 @@ sub get_configuration( $$$$ ) {
|
||||
|
||||
default_log_level 'SFILTER_LOG_LEVEL', 'info';
|
||||
|
||||
if ( $val = $config{SFILTER_DISPOSITION} ) {
|
||||
if ( supplied( $val = $config{SFILTER_DISPOSITION} ) ) {
|
||||
fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
|
||||
require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
|
||||
} else {
|
||||
@@ -6048,14 +6115,14 @@ sub get_configuration( $$$$ ) {
|
||||
|
||||
default_log_level 'RPFILTER_LOG_LEVEL', 'info';
|
||||
|
||||
if ( $val = $config{RPFILTER_DISPOSITION} ) {
|
||||
if ( supplied ( $val = $config{RPFILTER_DISPOSITION} ) ) {
|
||||
fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
|
||||
require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
|
||||
} else {
|
||||
$config{RPFILTER_DISPOSITION} = 'DROP';
|
||||
}
|
||||
|
||||
if ( $val = $config{MACLIST_DISPOSITION} ) {
|
||||
if ( supplied( $val = $config{MACLIST_DISPOSITION} ) ) {
|
||||
if ( $val =~ /^(?:A_)?DROP$/ ) {
|
||||
$globals{MACLIST_TARGET} = $val;
|
||||
} elsif ( $val eq 'REJECT' ) {
|
||||
@@ -6074,7 +6141,7 @@ sub get_configuration( $$$$ ) {
|
||||
$globals{MACLIST_TARGET} = 'reject';
|
||||
}
|
||||
|
||||
if ( $val = $config{RELATED_DISPOSITION} ) {
|
||||
if ( supplied( $val = $config{RELATED_DISPOSITION} ) ) {
|
||||
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
|
||||
$globals{RELATED_TARGET} = $val;
|
||||
} elsif ( $val eq 'REJECT' ) {
|
||||
@@ -6093,7 +6160,7 @@ sub get_configuration( $$$$ ) {
|
||||
$globals{RELATED_TARGET} = 'ACCEPT';
|
||||
}
|
||||
|
||||
if ( $val = $config{INVALID_DISPOSITION} ) {
|
||||
if ( supplied( $val = $config{INVALID_DISPOSITION} ) ) {
|
||||
if ( $val =~ /^(?:A_)?DROP$/ ) {
|
||||
$globals{INVALID_TARGET} = $val;
|
||||
} elsif ( $val eq 'REJECT' ) {
|
||||
@@ -6112,7 +6179,7 @@ sub get_configuration( $$$$ ) {
|
||||
$globals{INVALID_TARGET} = '';
|
||||
}
|
||||
|
||||
if ( $val = $config{UNTRACKED_DISPOSITION} ) {
|
||||
if ( supplied( $val = $config{UNTRACKED_DISPOSITION} ) ) {
|
||||
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
|
||||
$globals{UNTRACKED_TARGET} = $val;
|
||||
} elsif ( $val eq 'REJECT' ) {
|
||||
@@ -6131,7 +6198,7 @@ sub get_configuration( $$$$ ) {
|
||||
$globals{UNTRACKED_TARGET} = '';
|
||||
}
|
||||
|
||||
if ( $val = $config{MACLIST_TABLE} ) {
|
||||
if ( supplied( $val = $config{MACLIST_TABLE} ) ) {
|
||||
if ( $val eq 'mangle' ) {
|
||||
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
|
||||
} else {
|
||||
@@ -6141,7 +6208,7 @@ sub get_configuration( $$$$ ) {
|
||||
default 'MACLIST_TABLE' , 'filter';
|
||||
}
|
||||
|
||||
if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
|
||||
if ( supplied( $val = $config{TCP_FLAGS_DISPOSITION} ) ) {
|
||||
fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:(A_)?(?:REJECT|DROP))|ACCEPT$/;
|
||||
require_capability 'AUDIT_TARGET' , "TCP_FLAGS_DISPOSITION=$val", 's' if $1;
|
||||
} else {
|
||||
@@ -6172,7 +6239,7 @@ sub get_configuration( $$$$ ) {
|
||||
require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
|
||||
}
|
||||
|
||||
if ( $val = $config{TC_PRIOMAP} ) {
|
||||
if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
|
||||
my @priomap = split ' ',$val;
|
||||
fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16;
|
||||
for ( @priomap ) {
|
||||
@@ -6191,12 +6258,13 @@ sub get_configuration( $$$$ ) {
|
||||
default 'QUEUE_DEFAULT' , 'none';
|
||||
default 'NFQUEUE_DEFAULT' , 'none';
|
||||
default 'ACCEPT_DEFAULT' , 'none';
|
||||
default 'OPTIMIZE' , 0;
|
||||
|
||||
for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
|
||||
$config{$default} = 'none' if "\L$config{$default}" eq 'none';
|
||||
}
|
||||
|
||||
default 'OPTIMIZE' , 0;
|
||||
|
||||
if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) {
|
||||
$config{OPTIMIZE} = $val = OPTIMIZE_ALL;
|
||||
} elsif ( $val =~ /^none$/i ) {
|
||||
@@ -6531,6 +6599,7 @@ sub report_used_capabilities() {
|
||||
}
|
||||
|
||||
END {
|
||||
print "eval() called $evals times\n" if $debug;
|
||||
cleanup;
|
||||
}
|
||||
|
||||
|
||||
@@ -641,6 +641,7 @@ sub create_docker_rules() {
|
||||
add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
|
||||
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
|
||||
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
|
||||
add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
|
||||
decr_cmd_level( $chainref );
|
||||
add_commands( $chainref, 'fi' );
|
||||
}
|
||||
|
||||
@@ -186,10 +186,6 @@ our %active;
|
||||
#
|
||||
our %actions;
|
||||
#
|
||||
# Inline Action Table
|
||||
#
|
||||
our %inlines;
|
||||
#
|
||||
# Contains an entry for each used <action>:<level>:[<tag>]:[<calling chain>]:[<params>] that maps to the associated chain.
|
||||
# See normalize_action().
|
||||
#
|
||||
@@ -209,10 +205,6 @@ our %auditpolicies = ( ACCEPT => 1,
|
||||
#
|
||||
our @columns;
|
||||
#
|
||||
# Used to handle recursive inline invocations.
|
||||
#
|
||||
our @columnstack;
|
||||
#
|
||||
# Hidden return from perl_action_[tcp_]helper that indicates that a rule was generated
|
||||
#
|
||||
our $actionresult;
|
||||
@@ -224,6 +216,33 @@ our %statetable;
|
||||
# Tracks which of the state match actions (action.Invalid, etc.) that is currently being expanded
|
||||
#
|
||||
our $statematch;
|
||||
|
||||
#
|
||||
# Action/Inline options
|
||||
#
|
||||
use constant { INLINE_OPT => 1 ,
|
||||
NOINLINE_OPT => 2 ,
|
||||
NOLOG_OPT => 4 ,
|
||||
BUILTIN_OPT => 8 ,
|
||||
RAW_OPT => 16 ,
|
||||
MANGLE_OPT => 32 ,
|
||||
FILTER_OPT => 64 ,
|
||||
NAT_OPT => 128 ,
|
||||
TERMINATING_OPT => 256 ,
|
||||
AUDIT_OPT => 512 ,
|
||||
};
|
||||
|
||||
our %options = ( inline => INLINE_OPT ,
|
||||
noinline => NOINLINE_OPT ,
|
||||
nolog => NOLOG_OPT ,
|
||||
builtin => BUILTIN_OPT ,
|
||||
raw => RAW_OPT ,
|
||||
mangle => MANGLE_OPT ,
|
||||
filter => FILTER_OPT ,
|
||||
nat => NAT_OPT ,
|
||||
terminating => TERMINATING_OPT ,
|
||||
audit => AUDIT_OPT ,
|
||||
);
|
||||
################################################################################
|
||||
# Declarations moved from the Tc module in 5.0.7 #
|
||||
################################################################################
|
||||
@@ -326,16 +345,11 @@ sub initialize( $ ) {
|
||||
#
|
||||
%actions = ();
|
||||
#
|
||||
# Inline Actions -- value is file.
|
||||
#
|
||||
%inlines = ();
|
||||
#
|
||||
# Action variants actually used. Key is <action>:<loglevel>:<tag>:<params>; value is corresponding chain name
|
||||
#
|
||||
%usedactions = ();
|
||||
|
||||
@columns = ( ( '-' ) x LAST_COLUMN, 0 );
|
||||
@columnstack = ();
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
|
||||
@@ -509,20 +523,20 @@ sub process_default_action( $$$$ ) {
|
||||
}
|
||||
|
||||
$default = 'none';
|
||||
} elsif ( $actions{$def} ) {
|
||||
} elsif ( ( $targets{$def} || 0 ) == ACTION ) {
|
||||
$default = supplied $param ? normalize_action( $def, $level, $param ) :
|
||||
$level eq 'none' ? normalize_action_name $def :
|
||||
normalize_action( $def, $level, '' );
|
||||
} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
|
||||
$default = $def;
|
||||
$default = "$def($param)" if supplied $param;
|
||||
$default = join( ':', $default, $level ) if $level ne 'none';
|
||||
} elsif ( $default_option ) {
|
||||
fatal_error "Unknown Action ($default) in $policy setting";
|
||||
} else {
|
||||
fatal_error "Unknown Default Action ($default)";
|
||||
}
|
||||
|
||||
$default = join( ':', $default, $level ) if $level ne 'none';
|
||||
} else {
|
||||
$default = $default_actions{$policy} || 'none';
|
||||
}
|
||||
@@ -1294,13 +1308,13 @@ sub external_name( $ ) {
|
||||
#
|
||||
# Define an Action
|
||||
#
|
||||
sub new_action( $$$$ ) {
|
||||
sub new_action( $$$$$ ) {
|
||||
|
||||
my ( $action , $type, $noinline, $nolog ) = @_;
|
||||
my ( $action , $type, $options , $actionfile , $state ) = @_;
|
||||
|
||||
fatal_error "Invalid action name($action)" if reserved_name( $action );
|
||||
|
||||
$actions{$action} = { actchain => '' , noinline => $noinline, nolog => $nolog } if $type & ACTION;
|
||||
$actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state };
|
||||
|
||||
$targets{$action} = $type;
|
||||
}
|
||||
@@ -1768,6 +1782,7 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
|
||||
|
||||
sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
|
||||
sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ );
|
||||
sub perl_action_helper( $$;$$ );
|
||||
|
||||
#
|
||||
# Populate an action invocation chain. As new action tuples are encountered,
|
||||
@@ -1782,6 +1797,7 @@ sub process_action(\$\$$) {
|
||||
my $chainref = ${$chainrefref};
|
||||
my ( $action, $level, $tag, undef, $param ) = split /:/, $wholeaction, ACTION_TUPLE_ELEMENTS;
|
||||
my $type = $targets{$action};
|
||||
my $actionref = $actions{$action};
|
||||
|
||||
if ( $type & BUILTIN ) {
|
||||
$level = '' if $level =~ /none!?/;
|
||||
@@ -1795,17 +1811,17 @@ sub process_action(\$\$$) {
|
||||
fatal_error "Action $action may not be used in the mangle file" if $chainref->{table} eq 'mangle';
|
||||
}
|
||||
|
||||
my $actionfile = find_file "action.$action";
|
||||
|
||||
fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
|
||||
my $actionfile = $actionref->{file};
|
||||
|
||||
progress_message2 "$doing $actionfile for chain $chainref->{name}...";
|
||||
|
||||
push_open $actionfile, 2, 1, undef, 2;
|
||||
|
||||
my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
|
||||
my $options = $actionref->{options};
|
||||
my $nolog = $options & NOLOG_OPT;
|
||||
|
||||
my $nolog = $actions{$action}{nolog};
|
||||
setup_audit_action( $action ) if $options & AUDIT_OPT;
|
||||
|
||||
$active{$action}++;
|
||||
push @actionstack, $wholeaction;
|
||||
@@ -1912,14 +1928,23 @@ sub process_action(\$\$$) {
|
||||
fatal_error 'TARGET must be specified' if $target eq '-';
|
||||
|
||||
if ( $target eq 'DEFAULTS' ) {
|
||||
default_action_params( $action, split_list $source, 'defaults' ), next if $file_format == 2;
|
||||
fatal_error 'DEFAULTS only allowed in FORMAT-2 actions';
|
||||
default_action_params( $action, split_list $source, 'defaults' );
|
||||
|
||||
if ( my $state = $actionref->{state} ) {
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
if ( my $check = check_state( $state ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match( $state ) : '' , $state );
|
||||
}
|
||||
}
|
||||
|
||||
next;
|
||||
}
|
||||
|
||||
process_rule( $chainref,
|
||||
'',
|
||||
'',
|
||||
$nolog ? $target : merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $target ),
|
||||
$nolog ? $target : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $target ),
|
||||
'',
|
||||
$source,
|
||||
$dest,
|
||||
@@ -2007,7 +2032,7 @@ sub process_actions() {
|
||||
#
|
||||
# Add built-in actions to the target table and create those actions
|
||||
#
|
||||
$targets{$_} = new_action( $_ , ACTION + BUILTIN, 1, 0 ) for @builtins;
|
||||
$targets{$_} = new_action( $_ , ACTION + BUILTIN, NOINLINE_OPT, '' , '' ) for @builtins;
|
||||
|
||||
for my $file ( qw/actions.std actions/ ) {
|
||||
open_file( $file, 2 );
|
||||
@@ -2021,30 +2046,10 @@ sub process_actions() {
|
||||
|
||||
my $type = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
|
||||
|
||||
use constant { INLINE_OPT => 1 ,
|
||||
NOINLINE_OPT => 2 ,
|
||||
NOLOG_OPT => 4 ,
|
||||
BUILTIN_OPT => 8 ,
|
||||
RAW_OPT => 16 ,
|
||||
MANGLE_OPT => 32 ,
|
||||
FILTER_OPT => 64 ,
|
||||
NAT_OPT => 128 ,
|
||||
TERMINATING_OPT => 256 ,
|
||||
};
|
||||
|
||||
my %options = ( inline => INLINE_OPT ,
|
||||
noinline => NOINLINE_OPT ,
|
||||
nolog => NOLOG_OPT ,
|
||||
builtin => BUILTIN_OPT ,
|
||||
raw => RAW_OPT ,
|
||||
mangle => MANGLE_OPT ,
|
||||
filter => FILTER_OPT ,
|
||||
nat => NAT_OPT ,
|
||||
terminating => TERMINATING_OPT ,
|
||||
);
|
||||
|
||||
my $opts = $type == INLINE ? NOLOG_OPT : 0;
|
||||
|
||||
my $state = '';
|
||||
|
||||
if ( $action =~ /:/ ) {
|
||||
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
|
||||
$action =~ s/:.*$//;
|
||||
@@ -2054,8 +2059,16 @@ sub process_actions() {
|
||||
|
||||
if ( $options ne '-' ) {
|
||||
for ( split_list( $options, 'option' ) ) {
|
||||
fatal_error "Invalid option ($_)" unless $options{$_};
|
||||
$opts |= $options{$_};
|
||||
if ( /^state=(NEW|ESTABLISHED|RELATED|INVALID|UNTRACKED)$/ ) {
|
||||
if ( $file eq 'actions.std' ) {
|
||||
$state = $1;
|
||||
} else {
|
||||
fatal_error( q(The 'state' option is reserved for use in the actions.std file) );
|
||||
}
|
||||
} else {
|
||||
fatal_error "Invalid option ($_)" unless $options{$_};
|
||||
$opts |= $options{$_};
|
||||
}
|
||||
}
|
||||
|
||||
unless ( $type & INLINE ) {
|
||||
@@ -2067,11 +2080,11 @@ sub process_actions() {
|
||||
|
||||
if ( my $actiontype = $targets{$action} ) {
|
||||
if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
|
||||
if ( $actions{$action}->{noinline} ) {
|
||||
if ( $actions{$action}{options} & NOINLINE_OPT ) {
|
||||
warning_message "'inline' option ignored on action $action -- that action may not be in-lined";
|
||||
next;
|
||||
}
|
||||
|
||||
|
||||
delete $actions{$action};
|
||||
delete $targets{$action};
|
||||
} else {
|
||||
@@ -2104,13 +2117,11 @@ sub process_actions() {
|
||||
|
||||
$type |= MANGLE_TABLE if $opts & MANGLE_OPT;
|
||||
|
||||
new_action $action, $type, ( $opts & NOINLINE_OPT ) != 0 , ( $opts & NOLOG_OPT ) != 0;
|
||||
|
||||
my $actionfile = find_file( "action.$action" );
|
||||
|
||||
fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
|
||||
|
||||
$inlines{$action} = { file => $actionfile, nolog => $opts & NOLOG_OPT } if $type & INLINE;
|
||||
new_action ( $action, $type, $opts, $actionfile , $state );
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -2322,8 +2333,12 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
|
||||
$chainref->{name} ,
|
||||
);
|
||||
|
||||
my $inlinefile = $inlines{$inline}{file};
|
||||
my $nolog = $inlines{$inline}{nolog};
|
||||
my $actionref = $actions{$inline};
|
||||
my $inlinefile = $actionref->{file};
|
||||
my $options = $actionref->{options};
|
||||
my $nolog = $options & NOLOG_OPT;
|
||||
|
||||
setup_audit_action( $inline ) if $options & AUDIT_OPT;
|
||||
|
||||
progress_message "..Expanding inline action $inlinefile...";
|
||||
|
||||
@@ -2357,10 +2372,19 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
|
||||
|
||||
if ( $mtarget eq 'DEFAULTS' ) {
|
||||
default_action_params( $chainref, split_list( $msource, 'defaults' ) );
|
||||
|
||||
if ( my $state = $actionref->{state} ) {
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
if ( my $check = check_state( $state ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match( $state ) : '' , $state );
|
||||
}
|
||||
}
|
||||
|
||||
next;
|
||||
}
|
||||
|
||||
$mtarget = merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $mtarget ) unless $nolog;
|
||||
$mtarget = merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $mtarget ) unless $nolog;
|
||||
|
||||
my $action = isolate_basic_target $mtarget;
|
||||
|
||||
@@ -2488,6 +2512,44 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
my $exceptionrule = '';
|
||||
my $usergenerated;
|
||||
my $prerule = '';
|
||||
#
|
||||
# Subroutine for handling MARK and CONNMARK.
|
||||
#
|
||||
sub handle_mark( $$$ ) {
|
||||
my ( $target, $param, $marktype ) = @_;
|
||||
my $and_or = $param =~ s/^([|&])// ? $1 : '';
|
||||
|
||||
require_capability( 'MARK_ANYWHERE', "The $target action", 's' );
|
||||
|
||||
fatal_error "Mark Ranges are not supported in the rules file" if $param =~ /-/;
|
||||
#
|
||||
# A Single Mark
|
||||
#
|
||||
my $mark = $param;
|
||||
my $val;
|
||||
|
||||
if ( supplied $mark ) {
|
||||
if ( $marktype == SMALLMARK ) {
|
||||
$val = verify_small_mark( $mark );
|
||||
} else {
|
||||
$val = validate_mark( $mark );
|
||||
}
|
||||
} else {
|
||||
$val = numeric_value( $mark = $globals{TC_MASK} );
|
||||
}
|
||||
|
||||
$target = join( ' ', $target, $and_or eq '|' ? '--or-mark' : $and_or ? '--and-mark' : '--set-mark' );
|
||||
|
||||
( $mark, my $mask ) = split '/', $mark;
|
||||
|
||||
if ( supplied $mask ) {
|
||||
$target = join( ' ', $target , join( '/', $mark , $mask ) );
|
||||
} else {
|
||||
$target = join( ' ', $target , $mark );
|
||||
}
|
||||
|
||||
$target;
|
||||
};
|
||||
|
||||
if ( $inchain = defined $chainref ) {
|
||||
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
|
||||
@@ -2573,7 +2635,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
$action = 'LOG';
|
||||
} elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
|
||||
fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
|
||||
fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
|
||||
fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '' || $actiontype & OPTIONS;
|
||||
}
|
||||
}
|
||||
#
|
||||
@@ -2619,6 +2681,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
$action = "AUDIT --type $param";
|
||||
} ,
|
||||
|
||||
CONNMARK => sub() {
|
||||
$action = handle_mark( 'CONNMARK', $param, HIGHMARK );
|
||||
} ,
|
||||
|
||||
REDIRECT => sub () {
|
||||
my $z = $actiontype & NATONLY ? '' : firewall_zone;
|
||||
if ( $dest eq '-' ) {
|
||||
@@ -2686,6 +2752,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
}
|
||||
},
|
||||
|
||||
MARK => sub() {
|
||||
$action = handle_mark( 'MARK', $param, HIGHMARK );
|
||||
} ,
|
||||
|
||||
TARPIT => sub {
|
||||
require_capability 'TARPIT_TARGET', 'TARPIT', 's';
|
||||
|
||||
@@ -2935,13 +3005,13 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
$action = $basictarget; # Remove params, if any, from $action.
|
||||
} elsif ( $actiontype & INLINE ) {
|
||||
#
|
||||
# process_inline() will call process_rule() recursively for each rule in the macro body
|
||||
# process_inline() will call process_rule() recursively for each rule in the action body
|
||||
#
|
||||
fatal_error "Macro/Inline invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
|
||||
#
|
||||
# Push the current column array onto the column stack
|
||||
#
|
||||
push @columnstack, [ ( $actionresult, @columns ) ];
|
||||
my $savecolumns = [ ( $actionresult, @columns ) ];
|
||||
#
|
||||
# And store the (modified) columns into the columns array for use by perl_action[_tcp]_helper
|
||||
#
|
||||
@@ -2951,7 +3021,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
|
||||
my $generated = process_inline( $basictarget,
|
||||
$chainref,
|
||||
$rule . $raw_matches,
|
||||
$prerule . $rule . $raw_matches,
|
||||
$matches1,
|
||||
$loglevel,
|
||||
$target,
|
||||
@@ -2972,7 +3042,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
$helper,
|
||||
$wildcard ) || $actionresult;
|
||||
|
||||
( $actionresult, @columns ) = @{pop @columnstack};
|
||||
( $actionresult, @columns ) = @$savecolumns;;
|
||||
|
||||
$macro_nest_level--;
|
||||
|
||||
@@ -3184,7 +3254,7 @@ sub check_state( $ ) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
my $chainref = $actparms{0};
|
||||
my $chainref = $actparams{0};
|
||||
my $name = $chainref->{name};
|
||||
my $statechainref;
|
||||
|
||||
@@ -3257,7 +3327,7 @@ sub check_state( $ ) {
|
||||
sub merge_target( $$ ) {
|
||||
my ( $ref, $target ) = @_;
|
||||
|
||||
$ref->{inline} ? $target : merge_levels( join( ':', @actparms{'chain','loglevel','logtag'}), $target );
|
||||
merge_levels( join( ':', @actparams{'chain','loglevel','logtag'}), $target );
|
||||
}
|
||||
|
||||
#
|
||||
@@ -3265,8 +3335,8 @@ sub merge_target( $$ ) {
|
||||
#
|
||||
sub perl_action_helper($$;$$) {
|
||||
my ( $target, $matches, $isstatematch , $matches1 ) = @_;
|
||||
my $action = $actparms{action};
|
||||
my $chainref = $actparms{0};
|
||||
my $action = $actparams{action};
|
||||
my $chainref = $actparams{0};
|
||||
my $result;
|
||||
|
||||
assert( $chainref );
|
||||
@@ -3299,7 +3369,11 @@ sub perl_action_helper($$;$$) {
|
||||
}
|
||||
}
|
||||
|
||||
if ( my $ref = $inlines{$action} ) {
|
||||
my $ref = $actions{$action};
|
||||
|
||||
assert( $ref, $action );
|
||||
|
||||
if ( $ref->{type} & INLINE ) {
|
||||
$result = &process_rule( $chainref,
|
||||
$matches,
|
||||
$matches1,
|
||||
@@ -3307,8 +3381,6 @@ sub perl_action_helper($$;$$) {
|
||||
'', # CurrentParam
|
||||
@columns );
|
||||
} else {
|
||||
assert $actions{$action};
|
||||
|
||||
$result = process_rule( $chainref,
|
||||
$matches,
|
||||
$matches1,
|
||||
@@ -3345,8 +3417,8 @@ sub perl_action_helper($$;$$) {
|
||||
#
|
||||
sub perl_action_tcp_helper($$) {
|
||||
my ( $target, $proto ) = @_;
|
||||
my $action = $actparms{action};
|
||||
my $chainref = $actparms{0};
|
||||
my $action = $actparams{action};
|
||||
my $chainref = $actparams{0};
|
||||
my $result;
|
||||
my $passedproto = $columns[2];
|
||||
|
||||
@@ -3360,7 +3432,11 @@ sub perl_action_tcp_helper($$) {
|
||||
#
|
||||
# For other protos, a 'no rule generated' warning will be issued
|
||||
#
|
||||
if ( my $ref = $inlines{$action} ) {
|
||||
my $ref = $actions{$action};
|
||||
|
||||
assert( $ref, $action );
|
||||
|
||||
if ( $ref->{type} & INLINE ) {
|
||||
$result = &process_rule( $chainref,
|
||||
$proto,
|
||||
'',
|
||||
@@ -3710,7 +3786,7 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
'' ,
|
||||
$chainref->{name} );
|
||||
|
||||
my $inlinefile = $inlines{$inline}{file};
|
||||
my $inlinefile = $actions{$inline}{file};
|
||||
|
||||
progress_message "..Expanding inline action $inlinefile...";
|
||||
|
||||
@@ -4063,7 +4139,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
maxparams => 1,
|
||||
function => sub () {
|
||||
$target = 'CONNMARK';
|
||||
$handle_mark_param->('--set-mark' , HIGHMARK );
|
||||
$handle_mark_param->('' , HIGHMARK );
|
||||
},
|
||||
},
|
||||
|
||||
@@ -4463,14 +4539,14 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
#
|
||||
# Capture the name of the action chain
|
||||
#
|
||||
$target = $ref->{name};
|
||||
} else {
|
||||
#
|
||||
# We've seen this tuple before
|
||||
#
|
||||
$target = $usedactions{$normalized_target}->{name};
|
||||
$ref = $usedactions{$normalized_target};
|
||||
}
|
||||
|
||||
$target = $ref->{name};
|
||||
$commandref->{allowedchains} = $ref->{allowedchains};
|
||||
}
|
||||
};
|
||||
@@ -4526,7 +4602,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
# Function Body
|
||||
#
|
||||
if ( $inchain ) {
|
||||
( $inaction, undef, undef, undef ) = split /:/, $chainref->{action}, 4 if $chainref->{action};
|
||||
( $inaction ) = split /:/, $chainref->{action} if $chainref->{action};
|
||||
#
|
||||
# Set chain type
|
||||
#
|
||||
|
||||
@@ -213,23 +213,23 @@ sub process_in_bandwidth( $ ) {
|
||||
[ $in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ];
|
||||
}
|
||||
|
||||
sub handle_in_bandwidth( $$ ) {
|
||||
my ($physical, $arrayref ) = @_;
|
||||
sub handle_in_bandwidth( $$$ ) {
|
||||
my ($physical, $stab, $arrayref ) = @_;
|
||||
|
||||
return 1 unless $arrayref;
|
||||
|
||||
my ($in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ) = @$arrayref;
|
||||
|
||||
emit ( "run_tc qdisc add dev $physical handle ffff: ingress" );
|
||||
emit ( "run_tc qdisc add dev $physical handle ffff: ${stab}ingress" );
|
||||
|
||||
if ( have_capability 'BASIC_FILTER' ) {
|
||||
if ( $in_rate ) {
|
||||
emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
|
||||
" police mpu 64 rate ${in_rate}kbit burst $in_burst action drop\n" );
|
||||
" police mpu 64 drop rate ${in_rate}kbit burst $in_burst\n" );
|
||||
} else {
|
||||
emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
|
||||
" estimator $in_interval $in_decay basic \\",
|
||||
" police avrate ${in_avrate}kbit action drop\n" );
|
||||
" police drop avrate ${in_avrate}kbit\n" );
|
||||
}
|
||||
} else {
|
||||
emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,
|
||||
@@ -302,7 +302,7 @@ sub process_simple_device() {
|
||||
"qt \$TC qdisc del dev $physical ingress\n"
|
||||
);
|
||||
|
||||
handle_in_bandwidth( $physical, $in_rate );
|
||||
handle_in_bandwidth( $physical, '', $in_rate );
|
||||
|
||||
if ( $out_part ne '-' ) {
|
||||
my ( $out_bandwidth, $burst, $latency, $peak, $minburst ) = split ':', $out_part;
|
||||
@@ -1856,7 +1856,7 @@ sub process_traffic_shaping() {
|
||||
qq(fi) );
|
||||
}
|
||||
|
||||
handle_in_bandwidth( $device, $devref->{in_bandwidth} );
|
||||
handle_in_bandwidth( $device, $stab, $devref->{in_bandwidth} );
|
||||
|
||||
for my $rdev ( @{$devref->{redirected}} ) {
|
||||
my $phyrdev = physical_name( $rdev );
|
||||
|
||||
@@ -30,44 +30,32 @@
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
?if __ADDRTYPE
|
||||
@1 - - - ;; -m addrtype --dst-type BROADCAST
|
||||
@1 - - - ;; -m addrtype --dst-type MULTICAST
|
||||
@1 - - - ;; -m addrtype --dst-type ANYCAST
|
||||
?else
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
fatal_error "Invalid parameter ($audit) to action Broadcast" if supplied $audit && $audit ne 'audit';
|
||||
fatal_error "Invalid parameter ($action) to action Broadcast" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
my $chainref = get_action_chain;
|
||||
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
my $target = require_audit ( $action , $audit );
|
||||
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
if ( $level ne '' ) {
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
|
||||
}
|
||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
||||
incr_cmd_level $chainref;
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||
add_jump $chainref, $action, 0, "-d \$address ";
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
|
||||
} else {
|
||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
||||
incr_cmd_level $chainref;
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||
add_jump $chainref, $target, 0, "-d \$address ";
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
|
||||
}
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
?endif
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
?if @1 ne '' && @1 ne '-'
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
|
||||
?else
|
||||
@@ -47,7 +47,7 @@ COUNT
|
||||
#
|
||||
# Special Handling for Auth
|
||||
#
|
||||
?if @2 ne '-'
|
||||
?if passed(@2)
|
||||
Auth(@2)
|
||||
?endif
|
||||
#
|
||||
|
||||
@@ -30,19 +30,6 @@
|
||||
|
||||
DEFAULTS ACCEPT
|
||||
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
if ( my $check = check_state( 'ESTABLISHED' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
#
|
||||
# All logic for this action is supplied by the 'state' option in actions.std
|
||||
#
|
||||
|
||||
@@ -12,9 +12,9 @@
|
||||
DEFAULTS 2,0
|
||||
|
||||
?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
|
||||
?error Invalid value for Bricks (@1)
|
||||
?error Invalid value for Bricks (@1)
|
||||
?elsif @2 !~ /^[01]$/
|
||||
?error Invalid value for IB (@2)
|
||||
?error Invalid value for IB (@2)
|
||||
?endif
|
||||
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
|
||||
@@ -30,24 +30,6 @@
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
if ( my $check = check_state( 'INVALID' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
#
|
||||
# All logic for this action is triggered by the 'audit' and 'state' options in actions.std
|
||||
#
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Untracked[([<action>])]
|
||||
# New[([<action>])]
|
||||
#
|
||||
# Default action is ACCEPT
|
||||
#
|
||||
@@ -30,19 +30,6 @@
|
||||
|
||||
DEFAULTS ACCEPT
|
||||
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
if ( my $check = check_state( 'NEW' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
#
|
||||
# All logic for this action is supplied by the 'state' option in actions.std
|
||||
#
|
||||
|
||||
@@ -30,23 +30,4 @@
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
?begin perl;
|
||||
|
||||
use strict;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
perl_action_tcp_helper( $action, '-p 6 ! --syn' );
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
@1 - - ;;+ -p 6 ! --syn
|
||||
|
||||
@@ -30,21 +30,4 @@
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
@1 - - ;;+ -p 6 --tcp-flags RST RST
|
||||
|
||||
@@ -28,7 +28,7 @@
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
###############################################################################
|
||||
|
||||
?if @1 ne '' && @1 ne '-'
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP
|
||||
?else
|
||||
@@ -46,7 +46,7 @@ COUNT
|
||||
#
|
||||
# Special handling for Auth
|
||||
#
|
||||
?if @2 ne '-'
|
||||
?if passed(@2)
|
||||
Auth(@2)
|
||||
?endif
|
||||
#
|
||||
@@ -72,7 +72,7 @@ DropUPnP(@5)
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
NotSyn(-,@1) - - tcp
|
||||
NotSyn(DROP,@1) - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
|
||||
# the log.
|
||||
|
||||
@@ -30,20 +30,6 @@
|
||||
|
||||
DEFAULTS DROP
|
||||
|
||||
?begin perl;
|
||||
|
||||
use strict;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
if ( my $check = check_state( 'RELATED' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match( 'RELATED' ) : '', 'RELATED' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
#
|
||||
# All logic for this action is supplied by the 'state' option in actions.std
|
||||
#
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
|
||||
DEFAULTS -
|
||||
|
||||
?if @1 ne '' && @1 ne '-'
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
?set tcpflags_action 'A_DROP'
|
||||
?else
|
||||
@@ -27,8 +27,3 @@ $tcpflags_action - - ;;+ -p 6 --tcp-flags ALL NONE
|
||||
$tcpflags_action - - ;;+ -p 6 --tcp-flags SYN,RST SYN,RST
|
||||
$tcpflags_action - - ;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
|
||||
$tcpflags_action - - ;;+ -p tcp --syn --sport 0
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -29,19 +29,6 @@
|
||||
##########################################################################################
|
||||
DEFAULTS DROP
|
||||
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
if ( my $check = check_state( 'UNTRACKED' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
#
|
||||
# All logic for this action is supplied by the 'state' option in actions.std
|
||||
#
|
||||
|
||||
@@ -28,25 +28,12 @@
|
||||
|
||||
DEFAULTS -
|
||||
|
||||
?begin perl;
|
||||
|
||||
use strict;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my $action = 'ACCEPT';
|
||||
|
||||
my ( $audit ) = get_action_params( 1 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
|
||||
$action = "A_ACCEPT";
|
||||
}
|
||||
|
||||
perl_action_helper( "Invalid($action)", '' );
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
Invalid(A_ACCEPT)
|
||||
?else
|
||||
?error The first parameter to allowInvalid must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
Invalid(ACCEPT)
|
||||
?endif
|
||||
|
||||
@@ -28,25 +28,14 @@
|
||||
|
||||
DEFAULTS -
|
||||
|
||||
?begin perl;
|
||||
DEFAULTS -
|
||||
|
||||
use strict;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my $action = 'DROP';
|
||||
|
||||
my ( $audit ) = get_action_params( 1 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
|
||||
$action = "A_DROP";
|
||||
}
|
||||
|
||||
perl_action_helper( "Invalid($action)", '' );
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
Invalid(A_DROP)
|
||||
?else
|
||||
?error The first parameter to dropInvalid must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
Invalid(DROP)
|
||||
?endif
|
||||
|
||||
@@ -8,21 +8,18 @@
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
# A_ACCEPT # Audits then accepts a connection request
|
||||
# A_DROP # Audits then drops a connection request
|
||||
# A_REJECT # Audits then drops a connection request
|
||||
# allowBcast # Silently Allow Broadcast/multicast
|
||||
# dropBcast # Silently Drop Broadcast/multicast
|
||||
# dropNotSyn # Silently Drop Non-syn TCP packets
|
||||
# rejNotSyn # Silently Reject Non-syn TCP packets
|
||||
# allowoutUPnP # Allow traffic from local command 'upnpd' (does not
|
||||
# # work with kernel 2.6.14 and later).
|
||||
# allowinUPnP # Allow UPnP inbound (to firewall) traffic
|
||||
# forwardUPnP # Allow traffic that upnpd has redirected from
|
||||
# # 'upnp' interfaces.
|
||||
# Limit # Limit the rate of connections from each individual
|
||||
# # IP address
|
||||
#
|
||||
?if 0
|
||||
A_ACCEPT # Audits then accepts a connection request
|
||||
A_DROP # Audits then drops a connection request
|
||||
A_REJECT # Audits then drops a connection request
|
||||
allowBcast # Silently Allow Broadcast/multicast
|
||||
dropBcast # Silently Drop Broadcast/multicast
|
||||
dropNotSyn # Silently Drop Non-syn TCP packets
|
||||
rejNotSyn # Silently Reject Non-syn TCP packets
|
||||
allowinUPnP # Allow UPnP inbound (to firewall) traffic
|
||||
forwardUPnP # Allow traffic that upnpd has redirected from 'upnp' interfaces.
|
||||
Limit # Limit the rate of connections from each individual IP address
|
||||
?endif
|
||||
###############################################################################
|
||||
#ACTION
|
||||
A_Drop # Audited Default Action for DROP policy
|
||||
@@ -30,21 +27,25 @@ A_Reject # Audited Default action for REJECT policy
|
||||
allowInvalid inline # Accepts packets in the INVALID conntrack state
|
||||
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
|
||||
AutoBLL noinline # Helper for AutoBL
|
||||
Broadcast noinline # Handles Broadcast/Multicast/Anycast
|
||||
Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast
|
||||
DNSAmp # Matches one-question recursive DNS queries
|
||||
Drop # Default Action for DROP policy
|
||||
dropInvalid inline # Drops packets in the INVALID conntrack state
|
||||
DropSmurfs noinline # Drop smurf packets
|
||||
Established inline # Handles packets in the ESTABLISHED state
|
||||
Established inline,\ # Handles packets in the ESTABLISHED state
|
||||
state=ESTABLISHED #
|
||||
GlusterFS inline # Handles GlusterFS
|
||||
IfEvent noinline # Perform an action based on an event
|
||||
Invalid inline # Handles packets in the INVALID conntrack state
|
||||
New inline # Handles packets in the NEW conntrack state
|
||||
NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0
|
||||
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
|
||||
state=INVALID #
|
||||
New inline,state=NEW # Handles packets in the NEW conntrack state
|
||||
NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0
|
||||
Reject # Default Action for REJECT policy
|
||||
Related inline # Handles packets in the RELATED conntrack state
|
||||
Related inline,\ # Handles packets in the RELATED conntrack state
|
||||
state=RELATED #
|
||||
ResetEvent inline # Reset an Event
|
||||
RST inline # Handle packets with RST set
|
||||
RST inline,audit # Handle packets with RST set
|
||||
SetEvent inline # Initialize an event
|
||||
TCPFlags # Handle bad flag combinations.
|
||||
Untracked inline # Handles packets in the UNTRACKED conntrack state
|
||||
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
|
||||
state=UNTRACKED #
|
||||
|
||||
@@ -53,7 +53,19 @@
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>builtin</term>
|
||||
<term><option>audit</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. When this option is specified,
|
||||
the action is expected to have at least two parameters; the
|
||||
first is a target and the second is either 'audit' or omitted.
|
||||
If the second is 'audit', then the first must be an auditable
|
||||
target (ACCEPT, DROP or REJECT).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>builtin</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.16. Defines the action as a rule
|
||||
@@ -86,7 +98,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>inline</term>
|
||||
<term><option>inline</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes the action body (defined in
|
||||
@@ -102,10 +114,10 @@
|
||||
way:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>Broadcast</member>
|
||||
|
||||
<member>DropSmurfs</member>
|
||||
|
||||
<member>IfEvent</member>
|
||||
|
||||
<member>Invalid (Prior to Shorewall 4.5.13)</member>
|
||||
|
||||
<member>NotSyn (Prior to Shorewall 4.5.13)</member>
|
||||
@@ -119,7 +131,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>mangle</term>
|
||||
<term><option>mangle</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. Specifies that this action is
|
||||
@@ -131,7 +143,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>noinline</term>
|
||||
<term><option>noinline</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes any later <option>inline</option> option for the
|
||||
@@ -140,7 +152,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>nolog</term>
|
||||
<term><option>nolog</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.11. When this option is
|
||||
@@ -154,7 +166,16 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>terminating</term>
|
||||
<term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
|
||||
in <filename>actions.std</filename>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>terminating</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.4. When used with
|
||||
|
||||
@@ -328,6 +328,18 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
|
||||
with the exception that the mark is assigned to connection to
|
||||
which the packet belongs is marked rather than to the packet
|
||||
itself.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CONTINUE</emphasis></term>
|
||||
|
||||
@@ -546,6 +558,35 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>where <replaceable>mark</replaceable> is a packet mark
|
||||
value.</para>
|
||||
|
||||
<para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
|
||||
table" support in your kernel and iptables.</para>
|
||||
|
||||
<para>Normally will set the mark value of the current packet.
|
||||
If preceded by a vertical bar ("|"), the mark value will be
|
||||
logically ORed with the current mark value to produce a new
|
||||
mark value. If preceded by an ampersand ("&"), will be
|
||||
logically ANDed with the current mark value to produce a new
|
||||
mark value.</para>
|
||||
|
||||
<para>Both "|" and "&" require Extended MARK Target
|
||||
support in your kernel and iptables.</para>
|
||||
|
||||
<para>The mark value may be optionally followed by "/" and a
|
||||
mask value (used to determine those bits of the connection
|
||||
mark to actually be set). When a mask is specified, the result
|
||||
of logically ANDing the mark value with the mask must be the
|
||||
same as the mark value.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
|
||||
|
||||
@@ -31,37 +31,24 @@
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
#
|
||||
###############################################################################
|
||||
#
|
||||
# The following magic provides different defaults for $2 thru $5, when $1 is
|
||||
# 'audit'.
|
||||
#
|
||||
?begin perl;
|
||||
use Shorewall::Config;
|
||||
|
||||
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
||||
|
||||
if ( defined $p1 ) {
|
||||
if ( $p1 eq 'audit' ) {
|
||||
set_action_param( 2, 'A_REJECT') unless supplied $p2;
|
||||
set_action_param( 3, 'A_DROP') unless supplied $p3;
|
||||
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
|
||||
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
|
||||
} else {
|
||||
fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
?if passed($1)
|
||||
?if $1 eq 'audit'
|
||||
DEFAULTS -,A_REJECT,A_DROP,A_ACCEPT,A_DROP
|
||||
?else
|
||||
?error The first parameter to Drop must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
DEFAULTS -,REJECT,DROP,ACCEPT,DROP
|
||||
?endif
|
||||
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
# Reject 'auth'
|
||||
#
|
||||
?if passed($2)
|
||||
Auth($2)
|
||||
?endif
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
|
||||
@@ -27,37 +27,24 @@
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
###############################################################################
|
||||
#
|
||||
# The following magic provides different defaults for $2 thru $5, when $1 is
|
||||
# 'audit'.
|
||||
#
|
||||
?begin perl;
|
||||
use Shorewall::Config;
|
||||
|
||||
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
||||
|
||||
if ( defined $p1 ) {
|
||||
if ( $p1 eq 'audit' ) {
|
||||
set_action_param( 2, 'A_REJECT') unless supplied $p2;
|
||||
set_action_param( 3, 'A_REJECT') unless supplied $p3;
|
||||
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
|
||||
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
|
||||
} else {
|
||||
fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
DEFAULTS -,A_REJECT,A_REJECT,A_ACCEPT,A_DROP
|
||||
?else
|
||||
?error The first parameter to Reject must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
|
||||
?endif
|
||||
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Don't log 'auth' -- REJECT
|
||||
#
|
||||
?if passed($2)
|
||||
Auth($2)
|
||||
?endif
|
||||
#
|
||||
# Drop Multicasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
|
||||
@@ -8,11 +8,12 @@
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
# allowBcasts # Accept multicast and anycast packets
|
||||
# dropBcasts # Silently Drop multicast and anycast packets
|
||||
# dropNotSyn # Silently Drop Non-syn TCP packets
|
||||
# rejNotSyn # Silently Reject Non-syn TCP packets
|
||||
#
|
||||
?if 0
|
||||
allowBcasts # Accept multicast and anycast packets
|
||||
dropBcasts # Silently Drop multicast and anycast packets
|
||||
dropNotSyn # Silently Drop Non-syn TCP packets
|
||||
rejNotSyn # Silently Reject Non-syn TCP packets
|
||||
?endif
|
||||
###############################################################################
|
||||
#ACTION
|
||||
A_Drop # Audited Default Action for DROP policy
|
||||
@@ -26,15 +27,19 @@ Broadcast noinline # Handles Broadcast/Multicast/Anycast
|
||||
Drop # Default Action for DROP policy
|
||||
dropInvalid inline # Drops packets in the INVALID conntrack state
|
||||
DropSmurfs noinline # Handles packets with a broadcast source address
|
||||
Established inline # Handles packets in the ESTABLISHED state
|
||||
Established inline,\ # Handles packets in the ESTABLISHED state
|
||||
state=ESTABLISHED
|
||||
IfEvent noinline # Perform an action based on an event
|
||||
Invalid inline # Handles packets in the INVALID conntrack state
|
||||
New inline # Handles packets in the NEW conntrack state
|
||||
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
|
||||
state=INVALID
|
||||
New inline,state=NEW # Handles packets in the NEW conntrack state
|
||||
NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0
|
||||
Reject # Default Action for REJECT policy
|
||||
Related inline # Handles packets in the RELATED conntrack state
|
||||
Related inline,\ # Handles packets in the RELATED conntrack state
|
||||
state=RELATED
|
||||
ResetEvent inline # Reset an Event
|
||||
RST inline # Handle packets with RST set
|
||||
SetEvent inline # Initialize an event
|
||||
TCPFlags # Handles bad flags combinations
|
||||
Untracked inline # Handles packets in the UNTRACKED conntrack state
|
||||
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
|
||||
state=UNTRACKED
|
||||
|
||||
@@ -53,6 +53,18 @@
|
||||
<para>Added in Shorewall 4.5.10. Available options are:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>audit</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. When this option is specified,
|
||||
the action is expected to have at least two parameters; the
|
||||
first is a target and the second is either 'audit' or omitted.
|
||||
If the second is 'audit', then the first must be an auditable
|
||||
target (ACCEPT, DROP or REJECT).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>builtin</term>
|
||||
|
||||
@@ -87,7 +99,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>inline</term>
|
||||
<term><option>inline</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes the action body (defined in
|
||||
@@ -103,10 +115,10 @@
|
||||
way:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>Broadcast</member>
|
||||
|
||||
<member>DropSmurfs</member>
|
||||
|
||||
<member>IfEvent</member>
|
||||
|
||||
<member>Invalid (Prior to Shorewall 4.5.13)</member>
|
||||
|
||||
<member>NotSyn (Prior to Shorewall 4.5.13)</member>
|
||||
@@ -120,7 +132,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>mangle</term>
|
||||
<term><option>mangle</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. Specifies that this action is
|
||||
@@ -132,7 +144,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>noinline</term>
|
||||
<term><option>noinline</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes any later <option>inline</option> option for the
|
||||
@@ -141,7 +153,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>nolog</term>
|
||||
<term><option>nolog</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.11. When this option is
|
||||
@@ -155,7 +167,16 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>terminating</term>
|
||||
<term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
|
||||
in <filename>actions.std</filename>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>terminating</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.4. When used with
|
||||
|
||||
@@ -303,6 +303,18 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
|
||||
with the exception that the mark is assigned to connection to
|
||||
which the packet belongs is marked rather than to the packet
|
||||
itself.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CONTINUE</emphasis></term>
|
||||
|
||||
@@ -523,6 +535,35 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>where <replaceable>mark</replaceable> is a packet mark
|
||||
value.</para>
|
||||
|
||||
<para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
|
||||
table" support in your kernel and iptables.</para>
|
||||
|
||||
<para>Normally will set the mark value of the current packet.
|
||||
If preceded by a vertical bar ("|"), the mark value will be
|
||||
logically ORed with the current mark value to produce a new
|
||||
mark value. If preceded by an ampersand ("&"), will be
|
||||
logically ANDed with the current mark value to produce a new
|
||||
mark value.</para>
|
||||
|
||||
<para>Both "|" and "&" require Extended MARK Target
|
||||
support in your kernel and iptables.</para>
|
||||
|
||||
<para>The mark value may be optionally followed by "/" and a
|
||||
mask value (used to determine those bits of the connection
|
||||
mark to actually be set). When a mask is specified, the result
|
||||
of logically ANDing the mark value with the mask must be the
|
||||
same as the mark value.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
|
||||
|
||||
@@ -175,20 +175,23 @@
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/init</filename> - commands that you
|
||||
wish to execute at the beginning of a <quote>shorewall start</quote>
|
||||
or <quote>shorewall restart</quote>.</para>
|
||||
wish to execute at the beginning of a <quote>shorewall
|
||||
start</quote>, "shorewall reload" or <quote>shorewall
|
||||
restart</quote>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/start</filename> - commands that you
|
||||
wish to execute near the completion of a <quote>shorewall
|
||||
start</quote> or <quote>shorewall restart</quote></para>
|
||||
start</quote>, "shorewall reload" or <quote>shorewall
|
||||
restart</quote></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/started</filename> - commands that
|
||||
you wish to execute after the completion of a <quote>shorewall
|
||||
start</quote> or <quote>shorewall restart</quote></para>
|
||||
start</quote>, "shorewall reload" or <quote>shorewall
|
||||
restart</quote></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -1779,6 +1782,10 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
<para><ulink url="Macros.html">Macro</ulink> files</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="Actions.html">Action</ulink> files</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
|
||||
@@ -1985,6 +1992,33 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
@disposition are used to generated the --log-prefix in logging rules. When
|
||||
either is empty, the historical value is used to generate the
|
||||
--log-prefix.</para>
|
||||
|
||||
<para>Within an action body, if a parameter is omitted in a DEFAULTS
|
||||
statement, then the value of the corresponding action and Shorewall
|
||||
variables is '-', while if the parameter is specified as '-' in the
|
||||
parameter list, the value of the action/Shorewall variable is '', if it is
|
||||
expanded before the DEFAULTS statement.</para>
|
||||
|
||||
<para>Additionally, when an expression is evaluated, the value 0 evaluates
|
||||
as false, so '?IF @n' and '?IF $n' fail if the nth parameter is passed
|
||||
with value zero. To make testing of the presense of parameters more
|
||||
efficient and uniform, an new function has been added in Shorewall 5.0.7
|
||||
for use in ?IF and ?ELSEIF:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>?IF [!] passed(<variable>)</member>
|
||||
</simplelist>
|
||||
|
||||
<para>where <variable> is an action or Shorewall variable.</para>
|
||||
|
||||
<para>'passed(@n)' and 'passed($n)' evaluate to true if the nth parameter
|
||||
is not empty and its contents are other than '-'. If '!' is present, the
|
||||
result is inverted.</para>
|
||||
|
||||
<para>In this simple form, the expression is evaluated by the compiler
|
||||
without having to invoke the (expensive) Perl exec() function. The
|
||||
'passed' function may also be used in more complex expressions, but exec()
|
||||
will be invoked to evaluate those expressions.</para>
|
||||
</section>
|
||||
|
||||
<section id="Conditional">
|
||||
@@ -2175,7 +2209,7 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
<programlisting>?ERROR <replaceable>message</replaceable></programlisting>
|
||||
|
||||
<para>Variables in the message are evaluated and the result appears in a
|
||||
standard Shorewall ERROR: message. </para>
|
||||
standard Shorewall ERROR: message.</para>
|
||||
|
||||
<para>Example from the 5.0.7 action.GlusterFS:</para>
|
||||
|
||||
@@ -2543,6 +2577,44 @@ Shorewall has detected the following iptables/netfilter capabilities:
|
||||
"!tcp").</para>
|
||||
</section>
|
||||
|
||||
<section id="Ranges">
|
||||
<title>Port Ranges</title>
|
||||
|
||||
<para>If you need to specify a range of ports, the proper syntax is
|
||||
<low port number>:<high port number>. For example, if you want
|
||||
to forward the range of tcp ports 4000 through 4100 to local host
|
||||
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting>
|
||||
|
||||
<para>If you omit the low port number, a value of zero is assumed; if you
|
||||
omit the high port number, a value of 65535 is assumed.</para>
|
||||
|
||||
<para>Also, unless otherwise documented, a port range can be preceded by
|
||||
'!' to specify "All ports except those in this range" (e.g.,
|
||||
"!4000:4100").</para>
|
||||
</section>
|
||||
|
||||
<section id="Portlists">
|
||||
<title>Port Lists</title>
|
||||
|
||||
<para>In most cases where a port or port range may appear, a
|
||||
comma-separated list of ports or port ranges may also be entered.
|
||||
Shorewall requires the Netfilter <emphasis
|
||||
role="bold">multiport</emphasis> match capability if ports lists are used
|
||||
(see the output of "<emphasis role="bold">shorewall show
|
||||
capabilities</emphasis>").</para>
|
||||
|
||||
<para>Also, unless otherwise documented, a port list can be preceded by
|
||||
'!' to specify "All ports except these" (e.g., "!80,443").</para>
|
||||
|
||||
<para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
|
||||
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
|
||||
(5) file may specify no more than 15 ports; port ranges appearing in a
|
||||
list count as two ports each.</para>
|
||||
</section>
|
||||
|
||||
<section id="ICMP">
|
||||
<title>ICMP and ICMP6 Types and Codes</title>
|
||||
|
||||
@@ -2619,44 +2691,6 @@ redirect => 137</programlisting>
|
||||
Shorewall 4.4.19.</para>
|
||||
</section>
|
||||
|
||||
<section id="Ranges">
|
||||
<title>Port Ranges</title>
|
||||
|
||||
<para>If you need to specify a range of ports, the proper syntax is
|
||||
<low port number>:<high port number>. For example, if you want
|
||||
to forward the range of tcp ports 4000 through 4100 to local host
|
||||
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting>
|
||||
|
||||
<para>If you omit the low port number, a value of zero is assumed; if you
|
||||
omit the high port number, a value of 65535 is assumed.</para>
|
||||
|
||||
<para>Also, unless otherwise documented, a port range can be preceded by
|
||||
'!' to specify "All ports except those in this range" (e.g.,
|
||||
"!4000:4100").</para>
|
||||
</section>
|
||||
|
||||
<section id="Portlists">
|
||||
<title>Port Lists</title>
|
||||
|
||||
<para>In most cases where a port or port range may appear, a
|
||||
comma-separated list of ports or port ranges may also be entered.
|
||||
Shorewall requires the Netfilter <emphasis
|
||||
role="bold">multiport</emphasis> match capability if ports lists are used
|
||||
(see the output of "<emphasis role="bold">shorewall show
|
||||
capabilities</emphasis>").</para>
|
||||
|
||||
<para>Also, unless otherwise documented, a port list can be preceded by
|
||||
'!' to specify "All ports except these" (e.g., "!80,443").</para>
|
||||
|
||||
<para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
|
||||
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
|
||||
(5) file may specify no more than 15 ports; port ranges appearing in a
|
||||
list count as two ports each.</para>
|
||||
</section>
|
||||
|
||||
<section id="MAC">
|
||||
<title>Using MAC Addresses</title>
|
||||
|
||||
@@ -2709,9 +2743,7 @@ DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100<
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
|
||||
|
||||
<simplelist>
|
||||
<member>LOGRATE=10/minute</member>
|
||||
|
||||
<member>LOGBURST=5</member>
|
||||
<member>LOGLIMIT=10/minute:5</member>
|
||||
</simplelist>
|
||||
|
||||
<para>For each logging rule, the first time the rule is reached, the
|
||||
@@ -2723,11 +2755,6 @@ DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100<
|
||||
30 seconds, the burst will be fully recharged; back where we
|
||||
started.</para>
|
||||
|
||||
<note>
|
||||
<para>The LOGRATE and LOGBURST options are deprecated in favor of
|
||||
LOGLIMIT.</para>
|
||||
</note>
|
||||
|
||||
<para>Shorewall also supports per-IP rate limiting.</para>
|
||||
|
||||
<para>Another example from <ulink
|
||||
@@ -2761,8 +2788,7 @@ DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100<
|
||||
<firstterm>Condition Match Support</firstterm> and you must be running
|
||||
Shorewall 4.4.24 or later. See the output of <command>shorewall show
|
||||
capabilities</command> and <command>shorewall version</command> to
|
||||
determine if you can use this feature. As of this writing, Condition Match
|
||||
Support requires that you install xtables-addons.</para>
|
||||
determine if you can use this feature.</para>
|
||||
|
||||
<para>The SWITCH column contains the name of a
|
||||
<firstterm>switch.</firstterm> Each switch is initially in the <emphasis
|
||||
@@ -2926,8 +2952,8 @@ Comcast 2 0x20000 main <emphasis role="bold">COM_IF</emphasis>
|
||||
<para>If <emphasis role="bold">detect</emphasis> is specified in the
|
||||
ADDRESS column of an entry in <ulink
|
||||
url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) then the
|
||||
firewall still start if the optional interface in the INTERFACE column
|
||||
does not have an IP address.</para>
|
||||
firewall still startS if the optional interface in the INTERFACE
|
||||
column does not have an IP address.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@@ -2945,7 +2971,8 @@ Comcast 2 0x20000 main <emphasis role="bold">COM_IF</emphasis>
|
||||
|
||||
<para>Shorewall allows you to have configuration directories other than
|
||||
<filename class="directory">/etc/shorewall</filename>. The shorewall
|
||||
check, start and restart commands allow you to specify an alternate
|
||||
<command>check</command>, <command>start</command> and
|
||||
<command>restart</command> commands allow you to specify an alternate
|
||||
configuration directory and Shorewall will use the files in the alternate
|
||||
directory rather than the corresponding files in /etc/shorewall. The
|
||||
alternate directory need not contain a complete configuration; those files
|
||||
|
||||
@@ -854,22 +854,16 @@ DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
|
||||
with:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><external IP></emphasis></programlisting>If
|
||||
you have a dynamic IP then you must ensure that your external
|
||||
interface is up before starting Shorewall and you must take steps
|
||||
as follows (assume that your external interface is <filename
|
||||
class="devicefile">eth0</filename>):<orderedlist>
|
||||
<listitem>
|
||||
<para>Include the following in /etc/shorewall/params:</para>
|
||||
interface is up before starting Shorewall and you must code the
|
||||
rule as follows (assume that your external interface is <filename
|
||||
class="devicefile">eth0</filename>):</para>
|
||||
|
||||
<para><command>ETH0_IP=$(find_interface_address
|
||||
eth0)</command></para>
|
||||
</listitem>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT loc dmz:10.10.11.2 tcp 80 - &eth0</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>Make your <literal>loc->dmz</literal> rule:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</programlisting></para>
|
||||
</listitem>
|
||||
</orderedlist></para>
|
||||
<para>'&eth0' expands to the IP address of eth0 (see <ulink
|
||||
url="configuration_file_basics.htm#AddressVariables">this
|
||||
article</ulink>).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
Reference in New Issue
Block a user