forked from extern/shorewall_code
Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
a8dc76638f | ||
|
|
9e0c97009c | ||
|
|
66b2e28e52 | ||
|
|
aca72cb4e6 |
@@ -922,10 +922,23 @@ show_events() {
|
||||
}
|
||||
|
||||
show_actions() {
|
||||
echo "A_ACCEPT # Audit and accept the connection"
|
||||
echo "A_DROP # Audit and drop the connection"
|
||||
echo "A_REJECT # Audit and reject the connection "
|
||||
echo "allowBcast # Silently Allow Broadcast/multicast"
|
||||
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
|
||||
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
|
||||
echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
|
||||
echo "dropBcast # Silently Drop Broadcast/multicast"
|
||||
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
|
||||
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
|
||||
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
|
||||
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
|
||||
|
||||
if [ -f ${g_confdir}/actions ]; then
|
||||
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
|
||||
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
|
||||
else
|
||||
grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
|
||||
grep -Ev '^\#|^$' ${g_sharedir}/actions.std
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
@@ -59,21 +59,21 @@ our $acctable;
|
||||
#
|
||||
|
||||
use constant {
|
||||
LEGACY_SECTION => 0,
|
||||
PREROUTING_SECTION => 1,
|
||||
INPUT_SECTION => 2,
|
||||
OUTPUT_SECTION => 3,
|
||||
FORWARD_SECTION => 4,
|
||||
POSTROUTING_SECTION => 5
|
||||
LEGACY => 0,
|
||||
PREROUTING => 1,
|
||||
INPUT => 2,
|
||||
OUTPUT => 3,
|
||||
FORWARD => 4,
|
||||
POSTROUTING => 5
|
||||
};
|
||||
#
|
||||
# Map names to values
|
||||
#
|
||||
our %asections = ( PREROUTING => PREROUTING_SECTION,
|
||||
INPUT => INPUT_SECTION,
|
||||
FORWARD => FORWARD_SECTION,
|
||||
OUTPUT => OUTPUT_SECTION,
|
||||
POSTROUTING => POSTROUTING_SECTION
|
||||
our %asections = ( PREROUTING => PREROUTING,
|
||||
INPUT => INPUT,
|
||||
FORWARD => FORWARD,
|
||||
OUTPUT => OUTPUT,
|
||||
POSTROUTING => POSTROUTING
|
||||
);
|
||||
|
||||
#
|
||||
@@ -157,7 +157,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
|
||||
|
||||
$jumpchainref = 0;
|
||||
|
||||
$asection = LEGACY_SECTION if $asection < 0;
|
||||
$asection = LEGACY if $asection < 0;
|
||||
|
||||
our $disposition = '';
|
||||
|
||||
|
||||
@@ -138,17 +138,6 @@ our %EXPORT_TAGS = (
|
||||
ALL_COMMANDS
|
||||
NOT_RESTORE
|
||||
|
||||
PREROUTING
|
||||
INPUT
|
||||
FORWARD
|
||||
OUTPUT
|
||||
POSTROUTING
|
||||
ALLCHAINS
|
||||
STICKY
|
||||
STICKO
|
||||
REALPREROUTING
|
||||
ACTIONCHAIN
|
||||
|
||||
unreachable_warning
|
||||
state_match
|
||||
state_imatch
|
||||
@@ -199,7 +188,6 @@ our %EXPORT_TAGS = (
|
||||
ensure_raw_chain
|
||||
ensure_rawpost_chain
|
||||
new_standard_chain
|
||||
new_action_chain
|
||||
new_builtin_chain
|
||||
new_nat_chain
|
||||
optimize_chain
|
||||
@@ -337,10 +325,6 @@ our $VERSION = 'MODULEVERSION';
|
||||
# complete => The last rule in the chain is a -g or a simple -j to a terminating target
|
||||
# Suppresses adding additional rules to the chain end of the chain
|
||||
# sections => { <section> = 1, ... } - Records sections that have been completed.
|
||||
# chainnumber => Numeric enumeration of the builtin chains (mangle table only).
|
||||
# allowedchains
|
||||
# => Mangle action chains only -- specifies the set of builtin chains where
|
||||
# this action may be used.
|
||||
# } ,
|
||||
# <chain2> => ...
|
||||
# }
|
||||
@@ -472,22 +456,6 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i an
|
||||
ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed
|
||||
DESTIFACE_DISALLOW => 32, # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message
|
||||
};
|
||||
#
|
||||
# Mangle Table allowed chains enumeration
|
||||
#
|
||||
use constant {
|
||||
PREROUTING => 1, #Actually tcpre
|
||||
INPUT => 2, #Actually tcin
|
||||
FORWARD => 4, #Actually tcfor
|
||||
OUTPUT => 8, #Actually tcout
|
||||
POSTROUTING => 16, #Actually tcpost
|
||||
ALLCHAINS => 31,
|
||||
STICKY => 32,
|
||||
STICKO => 64,
|
||||
REALPREROUTING => 128,
|
||||
ACTIONCHAIN => 256,
|
||||
};
|
||||
|
||||
#
|
||||
# Possible IPSET options
|
||||
#
|
||||
@@ -647,7 +615,7 @@ our %ipset_exists;
|
||||
# => CMD_MODE if the rule contains a shell command or if it
|
||||
# part of a loop or conditional block. If it is a
|
||||
# shell command, the text of the command is in
|
||||
# the cmd member
|
||||
# the cmd
|
||||
# cmd => Shell command, if mode == CMD_MODE and cmdlevel == 0
|
||||
# cmdlevel => nesting level within loops and conditional blocks.
|
||||
# determines indentation
|
||||
@@ -936,7 +904,7 @@ sub set_rule_option( $$$ ) {
|
||||
#
|
||||
# Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
|
||||
# The first will have a modifier like '! --syn' while the second will not. We want to retain
|
||||
# the first one.
|
||||
# the first while
|
||||
if ( $option eq 'p' ) {
|
||||
my ( $proto ) = split( ' ', $ruleref->{p} );
|
||||
return if $proto eq $value;
|
||||
@@ -2357,7 +2325,6 @@ sub new_chain($$)
|
||||
filtered => 0,
|
||||
optflags => 0,
|
||||
origin => shortlineinfo( '' ),
|
||||
restriction => NO_RESTRICT,
|
||||
};
|
||||
|
||||
trace( $chainref, 'N', undef, '' ) if $debug;
|
||||
@@ -2771,13 +2738,6 @@ sub new_standard_chain($) {
|
||||
$chainref;
|
||||
}
|
||||
|
||||
sub new_action_chain($$) {
|
||||
my $chainref = &new_chain( @_ );
|
||||
$chainref->{referenced} = 1;
|
||||
$chainref->{allowedchains} = ALLCHAINS | REALPREROUTING | ACTIONCHAIN;
|
||||
$chainref;
|
||||
}
|
||||
|
||||
sub new_nat_chain($) {
|
||||
my $chainref = new_chain 'nat' ,$_[0];
|
||||
$chainref->{referenced} = 1;
|
||||
@@ -2908,42 +2868,40 @@ sub initialize_chain_table($) {
|
||||
%targets = ('ACCEPT' => STANDARD,
|
||||
'ACCEPT+' => STANDARD + NONAT,
|
||||
'ACCEPT!' => STANDARD,
|
||||
'ADD' => STANDARD + SET,
|
||||
'AUDIT' => STANDARD + AUDIT + OPTIONS,
|
||||
'A_ACCEPT' => STANDARD + AUDIT,
|
||||
'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
|
||||
'A_ACCEPT!' => STANDARD + AUDIT,
|
||||
'NONAT' => STANDARD + NONAT + NATONLY,
|
||||
'AUDIT' => STANDARD + AUDIT + OPTIONS,
|
||||
'DROP' => STANDARD,
|
||||
'DROP!' => STANDARD,
|
||||
'A_DROP' => STANDARD + AUDIT,
|
||||
'A_DROP!' => STANDARD + AUDIT,
|
||||
'REJECT' => STANDARD + OPTIONS,
|
||||
'REJECT!' => STANDARD + OPTIONS,
|
||||
'A_REJECT' => STANDARD + AUDIT,
|
||||
'A_REJECT!' => STANDARD + AUDIT,
|
||||
'NONAT' => STANDARD + NONAT + NATONLY,
|
||||
'CONNMARK' => STANDARD + OPTIONS,
|
||||
'DNAT' => NATRULE + OPTIONS,
|
||||
'DNAT-' => NATRULE + NATONLY,
|
||||
'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
|
||||
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
|
||||
'LOG' => STANDARD + LOGRULE + OPTIONS,
|
||||
'CONTINUE' => STANDARD,
|
||||
'CONTINUE!' => STANDARD,
|
||||
'COUNT' => STANDARD,
|
||||
'DEL' => STANDARD + SET,
|
||||
'DNAT' => NATRULE + OPTIONS,
|
||||
'DNAT-' => NATRULE + NATONLY,
|
||||
'DROP' => STANDARD,
|
||||
'DROP!' => STANDARD,
|
||||
'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
|
||||
'INLINE' => INLINERULE,
|
||||
'IPTABLES' => IPTABLES,
|
||||
'LOG' => STANDARD + LOGRULE + OPTIONS,
|
||||
'MARK' => STANDARD + OPTIONS,
|
||||
'QUEUE' => STANDARD + OPTIONS,
|
||||
'QUEUE!' => STANDARD,
|
||||
'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
|
||||
'NFQUEUE' => STANDARD + NFQ + OPTIONS,
|
||||
'NFQUEUE!' => STANDARD + NFQ,
|
||||
'QUEUE' => STANDARD + OPTIONS,
|
||||
'QUEUE!' => STANDARD,
|
||||
'REJECT' => STANDARD + OPTIONS,
|
||||
'REJECT!' => STANDARD + OPTIONS,
|
||||
'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
|
||||
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
|
||||
'TARPIT' => STANDARD + TARPIT + OPTIONS,
|
||||
'ULOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
|
||||
'ADD' => STANDARD + SET,
|
||||
'DEL' => STANDARD + SET,
|
||||
'WHITELIST' => STANDARD,
|
||||
'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
|
||||
'INLINE' => INLINERULE,
|
||||
'IPTABLES' => IPTABLES,
|
||||
'TARPIT' => STANDARD + TARPIT + OPTIONS,
|
||||
);
|
||||
|
||||
for my $chain ( qw(OUTPUT PREROUTING) ) {
|
||||
@@ -3043,12 +3001,6 @@ sub initialize_chain_table($) {
|
||||
$chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
|
||||
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||
}
|
||||
|
||||
$mangle_table->{PREROUTING}{chainnumber} = PREROUTING;
|
||||
$mangle_table->{INPUT}{chainnumber} = INPUT;
|
||||
$mangle_table->{OUTPUT}{chainnumber} = OUTPUT;
|
||||
$mangle_table->{FORWARD}{chainnumber} = FORWARD;
|
||||
$mangle_table->{POSTROUTING}{chainnumber} = POSTROUTING;
|
||||
}
|
||||
|
||||
if ( my $docker = $config{DOCKER} ) {
|
||||
@@ -4517,7 +4469,7 @@ sub clearrule() {
|
||||
sub state_match( $ ) {
|
||||
my $state = shift;
|
||||
|
||||
if ( $state eq 'ALL' || $state eq '-' ) {
|
||||
if ( $state eq 'ALL' ) {
|
||||
''
|
||||
} else {
|
||||
have_capability( 'CONNTRACK_MATCH' ) ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
|
||||
@@ -7539,7 +7491,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
|
||||
log_irule_limit( $loglevel ,
|
||||
$echainref ,
|
||||
$chain ,
|
||||
$actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
[] ,
|
||||
$logtag ,
|
||||
'add' ,
|
||||
@@ -7586,7 +7538,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
||||
|
||||
my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) =
|
||||
( '', '', '', '', '', '', '', '', '', '' );
|
||||
my $chain = $actparams{chain} || $chainref->{name};
|
||||
my $chain = $actparms{chain} || $chainref->{name};
|
||||
my $table = $chainref->{table};
|
||||
my ( $jump, $mac, $targetref, $basictarget );
|
||||
our @ends = ();
|
||||
@@ -7748,7 +7700,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
||||
# No logging or user-specified logging -- add the target rule with matches to the rule chain
|
||||
#
|
||||
if ( $targetref ) {
|
||||
add_expanded_jump( $chainref, $targetref , 0, $prerule . $matches );
|
||||
add_expanded_jump( $chainref, $targetref , 0, $matches );
|
||||
} else {
|
||||
add_rule( $chainref, $prerule . $matches . $jump , 1 );
|
||||
}
|
||||
@@ -7760,22 +7712,22 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
||||
$loglevel ,
|
||||
$chainref ,
|
||||
$chain,
|
||||
$actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
'' ,
|
||||
$logtag ,
|
||||
'add' ,
|
||||
$prerule . $matches
|
||||
$matches
|
||||
);
|
||||
} elsif ( $logname || $basictarget eq 'RETURN' ) {
|
||||
log_rule_limit(
|
||||
$loglevel ,
|
||||
$chainref ,
|
||||
$logname || $chain,
|
||||
$actparams{disposition} || $disposition,
|
||||
$actparms{disposition} || $disposition,
|
||||
'',
|
||||
$logtag,
|
||||
'add',
|
||||
$prerule . $matches );
|
||||
$matches );
|
||||
|
||||
if ( $targetref ) {
|
||||
add_expanded_jump( $chainref, $targetref, 0, $matches );
|
||||
@@ -7792,10 +7744,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
||||
$loglevel,
|
||||
$logtag,
|
||||
$exceptionrule,
|
||||
$actparams{disposition} || $disposition,
|
||||
$actparms{disposition} || $disposition,
|
||||
$target ),
|
||||
$terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
|
||||
$prerule . $matches );
|
||||
$matches );
|
||||
}
|
||||
|
||||
conditional_rule_end( $chainref ) if $cond3;
|
||||
@@ -8623,20 +8575,18 @@ sub preview_netfilter_load() {
|
||||
assert( $chainref->{cmdlevel} == 0 , $name );
|
||||
if ( $name =~ /^DOCKER/ ) {
|
||||
if ( $name eq 'DOCKER' ) {
|
||||
enter_cmd_mode1;
|
||||
enter_cmd_mode;
|
||||
print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
|
||||
print "\n";
|
||||
enter_cat_mode;
|
||||
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
||||
enter_cmd_mode1 unless $mode = CMD_MODE;
|
||||
enter_cmd_mode;
|
||||
print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
||||
print "\n";
|
||||
enter_cat_mode1;
|
||||
enter_cat_mode;
|
||||
} else {
|
||||
enter_cmd_mode1 unless $mode = CMD_MODE;
|
||||
print( ":$name - [0:0]\n" );
|
||||
print( ":$name - [0:0]" );
|
||||
}
|
||||
} else {
|
||||
print( ":$name - [0:0]\n" );
|
||||
print( ":$name - [0:0]" );
|
||||
}
|
||||
|
||||
push @chains, $chainref;
|
||||
|
||||
@@ -95,7 +95,7 @@ sub generate_script_1( $ ) {
|
||||
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
|
||||
|
||||
copy $globals{SHAREDIRPL} . '/lib.core', 0;
|
||||
copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
|
||||
copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -139,7 +139,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
push_action_params
|
||||
pop_action_params
|
||||
default_action_params
|
||||
setup_audit_action
|
||||
read_a_line
|
||||
which
|
||||
qt
|
||||
@@ -186,7 +185,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
%helpers_enabled
|
||||
%helpers_aliases
|
||||
|
||||
%actparams
|
||||
%actparms
|
||||
|
||||
PARMSMODIFIED
|
||||
USEDCALLER
|
||||
@@ -553,7 +552,7 @@ our %compiler_params;
|
||||
#
|
||||
# Action parameters
|
||||
#
|
||||
our %actparams;
|
||||
our %actparms;
|
||||
our $parmsmodified;
|
||||
our $usedcaller;
|
||||
our $inline_matches;
|
||||
@@ -671,13 +670,6 @@ our %variables; # Symbol table for expanding shell variables
|
||||
|
||||
our $section_function; #Function Reference for handling ?section
|
||||
|
||||
our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl().
|
||||
|
||||
#
|
||||
# Files located via find_file()
|
||||
#
|
||||
our %filecache;
|
||||
|
||||
sub process_shorewallrc($$);
|
||||
sub add_variables( \% );
|
||||
#
|
||||
@@ -1069,7 +1061,7 @@ sub initialize( $;$$) {
|
||||
|
||||
%compiler_params = ();
|
||||
|
||||
%actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '' );
|
||||
%actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '' );
|
||||
$parmsmodified = 0;
|
||||
$usedcaller = 0;
|
||||
|
||||
@@ -1477,9 +1469,9 @@ sub hex_value( $ ) {
|
||||
# Strip off superfluous leading zeros from a hex number
|
||||
#
|
||||
sub normalize_hex( $ ) {
|
||||
my $val = lc $_[0];
|
||||
my $val = lc shift;
|
||||
|
||||
$val =~ s/^0+/0/;
|
||||
$val =~ s/^0// while $val =~ /^0/ && length $val > 1;
|
||||
$val;
|
||||
}
|
||||
|
||||
@@ -1908,10 +1900,6 @@ sub find_file($)
|
||||
|
||||
return $filename if $filename =~ '/';
|
||||
|
||||
my $file = $filecache{$filename};
|
||||
|
||||
return $file if $file;
|
||||
|
||||
for my $directory ( @config_path ) {
|
||||
my $file = "$directory$filename";
|
||||
return $file if -f $file;
|
||||
@@ -2162,12 +2150,6 @@ sub supplied( $ ) {
|
||||
defined $val && $val ne '';
|
||||
}
|
||||
|
||||
sub passed( $ ) {
|
||||
my $val = shift;
|
||||
|
||||
defined $val && $val ne '' && $val ne '-';
|
||||
}
|
||||
|
||||
#
|
||||
# Pre-process a line from a configuration file.
|
||||
|
||||
@@ -2524,49 +2506,20 @@ sub join_parts( $$$ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Declare passed() in Shorewall::User
|
||||
# Evaluate an expression in an ?IF, ?ELSIF or ?SET directive
|
||||
#
|
||||
sub declare_passed() {
|
||||
my $result = ( eval q(package Shorewall::User;
|
||||
use strict;
|
||||
sub passed( $ ) {
|
||||
my $val = shift;
|
||||
defined $val && $val ne '' && $val ne '-';
|
||||
}
|
||||
|
||||
1;) );
|
||||
assert( $result, $@ );
|
||||
}
|
||||
|
||||
#
|
||||
# Evaluate an expression in an ?IF, ?ELSIF, ?SET or ?ERROR directive
|
||||
#
|
||||
sub evaluate_expression( $$$$ ) {
|
||||
my ( $expression , $filename , $linenumber, $just_expand ) = @_;
|
||||
sub evaluate_expression( $$$ ) {
|
||||
my ( $expression , $filename , $linenumber ) = @_;
|
||||
my $val;
|
||||
my $count = 0;
|
||||
my $chain = $actparams{chain};
|
||||
|
||||
# $1 $2
|
||||
if ( $expression =~ /^(!)?\s*passed\([\$@](\d+)\)$/ ) {
|
||||
my $val = passed($actparams{$2});
|
||||
|
||||
return $1 ? ! $val : $val unless $debug;
|
||||
|
||||
$val = $1 ? ! $val : $val;
|
||||
|
||||
print "EXPR=> '$val'\n" if $debug;
|
||||
|
||||
return $val;
|
||||
}
|
||||
|
||||
my $chain = $actparms{chain};
|
||||
# $1 $2 $3 - $4
|
||||
while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
|
||||
my ( $first, $var, $rest ) = ( $1, $3, $4);
|
||||
|
||||
if ( $var =~ /^\d+$/ ) {
|
||||
fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain;
|
||||
$val = $var ? $actparams{$var} : $actparams{0}->{name};
|
||||
$val = $var ? $actparms{$var} : $actparms{0}->{name};
|
||||
} else {
|
||||
$val = ( exists $variables{$var} ? $variables{$var} :
|
||||
exists $capdesc{$var} ? have_capability( $var ) : '' );
|
||||
@@ -2581,7 +2534,7 @@ sub evaluate_expression( $$$$ ) {
|
||||
while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
|
||||
my ( $first, $var, $rest ) = ( $1, $3, $4);
|
||||
$var = numeric_value( $var ) if $var =~ /^\d/;
|
||||
$val = $var ? $actparams{$var} : $chain;
|
||||
$val = $var ? $actparms{$var} : $chain;
|
||||
$usedcaller = USEDCALLER if $var eq 'caller';
|
||||
$expression = join_parts( $first, $val, $rest );
|
||||
directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
|
||||
@@ -2612,19 +2565,13 @@ sub evaluate_expression( $$$$ ) {
|
||||
|
||||
print "EXPR=> $expression\n" if $debug;
|
||||
|
||||
if ( $just_expand || $expression =~ /^\d+$/ ) {
|
||||
if ( $expression =~ /^\d+$/ ) {
|
||||
$val = $expression
|
||||
} else {
|
||||
#
|
||||
# Not a simple one-term expression -- compile it
|
||||
#
|
||||
|
||||
declare_passed unless $evals++;
|
||||
|
||||
$val = eval qq(package Shorewall::User;
|
||||
use strict;
|
||||
# line $linenumber "$filename"
|
||||
$expression);
|
||||
$val = eval qq(package Shorewall::User;\nuse strict;\n# line $linenumber "$filename"\n$expression);
|
||||
|
||||
unless ( $val ) {
|
||||
directive_error( "Couldn't parse expression ($expression): $@" , $filename, $linenumber ) if $@;
|
||||
@@ -2655,7 +2602,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
|
||||
print "CD===> $line\n" if $debug;
|
||||
|
||||
directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+)(.*)$/i;
|
||||
directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*)(.*)$/i;
|
||||
|
||||
my ($keyword, $expression) = ( uc $1, $2 );
|
||||
|
||||
@@ -2673,7 +2620,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
my %directives =
|
||||
( IF => sub() {
|
||||
directive_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
|
||||
my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber , 0 );
|
||||
my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
|
||||
push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
|
||||
$omitting = $nextomitting;
|
||||
} ,
|
||||
@@ -2685,7 +2632,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
#
|
||||
# We can only change to including if we were previously omitting
|
||||
#
|
||||
$omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber, 0 );
|
||||
$omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber );
|
||||
$included = ! $omitting;
|
||||
} else {
|
||||
#
|
||||
@@ -2721,17 +2668,15 @@ sub process_compiler_directive( $$$$ ) {
|
||||
$var = $2;
|
||||
$var = numeric_value( $var ) if $var =~ /^\d/;
|
||||
$var = $2 || 'chain';
|
||||
directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0};
|
||||
my $val = $actparams{$var} = evaluate_expression ( $expression,
|
||||
directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
|
||||
my $val = $actparms{$var} = evaluate_expression ( $expression,
|
||||
$filename,
|
||||
$linenumber,
|
||||
0 );
|
||||
$linenumber );
|
||||
$parmsmodified = PARMSMODIFIED;
|
||||
} else {
|
||||
$variables{$2} = evaluate_expression( $expression,
|
||||
$filename,
|
||||
$linenumber,
|
||||
0 );
|
||||
$linenumber );
|
||||
}
|
||||
}
|
||||
} ,
|
||||
@@ -2755,12 +2700,12 @@ sub process_compiler_directive( $$$$ ) {
|
||||
if ( ( $1 || '' ) eq '@' ) {
|
||||
$var = numeric_value( $var ) if $var =~ /^\d/;
|
||||
$var = $2 || 'chain';
|
||||
directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
|
||||
if ( exists $actparams{$var} ) {
|
||||
directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0};
|
||||
if ( exists $actparms{$var} ) {
|
||||
if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
|
||||
$actparams{$var} = '';
|
||||
$actparms{$var} = '';
|
||||
} else {
|
||||
delete $actparams{$var}
|
||||
delete $actparms{$var}
|
||||
}
|
||||
} else {
|
||||
directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
|
||||
@@ -2791,16 +2736,8 @@ sub process_compiler_directive( $$$$ ) {
|
||||
directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber );
|
||||
}
|
||||
}
|
||||
} ,
|
||||
|
||||
ERROR => sub() {
|
||||
directive_error( evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ) ,
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
}
|
||||
|
||||
);
|
||||
|
||||
if ( my $function = $directives{$keyword} ) {
|
||||
@@ -2856,11 +2793,6 @@ sub copy( $ ) {
|
||||
print $script $_;
|
||||
print $script "\n";
|
||||
$lastlineblank = 0;
|
||||
|
||||
if ( $debug ) {
|
||||
s/\n/\nGS-----> /g;
|
||||
print "GS-----> $_\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -3188,7 +3120,7 @@ sub embedded_shell( $ ) {
|
||||
sub embedded_perl( $ ) {
|
||||
my $multiline = shift;
|
||||
|
||||
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
|
||||
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
|
||||
|
||||
$directive_callback->( 'PERL', $currentline ) if $directive_callback;
|
||||
|
||||
@@ -3215,8 +3147,6 @@ sub embedded_perl( $ ) {
|
||||
|
||||
$embedded++;
|
||||
|
||||
declare_passed unless $evals++;
|
||||
|
||||
unless (my $return = eval $command ) {
|
||||
#
|
||||
# Perl found the script offensive or the script itself died
|
||||
@@ -3277,32 +3207,32 @@ sub push_action_params( $$$$$$ ) {
|
||||
my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
|
||||
my @parms = ( undef , split_list3( $parms , 'parameter' ) );
|
||||
|
||||
$actparams{modified} = $parmsmodified;
|
||||
$actparams{usedcaller} = $usedcaller;
|
||||
$actparms{modified} = $parmsmodified;
|
||||
$actparms{usedcaller} = $usedcaller;
|
||||
|
||||
my %oldparms = %actparams;
|
||||
my %oldparms = %actparms;
|
||||
|
||||
$parmsmodified = 0;
|
||||
$usedcaller = 0;
|
||||
|
||||
%actparams = ();
|
||||
%actparms = ();
|
||||
|
||||
for ( my $i = 1; $i < @parms; $i++ ) {
|
||||
my $val = $parms[$i];
|
||||
|
||||
$actparams{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
|
||||
$actparms{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
|
||||
}
|
||||
|
||||
$actparams{0} = $chainref;
|
||||
$actparams{action} = $action;
|
||||
$actparams{loglevel} = $loglevel;
|
||||
$actparams{logtag} = $logtag;
|
||||
$actparams{caller} = $caller;
|
||||
$actparams{disposition} = '' if $chainref->{action};
|
||||
$actparms{0} = $chainref;
|
||||
$actparms{action} = $action;
|
||||
$actparms{loglevel} = $loglevel;
|
||||
$actparms{logtag} = $logtag;
|
||||
$actparms{caller} = $caller;
|
||||
$actparms{disposition} = '' if $chainref->{action};
|
||||
#
|
||||
# The Shorewall variable '@chain' has the non-word charaters removed
|
||||
#
|
||||
( $actparams{chain} = $chainref->{name} ) =~ s/[^\w]//g;
|
||||
( $actparms{chain} = $chainref->{name} ) =~ s/[^\w]//g;
|
||||
|
||||
\%oldparms;
|
||||
}
|
||||
@@ -3315,10 +3245,10 @@ sub push_action_params( $$$$$$ ) {
|
||||
#
|
||||
sub pop_action_params( $ ) {
|
||||
my $oldparms = shift;
|
||||
%actparams = %$oldparms;
|
||||
%actparms = %$oldparms;
|
||||
my $return = $parmsmodified | $usedcaller;
|
||||
( $parmsmodified ) = delete $actparams{modified} || 0;
|
||||
( $usedcaller ) = delete $actparams{usedcaller} || 0;
|
||||
( $parmsmodified ) = delete $actparms{modified} || 0;
|
||||
( $usedcaller ) = delete $actparms{usedcaller} || 0;
|
||||
$return;
|
||||
}
|
||||
|
||||
@@ -3328,11 +3258,11 @@ sub default_action_params {
|
||||
|
||||
for ( $i = 1; 1; $i++ ) {
|
||||
last unless defined ( $val = shift );
|
||||
my $curval = $actparams{$i};
|
||||
$actparams{$i} = $val unless supplied( $curval );
|
||||
my $curval = $actparms{$i};
|
||||
$actparms{$i} = $val unless supplied( $curval );
|
||||
}
|
||||
|
||||
fatal_error "Too Many arguments to action $action" if defined $actparams{$i};
|
||||
fatal_error "Too Many arguments to action $action" if defined $actparms{$i};
|
||||
}
|
||||
|
||||
sub get_action_params( $ ) {
|
||||
@@ -3343,65 +3273,53 @@ sub get_action_params( $ ) {
|
||||
my @return;
|
||||
|
||||
for ( my $i = 1; $i <= $num; $i++ ) {
|
||||
my $val = $actparams{$i};
|
||||
my $val = $actparms{$i};
|
||||
push @return, defined $val ? $val eq '-' ? '' : $val eq '--' ? '-' : $val : $val;
|
||||
}
|
||||
|
||||
@return;
|
||||
}
|
||||
|
||||
sub setup_audit_action( $ ) {
|
||||
my ( $action ) = @_;
|
||||
|
||||
my ( $target, $audit ) = get_action_params( 2 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action $action" if $audit ne 'audit';
|
||||
fatal_error "Only ACCEPT, DROP and REJECT may be audited" unless $target =~ /^(?:A_)?(?:ACCEPT|DROP|REJECT)\b/;
|
||||
$actparams{1} = "A_$target" unless $target =~ /^A_/;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Returns the Level and Tag for the current action chain
|
||||
#
|
||||
sub get_action_logging() {
|
||||
@actparams{ 'loglevel', 'logtag' };
|
||||
@actparms{ 'loglevel', 'logtag' };
|
||||
}
|
||||
|
||||
sub get_action_chain() {
|
||||
$actparams{0};
|
||||
$actparms{0};
|
||||
}
|
||||
|
||||
sub get_action_chain_name() {
|
||||
$actparams{chain};
|
||||
$actparms{chain};
|
||||
}
|
||||
|
||||
sub set_action_name_to_caller() {
|
||||
$actparams{chain} = $actparams{caller};
|
||||
$actparms{chain} = $actparms{caller};
|
||||
}
|
||||
|
||||
sub get_action_disposition() {
|
||||
$actparams{disposition};
|
||||
$actparms{disposition};
|
||||
}
|
||||
|
||||
sub set_action_disposition($) {
|
||||
$actparams{disposition} = $_[0];
|
||||
$actparms{disposition} = $_[0];
|
||||
}
|
||||
|
||||
sub set_action_param( $$ ) {
|
||||
my $i = shift;
|
||||
|
||||
fatal_error "Parameter numbers must be numeric" unless $i =~ /^\d+$/ && $i > 0;
|
||||
$actparams{$i} = shift;
|
||||
$actparms{$i} = shift;
|
||||
}
|
||||
|
||||
#
|
||||
# Expand Shell Variables in the passed buffer using %actparams, %params, %shorewallrc1 and %config,
|
||||
# Expand Shell Variables in the passed buffer using %actparms, %params, %shorewallrc1 and %config,
|
||||
#
|
||||
sub expand_variables( \$ ) {
|
||||
my ( $lineref, $count ) = ( $_[0], 0 );
|
||||
my $chain = $actparams{chain};
|
||||
my $chain = $actparms{chain};
|
||||
# $1 $2 $3 - $4
|
||||
while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
|
||||
|
||||
@@ -3415,16 +3333,16 @@ sub expand_variables( \$ ) {
|
||||
if ( $config{IGNOREUNKNOWNVARIABLES} ) {
|
||||
fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ );
|
||||
} else {
|
||||
fatal_error "Undefined parameter (\$$var)" unless ( defined $actparams{$var} &&
|
||||
fatal_error "Undefined parameter (\$$var)" unless ( defined $actparms{$var} &&
|
||||
( length( $var ) == 1 ||
|
||||
$var !~ /^0/ ) );
|
||||
}
|
||||
|
||||
$val = $var ? $actparams{$var} : $actparams{0}->{name};
|
||||
$val = $var ? $actparms{$var} : $actparms{0}->{name};
|
||||
} elsif ( exists $variables{$var} ) {
|
||||
$val = $variables{$var};
|
||||
} elsif ( exists $actparams{$var} ) {
|
||||
$val = $actparams{$var};
|
||||
} elsif ( exists $actparms{$var} ) {
|
||||
$val = $actparms{$var};
|
||||
$usedcaller = USEDCALLER if $var eq 'caller';
|
||||
} else {
|
||||
fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
|
||||
@@ -3443,7 +3361,7 @@ sub expand_variables( \$ ) {
|
||||
# $1 $2 $3 - $4
|
||||
while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
|
||||
my ( $first, $var, $rest ) = ( $1, $3, $4);
|
||||
my $val = $var ? $actparams{$var} : $actparams{chain};
|
||||
my $val = $var ? $actparms{$var} : $actparms{chain};
|
||||
$usedcaller = USEDCALLER if $var eq 'caller';
|
||||
$val = '' unless defined $val;
|
||||
$$lineref = join( '', $first , $val , $rest );
|
||||
@@ -3503,17 +3421,17 @@ sub handle_first_entry() {
|
||||
sub read_a_line($) {
|
||||
my $options = $_[0];
|
||||
|
||||
LINE:
|
||||
while ( $currentfile ) {
|
||||
|
||||
$currentline = '';
|
||||
$currentlinenumber = 0;
|
||||
|
||||
while ( <$currentfile> ) {
|
||||
chomp;
|
||||
#
|
||||
# Handle directives
|
||||
# Handle conditionals
|
||||
#
|
||||
if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR)/i ) {
|
||||
if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT)/i ) {
|
||||
$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
|
||||
next;
|
||||
}
|
||||
@@ -3527,7 +3445,7 @@ sub read_a_line($) {
|
||||
#
|
||||
# Suppress leading whitespace in certain continuation lines
|
||||
#
|
||||
s/^\s*// if $currentline && $options & CONFIG_CONTINUATION && $currentline =~ /[,:]$/;
|
||||
s/^\s*// if $currentline =~ /[,:]$/ && $options & CONFIG_CONTINUATION;
|
||||
#
|
||||
# If this is a continued line with a trailing comment, remove comment. Note that
|
||||
# the result will now end in '\'.
|
||||
@@ -3538,20 +3456,19 @@ sub read_a_line($) {
|
||||
#
|
||||
chop $currentline, next if ($currentline .= $_) =~ /\\$/;
|
||||
#
|
||||
# We now have a (possibly concatenated) line
|
||||
# Must check for shell/perl before doing variable expansion
|
||||
#
|
||||
if ( $options & EMBEDDED_ENABLED ) {
|
||||
if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) {
|
||||
handle_first_entry if $first_entry;
|
||||
embedded_perl( $1 );
|
||||
next LINE;
|
||||
}
|
||||
|
||||
if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
|
||||
handle_first_entry if $first_entry;
|
||||
embedded_shell( $1 );
|
||||
next LINE;
|
||||
next;
|
||||
}
|
||||
|
||||
if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) {
|
||||
handle_first_entry if $first_entry;
|
||||
embedded_perl( $1 );
|
||||
next;
|
||||
}
|
||||
}
|
||||
#
|
||||
@@ -3563,7 +3480,7 @@ sub read_a_line($) {
|
||||
#
|
||||
# Ignore (concatinated) blank lines
|
||||
#
|
||||
next LINE if $currentline =~ /^\s*$/;
|
||||
$currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
|
||||
#
|
||||
# Eliminate trailing whitespace
|
||||
#
|
||||
@@ -3574,7 +3491,7 @@ sub read_a_line($) {
|
||||
#
|
||||
handle_first_entry if $first_entry;
|
||||
#
|
||||
# Expand Shell Variables using %params and %actparams
|
||||
# Expand Shell Variables using %params and %actparms
|
||||
#
|
||||
expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
|
||||
|
||||
@@ -3594,16 +3511,18 @@ sub read_a_line($) {
|
||||
push_include;
|
||||
$currentfile = undef;
|
||||
do_open_file $filename;
|
||||
} else {
|
||||
$currentlinenumber = 0;
|
||||
}
|
||||
|
||||
next LINE;
|
||||
} elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
|
||||
my $sectionname = $1;
|
||||
fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
|
||||
fatal_error "This file does not allow ?SECTION" unless $section_function;
|
||||
$section_function->($sectionname);
|
||||
$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
|
||||
next LINE;
|
||||
$currentline = '';
|
||||
} elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
|
||||
my $sectionname = $1;
|
||||
fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
|
||||
fatal_error "This file does not allow ?SECTION" unless $section_function;
|
||||
$section_function->($sectionname);
|
||||
$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
|
||||
$currentline = '';
|
||||
} else {
|
||||
fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
|
||||
print "IN===> $currentline\n" if $debug;
|
||||
@@ -6106,7 +6025,7 @@ sub get_configuration( $$$$ ) {
|
||||
|
||||
default_log_level 'SFILTER_LOG_LEVEL', 'info';
|
||||
|
||||
if ( supplied( $val = $config{SFILTER_DISPOSITION} ) ) {
|
||||
if ( $val = $config{SFILTER_DISPOSITION} ) {
|
||||
fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
|
||||
require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
|
||||
} else {
|
||||
@@ -6115,14 +6034,14 @@ sub get_configuration( $$$$ ) {
|
||||
|
||||
default_log_level 'RPFILTER_LOG_LEVEL', 'info';
|
||||
|
||||
if ( supplied ( $val = $config{RPFILTER_DISPOSITION} ) ) {
|
||||
if ( $val = $config{RPFILTER_DISPOSITION} ) {
|
||||
fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
|
||||
require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
|
||||
} else {
|
||||
$config{RPFILTER_DISPOSITION} = 'DROP';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{MACLIST_DISPOSITION} ) ) {
|
||||
if ( $val = $config{MACLIST_DISPOSITION} ) {
|
||||
if ( $val =~ /^(?:A_)?DROP$/ ) {
|
||||
$globals{MACLIST_TARGET} = $val;
|
||||
} elsif ( $val eq 'REJECT' ) {
|
||||
@@ -6141,7 +6060,7 @@ sub get_configuration( $$$$ ) {
|
||||
$globals{MACLIST_TARGET} = 'reject';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{RELATED_DISPOSITION} ) ) {
|
||||
if ( $val = $config{RELATED_DISPOSITION} ) {
|
||||
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
|
||||
$globals{RELATED_TARGET} = $val;
|
||||
} elsif ( $val eq 'REJECT' ) {
|
||||
@@ -6160,7 +6079,7 @@ sub get_configuration( $$$$ ) {
|
||||
$globals{RELATED_TARGET} = 'ACCEPT';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{INVALID_DISPOSITION} ) ) {
|
||||
if ( $val = $config{INVALID_DISPOSITION} ) {
|
||||
if ( $val =~ /^(?:A_)?DROP$/ ) {
|
||||
$globals{INVALID_TARGET} = $val;
|
||||
} elsif ( $val eq 'REJECT' ) {
|
||||
@@ -6179,7 +6098,7 @@ sub get_configuration( $$$$ ) {
|
||||
$globals{INVALID_TARGET} = '';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{UNTRACKED_DISPOSITION} ) ) {
|
||||
if ( $val = $config{UNTRACKED_DISPOSITION} ) {
|
||||
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
|
||||
$globals{UNTRACKED_TARGET} = $val;
|
||||
} elsif ( $val eq 'REJECT' ) {
|
||||
@@ -6198,7 +6117,7 @@ sub get_configuration( $$$$ ) {
|
||||
$globals{UNTRACKED_TARGET} = '';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{MACLIST_TABLE} ) ) {
|
||||
if ( $val = $config{MACLIST_TABLE} ) {
|
||||
if ( $val eq 'mangle' ) {
|
||||
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
|
||||
} else {
|
||||
@@ -6208,7 +6127,7 @@ sub get_configuration( $$$$ ) {
|
||||
default 'MACLIST_TABLE' , 'filter';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{TCP_FLAGS_DISPOSITION} ) ) {
|
||||
if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
|
||||
fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:(A_)?(?:REJECT|DROP))|ACCEPT$/;
|
||||
require_capability 'AUDIT_TARGET' , "TCP_FLAGS_DISPOSITION=$val", 's' if $1;
|
||||
} else {
|
||||
@@ -6239,7 +6158,7 @@ sub get_configuration( $$$$ ) {
|
||||
require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
|
||||
if ( $val = $config{TC_PRIOMAP} ) {
|
||||
my @priomap = split ' ',$val;
|
||||
fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16;
|
||||
for ( @priomap ) {
|
||||
@@ -6258,13 +6177,12 @@ sub get_configuration( $$$$ ) {
|
||||
default 'QUEUE_DEFAULT' , 'none';
|
||||
default 'NFQUEUE_DEFAULT' , 'none';
|
||||
default 'ACCEPT_DEFAULT' , 'none';
|
||||
default 'OPTIMIZE' , 0;
|
||||
|
||||
for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
|
||||
$config{$default} = 'none' if "\L$config{$default}" eq 'none';
|
||||
}
|
||||
|
||||
default 'OPTIMIZE' , 0;
|
||||
|
||||
if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) {
|
||||
$config{OPTIMIZE} = $val = OPTIMIZE_ALL;
|
||||
} elsif ( $val =~ /^none$/i ) {
|
||||
@@ -6599,7 +6517,6 @@ sub report_used_capabilities() {
|
||||
}
|
||||
|
||||
END {
|
||||
print "eval() called $evals times\n" if $debug;
|
||||
cleanup;
|
||||
}
|
||||
|
||||
|
||||
@@ -69,7 +69,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
|
||||
my $destnets = '';
|
||||
my $baserule = '';
|
||||
my $inlinematches = '';
|
||||
my $prerule = '';
|
||||
#
|
||||
# Leading '+'
|
||||
#
|
||||
@@ -84,13 +83,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
|
||||
$inlinematches = get_inline_matches(0);
|
||||
}
|
||||
#
|
||||
# Handle early matches
|
||||
#
|
||||
if ( $inlinematches =~ s/s*\+// ) {
|
||||
$prerule = $inlinematches;
|
||||
$inlinematches = '';
|
||||
}
|
||||
#
|
||||
# Parse the remaining part of the INTERFACE column
|
||||
#
|
||||
if ( $family == F_IPV4 ) {
|
||||
@@ -344,7 +336,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
|
||||
#
|
||||
expand_rule( $chainref ,
|
||||
POSTROUTE_RESTRICT ,
|
||||
$prerule ,
|
||||
'' ,
|
||||
$baserule . $inlinematches . $rule ,
|
||||
$networks ,
|
||||
$destnets ,
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -30,32 +30,44 @@
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
?if __ADDRTYPE
|
||||
@1 - - - ;; -m addrtype --dst-type BROADCAST
|
||||
@1 - - - ;; -m addrtype --dst-type MULTICAST
|
||||
@1 - - - ;; -m addrtype --dst-type ANYCAST
|
||||
?else
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
fatal_error "Invalid parameter ($audit) to action Broadcast" if supplied $audit && $audit ne 'audit';
|
||||
fatal_error "Invalid parameter ($action) to action Broadcast" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
|
||||
|
||||
my $chainref = get_action_chain;
|
||||
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
my $target = require_audit ( $action , $audit );
|
||||
|
||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
||||
incr_cmd_level $chainref;
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||
add_jump $chainref, $action, 0, "-d \$address ";
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
if ( $level ne '' ) {
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
|
||||
}
|
||||
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
|
||||
} else {
|
||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
||||
incr_cmd_level $chainref;
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||
add_jump $chainref, $target, 0, "-d \$address ";
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
?endif
|
||||
|
||||
@@ -30,4 +30,4 @@
|
||||
|
||||
DEFAULTS DROP
|
||||
|
||||
@1 - - udp 53 ;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
|
||||
IPTABLES(@1) - - udp 53 ; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
|
||||
|
||||
@@ -28,16 +28,30 @@
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
#
|
||||
###############################################################################
|
||||
#
|
||||
# The following magic provides different defaults for @2 thru @5, when @1 is
|
||||
# 'audit'.
|
||||
#
|
||||
?begin perl;
|
||||
use Shorewall::Config;
|
||||
|
||||
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
||||
|
||||
if ( defined $p1 ) {
|
||||
if ( $p1 eq 'audit' ) {
|
||||
set_action_param( 3, 'A_DROP') unless supplied $p3;
|
||||
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
|
||||
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
|
||||
} else {
|
||||
fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
|
||||
?else
|
||||
?error The first parameter to Drop must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
DEFAULTS -,-,DROP,ACCEPT,DROP
|
||||
?endif
|
||||
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
@@ -47,7 +61,7 @@ COUNT
|
||||
#
|
||||
# Special Handling for Auth
|
||||
#
|
||||
?if passed(@2)
|
||||
?if @2 ne '-'
|
||||
Auth(@2)
|
||||
?endif
|
||||
#
|
||||
|
||||
@@ -30,6 +30,19 @@
|
||||
|
||||
DEFAULTS ACCEPT
|
||||
|
||||
#
|
||||
# All logic for this action is supplied by the 'state' option in actions.std
|
||||
#
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
if ( my $check = check_state( 'ESTABLISHED' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -11,11 +11,20 @@
|
||||
|
||||
DEFAULTS 2,0
|
||||
|
||||
?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
|
||||
?error Invalid value for Bricks (@1)
|
||||
?elsif @2 !~ /^[01]$/
|
||||
?error Invalid value for IB (@2)
|
||||
?endif
|
||||
?begin perl
|
||||
|
||||
use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
use strict;
|
||||
|
||||
my ( $bricks, $ib ) = get_action_params( 2 );
|
||||
|
||||
fatal_error "Invalid value for Bricks ( $bricks )" unless $bricks =~ /^\d+$/ && $bricks > 1 && $bricks < 1024;
|
||||
fatal_error "Invalid value for IB ( $ib )" unless $ib =~ /^[01]$/;
|
||||
|
||||
?end perl
|
||||
|
||||
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
||||
@@ -30,6 +30,24 @@
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
#
|
||||
# All logic for this action is triggered by the 'audit' and 'state' options in actions.std
|
||||
#
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
if ( my $check = check_state( 'INVALID' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# New[([<action>])]
|
||||
# Untracked[([<action>])]
|
||||
#
|
||||
# Default action is ACCEPT
|
||||
#
|
||||
@@ -30,6 +30,19 @@
|
||||
|
||||
DEFAULTS ACCEPT
|
||||
|
||||
#
|
||||
# All logic for this action is supplied by the 'state' option in actions.std
|
||||
#
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
if ( my $check = check_state( 'NEW' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -30,4 +30,23 @@
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
@1 - - ;;+ -p 6 ! --syn
|
||||
?begin perl;
|
||||
|
||||
use strict;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
perl_action_tcp_helper( $action, '-p 6 ! --syn' );
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -30,4 +30,21 @@
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
@1 - - ;;+ -p 6 --tcp-flags RST RST
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -27,16 +27,30 @@
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
###############################################################################
|
||||
#
|
||||
# The following magic provides different defaults for @2 thru @5, when @1 is
|
||||
# 'audit'.
|
||||
#
|
||||
?begin perl;
|
||||
use Shorewall::Config;
|
||||
|
||||
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
||||
|
||||
if ( defined $p1 ) {
|
||||
if ( $p1 eq 'audit' ) {
|
||||
set_action_param( 3, 'A_REJECT') unless supplied $p3;
|
||||
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
|
||||
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
|
||||
} else {
|
||||
fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP
|
||||
?else
|
||||
?error The first parameter to Reject must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
DEFAULTS -,-,REJECT,ACCEPT,DROP
|
||||
?endif
|
||||
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
@@ -46,7 +60,7 @@ COUNT
|
||||
#
|
||||
# Special handling for Auth
|
||||
#
|
||||
?if passed(@2)
|
||||
?if @2 ne '-'
|
||||
Auth(@2)
|
||||
?endif
|
||||
#
|
||||
|
||||
@@ -30,6 +30,20 @@
|
||||
|
||||
DEFAULTS DROP
|
||||
|
||||
#
|
||||
# All logic for this action is supplied by the 'state' option in actions.std
|
||||
#
|
||||
?begin perl;
|
||||
|
||||
use strict;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
if ( my $check = check_state( 'RELATED' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match( 'RELATED' ) : '', 'RELATED' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -12,6 +12,11 @@
|
||||
#
|
||||
# For additional information, see http://www.shorewall.net/Events.html
|
||||
#
|
||||
#######################################################################################################
|
||||
# DO NOT REMOVE THE FOLLOWING LINE
|
||||
#################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
||||
DEFAULTS -,ACCEPT,src
|
||||
|
||||
|
||||
@@ -12,18 +12,30 @@
|
||||
|
||||
DEFAULTS -
|
||||
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
?set tcpflags_action 'A_DROP'
|
||||
?else
|
||||
?error The parameter to TCPFlags must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
?set tcpflags_action 'DROP'
|
||||
?endif
|
||||
?begin perl;
|
||||
use strict;
|
||||
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my $action = 'DROP';
|
||||
|
||||
my ( $audit ) = get_action_params( 1 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
|
||||
$action = "A_DROP";
|
||||
}
|
||||
|
||||
perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
|
||||
perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
|
||||
perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
|
||||
perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
|
||||
perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
|
||||
|
||||
?end perl;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
$tcpflags_action - - ;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
|
||||
$tcpflags_action - - ;;+ -p 6 --tcp-flags ALL NONE
|
||||
$tcpflags_action - - ;;+ -p 6 --tcp-flags SYN,RST SYN,RST
|
||||
$tcpflags_action - - ;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
|
||||
$tcpflags_action - - ;;+ -p tcp --syn --sport 0
|
||||
|
||||
@@ -29,6 +29,19 @@
|
||||
##########################################################################################
|
||||
DEFAULTS DROP
|
||||
|
||||
#
|
||||
# All logic for this action is supplied by the 'state' option in actions.std
|
||||
#
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
if ( my $check = check_state( 'UNTRACKED' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -28,12 +28,25 @@
|
||||
|
||||
DEFAULTS -
|
||||
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
Invalid(A_ACCEPT)
|
||||
?else
|
||||
?error The first parameter to allowInvalid must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
Invalid(ACCEPT)
|
||||
?endif
|
||||
?begin perl;
|
||||
|
||||
use strict;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my $action = 'ACCEPT';
|
||||
|
||||
my ( $audit ) = get_action_params( 1 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
|
||||
$action = "A_ACCEPT";
|
||||
}
|
||||
|
||||
perl_action_helper( "Invalid($action)", '' );
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -28,14 +28,25 @@
|
||||
|
||||
DEFAULTS -
|
||||
|
||||
DEFAULTS -
|
||||
?begin perl;
|
||||
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
Invalid(A_DROP)
|
||||
?else
|
||||
?error The first parameter to dropInvalid must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
Invalid(DROP)
|
||||
?endif
|
||||
use strict;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my $action = 'DROP';
|
||||
|
||||
my ( $audit ) = get_action_params( 1 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
|
||||
$action = "A_DROP";
|
||||
}
|
||||
|
||||
perl_action_helper( "Invalid($action)", '' );
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -1,22 +0,0 @@
|
||||
#
|
||||
# Shorewall version 5 - Mangle Action Template
|
||||
#
|
||||
# /etc/shorewall/action.mangletemplate
|
||||
#
|
||||
# This file is a template for files with names of the form
|
||||
# /etc/shorewall/action.<action-name> where <action> is an
|
||||
# ACTION defined with the mangle option in /etc/shorewall/actions.
|
||||
#
|
||||
# To define a new action:
|
||||
#
|
||||
# 1. Add the <action name> to /etc/shorewall/actions with the mangle option
|
||||
# 2. Copy this file to /etc/shorewall/action.<action name>
|
||||
# 3. Add the desired rules to that file.
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional
|
||||
# information.
|
||||
#
|
||||
# Columns are the same as in /etc/shorewall/mangle.
|
||||
#
|
||||
####################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
|
||||
@@ -8,18 +8,21 @@
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
?if 0
|
||||
A_ACCEPT # Audits then accepts a connection request
|
||||
A_DROP # Audits then drops a connection request
|
||||
A_REJECT # Audits then drops a connection request
|
||||
allowBcast # Silently Allow Broadcast/multicast
|
||||
dropBcast # Silently Drop Broadcast/multicast
|
||||
dropNotSyn # Silently Drop Non-syn TCP packets
|
||||
rejNotSyn # Silently Reject Non-syn TCP packets
|
||||
allowinUPnP # Allow UPnP inbound (to firewall) traffic
|
||||
forwardUPnP # Allow traffic that upnpd has redirected from 'upnp' interfaces.
|
||||
Limit # Limit the rate of connections from each individual IP address
|
||||
?endif
|
||||
# A_ACCEPT # Audits then accepts a connection request
|
||||
# A_DROP # Audits then drops a connection request
|
||||
# A_REJECT # Audits then drops a connection request
|
||||
# allowBcast # Silently Allow Broadcast/multicast
|
||||
# dropBcast # Silently Drop Broadcast/multicast
|
||||
# dropNotSyn # Silently Drop Non-syn TCP packets
|
||||
# rejNotSyn # Silently Reject Non-syn TCP packets
|
||||
# allowoutUPnP # Allow traffic from local command 'upnpd' (does not
|
||||
# # work with kernel 2.6.14 and later).
|
||||
# allowinUPnP # Allow UPnP inbound (to firewall) traffic
|
||||
# forwardUPnP # Allow traffic that upnpd has redirected from
|
||||
# # 'upnp' interfaces.
|
||||
# Limit # Limit the rate of connections from each individual
|
||||
# # IP address
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION
|
||||
A_Drop # Audited Default Action for DROP policy
|
||||
@@ -27,25 +30,21 @@ A_Reject # Audited Default action for REJECT policy
|
||||
allowInvalid inline # Accepts packets in the INVALID conntrack state
|
||||
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
|
||||
AutoBLL noinline # Helper for AutoBL
|
||||
Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast
|
||||
Broadcast noinline # Handles Broadcast/Multicast/Anycast
|
||||
DNSAmp # Matches one-question recursive DNS queries
|
||||
Drop # Default Action for DROP policy
|
||||
dropInvalid inline # Drops packets in the INVALID conntrack state
|
||||
DropSmurfs noinline # Drop smurf packets
|
||||
Established inline,\ # Handles packets in the ESTABLISHED state
|
||||
state=ESTABLISHED #
|
||||
Established inline # Handles packets in the ESTABLISHED state
|
||||
GlusterFS inline # Handles GlusterFS
|
||||
IfEvent noinline # Perform an action based on an event
|
||||
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
|
||||
state=INVALID #
|
||||
New inline,state=NEW # Handles packets in the NEW conntrack state
|
||||
NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0
|
||||
Invalid inline # Handles packets in the INVALID conntrack state
|
||||
New inline # Handles packets in the NEW conntrack state
|
||||
NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0
|
||||
Reject # Default Action for REJECT policy
|
||||
Related inline,\ # Handles packets in the RELATED conntrack state
|
||||
state=RELATED #
|
||||
Related inline # Handles packets in the RELATED conntrack state
|
||||
ResetEvent inline # Reset an Event
|
||||
RST inline,audit # Handle packets with RST set
|
||||
RST inline # Handle packets with RST set
|
||||
SetEvent inline # Initialize an event
|
||||
TCPFlags # Handle bad flag combinations.
|
||||
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
|
||||
state=UNTRACKED #
|
||||
Untracked inline # Handles packets in the UNTRACKED conntrack state
|
||||
|
||||
@@ -470,15 +470,11 @@ compiler() {
|
||||
[ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
|
||||
;;
|
||||
esac
|
||||
#
|
||||
# Only use the pager if 'trace' or -r was specified and -d was not
|
||||
#
|
||||
[ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
|
||||
|
||||
if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
|
||||
eval $PERL $debugflags $pc $options $@ $g_pager
|
||||
$PERL $debugflags $pc $options $@
|
||||
else
|
||||
eval PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@ $g_pager
|
||||
PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@
|
||||
fi
|
||||
|
||||
status=$?
|
||||
|
||||
@@ -53,19 +53,7 @@
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>audit</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. When this option is specified,
|
||||
the action is expected to have at least two parameters; the
|
||||
first is a target and the second is either 'audit' or omitted.
|
||||
If the second is 'audit', then the first must be an auditable
|
||||
target (ACCEPT, DROP or REJECT).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>builtin</option></term>
|
||||
<term>builtin</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.16. Defines the action as a rule
|
||||
@@ -98,7 +86,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>inline</option></term>
|
||||
<term>inline</term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes the action body (defined in
|
||||
@@ -114,9 +102,9 @@
|
||||
way:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>DropSmurfs</member>
|
||||
<member>Broadcast</member>
|
||||
|
||||
<member>IfEvent</member>
|
||||
<member>DropSmurfs</member>
|
||||
|
||||
<member>Invalid (Prior to Shorewall 4.5.13)</member>
|
||||
|
||||
@@ -131,19 +119,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>mangle</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. Specifies that this action is
|
||||
to be used in <ulink
|
||||
url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
|
||||
than <ulink
|
||||
url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>noinline</option></term>
|
||||
<term>noinline</term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes any later <option>inline</option> option for the
|
||||
@@ -152,7 +128,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>nolog</option></term>
|
||||
<term>nolog</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.11. When this option is
|
||||
@@ -166,16 +142,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
|
||||
in <filename>actions.std</filename>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>terminating</option></term>
|
||||
<term>terminating</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.4. When used with
|
||||
|
||||
@@ -68,9 +68,8 @@
|
||||
<replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>The <replaceable>chain-designator </replaceable>indicates the
|
||||
Netfilter chain that the entry applies to and may be one of the
|
||||
following:</para>
|
||||
<para>The chain-specifier indicates the Netfilter chain that the
|
||||
entry applies to and may be one of the following:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@@ -112,14 +111,10 @@
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and
|
||||
FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
|
||||
|
||||
<para>A <replaceable>chain-designator</replaceable> may not be
|
||||
specified if the SOURCE or DEST columns begin with '$FW'. When the
|
||||
SOURCE is $FW, the generated rule is always placed in the OUTPUT
|
||||
chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
|
||||
Additionally, a <replaceable>chain-designator</replaceable> may not
|
||||
be specified in an action body unless the action is declared as
|
||||
<option>inline</option> in <ulink
|
||||
url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
|
||||
<para>A chain-designator may not be specified if the SOURCE or DEST
|
||||
columns begin with '$FW'. When the SOURCE is $FW, the generated rule
|
||||
is always placed in the OUTPUT chain. If DEST is '$FW', then the
|
||||
rule is placed in the INPUT chain.</para>
|
||||
|
||||
<para>Where a command takes parameters, those parameters are
|
||||
enclosed in parentheses ("(....)") and separated by commas.</para>
|
||||
@@ -128,21 +123,6 @@
|
||||
following.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7.
|
||||
<replaceable>action</replaceable> must be an action declared
|
||||
with the <option>mangle</option> option in <ulink
|
||||
url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
|
||||
If the action accepts paramaters, they are specified as a
|
||||
comma-separated list within parentheses following the
|
||||
<replaceable>action</replaceable> name.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
|
||||
@@ -740,6 +720,33 @@ Normal-Service => 0x00</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<orderedlist numeration="arabic">
|
||||
<listitem>
|
||||
<para><emphasis role="bold">TTL</emphasis>([<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
|
||||
|
||||
<para>Added in Shorewall 4.4.24.</para>
|
||||
|
||||
<para>Prior to Shorewall 4.5.7.2, may be optionally followed by
|
||||
<emphasis role="bold">:F</emphasis> but the resulting rule is
|
||||
always added to the FORWARD chain. Beginning with Shorewall
|
||||
4.5.7.s, it may be optionally followed by <emphasis
|
||||
role="bold">:P</emphasis>, in which case the rule is added to
|
||||
the PREROUTING chain.</para>
|
||||
|
||||
<para>If <emphasis role="bold">+</emphasis> is included, packets
|
||||
matching the rule will have their TTL incremented by
|
||||
<replaceable>number</replaceable>. Similarly, if <emphasis
|
||||
role="bold">-</emphasis> is included, matching packets have
|
||||
their TTL decremented by <replaceable>number</replaceable>. If
|
||||
neither <emphasis role="bold">+</emphasis> nor <emphasis
|
||||
role="bold">-</emphasis> is given, the TTL of matching packets
|
||||
is set to <replaceable>number</replaceable>. The valid range of
|
||||
values for <replaceable>number</replaceable> is 1-255.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -328,18 +328,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
|
||||
with the exception that the mark is assigned to connection to
|
||||
which the packet belongs is marked rather than to the packet
|
||||
itself.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CONTINUE</emphasis></term>
|
||||
|
||||
@@ -558,35 +546,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>where <replaceable>mark</replaceable> is a packet mark
|
||||
value.</para>
|
||||
|
||||
<para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
|
||||
table" support in your kernel and iptables.</para>
|
||||
|
||||
<para>Normally will set the mark value of the current packet.
|
||||
If preceded by a vertical bar ("|"), the mark value will be
|
||||
logically ORed with the current mark value to produce a new
|
||||
mark value. If preceded by an ampersand ("&"), will be
|
||||
logically ANDed with the current mark value to produce a new
|
||||
mark value.</para>
|
||||
|
||||
<para>Both "|" and "&" require Extended MARK Target
|
||||
support in your kernel and iptables.</para>
|
||||
|
||||
<para>The mark value may be optionally followed by "/" and a
|
||||
mask value (used to determine those bits of the connection
|
||||
mark to actually be set). When a mask is specified, the result
|
||||
of logically ANDing the mark value with the mask must be the
|
||||
same as the mark value.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
|
||||
|
||||
@@ -31,24 +31,37 @@
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
#
|
||||
###############################################################################
|
||||
#
|
||||
# The following magic provides different defaults for $2 thru $5, when $1 is
|
||||
# 'audit'.
|
||||
#
|
||||
?begin perl;
|
||||
use Shorewall::Config;
|
||||
|
||||
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
||||
|
||||
if ( defined $p1 ) {
|
||||
if ( $p1 eq 'audit' ) {
|
||||
set_action_param( 2, 'A_REJECT') unless supplied $p2;
|
||||
set_action_param( 3, 'A_DROP') unless supplied $p3;
|
||||
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
|
||||
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
|
||||
} else {
|
||||
fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
?if passed($1)
|
||||
?if $1 eq 'audit'
|
||||
DEFAULTS -,A_REJECT,A_DROP,A_ACCEPT,A_DROP
|
||||
?else
|
||||
?error The first parameter to Drop must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
DEFAULTS -,REJECT,DROP,ACCEPT,DROP
|
||||
?endif
|
||||
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
# Reject 'auth'
|
||||
#
|
||||
?if passed($2)
|
||||
Auth($2)
|
||||
?endif
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
|
||||
@@ -27,24 +27,37 @@
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
###############################################################################
|
||||
#
|
||||
# The following magic provides different defaults for $2 thru $5, when $1 is
|
||||
# 'audit'.
|
||||
#
|
||||
?begin perl;
|
||||
use Shorewall::Config;
|
||||
|
||||
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
||||
|
||||
if ( defined $p1 ) {
|
||||
if ( $p1 eq 'audit' ) {
|
||||
set_action_param( 2, 'A_REJECT') unless supplied $p2;
|
||||
set_action_param( 3, 'A_REJECT') unless supplied $p3;
|
||||
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
|
||||
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
|
||||
} else {
|
||||
fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
DEFAULTS -,A_REJECT,A_REJECT,A_ACCEPT,A_DROP
|
||||
?else
|
||||
?error The first parameter to Reject must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
|
||||
?endif
|
||||
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Don't log 'auth' -- REJECT
|
||||
#
|
||||
?if passed($2)
|
||||
Auth($2)
|
||||
?endif
|
||||
#
|
||||
# Drop Multicasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
|
||||
@@ -1,22 +0,0 @@
|
||||
#
|
||||
# Shorewall version 5 - Mangle Action Template
|
||||
#
|
||||
# /etc/shorewall6/action.mangletemplate
|
||||
#
|
||||
# This file is a template for files with names of the form
|
||||
# /etc/shorewall/action.<action-name> where <action> is an
|
||||
# ACTION defined with the mangle option in /etc/shorewall/actions.
|
||||
#
|
||||
# To define a new action:
|
||||
#
|
||||
# 1. Add the <action name> to /etc/shorewall6/actions with the mangle option
|
||||
# 2. Copy this file to /etc/shorewall6/action.<action name>
|
||||
# 3. Add the desired rules to that file.
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional
|
||||
# information.
|
||||
#
|
||||
# Columns are the same as in /etc/shorewall6/mangle.
|
||||
#
|
||||
############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
|
||||
@@ -8,12 +8,11 @@
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
?if 0
|
||||
allowBcasts # Accept multicast and anycast packets
|
||||
dropBcasts # Silently Drop multicast and anycast packets
|
||||
dropNotSyn # Silently Drop Non-syn TCP packets
|
||||
rejNotSyn # Silently Reject Non-syn TCP packets
|
||||
?endif
|
||||
# allowBcasts # Accept multicast and anycast packets
|
||||
# dropBcasts # Silently Drop multicast and anycast packets
|
||||
# dropNotSyn # Silently Drop Non-syn TCP packets
|
||||
# rejNotSyn # Silently Reject Non-syn TCP packets
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION
|
||||
A_Drop # Audited Default Action for DROP policy
|
||||
@@ -27,19 +26,15 @@ Broadcast noinline # Handles Broadcast/Multicast/Anycast
|
||||
Drop # Default Action for DROP policy
|
||||
dropInvalid inline # Drops packets in the INVALID conntrack state
|
||||
DropSmurfs noinline # Handles packets with a broadcast source address
|
||||
Established inline,\ # Handles packets in the ESTABLISHED state
|
||||
state=ESTABLISHED
|
||||
Established inline # Handles packets in the ESTABLISHED state
|
||||
IfEvent noinline # Perform an action based on an event
|
||||
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
|
||||
state=INVALID
|
||||
New inline,state=NEW # Handles packets in the NEW conntrack state
|
||||
Invalid inline # Handles packets in the INVALID conntrack state
|
||||
New inline # Handles packets in the NEW conntrack state
|
||||
NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0
|
||||
Reject # Default Action for REJECT policy
|
||||
Related inline,\ # Handles packets in the RELATED conntrack state
|
||||
state=RELATED
|
||||
Related inline # Handles packets in the RELATED conntrack state
|
||||
ResetEvent inline # Reset an Event
|
||||
RST inline # Handle packets with RST set
|
||||
SetEvent inline # Initialize an event
|
||||
TCPFlags # Handles bad flags combinations
|
||||
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
|
||||
state=UNTRACKED
|
||||
Untracked inline # Handles packets in the UNTRACKED conntrack state
|
||||
|
||||
@@ -53,18 +53,6 @@
|
||||
<para>Added in Shorewall 4.5.10. Available options are:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>audit</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. When this option is specified,
|
||||
the action is expected to have at least two parameters; the
|
||||
first is a target and the second is either 'audit' or omitted.
|
||||
If the second is 'audit', then the first must be an auditable
|
||||
target (ACCEPT, DROP or REJECT).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>builtin</term>
|
||||
|
||||
@@ -99,7 +87,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>inline</option></term>
|
||||
<term>inline</term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes the action body (defined in
|
||||
@@ -115,9 +103,9 @@
|
||||
way:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>DropSmurfs</member>
|
||||
<member>Broadcast</member>
|
||||
|
||||
<member>IfEvent</member>
|
||||
<member>DropSmurfs</member>
|
||||
|
||||
<member>Invalid (Prior to Shorewall 4.5.13)</member>
|
||||
|
||||
@@ -132,19 +120,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>mangle</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. Specifies that this action is
|
||||
to be used in <ulink
|
||||
url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
|
||||
rather than <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>noinline</option></term>
|
||||
<term>noinline</term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes any later <option>inline</option> option for the
|
||||
@@ -153,7 +129,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>nolog</option></term>
|
||||
<term>nolog</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.11. When this option is
|
||||
@@ -167,16 +143,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
|
||||
in <filename>actions.std</filename>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>terminating</option></term>
|
||||
<term>terminating</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.4. When used with
|
||||
|
||||
@@ -69,9 +69,8 @@
|
||||
<replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>The <replaceable>chain-designator</replaceable> indicates the
|
||||
Netfilter chain that the entry applies to and may be one of the
|
||||
following:</para>
|
||||
<para>The chain-specifier indicates the Netfilter chain that the
|
||||
entry applies to and may be one of the following:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@@ -113,14 +112,10 @@
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>,
|
||||
and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
|
||||
|
||||
<para>A <replaceable>chain-designator</replaceable> may not be
|
||||
specified if the SOURCE or DEST columns begin with '$FW'. When the
|
||||
SOURCE is $FW, the generated rule is always placed in the OUTPUT
|
||||
chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
|
||||
Additionally, a <replaceable>chain-designator</replaceable> may not
|
||||
be specified in an action body unless the action is declared as
|
||||
<option>inline</option> in <ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
||||
<para>A chain-designator may not be specified if the SOURCE or DEST
|
||||
columns begin with '$FW'. When the SOURCE is $FW, the generated rule
|
||||
is always placed in the OUTPUT chain. If DEST is '$FW', then the
|
||||
rule is placed in the INPUT chain.</para>
|
||||
|
||||
<para>Where a command takes parameters, those parameters are
|
||||
enclosed in parentheses ("(....)") and separated by commas.</para>
|
||||
@@ -129,21 +124,6 @@
|
||||
following.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7.
|
||||
<replaceable>action</replaceable> must be an action declared
|
||||
with the <option>mangle</option> option in <ulink
|
||||
url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
|
||||
If the action accepts paramaters, they are specified as a
|
||||
comma-separated list within parentheses following the
|
||||
<replaceable>action</replaceable> name.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
|
||||
|
||||
@@ -303,18 +303,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
|
||||
with the exception that the mark is assigned to connection to
|
||||
which the packet belongs is marked rather than to the packet
|
||||
itself.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CONTINUE</emphasis></term>
|
||||
|
||||
@@ -535,35 +523,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>where <replaceable>mark</replaceable> is a packet mark
|
||||
value.</para>
|
||||
|
||||
<para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
|
||||
table" support in your kernel and iptables.</para>
|
||||
|
||||
<para>Normally will set the mark value of the current packet.
|
||||
If preceded by a vertical bar ("|"), the mark value will be
|
||||
logically ORed with the current mark value to produce a new
|
||||
mark value. If preceded by an ampersand ("&"), will be
|
||||
logically ANDed with the current mark value to produce a new
|
||||
mark value.</para>
|
||||
|
||||
<para>Both "|" and "&" require Extended MARK Target
|
||||
support in your kernel and iptables.</para>
|
||||
|
||||
<para>The mark value may be optionally followed by "/" and a
|
||||
mask value (used to determine those bits of the connection
|
||||
mark to actually be set). When a mask is specified, the result
|
||||
of logically ANDing the mark value with the mask must be the
|
||||
same as the mark value.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
|
||||
|
||||
@@ -32,8 +32,6 @@
|
||||
|
||||
<year>2013</year>
|
||||
|
||||
<year>2015-2016</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
@@ -399,27 +397,6 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
|
||||
url="configuration_file_basics.htm#ActionVariables">Action Variables
|
||||
section</ulink> of the Configuration Basics article.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Mangle Actions</title>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.7, actions may be used in <ulink
|
||||
url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> and
|
||||
<ulink
|
||||
url="manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.
|
||||
Because the rules and mangle files have different column layouts,
|
||||
actions can be defined to be used in one file or the other but not in
|
||||
both. To designate an action to be used in the mangle file, specify the
|
||||
<option>mangle</option> option in the action's entry in <ulink
|
||||
url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
|
||||
<ulink
|
||||
url="manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
||||
|
||||
<para>To create a mangle action, follow the steps in the preceding
|
||||
section, but use the
|
||||
<filename>/usr/share/shorewall/action.mangletemplate</filename> file.
|
||||
</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="Logging">
|
||||
|
||||
@@ -175,23 +175,20 @@
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/init</filename> - commands that you
|
||||
wish to execute at the beginning of a <quote>shorewall
|
||||
start</quote>, "shorewall reload" or <quote>shorewall
|
||||
restart</quote>.</para>
|
||||
wish to execute at the beginning of a <quote>shorewall start</quote>
|
||||
or <quote>shorewall restart</quote>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/start</filename> - commands that you
|
||||
wish to execute near the completion of a <quote>shorewall
|
||||
start</quote>, "shorewall reload" or <quote>shorewall
|
||||
restart</quote></para>
|
||||
start</quote> or <quote>shorewall restart</quote></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/started</filename> - commands that
|
||||
you wish to execute after the completion of a <quote>shorewall
|
||||
start</quote>, "shorewall reload" or <quote>shorewall
|
||||
restart</quote></para>
|
||||
start</quote> or <quote>shorewall restart</quote></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -1782,10 +1779,6 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
<para><ulink url="Macros.html">Macro</ulink> files</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="Actions.html">Action</ulink> files</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
|
||||
@@ -1992,33 +1985,6 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
@disposition are used to generated the --log-prefix in logging rules. When
|
||||
either is empty, the historical value is used to generate the
|
||||
--log-prefix.</para>
|
||||
|
||||
<para>Within an action body, if a parameter is omitted in a DEFAULTS
|
||||
statement, then the value of the corresponding action and Shorewall
|
||||
variables is '-', while if the parameter is specified as '-' in the
|
||||
parameter list, the value of the action/Shorewall variable is '', if it is
|
||||
expanded before the DEFAULTS statement.</para>
|
||||
|
||||
<para>Additionally, when an expression is evaluated, the value 0 evaluates
|
||||
as false, so '?IF @n' and '?IF $n' fail if the nth parameter is passed
|
||||
with value zero. To make testing of the presense of parameters more
|
||||
efficient and uniform, an new function has been added in Shorewall 5.0.7
|
||||
for use in ?IF and ?ELSEIF:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>?IF [!] passed(<variable>)</member>
|
||||
</simplelist>
|
||||
|
||||
<para>where <variable> is an action or Shorewall variable.</para>
|
||||
|
||||
<para>'passed(@n)' and 'passed($n)' evaluate to true if the nth parameter
|
||||
is not empty and its contents are other than '-'. If '!' is present, the
|
||||
result is inverted.</para>
|
||||
|
||||
<para>In this simple form, the expression is evaluated by the compiler
|
||||
without having to invoke the (expensive) Perl exec() function. The
|
||||
'passed' function may also be used in more complex expressions, but exec()
|
||||
will be invoked to evaluate those expressions.</para>
|
||||
</section>
|
||||
|
||||
<section id="Conditional">
|
||||
@@ -2202,31 +2168,6 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
<lines to be included if all three expressions evaluate to false.
|
||||
|
||||
?ENDIF</programlisting>
|
||||
|
||||
<para>Beginning in Shorewall 5.0.7, an error can be raised using the
|
||||
?ERROR directive:</para>
|
||||
|
||||
<programlisting>?ERROR <replaceable>message</replaceable></programlisting>
|
||||
|
||||
<para>Variables in the message are evaluated and the result appears in a
|
||||
standard Shorewall ERROR: message.</para>
|
||||
|
||||
<para>Example from the 5.0.7 action.GlusterFS:</para>
|
||||
|
||||
<programlisting>?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
|
||||
?error Invalid value for Bricks (@1)
|
||||
?elsif @2 !~ /^[01]$/
|
||||
?error Invalid value for IB (@2)
|
||||
?endif
|
||||
</programlisting>
|
||||
|
||||
<para>The above code insures that the first action paramater is a non-zero
|
||||
number <= 1024 and that the second parameter is either 0 or 1. If 2000
|
||||
is passed for the first parameter, the following error message is
|
||||
generated:</para>
|
||||
|
||||
<programlisting> ERROR: Invalid value for Bricks (2000) /usr/share/shorewall/action.GlusterFS (line 15)
|
||||
from /etc/shorewall/rules (line 45)</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="Embedded">
|
||||
@@ -2577,44 +2518,6 @@ Shorewall has detected the following iptables/netfilter capabilities:
|
||||
"!tcp").</para>
|
||||
</section>
|
||||
|
||||
<section id="Ranges">
|
||||
<title>Port Ranges</title>
|
||||
|
||||
<para>If you need to specify a range of ports, the proper syntax is
|
||||
<low port number>:<high port number>. For example, if you want
|
||||
to forward the range of tcp ports 4000 through 4100 to local host
|
||||
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting>
|
||||
|
||||
<para>If you omit the low port number, a value of zero is assumed; if you
|
||||
omit the high port number, a value of 65535 is assumed.</para>
|
||||
|
||||
<para>Also, unless otherwise documented, a port range can be preceded by
|
||||
'!' to specify "All ports except those in this range" (e.g.,
|
||||
"!4000:4100").</para>
|
||||
</section>
|
||||
|
||||
<section id="Portlists">
|
||||
<title>Port Lists</title>
|
||||
|
||||
<para>In most cases where a port or port range may appear, a
|
||||
comma-separated list of ports or port ranges may also be entered.
|
||||
Shorewall requires the Netfilter <emphasis
|
||||
role="bold">multiport</emphasis> match capability if ports lists are used
|
||||
(see the output of "<emphasis role="bold">shorewall show
|
||||
capabilities</emphasis>").</para>
|
||||
|
||||
<para>Also, unless otherwise documented, a port list can be preceded by
|
||||
'!' to specify "All ports except these" (e.g., "!80,443").</para>
|
||||
|
||||
<para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
|
||||
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
|
||||
(5) file may specify no more than 15 ports; port ranges appearing in a
|
||||
list count as two ports each.</para>
|
||||
</section>
|
||||
|
||||
<section id="ICMP">
|
||||
<title>ICMP and ICMP6 Types and Codes</title>
|
||||
|
||||
@@ -2691,6 +2594,44 @@ redirect => 137</programlisting>
|
||||
Shorewall 4.4.19.</para>
|
||||
</section>
|
||||
|
||||
<section id="Ranges">
|
||||
<title>Port Ranges</title>
|
||||
|
||||
<para>If you need to specify a range of ports, the proper syntax is
|
||||
<low port number>:<high port number>. For example, if you want
|
||||
to forward the range of tcp ports 4000 through 4100 to local host
|
||||
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting>
|
||||
|
||||
<para>If you omit the low port number, a value of zero is assumed; if you
|
||||
omit the high port number, a value of 65535 is assumed.</para>
|
||||
|
||||
<para>Also, unless otherwise documented, a port range can be preceded by
|
||||
'!' to specify "All ports except those in this range" (e.g.,
|
||||
"!4000:4100").</para>
|
||||
</section>
|
||||
|
||||
<section id="Portlists">
|
||||
<title>Port Lists</title>
|
||||
|
||||
<para>In most cases where a port or port range may appear, a
|
||||
comma-separated list of ports or port ranges may also be entered.
|
||||
Shorewall requires the Netfilter <emphasis
|
||||
role="bold">multiport</emphasis> match capability if ports lists are used
|
||||
(see the output of "<emphasis role="bold">shorewall show
|
||||
capabilities</emphasis>").</para>
|
||||
|
||||
<para>Also, unless otherwise documented, a port list can be preceded by
|
||||
'!' to specify "All ports except these" (e.g., "!80,443").</para>
|
||||
|
||||
<para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
|
||||
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
|
||||
(5) file may specify no more than 15 ports; port ranges appearing in a
|
||||
list count as two ports each.</para>
|
||||
</section>
|
||||
|
||||
<section id="MAC">
|
||||
<title>Using MAC Addresses</title>
|
||||
|
||||
@@ -2743,7 +2684,9 @@ redirect => 137</programlisting>
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
|
||||
|
||||
<simplelist>
|
||||
<member>LOGLIMIT=10/minute:5</member>
|
||||
<member>LOGRATE=10/minute</member>
|
||||
|
||||
<member>LOGBURST=5</member>
|
||||
</simplelist>
|
||||
|
||||
<para>For each logging rule, the first time the rule is reached, the
|
||||
@@ -2755,6 +2698,11 @@ redirect => 137</programlisting>
|
||||
30 seconds, the burst will be fully recharged; back where we
|
||||
started.</para>
|
||||
|
||||
<note>
|
||||
<para>The LOGRATE and LOGBURST options are deprecated in favor of
|
||||
LOGLIMIT.</para>
|
||||
</note>
|
||||
|
||||
<para>Shorewall also supports per-IP rate limiting.</para>
|
||||
|
||||
<para>Another example from <ulink
|
||||
@@ -2788,7 +2736,8 @@ redirect => 137</programlisting>
|
||||
<firstterm>Condition Match Support</firstterm> and you must be running
|
||||
Shorewall 4.4.24 or later. See the output of <command>shorewall show
|
||||
capabilities</command> and <command>shorewall version</command> to
|
||||
determine if you can use this feature.</para>
|
||||
determine if you can use this feature. As of this writing, Condition Match
|
||||
Support requires that you install xtables-addons.</para>
|
||||
|
||||
<para>The SWITCH column contains the name of a
|
||||
<firstterm>switch.</firstterm> Each switch is initially in the <emphasis
|
||||
@@ -2952,8 +2901,8 @@ Comcast 2 0x20000 main <emphasis role="bold">COM_IF</emphasis>
|
||||
<para>If <emphasis role="bold">detect</emphasis> is specified in the
|
||||
ADDRESS column of an entry in <ulink
|
||||
url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) then the
|
||||
firewall still startS if the optional interface in the INTERFACE
|
||||
column does not have an IP address.</para>
|
||||
firewall still start if the optional interface in the INTERFACE column
|
||||
does not have an IP address.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@@ -2971,8 +2920,7 @@ Comcast 2 0x20000 main <emphasis role="bold">COM_IF</emphasis>
|
||||
|
||||
<para>Shorewall allows you to have configuration directories other than
|
||||
<filename class="directory">/etc/shorewall</filename>. The shorewall
|
||||
<command>check</command>, <command>start</command> and
|
||||
<command>restart</command> commands allow you to specify an alternate
|
||||
check, start and restart commands allow you to specify an alternate
|
||||
configuration directory and Shorewall will use the files in the alternate
|
||||
directory rather than the corresponding files in /etc/shorewall. The
|
||||
alternate directory need not contain a complete configuration; those files
|
||||
|
||||
@@ -854,16 +854,22 @@ DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
|
||||
with:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><external IP></emphasis></programlisting>If
|
||||
you have a dynamic IP then you must ensure that your external
|
||||
interface is up before starting Shorewall and you must code the
|
||||
rule as follows (assume that your external interface is <filename
|
||||
class="devicefile">eth0</filename>):</para>
|
||||
interface is up before starting Shorewall and you must take steps
|
||||
as follows (assume that your external interface is <filename
|
||||
class="devicefile">eth0</filename>):<orderedlist>
|
||||
<listitem>
|
||||
<para>Include the following in /etc/shorewall/params:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT loc dmz:10.10.11.2 tcp 80 - &eth0</programlisting>
|
||||
<para><command>ETH0_IP=$(find_interface_address
|
||||
eth0)</command></para>
|
||||
</listitem>
|
||||
|
||||
<para>'&eth0' expands to the IP address of eth0 (see <ulink
|
||||
url="configuration_file_basics.htm#AddressVariables">this
|
||||
article</ulink>).</para>
|
||||
<listitem>
|
||||
<para>Make your <literal>loc->dmz</literal> rule:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</programlisting></para>
|
||||
</listitem>
|
||||
</orderedlist></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
Reference in New Issue
Block a user