#
# Shorewall version 4 - Drop Smurfs Action
#
# /usr/share/shorewall/action.DropSmurfs
#
#   Accepts a single optional parameter:
#
#          -     = Do not Audit
#          audit = Audit dropped packets.
#
#################################################################################
FORMAT 2

DEFAULTS DROP,-

?BEGIN PERL;
use strict;
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
use Shorewall::Chains;

my ( $disposition, $audit ) = get_action_params( 2 );

my $chainref        = get_action_chain;
my ( $level, $tag ) = get_action_logging;

fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;

if ( $level ne '-' || $audit ne '-' ) {
    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;

    log_rule_limit( $level,
		    $logchainref,
		    $chainref->{name},
		    $disposition,
		    '',
		    $tag,
		    'add',
		    '' ) if $level;

    if ( supplied $audit ) {
	fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
	add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
    }

    add_ijump( $logchainref, g => $disposition );

    $disposition = $logchainref;
}

add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';

?END PERL;