On 11/19/2012 11:41 AM, Tom Eastep wrote:
On 11/19/12 7:47 AM, Mr Dash Four wrote:

This might not sound like a big deal, but when I wish to use a single
macro in various policy statements for different directions ($FW->net,
net->$FW etc), when I get a packet logged, I won't know which chain this
packet originated from, or, at the very least, I have to scratch my head
to find out. If I were able to deploy macros in the "policy" instead,
this problem goes away as the macro will be included "inline" with the
appropriate labels and comments to boot.

I'll take a look at this. But in the meantime, you can achieve the same
goal by simply placing your logging rules at the end of the rules file
with SOURCE and DEST set to 'all'.

Attached is a lightly-tested patch that allows a macro to be used as a default action. Please try it and provide feedback.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 117fef8..e58bb76 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -360,6 +360,9 @@ sub process_a_policy() {
 	} elsif ( $actions{$def} ) {
 	    $default = supplied $param ? normalize_action( $def, 'none', $param  ) : normalize_action_name $def;
 	    use_policy_action( $default );
+	} elsif ( find_macro( $def ) ) {
+	    fatal_error "Default Action Macros may not have parameters" if supplied $param;
+	    $default = join( '.', 'macro', $def ) unless $default =~ /^macro./;
 	} else {
 	    fatal_error "Unknown Default Action ($default)";
 	}
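Review bot: The guard on the added `$default = join( '.', 'macro', $def ) unless $default =~ /^macro./;` line uses an unescaped `.`, so it also matches any default whose name begins with `macro` followed by one more character and skips the prefixing for it, whereas the parallel line in the process_policies hunk below escapes the dot. Change it to `unless $default =~ /^macro\./;` so the two branches agree. process_a_policy's signature and the start of this if/elsif chain are outside the hunk.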
@@ -505,6 +508,9 @@ sub process_policies()
 	    } elsif ( $actions{$act} ) {
 		$action = supplied $param ? normalize_action( $act, 'none', $param  ) : normalize_action_name $act;
 		use_policy_action( $action );
+	    } elsif ( find_macro( $act ) ) {
+		fatal_error "Default Action Macros may not have parameters" if supplied $param;
+		$action = join( '.', 'macro', $act ) unless $action =~ /^macro\./;
 	    } elsif ( $targets{$act} ) {
 		fatal_error "Invalid setting ($action) for $option";
 	    } else {
@@ -553,7 +559,34 @@ sub policy_rules( $$$$$ ) {
 
     unless ( $target eq 'NONE' ) {
 	add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
-	add_ijump $chainref, j => $default if $default && $default ne 'none';
+
+	if ( $default && $default ne 'none' ) {
+	    if ( $default =~ s/^macro\.// ) {
+		process_macro( $default,                                       #Macro
+			       $chainref,                                      #Chain
+			       $default,                                       #Target
+			       '',                                             #Param
+			       '-',                                            #Source
+			       '-',                                            #Dest
+			       '-',                                            #Proto
+                               '-',                                            #Ports
+                               '-',                                            #Sports
+			       '-',                                            #Original Dest
+                               '-',                                            #Rate
+                               '-',                                            #User
+                               '-',                                            #Mark
+                               '-',                                            #ConnLimit
+                               '-',                                            #Time
+                               '-',                                            #Headers
+                               '-',                                            #Condition
+                               '-',                                            #Helper
+                               0,                                              #Wildcard
+			     );
+	    } else {
+		add_ijump $chainref, j => $default;
+	    }
+	}
+ 
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 
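Review bot: `if ( $default =~ s/^macro\.// )` rewrites `$default` in place before it is handed to process_macro, so if policy_rules reads its arguments through `@_` rather than a `my (...) = @_` copy (the unpacking is outside the hunk), the caller's variable loses its `macro.` prefix after the first call; a copy avoids the question: `( my $macro = $default ) =~ s/^macro\.//;` and then `if ( $default =~ /^macro\./ ) { process_macro( $macro, $chainref, $macro, ... ) }`. The same value is passed as both the Macro and the Target argument, which looks intentional but deserves a one-line comment. The continuation lines of the process_macro call mix tab and space indentation (the Ports, Sports and Rate-through-Wildcard lines use spaces, the others tabs), and the blank line added before `log_rule` carries a trailing space.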
@@ -589,6 +622,7 @@ sub default_policy( $$$ ) {
 	    } else {
 		add_ijump $chainref,  g => $policyref;
 		$chainref = $policyref;
+		policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
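Review bot: The added `policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;` runs after `$chainref = $policyref`, so everything policy_rules emits — the macro expansion, the log rule and the final target — is appended to the shared policy chain; if that chain was already filled by policy_rules when it was created, this adds a second log rule and target to it. Worth confirming against the code that builds `$policyref`, and if the chain can already be populated, guarding on a flag set by that path rather than on the `macro.` prefix alone. default_policy's body and the branch this `else` belongs to continue outside the hunk.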
@@ -747,7 +781,7 @@ sub ensure_rules_chain( $ )
     $chainref = new_chain( 'filter', $chain ) unless $chainref;
 
     unless ( $chainref->{referenced} ) {
-	if ( $section =~/^(NEW|DONE)$/ ) {
+	if ( $section =~/^(NEW|DEFAULTACTION)$/ ) {
 	    finish_chain_section $chainref , 'ESTABLISHED,RELATED';
 	} elsif ( $section eq 'RELATED' ) {
 	    finish_chain_section $chainref , 'ESTABLISHED';
@@ -796,7 +830,7 @@ sub finish_chain_section ($$) {
 	if ( $chainref->{is_policy} ) {
 	    if ( $chainref->{synparams} ) {
 		my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
-		if ( $section eq 'DONE' ) {
+		if ( $section eq 'DEFAULTACTION' ) {
 		    if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
 			add_ijump $chainref, j => $synchainref, p => 'tcp --syn';
 		    }
@@ -1095,7 +1129,7 @@ sub merge_levels ($$) {
 sub find_macro( $ )
 {
     my $macro = $_[0];
-    my $macrofile = find_file "macro.$macro";
+    my $macrofile = find_file $macro =~ /^macro\./ ? $macro : "macro.$macro";
 
     if ( -f $macrofile ) {
 	$macros{$macro} = $macrofile;
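Review bot: With the new `find_file` line, a call that already carries the `macro.` prefix caches the file under `$macros{'macro.X'}` while a bare call caches it under `$macros{'X'}`, so one macro can end up with two cache entries and a later bare lookup (process_macro is given the stripped name in the policy_rules hunk) misses the prefixed one. Strip the prefix once and use the bare name for both the key and the file: `( my $name = $macro ) =~ s/^macro\.//;`, `my $macrofile = find_file "macro.$name";`, `$macros{$name} = $macrofile;`. That also removes the parenthesis-free ternary inside a list-operator argument, which parses as intended here but is easy to misread. The rest of find_macro (its return) is outside the hunk.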
@@ -1704,12 +1738,16 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
     my ( $basictarget, $param ) = get_target_param $action;
     my $rule = '';
     my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 5 ) : 0;
-    my $inaction = '';
+    my $inaction  = '';
+    my $inchain   = '';
     my $normalized_target;
     my $normalized_action;
     my $blacklist = ( $section eq 'BLACKLIST' );
 
-    ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref;
+    if ( defined $chainref ) {
+	$inchain = 1;
+	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
+    }
 
     $param = '' unless defined $param;
 
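Review bot: `$inchain` and `$inaction` now mean different things — the new flag says rules are generated straight into `$chainref`, while `$inaction` holds the action name only when that chain has an `action` entry and stays `''` otherwise — but nothing at the declarations says so, and the later hunks in this function switch the zone, section and REDIRECT checks from one to the other. Add a comment at the declarations, e.g. `# $inchain: generating directly into $chainref (set for any caller-supplied chain); $inaction: that chain's action name, '' when the chain has no action entry`. It is also worth checking whether `$inaction` is still read anywhere after this patch, since every use visible here was replaced by `$inchain`. process_rule1 continues outside the hunk.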
@@ -1848,8 +1886,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	      REDIRECT => sub () {
 		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
 		  if ( $dest eq '-' ) {
-		      $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
-		  } elsif ( $inaction ) {
+		      $dest = ( $inchain ) ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
+		  } elsif ( $inchain ) {
 		      $dest = ":$dest";
 		  } else {
 		      $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
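Review bot: The parentheses around `$inchain` in the added `$dest = ( $inchain ) ? '' : join( ... );` line are redundant and the neighbouring `elsif ( $inchain )` form is what the rest of this function uses for the same flag; `$dest = $inchain ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );` reads the same as the other replacements. The REDIRECT closure and process_rule1 both start outside the hunk.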
@@ -1900,7 +1938,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
     my $destref;
     my $origdstports;
 
-    unless ( $inaction ) {
+    unless ( $inchain ) {
 	if ( $source =~ /^(.+?):(.*)/ ) {
 	    fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq '';
 	    $sourcezone = $1;
@@ -1941,7 +1979,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	    }
 	}
     } else {
-	unless ( $inaction ) {
+	unless ( $inchain ) {
 	    fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
 	    fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
 	}
@@ -1949,7 +1987,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 
     my $restriction = NO_RESTRICT;
 
-    unless ( $inaction ) {
+    unless ( $inchain ) {
 	if ( $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) ) ) {
 	    $restriction = $destref && ( $destref->{type} & ( FIREWALL | VSERVER ) ) ? ALL_RESTRICT : OUTPUT_RESTRICT;
 	} else {
@@ -1967,9 +2005,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
     #
     my $chain;
 
-    if ( $inaction ) {
+    if ( $inchain ) {
         #
-        # We are generating rules in an action chain -- the chain name is the name of that action chain
+        # We are generating rules in a chain -- get its name
         #
 	$chain = $chainref->{name};
     } else {
@@ -2072,7 +2110,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		    );
     }
 
-    unless ( $section eq 'NEW' || $inaction ) {
+    unless ( $section eq 'NEW' || $inchain ) {
 	if ( $config{FASTACCEPT} ) {
 	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
 		$section eq 'BLACKLIST' ||
@@ -2094,7 +2132,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 			    $sports,
 			    $sourceref,
 			    ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
-			    $inaction ? $chain : '' ,
+			    $inchain ? $chain : '' ,
 			    $user ,
 			    $rule ,
 			  );
@@ -2506,7 +2544,7 @@ sub process_rules( $ ) {
 	clear_comment;
     }
 
-    $section = 'DONE';
+    $section = 'DEFAULTACTION';
 }
 
 1;