Added helpers:

tos	- to set the TOS of packets
dscp	- to set the DSCP field of packets (both raw and class)


Added optional rule parameters:

tos	- to match the TOS of packets
mark	- to match the MARK ID of packets
dscp	- to match the DSCP field of packets (both raw and class)


Added the following actions to the rule() function:

dscp

The rule() function already had support for TOS and MARK.
ktsaou 2004-10-31 02:21:02 +00:00
parent 25c21cdebb
commit 60969b571d
3 changed files with 610 additions and 274 deletions

@ -50,6 +50,7 @@ automatically. FireHOL is extremely easy to understand, configure and audit.
<ul>
<li><a href="#blacklist">blacklist</a>, setup a unidirectional or bidirectional blacklist</li>
<li><a href="#dnat">dnat</a>, setup a Destination NAT rule for routed traffic</li>
<li><a href="#dscp">dscp</a>, set the DSCP field in the packet header, to a raw value or a DiffServ class</li>
<li><a href="#iptables">iptables</a>, add some custom iptables commands to the firewall
<li><a href="#mac">mac</a>, setup a source mac address with IP match</li>
<li><a href="#mark">mark</a>, mark traffic for traffic shapping tools</li>
@ -58,6 +59,7 @@ automatically. FireHOL is extremely easy to understand, configure and audit.
<li><a href="#redirect">redirect</a>, setup a port redirection rule</li>
<li><a href="#snat">snat</a>, setup a Source NAT rule for routed traffic</li>
<li><a href="#tcpmss">tcpmss</a>, set the MSS of TCP SYN packets for routers</li>
<li><a href="#tos">tos</a>, set the Type of Service (TOS) field in the packet header</li>
<li><a href="#transparent_squid">transparent_squid</a>, setup a transparent squid proxy running on the firewall host</li>
<li><a href="#version">version</a>, require a specific version of FireHOL
</ul>
@ -77,26 +79,29 @@ automatically. FireHOL is extremely easy to understand, configure and audit.
</li>
<li><a href="#parameters">Optional Rule Parameters</a>
<ul>
<li><a href="#src">src</a>, set the source of traffic</li>
<li><a href="#dst">dst</a>, set the destination of traffic</li>
<li><a href="#inface">inface</a>, set the network interface traffic is received via</li>
<li><a href="#outface">outface</a>, set the network interface traffic is send via</li>
<li><a href="#physin">physin</a>, set the physical network interface (for bridges) traffic is received via</li>
<li><a href="#physout">physout</a>, set the physical network interface (for bridges) traffic is send via</li>
<li><a href="#custom">custom</a>, pass a few custom parameters to the generated iptables
statements</li>
<li><a href="#src">src</a>, match the source of traffic</li>
<li><a href="#dst">dst</a>, match the destination of traffic</li>
<li><a href="#inface">inface</a>, match the network interface traffic is received via</li>
<li><a href="#outface">outface</a>, match the network interface traffic is send via</li>
<li><a href="#physin">physin</a>, match the physical network interface (for bridges) traffic is received via</li>
<li><a href="#physout">physout</a>, match the physical network interface (for bridges) traffic is send via</li>
<li><a href="#custom">custom</a>, pass a few custom parameters to the generated iptables statements</li>
<li><a href="#log">log</a>, write something to the syslog when traffic is matched</li>
<li><a href="#loglimit">loglimit</a>, write (limited) something to the syslog when traffic is matched</li>
<li><a href="#proto">proto</a>, match a specific protocol</li>
<li><a href="#limit">limit</a>, limit the frequency traffic is matched</li>
<li><a href="#sport">sport</a>, set the source ports</li>
<li><a href="#dport">dport</a>, set the destination ports</li>
<li><a href="#uid">uid, user</a>, set the users sending this traffic</li>
<li><a href="#gid">gid, group</a>, set the user groups sending this traffic</li>
<li><a href="#pid">pid, process</a>, set the process IDs sending this traffic</li>
<li><a href="#sid">sid, session</a>, set the process session IDs sending this traffic</li>
<li><a href="#cmd">cmd, command</a>, set the command name sending this traffic</li>
<li><a href="#sport">sport</a>, match the source ports</li>
<li><a href="#dport">dport</a>, match the destination ports</li>
<li><a href="#uid">uid, user</a>, match the users sending this traffic</li>
<li><a href="#gid">gid, group</a>, match the user groups sending this traffic</li>
<li><a href="#pid">pid, process</a>, match the process IDs sending this traffic</li>
<li><a href="#sid">sid, session</a>, match the process session IDs sending this traffic</li>
<li><a href="#cmd">cmd, command</a>, match the command name sending this traffic</li>
<li><a href="#mac_param">mac</a>, match the source MAC address of packets.</li>
<li><a href="#mark_param">mark</a>, match the MARK ID of packets.</li>
<li><a href="#tos_param">tos</a>, match the Type of Service (TOS) of packets.</li>
<li><a href="#dscp_param">dscp</a>, match the DSCP raw value or DiffServ class value of packets.</li>
</ul>
&nbsp;
</li>
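Review bot: the rewritten `inface`, `outface`, `physin` and `physout` entries keep the pre-existing "traffic is send via"; since these lines are being changed anyway, make it "traffic is sent via". The four new entries (`mac`, `mark`, `tos`, `dscp`) also end with a period while no other item in this list does; drop the trailing periods so the list reads consistently.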
@ -407,6 +412,39 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
Example: <b>dnat to 1.1.1.1 inface eth0 src 2.2.2.2 dst 3.3.3.3</b>
<p>
<hr noshade size=1 width="100%">
<a name="dscp"><h3><b>dscp</b> <font color="red">&lt;NUMBER&gt;</font> <font color="red">&lt;WHERE&gt;</font> [optional rule parameters]</h3>
<br><h3><b>dscp</b> class <font color="red">&lt;CLASSID&gt;</font> <font color="red">&lt;WHERE&gt;</font> [optional rule parameters]</h3></a>
The <b>dscp</b> helper sets the DSCP field in the header of the packets matching the optional rule parameters.
<H4>Parameters</H4>
<ul>
<li> <b>NUMBER</b> is a decimal or hex (0xNN) number to set the DSCP field to.
<br>&nbsp;
</li>
<li> <b>CLASSID</b> is any of the iptables supported DiffServ class values (EF, BE, CSxx, AFxx - check <b>iptables -j DSCP --help</b> for more information).
<br>&nbsp;
</li>
<li> <b>WHERE</b> tells FireHOL where to search for the specific traffic to be marked.
<br>Currently, WHERE can be one of the build-in iptables chains attached to table <b>mangle</b>.
(for example: INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING - case does matter here).
<br>&nbsp;
</li>
<li> <b>optional rule parameters</b> is a set of rules that allow further restriction of the traffic that
gets matched by this rule. See <a href="#parameters">Optional Rules Parameters</a> for more information.
<br>&nbsp;
</li>
</ul>
<br>Example 1: <b>dscp 32 OUTPUT</b>, will set the DSCP field to 32 of all packets sent by the local machine.
<br>Example 2: <b>dscp 0x20 FORWARD</b>, will set DCSP to 0x20 (32) of all packets passing through the local machine.
<br>Example 3: <b>dscp class EF FORWARD proto tcp dport 25 dst 1.1.1.1 src 2.2.2.2</b>, will set DSCP to DeffServ class EF
for all packets sent by 2.2.2.2, passing through the local machine and targeting port TCP/25 of host 1.1.1.1.
<p>
<hr noshade size=1 width="100%">
<a name="iptables"><h3><b>iptables</b> <font color="red">&lt;arguments&gt;</font></h3></a>
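Review bot: the new dscp helper section has several wording errors: "build-in" should be "built-in", Example 2 writes "DCSP" for DSCP, Example 3 writes "DeffServ" for DiffServ, and the link text "Optional Rules Parameters" does not match the heading it points to ("Optional Rule Parameters"). The WHERE description says "traffic to be marked", which reads as copied from the mark helper; for this helper it should say the traffic whose DSCP field is to be set.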
@ -634,6 +672,35 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
<br>Example 2: <b>tcpmss 500</b>
<p>
<hr noshade size=1 width="100%">
<a name="tos"><h3><b>tos</b> <font color="red">&lt;NUMBER&gt;</font> <font color="red">&lt;WHERE&gt;</font> [optional rule parameters]</h3></a>
The <b>tos</b> helper sets the Type of Service (TOS) in packets.
<H4>Parameters</H4>
<ul>
<li> <b>NUMBER</b> is a number to set TOS to. FireHOL supports decimal numbers, hex numbers and the
descriptive values iptables supports. For more information see <b>iptables -j TOS --help</b>.
<br>&nbsp;
</li>
<li> <b>WHERE</b> tells FireHOL where to search for the specific traffic to be marked.
<br>Currently, WHERE can be one of the build-in iptables chains attached to table <b>mangle</b>.
(for example: INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING - case does matter here).
<br>&nbsp;
</li>
<li> <b>optional rule parameters</b> is a set of rules that allow further restriction of the traffic that
gets matched by this rule. See <a href="#parameters">Optional Rules Parameters</a> for more information.
<br>&nbsp;
</li>
</ul>
<br>Example 1: <b>tos 16 OUTPUT</b>, will set TOS to 16 for all packets sent by the local machine.
<br>Example 2: <b>tos 0x10 FORWARD</b>, will set TOS to 0x10 (16) for all packets passing through the local machine.
<br>Example 3: <b>tos Maximize-Throughput FORWARD proto tcp dport 25 dst 1.1.1.1 src 2.2.2.2</b>, will set TOS to Maximize-Throughput (8)
for all packets sent by 2.2.2.2, passing through the local machine and targeting port TCP/25 of host 1.1.1.1.
<p>
<hr noshade size=1 width="100%">
<a name="transparent_squid"><h3><b>transparent_squid</b> <font color="red">&lt;port&gt; &lt;user&gt;</font> [optional rule parameters]</h3></a>
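Review bot: the tos helper section carries the same copy-paste wording as the dscp section: "build-in" should be "built-in", the WHERE description talks about "traffic to be marked" where it should describe traffic whose TOS is to be set, and "Optional Rules Parameters" should read "Optional Rule Parameters" to match the anchor's heading.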
@ -1199,6 +1266,34 @@ about optional rule parameters that should not be used in certain commands.
(either address should be matched), while negative expressions are ANDed (none of the addresses should be matched).
<p>
<hr noshade size=1 width="100%">
<a name="mark_param"><h3><b>mark</b> [not] <font color="red">&lt;ID&gt;</font></h3></a>
<H4>Description</H4>
<b>mark</b> matches the traffic against the given IDs. This command accepts anything iptables accepts as MARKs (see <b>iptables -m mark --help</b>).
<p>
More than one MARK IDs can be given if separated by spaces and enclosed in quotes as a single argument to the mark parameter.
<p>
<hr noshade size=1 width="100%">
<a name="tos_param"><h3><b>tos</b> [not] <font color="red">&lt;ID&gt;</font></h3></a>
<H4>Description</H4>
<b>tos</b> matches the traffic against the given IDs. This command accepts anything iptables accepts as TOS (see <b>iptables -m tos --help</b>).
<p>
More than one IDs can be given if separated by spaces and enclosed in quotes as a single argument to the tos parameter.
<p>
<hr noshade size=1 width="100%">
<a name="dscp_param"><h3><b>dscp</b> [not] <font color="red">&lt;ID&gt;</font></h3>
<br><h3><b>dscp</b> [not] class <font color="red">&lt;ID&gt;</font></h3></a>
<H4>Description</H4>
<b>dscp</b> matches the traffic against the given DSCP IDs. This command accepts anything iptables accepts as DSCP (see <b>iptables -m dscp --help</b>).
<p>
More than one IDs can be given if separated by spaces and enclosed in quotes as a single argument.
<p>
<table border=0 cellpadding=10 cellspacing=0 width="100%"><tr bgcolor="#777777"><td align=center><font color="white"><b><big><a name="control_variables">Variables that control FireHOL</a></td</tr></table>
<p>
<a name="DEFAULT_INTERFACE_POLICY"><h3><b>DEFAULT_INTERFACE_POLICY</b></h3></a>
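Review bot: the headings for the new `tos` and `dscp` parameters show a single `<ID>` while the descriptions talk about "IDs", and "More than one IDs can be given" should read "More than one ID can be given" in all three entries. The `dscp` entry should also state that the `class` form takes DiffServ class names, as the `dscp` helper section does. Unrelated to the change but visible in the context: `</td</tr>` in the "Variables that control FireHOL" table row is a broken closing tag and is worth fixing while this file is being edited.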
@ -1437,7 +1532,7 @@ about optional rule parameters that should not be used in certain commands.
<tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&amp;type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle>
<small>$Id: commands.html,v 1.53 2004/10/30 22:04:17 ktsaou Exp $</small>
<small>$Id: commands.html,v 1.54 2004/10/31 02:21:02 ktsaou Exp $</small>
<p>
<b>FireHOL</b>, a firewall for humans...<br>
&copy; Copyright 2003

@ -2349,7 +2349,7 @@ All the services defined by name in FireHOL are known to resolve in <a href="htt
<tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&amp;type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle>
<small>$Id: services.html,v 1.57 2004/10/30 23:03:58 ktsaou Exp $</small>
<small>$Id: services.html,v 1.58 2004/10/31 02:21:02 ktsaou Exp $</small>
<p>
<b>FireHOL</b>, a firewall for humans...<br>
&copy; Copyright 2003

@ -10,7 +10,7 @@
#
# config: /etc/firehol/firehol.conf
#
# $Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $
# $Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
#
# Remember who you are.
@ -1925,6 +1925,63 @@ mark() {
return 0
}
tos_count=0
tos() {
work_realcmd_helper $FUNCNAME "$@"
set_work_function -ne "Initializing $FUNCNAME"
require_work clear || ( error "$FUNCNAME cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
local num="${1}"; shift
local where="${1}"; shift
test -z "${where}" && where=OUTPUT
tos_count=$[tos_count + 1]
set_work_function "Setting up rules for TOS"
create_chain mangle "tos.${tos_count}" "${where}" "$@" || return 1
iptables -t mangle -A "tos.${tos_count}" -j TOS --set-tos ${num}
return 0
}
dscp_count=0
dscp() {
work_realcmd=($FUNCNAME "$@")
set_work_function -ne "Initializing $FUNCNAME"
require_work clear || ( error "$FUNCNAME cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
local value="${1}"; shift
local class=""
if [ "${value}" = "class" ]
then
local value=""
local class="${1}"; shift
fi
local where="${1}"; shift
test -z "${where}" && where=OUTPUT
dscp_count=$[dscp_count + 1]
set_work_function "Setting up rules for setting DSCP"
create_chain mangle "dscp.${dscp_count}" "${where}" "$@" || return 1
if [ ! -z "${class}" ]
then
iptables -t mangle -A "dscp.${dscp_count}" -j DSCP --set-dscp-class ${class}
else
iptables -t mangle -A "dscp.${dscp_count}" -j DSCP --set-dscp ${value}
fi
return 0
}
tcpmss() {
work_realcmd_helper $FUNCNAME "$@"
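Review bot: `dscp()` records the command with `work_realcmd=($FUNCNAME "$@")` while `tos()` and the neighbouring `tcpmss()` use `work_realcmd_helper $FUNCNAME "$@"`; both new helpers should go through the helper so they are registered the same way as the existing ones. Two smaller points: `require_work clear || ( error "..."; return 1 )` runs `return` inside a subshell, so on failure the function prints the error and then keeps going and creates the chain anyway (the pattern exists elsewhere in the file, but new code should not copy it; `{ error "..."; return 1; }` would abort correctly), and `${num}`, `${value}` and `${class}` are interpolated unquoted into the iptables lines while `${where}` and the chain names are quoted.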
@ -2938,6 +2995,16 @@ rule() {
local cmd=any
local cmdnot=
local mark=any
local marknot=
local dscp=any
local dscptype=
local despnot=
local tos=any
local tosnot=
local log=
local logtxt=
local loglevel=
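Review bot: `local despnot=` is a typo for `dscpnot`, the name the parameter parser and the negative-rule code actually use; as written `dscpnot` is never declared local and is assigned as a global from inside `rule()`. The class form of the parameter also needs its variable declared here: only `dscptype` is declared, so whichever name the parser ends up setting for the `-class` suffix has to match this declaration.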
@ -3246,6 +3313,52 @@ rule() {
shift
;;
mark|MARK)
shift
marknot=
if [ "${1}" = "not" -o "${1}" = "NOT" ]
then
shift
marknot="!"
fi
test ${softwarnings} -eq 1 -a ! "${mark}" = "any" && softwarning "Overwritting param: mark '${mark}' becomes '${1}'"
mark="${1}"
shift
;;
tos|TOS)
shift
tosnot=
if [ "${1}" = "not" -o "${1}" = "NOT" ]
then
shift
tosnot="!"
fi
test ${softwarnings} -eq 1 -a ! "${tos}" = "any" && softwarning "Overwritting param: tos '${tos}' becomes '${1}'"
tos="${1}"
shift
;;
dscp|DSCP)
shift
dscpnot=
if [ "${1}" = "not" -o "${1}" = "NOT" ]
then
shift
dscpnot="!"
fi
test ${softwarnings} -eq 1 -a ! "${dscp}" = "any" && softwarning "Overwritting param: dscp '${dscp}' becomes '${1}'"
dscp="${1}"
shift
if [ "${dscp}" = "class" ]
then
dscpclass="-class"
dscp="${1}"
shift
fi
;;
action|ACTION)
test ${softwarnings} -eq 1 -a ! -z "${action}" && softwarning "Overwritting param: action '${action}' becomes '${2}'"
action="${2}"
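Review bot: in the `dscp|DSCP)` branch the class form sets `dscpclass="-class"`, but the negative and positive match code build the option as `--dscp${dscptype}`, and `dscptype` is the variable `rule()` declares; as written `dscp class EF` emits `-m dscp --dscp EF`, which iptables will reject, and `dscpclass` becomes an undeclared global. Set `dscptype="-class"` here, and reset `dscptype=` next to `dscpnot=` at the top of the branch so that a numeric `dscp` following a `dscp class` on the same rule does not inherit the suffix.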
@ -3405,6 +3518,29 @@ rule() {
fi
;;
dscp|DSCP)
action="DSCP"
if [ "${1}" = "to" ]
then
if [ "${2}" = "class" ]
then
local -a action_param=("--set-dscp-class" "${2}")
shift
else
local -a action_param=("--set-dscp" "${2}")
fi
shift 2
else
error "${action} requires a 'to' argument"
return 1
fi
if [ ! "A${table}" = "A-t mangle" ]
then
error "${action} must on a the 'mangle' table."
return 1
fi
;;
*)
chain_exists "${action}"
local action_is_chain=$?
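Review bot: in the `class` branch of the new `dscp|DSCP)` action, `action_param` is built from `"${2}"` before the extra `shift`, and at that point `${2}` is still the literal word `class`, so `dscp to class EF` produces `--set-dscp-class class` and the class name is dropped; use `"${3}"` there, or shift first and then read `"${2}"`. The error text "must on a the 'mangle' table" should read "must be used on the 'mangle' table".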
@ -3647,7 +3783,7 @@ rule() {
# ignore 'statenot' since it is negated in the positive rules
if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}" ]
if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}${marknot}${tosnot}${dscpnot}" ]
then
if [ ${action_is_chain} -eq 1 ]
then
@ -3864,6 +4000,40 @@ rule() {
cmd=any
fi
if [ ! -z "${marknot}" ]
then
local tmark=
for tmark in ${mark}
do
iptables ${table} -A "${negative_chain}" -m mark --mark "${tmark}" -j RETURN
done
marknot=
mark=any
fi
if [ ! -z "${tosnot}" ]
then
local ttos=
for ttos in ${tos}
do
iptables ${table} -A "${negative_chain}" -m tos --tos "${ttos}" -j RETURN
done
tosnot=
tos=any
fi
if [ ! -z "${dscpnot}" ]
then
local tdscp=
for tdscp in ${dscp}
do
iptables ${table} -A "${negative_chain}" -m dscp --dscp${dscptype} "${tdscp}" -j RETURN
done
dscp=any
dscpnot=
fi
# in case this is temporary chain we created for the negative expression,
# just make it have the final action of the rule.
if [ ! -z "${negative_action}" ]
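Review bot: the negative dscp rule uses `-m dscp --dscp${dscptype}`, so it only produces `--dscp-class` when `dscptype` is set to `-class`; the parameter parser must set that exact variable for the `not class` form to work. Minor: this block resets `dscp=any` before `dscpnot=`, the reverse of the mark and tos blocks just above it; keep the order the same in all three.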
@ -3892,6 +4062,7 @@ rule() {
# ----------------------------------------------------------------------------------
# Process the positive rules
# uid
local tuid=
for tuid in ${uid}
do
@ -3908,259 +4079,329 @@ rule() {
;;
esac
local tgid=
for tgid in ${gid}
do
local -a gid_arg=()
case ${tgid} in
any|ANY)
;;
*)
local -a owner_arg=("-m" "owner")
local -a gid_arg=("--gid-owner" "${tgid}")
;;
esac
# gid
local tgid=
for tgid in ${gid}
do
local -a gid_arg=()
local tpid=
for tpid in ${pid}
do
local -a pid_arg=()
case ${tpid} in
any|ANY)
;;
*)
local -a owner_arg=("-m" "owner")
local -a pid_arg=("--pid-owner" "${tpid}")
;;
esac
case ${tgid} in
any|ANY)
;;
local tsid=
for tsid in ${sid}
do
local -a sid_arg=()
case ${tsid} in
any|ANY)
;;
*)
local -a owner_arg=("-m" "owner")
local -a sid_arg=("--sid-owner" "${tsid}")
;;
esac
local tcmd=
for tcmd in ${cmd}
do
local -a cmd_arg=()
case ${tcmd} in
any|ANY)
;;
*)
local -a owner_arg=("-m" "owner")
local -a cmd_arg=("--cmd-owner" "${tcmd}")
;;
esac
local pr=
for pr in ${proto}
do
local -a proto_arg=()
case ${pr} in
any|ANY)
;;
*)
local -a proto_arg=("-p" "${pr}")
;;
esac
local inf=
for inf in ${inface}
do
local -a inf_arg=()
case ${inf} in
any|ANY)
;;
*)
local -a inf_arg=("-i" "${inf}")
;;
esac
local outf=
for outf in ${outface}
do
local -a outf_arg=()
case ${outf} in
any|ANY)
;;
*)
local -a outf_arg=("-o" "${outf}")
;;
esac
local inph=
for inph in ${physin}
do
local -a inph_arg=()
case ${inph} in
any|ANY)
;;
*)
local -a physdev_arg=("-m" "physdev")
local -a inph_arg=("--physdev-in" "${inph}")
;;
esac
local outph=
for outph in ${physout}
do
local -a outph_arg=()
case ${outph} in
any|ANY)
;;
*)
local -a physdev_arg=("-m" "physdev")
local -a outph_arg=("--physdev-out" "${outph}")
;;
esac
local sp=
for sp in ${sport}
do
local -a sp_arg=()
case ${sp} in
any|ANY)
;;
*)
local -a sp_arg=("--sport" "${sp}")
;;
esac
local dp=
for dp in ${dport}
do
local -a dp_arg=()
case ${dp} in
any|ANY)
;;
*)
local -a dp_arg=("--dport" "${dp}")
;;
esac
local mc=
for mc in ${mac}
do
local -a mc_arg=()
case ${mc} in
any|ANY)
;;
*)
local -a mc_arg=("-m" "mac" "--mac-source" "${mc}")
;;
esac
local s=
for s in ${src}
do
local -a s_arg=()
case ${s} in
any|ANY)
;;
*)
local -a s_arg=("-s" "${s}")
;;
esac
local d=
for d in ${dst}
do
local -a d_arg=()
case ${d} in
any|ANY)
;;
*)
local -a d_arg=("-d" "${d}")
;;
esac
local -a state_arg=()
if [ ! -z "${state}" ]
then
local -a state_arg=("-m" "state" "${statenot}" "--state" "${state}")
fi
local -a limit_arg=()
if [ ! -z "${limit}" ]
then
local -a limit_arg=("-m" "limit" "--limit" "${limit}" "--limit-burst" "${burst}")
fi
local -a iplimit_arg=()
if [ ! -z "${iplimit}" ]
then
local -a iplimit_arg=("-m" "iplimit" "--iplimit-above" "${iplimit}" "--iplimit-mask" "${iplimit_mask}")
fi
declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}")
local -a logopts_arg=()
if [ "${FIREHOL_LOG_MODE}" = "ULOG" ]
then
local -a logopts_arg=("--ulog-prefix='${logtxt}:'")
else
local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${logtxt}:'")
fi
case "${log}" in
'')
;;
limit)
iptables ${table} -A "${chain}" "${basecmd[@]}" ${custom} -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}"
;;
normal)
iptables ${table} -A "${chain}" "${basecmd[@]}" ${custom} -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}"
;;
*)
error "Unknown log value '${log}'."
;;
esac
rule_action_param "${action}" "${pr}" "${statenot}" "${state}" "${table}" "${action_param[@]}" -- ${table} -A "${chain}" "${basecmd[@]}" ${custom}
done # dst
done # src
done # mac
done # dport
done # sport
done # physout
done # physin
done # outface
done # inface
done # proto
done # cmd
done # sid
done # pid
done # gid
*)
local -a owner_arg=("-m" "owner")
local -a gid_arg=("--gid-owner" "${tgid}")
;;
esac
# pid
local tpid=
for tpid in ${pid}
do
local -a pid_arg=()
case ${tpid} in
any|ANY)
;;
*)
local -a owner_arg=("-m" "owner")
local -a pid_arg=("--pid-owner" "${tpid}")
;;
esac
# sid
local tsid=
for tsid in ${sid}
do
local -a sid_arg=()
case ${tsid} in
any|ANY)
;;
*)
local -a owner_arg=("-m" "owner")
local -a sid_arg=("--sid-owner" "${tsid}")
;;
esac
# cmd
local tcmd=
for tcmd in ${cmd}
do
local -a cmd_arg=()
case ${tcmd} in
any|ANY)
;;
*)
local -a owner_arg=("-m" "owner")
local -a cmd_arg=("--cmd-owner" "${tcmd}")
;;
esac
# mark
local tmark=
for tmark in ${mark}
do
local -a mark_arg=()
case ${tmark} in
any|ANY)
;;
*)
local -a mark_arg=("-m" "mark" "--mark" "${tmark}")
;;
esac
# tos
local ttos=
for ttos in ${tos}
do
local -a tos_arg=()
case ${ttos} in
any|ANY)
;;
*)
local -a tos_arg=("-m" "tos" "--tos" "${ttos}")
;;
esac
# dscp
local tdscp=
for tdscp in ${dscp}
do
local -a dscp_arg=()
case ${tdscp} in
any|ANY)
;;
*)
local -a dscp_arg=("-m" "dscp" "--dscp${dscptype}" "${tdscp}")
;;
esac
# proto
local pr=
for pr in ${proto}
do
local -a proto_arg=()
case ${pr} in
any|ANY)
;;
*)
local -a proto_arg=("-p" "${pr}")
;;
esac
# inface
local inf=
for inf in ${inface}
do
local -a inf_arg=()
case ${inf} in
any|ANY)
;;
*)
local -a inf_arg=("-i" "${inf}")
;;
esac
# outface
local outf=
for outf in ${outface}
do
local -a outf_arg=()
case ${outf} in
any|ANY)
;;
*)
local -a outf_arg=("-o" "${outf}")
;;
esac
# physin
local inph=
for inph in ${physin}
do
local -a inph_arg=()
case ${inph} in
any|ANY)
;;
*)
local -a physdev_arg=("-m" "physdev")
local -a inph_arg=("--physdev-in" "${inph}")
;;
esac
# physout
local outph=
for outph in ${physout}
do
local -a outph_arg=()
case ${outph} in
any|ANY)
;;
*)
local -a physdev_arg=("-m" "physdev")
local -a outph_arg=("--physdev-out" "${outph}")
;;
esac
# sport
local sp=
for sp in ${sport}
do
local -a sp_arg=()
case ${sp} in
any|ANY)
;;
*)
local -a sp_arg=("--sport" "${sp}")
;;
esac
# dport
local dp=
for dp in ${dport}
do
local -a dp_arg=()
case ${dp} in
any|ANY)
;;
*)
local -a dp_arg=("--dport" "${dp}")
;;
esac
# mac
local mc=
for mc in ${mac}
do
local -a mc_arg=()
case ${mc} in
any|ANY)
;;
*)
local -a mc_arg=("-m" "mac" "--mac-source" "${mc}")
;;
esac
# src
local s=
for s in ${src}
do
local -a s_arg=()
case ${s} in
any|ANY)
;;
*)
local -a s_arg=("-s" "${s}")
;;
esac
# dst
local d=
for d in ${dst}
do
local -a d_arg=()
case ${d} in
any|ANY)
;;
*)
local -a d_arg=("-d" "${d}")
;;
esac
# state
local -a state_arg=()
if [ ! -z "${state}" ]
then
local -a state_arg=("-m" "state" "${statenot}" "--state" "${state}")
fi
# limit
local -a limit_arg=()
if [ ! -z "${limit}" ]
then
local -a limit_arg=("-m" "limit" "--limit" "${limit}" "--limit-burst" "${burst}")
fi
# iplimit
local -a iplimit_arg=()
if [ ! -z "${iplimit}" ]
then
local -a iplimit_arg=("-m" "iplimit" "--iplimit-above" "${iplimit}" "--iplimit-mask" "${iplimit_mask}")
fi
# build the command
declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}")
# log mode selection
local -a logopts_arg=()
if [ "${FIREHOL_LOG_MODE}" = "ULOG" ]
then
local -a logopts_arg=("--ulog-prefix='${logtxt}:'")
else
local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${logtxt}:'")
fi
# log / loglimit
case "${log}" in
'')
;;
limit)
iptables ${table} -A "${chain}" "${basecmd[@]}" ${custom} -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}"
;;
normal)
iptables ${table} -A "${chain}" "${basecmd[@]}" ${custom} -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}"
;;
*)
error "Unknown log value '${log}'."
;;
esac
# do it!
rule_action_param "${action}" "${pr}" "${statenot}" "${state}" "${table}" "${action_param[@]}" -- ${table} -A "${chain}" "${basecmd[@]}" ${custom}
done # dst
done # src
done # mac
done # dport
done # sport
done # physout
done # physin
done # outface
done # inface
done # proto
done # dscp
done # tos
done # mark
done # cmd
done # sid
done # pid
done # gid
done # uid
test ${failed} -gt 0 && error "There are ${failed} failed commands." && return 1
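Review bot: the functional change in this hunk (the new `# mark`, `# tos` and `# dscp` loops, their three `done` closers, and the three extra arrays appended to `basecmd`) is buried in a whitespace-only reindent and re-commenting of the whole positive-rule block, which is why the rendered diff shows the entire block as removed and re-added; splitting the reindent into its own commit would leave a reviewable diff of a few dozen lines. The loop nesting itself is consistent (opened as mark, tos, dscp between cmd and proto, closed as `done # dscp`, `done # tos`, `done # mark`). The positive dscp match has the same `--dscp${dscptype}` dependency as the negative one, so `dscptype` has to be the variable the parser sets for the class form.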
@ -4707,7 +4948,7 @@ case "${arg}" in
else
${CAT_CMD} <<EOF
$Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $
$Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
@ -4893,7 +5134,7 @@ then
${CAT_CMD} <<EOF
$Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $
$Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
@ -5187,7 +5428,7 @@ then
${CAT_CMD} >&2 <<EOF
$Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $
$Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
@ -5270,7 +5511,7 @@ EOF
echo "# "
${CAT_CMD} <<EOF
# $Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $
# $Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
# (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
# FireHOL is distributed under GPL.
# Home Page: http://firehol.sourceforge.net