Added helpers:

tos	- to set the TOS of packets
dscp	- to set the DSCP field of packets (both raw and class)


Added optional rule parameters:

tos	- to match the TOS of packets
mark	- to match the MARK ID of packets
dscp	- to match the DSCP field of packets (both raw and class)


Added the following actions to the rule() function:

dscp

The rule() function already had support for TOS and MARK.
This commit is contained in:
ktsaou 2004-10-31 02:21:02 +00:00
parent 25c21cdebb
commit 60969b571d
3 changed files with 610 additions and 274 deletions

@ -50,6 +50,7 @@ automatically. FireHOL is extremely easy to understand, configure and audit.
<ul> <ul>
<li><a href="#blacklist">blacklist</a>, setup a unidirectional or bidirectional blacklist</li> <li><a href="#blacklist">blacklist</a>, setup a unidirectional or bidirectional blacklist</li>
<li><a href="#dnat">dnat</a>, setup a Destination NAT rule for routed traffic</li> <li><a href="#dnat">dnat</a>, setup a Destination NAT rule for routed traffic</li>
<li><a href="#dscp">dscp</a>, set the DSCP field in the packet header, to a raw value or a DiffServ class</li>
<li><a href="#iptables">iptables</a>, add some custom iptables commands to the firewall <li><a href="#iptables">iptables</a>, add some custom iptables commands to the firewall
<li><a href="#mac">mac</a>, setup a source mac address with IP match</li> <li><a href="#mac">mac</a>, setup a source mac address with IP match</li>
<li><a href="#mark">mark</a>, mark traffic for traffic shapping tools</li> <li><a href="#mark">mark</a>, mark traffic for traffic shapping tools</li>
@ -58,6 +59,7 @@ automatically. FireHOL is extremely easy to understand, configure and audit.
<li><a href="#redirect">redirect</a>, setup a port redirection rule</li> <li><a href="#redirect">redirect</a>, setup a port redirection rule</li>
<li><a href="#snat">snat</a>, setup a Source NAT rule for routed traffic</li> <li><a href="#snat">snat</a>, setup a Source NAT rule for routed traffic</li>
<li><a href="#tcpmss">tcpmss</a>, set the MSS of TCP SYN packets for routers</li> <li><a href="#tcpmss">tcpmss</a>, set the MSS of TCP SYN packets for routers</li>
<li><a href="#tos">tos</a>, set the Type of Service (TOS) field in the packet header</li>
<li><a href="#transparent_squid">transparent_squid</a>, setup a transparent squid proxy running on the firewall host</li> <li><a href="#transparent_squid">transparent_squid</a>, setup a transparent squid proxy running on the firewall host</li>
<li><a href="#version">version</a>, require a specific version of FireHOL <li><a href="#version">version</a>, require a specific version of FireHOL
</ul> </ul>
@ -77,26 +79,29 @@ automatically. FireHOL is extremely easy to understand, configure and audit.
</li> </li>
<li><a href="#parameters">Optional Rule Parameters</a> <li><a href="#parameters">Optional Rule Parameters</a>
<ul> <ul>
<li><a href="#src">src</a>, set the source of traffic</li> <li><a href="#src">src</a>, match the source of traffic</li>
<li><a href="#dst">dst</a>, set the destination of traffic</li> <li><a href="#dst">dst</a>, match the destination of traffic</li>
<li><a href="#inface">inface</a>, set the network interface traffic is received via</li> <li><a href="#inface">inface</a>, match the network interface traffic is received via</li>
<li><a href="#outface">outface</a>, set the network interface traffic is send via</li> <li><a href="#outface">outface</a>, match the network interface traffic is send via</li>
<li><a href="#physin">physin</a>, set the physical network interface (for bridges) traffic is received via</li> <li><a href="#physin">physin</a>, match the physical network interface (for bridges) traffic is received via</li>
<li><a href="#physout">physout</a>, set the physical network interface (for bridges) traffic is send via</li> <li><a href="#physout">physout</a>, match the physical network interface (for bridges) traffic is send via</li>
<li><a href="#custom">custom</a>, pass a few custom parameters to the generated iptables <li><a href="#custom">custom</a>, pass a few custom parameters to the generated iptables statements</li>
statements</li>
<li><a href="#log">log</a>, write something to the syslog when traffic is matched</li> <li><a href="#log">log</a>, write something to the syslog when traffic is matched</li>
<li><a href="#loglimit">loglimit</a>, write (limited) something to the syslog when traffic is matched</li> <li><a href="#loglimit">loglimit</a>, write (limited) something to the syslog when traffic is matched</li>
<li><a href="#proto">proto</a>, match a specific protocol</li> <li><a href="#proto">proto</a>, match a specific protocol</li>
<li><a href="#limit">limit</a>, limit the frequency traffic is matched</li> <li><a href="#limit">limit</a>, limit the frequency traffic is matched</li>
<li><a href="#sport">sport</a>, set the source ports</li> <li><a href="#sport">sport</a>, match the source ports</li>
<li><a href="#dport">dport</a>, set the destination ports</li> <li><a href="#dport">dport</a>, match the destination ports</li>
<li><a href="#uid">uid, user</a>, set the users sending this traffic</li> <li><a href="#uid">uid, user</a>, match the users sending this traffic</li>
<li><a href="#gid">gid, group</a>, set the user groups sending this traffic</li> <li><a href="#gid">gid, group</a>, match the user groups sending this traffic</li>
<li><a href="#pid">pid, process</a>, set the process IDs sending this traffic</li> <li><a href="#pid">pid, process</a>, match the process IDs sending this traffic</li>
<li><a href="#sid">sid, session</a>, set the process session IDs sending this traffic</li> <li><a href="#sid">sid, session</a>, match the process session IDs sending this traffic</li>
<li><a href="#cmd">cmd, command</a>, set the command name sending this traffic</li> <li><a href="#cmd">cmd, command</a>, match the command name sending this traffic</li>
<li><a href="#mac_param">mac</a>, match the source MAC address of packets.</li> <li><a href="#mac_param">mac</a>, match the source MAC address of packets.</li>
<li><a href="#mark_param">mark</a>, match the MARK ID of packets.</li>
<li><a href="#tos_param">tos</a>, match the Type of Service (TOS) of packets.</li>
<li><a href="#dscp_param">dscp</a>, match the DSCP raw value or DiffServ class value of packets.</li>
</ul> </ul>
&nbsp; &nbsp;
</li> </li>
@ -407,6 +412,39 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
Example: <b>dnat to 1.1.1.1 inface eth0 src 2.2.2.2 dst 3.3.3.3</b> Example: <b>dnat to 1.1.1.1 inface eth0 src 2.2.2.2 dst 3.3.3.3</b>
<p> <p>
<hr noshade size=1 width="100%">
<a name="dscp"><h3><b>dscp</b> <font color="red">&lt;NUMBER&gt;</font> <font color="red">&lt;WHERE&gt;</font> [optional rule parameters]</h3>
<br><h3><b>dscp</b> class <font color="red">&lt;CLASSID&gt;</font> <font color="red">&lt;WHERE&gt;</font> [optional rule parameters]</h3></a>
The <b>dscp</b> helper sets the DSCP field in the header of the packets matching the optional rule parameters.
<H4>Parameters</H4>
<ul>
<li> <b>NUMBER</b> is a decimal or hex (0xNN) number to set the DSCP field to.
<br>&nbsp;
</li>
<li> <b>CLASSID</b> is any of the iptables supported DiffServ class values (EF, BE, CSxx, AFxx - check <b>iptables -j DSCP --help</b> for more information).
<br>&nbsp;
</li>
<li> <b>WHERE</b> tells FireHOL where to search for the specific traffic to be marked.
<br>Currently, WHERE can be one of the build-in iptables chains attached to table <b>mangle</b>.
(for example: INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING - case does matter here).
<br>&nbsp;
</li>
<li> <b>optional rule parameters</b> is a set of rules that allow further restriction of the traffic that
gets matched by this rule. See <a href="#parameters">Optional Rules Parameters</a> for more information.
<br>&nbsp;
</li>
</ul>
<br>Example 1: <b>dscp 32 OUTPUT</b>, will set the DSCP field to 32 of all packets sent by the local machine.
<br>Example 2: <b>dscp 0x20 FORWARD</b>, will set DCSP to 0x20 (32) of all packets passing through the local machine.
<br>Example 3: <b>dscp class EF FORWARD proto tcp dport 25 dst 1.1.1.1 src 2.2.2.2</b>, will set DSCP to DeffServ class EF
for all packets sent by 2.2.2.2, passing through the local machine and targeting port TCP/25 of host 1.1.1.1.
<p>
<hr noshade size=1 width="100%"> <hr noshade size=1 width="100%">
<a name="iptables"><h3><b>iptables</b> <font color="red">&lt;arguments&gt;</font></h3></a> <a name="iptables"><h3><b>iptables</b> <font color="red">&lt;arguments&gt;</font></h3></a>
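Review bot: The new text has three typos that should be fixed before this ships: "build-in" should be "built-in", "DCSP" in Example 2 should be "DSCP", and "DeffServ" in Example 3 should be "DiffServ". The WHERE parameter is also rendered in red as mandatory, but the dscp() helper in firehol.sh falls back to OUTPUT when it is omitted (`test -z "${where}" && where=OUTPUT`); either document the default or drop the fallback so the manual and the code agree. Finally, "where to search for the specific traffic to be marked" was copied from the mark helper; here the traffic is not marked, its DSCP field is rewritten.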
@ -634,6 +672,35 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
<br>Example 2: <b>tcpmss 500</b> <br>Example 2: <b>tcpmss 500</b>
<p> <p>
<hr noshade size=1 width="100%">
<a name="tos"><h3><b>tos</b> <font color="red">&lt;NUMBER&gt;</font> <font color="red">&lt;WHERE&gt;</font> [optional rule parameters]</h3></a>
The <b>tos</b> helper sets the Type of Service (TOS) in packets.
<H4>Parameters</H4>
<ul>
<li> <b>NUMBER</b> is a number to set TOS to. FireHOL supports decimal numbers, hex numbers and the
descriptive values iptables supports. For more information see <b>iptables -j TOS --help</b>.
<br>&nbsp;
</li>
<li> <b>WHERE</b> tells FireHOL where to search for the specific traffic to be marked.
<br>Currently, WHERE can be one of the build-in iptables chains attached to table <b>mangle</b>.
(for example: INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING - case does matter here).
<br>&nbsp;
</li>
<li> <b>optional rule parameters</b> is a set of rules that allow further restriction of the traffic that
gets matched by this rule. See <a href="#parameters">Optional Rules Parameters</a> for more information.
<br>&nbsp;
</li>
</ul>
<br>Example 1: <b>tos 16 OUTPUT</b>, will set TOS to 16 for all packets sent by the local machine.
<br>Example 2: <b>tos 0x10 FORWARD</b>, will set TOS to 0x10 (16) for all packets passing through the local machine.
<br>Example 3: <b>tos Maximize-Throughput FORWARD proto tcp dport 25 dst 1.1.1.1 src 2.2.2.2</b>, will set TOS to Maximize-Throughput (8)
for all packets sent by 2.2.2.2, passing through the local machine and targeting port TCP/25 of host 1.1.1.1.
<p>
<hr noshade size=1 width="100%"> <hr noshade size=1 width="100%">
<a name="transparent_squid"><h3><b>transparent_squid</b> <font color="red">&lt;port&gt; &lt;user&gt;</font> [optional rule parameters]</h3></a> <a name="transparent_squid"><h3><b>transparent_squid</b> <font color="red">&lt;port&gt; &lt;user&gt;</font> [optional rule parameters]</h3></a>
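Review bot: Same wording problems as the dscp section above: "build-in" should be "built-in", and the WHERE description still says "traffic to be marked" although this helper sets the TOS field rather than a mark. WHERE is again documented as mandatory while tos() silently defaults it to OUTPUT; state the default here or remove it from the code.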
@ -1199,6 +1266,34 @@ about optional rule parameters that should not be used in certain commands.
(either address should be matched), while negative expressions are ANDed (none of the addresses should be matched). (either address should be matched), while negative expressions are ANDed (none of the addresses should be matched).
<p> <p>
<hr noshade size=1 width="100%">
<a name="mark_param"><h3><b>mark</b> [not] <font color="red">&lt;ID&gt;</font></h3></a>
<H4>Description</H4>
<b>mark</b> matches the traffic against the given IDs. This command accepts anything iptables accepts as MARKs (see <b>iptables -m mark --help</b>).
<p>
More than one MARK IDs can be given if separated by spaces and enclosed in quotes as a single argument to the mark parameter.
<p>
<hr noshade size=1 width="100%">
<a name="tos_param"><h3><b>tos</b> [not] <font color="red">&lt;ID&gt;</font></h3></a>
<H4>Description</H4>
<b>tos</b> matches the traffic against the given IDs. This command accepts anything iptables accepts as TOS (see <b>iptables -m tos --help</b>).
<p>
More than one IDs can be given if separated by spaces and enclosed in quotes as a single argument to the tos parameter.
<p>
<hr noshade size=1 width="100%">
<a name="dscp_param"><h3><b>dscp</b> [not] <font color="red">&lt;ID&gt;</font></h3>
<br><h3><b>dscp</b> [not] class <font color="red">&lt;ID&gt;</font></h3></a>
<H4>Description</H4>
<b>dscp</b> matches the traffic against the given DSCP IDs. This command accepts anything iptables accepts as DSCP (see <b>iptables -m dscp --help</b>).
<p>
More than one IDs can be given if separated by spaces and enclosed in quotes as a single argument.
<p>
<table border=0 cellpadding=10 cellspacing=0 width="100%"><tr bgcolor="#777777"><td align=center><font color="white"><b><big><a name="control_variables">Variables that control FireHOL</a></td</tr></table> <table border=0 cellpadding=10 cellspacing=0 width="100%"><tr bgcolor="#777777"><td align=center><font color="white"><b><big><a name="control_variables">Variables that control FireHOL</a></td</tr></table>
<p> <p>
<a name="DEFAULT_INTERFACE_POLICY"><h3><b>DEFAULT_INTERFACE_POLICY</b></h3></a> <a name="DEFAULT_INTERFACE_POLICY"><h3><b>DEFAULT_INTERFACE_POLICY</b></h3></a>
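Review bot: The `dscp [not] class <ID>` form documented here does not work as committed: the rule() parser stores the class flag in `dscpclass`, but both matcher sites expand `${dscptype}`, so the `-class` suffix never reaches `-m dscp`. Fix the variable name in firehol.sh before documenting the form. Grammar: "More than one MARK IDs" and "More than one IDs" should read "More than one ID".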
@ -1437,7 +1532,7 @@ about optional rule parameters that should not be used in certain commands.
<tr><td align=center valign=middle> <tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&amp;type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A> <A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&amp;type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle> </td><td align=center valign=middle>
<small>$Id: commands.html,v 1.53 2004/10/30 22:04:17 ktsaou Exp $</small> <small>$Id: commands.html,v 1.54 2004/10/31 02:21:02 ktsaou Exp $</small>
<p> <p>
<b>FireHOL</b>, a firewall for humans...<br> <b>FireHOL</b>, a firewall for humans...<br>
&copy; Copyright 2003 &copy; Copyright 2003

@ -2349,7 +2349,7 @@ All the services defined by name in FireHOL are known to resolve in <a href="htt
<tr><td align=center valign=middle> <tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&amp;type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A> <A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&amp;type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle> </td><td align=center valign=middle>
<small>$Id: services.html,v 1.57 2004/10/30 23:03:58 ktsaou Exp $</small> <small>$Id: services.html,v 1.58 2004/10/31 02:21:02 ktsaou Exp $</small>
<p> <p>
<b>FireHOL</b>, a firewall for humans...<br> <b>FireHOL</b>, a firewall for humans...<br>
&copy; Copyright 2003 &copy; Copyright 2003

@ -10,7 +10,7 @@
# #
# config: /etc/firehol/firehol.conf # config: /etc/firehol/firehol.conf
# #
# $Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $ # $Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
# #
# Remember who you are. # Remember who you are.
@ -1925,6 +1925,63 @@ mark() {
return 0 return 0
} }
tos_count=0
tos() {
work_realcmd_helper $FUNCNAME "$@"
set_work_function -ne "Initializing $FUNCNAME"
require_work clear || ( error "$FUNCNAME cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
local num="${1}"; shift
local where="${1}"; shift
test -z "${where}" && where=OUTPUT
tos_count=$[tos_count + 1]
set_work_function "Setting up rules for TOS"
create_chain mangle "tos.${tos_count}" "${where}" "$@" || return 1
iptables -t mangle -A "tos.${tos_count}" -j TOS --set-tos ${num}
return 0
}
dscp_count=0
dscp() {
work_realcmd=($FUNCNAME "$@")
set_work_function -ne "Initializing $FUNCNAME"
require_work clear || ( error "$FUNCNAME cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
local value="${1}"; shift
local class=""
if [ "${value}" = "class" ]
then
local value=""
local class="${1}"; shift
fi
local where="${1}"; shift
test -z "${where}" && where=OUTPUT
dscp_count=$[dscp_count + 1]
set_work_function "Setting up rules for setting DSCP"
create_chain mangle "dscp.${dscp_count}" "${where}" "$@" || return 1
if [ ! -z "${class}" ]
then
iptables -t mangle -A "dscp.${dscp_count}" -j DSCP --set-dscp-class ${class}
else
iptables -t mangle -A "dscp.${dscp_count}" -j DSCP --set-dscp ${value}
fi
return 0
}
tcpmss() { tcpmss() {
work_realcmd_helper $FUNCNAME "$@" work_realcmd_helper $FUNCNAME "$@"
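Review bot: dscp() assigns `work_realcmd=($FUNCNAME "$@")` directly while tos() immediately above it calls `work_realcmd_helper $FUNCNAME "$@"`; use the helper in both. In both functions the guard `require_work clear || ( error "..."; return 1 )` executes `return 1` inside a subshell, so it only ends the subshell and the function continues into create_chain and the iptables call anyway; write it as `{ error "..."; return 1; }`. Also, `${num}`, `${value}` and `${class}` are passed to iptables unquoted, and the OUTPUT default applied to `where` is not mentioned in commands.html.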
@ -2938,6 +2995,16 @@ rule() {
local cmd=any local cmd=any
local cmdnot= local cmdnot=
local mark=any
local marknot=
local dscp=any
local dscptype=
local despnot=
local tos=any
local tosnot=
local log= local log=
local logtxt= local logtxt=
local loglevel= local loglevel=
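Review bot: `local despnot=` is a typo for `local dscpnot=`. As written, `dscpnot` (assigned in the parser and tested in the negative-expression check further down) is never declared local, so it becomes a global that survives between rule() invocations; a rule that fails before the `dscpnot=` reset in the negative block would carry `!` into the next rule. Rename the declaration.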
@ -3246,6 +3313,52 @@ rule() {
shift shift
;; ;;
mark|MARK)
shift
marknot=
if [ "${1}" = "not" -o "${1}" = "NOT" ]
then
shift
marknot="!"
fi
test ${softwarnings} -eq 1 -a ! "${mark}" = "any" && softwarning "Overwritting param: mark '${mark}' becomes '${1}'"
mark="${1}"
shift
;;
tos|TOS)
shift
tosnot=
if [ "${1}" = "not" -o "${1}" = "NOT" ]
then
shift
tosnot="!"
fi
test ${softwarnings} -eq 1 -a ! "${tos}" = "any" && softwarning "Overwritting param: tos '${tos}' becomes '${1}'"
tos="${1}"
shift
;;
dscp|DSCP)
shift
dscpnot=
if [ "${1}" = "not" -o "${1}" = "NOT" ]
then
shift
dscpnot="!"
fi
test ${softwarnings} -eq 1 -a ! "${dscp}" = "any" && softwarning "Overwritting param: dscp '${dscp}' becomes '${1}'"
dscp="${1}"
shift
if [ "${dscp}" = "class" ]
then
dscpclass="-class"
dscp="${1}"
shift
fi
;;
action|ACTION) action|ACTION)
test ${softwarnings} -eq 1 -a ! -z "${action}" && softwarning "Overwritting param: action '${action}' becomes '${2}'" test ${softwarnings} -eq 1 -a ! -z "${action}" && softwarning "Overwritting param: action '${action}' becomes '${2}'"
action="${2}" action="${2}"
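Review bot: The `class` branch sets `dscpclass="-class"`, but the matchers expand `${dscptype}` (`--dscp${dscptype}`), so `dscp class EF` is emitted as `-m dscp --dscp EF`, which iptables rejects because `--dscp` takes a numeric value; assign `dscptype="-class"` here, and reset `dscptype=` at the top of the case alongside `dscpnot=` so a later plain `dscp 32` in the same rule does not inherit the suffix. Minor: the overwrite softwarning prints `'${1}'`, which in the class form is the literal word `class` rather than the new value.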
@ -3405,6 +3518,29 @@ rule() {
fi fi
;; ;;
dscp|DSCP)
action="DSCP"
if [ "${1}" = "to" ]
then
if [ "${2}" = "class" ]
then
local -a action_param=("--set-dscp-class" "${2}")
shift
else
local -a action_param=("--set-dscp" "${2}")
fi
shift 2
else
error "${action} requires a 'to' argument"
return 1
fi
if [ ! "A${table}" = "A-t mangle" ]
then
error "${action} must on a the 'mangle' table."
return 1
fi
;;
*) *)
chain_exists "${action}" chain_exists "${action}"
local action_is_chain=$? local action_is_chain=$?
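Review bot: In the `class` branch `action_param` is built from `"${2}"`, which at that point is the word `class`, not the class name; capture `"${3}"` before shifting (the total of three shifts is correct, only the value is wrong). The error text "must on a the 'mangle' table." should read "must be used on the 'mangle' table." The commit message says rule() gained a dscp action, but no hunk in commands.html documents `dscp to <value>` or `dscp to class <CLASS>`; add that section.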
@ -3647,7 +3783,7 @@ rule() {
# ignore 'statenot' since it is negated in the positive rules # ignore 'statenot' since it is negated in the positive rules
if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}" ] if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}${marknot}${tosnot}${dscpnot}" ]
then then
if [ ${action_is_chain} -eq 1 ] if [ ${action_is_chain} -eq 1 ]
then then
@ -3864,6 +4000,40 @@ rule() {
cmd=any cmd=any
fi fi
if [ ! -z "${marknot}" ]
then
local tmark=
for tmark in ${mark}
do
iptables ${table} -A "${negative_chain}" -m mark --mark "${tmark}" -j RETURN
done
marknot=
mark=any
fi
if [ ! -z "${tosnot}" ]
then
local ttos=
for ttos in ${tos}
do
iptables ${table} -A "${negative_chain}" -m tos --tos "${ttos}" -j RETURN
done
tosnot=
tos=any
fi
if [ ! -z "${dscpnot}" ]
then
local tdscp=
for tdscp in ${dscp}
do
iptables ${table} -A "${negative_chain}" -m dscp --dscp${dscptype} "${tdscp}" -j RETURN
done
dscp=any
dscpnot=
fi
# in case this is temporary chain we created for the negative expression, # in case this is temporary chain we created for the negative expression,
# just make it have the final action of the rule. # just make it have the final action of the rule.
if [ ! -z "${negative_action}" ] if [ ! -z "${negative_action}" ]
@ -3892,6 +4062,7 @@ rule() {
# ---------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------
# Process the positive rules # Process the positive rules
# uid
local tuid= local tuid=
for tuid in ${uid} for tuid in ${uid}
do do
@ -3908,259 +4079,329 @@ rule() {
;; ;;
esac esac
local tgid= # gid
for tgid in ${gid} local tgid=
do for tgid in ${gid}
local -a gid_arg=() do
local -a gid_arg=()
case ${tgid} in
any|ANY)
;;
*)
local -a owner_arg=("-m" "owner")
local -a gid_arg=("--gid-owner" "${tgid}")
;;
esac
local tpid= case ${tgid} in
for tpid in ${pid} any|ANY)
do ;;
local -a pid_arg=()
case ${tpid} in
any|ANY)
;;
*)
local -a owner_arg=("-m" "owner")
local -a pid_arg=("--pid-owner" "${tpid}")
;;
esac
local tsid= *)
for tsid in ${sid} local -a owner_arg=("-m" "owner")
do local -a gid_arg=("--gid-owner" "${tgid}")
local -a sid_arg=() ;;
esac
case ${tsid} in
any|ANY) # pid
;; local tpid=
for tpid in ${pid}
*) do
local -a owner_arg=("-m" "owner") local -a pid_arg=()
local -a sid_arg=("--sid-owner" "${tsid}")
;; case ${tpid} in
esac any|ANY)
;;
local tcmd=
for tcmd in ${cmd} *)
do local -a owner_arg=("-m" "owner")
local -a cmd_arg=() local -a pid_arg=("--pid-owner" "${tpid}")
;;
case ${tcmd} in esac
any|ANY)
;; # sid
local tsid=
*) for tsid in ${sid}
local -a owner_arg=("-m" "owner") do
local -a cmd_arg=("--cmd-owner" "${tcmd}") local -a sid_arg=()
;;
esac case ${tsid} in
any|ANY)
local pr= ;;
for pr in ${proto}
do *)
local -a proto_arg=() local -a owner_arg=("-m" "owner")
local -a sid_arg=("--sid-owner" "${tsid}")
case ${pr} in ;;
any|ANY) esac
;;
# cmd
*) local tcmd=
local -a proto_arg=("-p" "${pr}") for tcmd in ${cmd}
;; do
esac local -a cmd_arg=()
local inf= case ${tcmd} in
for inf in ${inface} any|ANY)
do ;;
local -a inf_arg=()
case ${inf} in *)
any|ANY) local -a owner_arg=("-m" "owner")
;; local -a cmd_arg=("--cmd-owner" "${tcmd}")
;;
*) esac
local -a inf_arg=("-i" "${inf}")
;; # mark
esac local tmark=
for tmark in ${mark}
local outf= do
for outf in ${outface} local -a mark_arg=()
do
local -a outf_arg=() case ${tmark} in
case ${outf} in any|ANY)
any|ANY) ;;
;;
*)
*) local -a mark_arg=("-m" "mark" "--mark" "${tmark}")
local -a outf_arg=("-o" "${outf}") ;;
;; esac
esac
# tos
local inph= local ttos=
for inph in ${physin} for ttos in ${tos}
do do
local -a inph_arg=() local -a tos_arg=()
case ${inph} in
any|ANY) case ${ttos} in
;; any|ANY)
;;
*)
local -a physdev_arg=("-m" "physdev") *)
local -a inph_arg=("--physdev-in" "${inph}") local -a tos_arg=("-m" "tos" "--tos" "${ttos}")
;; ;;
esac esac
local outph= # dscp
for outph in ${physout} local tdscp=
do for tdscp in ${dscp}
local -a outph_arg=() do
case ${outph} in local -a dscp_arg=()
any|ANY)
;; case ${tdscp} in
any|ANY)
*) ;;
local -a physdev_arg=("-m" "physdev")
local -a outph_arg=("--physdev-out" "${outph}") *)
;; local -a dscp_arg=("-m" "dscp" "--dscp${dscptype}" "${tdscp}")
esac ;;
esac
local sp=
for sp in ${sport} # proto
do local pr=
local -a sp_arg=() for pr in ${proto}
case ${sp} in do
any|ANY) local -a proto_arg=()
;;
case ${pr} in
*) any|ANY)
local -a sp_arg=("--sport" "${sp}") ;;
;;
esac *)
local -a proto_arg=("-p" "${pr}")
local dp= ;;
for dp in ${dport} esac
do
local -a dp_arg=() # inface
case ${dp} in local inf=
any|ANY) for inf in ${inface}
;; do
local -a inf_arg=()
*) case ${inf} in
local -a dp_arg=("--dport" "${dp}") any|ANY)
;; ;;
esac
*)
local mc= local -a inf_arg=("-i" "${inf}")
for mc in ${mac} ;;
do esac
local -a mc_arg=()
case ${mc} in # outface
any|ANY) local outf=
;; for outf in ${outface}
do
*) local -a outf_arg=()
local -a mc_arg=("-m" "mac" "--mac-source" "${mc}") case ${outf} in
;; any|ANY)
esac ;;
local s= *)
for s in ${src} local -a outf_arg=("-o" "${outf}")
do ;;
local -a s_arg=() esac
case ${s} in
any|ANY) # physin
;; local inph=
for inph in ${physin}
*) do
local -a s_arg=("-s" "${s}") local -a inph_arg=()
;; case ${inph} in
esac any|ANY)
;;
local d=
for d in ${dst} *)
do local -a physdev_arg=("-m" "physdev")
local -a d_arg=() local -a inph_arg=("--physdev-in" "${inph}")
case ${d} in ;;
any|ANY) esac
;;
# physout
*) local outph=
local -a d_arg=("-d" "${d}") for outph in ${physout}
;; do
esac local -a outph_arg=()
case ${outph} in
local -a state_arg=() any|ANY)
if [ ! -z "${state}" ] ;;
then
local -a state_arg=("-m" "state" "${statenot}" "--state" "${state}") *)
fi local -a physdev_arg=("-m" "physdev")
local -a outph_arg=("--physdev-out" "${outph}")
local -a limit_arg=() ;;
if [ ! -z "${limit}" ] esac
then
local -a limit_arg=("-m" "limit" "--limit" "${limit}" "--limit-burst" "${burst}") # sport
fi local sp=
for sp in ${sport}
local -a iplimit_arg=() do
if [ ! -z "${iplimit}" ] local -a sp_arg=()
then case ${sp} in
local -a iplimit_arg=("-m" "iplimit" "--iplimit-above" "${iplimit}" "--iplimit-mask" "${iplimit_mask}") any|ANY)
fi ;;
declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}") *)
local -a sp_arg=("--sport" "${sp}")
local -a logopts_arg=() ;;
if [ "${FIREHOL_LOG_MODE}" = "ULOG" ] esac
then
local -a logopts_arg=("--ulog-prefix='${logtxt}:'") # dport
else local dp=
local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${logtxt}:'") for dp in ${dport}
fi do
local -a dp_arg=()
case "${log}" in case ${dp} in
'') any|ANY)
;; ;;
limit) *)
iptables ${table} -A "${chain}" "${basecmd[@]}" ${custom} -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}" local -a dp_arg=("--dport" "${dp}")
;; ;;
esac
normal)
iptables ${table} -A "${chain}" "${basecmd[@]}" ${custom} -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}" # mac
;; local mc=
for mc in ${mac}
*) do
error "Unknown log value '${log}'." local -a mc_arg=()
;; case ${mc} in
esac any|ANY)
;;
rule_action_param "${action}" "${pr}" "${statenot}" "${state}" "${table}" "${action_param[@]}" -- ${table} -A "${chain}" "${basecmd[@]}" ${custom}
done # dst *)
done # src local -a mc_arg=("-m" "mac" "--mac-source" "${mc}")
done # mac ;;
done # dport esac
done # sport
done # physout # src
done # physin local s=
done # outface for s in ${src}
done # inface do
done # proto local -a s_arg=()
done # cmd case ${s} in
done # sid any|ANY)
done # pid ;;
done # gid
*)
local -a s_arg=("-s" "${s}")
;;
esac
# dst
local d=
for d in ${dst}
do
local -a d_arg=()
case ${d} in
any|ANY)
;;
*)
local -a d_arg=("-d" "${d}")
;;
esac
# state
local -a state_arg=()
if [ ! -z "${state}" ]
then
local -a state_arg=("-m" "state" "${statenot}" "--state" "${state}")
fi
# limit
local -a limit_arg=()
if [ ! -z "${limit}" ]
then
local -a limit_arg=("-m" "limit" "--limit" "${limit}" "--limit-burst" "${burst}")
fi
# iplimit
local -a iplimit_arg=()
if [ ! -z "${iplimit}" ]
then
local -a iplimit_arg=("-m" "iplimit" "--iplimit-above" "${iplimit}" "--iplimit-mask" "${iplimit_mask}")
fi
# build the command
declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}")
# log mode selection
local -a logopts_arg=()
if [ "${FIREHOL_LOG_MODE}" = "ULOG" ]
then
local -a logopts_arg=("--ulog-prefix='${logtxt}:'")
else
local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${logtxt}:'")
fi
# log / loglimit
case "${log}" in
'')
;;
limit)
iptables ${table} -A "${chain}" "${basecmd[@]}" ${custom} -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}"
;;
normal)
iptables ${table} -A "${chain}" "${basecmd[@]}" ${custom} -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}"
;;
*)
error "Unknown log value '${log}'."
;;
esac
# do it!
rule_action_param "${action}" "${pr}" "${statenot}" "${state}" "${table}" "${action_param[@]}" -- ${table} -A "${chain}" "${basecmd[@]}" ${custom}
done # dst
done # src
done # mac
done # dport
done # sport
done # physout
done # physin
done # outface
done # inface
done # proto
done # dscp
done # tos
done # mark
done # cmd
done # sid
done # pid
done # gid
done # uid done # uid
test ${failed} -gt 0 && error "There are ${failed} failed commands." && return 1 test ${failed} -gt 0 && error "There are ${failed} failed commands." && return 1
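Review bot: This hunk mixes a whitespace and comment pass over the existing loops with the functional change (the new mark, tos and dscp loops and the three entries appended to basecmd), which makes a 600-line diff hard to review; split the re-indentation into its own commit. In the functional part, `dscp_arg` again expands `${dscptype}`, which the parser never sets (it sets `dscpclass`), so the class form of the dscp match is broken here as well. The `done` ordering (proto, dscp, tos, mark, cmd) does match the new loop nesting.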
@ -4707,7 +4948,7 @@ case "${arg}" in
else else
${CAT_CMD} <<EOF ${CAT_CMD} <<EOF
$Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $ $Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr> (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL. FireHOL is distributed under GPL.
@ -4893,7 +5134,7 @@ then
${CAT_CMD} <<EOF ${CAT_CMD} <<EOF
$Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $ $Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr> (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL. FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net Home Page: http://firehol.sourceforge.net
@ -5187,7 +5428,7 @@ then
${CAT_CMD} >&2 <<EOF ${CAT_CMD} >&2 <<EOF
$Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $ $Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr> (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL. FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net Home Page: http://firehol.sourceforge.net
@ -5270,7 +5511,7 @@ EOF
echo "# " echo "# "
${CAT_CMD} <<EOF ${CAT_CMD} <<EOF
# $Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $ # $Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
# (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr> # (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
# FireHOL is distributed under GPL. # FireHOL is distributed under GPL.
# Home Page: http://firehol.sourceforge.net # Home Page: http://firehol.sourceforge.net