mirror of
https://github.com/firehol/firehol.git
synced 2024-06-30 19:02:21 +00:00
Added helpers:
tos - to set the TOS of packets
dscp - to set the DSCP field of packets (both raw and class)
Added optional rule parameters:
tos - to match the TOS of packets
mark - to match the MARK ID of packets
dscp - to match the DSCP field of packets (both raw and class)
Added the following actions to the rule() function:
dscp
The rule() function already had support for TOS and MARK.
This commit is contained in:
parent
25c21cdebb
commit
60969b571d
@ -50,6 +50,7 @@ automatically. FireHOL is extremely easy to understand, configure and audit.
<ul>
<li><a href="#blacklist">blacklist</a>, setup a unidirectional or bidirectional blacklist</li>
<li><a href="#dnat">dnat</a>, setup a Destination NAT rule for routed traffic</li>
<li><a href="#dscp">dscp</a>, set the DSCP field in the packet header, to a raw value or a DiffServ class</li>
<li><a href="#iptables">iptables</a>, add some custom iptables commands to the firewall
<li><a href="#mac">mac</a>, setup a source mac address with IP match</li>
<li><a href="#mark">mark</a>, mark traffic for traffic shapping tools</li>
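Review bot: the neighbouring `iptables` item has no closing `</li>` and the `mark` item reads "shapping"; since this list is being touched, close the tag and spell it "shaping". The new `dscp` entry itself is consistent with the others.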
@ -58,6 +59,7 @@ automatically. FireHOL is extremely easy to understand, configure and audit.
<li><a href="#redirect">redirect</a>, setup a port redirection rule</li>
<li><a href="#snat">snat</a>, setup a Source NAT rule for routed traffic</li>
<li><a href="#tcpmss">tcpmss</a>, set the MSS of TCP SYN packets for routers</li>
<li><a href="#tos">tos</a>, set the Type of Service (TOS) field in the packet header</li>
<li><a href="#transparent_squid">transparent_squid</a>, setup a transparent squid proxy running on the firewall host</li>
<li><a href="#version">version</a>, require a specific version of FireHOL
</ul>
@ -77,26 +79,29 @@ automatically. FireHOL is extremely easy to understand, configure and audit.
</li>
<li><a href="#parameters">Optional Rule Parameters</a>
<ul>
<li><a href="#src">src</a>, set the source of traffic</li>
<li><a href="#dst">dst</a>, set the destination of traffic</li>
<li><a href="#inface">inface</a>, set the network interface traffic is received via</li>
<li><a href="#outface">outface</a>, set the network interface traffic is send via</li>
<li><a href="#physin">physin</a>, set the physical network interface (for bridges) traffic is received via</li>
<li><a href="#physout">physout</a>, set the physical network interface (for bridges) traffic is send via</li>
<li><a href="#custom">custom</a>, pass a few custom parameters to the generated iptables
statements</li>
<li><a href="#src">src</a>, match the source of traffic</li>
<li><a href="#dst">dst</a>, match the destination of traffic</li>
<li><a href="#inface">inface</a>, match the network interface traffic is received via</li>
<li><a href="#outface">outface</a>, match the network interface traffic is send via</li>
<li><a href="#physin">physin</a>, match the physical network interface (for bridges) traffic is received via</li>
<li><a href="#physout">physout</a>, match the physical network interface (for bridges) traffic is send via</li>
<li><a href="#custom">custom</a>, pass a few custom parameters to the generated iptables statements</li>
<li><a href="#log">log</a>, write something to the syslog when traffic is matched</li>
<li><a href="#loglimit">loglimit</a>, write (limited) something to the syslog when traffic is matched</li>
<li><a href="#proto">proto</a>, match a specific protocol</li>
<li><a href="#limit">limit</a>, limit the frequency traffic is matched</li>
<li><a href="#sport">sport</a>, set the source ports</li>
<li><a href="#dport">dport</a>, set the destination ports</li>
<li><a href="#uid">uid, user</a>, set the users sending this traffic</li>
<li><a href="#gid">gid, group</a>, set the user groups sending this traffic</li>
<li><a href="#pid">pid, process</a>, set the process IDs sending this traffic</li>
<li><a href="#sid">sid, session</a>, set the process session IDs sending this traffic</li>
<li><a href="#cmd">cmd, command</a>, set the command name sending this traffic</li>
<li><a href="#sport">sport</a>, match the source ports</li>
<li><a href="#dport">dport</a>, match the destination ports</li>
<li><a href="#uid">uid, user</a>, match the users sending this traffic</li>
<li><a href="#gid">gid, group</a>, match the user groups sending this traffic</li>
<li><a href="#pid">pid, process</a>, match the process IDs sending this traffic</li>
<li><a href="#sid">sid, session</a>, match the process session IDs sending this traffic</li>
<li><a href="#cmd">cmd, command</a>, match the command name sending this traffic</li>
<li><a href="#mac_param">mac</a>, match the source MAC address of packets.</li>
<li><a href="#mark_param">mark</a>, match the MARK ID of packets.</li>
<li><a href="#tos_param">tos</a>, match the Type of Service (TOS) of packets.</li>
<li><a href="#dscp_param">dscp</a>, match the DSCP raw value or DiffServ class value of packets.</li>

</ul>

</li>
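Review bot: the rewritten `outface` and `physout` entries carry over "traffic is send via"; since these lines are being replaced anyway, make it "traffic is sent via". Also the new `mac` entry links to `#mac_param`, but no `<a name="mac_param">` is added in this patch (only `mark_param`, `tos_param` and `dscp_param` are); confirm that anchor already exists in commands.html or the link is dead.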
@ -407,6 +412,39 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
Example: <b>dnat to 1.1.1.1 inface eth0 src 2.2.2.2 dst 3.3.3.3</b>
<p>

<hr noshade size=1 width="100%">

<a name="dscp"><h3><b>dscp</b> <font color="red"><NUMBER></font> <font color="red"><WHERE></font> [optional rule parameters]</h3>
<br><h3><b>dscp</b> class <font color="red"><CLASSID></font> <font color="red"><WHERE></font> [optional rule parameters]</h3></a>
The <b>dscp</b> helper sets the DSCP field in the header of the packets matching the optional rule parameters.

<H4>Parameters</H4>
<ul>
<li> <b>NUMBER</b> is a decimal or hex (0xNN) number to set the DSCP field to.
<br>
</li>

<li> <b>CLASSID</b> is any of the iptables supported DiffServ class values (EF, BE, CSxx, AFxx - check <b>iptables -j DSCP --help</b> for more information).
<br>
</li>

<li> <b>WHERE</b> tells FireHOL where to search for the specific traffic to be marked.
<br>Currently, WHERE can be one of the build-in iptables chains attached to table <b>mangle</b>.
(for example: INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING - case does matter here).
<br>
</li>

<li> <b>optional rule parameters</b> is a set of rules that allow further restriction of the traffic that
gets matched by this rule. See <a href="#parameters">Optional Rules Parameters</a> for more information.
<br>
</li>
</ul>
<br>Example 1: <b>dscp 32 OUTPUT</b>, will set the DSCP field to 32 of all packets sent by the local machine.
<br>Example 2: <b>dscp 0x20 FORWARD</b>, will set DCSP to 0x20 (32) of all packets passing through the local machine.
<br>Example 3: <b>dscp class EF FORWARD proto tcp dport 25 dst 1.1.1.1 src 2.2.2.2</b>, will set DSCP to DeffServ class EF
for all packets sent by 2.2.2.2, passing through the local machine and targeting port TCP/25 of host 1.1.1.1.
<p>

<hr noshade size=1 width="100%">

<a name="iptables"><h3><b>iptables</b> <font color="red"><arguments></font></h3></a>
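Review bot: typos in the new section: "DCSP" in Example 2, "DeffServ" in Example 3, and "build-in" in the WHERE bullet (should be "built-in"). The NUMBER bullet should also state the valid range: DSCP is a 6-bit field, so iptables accepts 0 to 63 (0x00 to 0x3f); a reader who copies a TOS-style value such as 0x10 will get a load-time error from `iptables -j DSCP --set-dscp`. The WHERE bullet was copied from the mark helper ("traffic to be marked"); here the traffic has its DSCP field rewritten, not a mark set.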
@ -634,6 +672,35 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
<br>Example 2: <b>tcpmss 500</b>
<p>

<hr noshade size=1 width="100%">

<a name="tos"><h3><b>tos</b> <font color="red"><NUMBER></font> <font color="red"><WHERE></font> [optional rule parameters]</h3></a>
The <b>tos</b> helper sets the Type of Service (TOS) in packets.

<H4>Parameters</H4>
<ul>
<li> <b>NUMBER</b> is a number to set TOS to. FireHOL supports decimal numbers, hex numbers and the
descriptive values iptables supports. For more information see <b>iptables -j TOS --help</b>.
<br>
</li>

<li> <b>WHERE</b> tells FireHOL where to search for the specific traffic to be marked.
<br>Currently, WHERE can be one of the build-in iptables chains attached to table <b>mangle</b>.
(for example: INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING - case does matter here).
<br>
</li>

<li> <b>optional rule parameters</b> is a set of rules that allow further restriction of the traffic that
gets matched by this rule. See <a href="#parameters">Optional Rules Parameters</a> for more information.
<br>
</li>
</ul>
<br>Example 1: <b>tos 16 OUTPUT</b>, will set TOS to 16 for all packets sent by the local machine.
<br>Example 2: <b>tos 0x10 FORWARD</b>, will set TOS to 0x10 (16) for all packets passing through the local machine.
<br>Example 3: <b>tos Maximize-Throughput FORWARD proto tcp dport 25 dst 1.1.1.1 src 2.2.2.2</b>, will set TOS to Maximize-Throughput (8)
for all packets sent by 2.2.2.2, passing through the local machine and targeting port TCP/25 of host 1.1.1.1.
<p>

<hr noshade size=1 width="100%">

<a name="transparent_squid"><h3><b>transparent_squid</b> <font color="red"><port> <user></font> [optional rule parameters]</h3></a>
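Review bot: "build-in" in the WHERE bullet should be "built-in". More importantly, the tos and dscp sections should cross-reference each other: the DS field (RFC 2474) redefined the same byte of the IPv4 header that TOS occupies, so a `tos` helper and a `dscp` helper that select the same packets in the same mangle chain overwrite each other's result, and whichever rule runs last wins. A sentence saying so here (and in the dscp section) would save users a confusing debugging session.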
@ -1199,6 +1266,34 @@ about optional rule parameters that should not be used in certain commands.
(either address should be matched), while negative expressions are ANDed (none of the addresses should be matched).
<p>

<hr noshade size=1 width="100%">

<a name="mark_param"><h3><b>mark</b> [not] <font color="red"><ID></font></h3></a>
<H4>Description</H4>
<b>mark</b> matches the traffic against the given IDs. This command accepts anything iptables accepts as MARKs (see <b>iptables -m mark --help</b>).
<p>
More than one MARK IDs can be given if separated by spaces and enclosed in quotes as a single argument to the mark parameter.
<p>

<hr noshade size=1 width="100%">

<a name="tos_param"><h3><b>tos</b> [not] <font color="red"><ID></font></h3></a>
<H4>Description</H4>
<b>tos</b> matches the traffic against the given IDs. This command accepts anything iptables accepts as TOS (see <b>iptables -m tos --help</b>).
<p>
More than one IDs can be given if separated by spaces and enclosed in quotes as a single argument to the tos parameter.
<p>

<hr noshade size=1 width="100%">

<a name="dscp_param"><h3><b>dscp</b> [not] <font color="red"><ID></font></h3>
<br><h3><b>dscp</b> [not] class <font color="red"><ID></font></h3></a>
<H4>Description</H4>
<b>dscp</b> matches the traffic against the given DSCP IDs. This command accepts anything iptables accepts as DSCP (see <b>iptables -m dscp --help</b>).
<p>
More than one IDs can be given if separated by spaces and enclosed in quotes as a single argument.
<p>

<table border=0 cellpadding=10 cellspacing=0 width="100%"><tr bgcolor="#777777"><td align=center><font color="white"><b><big><a name="control_variables">Variables that control FireHOL</a></td</tr></table>
<p>
<a name="DEFAULT_INTERFACE_POLICY"><h3><b>DEFAULT_INTERFACE_POLICY</b></h3></a>
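Review bot: grammar in all three new sections: "More than one MARK IDs can be given" / "More than one IDs can be given" should be "More than one ID can be given". The dscp_param heading advertises a `dscp [not] class <ID>` form, but the description only says "anything iptables accepts as DSCP"; spell out that the class form takes the DiffServ class names listed for the helper (EF, BE, CSxx, AFxx) and that the plain form takes a 0 to 63 raw value, so readers know which syntax to use for which kind of ID.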
@ -1437,7 +1532,7 @@ about optional rule parameters that should not be used in certain commands.
<tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle>
<small>$Id: commands.html,v 1.53 2004/10/30 22:04:17 ktsaou Exp $</small>
<small>$Id: commands.html,v 1.54 2004/10/31 02:21:02 ktsaou Exp $</small>
<p>
<b>FireHOL</b>, a firewall for humans...<br>
© Copyright 2003
@ -2349,7 +2349,7 @@ All the services defined by name in FireHOL are known to resolve in <a href="htt
<tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle>
<small>$Id: services.html,v 1.57 2004/10/30 23:03:58 ktsaou Exp $</small>
<small>$Id: services.html,v 1.58 2004/10/31 02:21:02 ktsaou Exp $</small>
<p>
<b>FireHOL</b>, a firewall for humans...<br>
© Copyright 2003
255
firehol.sh
@ -10,7 +10,7 @@
#
# config: /etc/firehol/firehol.conf
#
# $Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $
# $Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
#

# Remember who you are.
@ -1925,6 +1925,63 @@ mark() {
return 0
}

tos_count=0
tos() {
work_realcmd_helper $FUNCNAME "$@"

set_work_function -ne "Initializing $FUNCNAME"

require_work clear || ( error "$FUNCNAME cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )

local num="${1}"; shift
local where="${1}"; shift
test -z "${where}" && where=OUTPUT

tos_count=$[tos_count + 1]

set_work_function "Setting up rules for TOS"

create_chain mangle "tos.${tos_count}" "${where}" "$@" || return 1
iptables -t mangle -A "tos.${tos_count}" -j TOS --set-tos ${num}

return 0
}

dscp_count=0
dscp() {
work_realcmd=($FUNCNAME "$@")

set_work_function -ne "Initializing $FUNCNAME"

require_work clear || ( error "$FUNCNAME cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )

local value="${1}"; shift
local class=""

if [ "${value}" = "class" ]
then
local value=""
local class="${1}"; shift
fi

local where="${1}"; shift
test -z "${where}" && where=OUTPUT

dscp_count=$[dscp_count + 1]

set_work_function "Setting up rules for setting DSCP"

create_chain mangle "dscp.${dscp_count}" "${where}" "$@" || return 1

if [ ! -z "${class}" ]
then
iptables -t mangle -A "dscp.${dscp_count}" -j DSCP --set-dscp-class ${class}
else
iptables -t mangle -A "dscp.${dscp_count}" -j DSCP --set-dscp ${value}
fi

return 0
}

tcpmss() {
work_realcmd_helper $FUNCNAME "$@"
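Review bot: in both new helpers, `require_work clear || ( error "..."; return 1 )` runs `return 1` inside a subshell, so only the subshell exits; the error is printed and the function carries on to `create_chain` and the `iptables` call. Use `{ error "..."; return 1; }` so the helper really aborts. Two smaller points: `dscp()` sets `work_realcmd=($FUNCNAME "$@")` while `tos()` and the adjacent `tcpmss()` use `work_realcmd_helper $FUNCNAME "$@"`, so pick the helper for consistency; and neither function checks that a value was supplied, so `dscp class` with no class name, or `tos` with no number, passes an empty string to `--set-dscp-class` / `--set-tos` and fails only when iptables is invoked. `$[...]` is obsolete bash arithmetic; `$((tos_count + 1))` is the portable spelling.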
@ -2938,6 +2995,16 @@ rule() {
local cmd=any
local cmdnot=

local mark=any
local marknot=

local dscp=any
local dscptype=
local despnot=

local tos=any
local tosnot=

local log=
local logtxt=
local loglevel=
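Review bot: `local despnot=` is a typo for `dscpnot`. As written, `dscpnot` is never declared local, so the `dscpnot=` and `dscpnot="!"` assignments further down in `rule()` write a global variable that survives across calls and is visible to every other function. Note also that `dscptype` is declared here but the parser assigns `dscpclass`; see the comment on the `dscp|DSCP)` parsing hunk.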
@ -3246,6 +3313,52 @@ rule() {
shift
;;

mark|MARK)
shift
marknot=
if [ "${1}" = "not" -o "${1}" = "NOT" ]
then
shift
marknot="!"
fi
test ${softwarnings} -eq 1 -a ! "${mark}" = "any" && softwarning "Overwritting param: mark '${mark}' becomes '${1}'"
mark="${1}"
shift
;;

tos|TOS)
shift
tosnot=
if [ "${1}" = "not" -o "${1}" = "NOT" ]
then
shift
tosnot="!"
fi
test ${softwarnings} -eq 1 -a ! "${tos}" = "any" && softwarning "Overwritting param: tos '${tos}' becomes '${1}'"
tos="${1}"
shift
;;

dscp|DSCP)
shift
dscpnot=
if [ "${1}" = "not" -o "${1}" = "NOT" ]
then
shift
dscpnot="!"
fi
test ${softwarnings} -eq 1 -a ! "${dscp}" = "any" && softwarning "Overwritting param: dscp '${dscp}' becomes '${1}'"
dscp="${1}"
shift

if [ "${dscp}" = "class" ]
then
dscpclass="-class"
dscp="${1}"
shift
fi
;;

action|ACTION)
test ${softwarnings} -eq 1 -a ! -z "${action}" && softwarning "Overwritting param: action '${action}' becomes '${2}'"
action="${2}"
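Review bot: the class branch assigns `dscpclass="-class"`, but every consumer builds the option as `--dscp${dscptype}`, and `dscptype` is never assigned anywhere in this patch. The result is that `dscp class EF` emits `-m dscp --dscp EF`, which iptables rejects (class names need `--dscp-class`), so the documented class syntax for the match parameter cannot work. Rename the assignment to `dscptype="-class"`, and reset `dscptype=` at the top of the `dscp|DSCP)` branch alongside `dscpnot=`, so a second plain numeric `dscp` on the same rule does not inherit the `-class` suffix. `dscpclass` is also never declared local.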
@ -3405,6 +3518,29 @@ rule() {
fi
;;

dscp|DSCP)
action="DSCP"
if [ "${1}" = "to" ]
then
if [ "${2}" = "class" ]
then
local -a action_param=("--set-dscp-class" "${2}")
shift
else
local -a action_param=("--set-dscp" "${2}")
fi
shift 2
else
error "${action} requires a 'to' argument"
return 1
fi
if [ ! "A${table}" = "A-t mangle" ]
then
error "${action} must on a the 'mangle' table."
return 1
fi
;;

*)
chain_exists "${action}"
local action_is_chain=$?
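Review bot: in the class branch, `action_param` is built from `"${2}"` before the extra `shift`, so for `dscp to class EF` it captures the literal word "class" rather than "EF"; the generated command is `-j DSCP --set-dscp-class class`, which iptables rejects at load time. Either read `"${3}"`, or do the `shift` first and then take `"${2}"`. There is also no check that something follows `to`, so `dscp to` alone yields `--set-dscp ""`. Minor: the error text "must on a the 'mangle' table." should read "must be used on the 'mangle' table."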
@ -3647,7 +3783,7 @@ rule() {


# ignore 'statenot' since it is negated in the positive rules
if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}" ]
if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}${marknot}${tosnot}${dscpnot}" ]
then
if [ ${action_is_chain} -eq 1 ]
then
@ -3864,6 +4000,40 @@ rule() {
cmd=any
fi

if [ ! -z "${marknot}" ]
then
local tmark=
for tmark in ${mark}
do
iptables ${table} -A "${negative_chain}" -m mark --mark "${tmark}" -j RETURN
done
marknot=
mark=any
fi

if [ ! -z "${tosnot}" ]
then
local ttos=
for ttos in ${tos}
do
iptables ${table} -A "${negative_chain}" -m tos --tos "${ttos}" -j RETURN
done
tosnot=
tos=any
fi

if [ ! -z "${dscpnot}" ]
then
local tdscp=
for tdscp in ${dscp}
do
iptables ${table} -A "${negative_chain}" -m dscp --dscp${dscptype} "${tdscp}" -j RETURN
done
dscp=any
dscpnot=
fi


# in case this is temporary chain we created for the negative expression,
# just make it have the final action of the rule.
if [ ! -z "${negative_action}" ]
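Review bot: the negative dscp rule relies on `${dscptype}` to turn `--dscp` into `--dscp-class`, and the parser never sets that variable (it sets `dscpclass`), so `dscp not class EF` produces `-m dscp --dscp EF` and fails to load. Once the parser bug is fixed this block is correct. Cosmetic: the reset order here (`dscp=any` then `dscpnot=`) differs from the mark and tos blocks above it; aligning them makes the three blocks easier to diff.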
@ -3892,6 +4062,7 @@ rule() {
# ----------------------------------------------------------------------------------
# Process the positive rules

# uid
local tuid=
for tuid in ${uid}
do
@ -3908,6 +4079,7 @@ rule() {
;;
esac

# gid
local tgid=
for tgid in ${gid}
do
@ -3923,6 +4095,7 @@ rule() {
;;
esac

# pid
local tpid=
for tpid in ${pid}
do
@ -3938,6 +4111,7 @@ rule() {
;;
esac

# sid
local tsid=
for tsid in ${sid}
do
@ -3953,6 +4127,7 @@ rule() {
;;
esac

# cmd
local tcmd=
for tcmd in ${cmd}
do
@ -3968,6 +4143,52 @@ rule() {
;;
esac

# mark
local tmark=
for tmark in ${mark}
do
local -a mark_arg=()

case ${tmark} in
any|ANY)
;;

*)
local -a mark_arg=("-m" "mark" "--mark" "${tmark}")
;;
esac

# tos
local ttos=
for ttos in ${tos}
do
local -a tos_arg=()

case ${ttos} in
any|ANY)
;;

*)
local -a tos_arg=("-m" "tos" "--tos" "${ttos}")
;;
esac

# dscp
local tdscp=
for tdscp in ${dscp}
do
local -a dscp_arg=()

case ${tdscp} in
any|ANY)
;;

*)
local -a dscp_arg=("-m" "dscp" "--dscp${dscptype}" "${tdscp}")
;;
esac

# proto
local pr=
for pr in ${proto}
do
@ -3982,6 +4203,7 @@ rule() {
;;
esac

# inface
local inf=
for inf in ${inface}
do
@ -3995,6 +4217,7 @@ rule() {
;;
esac

# outface
local outf=
for outf in ${outface}
do
@ -4008,6 +4231,7 @@ rule() {
;;
esac

# physin
local inph=
for inph in ${physin}
do
@ -4022,6 +4246,7 @@ rule() {
;;
esac

# physout
local outph=
for outph in ${physout}
do
@ -4036,6 +4261,7 @@ rule() {
;;
esac

# sport
local sp=
for sp in ${sport}
do
@ -4049,6 +4275,7 @@ rule() {
;;
esac

# dport
local dp=
for dp in ${dport}
do
@ -4062,6 +4289,7 @@ rule() {
;;
esac

# mac
local mc=
for mc in ${mac}
do
@ -4075,6 +4303,7 @@ rule() {
;;
esac

# src
local s=
for s in ${src}
do
@ -4088,6 +4317,7 @@ rule() {
;;
esac

# dst
local d=
for d in ${dst}
do
@ -4101,26 +4331,31 @@ rule() {
;;
esac

# state
local -a state_arg=()
if [ ! -z "${state}" ]
then
local -a state_arg=("-m" "state" "${statenot}" "--state" "${state}")
fi

# limit
local -a limit_arg=()
if [ ! -z "${limit}" ]
then
local -a limit_arg=("-m" "limit" "--limit" "${limit}" "--limit-burst" "${burst}")
fi

# iplimit
local -a iplimit_arg=()
if [ ! -z "${iplimit}" ]
then
local -a iplimit_arg=("-m" "iplimit" "--iplimit-above" "${iplimit}" "--iplimit-mask" "${iplimit_mask}")
fi

declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}")
# build the command
declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}")

# log mode selection
local -a logopts_arg=()
if [ "${FIREHOL_LOG_MODE}" = "ULOG" ]
then
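Review bot: appending `tos_arg` and `dscp_arg` to the same `basecmd` means a rule can carry both a `tos` and a `dscp` match, and the two inspect the same header byte: `-m tos` compares the TOS octet, `-m dscp` compares its top six bits. Such a rule only ever matches when the two values agree, and a user who combines them is almost certainly confused. Worth either a `softwarning` when both are set, or a line in the parameter documentation saying the two overlap.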
@ -4129,6 +4364,7 @@ rule() {
local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${logtxt}:'")
fi

# log / loglimit
case "${log}" in
'')
;;
@ -4146,7 +4382,9 @@ rule() {
;;
esac

# do it!
rule_action_param "${action}" "${pr}" "${statenot}" "${state}" "${table}" "${action_param[@]}" -- ${table} -A "${chain}" "${basecmd[@]}" ${custom}

done # dst
done # src
done # mac
@ -4157,6 +4395,9 @@ rule() {
done # outface
done # inface
done # proto
done # dscp
done # tos
done # mark
done # cmd
done # sid
done # pid
@ -4707,7 +4948,7 @@ case "${arg}" in
else

${CAT_CMD} <<EOF
$Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $
$Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.

@ -4893,7 +5134,7 @@ then

${CAT_CMD} <<EOF

$Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $
$Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
@ -5187,7 +5428,7 @@ then

${CAT_CMD} >&2 <<EOF

$Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $
$Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
@ -5270,7 +5511,7 @@ EOF
echo "# "

${CAT_CMD} <<EOF
# $Id: firehol.sh,v 1.211 2004/10/30 23:03:57 ktsaou Exp $
# $Id: firehol.sh,v 1.212 2004/10/31 02:21:02 ktsaou Exp $
# (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
# FireHOL is distributed under GPL.
# Home Page: http://firehol.sourceforge.net