diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 79ac87943..9aad6a295 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2426,7 +2426,7 @@ sub add_ijump_internal( $$$$$;@ ) {
 my ( $target ) = split ' ', $to;
 $toref = $chain_table{$fromref->{table}}{$target};
 fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target};
- $origin ||= $fromref->{origin} if $config{TRACK_RULES} eq 'File';
+ $origin ||= $fromref->{origin} if $config{TRACK_RULES};
 }
 
 #
@@ -2436,7 +2436,7 @@ sub add_ijump_internal( $$$$$;@ ) {
 $toref->{referenced} = 1;
 add_reference $fromref, $toref;
 $jump = 'j' unless have_capability 'GOTO_TARGET';
- $origin ||= $toref->{origin} if $config{TRACK_RULES} eq 'File';
+ $origin ||= $toref->{origin} if $config{TRACK_RULES};
 $ruleref = create_irule ($fromref, $jump => $to, @matches );
 } else {
 $ruleref = create_irule( $fromref, 'j' => $to, @matches );
@@ -2752,7 +2752,7 @@ sub ensure_manual_chain($) {
 $chainref;
 }
 
-sub log_irule_limit( $$$$$$$@ );
+sub log_irule_limit( $$$$$$$$@ );
 
 sub ensure_blacklog_chain( $$$$$ ) {
 my ( $target, $disposition, $level, $tag, $audit ) = @_;
@@ -2763,7 +2763,7 @@ sub ensure_blacklog_chain( $$$$$ ) {
 $target =~ s/A_//;
 $target = 'reject' if $target eq 'REJECT';
 
- log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add' );
+ log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add', '' );
 
 add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
 add_ijump( $logchainref, g => $target );
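Review bot: The tracking guard at both hunks @@ -2426 and @@ -2436 now reads `if $config{TRACK_RULES}`, so the origin is inherited for every true setting rather than only for 'File'. That relies on the config loader storing a disabled setting as an empty or otherwise false value; if TRACK_RULES can still hold the literal string 'No' at this point the guard would be taken — cannot tell from the hunk. A one-line comment at the first site such as `# Inherit the origin of the referencing chain whenever rule tracking is enabled (any mode, not only File)` would make the widened condition read as deliberate. add_ijump_internal starts and ends outside these hunks.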
@@ -2778,7 +2778,7 @@ sub ensure_audit_blacklog_chain( $$$ ) { unless ( $filter_table->{A_blacklog} ) { my $logchainref = new_manual_chain 'A_blacklog'; - log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' ); + log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' , '' ); add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ); @@ -4286,7 +4286,8 @@ sub logchain( $$$$$$ ) { $disposition , [] , $logtag, - 'add' ); + 'add', + '' ); add_jump( $logchainref, $target, 0, $exceptionrule ); } @@ -6245,8 +6246,8 @@ sub do_ipsec($$) { # # Generate a log message # -sub log_rule_limit( $$$$$$$$ ) { - my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches ) = @_; +sub log_rule_limit( $$$$$$$$;$ ) { + my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_; my $prefix = ''; my $chain = get_action_chain_name || $chn; @@ -6339,11 +6340,13 @@ sub log_rule_limit( $$$$$$$$ ) { $ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix ); } + $ruleref->{origin} = $origin if $origin; + $ruleref; } -sub log_irule_limit( $$$$$$$@ ) { - my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, @matches ) = @_; +sub log_irule_limit( $$$$$$$$@ ) { + my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $origin, @matches ) = @_; my $prefix = ''; my %matches; @@ -6431,7 +6434,7 @@ sub log_irule_limit( $$$$$$$@ ) { } if ( $command eq 'add' ) { - add_ijump_internal ( $chainref, j => $prefix , $original_matches, '', @matches ); + add_ijump_internal ( $chainref, j => $prefix , $original_matches, $origin, @matches ); } else { insert_ijump ( $chainref, j => $prefix, 0 , @matches ); } 
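Review bot: In log_irule_limit (hunk @@ -6431) the new `$origin` parameter is forwarded only on the `add` path; the `insert` branch still calls `insert_ijump ( $chainref, j => $prefix, 0 , @matches );` and drops it, whereas log_rule_limit (hunk @@ -6339) sets `$ruleref->{origin} = $origin if $origin;` after both branches. If insert_ijump returns the rule reference, the same assignment after the if/else would make the two helpers behave alike; otherwise the limitation deserves a comment on the new signature. Separately, `$origin` now sits eighth in log_irule_limit, immediately before the `@matches` slurp, so a call site that was not updated would have its first match keyword taken as the origin and the rest of the list shifted by one with no prototype error to flag it — every caller needs checking, not just those touched here. Both log_rule_limit and log_irule_limit begin and end outside these hunks.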
@@ -6446,7 +6449,7 @@ sub log_rule( $$$$ ) {
 sub log_irule( $$$;@ ) {
 my ( $level, $chainref, $disposition, @matches ) = @_;
 
- log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', @matches;
+ log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
 }
 
 #
@@ -7456,7 +7459,8 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
 [] ,
 $logtag ,
- 'add' )
+ 'add' ,
+ '' )
 if $loglevel;
 #
 # Generate Final Rule
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index c03c32e32..cfdcf9a3a 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -673,17 +673,15 @@ sub add_common_rules ( $ ) {
 #
 $chainref = new_standard_chain 'sfilter';
 
- if ( $level ne '' ) {
- my $ruleref = log_rule_limit( $level,
- $chainref,
- $chainref->{name},
- $policy,
- $globals{LOGLIMIT},
- $tag,
- 'add',
- '' );
- $ruleref->{origin} = $origin{SFILTER_LOG_LEVEL};
- }
+ log_rule_limit( $level,
+ $chainref,
+ $chainref->{name},
+ $policy,
+ $globals{LOGLIMIT},
+ $tag,
+ 'add',
+ '',
+ $origin{SFILTER_LOG_LEVEL} ) if $level ne '';
 
 add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
 
@@ -704,17 +702,15 @@ sub add_common_rules ( $ ) {
 
 add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
 
- if ( $level ne '' ) {
- my $ruleref = log_rule_limit( $level,
- $chainref,
- $chainref->{name},
- $policy,
- $globals{LOGLIMIT},
- $tag,
- 'add',
- '' );
- $ruleref->{origin} = $origin;
- }
+ log_rule_limit( $level,
+ $chainref,
+ $chainref->{name},
+ $policy,
+ $globals{LOGLIMIT},
+ $tag,
+ 'add',
+ '' ,
+ $origin ) if $level ne '';
 
 add_ijump_extended( $chainref, j => 'AUDIT', $origin{SFILTER_DISPOSITION}, targetopts => '--type ' . lc $policy ) if $audit;
 
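Review bot: In the two Misc.pm hunks (@@ -673 and @@ -704) the level check has become a postfix `if $level ne ''` on the ninth line of a multi-line call, where a reader scanning the arguments easily misses it; the removed `if ( $level ne '' ) { ... }` block made the condition visible before the call, and keeping that block form around the new nine-argument call would be clearer than the trailing modifier. Also worth a second look: the hunk at @@ -673 tags the log rule with `$origin{SFILTER_LOG_LEVEL}` while the AUDIT jump below it uses `$origin`, and the hunk at @@ -704 does the reverse; this mirrors the removed code, so it is not introduced here, but it looks inverted in one of the two places and the hunk does not show what `$origin` holds there. add_common_rules starts and ends outside these hunks.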
@@ -791,17 +787,15 @@ sub add_common_rules ( $ ) {
 #
 $chainref = ensure_mangle_chain 'rplog';
 
- if ( $level ne '' ) {
- my $ruleref = log_rule_limit( $level,
- $chainref,
- $chainref->{name},
- $policy,
- $globals{LOGLIMIT},
- $tag,
- 'add',
- '' );
- $ruleref->{origin} = $origin{RPFILTER_LOG_LEVEL};
- }
+ log_rule_limit( $level,
+ $chainref,
+ $chainref->{name},
+ $policy,
+ $globals{LOGLIMIT},
+ $tag,
+ 'add',
+ '',
+ $origin{RPFILTER_LOG_LEVEL} );
 
 add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
 
@@ -860,15 +854,14 @@ sub add_common_rules ( $ ) {
 if ( supplied $config{SMURF_LOG_LEVEL} ) {
 my $smurfref = new_chain( 'filter', 'smurflog' );
 
- my $ruleref = log_irule_limit( $config{SMURF_LOG_LEVEL},
- $smurfref,
- 'smurfs' ,
- 'DROP',
- $globals{LOGILIMIT},
- $globals{SMURF_LOG_TAG},
- 'add' );
-
- $ruleref->{origin} = $origin{SMURF_LOG_LEVEL};
+ log_irule_limit( $config{SMURF_LOG_LEVEL},
+ $smurfref,
+ 'smurfs' ,
+ 'DROP',
+ $globals{LOGILIMIT},
+ $globals{SMURF_LOG_TAG},
+ 'add',
+ $origin{SMURF_LOG_LEVEL} );
 
 add_ijump_extended( $smurfref, j => 'AUDIT', $origin, targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
 
@@ -1015,16 +1008,15 @@ sub add_common_rules ( $ ) {
 
 $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";
 
- my $ruleref = log_rule_limit( $level,
- $logflagsref,
- 'logflags',
- $disposition,
- $globals{LOGLIMIT},
- $tag,
- 'add',
- '' );
-
- $ruleref->{origin} = $origin{TCP_FLAGS_LOG_LEVEL};
+ log_rule_limit( $level,
+ $logflagsref,
+ 'logflags',
+ $disposition,
+ $globals{LOGLIMIT},
+ $tag,
+ 'add',
+ '' ,
+ $origin{TCP_FLAGS_LOG_LEVEL} );
 
 $globals{LOGPARMS} = $savelogparms;
 
@@ -1301,7 +1293,7 @@ sub setup_mac_lists( $ ) {
 
 run_user_exit2( 'maclog', $chainref );
 
- log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add' if $level ne '';
+ log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
 add_ijump $chainref, j => $target;
 }
 }
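Review bot: The hunk at @@ -791 drops the `if ( $level ne '' )` guard that the removed code had around the rplog log rule, so log_rule_limit is now called there unconditionally, unlike the sibling rewrites at @@ -673 and @@ -704 which keep the condition as a postfix `if`. Unless this block already sits inside a level check outside the hunk, the last line of the call should read `$origin{RPFILTER_LOG_LEVEL} ) if $level ne '';`. The other hunks in this line (@@ -860, @@ -1015, @@ -1301) keep their original conditions. add_common_rules starts and ends outside the hunk.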
@@ -2280,15 +2272,15 @@ sub generate_matrix() {
 
 for my $table ( qw/mangle nat filter/ ) {
 for my $chain ( @{$builtins{$table}} ) {
- my $ruleref = log_rule_limit( $config{LOGALLNEW} ,
- $chain_table{$table}{$chain} ,
- $table ,
- $chain ,
- '' ,
- '' ,
- 'insert' ,
- state_match('NEW') );
- $ruleref->{origin} = $origin;
+ log_rule_limit( $config{LOGALLNEW} ,
+ $chain_table{$table}{$chain} ,
+ $table ,
+ $chain ,
+ '' ,
+ '' ,
+ 'insert' ,
+ state_match('NEW') ,
+ $origin );
 }
 }
 }
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 0f467e0f3..a38489ca0 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -975,7 +975,8 @@ sub setup_syn_flood_chains() {
 'DROP',
 @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
 '' ,
- 'add' )
+ 'add',
+ '' )
 if $level ne '';
 add_ijump $synchainref, j => 'DROP';
 }
@@ -1547,11 +1548,11 @@ sub dropBcast( $$$$ ) {
 
 if ( have_capability( 'ADDRTYPE' ) ) {
 if ( $level ne '' ) {
- log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', addrtype => '--dst-type BROADCAST' );
+ log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
 if ( $family == F_IPV4 ) {
- log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' );
+ log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' );
 } else {
- log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST );
+ log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST );
 }
 }
 
@@ -1564,17 +1565,17 @@ sub dropBcast( $$$$ ) {
 }
 
 incr_cmd_level $chainref;
- log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '$address' ) if $level ne '';
+ log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '$address' ) if $level ne '';
 add_ijump $chainref, j => $target, d => '$address';
 decr_cmd_level $chainref;
 add_commands $chainref, 'done';
 }
 
 if ( $family == F_IPV4 ) {
- log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' if $level ne '';
+ log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
 add_ijump $chainref, j => $target, d => '224.0.0.0/4';
 } else {
- log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';
+ log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
 add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
 }
 }
@@ -1586,8 +1587,8 @@ sub allowBcast( $$$$ ) {
 
 if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
 if ( $level ne '' ) {
- log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', addrtype => '--dst-type BROADCAST' );
- log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' );
+ log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
+ log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', ''. d => '224.0.0.0/4' );
 }
 
 add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
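Review bot: In hunk @@ -1586 the second allowBcast call reads `'add', ''. d => '224.0.0.0/4'` with a period where the comma belongs. Perl parses `''. d` as concatenation with the `=>`-quoted bareword, so the eighth argument becomes `'d'` and `@matches` receives only `'224.0.0.0/4'`: the rule is tagged with origin `d`, the `d` keyword never reaches the match list, and the leftover single-element list will raise an odd-number-of-elements warning if it is assigned into the `%matches` hash declared in log_irule_limit. The line should be `log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' );`. allowBcast continues past the end of the hunk.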
@@ -1599,17 +1600,17 @@ sub allowBcast( $$$$ ) {
 }
 
 incr_cmd_level $chainref;
- log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '$address' ) if $level ne '';
+ log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '$address' ) if $level ne '';
 add_ijump $chainref, j => $target, d => '$address';
 decr_cmd_level $chainref;
 add_commands $chainref, 'done';
 }
 
 if ( $family == F_IPV4 ) {
- log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' ) if $level ne '';
+ log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
 add_ijump $chainref, j => $target, d => '224.0.0.0/4';
 } else {
- log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';
+ log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
 add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
 }
 }
@@ -1619,7 +1620,7 @@ sub dropNotSyn ( $$$$ ) {
 
 my $target = require_audit( 'DROP', $audit );
 
- log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', p => '6 ! --syn' ) if $level ne '';
+ log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
 add_ijump $chainref , j => $target, p => '6 ! --syn';
 }
 
@@ -1634,7 +1635,7 @@ sub rejNotSyn ( $$$$ ) {
 $target = require_audit( 'REJECT' , $audit );
 }
 
- log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', p => '6 ! --syn' ) if $level ne '';
+ log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
 add_ijump $chainref , j => $target, p => '6 ! --syn';
 }
 
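Review bot: In hunk @@ -1599 the IPv6 branch still passes `''` as the limit argument (`'ACCEPT', '', $tag, 'add', '', d => IPv6_MULTICAST`) while every other log_irule_limit call in these hunks passes `[]`; the inconsistency predates the commit, but the line is being rewritten anyway. If log_irule_limit dereferences `$limit` as an array reference, `''` is not equivalent to an empty list, so the sibling form would be safer: `log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';`. allowBcast starts outside the hunk.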
@@ -1650,8 +1651,8 @@ sub allowinUPnP ( $$$$ ) {
 my $target = require_audit( 'ACCEPT', $audit );
 
 if ( $level ne '' ) {
- log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '17 --dport 1900' );
- log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '6 --dport 49152' );
+ log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '17 --dport 1900' );
+ log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '6 --dport 49152' );
 }
 
 add_ijump $chainref, j => $target, p => '17 --dport 1900';
@@ -1688,7 +1689,7 @@ sub Limit( $$$$ ) {
 if ( $level ne '' ) {
 my $xchainref = new_chain 'filter' , "$chainref->{name}%";
 
- log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' );
+ log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' );
 add_ijump $xchainref, j => 'DROP';
 add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
 } else {