Move origin handling into log_[i]rule_limit

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-01-27 14:24:56 -08:00
parent 57288086bf
commit 039fd6ddd8
3 changed files with 89 additions and 92 deletions


@ -2426,7 +2426,7 @@ sub add_ijump_internal( $$$$$;@ ) {
my ( $target ) = split ' ', $to; my ( $target ) = split ' ', $to;
$toref = $chain_table{$fromref->{table}}{$target}; $toref = $chain_table{$fromref->{table}}{$target};
fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target}; fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target};
$origin ||= $fromref->{origin} if $config{TRACK_RULES} eq 'File'; $origin ||= $fromref->{origin} if $config{TRACK_RULES};
} }
# #
@ -2436,7 +2436,7 @@ sub add_ijump_internal( $$$$$;@ ) {
$toref->{referenced} = 1; $toref->{referenced} = 1;
add_reference $fromref, $toref; add_reference $fromref, $toref;
$jump = 'j' unless have_capability 'GOTO_TARGET'; $jump = 'j' unless have_capability 'GOTO_TARGET';
$origin ||= $toref->{origin} if $config{TRACK_RULES} eq 'File'; $origin ||= $toref->{origin} if $config{TRACK_RULES};
$ruleref = create_irule ($fromref, $jump => $to, @matches ); $ruleref = create_irule ($fromref, $jump => $to, @matches );
} else { } else {
$ruleref = create_irule( $fromref, 'j' => $to, @matches ); $ruleref = create_irule( $fromref, 'j' => $to, @matches );
@ -2752,7 +2752,7 @@ sub ensure_manual_chain($) {
$chainref; $chainref;
} }
sub log_irule_limit( $$$$$$$@ ); sub log_irule_limit( $$$$$$$$@ );
sub ensure_blacklog_chain( $$$$$ ) { sub ensure_blacklog_chain( $$$$$ ) {
my ( $target, $disposition, $level, $tag, $audit ) = @_; my ( $target, $disposition, $level, $tag, $audit ) = @_;
@ -2763,7 +2763,7 @@ sub ensure_blacklog_chain( $$$$$ ) {
$target =~ s/A_//; $target =~ s/A_//;
$target = 'reject' if $target eq 'REJECT'; $target = 'reject' if $target eq 'REJECT';
log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add' ); log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add', '' );
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit; add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
add_ijump( $logchainref, g => $target ); add_ijump( $logchainref, g => $target );
@ -2778,7 +2778,7 @@ sub ensure_audit_blacklog_chain( $$$ ) {
unless ( $filter_table->{A_blacklog} ) { unless ( $filter_table->{A_blacklog} ) {
my $logchainref = new_manual_chain 'A_blacklog'; my $logchainref = new_manual_chain 'A_blacklog';
log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' ); log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' , '' );
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ); add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target );
@ -4286,7 +4286,8 @@ sub logchain( $$$$$$ ) {
$disposition , $disposition ,
[] , [] ,
$logtag, $logtag,
'add' ); 'add',
'' );
add_jump( $logchainref, $target, 0, $exceptionrule ); add_jump( $logchainref, $target, 0, $exceptionrule );
} }
@ -6245,8 +6246,8 @@ sub do_ipsec($$) {
# #
# Generate a log message # Generate a log message
# #
sub log_rule_limit( $$$$$$$$ ) { sub log_rule_limit( $$$$$$$$;$ ) {
my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches ) = @_; my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_;
my $prefix = ''; my $prefix = '';
my $chain = get_action_chain_name || $chn; my $chain = get_action_chain_name || $chn;
@ -6339,11 +6340,13 @@ sub log_rule_limit( $$$$$$$$ ) {
$ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix ); $ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix );
} }
$ruleref->{origin} = $origin if $origin;
$ruleref; $ruleref;
} }
sub log_irule_limit( $$$$$$$@ ) { sub log_irule_limit( $$$$$$$$@ ) {
my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, @matches ) = @_; my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $origin, @matches ) = @_;
my $prefix = ''; my $prefix = '';
my %matches; my %matches;
@ -6431,7 +6434,7 @@ sub log_irule_limit( $$$$$$$@ ) {
} }
if ( $command eq 'add' ) { if ( $command eq 'add' ) {
add_ijump_internal ( $chainref, j => $prefix , $original_matches, '', @matches ); add_ijump_internal ( $chainref, j => $prefix , $original_matches, $origin, @matches );
} else { } else {
insert_ijump ( $chainref, j => $prefix, 0 , @matches ); insert_ijump ( $chainref, j => $prefix, 0 , @matches );
} }
@ -6446,7 +6449,7 @@ sub log_rule( $$$$ ) {
sub log_irule( $$$;@ ) { sub log_irule( $$$;@ ) {
my ( $level, $chainref, $disposition, @matches ) = @_; my ( $level, $chainref, $disposition, @matches ) = @_;
log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', @matches; log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
} }
# #
@ -7456,7 +7459,8 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ), $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
[] , [] ,
$logtag , $logtag ,
'add' ) 'add' ,
'' )
if $loglevel; if $loglevel;
# #
# Generate Final Rule # Generate Final Rule
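Review bot: In the log_irule_limit hunk the new `$origin` parameter is forwarded only on the `'add'` path (`add_ijump_internal ( $chainref, j => $prefix , $original_matches, $origin, @matches );`); the `else` branch still calls `insert_ijump ( $chainref, j => $prefix, 0 , @matches );` and silently discards it, whereas log_rule_limit records it on both paths via `$ruleref->{origin} = $origin if $origin;`. Either thread the origin through insert_ijump (its signature is not visible here, so I cannot say whether it accepts one) or set `{origin}` on the inserted rule as log_rule_limit does, and if the asymmetry is intended add a comment such as `# $origin is recorded for 'add' only; 'insert' rules carry no origin`. Separately, placing a mandatory `$origin` directly before the slurpy `@matches` in prototype `( $$$$$$$$@ )` means a caller that omits it is not rejected at compile time — the first match key becomes the origin and the remaining match list is shifted — and this commit already contains such a slip in the allowBcast hunk, where `'add', ''. d => '224.0.0.0/4'` uses `.` instead of `,`, so the origin becomes `'d'` and `'224.0.0.0/4'` is left as a bare match key. Because origin strings only annotate generated rules for auditing, a wrong origin is misleading rather than fatal, but a shifted match list changes which traffic the log rule matches. The body of log_irule_limit continues outside the hunk.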


@ -673,17 +673,15 @@ sub add_common_rules ( $ ) {
# #
$chainref = new_standard_chain 'sfilter'; $chainref = new_standard_chain 'sfilter';
if ( $level ne '' ) { log_rule_limit( $level,
my $ruleref = log_rule_limit( $level, $chainref,
$chainref, $chainref->{name},
$chainref->{name}, $policy,
$policy, $globals{LOGLIMIT},
$globals{LOGLIMIT}, $tag,
$tag, 'add',
'add', '',
'' ); $origin{SFILTER_LOG_LEVEL} ) if $level ne '';
$ruleref->{origin} = $origin{SFILTER_LOG_LEVEL};
}
add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit; add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
@ -704,17 +702,15 @@ sub add_common_rules ( $ ) {
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' ); add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
if ( $level ne '' ) { log_rule_limit( $level,
my $ruleref = log_rule_limit( $level, $chainref,
$chainref, $chainref->{name},
$chainref->{name}, $policy,
$policy, $globals{LOGLIMIT},
$globals{LOGLIMIT}, $tag,
$tag, 'add',
'add', '' ,
'' ); $origin ) if $level ne '';
$ruleref->{origin} = $origin;
}
add_ijump_extended( $chainref, j => 'AUDIT', $origin{SFILTER_DISPOSITION}, targetopts => '--type ' . lc $policy ) if $audit; add_ijump_extended( $chainref, j => 'AUDIT', $origin{SFILTER_DISPOSITION}, targetopts => '--type ' . lc $policy ) if $audit;
@ -791,17 +787,15 @@ sub add_common_rules ( $ ) {
# #
$chainref = ensure_mangle_chain 'rplog'; $chainref = ensure_mangle_chain 'rplog';
if ( $level ne '' ) { log_rule_limit( $level,
my $ruleref = log_rule_limit( $level, $chainref,
$chainref, $chainref->{name},
$chainref->{name}, $policy,
$policy, $globals{LOGLIMIT},
$globals{LOGLIMIT}, $tag,
$tag, 'add',
'add', '',
'' ); $origin{RPFILTER_LOG_LEVEL} );
$ruleref->{origin} = $origin{RPFILTER_LOG_LEVEL};
}
add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit; add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
@ -860,15 +854,14 @@ sub add_common_rules ( $ ) {
if ( supplied $config{SMURF_LOG_LEVEL} ) { if ( supplied $config{SMURF_LOG_LEVEL} ) {
my $smurfref = new_chain( 'filter', 'smurflog' ); my $smurfref = new_chain( 'filter', 'smurflog' );
my $ruleref = log_irule_limit( $config{SMURF_LOG_LEVEL}, log_irule_limit( $config{SMURF_LOG_LEVEL},
$smurfref, $smurfref,
'smurfs' , 'smurfs' ,
'DROP', 'DROP',
$globals{LOGILIMIT}, $globals{LOGILIMIT},
$globals{SMURF_LOG_TAG}, $globals{SMURF_LOG_TAG},
'add' ); 'add',
$origin{SMURF_LOG_LEVEL} );
$ruleref->{origin} = $origin{SMURF_LOG_LEVEL};
add_ijump_extended( $smurfref, j => 'AUDIT', $origin, targetopts => '--type drop' ) if $smurfdest eq 'A_DROP'; add_ijump_extended( $smurfref, j => 'AUDIT', $origin, targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
@ -1015,16 +1008,15 @@ sub add_common_rules ( $ ) {
$globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options "; $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";
my $ruleref = log_rule_limit( $level, log_rule_limit( $level,
$logflagsref, $logflagsref,
'logflags', 'logflags',
$disposition, $disposition,
$globals{LOGLIMIT}, $globals{LOGLIMIT},
$tag, $tag,
'add', 'add',
'' ); '' ,
$origin{TCP_FLAGS_LOG_LEVEL} );
$ruleref->{origin} = $origin{TCP_FLAGS_LOG_LEVEL};
$globals{LOGPARMS} = $savelogparms; $globals{LOGPARMS} = $savelogparms;
@ -1301,7 +1293,7 @@ sub setup_mac_lists( $ ) {
run_user_exit2( 'maclog', $chainref ); run_user_exit2( 'maclog', $chainref );
log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add' if $level ne ''; log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
add_ijump $chainref, j => $target; add_ijump $chainref, j => $target;
} }
} }
@ -2280,15 +2272,15 @@ sub generate_matrix() {
for my $table ( qw/mangle nat filter/ ) { for my $table ( qw/mangle nat filter/ ) {
for my $chain ( @{$builtins{$table}} ) { for my $chain ( @{$builtins{$table}} ) {
my $ruleref = log_rule_limit( $config{LOGALLNEW} , log_rule_limit( $config{LOGALLNEW} ,
$chain_table{$table}{$chain} , $chain_table{$table}{$chain} ,
$table , $table ,
$chain , $chain ,
'' , '' ,
'' , '' ,
'insert' , 'insert' ,
state_match('NEW') ); state_match('NEW') ,
$ruleref->{origin} = $origin; $origin );
} }
} }
} }
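Review bot: The rplog hunk (`$chainref = ensure_mangle_chain 'rplog';`) drops the `$level ne ''` guard that the old `if ( $level ne '' ) { my $ruleref = log_rule_limit( ... ) }` block provided: as rendered, the new call ends with `$origin{RPFILTER_LOG_LEVEL} );` with no `if $level ne ''` suffix, whereas the sfilter and ipsec conversions in the same function keep it (`$origin{SFILTER_LOG_LEVEL} ) if $level ne '';` and `$origin ) if $level ne '';`). Unless log_rule_limit is known to be a no-op for an empty level (its handling of `$level` is not visible here), this emits a log rule into the rplog chain even when RPFILTER_LOG_LEVEL is unset. The fix is the same one-token change as the sibling hunks: `$origin{RPFILTER_LOG_LEVEL} ) if $level ne '';`. add_common_rules begins and ends outside these hunks.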


@ -975,7 +975,8 @@ sub setup_syn_flood_chains() {
'DROP', 'DROP',
@{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] , @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
'' , '' ,
'add' ) 'add',
'' )
if $level ne ''; if $level ne '';
add_ijump $synchainref, j => 'DROP'; add_ijump $synchainref, j => 'DROP';
} }
@ -1547,11 +1548,11 @@ sub dropBcast( $$$$ ) {
if ( have_capability( 'ADDRTYPE' ) ) { if ( have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) { if ( $level ne '' ) {
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', addrtype => '--dst-type BROADCAST' ); log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' ); log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' );
} else { } else {
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST ); log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST );
} }
} }
@ -1564,17 +1565,17 @@ sub dropBcast( $$$$ ) {
} }
incr_cmd_level $chainref; incr_cmd_level $chainref;
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '$address' ) if $level ne ''; log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '$address' ) if $level ne '';
add_ijump $chainref, j => $target, d => '$address'; add_ijump $chainref, j => $target, d => '$address';
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
} }
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' if $level ne ''; log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
add_ijump $chainref, j => $target, d => '224.0.0.0/4'; add_ijump $chainref, j => $target, d => '224.0.0.0/4';
} else { } else {
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST ) if $level ne ''; log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
add_ijump $chainref, j => $target, d => IPv6_MULTICAST; add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
} }
} }
@ -1586,8 +1587,8 @@ sub allowBcast( $$$$ ) {
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) { if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) { if ( $level ne '' ) {
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', addrtype => '--dst-type BROADCAST' ); log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' ); log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', ''. d => '224.0.0.0/4' );
} }
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST'; add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
@ -1599,17 +1600,17 @@ sub allowBcast( $$$$ ) {
} }
incr_cmd_level $chainref; incr_cmd_level $chainref;
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '$address' ) if $level ne ''; log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '$address' ) if $level ne '';
add_ijump $chainref, j => $target, d => '$address'; add_ijump $chainref, j => $target, d => '$address';
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
} }
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' ) if $level ne ''; log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
add_ijump $chainref, j => $target, d => '224.0.0.0/4'; add_ijump $chainref, j => $target, d => '224.0.0.0/4';
} else { } else {
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', d => IPv6_MULTICAST ) if $level ne ''; log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
add_ijump $chainref, j => $target, d => IPv6_MULTICAST; add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
} }
} }
@ -1619,7 +1620,7 @@ sub dropNotSyn ( $$$$ ) {
my $target = require_audit( 'DROP', $audit ); my $target = require_audit( 'DROP', $audit );
log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', p => '6 ! --syn' ) if $level ne ''; log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
add_ijump $chainref , j => $target, p => '6 ! --syn'; add_ijump $chainref , j => $target, p => '6 ! --syn';
} }
@ -1634,7 +1635,7 @@ sub rejNotSyn ( $$$$ ) {
$target = require_audit( 'REJECT' , $audit ); $target = require_audit( 'REJECT' , $audit );
} }
log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', p => '6 ! --syn' ) if $level ne ''; log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
add_ijump $chainref , j => $target, p => '6 ! --syn'; add_ijump $chainref , j => $target, p => '6 ! --syn';
} }
@ -1650,8 +1651,8 @@ sub allowinUPnP ( $$$$ ) {
my $target = require_audit( 'ACCEPT', $audit ); my $target = require_audit( 'ACCEPT', $audit );
if ( $level ne '' ) { if ( $level ne '' ) {
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '17 --dport 1900' ); log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '17 --dport 1900' );
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '6 --dport 49152' ); log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '6 --dport 49152' );
} }
add_ijump $chainref, j => $target, p => '17 --dport 1900'; add_ijump $chainref, j => $target, p => '17 --dport 1900';
@ -1688,7 +1689,7 @@ sub Limit( $$$$ ) {
if ( $level ne '' ) { if ( $level ne '' ) {
my $xchainref = new_chain 'filter' , "$chainref->{name}%"; my $xchainref = new_chain 'filter' , "$chainref->{name}%";
log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' ); log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' );
add_ijump $xchainref, j => 'DROP'; add_ijump $xchainref, j => 'DROP';
add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count"; add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
} else { } else {