Implement RELATED_DISPOSITION and RELATED_LOG_LEVEL

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-12-05 16:08:17 -08:00
parent 320cc822fe
commit 439af55312
4 changed files with 52 additions and 3 deletions


@ -471,6 +471,7 @@ sub initialize( $ ) {
LOGBURST => undef,
LOGALLNEW => undef,
BLACKLIST_LOGLEVEL => undef,
RELATED_LOG_LEVEL => undef,
RFC1918_LOG_LEVEL => undef,
MACLIST_LOG_LEVEL => undef,
TCP_FLAGS_LOG_LEVEL => undef,
@ -576,6 +577,7 @@ sub initialize( $ ) {
BLACKLIST_DISPOSITION => undef,
SMURF_DISPOSITION => undef,
SFILTER_DISPOSITION => undef,
RELATED_DISPOSITION => undef,
#
# Mark Geometry
#
@ -3797,6 +3799,7 @@ sub get_configuration( $$$ ) {
default_log_level 'MACLIST_LOG_LEVEL', '';
default_log_level 'TCP_FLAGS_LOG_LEVEL', '';
default_log_level 'RFC1918_LOG_LEVEL', '';
default_log_level 'RELATED_LOG_LEVEL', '';
warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
@ -3831,6 +3834,23 @@ sub get_configuration( $$$ ) {
$globals{MACLIST_TARGET} = 'reject';
}
if ( $val = $config{RELATED_DISPOSITION} ) {
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
$globals{RELATED_TARGET} = $val;
} elsif ( $val eq 'REJECT' ) {
$globals{RELATED_TARGET} = 'reject';
} elsif ( $val eq 'A_REJECT' ) {
$globals{RELATED_TARGET} = $val;
} else {
fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
}
require_capability 'AUDIT_TARGET' , "MACLIST_DISPOSITION=$val", 's' if $val =~ /^A_/;
} else {
$config{RELATED_DISPOSITION} =
$globals{RELATED_TARGET} = 'ACCEPT';
}
if ( $val = $config{MACLIST_TABLE} ) {
if ( $val eq 'mangle' ) {
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
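Review bot: The error path of the new RELATED_DISPOSITION block still names MACLIST_DISPOSITION: the `fatal_error` interpolates `$config{MACLIST_DISPOSITION}`, so an invalid RELATED_DISPOSITION is reported under the wrong option name and with the value of a different option, and the `require_capability` message two lines later is labelled `MACLIST_DISPOSITION=$val` as well. Both should refer to the option actually being validated: `fatal_error "Invalid value ($val) for RELATED_DISPOSITION"` and `require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/;`. The structure matches the MACLIST_DISPOSITION block that ends just above it, which suggests the messages were carried over unchanged. get_configuration starts before this hunk and continues past it.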


@ -704,7 +704,10 @@ sub add_common_rules ( $ ) {
setup_mss;
add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ) if ( $config{FASTACCEPT} );
if ( $config{FASTACCEPT} ) {
my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch $faststate )
}
my $policy = $config{SFILTER_DISPOSITION};
$level = $config{SFILTER_LOG_LEVEL};
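Review bot: The condition that decides whether RELATED joins the fast-accept match in `$faststate` carries no comment, and a reader has to reconstruct why RELATED must skip the early ACCEPT whenever it is logged or given a non-ACCEPT disposition. A comment above the `my $faststate` line such as `# RELATED may only take the fast path when it is neither logged nor subject to a non-ACCEPT disposition; otherwise the per-chain RELATED rules must see it` would make the intent explicit. The `eq ''` test on RELATED_LOG_LEVEL presumably relies on get_configuration normalising an unset level to the empty string; that dependency is worth stating in the same comment, since an undefined level would otherwise warn here. add_common_rules starts before this hunk and continues past it.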


@ -764,11 +764,33 @@ sub ensure_rules_chain( $ )
#
sub finish_chain_section ($$) {
my ($chainref, $state ) = @_;
my $chain = $chainref->{name};
my $chain = $chainref->{name};
my $related_level = $config{RELATED_LOG_LEVEL};
my $related_target = $globals{RELATED_TARGET};
push_comment(''); #These rules should not have comments
add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
if ( $state =~ /RELATED/ && ( $related_level || $related_target ne 'ACCEPT' ) ) {
if ( $related_level ) {
my $relatedref = new_chain( 'filter', "+$chainref->{name}" );
log_rule( $related_level,
$relatedref,
$config{RELATED_DISPOSITION},
'' );
add_ijump( $relatedref, g => $related_target );
$related_target = $relatedref->{name};
}
add_ijump $chainref, g => $related_target, state_imatch 'RELATED';
$state =~ s/,?RELATED//;
}
if ( $state ) {
add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
}
if ($sections{NEW} ) {
if ( $chainref->{is_policy} ) {
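Review bot: `$state =~ s/,?RELATED//` only strips a comma that precedes RELATED, so a state list with RELATED first (`RELATED,ESTABLISHED`) would be left as `,ESTABLISHED` and reach `state_imatch` two lines later with a leading comma. If callers only ever pass RELATED last this is harmless, but an order-independent form is just as short: `$state = join ',', grep { $_ ne 'RELATED' } split /,/, $state;`, which also yields the empty string when RELATED was the only state, preserving the `if ( $state )` check. Separately, the new chain is named with `"+$chainref->{name}"` even though the function already holds that value in `$chain`, so `"+$chain"` would be consistent with the surrounding code. finish_chain_section continues past the end of this hunk.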


@ -39,6 +39,8 @@ LOGLIMIT=
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
@ -196,6 +198,8 @@ BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP