Add maclog extension script

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4674 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-02-23 21:21:49 +01:00 · 2006-10-13 20:13:40 +00:00 · 2006-10-13 20:13:40 +00:00 · 5b68b5396d
commit 5b68b5396d
parent c133e2c246
6 changed files with 154 additions and 160 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -12,7 +12,7 @@ Changes in 3.3.3

 6)  Add macro.RDP.

-7)  Implement MACLIST_LOG_BROADCASTS.
+7)  Add maclog extension file.

 Changes in 3.3.1

--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@ -5196,8 +5196,8 @@ __EOF__
    maclist_hosts=$(find_hosts_by_option maclist)

    if [ -n "$maclist_hosts" ]; then
-	save_progress_message "Setting up MAC Filtration..."
-	setup_mac_lists
+	save_progress_message "Setting up MAC Filtration -- Phase 1..."
+	setup_mac_lists 1
    fi

    progress_message2 "$DOING $(find_file rules)..."
@ -5227,6 +5227,11 @@ __EOF__
 	process_actions3
    fi

+    if [ -n "$maclist_hosts" ]; then
+	save_progress_message "Setting up MAC Filtration -- Phase 2..."
+	setup_mac_lists 2
+    fi
+
    save_progress_message "Applying Policies..."

    progress_message2 "$DOING $(find_file policy)...";   apply_policy_rules
--- a/Shorewall/lib.maclist
+++ b/Shorewall/lib.maclist
@ -28,7 +28,8 @@
 #
 # Set up MAC Verification
 #
-setup_mac_lists() {
+setup_mac_lists() # $1 = Phase Number
+{
    local interface
    local mac
    local addresses
@ -85,50 +86,50 @@ setup_mac_lists() {
 	fi
    done

-    progress_message "$DOING MAC Verification on $maclist_interfaces..."
+    progress_message "$DOING MAC Verification on $maclist_interfaces -- Phase $1..."
    #
    # Create chains.
    #
-    for interface in $maclist_interfaces; do
-	chain=$(mac_chain $interface)
-	create_mac_chain $chain
-	#
-	# If we're using the mangle table and the interface is DHCP-enabled then we need to accept DHCP broadcasts from 0.0.0.0
-	#
-	if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then
-	    run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN
-	fi
+    if [ $1 -eq 1 ]; then
+	for interface in $maclist_interfaces; do
+	    chain=$(mac_chain $interface)
+		create_mac_chain $chain
+	        #
+	        # If we're using the mangle table and the interface is DHCP-enabled then we need to accept DHCP broadcasts from 0.0.0.0
+	        #
+		if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then
+		    run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN
+		fi
+		
+		if [ -n "$MACLIST_TTL" ]; then
+		    chain1=$(macrecent_target $interface)
+		    create_mac_chain $chain1
+		    run_iptables -A $chain  -t $MACLIST_TABLE -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
+		    run_iptables -A $chain  -t $MACLIST_TABLE                                                         -j $chain1
+		    run_iptables -A $chain  -t $MACLIST_TABLE -m recent --update                        --name $chain -j RETURN
+		    run_iptables -A $chain  -t $MACLIST_TABLE -m recent --set                           --name $chain
+		fi
+	done
+        #
+        # Process the maclist file producing the verification rules
+        #
+	while read disposition interface mac addresses; do
+	    expandv disposition interface mac addresses

-	if [ -n "$MACLIST_TTL" ]; then
-	    chain1=$(macrecent_target $interface)
-	    create_mac_chain $chain1
-	    run_iptables -A $chain  -t $MACLIST_TABLE -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
-	    run_iptables -A $chain  -t $MACLIST_TABLE                                                         -j $chain1
-	    run_iptables -A $chain  -t $MACLIST_TABLE -m recent --update                        --name $chain -j RETURN
-	    run_iptables -A $chain  -t $MACLIST_TABLE -m recent --set                           --name $chain
-	fi
-    done
-
-    #
-    # Process the maclist file producing the verification rules
-    #
-    while read disposition interface mac addresses; do
-	expandv disposition interface mac addresses
-
-	level=
-
-	case $disposition in
-	    ACCEPT:*)
-		level=${disposition#*:}
-		disposition=ACCEPT
-		target=RETURN
-		;;
-	    ACCEPT)
-		target=RETURN
-		;;
-	    REJECT:*)
-		[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
-		target=reject
+	    level=
+	    
+	    case $disposition in
+		ACCEPT:*)
+		    level=${disposition#*:}
+		    disposition=ACCEPT
+		    target=RETURN
+		    ;;
+		ACCEPT)
+		    target=RETURN
+		    ;;
+		REJECT:*)
+		    [ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
+		    target=reject
 		disposition=REJECT
 		;;
 	    REJECT)
@ -150,57 +151,81 @@ setup_mac_lists() {
 		disposition=ACCEPT
 		target=RETURN
 		;;
-	esac
+	    esac

-	physdev_part=
+	    physdev_part=

-	if [ -n "$BRIDGING" ]; then
-	    case $interface in
-		*:*)
-		    physdev_part="-m physdev --physdev-in ${interface#*:}"
-		    interface=${interface%:*}
+	    if [ -n "$BRIDGING" ]; then
+		case $interface in
+		    *:*)
+			physdev_part="-m physdev --physdev-in ${interface#*:}"
+			interface=${interface%:*}
+		    ;;
+		esac
+	    fi
+
+	    [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
+		
+		if ! have_mac_chain $chain ; then
+		    fatal_error "No hosts on $interface have the maclist option specified"
+		fi
+		
+		if [ x${mac:=-} = x- ]; then
+		    if [ -z "$addresses" ]; then
+			fatal_error "You must specify a MAC address or an IP address"
+		    else
+			macpart=
+		    fi
+		else
+		    macpart=$(mac_match $mac)
+		fi
+
+		if [ -z "$addresses" ]; then
+		    [ -n "$level" ] && \
+			log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part
+			run_iptables -A $chain -t $MACLIST_TABLE $macpart $physdev_part -j $target
+		else
+		    for address in $(separate_list $addresses) ; do
+			[ -n "$level" ] && \
+			    log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart -s $address $physdev_part
+			    run_iptables2 -A $chain -t $MACLIST_TABLE $macpart -s $address $physdev_part -j $target
+		    done
+		fi
+	done < $TMP_DIR/maclist
+        #
+        # Generate jumps from the input and forward chains
+        #
+        [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
+    
+        for hosts in $maclist_hosts; do
+	    ipsec=${hosts%^*}
+	    hosts=${hosts#*^}
+	    interface=${hosts%%:*}
+	    hosts=${hosts#*:}
+	    case $MACLIST_TABLE in
+		filter)
+		    for chain in $(first_chains $interface) ; do
+			run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
+			    $policy -j $(mac_chain $interface)
+		    done
+		    ;;
+		*)
+		    run_iptables -t mangle -A PREROUTING -i $interface $(match_source_hosts $hosts) -m state --state NEW \
+			$policy -j $(mac_chain $interface)
 		    ;;
 	    esac
-	fi
+	done
+    else
+        #
+        # Must take care of our own broadcasts and multicasts then terminate the verification
+        # chains
+        #
+	for interface in $maclist_interfaces; do

-	[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
-
-	if ! have_mac_chain $chain ; then
-	    fatal_error "No hosts on $interface have the maclist option specified"
-	fi
-
-	if [ x${mac:=-} = x- ]; then
-	    if [ -z "$addresses" ]; then
-		fatal_error "You must specify a MAC address or an IP address"
-	    else
-		macpart=
-	    fi
-	else
-	    macpart=$(mac_match $mac)
-	fi
-
-	if [ -z "$addresses" ]; then
-	    [ -n "$level" ] && \
-		log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part
-	    run_iptables -A $chain -t $MACLIST_TABLE $macpart $physdev_part -j $target
-	else
-	    for address in $(separate_list $addresses) ; do
-		[ -n "$level" ] && \
-		    log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart -s $address $physdev_part
-		run_iptables2 -A $chain -t $MACLIST_TABLE $macpart -s $address $physdev_part -j $target
-	    done
-	fi
-    done < $TMP_DIR/maclist
-    #
-    # Must take care of our own broadcasts and multicasts then terminate the verification
-    # chains
-    #
-    for interface in $maclist_interfaces; do
-
-	[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
-	    
-	if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
-	    indent >&3 << __EOF__
+	    [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
+		
+		if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
+		    indent >&3 << __EOF__

 blob=\$(ip link show $interface 2> /dev/null)

@ -218,62 +243,20 @@ ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //
 done

 __EOF__
-	fi
-
-	if [ -n "$MACLIST_LOG_LEVEL" ]; then
-	    if [ $MACLIST_DISPOSITION != ACCEPT -a -z "$MACLIST_LOG_BROADCASTS" ]; then
-		#
-		# Don't log broadcasts
-	        #
-	        if [ -n "$USEPKTTYPE" ]; then
-		    run_iptables -t $MACLIST_TABLE -A $chain -m pkttype --pkt-type broadcast -j DROP
-		    run_iptables -t $MACLIST_TABLE -A $chain -m pkttype --pkt-type multicast -j DROP
-		else
-		    for interface in $(find_bcastdetect_interfaces); do
-			indent >&3 << __EOF__
-
-ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
-    run_iptables -t $MACLIST_TABLE -A $chain -d \$address -j DROP
-done
-
-__EOF__
-		    done
-
-		    for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
-			run_iptables -t $MACLIST_TABLE -A $chain -d $address -j DROP
-		    done
 		fi
-	    fi
-	    
-	    log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
-	fi

-	if [ $MACLIST_DISPOSITION != ACCEPT ]; then
-	    run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET
-	fi
-    done
-    #
-    # Generate jumps from the input and forward chains
-    #
-    [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
-    
-    for hosts in $maclist_hosts; do
-	ipsec=${hosts%^*}
-	hosts=${hosts#*^}
-	interface=${hosts%%:*}
-	hosts=${hosts#*:}
-	case $MACLIST_TABLE in
-	    filter)
-		for chain in $(first_chains $interface) ; do
-		    run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
-			$policy -j $(mac_chain $interface)
-		done
-		;;
-	    *)
-		run_iptables -t mangle -A PREROUTING -i $interface $(match_source_hosts $hosts) -m state --state NEW \
-			$policy -j $(mac_chain $interface)
-		;;
-	esac
-    done
+		CHAIN=$chain
+
+		append_file maclog
+		
+		if [ -n "$MACLIST_LOG_LEVEL" ]; then
+		    log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
+		fi
+		
+		if [ $MACLIST_DISPOSITION != ACCEPT ]; then
+		    run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET
+		fi
+	done
+    fi
 }

--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -117,13 +117,12 @@ Other changes in 3.3.3
 4)  A new macro (macro.RDP) has been added for Microsoft Remote
    Desktop. This macro was contributed by Tuomo Soini.

-5)  A new MACLIST_LOG_BROADCASTS option has been added to
-    shorewall.conf. When set to 'No', suppresses logging of broadcast
-    and multicast traffic as a result of MACLIST_LOG_LEVEL having been
-    set to a non-empty value.
-
-    The default is MACLIST_LOG_BROADCASTS=Yes which is compatible with
-    the traditional behavior of MACLIST_LOG_LEVEL.
+5)  A new 'maclog' extension file has been added. This file is
+    processed just before logging based on the setting of
+    MACLIST_LOG_LEVEL is done. When invoked, the CHAIN variable will
+    contain the name of the chain where rules should be inserted.
+    Remember that if you have specified MACLIST_TABLE=mangle, then your
+    run_iptables commands should include "-t mangle".

 Migration Considerations:

--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -1111,6 +1111,8 @@ dump_command() {
 	esac
    done

+    [ $VERBOSE -lt 2 ] && VERBOSE=2
+
    [ -n "$debugging" ] && set -x
    [ $# -eq 0 ] || usage 1
    clear_term
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@ -227,20 +227,25 @@ BLACKLIST_LOGLEVEL=
 # Specifies the logging level for connection requests that fail MAC
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged.
-#
-# If MACLIST_LOG_LEVEL is non-empty, then MACLIST_LOG_BROADCASTS determines
-# whether broadcast/multicast traffic is dropped or rejected silently.
-#
-# 	MACLIST_LOG_BROADCASTS=No  -- Don't log broadcast/multicast
-# 	MACLIST_LOG_BROADCASTS=Yes -- Log broadcast/multicast (Default)
 #	
 # See the comment at the top of this section for a description of log levels
 #
+# If you wish to filter messages logged under this option, then supply
+# the /etc/shorewall/maclog extension script (you will have to create the
+# file yourself). That script will be copied into the compiled firewall
+# script at a point just before logging  occurs. The shell variable CHAIN
+# will be set to the name of the chain where the logging rule will be
+# inserted.
+#
+# If you set MACLIST_TABLE=mangle later in this file, be sure that your
+# 'run_iptables' commands include '-t mangle'.
+#
+# See http://www.shorewall.net/shorewall_extension_scripts.htm for more 
+# information about extension scripts.
+#

 MACLIST_LOG_LEVEL=info

-MACLIST_LOG_BROADCASTS=Yes
-
 #
 # TCP FLAGS Log Level
 #