Add maclog extension script

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4674 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -12,7 +12,7 @@ Changes in 3.3.3
 
 6)  Add macro.RDP.
 
-7)  Implement MACLIST_LOG_BROADCASTS.
+7)  Add maclog extension file.
 
 Changes in 3.3.1
 

Shorewall/compiler

@@ -5196,8 +5196,8 @@ __EOF__
     maclist_hosts=$(find_hosts_by_option maclist)
 
     if [ -n "$maclist_hosts" ]; then
-	save_progress_message "Setting up MAC Filtration..."
+	save_progress_message "Setting up MAC Filtration -- Phase 1..."
-	setup_mac_lists
+	setup_mac_lists 1
     fi
 
     progress_message2 "$DOING $(find_file rules)..."
@@ -5227,6 +5227,11 @@ __EOF__
 	process_actions3
     fi
 
+    if [ -n "$maclist_hosts" ]; then
+	save_progress_message "Setting up MAC Filtration -- Phase 2..."
+	setup_mac_lists 2
+    fi
+
     save_progress_message "Applying Policies..."
 
     progress_message2 "$DOING $(find_file policy)...";   apply_policy_rules

Shorewall/lib.maclist

@@ -28,7 +28,8 @@
 #
 # Set up MAC Verification
 #
-setup_mac_lists() {
+setup_mac_lists() # $1 = Phase Number
+{
     local interface
     local mac
     local addresses
@@ -85,10 +86,11 @@ setup_mac_lists() {
 	fi
     done
 
-    progress_message "$DOING MAC Verification on $maclist_interfaces..."
+    progress_message "$DOING MAC Verification on $maclist_interfaces -- Phase $1..."
     #
     # Create chains.
     #
+    if [ $1 -eq 1 ]; then
 	for interface in $maclist_interfaces; do
 	    chain=$(mac_chain $interface)
 		create_mac_chain $chain
@@ -108,7 +110,6 @@ setup_mac_lists() {
 		    run_iptables -A $chain  -t $MACLIST_TABLE -m recent --set                           --name $chain
 		fi
 	done
-
         #
         # Process the maclist file producing the verification rules
         #
@@ -191,6 +192,30 @@ setup_mac_lists() {
 		    done
 		fi
 	done < $TMP_DIR/maclist
+        #
+        # Generate jumps from the input and forward chains
+        #
+        [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
+    
+        for hosts in $maclist_hosts; do
+	    ipsec=${hosts%^*}
+	    hosts=${hosts#*^}
+	    interface=${hosts%%:*}
+	    hosts=${hosts#*:}
+	    case $MACLIST_TABLE in
+		filter)
+		    for chain in $(first_chains $interface) ; do
+			run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
+			    $policy -j $(mac_chain $interface)
+		    done
+		    ;;
+		*)
+		    run_iptables -t mangle -A PREROUTING -i $interface $(match_source_hosts $hosts) -m state --state NEW \
+			$policy -j $(mac_chain $interface)
+		    ;;
+	    esac
+	done
+    else
         #
         # Must take care of our own broadcasts and multicasts then terminate the verification
         # chains
@@ -220,31 +245,11 @@ done
 __EOF__
 		fi
 
+		CHAIN=$chain
+
+		append_file maclog
+		
 		if [ -n "$MACLIST_LOG_LEVEL" ]; then
-	    if [ $MACLIST_DISPOSITION != ACCEPT -a -z "$MACLIST_LOG_BROADCASTS" ]; then
-		#
-		# Don't log broadcasts
-	        #
-	        if [ -n "$USEPKTTYPE" ]; then
-		    run_iptables -t $MACLIST_TABLE -A $chain -m pkttype --pkt-type broadcast -j DROP
-		    run_iptables -t $MACLIST_TABLE -A $chain -m pkttype --pkt-type multicast -j DROP
-		else
-		    for interface in $(find_bcastdetect_interfaces); do
-			indent >&3 << __EOF__
-
-ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
-    run_iptables -t $MACLIST_TABLE -A $chain -d \$address -j DROP
-done
-
-__EOF__
-		    done
-
-		    for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
-			run_iptables -t $MACLIST_TABLE -A $chain -d $address -j DROP
-		    done
-		fi
-	    fi
-	    
 		    log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
 		fi
 		
@@ -252,28 +257,6 @@ __EOF__
 		    run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET
 		fi
 	done
-    #
+    fi
-    # Generate jumps from the input and forward chains
-    #
-    [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
-    
-    for hosts in $maclist_hosts; do
-	ipsec=${hosts%^*}
-	hosts=${hosts#*^}
-	interface=${hosts%%:*}
-	hosts=${hosts#*:}
-	case $MACLIST_TABLE in
-	    filter)
-		for chain in $(first_chains $interface) ; do
-		    run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
-			$policy -j $(mac_chain $interface)
-		done
-		;;
-	    *)
-		run_iptables -t mangle -A PREROUTING -i $interface $(match_source_hosts $hosts) -m state --state NEW \
-			$policy -j $(mac_chain $interface)
-		;;
-	esac
-    done
 }
 

Shorewall/releasenotes.txt

@@ -117,13 +117,12 @@ Other changes in 3.3.3
 4)  A new macro (macro.RDP) has been added for Microsoft Remote
     Desktop. This macro was contributed by Tuomo Soini.
 
-5)  A new MACLIST_LOG_BROADCASTS option has been added to
+5)  A new 'maclog' extension file has been added. This file is
-    shorewall.conf. When set to 'No', suppresses logging of broadcast
+    processed just before logging based on the setting of
-    and multicast traffic as a result of MACLIST_LOG_LEVEL having been
+    MACLIST_LOG_LEVEL is done. When invoked, the CHAIN variable will
-    set to a non-empty value.
+    contain the name of the chain where rules should be inserted.
-
+    Remember that if you have specified MACLIST_TABLE=mangle, then your
-    The default is MACLIST_LOG_BROADCASTS=Yes which is compatible with
+    run_iptables commands should include "-t mangle".
-    the traditional behavior of MACLIST_LOG_LEVEL.
 
 Migration Considerations:
 

Shorewall/shorewall

@@ -1111,6 +1111,8 @@ dump_command() {
 	esac
     done
 
+    [ $VERBOSE -lt 2 ] && VERBOSE=2
+
     [ -n "$debugging" ] && set -x
     [ $# -eq 0 ] || usage 1
     clear_term

Shorewall/shorewall.conf

@@ -228,19 +228,24 @@ BLACKLIST_LOGLEVEL=
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged.
 #	
-# If MACLIST_LOG_LEVEL is non-empty, then MACLIST_LOG_BROADCASTS determines
-# whether broadcast/multicast traffic is dropped or rejected silently.
-#
-# 	MACLIST_LOG_BROADCASTS=No  -- Don't log broadcast/multicast
-# 	MACLIST_LOG_BROADCASTS=Yes -- Log broadcast/multicast (Default)
-#	
 # See the comment at the top of this section for a description of log levels
 #
+# If you wish to filter messages logged under this option, then supply
+# the /etc/shorewall/maclog extension script (you will have to create the
+# file yourself). That script will be copied into the compiled firewall
+# script at a point just before logging  occurs. The shell variable CHAIN
+# will be set to the name of the chain where the logging rule will be
+# inserted.
+#
+# If you set MACLIST_TABLE=mangle later in this file, be sure that your
+# 'run_iptables' commands include '-t mangle'.
+#
+# See http://www.shorewall.net/shorewall_extension_scripts.htm for more 
+# information about extension scripts.
+#
 
 MACLIST_LOG_LEVEL=info
 
-MACLIST_LOG_BROADCASTS=Yes
-
 #
 # TCP FLAGS Log Level
 #