Add maclog extension script

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4674 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-01 15:35:50 +02:00 · 2006-10-13 20:13:40 +00:00 · 2006-10-13 20:13:40 +00:00 · 5b68b5396d
commit 5b68b5396d
parent c133e2c246
6 changed files with 154 additions and 160 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -12,7 +12,7 @@ Changes in 3.3.3
 6)  Add macro.RDP.
-7)  Implement MACLIST_LOG_BROADCASTS.
+7)  Add maclog extension file.
 Changes in 3.3.1
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@ -5196,8 +5196,8 @@ __EOF__
    maclist_hosts=$(find_hosts_by_option maclist)
    if [ -n "$maclist_hosts" ]; then
-	save_progress_message "Setting up MAC Filtration..."
+	save_progress_message "Setting up MAC Filtration -- Phase 1..."
-	setup_mac_lists
+	setup_mac_lists 1
    fi
    progress_message2 "$DOING $(find_file rules)..."
@ -5227,6 +5227,11 @@ __EOF__
 	process_actions3
    fi
    if [ -n "$maclist_hosts" ]; then
 	save_progress_message "Setting up MAC Filtration -- Phase 2..."
 	setup_mac_lists 2
    fi
    save_progress_message "Applying Policies..."
    progress_message2 "$DOING $(find_file policy)...";   apply_policy_rules
--- a/Shorewall/lib.maclist
+++ b/Shorewall/lib.maclist
@ -28,7 +28,8 @@
 #
 # Set up MAC Verification
 #
-setup_mac_lists() {
+setup_mac_lists() # $1 = Phase Number
 {
    local interface
    local mac
    local addresses
@ -85,50 +86,50 @@ setup_mac_lists() {
 	fi
    done
-    progress_message "$DOING MAC Verification on $maclist_interfaces..."
+    progress_message "$DOING MAC Verification on $maclist_interfaces -- Phase $1..."
    #
    # Create chains.
    #
-    for interface in $maclist_interfaces; do
+    if [ $1 -eq 1 ]; then
-	chain=$(mac_chain $interface)
+	for interface in $maclist_interfaces; do
-	create_mac_chain $chain
+	    chain=$(mac_chain $interface)
-	#
+		create_mac_chain $chain
-	# If we're using the mangle table and the interface is DHCP-enabled then we need to accept DHCP broadcasts from 0.0.0.0
+	        #
-	#
+	        # If we're using the mangle table and the interface is DHCP-enabled then we need to accept DHCP broadcasts from 0.0.0.0
-	if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then
+	        #
-	    run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN
+		if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then
-	fi
+		    run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN
 		fi
 		if [ -n "$MACLIST_TTL" ]; then
 		    chain1=$(macrecent_target $interface)
 		    create_mac_chain $chain1
 		    run_iptables -A $chain  -t $MACLIST_TABLE -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
 		    run_iptables -A $chain  -t $MACLIST_TABLE                                                         -j $chain1
 		    run_iptables -A $chain  -t $MACLIST_TABLE -m recent --update                        --name $chain -j RETURN
 		    run_iptables -A $chain  -t $MACLIST_TABLE -m recent --set                           --name $chain
 		fi
 	done
        #
        # Process the maclist file producing the verification rules
        #
 	while read disposition interface mac addresses; do
 	    expandv disposition interface mac addresses
-	if [ -n "$MACLIST_TTL" ]; then
+	    level=
-	    chain1=$(macrecent_target $interface)
+	    
-	    create_mac_chain $chain1
+	    case $disposition in
-	    run_iptables -A $chain  -t $MACLIST_TABLE -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
+		ACCEPT:*)
-	    run_iptables -A $chain  -t $MACLIST_TABLE                                                         -j $chain1
+		    level=${disposition#*:}
-	    run_iptables -A $chain  -t $MACLIST_TABLE -m recent --update                        --name $chain -j RETURN
+		    disposition=ACCEPT
-	    run_iptables -A $chain  -t $MACLIST_TABLE -m recent --set                           --name $chain
+		    target=RETURN
-	fi
+		    ;;
-    done
+		ACCEPT)
-
+		    target=RETURN
-    #
+		    ;;
-    # Process the maclist file producing the verification rules
+		REJECT:*)
-    #
+		    [ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
-    while read disposition interface mac addresses; do
+		    target=reject
 	expandv disposition interface mac addresses
 	level=
 	case $disposition in
 	    ACCEPT:*)
 		level=${disposition#*:}
 		disposition=ACCEPT
 		target=RETURN
 		;;
 	    ACCEPT)
 		target=RETURN
 		;;
 	    REJECT:*)
 		[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
 		target=reject
 		disposition=REJECT
 		;;
 	    REJECT)
@ -150,57 +151,81 @@ setup_mac_lists() {
 		disposition=ACCEPT
 		target=RETURN
 		;;
-	esac
+	    esac
-	physdev_part=
+	    physdev_part=
-	if [ -n "$BRIDGING" ]; then
+	    if [ -n "$BRIDGING" ]; then
-	    case $interface in
+		case $interface in
-		*:*)
+		    *:*)
-		    physdev_part="-m physdev --physdev-in ${interface#*:}"
+			physdev_part="-m physdev --physdev-in ${interface#*:}"
-		    interface=${interface%:*}
+			interface=${interface%:*}
 		    ;;
 		esac
 	    fi
 	    [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
 		if ! have_mac_chain $chain ; then
 		    fatal_error "No hosts on $interface have the maclist option specified"
 		fi
 		if [ x${mac:=-} = x- ]; then
 		    if [ -z "$addresses" ]; then
 			fatal_error "You must specify a MAC address or an IP address"
 		    else
 			macpart=
 		    fi
 		else
 		    macpart=$(mac_match $mac)
 		fi
 		if [ -z "$addresses" ]; then
 		    [ -n "$level" ] && \
 			log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part
 			run_iptables -A $chain -t $MACLIST_TABLE $macpart $physdev_part -j $target
 		else
 		    for address in $(separate_list $addresses) ; do
 			[ -n "$level" ] && \
 			    log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart -s $address $physdev_part
 			    run_iptables2 -A $chain -t $MACLIST_TABLE $macpart -s $address $physdev_part -j $target
 		    done
 		fi
 	done < $TMP_DIR/maclist
        #
        # Generate jumps from the input and forward chains
        #
        [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
        for hosts in $maclist_hosts; do
 	    ipsec=${hosts%^*}
 	    hosts=${hosts#*^}
 	    interface=${hosts%%:*}
 	    hosts=${hosts#*:}
 	    case $MACLIST_TABLE in
 		filter)
 		    for chain in $(first_chains $interface) ; do
 			run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
 			    $policy -j $(mac_chain $interface)
 		    done
 		    ;;
 		*)
 		    run_iptables -t mangle -A PREROUTING -i $interface $(match_source_hosts $hosts) -m state --state NEW \
 			$policy -j $(mac_chain $interface)
 		    ;;
 	    esac
-	fi
+	done
    else
        #
        # Must take care of our own broadcasts and multicasts then terminate the verification
        # chains
        #
 	for interface in $maclist_interfaces; do
-	[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
+	    [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
-
+		
-	if ! have_mac_chain $chain ; then
+		if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
-	    fatal_error "No hosts on $interface have the maclist option specified"
+		    indent >&3 << __EOF__
 	fi
 	if [ x${mac:=-} = x- ]; then
 	    if [ -z "$addresses" ]; then
 		fatal_error "You must specify a MAC address or an IP address"
 	    else
 		macpart=
 	    fi
 	else
 	    macpart=$(mac_match $mac)
 	fi
 	if [ -z "$addresses" ]; then
 	    [ -n "$level" ] && \
 		log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part
 	    run_iptables -A $chain -t $MACLIST_TABLE $macpart $physdev_part -j $target
 	else
 	    for address in $(separate_list $addresses) ; do
 		[ -n "$level" ] && \
 		    log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart -s $address $physdev_part
 		run_iptables2 -A $chain -t $MACLIST_TABLE $macpart -s $address $physdev_part -j $target
 	    done
 	fi
    done < $TMP_DIR/maclist
    #
    # Must take care of our own broadcasts and multicasts then terminate the verification
    # chains
    #
    for interface in $maclist_interfaces; do
 	[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
 	if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
 	    indent >&3 << __EOF__
 blob=\$(ip link show $interface 2> /dev/null)
@ -218,62 +243,20 @@ ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //
 done
 __EOF__
 	fi
 	if [ -n "$MACLIST_LOG_LEVEL" ]; then
 	    if [ $MACLIST_DISPOSITION != ACCEPT -a -z "$MACLIST_LOG_BROADCASTS" ]; then
 		#
 		# Don't log broadcasts
 	        #
 	        if [ -n "$USEPKTTYPE" ]; then
 		    run_iptables -t $MACLIST_TABLE -A $chain -m pkttype --pkt-type broadcast -j DROP
 		    run_iptables -t $MACLIST_TABLE -A $chain -m pkttype --pkt-type multicast -j DROP
 		else
 		    for interface in $(find_bcastdetect_interfaces); do
 			indent >&3 << __EOF__
 ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
    run_iptables -t $MACLIST_TABLE -A $chain -d \$address -j DROP
 done
 __EOF__
 		    done
 		    for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
 			run_iptables -t $MACLIST_TABLE -A $chain -d $address -j DROP
 		    done
 		fi
 	    fi
 	    log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
 	fi
-	if [ $MACLIST_DISPOSITION != ACCEPT ]; then
+		CHAIN=$chain
-	    run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET
+
-	fi
+		append_file maclog
-    done
+		
-    #
+		if [ -n "$MACLIST_LOG_LEVEL" ]; then
-    # Generate jumps from the input and forward chains
+		    log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
-    #
+		fi
-    [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
+		
-    
+		if [ $MACLIST_DISPOSITION != ACCEPT ]; then
-    for hosts in $maclist_hosts; do
+		    run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET
-	ipsec=${hosts%^*}
+		fi
-	hosts=${hosts#*^}
+	done
-	interface=${hosts%%:*}
+    fi
 	hosts=${hosts#*:}
 	case $MACLIST_TABLE in
 	    filter)
 		for chain in $(first_chains $interface) ; do
 		    run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
 			$policy -j $(mac_chain $interface)
 		done
 		;;
 	    *)
 		run_iptables -t mangle -A PREROUTING -i $interface $(match_source_hosts $hosts) -m state --state NEW \
 			$policy -j $(mac_chain $interface)
 		;;
 	esac
    done
 }
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -117,13 +117,12 @@ Other changes in 3.3.3
 4)  A new macro (macro.RDP) has been added for Microsoft Remote
    Desktop. This macro was contributed by Tuomo Soini.
-5)  A new MACLIST_LOG_BROADCASTS option has been added to
+5)  A new 'maclog' extension file has been added. This file is
-    shorewall.conf. When set to 'No', suppresses logging of broadcast
+    processed just before logging based on the setting of
-    and multicast traffic as a result of MACLIST_LOG_LEVEL having been
+    MACLIST_LOG_LEVEL is done. When invoked, the CHAIN variable will
-    set to a non-empty value.
+    contain the name of the chain where rules should be inserted.
-
+    Remember that if you have specified MACLIST_TABLE=mangle, then your
-    The default is MACLIST_LOG_BROADCASTS=Yes which is compatible with
+    run_iptables commands should include "-t mangle".
    the traditional behavior of MACLIST_LOG_LEVEL.
 Migration Considerations:
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -1111,6 +1111,8 @@ dump_command() {
 	esac
    done
    [ $VERBOSE -lt 2 ] && VERBOSE=2
    [ -n "$debugging" ] && set -x
    [ $# -eq 0 ] || usage 1
    clear_term
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@ -227,20 +227,25 @@ BLACKLIST_LOGLEVEL=
 # Specifies the logging level for connection requests that fail MAC
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged.
 #
 # If MACLIST_LOG_LEVEL is non-empty, then MACLIST_LOG_BROADCASTS determines
 # whether broadcast/multicast traffic is dropped or rejected silently.
 #
 # 	MACLIST_LOG_BROADCASTS=No  -- Don't log broadcast/multicast
 # 	MACLIST_LOG_BROADCASTS=Yes -- Log broadcast/multicast (Default)
 #	
 # See the comment at the top of this section for a description of log levels
 #
 # If you wish to filter messages logged under this option, then supply
 # the /etc/shorewall/maclog extension script (you will have to create the
 # file yourself). That script will be copied into the compiled firewall
 # script at a point just before logging  occurs. The shell variable CHAIN
 # will be set to the name of the chain where the logging rule will be
 # inserted.
 #
 # If you set MACLIST_TABLE=mangle later in this file, be sure that your
 # 'run_iptables' commands include '-t mangle'.
 #
 # See http://www.shorewall.net/shorewall_extension_scripts.htm for more 
 # information about extension scripts.
 #
 MACLIST_LOG_LEVEL=info
 MACLIST_LOG_BROADCASTS=Yes
 #
 # TCP FLAGS Log Level
 #