diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index f363601b6..0112d5b67 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -2302,6 +2302,7 @@ sub new_chain($$) references => {}, filtered => 0, optflags => 0, + origin => shortlineinfo1( '' ) || shortlineinfo( '' ), }; trace( $chainref, 'N', undef, '' ) if $debug; @@ -2412,6 +2413,7 @@ sub add_ijump_internal( $$$$$;@ ) { my ( $target ) = split ' ', $to; $toref = $chain_table{$fromref->{table}}{$target}; fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target}; + $origin ||= $fromref->{origin} if $globals{TRACK_RULES}; } # @@ -2421,6 +2423,7 @@ sub add_ijump_internal( $$$$$;@ ) { $toref->{referenced} = 1; add_reference $fromref, $toref; $jump = 'j' unless have_capability 'GOTO_TARGET'; + $origin ||= $toref->{origin} if $globals{TRACK_RULES}; $ruleref = create_irule ($fromref, $jump => $to, @matches ); } else { $ruleref = create_irule( $fromref, 'j' => $to, @matches ); @@ -6233,12 +6236,14 @@ sub log_rule_limit( $$$$$$$$ ) { my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches ) = @_; my $prefix = ''; - my $chain = get_action_chain_name || $chn; - my $disposition = get_action_disposition || $dispo; + my $chain = get_action_chain_name || $chn; + my $disposition = get_action_disposition || $dispo; + my $original_matches = $matches; + my $ruleref; $level = validate_level $level; # Do this here again because this function can be called directly from user exits. - return 1 if $level eq ''; + return $dummyrule if $level eq ''; $matches .= ' ' if $matches && substr( $matches, -1, 1 ) ne ' '; 
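Review bot: The two new `$origin ||=` lines in add_ijump_internal give the source chain's origin precedence over the target's: once `$origin ||= $fromref->{origin} if $globals{TRACK_RULES};` has supplied a value, the later `$origin ||= $toref->{origin} if $globals{TRACK_RULES};` can never take effect, so a jump only inherits the target chain's origin when the caller passed none and the source chain has an empty origin (which, from the new_chain hunk and shortlineinfo1, appears to be the case only for chains created while no file was current). If that precedence is intended, a comment at the first assignment would save the next reader the analysis, e.g. `# Origin precedence: explicit argument, then the chain being added to, then the target chain`; if the target's line was meant to win, the two assignments need swapping. add_ijump_internal starts and ends outside these hunks, so whether the first assignment is reached on every path cannot be confirmed from here.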
@@ -6316,10 +6321,12 @@ sub log_rule_limit( $$$$$$$$ ) { } if ( $command eq 'add' ) { - add_rule ( $chainref, $matches . $prefix , 1 ); + $ruleref = add_rule ( $chainref, $matches . $prefix , $original_matches ); } else { - insert_rule1 ( $chainref , 0 , $matches . $prefix ); + $ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix ); } + + $ruleref; } sub log_irule_limit( $$$$$$$@ ) { @@ -6329,6 +6336,7 @@ sub log_irule_limit( $$$$$$$@ ) { my %matches; my $chain = get_action_chain_name || $chn; my $disposition = get_action_disposition || $dispo; + my $original_matches = @matches; $level = validate_level $level; # Do this here again because this function can be called directly from user exits. @@ -6410,7 +6418,7 @@ sub log_irule_limit( $$$$$$$@ ) { } if ( $command eq 'add' ) { - add_ijump_internal ( $chainref, j => $prefix , 1, '', @matches ); + add_ijump_internal ( $chainref, j => $prefix , $original_matches, '', @matches ); } else { insert_ijump ( $chainref, j => $prefix, 0 , @matches ); } diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 58463db2c..2dd938be4 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -53,6 +53,7 @@ our @EXPORT = qw( currentlineinfo shortlineinfo shortlineinfo1 + shortlineinfo2 clear_currentfilename validate_level @@ -175,6 +176,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script $comment %config + %origin %globals %config_files %shorewallrc @@ -298,6 +300,10 @@ our %globals; # our %config; # +# Linenumber in shorewall[6].conf where each option was specified +# +our %origin; +# # Entries in shorewall.conf that have been renamed # our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST_LOG_LEVEL' ); @@ -893,7 +899,10 @@ sub initialize( $;$$) { ZONE_BITS => undef, ); - + # + # Line numbers in shorewall6.conf where options are specified + # + %origin = (); # # Valid log levels # 
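Review bot: `my $original_matches = @matches;` in log_irule_limit evaluates the array in scalar context, so the variable holds the number of matches rather than the matches, unlike the string copy `my $original_matches = $matches;` that the parallel change makes in log_rule_limit. It is then passed to add_ijump_internal in the slot the old call filled with the literal `1`, so presumably only its truthiness matters; if so, `my $have_matches = @matches ? 1 : 0;` (or `scalar @matches` with a comment) would say that and remove the misleading name. Related: the smurflog caller in Misc.pm does `my $ruleref = log_irule_limit( ... )` and writes `$ruleref->{origin}`, but unlike log_rule_limit, which now ends with an explicit `$ruleref;`, no return is added in the @@ -6410 hunk; the end of log_irule_limit lies outside that hunk, so confirm it yields the rule reference on both the 'add' and the 'insert' path.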
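Review bot: The comment introducing `our %origin` says it holds the line number of each option, but the values written in process_shorewall_conf come from shortlineinfo2, which joins `$currentfilename` and `$currentlinenumber` with ':', so each entry is a `file:line` string. The comment at the `%origin = ();` reset in initialize() also names only shorewall6.conf while this one says shorewall[6].conf, and neither mentions that get_configuration empties the hash unless TRACK_RULES is on. Suggest `# Origin (file:line) in shorewall[6].conf of each option; filled by process_shorewall_conf, cleared unless TRACK_RULES` for the declaration and the same wording at the reset.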
@@ -1194,19 +1203,18 @@ sub currentlineinfo() { } } -sub shortlineinfo1( $ ) { - if ( $globals{TRACK_RULES} ) { - if ( $currentfile ) { - join( ':', $currentfilename, $currentlinenumber ); - } else { - # - # Alternate lineinfo may have been passed - # - $_[0] || '' - } +sub shortlineinfo2() { + if ( $currentfile ) { + join( ':', $currentfilename, $currentlinenumber ); + } else { + '' } } +sub shortlineinfo1( $ ) { + $globals{TRACK_RULES} ? $currentfile ? shortlineinfo2 : $_[0] || '' : ''; +} + sub shortlineinfo( $ ) { if ( $config{TRACK_RULES} ) { if ( $currentfile ) { @@ -5052,6 +5060,8 @@ sub process_shorewall_conf( $$ ) { warning_message "Option $var=$val is deprecated" if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var}; + + $origin{$var} = shortlineinfo2; } else { fatal_error "Unrecognized $product.conf entry"; } @@ -5833,10 +5843,13 @@ sub get_configuration( $$$$ ) { $config{TRACK_RULES} = ''; } else { default_yes_no 'TRACK_RULES' , ''; + $globals{TRACK_RULES} = ''; } } else { default_yes_no 'TRACK_RULES' , ''; } + + %origin = () unless $globals{TRACK_RULES}; default_yes_no 'INLINE_MATCHES' , ''; default_yes_no 'BASIC_FILTERS' , ''; diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index b9216e9f3..26c4d15df 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -655,7 +655,7 @@ sub add_common_rules ( $ ) { setup_mss; if ( $config{FASTACCEPT} ) { - add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch $faststate ) + add_ijump_extended( $filter_table->{OUTPUT} , j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate ) } my $policy = $config{SFILTER_DISPOSITION}; @@ -663,6 +663,7 @@ sub add_common_rules ( $ ) { $tag = $config{SFILTER_LOG_TAG}; my $audit = $policy =~ s/^A_//; my @ipsec = have_ipsec ? ( policy => '--pol none --dir in' ) : (); + my $origin = $origin{SFILTER_DISPOSITION}; if ( $level || $audit ) { # 
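Review bot: The rewritten shortlineinfo1 nests two ternaries in one unparenthesised expression, `$globals{TRACK_RULES} ? $currentfile ? shortlineinfo2 : $_[0] || '' : '';`, which a reader has to re-parse to see that `$_[0] || ''` belongs to the inner branch, and the old `# Alternate lineinfo may have been passed` comment that explained that branch was dropped. Guard clauses read the same logic more directly: `return '' unless $globals{TRACK_RULES}; return shortlineinfo2 if $currentfile; return $_[0] || '';   # alternate lineinfo may have been passed`. The sibling shortlineinfo, cut off at the end of this hunk, keeps the nested-if shape, so the two functions now express the same decision in different styles.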
@@ -670,18 +671,21 @@ sub add_common_rules ( $ ) { # $chainref = new_standard_chain 'sfilter'; - log_rule_limit( $level, - $chainref, - $chainref->{name}, - $policy, - $globals{LOGLIMIT}, - $tag, - 'add', - '' ) if $level ne ''; + if ( $level ne '' ) { + my $ruleref = log_rule_limit( $level, + $chainref, + $chainref->{name}, + $policy, + $globals{LOGLIMIT}, + $tag, + 'add', + '' ); + $ruleref->{origin} = $origin{SFILTER_LOG_LEVEL}; + } - add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit; + add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit; - add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy; + add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin ); $target = 'sfilter'; } else { @@ -697,11 +701,22 @@ sub add_common_rules ( $ ) { $chainref = new_standard_chain 'sfilter1'; add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' ); - log_rule $level , $chainref , $policy , '' if $level ne ''; - add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit; + if ( $level ne '' ) { + my $ruleref = log_rule_limit( $level, + $chainref, + $chainref->{name}, + $policy, + $globals{LOGLIMIT}, + $tag, + 'add', + '' ); + $ruleref->{origin} = $origin; + } - add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy; + add_ijump_extended( $chainref, j => 'AUDIT', $origin{SFILTER_DISPOSITION}, targetopts => '--type ' . lc $policy ) if $audit; + + add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin ); $target1 = 'sfilter1'; } else { 
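Review bot: In the sfilter1 block the origin attributions are swapped relative to the sfilter block directly above it: the log rule gets `$ruleref->{origin} = $origin;` (the SFILTER_DISPOSITION origin, per the `my $origin = $origin{SFILTER_DISPOSITION};` added earlier in this file) while the AUDIT jump spells out `$origin{SFILTER_DISPOSITION}`, whereas the first block assigns `$origin{SFILTER_LOG_LEVEL}` to the log rule and `$origin` to the AUDIT jump. The rplog, smurflog and logflags hunks all attribute the log rule to the matching *_LOG_LEVEL option, so this looks like a copy slip; change it to `$ruleref->{origin} = $origin{SFILTER_LOG_LEVEL};` and, for consistency, `add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;`. Separately, `log_rule $level , $chainref , $policy , ''` has been replaced by a log_rule_limit call that passes `$globals{LOGLIMIT}` and `$tag`; if log_rule did not apply those before, the generated sfilter1 log rule changes, which is worth stating. add_common_rules starts and ends outside this hunk.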
@@ -743,8 +758,8 @@ sub add_common_rules ( $ ) { } for ( option_chains( $interface ) ) { - add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref; - add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT}; + add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref; + add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT}; } } } @@ -765,6 +780,8 @@ sub add_common_rules ( $ ) { $level = $config{RPFILTER_LOG_LEVEL}; $tag = $globals{RPFILTER_LOG_TAG}; $audit = $policy =~ s/^A_//; + my $origin + = $origin{RPFILTER_DISPOSITION}; if ( $level || $audit ) { # @@ -772,18 +789,21 @@ sub add_common_rules ( $ ) { # $chainref = ensure_mangle_chain 'rplog'; - log_rule_limit( $level, - $chainref, - $chainref->{name}, - $policy, - $globals{LOGLIMIT}, - $tag, - 'add', - '' ) if $level ne ''; + if ( $level ne '' ) { + my $ruleref = log_rule_limit( $level, + $chainref, + $chainref->{name}, + $policy, + $globals{LOGLIMIT}, + $tag, + 'add', + '' ); + $ruleref->{origin} = $origin{RPFILTER_LOG_LEVEL}; + } - add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit; + add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit; - add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy; + add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin ); $target = 'rplog'; } else { @@ -808,11 +828,12 @@ sub add_common_rules ( $ ) { } } - add_ijump( $rpfilterref, - j => $target, - rpfilter => '--validmark --invert', - state_imatch 'NEW,RELATED,INVALID', - @ipsec + add_ijump_extended( $rpfilterref, + j => $target, + $origin, + rpfilter => '--validmark --invert', + state_imatch 'NEW,RELATED,INVALID', + @ipsec ); } 
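Review bot: The new declaration in the rpfilter section is split across two added lines, `my $origin` followed by `= $origin{RPFILTER_DISPOSITION};`, unlike every other `my $origin = $origin{...};` this commit adds to add_common_rules. Join it as `my $origin = $origin{RPFILTER_DISPOSITION};` so the assignment is not mistaken for a bare declaration when skimming, and so the four sections read alike. add_common_rules starts and ends outside this hunk.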
@@ -832,19 +853,24 @@ sub add_common_rules ( $ ) { $chainref = new_standard_chain 'smurfs'; my $smurfdest = $config{SMURF_DISPOSITION}; + my $origin = $origin{SMURF_DISPOSITION}; if ( supplied $config{SMURF_LOG_LEVEL} ) { my $smurfref = new_chain( 'filter', 'smurflog' ); - log_irule_limit( $config{SMURF_LOG_LEVEL}, - $smurfref, - 'smurfs' , - 'DROP', - $globals{LOGILIMIT}, - $globals{SMURF_LOG_TAG}, - 'add' ); - add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP'; - add_ijump( $smurfref, j => 'DROP' ); + my $ruleref = log_irule_limit( $config{SMURF_LOG_LEVEL}, + $smurfref, + 'smurfs' , + 'DROP', + $globals{LOGILIMIT}, + $globals{SMURF_LOG_TAG}, + 'add' ); + + $ruleref->{origin} = $origin{SMURF_LOG_LEVEL}; + + add_ijump_extended( $smurfref, j => 'AUDIT', $origin, targetopts => '--type drop' ) if $smurfdest eq 'A_DROP'; + + add_ijump_extended( $smurfref, j => 'DROP' , $origin ); $smurfdest = 'smurflog'; } else { @@ -858,7 +884,7 @@ sub add_common_rules ( $ ) { add_ijump $chainref , j => 'RETURN', s => '::'; } - add_ijump( $chainref, g => $smurfdest, addrtype => '--src-type BROADCAST' ) ; + add_ijump_extended( $chainref, g => $smurfdest, $origin, addrtype => '--src-type BROADCAST' ) ; } else { if ( $family == F_IPV4 ) { add_commands $chainref, 'for address in $ALL_BCASTS; do'; 
@@ -867,15 +893,15 @@ sub add_common_rules ( $ ) { } incr_cmd_level $chainref; - add_ijump( $chainref, g => $smurfdest, s => '$address' ); + add_ijump_extended( $chainref, g => $smurfdest, $origin, s => '$address' ); decr_cmd_level $chainref; add_commands $chainref, 'done'; } if ( $family == F_IPV4 ) { - add_ijump( $chainref, g => $smurfdest, s => '224.0.0.0/4' ); + add_ijump_extended( $chainref, g => $smurfdest, $origin, s => '224.0.0.0/4' ); } else { - add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST ); + add_ijump_extended( $chainref, g => $smurfdest, $origin, s => IPv6_MULTICAST ); } my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID'; @@ -974,6 +1000,7 @@ sub add_common_rules ( $ ) { my $tag = $globals{TCP_FLAGS_LOG_TAG}; my $disposition = $config{TCP_FLAGS_DISPOSITION}; my $audit = $disposition =~ /^A_/; + my $origin = $origin{TCP_FLAGS_DISPOSITION}; progress_message2 "$doing TCP Flags filtering..."; 
@@ -986,27 +1013,28 @@ sub add_common_rules ( $ ) { $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options "; - log_rule_limit( $level, - $logflagsref, - 'logflags', - $disposition, - $globals{LOGLIMIT}, - $tag, - 'add', - '' - ); + my $ruleref = log_rule_limit( $level, + $logflagsref, + 'logflags', + $disposition, + $globals{LOGLIMIT}, + $tag, + 'add', + '' ); + + $ruleref->{origin} = $origin{TCP_FLAGS_LOG_LEVEL}; $globals{LOGPARMS} = $savelogparms; if ( $audit ) { $disposition =~ s/^A_//; - add_ijump( $logflagsref, j => 'AUDIT', targetopts => '--type ' . lc $disposition ); + add_ijump_extended( $logflagsref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $disposition ); } if ( $disposition eq 'REJECT' ) { - add_ijump $logflagsref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6; + add_ijump_extended $logflagsref , j => 'REJECT', $origin, targetopts => '--reject-with tcp-reset', p => 6; } else { - add_ijump $logflagsref , j => $disposition; + add_ijump_extended $logflagsref , j => $disposition, $origin; } $disposition = 'logflags'; @@ -2246,17 +2274,19 @@ sub generate_matrix() { nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] , filter=> [ qw/INPUT FORWARD OUTPUT/ ] ); + my $origin = $origin{LOGALLNEW}; + for my $table ( qw/mangle nat filter/ ) { for my $chain ( @{$builtins{$table}} ) { - log_rule_limit - $config{LOGALLNEW} , - $chain_table{$table}{$chain} , - $table , - $chain , - '' , - '' , - 'insert' , - state_match('NEW'); + my $ruleref = log_rule_limit( $config{LOGALLNEW} , + $chain_table{$table}{$chain} , + $table , + $chain , + '' , + '' , + 'insert' , + state_match('NEW') ); + $ruleref->{origin} = $origin; } } }
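Review bot: The two disposition jumps in the logflags section are written without parentheses, `add_ijump_extended $logflagsref , j => 'REJECT', $origin, targetopts => '--reject-with tcp-reset', p => 6;`, while every other add_ijump_extended call this commit adds is parenthesised; a paren-less call of a user sub relies on the sub being imported before this line is compiled, and with the new `$origin` argument in the middle of the list the argument boundary is easy to misread. Suggest `add_ijump_extended( $logflagsref, j => 'REJECT', $origin, targetopts => '--reject-with tcp-reset', p => 6 );` and `add_ijump_extended( $logflagsref, j => $disposition, $origin );` for the else branch. add_common_rules starts and ends outside this hunk.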