Add origin information for entries in shorewall[6].conf

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-01-25 15:49:18 -08:00
parent 9b3b4579a2
commit 6ef136a546
3 changed files with 133 additions and 82 deletions


@ -2302,6 +2302,7 @@ sub new_chain($$)
references => {}, references => {},
filtered => 0, filtered => 0,
optflags => 0, optflags => 0,
origin => shortlineinfo1( '' ) || shortlineinfo( '' ),
}; };
trace( $chainref, 'N', undef, '' ) if $debug; trace( $chainref, 'N', undef, '' ) if $debug;
@ -2412,6 +2413,7 @@ sub add_ijump_internal( $$$$$;@ ) {
my ( $target ) = split ' ', $to; my ( $target ) = split ' ', $to;
$toref = $chain_table{$fromref->{table}}{$target}; $toref = $chain_table{$fromref->{table}}{$target};
fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target}; fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target};
$origin ||= $fromref->{origin} if $globals{TRACK_RULES};
} }
# #
@ -2421,6 +2423,7 @@ sub add_ijump_internal( $$$$$;@ ) {
$toref->{referenced} = 1; $toref->{referenced} = 1;
add_reference $fromref, $toref; add_reference $fromref, $toref;
$jump = 'j' unless have_capability 'GOTO_TARGET'; $jump = 'j' unless have_capability 'GOTO_TARGET';
$origin ||= $toref->{origin} if $globals{TRACK_RULES};
$ruleref = create_irule ($fromref, $jump => $to, @matches ); $ruleref = create_irule ($fromref, $jump => $to, @matches );
} else { } else {
$ruleref = create_irule( $fromref, 'j' => $to, @matches ); $ruleref = create_irule( $fromref, 'j' => $to, @matches );
@ -6235,10 +6238,12 @@ sub log_rule_limit( $$$$$$$$ ) {
my $prefix = ''; my $prefix = '';
my $chain = get_action_chain_name || $chn; my $chain = get_action_chain_name || $chn;
my $disposition = get_action_disposition || $dispo; my $disposition = get_action_disposition || $dispo;
my $original_matches = $matches;
my $ruleref;
$level = validate_level $level; # Do this here again because this function can be called directly from user exits. $level = validate_level $level; # Do this here again because this function can be called directly from user exits.
return 1 if $level eq ''; return $dummyrule if $level eq '';
$matches .= ' ' if $matches && substr( $matches, -1, 1 ) ne ' '; $matches .= ' ' if $matches && substr( $matches, -1, 1 ) ne ' ';
@ -6316,10 +6321,12 @@ sub log_rule_limit( $$$$$$$$ ) {
} }
if ( $command eq 'add' ) { if ( $command eq 'add' ) {
add_rule ( $chainref, $matches . $prefix , 1 ); $ruleref = add_rule ( $chainref, $matches . $prefix , $original_matches );
} else { } else {
insert_rule1 ( $chainref , 0 , $matches . $prefix ); $ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix );
} }
$ruleref;
} }
sub log_irule_limit( $$$$$$$@ ) { sub log_irule_limit( $$$$$$$@ ) {
@ -6329,6 +6336,7 @@ sub log_irule_limit( $$$$$$$@ ) {
my %matches; my %matches;
my $chain = get_action_chain_name || $chn; my $chain = get_action_chain_name || $chn;
my $disposition = get_action_disposition || $dispo; my $disposition = get_action_disposition || $dispo;
my $original_matches = @matches;
$level = validate_level $level; # Do this here again because this function can be called directly from user exits. $level = validate_level $level; # Do this here again because this function can be called directly from user exits.
@ -6410,7 +6418,7 @@ sub log_irule_limit( $$$$$$$@ ) {
} }
if ( $command eq 'add' ) { if ( $command eq 'add' ) {
add_ijump_internal ( $chainref, j => $prefix , 1, '', @matches ); add_ijump_internal ( $chainref, j => $prefix , $original_matches, '', @matches );
} else { } else {
insert_ijump ( $chainref, j => $prefix, 0 , @matches ); insert_ijump ( $chainref, j => $prefix, 0 , @matches );
} }
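Review bot: `my $original_matches = @matches;` in the log_irule_limit hunk assigns an array in scalar context, so the variable holds the number of matches rather than the matches themselves, and that count is then passed as the fourth positional argument of add_ijump_internal where the old code passed a constant `1`; the log_rule_limit hunk makes the same substitution with the string `$original_matches` in the add_rule call. If the intent is that the flag only holds when there was something to expand, the name should say so — `my $have_matches = scalar @matches;` — and the behavioural change (the flag is now false for a match-less log rule) belongs in the commit message; if the matches themselves were meant to be passed through, the scalar assignment is a bug. In add_ijump_internal, `$origin ||= $fromref->{origin}` appears before `$origin ||= $toref->{origin}`, so if both lines execute on the same path the target chain's origin only applies when the from-chain has none — swap them if the target's origin is meant to win. Both enclosing subs start and end outside their hunks.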


@ -53,6 +53,7 @@ our @EXPORT = qw(
currentlineinfo currentlineinfo
shortlineinfo shortlineinfo
shortlineinfo1 shortlineinfo1
shortlineinfo2
clear_currentfilename clear_currentfilename
validate_level validate_level
@ -175,6 +176,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
$comment $comment
%config %config
%origin
%globals %globals
%config_files %config_files
%shorewallrc %shorewallrc
@ -298,6 +300,10 @@ our %globals;
# #
our %config; our %config;
# #
# Linenumber in shorewall[6].conf where each option was specified
#
our %origin;
#
# Entries in shorewall.conf that have been renamed # Entries in shorewall.conf that have been renamed
# #
our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST_LOG_LEVEL' ); our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST_LOG_LEVEL' );
@ -893,7 +899,10 @@ sub initialize( $;$$) {
ZONE_BITS => undef, ZONE_BITS => undef,
); );
#
# Line numbers in shorewall6.conf where options are specified
#
%origin = ();
# #
# Valid log levels # Valid log levels
# #
@ -1194,19 +1203,18 @@ sub currentlineinfo() {
} }
} }
sub shortlineinfo1( $ ) { sub shortlineinfo2() {
if ( $globals{TRACK_RULES} ) {
if ( $currentfile ) { if ( $currentfile ) {
join( ':', $currentfilename, $currentlinenumber ); join( ':', $currentfilename, $currentlinenumber );
} else { } else {
# ''
# Alternate lineinfo may have been passed
#
$_[0] || ''
}
} }
} }
sub shortlineinfo1( $ ) {
$globals{TRACK_RULES} ? $currentfile ? shortlineinfo2 : $_[0] || '' : '';
}
sub shortlineinfo( $ ) { sub shortlineinfo( $ ) {
if ( $config{TRACK_RULES} ) { if ( $config{TRACK_RULES} ) {
if ( $currentfile ) { if ( $currentfile ) {
@ -5052,6 +5060,8 @@ sub process_shorewall_conf( $$ ) {
warning_message "Option $var=$val is deprecated" warning_message "Option $var=$val is deprecated"
if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var}; if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var};
$origin{$var} = shortlineinfo2;
} else { } else {
fatal_error "Unrecognized $product.conf entry"; fatal_error "Unrecognized $product.conf entry";
} }
@ -5833,11 +5843,14 @@ sub get_configuration( $$$$ ) {
$config{TRACK_RULES} = ''; $config{TRACK_RULES} = '';
} else { } else {
default_yes_no 'TRACK_RULES' , ''; default_yes_no 'TRACK_RULES' , '';
$globals{TRACK_RULES} = '';
} }
} else { } else {
default_yes_no 'TRACK_RULES' , ''; default_yes_no 'TRACK_RULES' , '';
} }
%origin = () unless $globals{TRACK_RULES};
default_yes_no 'INLINE_MATCHES' , ''; default_yes_no 'INLINE_MATCHES' , '';
default_yes_no 'BASIC_FILTERS' , ''; default_yes_no 'BASIC_FILTERS' , '';
default_yes_no 'WORKAROUNDS' , 'Yes'; default_yes_no 'WORKAROUNDS' , 'Yes';
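Review bot: The new `shortlineinfo1` body is a nested inline ternary, `$globals{TRACK_RULES} ? $currentfile ? shortlineinfo2 : $_[0] || '' : ''`, which is hard to read and easy to mis-bracket; guard clauses express the same thing: `return '' unless $globals{TRACK_RULES};` followed by `return $currentfile ? shortlineinfo2() : ( $_[0] || '' );`. The bareword call `shortlineinfo2` (here and in process_shorewall_conf) relies on the sub being compiled earlier in the file; writing `shortlineinfo2()` makes the call independent of ordering. The two new comments describe `%origin` differently — `shorewall[6].conf` at the declaration and `shorewall6.conf` in initialize — and the declaration's wording is the accurate one. `shortlineinfo2` is added to `@EXPORT` although the only call sites in this commit are inside Config.pm; if nothing outside needs it, `@EXPORT_OK` (or no export) keeps the public surface smaller.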


@ -655,7 +655,7 @@ sub add_common_rules ( $ ) {
setup_mss; setup_mss;
if ( $config{FASTACCEPT} ) { if ( $config{FASTACCEPT} ) {
add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch $faststate ) add_ijump_extended( $filter_table->{OUTPUT} , j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )
} }
my $policy = $config{SFILTER_DISPOSITION}; my $policy = $config{SFILTER_DISPOSITION};
@ -663,6 +663,7 @@ sub add_common_rules ( $ ) {
$tag = $config{SFILTER_LOG_TAG}; $tag = $config{SFILTER_LOG_TAG};
my $audit = $policy =~ s/^A_//; my $audit = $policy =~ s/^A_//;
my @ipsec = have_ipsec ? ( policy => '--pol none --dir in' ) : (); my @ipsec = have_ipsec ? ( policy => '--pol none --dir in' ) : ();
my $origin = $origin{SFILTER_DISPOSITION};
if ( $level || $audit ) { if ( $level || $audit ) {
# #
@ -670,18 +671,21 @@ sub add_common_rules ( $ ) {
# #
$chainref = new_standard_chain 'sfilter'; $chainref = new_standard_chain 'sfilter';
log_rule_limit( $level, if ( $level ne '' ) {
my $ruleref = log_rule_limit( $level,
$chainref, $chainref,
$chainref->{name}, $chainref->{name},
$policy, $policy,
$globals{LOGLIMIT}, $globals{LOGLIMIT},
$tag, $tag,
'add', 'add',
'' ) if $level ne ''; '' );
$ruleref->{origin} = $origin{SFILTER_LOG_LEVEL};
}
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit; add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy; add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin );
$target = 'sfilter'; $target = 'sfilter';
} else { } else {
@ -697,11 +701,22 @@ sub add_common_rules ( $ ) {
$chainref = new_standard_chain 'sfilter1'; $chainref = new_standard_chain 'sfilter1';
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' ); add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
log_rule $level , $chainref , $policy , '' if $level ne '';
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit; if ( $level ne '' ) {
my $ruleref = log_rule_limit( $level,
$chainref,
$chainref->{name},
$policy,
$globals{LOGLIMIT},
$tag,
'add',
'' );
$ruleref->{origin} = $origin;
}
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy; add_ijump_extended( $chainref, j => 'AUDIT', $origin{SFILTER_DISPOSITION}, targetopts => '--type ' . lc $policy ) if $audit;
add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin );
$target1 = 'sfilter1'; $target1 = 'sfilter1';
} else { } else {
@ -743,8 +758,8 @@ sub add_common_rules ( $ ) {
} }
for ( option_chains( $interface ) ) { for ( option_chains( $interface ) ) {
add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref; add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT}; add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
} }
} }
} }
@ -765,6 +780,8 @@ sub add_common_rules ( $ ) {
$level = $config{RPFILTER_LOG_LEVEL}; $level = $config{RPFILTER_LOG_LEVEL};
$tag = $globals{RPFILTER_LOG_TAG}; $tag = $globals{RPFILTER_LOG_TAG};
$audit = $policy =~ s/^A_//; $audit = $policy =~ s/^A_//;
my $origin
= $origin{RPFILTER_DISPOSITION};
if ( $level || $audit ) { if ( $level || $audit ) {
# #
@ -772,18 +789,21 @@ sub add_common_rules ( $ ) {
# #
$chainref = ensure_mangle_chain 'rplog'; $chainref = ensure_mangle_chain 'rplog';
log_rule_limit( $level, if ( $level ne '' ) {
my $ruleref = log_rule_limit( $level,
$chainref, $chainref,
$chainref->{name}, $chainref->{name},
$policy, $policy,
$globals{LOGLIMIT}, $globals{LOGLIMIT},
$tag, $tag,
'add', 'add',
'' ) if $level ne ''; '' );
$ruleref->{origin} = $origin{RPFILTER_LOG_LEVEL};
}
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit; add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy; add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin );
$target = 'rplog'; $target = 'rplog';
} else { } else {
@ -808,8 +828,9 @@ sub add_common_rules ( $ ) {
} }
} }
add_ijump( $rpfilterref, add_ijump_extended( $rpfilterref,
j => $target, j => $target,
$origin,
rpfilter => '--validmark --invert', rpfilter => '--validmark --invert',
state_imatch 'NEW,RELATED,INVALID', state_imatch 'NEW,RELATED,INVALID',
@ipsec @ipsec
@ -832,19 +853,24 @@ sub add_common_rules ( $ ) {
$chainref = new_standard_chain 'smurfs'; $chainref = new_standard_chain 'smurfs';
my $smurfdest = $config{SMURF_DISPOSITION}; my $smurfdest = $config{SMURF_DISPOSITION};
my $origin = $origin{SMURF_DISPOSITION};
if ( supplied $config{SMURF_LOG_LEVEL} ) { if ( supplied $config{SMURF_LOG_LEVEL} ) {
my $smurfref = new_chain( 'filter', 'smurflog' ); my $smurfref = new_chain( 'filter', 'smurflog' );
log_irule_limit( $config{SMURF_LOG_LEVEL}, my $ruleref = log_irule_limit( $config{SMURF_LOG_LEVEL},
$smurfref, $smurfref,
'smurfs' , 'smurfs' ,
'DROP', 'DROP',
$globals{LOGILIMIT}, $globals{LOGILIMIT},
$globals{SMURF_LOG_TAG}, $globals{SMURF_LOG_TAG},
'add' ); 'add' );
add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
add_ijump( $smurfref, j => 'DROP' ); $ruleref->{origin} = $origin{SMURF_LOG_LEVEL};
add_ijump_extended( $smurfref, j => 'AUDIT', $origin, targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
add_ijump_extended( $smurfref, j => 'DROP' , $origin );
$smurfdest = 'smurflog'; $smurfdest = 'smurflog';
} else { } else {
@ -858,7 +884,7 @@ sub add_common_rules ( $ ) {
add_ijump $chainref , j => 'RETURN', s => '::'; add_ijump $chainref , j => 'RETURN', s => '::';
} }
add_ijump( $chainref, g => $smurfdest, addrtype => '--src-type BROADCAST' ) ; add_ijump_extended( $chainref, g => $smurfdest, $origin, addrtype => '--src-type BROADCAST' ) ;
} else { } else {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_commands $chainref, 'for address in $ALL_BCASTS; do'; add_commands $chainref, 'for address in $ALL_BCASTS; do';
@ -867,15 +893,15 @@ sub add_common_rules ( $ ) {
} }
incr_cmd_level $chainref; incr_cmd_level $chainref;
add_ijump( $chainref, g => $smurfdest, s => '$address' ); add_ijump_extended( $chainref, g => $smurfdest, $origin, s => '$address' );
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
} }
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_ijump( $chainref, g => $smurfdest, s => '224.0.0.0/4' ); add_ijump_extended( $chainref, g => $smurfdest, $origin, s => '224.0.0.0/4' );
} else { } else {
add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST ); add_ijump_extended( $chainref, g => $smurfdest, $origin, s => IPv6_MULTICAST );
} }
my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID'; my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';
@ -974,6 +1000,7 @@ sub add_common_rules ( $ ) {
my $tag = $globals{TCP_FLAGS_LOG_TAG}; my $tag = $globals{TCP_FLAGS_LOG_TAG};
my $disposition = $config{TCP_FLAGS_DISPOSITION}; my $disposition = $config{TCP_FLAGS_DISPOSITION};
my $audit = $disposition =~ /^A_/; my $audit = $disposition =~ /^A_/;
my $origin = $origin{TCP_FLAGS_DISPOSITION};
progress_message2 "$doing TCP Flags filtering..."; progress_message2 "$doing TCP Flags filtering...";
@ -986,27 +1013,28 @@ sub add_common_rules ( $ ) {
$globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options "; $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";
log_rule_limit( $level, my $ruleref = log_rule_limit( $level,
$logflagsref, $logflagsref,
'logflags', 'logflags',
$disposition, $disposition,
$globals{LOGLIMIT}, $globals{LOGLIMIT},
$tag, $tag,
'add', 'add',
'' '' );
);
$ruleref->{origin} = $origin{TCP_FLAGS_LOG_LEVEL};
$globals{LOGPARMS} = $savelogparms; $globals{LOGPARMS} = $savelogparms;
if ( $audit ) { if ( $audit ) {
$disposition =~ s/^A_//; $disposition =~ s/^A_//;
add_ijump( $logflagsref, j => 'AUDIT', targetopts => '--type ' . lc $disposition ); add_ijump_extended( $logflagsref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $disposition );
} }
if ( $disposition eq 'REJECT' ) { if ( $disposition eq 'REJECT' ) {
add_ijump $logflagsref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6; add_ijump_extended $logflagsref , j => 'REJECT', $origin, targetopts => '--reject-with tcp-reset', p => 6;
} else { } else {
add_ijump $logflagsref , j => $disposition; add_ijump_extended $logflagsref , j => $disposition, $origin;
} }
$disposition = 'logflags'; $disposition = 'logflags';
@ -2246,17 +2274,19 @@ sub generate_matrix() {
nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] , nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
filter=> [ qw/INPUT FORWARD OUTPUT/ ] ); filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
my $origin = $origin{LOGALLNEW};
for my $table ( qw/mangle nat filter/ ) { for my $table ( qw/mangle nat filter/ ) {
for my $chain ( @{$builtins{$table}} ) { for my $chain ( @{$builtins{$table}} ) {
log_rule_limit my $ruleref = log_rule_limit( $config{LOGALLNEW} ,
$config{LOGALLNEW} ,
$chain_table{$table}{$chain} , $chain_table{$table}{$chain} ,
$table , $table ,
$chain , $chain ,
'' , '' ,
'' , '' ,
'insert' , 'insert' ,
state_match('NEW'); state_match('NEW') );
$ruleref->{origin} = $origin;
} }
} }
} }
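Review bot: In the sfilter1 block the log rule's origin is set to `$origin` (which holds `$origin{SFILTER_DISPOSITION}`), while the parallel sfilter, rplog, smurflog and logflags blocks attribute their log rule to the corresponding *_LOG_LEVEL option (`$origin{SFILTER_LOG_LEVEL}`, `$origin{RPFILTER_LOG_LEVEL}`, …); unless sfilter1 is deliberately different, that line should read `$ruleref->{origin} = $origin{SFILTER_LOG_LEVEL};`. The same block also mixes `$origin{SFILTER_DISPOSITION}` and `$origin` between the AUDIT jump and the final jump; using the local throughout, as the sfilter block does, keeps the two blocks parallel. Replacing `log_rule` with `log_rule_limit( …, $globals{LOGLIMIT}, $tag, … )` in sfilter1 presumably changes the limit and tag applied to that rule beyond adding origin, which is worth a sentence in the commit message if log_rule did not already supply them. The declaration `my $origin` / `= $origin{RPFILTER_DISPOSITION};` in the rpfilter block is split across two lines for no visible reason. add_common_rules and generate_matrix both start and end outside their hunks.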