From 70a9240de6e02c13dad54f1d45441944d0427464 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 4 Jan 2016 13:10:03 -0800
Subject: [PATCH] Make IP[6]TABLES transparent

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Accounting.pm | 7 +++++--
 Shorewall/Perl/Shorewall/Chains.pm | 7 ++++---
 Shorewall/Perl/Shorewall/Misc.pm | 3 ++-
 Shorewall/Perl/Shorewall/Nat.pm | 8 ++++++--
 Shorewall/Perl/Shorewall/Raw.pm | 7 ++++++-
 Shorewall/Perl/Shorewall/Rules.pm | 23 ++++++++++++++---------
 Shorewall/Perl/Shorewall/Tc.pm | 14 ++++++++++----
 7 files changed, 47 insertions(+), 22 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm
index da461daa7..12f5cdee3 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -291,7 +291,8 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 '' ,
 $target ,
 '' ,
- $disposition ,
+ $disposition ,
+ '' ,
 '' );
 }
 }
@@ -386,6 +387,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 $target ,
 '' ,
 $disposition ,
+ '' ,
 '' ;
 
 if ( $rule2 || $jump ) {
@@ -414,7 +416,8 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 '' ,
 '' ,
 '' ,
- '' ,
+ '' ,
+ '' ,
 '' );
 }
 
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index c3d9d0f15..2c789c5bf 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -7428,7 +7428,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule( $$$$$$$$$$$;$ )
+sub expand_rule( $$$$$$$$$$$$;$ )
 {
 my ($chainref , # Chain
 $restriction, # Determines what to do with interface names in the SOURCE or DEST
@@ -7441,6 +7441,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 $loglevel , # Log level (and tag)
 $disposition, # Primtive part of the target (RETURN, ACCEPT, ...)
 $exceptionrule,# Caller's matches used in exclusion case
+ $usergenerated,# Rule came from the IP[6]TABLES target
 $logname, # Name of chain to name in log messages
 ) = @_;
 
@@ -7605,9 +7606,9 @@ sub expand_rule( $$$$$$$$$$$;$ )
 
 my $cond3 = conditional_rule( $chainref, $dnet );
 
- if ( $loglevel eq '' ) {
+ if ( $loglevel eq '' || $usergenerated ) {
 #
- # No logging -- add the target rule with matches to the rule chain
+ # No logging or user-specified logging -- add the target rule with matches to the rule chain
 #
 if ( $targetref ) {
 add_expanded_jump( $chainref, $targetref , 0, $matches );
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index e21f776fb..9d3fb58ed 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -614,7 +614,8 @@ sub process_stoppedrules() {
 $target,
 '',
 $disposition,
- do_proto( $proto, '-', '-' ) );
+ do_proto( $proto, '-', '-' ),
+ '');
 }
 } else {
 warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 8cf61ce32..172f58e2f 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -345,7 +345,8 @@ sub process_one_masq1( $$$$$$$$$$$ )
 $target ,
 '' ,
 '' ,
- $exceptionrule )
+ $exceptionrule ,
+ '' )
 unless unreachable_warning( 0, $chainref );
 
 conditional_rule_end( $chainref ) if $detectaddress || $conditional;
@@ -795,7 +796,8 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 $target ,
 $loglevel ,
 $log_action ,
- $serverport ? do_proto( $proto, '', '' ) : '',
+ $serverport ? do_proto( $proto, '', '' ) : '' ,
+ '' ,
 )
 unless unreachable_warning( $wildcard, $chainref );
 
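Review bot: The new `|| $usergenerated` in expand_rule's `if ( $loglevel eq '' || $usergenerated ) {` does not change which branch is taken for any caller in this commit: Rules.pm (-2909) and Raw.pm (-204) pass `$usergenerated && ! $loglevel` / `$usergenerated && ! $level`, so the flag is true only when the level is already empty, and Tc.pm (-850) passes the flag together with a literal `''` level. The only inputs on which the two tests differ are a level that is false but not `''` (undef or "0"), and the Chains.pm diffstat (+4/-3) is fully accounted for by the three hunks shown, so there is no other use of the parameter in this commit. If the intent is that an IP[6]TABLES rule never gets a Shorewall-generated LOG rule even when a LOGLEVEL is supplied (as the new comment `No logging or user-specified logging` reads), the call sites should pass the bare flag; if LOGLEVEL is meant to win, the parameter is currently redundant and the inline comment `$usergenerated,# Rule came from the IP[6]TABLES target` should say that it is only honoured when the level is empty. expand_rule's body continues outside these hunks.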
@@ -867,6 +869,7 @@ sub handle_nonat_rule( $$$$$$$$$$$ ) {
 $loglevel,
 $log_action,
 '',
+ '',
 dnat_chain( $sourcezone ) )
 unless unreachable_warning( $wildcard, $chn );
 
@@ -888,6 +891,7 @@ sub handle_nonat_rule( $$$$$$$$$$$ ) {
 $loglevel ,
 $log_action ,
 '',
+ '',
 )
 unless unreachable_warning( $wildcard, $nonat_chain );
 }
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index 43ea02d7f..085a28d43 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -98,6 +98,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 $action = join( ":" , 'LOG', $action );
 }
 
+ my $usergenerated;
+
 if ( $action eq 'NOTRACK' ) {
 #
 # A patch that deimplements the NOTRACK target has been posted on the
@@ -204,7 +206,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 $action ,
 $level || '' ,
 $disposition ,
- $exception_rule );
+ $exception_rule ,
+ $usergenerated && ! $level );
 
 progress_message " Conntrack rule \"$currentline\" $done";
 }
@@ -247,6 +250,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 $action_target ,
 '',
 'CT' ,
+ '' ,
 '' );
 } else {
 expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
@@ -261,6 +265,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 $action_target ,
 '' ,
 'CT' ,
+ '' ,
 '' );
 }
 }
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 5a69b33a3..735717607 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2264,6 +2264,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 my $matches = $rule;
 my $raw_matches = '';
 my $exceptionrule = '';
+ my $usergenerated;
 
 if ( $inchain = defined $chainref ) {
 ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
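Review bot: `my $usergenerated;` added at -98 in process_conntrack_rule is never assigned, so `$usergenerated && ! $level` at -206 always evaluates to undef and a conntrack rule using the IP[6]TABLES action is never handed to expand_rule as user-generated; the Raw.pm diffstat (+6/-1) is covered by the four hunks shown and the variable is newly declared here, so no assignment can exist elsewhere in the file under strict. Tc.pm sets `$usergenerated = 1;` from its two target handlers at -524 and -539, and the equivalent assignment is needed where process_conntrack_rule recognises that action (outside this hunk) — or the declaration and the new argument should be dropped rather than left as dead plumbing. In either case a short comment at the declaration, e.g. `# True when the ACTION is IP[6]TABLES; passed to expand_rule to skip the generated LOG rule`, would make the intended lifecycle visible. process_conntrack_rule starts and ends outside these hunks.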
@@ -2287,6 +2288,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 fatal_error "Unknown ACTION ($action)" unless $actiontype;
 
+ $usergenerated = $actiontype & IPTABLES;
+
 if ( $actiontype == MACRO ) {
 #
 # process_macro() will call process_rule() recursively for each rule in the macro body
@@ -2333,15 +2336,16 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 $param = $param eq '' ? 'drop' : $param;
 fatal_error "Invalid AUDIT type ($param) -- must be 'accept', 'drop' or 'reject'" unless $param =~ /^(?:accept|drop|reject)$/;
 $actiontype = STANDARD;
- } elsif ( $actiontype & NFLOG ) {
- validate_level( $action );
- $loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
- $action = 'LOG';
- } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
- fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
- fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
+ } elsif ( ! $usergenerated ) {
+ if ( $actiontype & NFLOG ) {
+ validate_level( $action );
+ $loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
+ $action = 'LOG';
+ } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
+ fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
+ fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
+ }
 }
-
 #
 # We can now dispense with the postfix character
 #
@@ -2909,7 +2913,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 $action ,
 $loglevel ,
 $log_action ,
- $exceptionrule )
+ $exceptionrule ,
+ $usergenerated && ! $loglevel )
 unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
 }
 
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 365e6e454..de76d36db 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
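Review bot: In the restructured chain at -2336, `IPTABLES` in the inner mask `} elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {` can no longer match: the branch is reached only when `! $usergenerated`, and `$usergenerated = $actiontype & IPTABLES;` was assigned at -2288, so the bit is known to be clear (unless `$actiontype` is reassigned between the two hunks, which the shown lines do not do). Dropping it, `} elsif ( ! ( $actiontype & (ACTION | INLINE | TARPIT ) ) ) {`, keeps the mask honest about what the guard already excludes. A one-line comment above the new `elsif`, e.g. `# IP[6]TABLES actions skip NFLOG handling and the built-in target/parameter checks`, would also record why these checks are bypassed, since nothing in the hunk says so. process_rule begins and ends outside these hunks.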
@@ -227,6 +227,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 our $designator;
 our $ttl = 0;
 my $fw = firewall_zone;
+ my $usergenerated;
 
 sub handle_mark_param( $$ ) {
 my ( $option, $marktype ) = @_;
@@ -290,7 +291,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 "$target $option " . join( '/', in_hex( $markval ) , $mask ) ,
 '',
 $target ,
- $exceptionrule );
+ $exceptionrule ,
+ '' );
 }
 
 $done = 1;
@@ -524,7 +526,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 my $target_type = $builtin_target{$tgt};
 fatal_error "Unknown target ($tgt)" unless $target_type;
 fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
- $target = $params;
+ $target = $params;
+ $usergenerated = 1;
 },
 },
 
@@ -539,7 +542,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 my $target_type = $builtin_target{$tgt};
 fatal_error "Unknown target ($tgt)" unless $target_type;
 fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
- $target = $params;
+ $target = $params;
+ $usergenerated = 1;
 },
 },
 
@@ -850,7 +854,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 $target,
 '' ,
 $target ,
- $exceptionrule ) )
+ $exceptionrule ,
+ $usergenerated ) )
 && $device ) {
 #
 # expand_rule() returns destination device if any
@@ -3118,6 +3123,7 @@ sub process_secmark_rule1( $$$$$$$$$ ) {
 $target ,
 '' ,
 $disposition,
+ '' ,
 '' );
 
 progress_message "Secmarks rule \"$currentline\" $done";
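Review bot: `$usergenerated = 1;` at -526 and -542 is assigned from inside the handler subs of the target dispatch table, but the variable is a `my` lexical declared at -227 in process_mangle_rule1, directly under `our $designator;` and `our $ttl = 0;` — globals the file appears to use precisely because a named nested sub such as `sub handle_mark_param( $$ )` cannot share a fresh per-call lexical. If the handlers are anonymous subs rebuilt on every call of process_mangle_rule1 the `my` is correct; if the table is built once or the handlers are named, every call after the first writes to a stale copy and the flag passed to expand_rule at -854 can reflect an earlier rule. Please confirm where the table is constructed; if it persists, the minimal fix is `our $usergenerated = 0;` at -227 so the flag is reset per rule the way `$ttl` is. The hunks do not show the table or the function's boundaries.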