Allow auditing of the builtin actions

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-05-21 10:38:25 -07:00
parent 82d6a00c9e
commit 71ef1f48e2


@ -1136,16 +1136,43 @@ sub map_old_actions( $ ) {
} }
} }
sub require_audit($$) {
my ($action, $audit ) = @_;
return $action unless defined $audit and $audit ne '';
fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
my $target = 'A_' . $action;
require_capability 'AUDIT_TARGET', 'audit', 's';
my $ref = $filter_table->{$target};
unless ( $ref ) {
$ref = new_chain 'filter', $target;
add_rule $ref, '-j AUDIT --type ' . lc $action;
if ( $action eq 'REJECT' ) {
add_jump $ref , 'reject', 1;
} else {
add_rule $ref , "-j $action";
}
$usedactions{normalize_action_name $target} = $ref;
}
return $target;
}
# #
# The following small functions generate rules for the builtin actions of the same name # The following small functions generate rules for the builtin actions of the same name
# #
sub dropBcast( $$$$ ) { sub dropBcast( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_; my ($chainref, $level, $tag, $audit) = @_;
if ( defined $audit && $audit ne '' ) { my $target = require_audit ( 'DROP', $audit );
fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
require_capability 'AUDIT_TARGET', 'audit', 's';
}
if ( have_capability( 'ADDRTYPE' ) ) { if ( have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) { if ( $level ne '' ) {
@ -1157,8 +1184,7 @@ sub dropBcast( $$$$ ) {
} }
} }
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j AUDIT --type drop' if $audit; add_rule $chainref, "-m addrtype --dst-type BROADCAST -j $target";
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
} else { } else {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_commands $chainref, 'for address in $ALL_BCASTS; do'; add_commands $chainref, 'for address in $ALL_BCASTS; do';
@ -1168,7 +1194,7 @@ sub dropBcast( $$$$ ) {
incr_cmd_level $chainref; incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne ''; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
add_rule $chainref, '-d $address -j DROP'; add_rule $chainref, "-d \$address -j $target";
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
@ -1176,21 +1202,16 @@ sub dropBcast( $$$$ ) {
} }
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_rule $chainref, '-d 224.0.0.0/4 -j AUDIT --type drop' if $audit; add_rule $chainref, "-d 224.0.0.0/4 -j $target";
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
} else { } else {
add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j AUDIT --type drop' ); add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, "-j $target" );
add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' );
} }
} }
sub allowBcast( $$$$ ) { sub allowBcast( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_; my ($chainref, $level, $tag, $audit) = @_;
if ( defined $audit && $audit ne '' ) { my $target = require_audit( 'ACCEPT', $audit );
fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
require_capability 'AUDIT_TARGET', 'audit', 's';
}
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) { if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) { if ( $level ne '' ) {
@ -1198,10 +1219,8 @@ sub allowBcast( $$$$ ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 '; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
} }
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j AUDIT --type accept' if $audit; add_rule $chainref, "-m addrtype --dst-type BROADCAST -j $target";
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT'; add_rule $chainref, "-d 224.0.0.0/4 -j $target";
add_rule $chainref, '-d 224.0.0.0/4 -j AUDIT --type accept' if $audit;
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
} else { } else {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_commands $chainref, 'for address in $ALL_BCASTS; do'; add_commands $chainref, 'for address in $ALL_BCASTS; do';
@ -1211,19 +1230,16 @@ sub allowBcast( $$$$ ) {
incr_cmd_level $chainref; incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne ''; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
add_rule $chainref, '-d $address -j AUDIT --type accept' if $audit; add_rule $chainref, "-d \$address -j $target";
add_rule $chainref, '-d $address -j ACCEPT';
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
add_rule $chainref, '-d 224.0.0.0/4 -j AUDIT --type accept' if $audit; add_rule $chainref, "-d 224.0.0.0/4 -j $target";
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
} else { } else {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne ''; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j AUDIT --type accept' ) if $audit; add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, "-j $target" );
add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' );
} }
} }
} }
@ -1231,53 +1247,41 @@ sub allowBcast( $$$$ ) {
sub dropNotSyn ( $$$$ ) { sub dropNotSyn ( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_; my ($chainref, $level, $tag, $audit) = @_;
if ( defined $audit && $audit ne '' ) { my $target = require_audit( 'DROP', $audit );
fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
require_capability 'AUDIT_TARGET', 'audit', 's';
}
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne ''; log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
add_rule $chainref , '-p 6 ! --syn -j AUDIT --type drop' if $audit; add_rule $chainref , "-p 6 ! --syn -j $target";
add_rule $chainref , '-p 6 ! --syn -j DROP';
} }
sub rejNotSyn ( $$$$ ) { sub rejNotSyn ( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_; my ($chainref, $level, $tag, $audit) = @_;
my $target = 'REJECT --reject-with tcp-reset';
if ( defined $audit && $audit ne '' ) { if ( defined $audit && $audit ne '' ) {
fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit'; $target = require_audit( 'REJECT' , $audit );
require_capability 'AUDIT_TARGET', 'audit', 's';
} }
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne ''; log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
add_rule $chainref , '-p 6 ! --syn -j AUDIT --type reject' if $audit; add_rule $chainref , "-p 6 ! --syn -j $target";
add_rule $chainref , '-p 6 ! --syn -j REJECT --reject-with tcp-reset';
} }
sub dropInvalid ( $$$$ ) { sub dropInvalid ( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_; my ($chainref, $level, $tag, $audit) = @_;
if ( defined $audit && $audit ne '' ) { my $target = require_audit( 'DROP', $audit );
fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
require_capability 'AUDIT_TARGET', 'audit', 's';
}
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne ''; log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
add_rule $chainref , "$globals{STATEMATCH} INVALID -j AUDIT --type drop" if $audit; add_rule $chainref , "$globals{STATEMATCH} INVALID -j $target";
add_rule $chainref , "$globals{STATEMATCH} INVALID -j DROP";
} }
sub allowInvalid ( $$$$ ) { sub allowInvalid ( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_; my ($chainref, $level, $tag, $audit) = @_;
if ( defined $audit && $audit ne '' ) { my $target = require_audit( 'ACCEPT', $audit );
fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
require_capability 'AUDIT_TARGET', 'audit', 's';
}
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne ''; log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
add_rule $chainref , "$globals{STATEMATCH} INVALID -j AUDIT --type accept" if $audit; add_rule $chainref , "$globals{STATEMATCH} INVALID -j $target";
add_rule $chainref , "$globals{STATEMATCH} INVALID -j ACCEPT";
} }
sub forwardUPnP ( $$$$ ) { sub forwardUPnP ( $$$$ ) {
@ -1289,20 +1293,15 @@ sub forwardUPnP ( $$$$ ) {
sub allowinUPnP ( $$$$ ) { sub allowinUPnP ( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_; my ($chainref, $level, $tag, $audit) = @_;
if ( defined $audit && $audit ne '' ) { my $target = require_audit( 'ACCEPT', $audit );
fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
require_capability 'AUDIT_TARGET', 'audit', 's';
}
if ( $level ne '' ) { if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 '; log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 ';
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 '; log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
} }
add_rule $chainref, '-p 17 --dport 1900 -j AUDIT --type accept' if $audit; add_rule $chainref, "-p 17 --dport 1900 -j $target";
add_rule $chainref, '-p 17 --dport 1900 -j ACCEPT'; add_rule $chainref, "-p 6 --dport 49152 -j $target";
add_rule $chainref, '-p 6 --dport 49152 -j AUDIT --type accept' if $audit;
add_rule $chainref, '-p 6 --dport 49152 -j ACCEPT';
} }
sub Limit( $$$$ ) { sub Limit( $$$$ ) {
@ -1348,7 +1347,7 @@ sub A_ACCEPT ( $$$ ) {
require_capability 'AUDIT_TARGET' , 'A_ACCEPT rules', ''; require_capability 'AUDIT_TARGET' , 'A_ACCEPT rules', '';
log_rule_limit $level, $chainref, 'A_ACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne ''; log_rule_limit $level, $chainref, $chainref->{name} , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type accept'; add_rule $chainref , '-j AUDIT --type accept';
add_rule $chainref , '-j ACCEPT'; add_rule $chainref , '-j ACCEPT';
} }
@ -1358,7 +1357,7 @@ sub A_DROP ( $$$ ) {
require_capability 'AUDIT_TARGET' , 'A_DROP rules', ''; require_capability 'AUDIT_TARGET' , 'A_DROP rules', '';
log_rule_limit $level, $chainref, 'A_DROP' , 'DROP', '', $tag, 'add', '' if $level ne ''; log_rule_limit $level, $chainref, $chainref->{name} , 'DROP', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type drop'; add_rule $chainref , '-j AUDIT --type drop';
add_rule $chainref , '-j DROP'; add_rule $chainref , '-j DROP';
} }
@ -1368,7 +1367,7 @@ sub A_REJECT ( $$$ ) {
require_capability 'AUDIT_TARGET' , 'A_REJECT rules', ''; require_capability 'AUDIT_TARGET' , 'A_REJECT rules', '';
log_rule_limit $level, $chainref, 'A_REJECT' , 'REJECT', '', $tag, 'add', '' if $level ne ''; log_rule_limit $level, $chainref, $chainref->{name} , 'REJECT', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type reject'; add_rule $chainref , '-j AUDIT --type reject';
add_rule $chainref , '-j reject'; add_rule $chainref , '-j reject';
} }
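Review bot: `require_audit` (first hunk) validates `$audit` but not `$action`, yet it builds both the chain name `'A_' . $action` and the iptables option `'-j AUDIT --type ' . lc $action` from it, so any future caller passing something other than ACCEPT/DROP/REJECT would silently emit an unloadable rule rather than fail at compile time; add `fatal_error "Invalid action ($action) passed to require_audit" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;` after the `$audit` check. A short header comment is also warranted, since the sub is now the single choke point for all audited builtins: describe that it returns `$action` unchanged when no audit is requested, otherwise ensures a shared `A_<ACTION>` filter chain exists (AUDIT then the action) and returns its name. One behavioural consequence worth a comment in `rejNotSyn`: the un-audited path rejects with an explicit `REJECT --reject-with tcp-reset`, whereas the audited path now jumps to the shared `A_REJECT` chain, which in turn jumps to the `reject` chain (`add_jump $ref, 'reject', 1`) — whether a TCP RST is still sent therefore depends on the contents of the `reject` chain, which are not visible here; confirm, or pass the reject variant through `require_audit`. The `A_ACCEPT`/`A_DROP`/`A_REJECT` subs in the last three hunks start outside their hunks.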