extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-08 14:01:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add ULOG and NFLOG capabilities plus LOGMARK for IPv6

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-11-12 14:10:48 -08:00
parent bf010dc03e
commit 73ed66b9b9
5 changed files with 87 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
Shorewall/Perl/Shorewall/Config.pm
View File

@ -268,6 +268,8 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
TIME_MATCH => 'Time Match', TIME_MATCH => 'Time Match',
GOTO_TARGET => 'Goto Support', GOTO_TARGET => 'Goto Support',
LOG_TARGET => 'LOG Target', LOG_TARGET => 'LOG Target',
ULOG_TARGET => 'ULOG Target',
NFLOG_TARGET => 'NFLOG Target',
LOGMARK_TARGET => 'LOGMARK Target', LOGMARK_TARGET => 'LOGMARK Target',
IPMARK_TARGET => 'IPMARK Target', IPMARK_TARGET => 'IPMARK Target',
PERSISTENT_SNAT => 'Persistent SNAT', PERSISTENT_SNAT => 'Persistent SNAT',
@ -656,6 +658,8 @@ sub initialize( $ ) {
TIME_MATCH => undef, TIME_MATCH => undef,
GOTO_TARGET => undef, GOTO_TARGET => undef,
LOG_TARGET => 1, # Assume that we have it. LOG_TARGET => 1, # Assume that we have it.
ULOG_TARGET => undef,
NFLOG_TARGET => undef,
LOGMARK_TARGET => undef, LOGMARK_TARGET => undef,
IPMARK_TARGET => undef, IPMARK_TARGET => undef,
TPROXY_TARGET => undef, TPROXY_TARGET => undef,
@ -2139,68 +2143,81 @@ sub validate_level( $ ) {
my $level = uc $rawlevel; my $level = uc $rawlevel;
if ( supplied ( $level ) ) { if ( supplied ( $level ) ) {
$level =~ s/!$//; my $value = $level;
my $value = $validlevels{$level}; my $qualifier;
if ( defined $value ) { $value =~ s/^!//;
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ) unless $value eq '';
unless ( $value =~ /^[0-7]$/ ) {
level_error( $level ) unless $level =~ /^!?([A-Za-z0-7]+)(.*)$/ && defined( $value = $validlevels{$1} );
$qualifier = $2;
}
if ( $value =~ /^[0-7]$/ ) {
#
# Syslog Level
#
level_error( $rawlevel ) if supplied $qualifier;
require_capability ( 'LOG_TARGET' , "Log level $level", 's' ) unless $value eq '';
return $value; return $value;
} }
if ( $level =~ /^[0-7]$/ ) { return '' unless $value;
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
return $level;
}
if ( $level =~ /^(NFLOG|ULOG)[(](.*)[)]$/ ) { require_capability( "${value}_TARGET", "Log level $level", 's' );
my $olevel = $1;
my @options = split /,/, $2; if ( $value =~ /^(NFLOG|ULOG)$/ ) {
my $olevel = $value;
if ( $qualifier =~ /^[(](.*)[)]$/ ) {
my @options = split /,/, $1;
my $prefix = lc $olevel; my $prefix = lc $olevel;
my $index = $prefix eq 'ulog' ? 3 : 0; my $index = $prefix eq 'ulog' ? 3 : 0;
level_error( $level ) if @options > 3; level_error( $rawlevel ) if @options > 3;
for ( @options ) { for ( @options ) {
if ( supplied( $_ ) ) { if ( supplied( $_ ) ) {
level_error( $level ) unless /^\d+/; level_error( $rawlevel ) unless /^\d+/;
$olevel .= " --${prefix}-$suffixes[$index] $_"; $olevel .= " --${prefix}-$suffixes[$index] $_";
} }
$index++; $index++;
} }
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ); } elsif ( $qualifier =~ /^ --/ ) {
return $rawlevel;
}
return $olevel; return $olevel;
} }
if ( $level =~ /^NFLOG --/ or $level =~ /^ULOG --/ ) { #
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ); # Must be LOGMARK
#
if ( $qualifier =~ /^ --/ ) {
return $rawlevel; return $rawlevel;
} }
if ( $level =~ /^LOGMARK --/ ) { my $sublevel;
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
return $rawlevel;
}
if ( $level =~ /LOGMARK([(](.+)[)])?$/ ) { if ( supplied $qualifier ) {
my $sublevel = $2; if ( $qualifier =~ /[(](.+)[)]?$/ ) {
$sublevel = $1;
if ( $1 ) {
$sublevel = $validlevels{$sublevel} unless $sublevel =~ /^[0-7]$/; $sublevel = $validlevels{$sublevel} unless $sublevel =~ /^[0-7]$/;
level_error( $level ) unless defined $sublevel && $sublevel =~ /^[0-7]$/; level_error( $rawlevel ) unless defined $sublevel && $sublevel =~ /^[0-7]$/;
} else {
level_error( $rawlevel );
}
} else { } else {
$sublevel = 6; # info $sublevel = 6; # info
} }
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
require_capability( 'LOGMARK_TARGET' , 'LOGMARK', 's' );
return "LOGMARK --log-level $sublevel"; return "LOGMARK --log-level $sublevel";
} }
level_error( $rawlevel );
}
''; '';
} }
@ -2672,6 +2689,14 @@ sub Log_Target() {
qt1( "$iptables -A $sillyname -j LOG" ); qt1( "$iptables -A $sillyname -j LOG" );
} }
sub Ulog_Target() {
qt1( "$iptables -A $sillyname -j ULOG" );
}
sub NFLog_Target() {
qt1( "$iptables -A $sillyname -j NFLOG" );
}
sub Logmark_Target() { sub Logmark_Target() {
qt1( "$iptables -A $sillyname -j LOGMARK" ); qt1( "$iptables -A $sillyname -j LOGMARK" );
} }
@ -2747,6 +2772,8 @@ our %detect_capability =
LENGTH_MATCH => \&Length_Match, LENGTH_MATCH => \&Length_Match,
LOGMARK_TARGET => \&Logmark_Target, LOGMARK_TARGET => \&Logmark_Target,
LOG_TARGET => \&Log_Target, LOG_TARGET => \&Log_Target,
ULOG_TARGET => \&Ulog_Target,
NFLOG_TARGET => \&NFLog_Target,
MANGLE_ENABLED => \&Mangle_Enabled, MANGLE_ENABLED => \&Mangle_Enabled,
MANGLE_FORWARD => \&Mangle_Forward, MANGLE_FORWARD => \&Mangle_Forward,
MARK => \&Mark, MARK => \&Mark,
@ -2890,6 +2917,8 @@ sub determine_capabilities() {
$capabilities{TIME_MATCH} = detect_capability( 'TIME_MATCH' ); $capabilities{TIME_MATCH} = detect_capability( 'TIME_MATCH' );
$capabilities{GOTO_TARGET} = detect_capability( 'GOTO_TARGET' ); $capabilities{GOTO_TARGET} = detect_capability( 'GOTO_TARGET' );
$capabilities{LOG_TARGET} = detect_capability( 'LOG_TARGET' ); $capabilities{LOG_TARGET} = detect_capability( 'LOG_TARGET' );
$capabilities{ULOG_TARGET} = detect_capability( 'ULOG_TARGET' );
$capabilities{NFLOG_TARGET} = detect_capability( 'NFLOG_TARGET' );
$capabilities{LOGMARK_TARGET} = detect_capability( 'LOGMARK_TARGET' ); $capabilities{LOGMARK_TARGET} = detect_capability( 'LOGMARK_TARGET' );
$capabilities{FLOW_FILTER} = detect_capability( 'FLOW_FILTER' ); $capabilities{FLOW_FILTER} = detect_capability( 'FLOW_FILTER' );
$capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' ); $capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' );

2
Shorewall/lib.base
View File

@ -28,7 +28,7 @@
# #
SHOREWALL_LIBVERSION=40407 SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40425 SHOREWALL_CAPVERSION=40426
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]

8
Shorewall/lib.cli
View File

@ -1729,6 +1729,8 @@ determine_capabilities() {
LOGMARK_TARGET= LOGMARK_TARGET=
IPMARK_TARGET= IPMARK_TARGET=
LOG_TARGET=Yes LOG_TARGET=Yes
ULOG_TARGET=
NFLOG_TARGET=
PERSISTENT_SNAT= PERSISTENT_SNAT=
FLOW_FILTER= FLOW_FILTER=
FWMARK_RT_MASK= FWMARK_RT_MASK=
@ -1886,6 +1888,8 @@ determine_capabilities() {
qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
qt $IPTABLES -A $chain -j LOG || LOG_TARGET= qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
qt $IPTABLES -A $chain -j ULOG && ULOG_TARGET=Yes
qt $IPTABLES -A $chain -j NFLOG && NFLOG_TARGET=Yes
qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
@ -1977,6 +1981,8 @@ report_capabilities() {
report_capability "LOGMARK Target" $LOGMARK_TARGET report_capability "LOGMARK Target" $LOGMARK_TARGET
report_capability "IPMARK Target" $IPMARK_TARGET report_capability "IPMARK Target" $IPMARK_TARGET
report_capability "LOG Target" $LOG_TARGET report_capability "LOG Target" $LOG_TARGET
report_capability "ULOG Target" $ULOG_TARGET
report_capability "NFLOG Target" $NFLOG_TARGET
report_capability "Persistent SNAT" $PERSISTENT_SNAT report_capability "Persistent SNAT" $PERSISTENT_SNAT
report_capability "TPROXY Target" $TPROXY_TARGET report_capability "TPROXY Target" $TPROXY_TARGET
report_capability "FLOW Classifier" $FLOW_FILTER report_capability "FLOW Classifier" $FLOW_FILTER
@ -2050,6 +2056,8 @@ report_capabilities1() {
report_capability1 LOGMARK_TARGET report_capability1 LOGMARK_TARGET
report_capability1 IPMARK_TARGET report_capability1 IPMARK_TARGET
report_capability1 LOG_TARGET report_capability1 LOG_TARGET
report_capability1 ULOG_TARGET
report_capability1 NFLOG_TARGET
report_capability1 PERSISTENT_SNAT report_capability1 PERSISTENT_SNAT
report_capability1 TPROXY_TARGET report_capability1 TPROXY_TARGET
report_capability1 FLOW_FILTER report_capability1 FLOW_FILTER

2
Shorewall6/lib.base
View File

@ -32,7 +32,7 @@
# #
SHOREWALL_LIBVERSION=40407 SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40425 SHOREWALL_CAPVERSION=40426
[ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]

12
Shorewall6/lib.cli
View File

@ -1556,6 +1556,9 @@ determine_capabilities() {
GOTO_TARGET= GOTO_TARGET=
IPMARK_TARGET= IPMARK_TARGET=
LOG_TARGET=Yes LOG_TARGET=Yes
ULOG_TARGET=
NFLOG_TARGET=
LOGMARK_TARGET=
FLOW_FILTER= FLOW_FILTER=
FWMARK_RT_MASK= FWMARK_RT_MASK=
MARK_ANYWHERE= MARK_ANYWHERE=
@ -1712,7 +1715,10 @@ determine_capabilities() {
qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
qt $IP6TABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
qt $IP6TABLES -A $chain -j LOG || LOG_TARGET= qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
qt $IP6TABLES -A $chain -j ULOG && ULOG_TARGET=Yes
qt $IP6TABLES -A $chain -j NFLOG && NFLOG_TARGET=Yes
qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
@ -1804,7 +1810,10 @@ report_capabilities() {
report_capability "Time Match" $TIME_MATCH report_capability "Time Match" $TIME_MATCH
report_capability "Goto Support" $GOTO_TARGET report_capability "Goto Support" $GOTO_TARGET
report_capability "IPMARK Target" $IPMARK_TARGET report_capability "IPMARK Target" $IPMARK_TARGET
report_capability "LOGMARK Target" $LOGMARK_TARGET
report_capability "LOG Target" $LOG_TARGET report_capability "LOG Target" $LOG_TARGET
report_capability "ULOG Target" $ULOG_TARGET
report_capability "NFLOG Target" $NFLOG_TARGET
report_capability "TPROXY Target" $TPROXY_TARGET report_capability "TPROXY Target" $TPROXY_TARGET
report_capability "FLOW Classifier" $FLOW_FILTER report_capability "FLOW Classifier" $FLOW_FILTER
report_capability "fwmark route mask" $FWMARK_RT_MASK report_capability "fwmark route mask" $FWMARK_RT_MASK
@ -1874,7 +1883,10 @@ report_capabilities1() {
report_capability1 TIME_MATCH report_capability1 TIME_MATCH
report_capability1 GOTO_TARGET report_capability1 GOTO_TARGET
report_capability1 IPMARK_TARGET report_capability1 IPMARK_TARGET
report_capability1 LOGMARK_TARGET
report_capability1 LOG_TARGET report_capability1 LOG_TARGET
report_capability1 ULOG_TARGET
report_capability1 NFLOG_TARGET
report_capability1 TPROXY_TARGET report_capability1 TPROXY_TARGET
report_capability1 FLOW_FILTER report_capability1 FLOW_FILTER
report_capability1 FWMARK_RT_MASK report_capability1 FWMARK_RT_MASK