mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-24 07:08:53 +01:00
Prepare for more parameterized actions
- Export add_commands, incr_cmd_level and decr_cmd_level by default - Move ensure_audit_chain and require_audit from Rules.pm to Chains.pm - Add get_action_logging() function - Export require_capability and have_capability by default Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
ad71faacaa
commit
7e3f97c154
@ -35,23 +35,29 @@ use strict;
|
|||||||
|
|
||||||
our @ISA = qw(Exporter);
|
our @ISA = qw(Exporter);
|
||||||
our @EXPORT = qw(
|
our @EXPORT = qw(
|
||||||
add_rule
|
add_rule
|
||||||
add_jump
|
add_jump
|
||||||
insert_rule
|
insert_rule
|
||||||
new_chain
|
add_commands
|
||||||
new_manual_chain
|
incr_cmd_level
|
||||||
ensure_manual_chain
|
decr_cmd_level
|
||||||
log_rule_limit
|
new_chain
|
||||||
dont_optimize
|
new_manual_chain
|
||||||
dont_delete
|
ensure_manual_chain
|
||||||
dont_move
|
ensure_audit_chain
|
||||||
|
require_audit
|
||||||
|
log_rule_limit
|
||||||
|
dont_optimize
|
||||||
|
dont_delete
|
||||||
|
dont_move
|
||||||
|
get_action_logging
|
||||||
|
|
||||||
%chain_table
|
%chain_table
|
||||||
$raw_table
|
$raw_table
|
||||||
$nat_table
|
$nat_table
|
||||||
$mangle_table
|
$mangle_table
|
||||||
$filter_table
|
$filter_table
|
||||||
);
|
);
|
||||||
|
|
||||||
our %EXPORT_TAGS = (
|
our %EXPORT_TAGS = (
|
||||||
internal => [ qw( STANDARD
|
internal => [ qw( STANDARD
|
||||||
@ -78,7 +84,6 @@ our %EXPORT_TAGS = (
|
|||||||
NOT_RESTORE
|
NOT_RESTORE
|
||||||
|
|
||||||
initialize_chain_table
|
initialize_chain_table
|
||||||
add_commands
|
|
||||||
copy_rules
|
copy_rules
|
||||||
move_rules
|
move_rules
|
||||||
insert_rule1
|
insert_rule1
|
||||||
@ -90,8 +95,6 @@ our %EXPORT_TAGS = (
|
|||||||
clear_comment
|
clear_comment
|
||||||
push_comment
|
push_comment
|
||||||
pop_comment
|
pop_comment
|
||||||
incr_cmd_level
|
|
||||||
decr_cmd_level
|
|
||||||
forward_chain
|
forward_chain
|
||||||
rules_chain
|
rules_chain
|
||||||
zone_forward_chain
|
zone_forward_chain
|
||||||
@ -1559,6 +1562,77 @@ sub ensure_manual_chain($) {
|
|||||||
$chainref;
|
$chainref;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
|
||||||
|
#
|
||||||
|
|
||||||
|
sub ensure_audit_chain( $;$$ ) {
|
||||||
|
my ( $target, $action, $tgt ) = @_;
|
||||||
|
|
||||||
|
push_comment( '' );
|
||||||
|
|
||||||
|
my $ref = $filter_table->{$target};
|
||||||
|
|
||||||
|
unless ( $ref ) {
|
||||||
|
$ref = new_chain 'filter', $target;
|
||||||
|
|
||||||
|
unless ( $action ) {
|
||||||
|
$action = $target;
|
||||||
|
$action =~ s/^A_//;
|
||||||
|
}
|
||||||
|
|
||||||
|
$tgt ||= $action;
|
||||||
|
|
||||||
|
if ( $config{FAKE_AUDIT} ) {
|
||||||
|
add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
|
||||||
|
} else {
|
||||||
|
add_rule $ref, '-j AUDIT --type ' . lc $action;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
if ( $tgt eq 'REJECT' ) {
|
||||||
|
add_jump $ref , 'reject', 1;
|
||||||
|
} else {
|
||||||
|
add_jump $ref , $tgt, 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pop_comment;
|
||||||
|
|
||||||
|
return $target;
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Return the appropriate target based on whether the second argument is 'audit'
|
||||||
|
#
|
||||||
|
|
||||||
|
sub require_audit($$;$) {
|
||||||
|
my ($action, $audit, $tgt ) = @_;
|
||||||
|
|
||||||
|
return $action unless supplied $audit;
|
||||||
|
|
||||||
|
my $target = 'A_' . $action;
|
||||||
|
|
||||||
|
fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
|
||||||
|
|
||||||
|
require_capability 'AUDIT_TARGET', 'audit', 's';
|
||||||
|
|
||||||
|
return ensure_audit_chain $target, $action, $tgt;
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Returns the Level and Tag for the current action chain
|
||||||
|
#
|
||||||
|
sub get_action_logging() {
|
||||||
|
my $chainref = get_action_chain;
|
||||||
|
my $wholeaction = $chainref->{action};
|
||||||
|
my ( undef, $level, $tag, undef ) = split ':', $wholeaction;
|
||||||
|
|
||||||
|
$level = '' if $level =~ /^none/;
|
||||||
|
|
||||||
|
( $level, $tag );
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
|
# Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
|
||||||
# The function also initializes the target table with the pre-defined targets available for the specfied address family.
|
# The function also initializes the target table with the pre-defined targets available for the specfied address family.
|
||||||
|
@ -47,14 +47,20 @@ our @EXPORT = qw(
|
|||||||
warning_message
|
warning_message
|
||||||
fatal_error
|
fatal_error
|
||||||
assert
|
assert
|
||||||
|
|
||||||
progress_message
|
progress_message
|
||||||
progress_message_nocompress
|
progress_message_nocompress
|
||||||
progress_message2
|
progress_message2
|
||||||
progress_message3
|
progress_message3
|
||||||
|
|
||||||
supplied
|
supplied
|
||||||
|
|
||||||
get_action_params
|
get_action_params
|
||||||
get_action_chain
|
get_action_chain
|
||||||
set_action_param
|
set_action_param
|
||||||
|
|
||||||
|
have_capability
|
||||||
|
require_capability
|
||||||
);
|
);
|
||||||
|
|
||||||
our @EXPORT_OK = qw( $shorewall_dir initialize set_config_path shorewall);
|
our @EXPORT_OK = qw( $shorewall_dir initialize set_config_path shorewall);
|
||||||
@ -113,8 +119,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
|||||||
add_param
|
add_param
|
||||||
export_params
|
export_params
|
||||||
get_configuration
|
get_configuration
|
||||||
require_capability
|
|
||||||
have_capability
|
|
||||||
report_capabilities
|
report_capabilities
|
||||||
propagateconfig
|
propagateconfig
|
||||||
append_file
|
append_file
|
||||||
|
@ -663,8 +663,6 @@ sub complete_standard_chain ( $$$$ ) {
|
|||||||
policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
|
policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub require_audit($$;$);
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
|
# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
|
||||||
#
|
#
|
||||||
@ -1148,105 +1146,6 @@ sub map_old_actions( $ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
|
||||||
# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
|
|
||||||
|
|
||||||
sub ensure_audit_chain( $;$$ ) {
|
|
||||||
my ( $target, $action, $tgt ) = @_;
|
|
||||||
|
|
||||||
push_comment( '' );
|
|
||||||
|
|
||||||
my $ref = $filter_table->{$target};
|
|
||||||
|
|
||||||
unless ( $ref ) {
|
|
||||||
$ref = new_chain 'filter', $target;
|
|
||||||
|
|
||||||
unless ( $action ) {
|
|
||||||
$action = $target;
|
|
||||||
$action =~ s/^A_//;
|
|
||||||
}
|
|
||||||
|
|
||||||
$tgt ||= $action;
|
|
||||||
|
|
||||||
if ( $config{FAKE_AUDIT} ) {
|
|
||||||
add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
|
|
||||||
} else {
|
|
||||||
add_rule $ref, '-j AUDIT --type ' . lc $action;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
if ( $tgt eq 'REJECT' ) {
|
|
||||||
add_jump $ref , 'reject', 1;
|
|
||||||
} else {
|
|
||||||
add_jump $ref , $tgt, 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
pop_comment;
|
|
||||||
|
|
||||||
return $target;
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Return the appropriate target based on whether the second argument is 'audit'
|
|
||||||
#
|
|
||||||
|
|
||||||
sub require_audit($$;$) {
|
|
||||||
my ($action, $audit, $tgt ) = @_;
|
|
||||||
|
|
||||||
return $action unless supplied $audit;
|
|
||||||
|
|
||||||
my $target = 'A_' . $action;
|
|
||||||
|
|
||||||
fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
|
|
||||||
|
|
||||||
require_capability 'AUDIT_TARGET', 'audit', 's';
|
|
||||||
|
|
||||||
return ensure_audit_chain $target, $action, $tgt;
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# The following small functions generate rules for the builtin actions of the same name
|
|
||||||
#
|
|
||||||
sub dropBcast( $$$$ ) {
|
|
||||||
my ($chainref, $level, $tag, $audit) = @_;
|
|
||||||
|
|
||||||
my $target = require_audit ( 'DROP', $audit );
|
|
||||||
|
|
||||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
|
||||||
if ( $level ne '' ) {
|
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
|
||||||
if ( $family == F_IPV4 ) {
|
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
|
||||||
} else {
|
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
add_jump $chainref, $target, 0, "-m addrtype --dst-type BROADCAST ";
|
|
||||||
} else {
|
|
||||||
if ( $family == F_IPV4 ) {
|
|
||||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
|
||||||
} else {
|
|
||||||
add_commands $chainref, 'for address in $ALL_ACASTS; do';
|
|
||||||
}
|
|
||||||
|
|
||||||
incr_cmd_level $chainref;
|
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
|
|
||||||
add_jump $chainref, $target, 0, "-d \$address ";
|
|
||||||
decr_cmd_level $chainref;
|
|
||||||
add_commands $chainref, 'done';
|
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
|
||||||
add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
|
|
||||||
} else {
|
|
||||||
add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
sub allowBcast( $$$$ ) {
|
sub allowBcast( $$$$ ) {
|
||||||
my ($chainref, $level, $tag, $audit) = @_;
|
my ($chainref, $level, $tag, $audit) = @_;
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user