extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 17:58:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add logging to new MAC Verification targets

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3357 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-01-23 16:52:59 +00:00
parent 5eecd59292
commit a996fd988f
3 changed files with 61 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
Shorewall/compiler
View File

@ -2323,10 +2323,10 @@ setup_mac_lists() {
if [ -n "$MACLIST_TTL" ]; then if [ -n "$MACLIST_TTL" ]; then
chain1=$(macrecent_target $interface) chain1=$(macrecent_target $interface)
create_mac_chain $chain1 create_mac_chain $chain1
run_iptables -t $MACLIST_TABLE -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN run_iptables -A $chain -t $MACLIST_TABLE -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
run_iptables -t $MACLIST_TABLE -A $chain -j $chain1 run_iptables -A $chain -t $MACLIST_TABLE -j $chain1
run_iptables -t $MACLIST_TABLE -A $chain -m recent --update --name $chain -j RETURN run_iptables -A $chain -t $MACLIST_TABLE -m recent --update --name $chain -j RETURN
run_iptables -t $MACLIST_TABLE -A $chain -m recent --set --name $chain run_iptables -A $chain -t $MACLIST_TABLE -m recent --set --name $chain
fi fi
done done
@ -2336,20 +2336,39 @@ setup_mac_lists() {
while read disposition interface mac addresses; do while read disposition interface mac addresses; do
expandv disposition interface mac addresses expandv disposition interface mac addresses
level=
case $disposition in case $disposition in
ACCEPT:*)
level=${disposition#*:}
disposition=ACCEPT
target=RETURN
;;
ACCEPT) ACCEPT)
disposition=RETURN target=RETURN
;;
REJECT:*)
[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
target=reject
disposition=REJECT
;; ;;
REJECT) REJECT)
[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle" [ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
target=reject
;;
DROP:*)
level=${disposition#*:}
disposition=DROP
target=DROP
;; ;;
DROP) DROP)
target=DROP
;; ;;
*) *)
addresses="$mac" addresses="$mac"
mac="$interface" mac="$interface"
interface="$disposition" interface="$disposition"
disposition=RETURN target=RETURN
;; ;;
esac esac
@ -2374,17 +2393,21 @@ setup_mac_lists() {
if [ -z "$addresses" ]; then if [ -z "$addresses" ]; then
fatal_error "You must specify a MAC address or an IP address" fatal_error "You must specify a MAC address or an IP address"
else else
mac= macpart=
fi fi
else else
macpart=$(mac_match $mac) macpart=$(mac_match $mac)
fi fi
if [ -z "$addresses" ]; then if [ -z "$addresses" ]; then
run_iptables -t $MACLIST_TABLE -A $chain $macpart $physdev_part -j $disposition [ -n "$level" ] && \
log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part
run_iptables -A $chain -t $MACLIST_TABLE $macpart $physdev_part -j $target
else else
for address in $(separate_list $addresses) ; do for address in $(separate_list $addresses) ; do
run_iptables2 -t $MACLIST_TABLE -A $chain $macpart -s $address $physdev_part -j $disposition [ -n "$level" ] && \
log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart -s $address $physdev_part
run_iptables2 -A $chain -t $MACLIST_TABLE $macpart -s $address $physdev_part -j $target
done done
fi fi
done < $TMP_DIR/maclist done < $TMP_DIR/maclist
@ -2416,7 +2439,7 @@ __EOF__
log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
fi fi
run_iptables -t $MACLIST_TABLE -A $chain -j $maclist_target run_iptables -A $chain -t $MACLIST_TABLE -j $maclist_target
done done
# #
# Generate jumps from the input and forward chains # Generate jumps from the input and forward chains

31
Shorewall/firewall
View File

@ -2577,10 +2577,10 @@ setup_mac_lists() {
if [ -n "$MACLIST_TTL" ]; then if [ -n "$MACLIST_TTL" ]; then
chain1=$(macrecent_target $interface) chain1=$(macrecent_target $interface)
create_mac_chain $chain1 create_mac_chain $chain1
run_iptables -t $MACLIST_TABLE -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN run_iptables -A $chain -t $MACLIST_TABLE -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
run_iptables -t $MACLIST_TABLE -A $chain -j $chain1 run_iptables -A $chain -t $MACLIST_TABLE -j $chain1
run_iptables -t $MACLIST_TABLE -A $chain -m recent --update --name $chain -j RETURN run_iptables -A $chain -t $MACLIST_TABLE -m recent --update --name $chain -j RETURN
run_iptables -t $MACLIST_TABLE -A $chain -m recent --set --name $chain run_iptables -A $chain -t $MACLIST_TABLE -m recent --set --name $chain
fi fi
done done
@ -2591,12 +2591,27 @@ setup_mac_lists() {
expandv disposition interface mac addresses expandv disposition interface mac addresses
case $disposition in case $disposition in
ACCEPT:*)
level=${disposition#*:}
disposition=ACCEPT
target=RETURN
;;
ACCEPT) ACCEPT)
disposition=RETURN disposition=RETURN
;; ;;
REJECT:*)
[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
target=reject
disposition=REJECT
;;
REJECT) REJECT)
[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle" [ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
;; ;;
DROP:*)
level=${disposition#*:}
disposition=DROP
target=DROP
;;
DROP) DROP)
;; ;;
*) *)
@ -2635,10 +2650,14 @@ setup_mac_lists() {
fi fi
if [ -z "$addresses" ]; then if [ -z "$addresses" ]; then
run_iptables -t $MACLIST_TABLE -A $chain $macpart $physdev_part -j $disposition [ -n "$level" ] && \
log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part
run_iptables -A $chain -t $MACLIST_TABLE $macpart $physdev_part -j $target
else else
for address in $(separate_list $addresses) ; do for address in $(separate_list $addresses) ; do
run_iptables2 -t $MACLIST_TABLE -A $chain $macpart -s $address $physdev_part -j $disposition [ -n "$level" ] && \
log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart -s $address $physdev_part
run_iptables2 -A $chain -t $MACLIST_TABLE $macpart -s $address $physdev_part -j $target
done done
fi fi
done < $TMP_DIR/maclist done < $TMP_DIR/maclist

3
Shorewall/releasenotes.txt
View File

@ -39,6 +39,9 @@ New Features added in 3.1.4
contain REJECT). This change is upward compatible so your existing maclist contain REJECT). This change is upward compatible so your existing maclist
file can still be used. file can still be used.
ACCEPT, DROP and REJECT may be optionally followed by a log level to cause the
packet to be logged.
2) Shorewall has always been very noisy (lots of messages). No more. The default 2) Shorewall has always been very noisy (lots of messages). No more. The default
is now to be very quiet and you get more detail using the -v option (or -vv if is now to be very quiet and you get more detail using the -v option (or -vv if
you want the old noisy behavior). The -q option is still supported but only you want the old noisy behavior). The -q option is still supported but only