Add the TRACK_RULES option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
@@ -287,6 +287,7 @@ our $VERSION = '4.5_18';
|
||||
# policy => <policy>
|
||||
# policychain => <name of policy chain> -- self-reference if this is a policy chain
|
||||
# policypair => [ <policy source>, <policy dest> ] -- Used for reporting duplicated policies
|
||||
# origin => <filename and line number of entry that created this policy chain>
|
||||
# loglevel => <level>
|
||||
# synparams => <burst/limit + connlimit>
|
||||
# synchain => <name of synparam chain>
|
||||
@@ -322,7 +323,7 @@ our $VERSION = '4.5_18';
|
||||
#
|
||||
# Only 'referenced' chains get written to the iptables-restore input.
|
||||
#
|
||||
# 'loglevel', 'synparams', 'synchain', 'audit' and 'default' only apply to policy chains.
|
||||
# 'loglevel', 'synparams', 'synchain', 'audit', 'default' abd 'origin' only apply to policy chains.
|
||||
###########################################################################################################################################
|
||||
#
|
||||
# For each ordered pair of zones, there may exist a 'canonical rules chain' in the filter table; the name of this chain is formed by
|
||||
@@ -1224,7 +1225,8 @@ sub push_rule( $$ ) {
|
||||
my $complete = 0;
|
||||
my $ruleref = transform_rule( $_[1], $complete );
|
||||
|
||||
$ruleref->{comment} = "$comment" if $comment;
|
||||
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
|
||||
|
||||
$ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
|
||||
|
||||
push @{$chainref->{rules}}, $ruleref;
|
||||
@@ -1458,9 +1460,7 @@ sub create_irule( $$$;@ ) {
|
||||
$ruleref->{target} = '';
|
||||
}
|
||||
|
||||
if ( $comment ) {
|
||||
$ruleref->{comment} = $comment unless $ruleref->{comment};
|
||||
}
|
||||
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $ruleref->{comment} || $comment;
|
||||
|
||||
$iprangematch = 0;
|
||||
|
||||
@@ -1616,7 +1616,8 @@ sub insert_rule1($$$)
|
||||
|
||||
my $ruleref = transform_rule( $rule );
|
||||
|
||||
$ruleref->{comment} = "$comment" if $comment;
|
||||
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
|
||||
|
||||
assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) , $chainref->{name} );
|
||||
$ruleref->{mode} = CAT_MODE;
|
||||
|
||||
@@ -1656,9 +1657,8 @@ sub insert_irule( $$$$;@ ) {
|
||||
$chainref->{optflags} |= push_matches( $ruleref, @matches );
|
||||
}
|
||||
|
||||
if ( $comment ) {
|
||||
$ruleref->{comment} = $comment unless $ruleref->{comment};
|
||||
}
|
||||
|
||||
$ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
|
||||
|
||||
splice( @{$chainref->{rules}}, $number, 0, $ruleref );
|
||||
|
||||
@@ -3027,8 +3027,8 @@ sub calculate_digest( $ ) {
|
||||
#
|
||||
# Replace jumps to the passed chain with jumps to the passed target
|
||||
#
|
||||
sub replace_references( $$$;$ ) {
|
||||
my ( $chainref, $target, $targetopts, $digest ) = @_;
|
||||
sub replace_references( $$$$;$ ) {
|
||||
my ( $chainref, $target, $targetopts, $comment, $digest ) = @_;
|
||||
my $tableref = $chain_table{$chainref->{table}};
|
||||
my $count = 0;
|
||||
my $name = $chainref->{name};
|
||||
@@ -3045,6 +3045,7 @@ sub replace_references( $$$;$ ) {
|
||||
if ( $_->{target} eq $name ) {
|
||||
$_->{target} = $target;
|
||||
$_->{targetopts} = $targetopts if $targetopts;
|
||||
$_->{comment} = $comment unless $_->{comment};
|
||||
|
||||
if ( $targetref ) {
|
||||
add_reference ( $fromref, $targetref );
|
||||
@@ -3291,7 +3292,10 @@ sub optimize_level4( $$ ) {
|
||||
#
|
||||
# Replace all references to this chain with references to the target
|
||||
#
|
||||
replace_references $chainref, $firstrule->{target}, $firstrule->{targetopts};
|
||||
replace_references( $chainref,
|
||||
$firstrule->{target},
|
||||
$firstrule->{targetopts},
|
||||
$firstrule->{comment} );
|
||||
$progress = 1;
|
||||
}
|
||||
} elsif ( $firstrule->{target} ) {
|
||||
@@ -3511,7 +3515,7 @@ sub optimize_level8( $$$ ) {
|
||||
if ( $chainref->{digest} eq $chainref1->{digest} ) {
|
||||
progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
|
||||
$progress = 1;
|
||||
replace_references $chainref1, $chainref->{name}, undef, 1;
|
||||
replace_references $chainref1, $chainref->{name}, undef, '', 1;
|
||||
|
||||
unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
|
||||
#
|
||||
@@ -7599,7 +7603,9 @@ sub add_interface_options( $ ) {
|
||||
} else {
|
||||
for my $interface ( @input_interfaces ) {
|
||||
$chain1ref = $input_chains{$interface};
|
||||
add_ijump ( $chainref , j => $chain1ref->{name}, @input_interfaces > 1 ? imatch_source_dev( $interface ) : () ) if @{$chain1ref->{rules}};
|
||||
add_ijump ( $chainref ,
|
||||
j => $chain1ref->{name},
|
||||
@input_interfaces > 1 ? imatch_source_dev( $interface ) : () )->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}};
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@@ -7612,7 +7618,7 @@ sub add_interface_options( $ ) {
|
||||
} else {
|
||||
for my $interface ( @forward_interfaces ) {
|
||||
$chain1ref = $forward_chains{$interface};
|
||||
add_ijump ( $chainref , j => $chain1ref->{name}, @forward_interfaces > 1 ? imatch_source_dev( $interface ) : () ) if @{$chain1ref->{rules}};
|
||||
add_ijump ( $chainref , j => $chain1ref->{name}, @forward_interfaces > 1 ? imatch_source_dev( $interface ) : () )->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
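Review bot: The prototype of `replace_references` changes from `( $$$;$ )` to `( $$$$;$ )` with `$comment` inserted ahead of `$digest`, so a caller outside this diff that still passes the digest flag as the fourth argument (the old `replace_references $c, $t, undef, 1` form) keeps compiling and silently passes `1` as the comment, while a three-argument caller now fails at compile time. The two callers in this diff (optimize_level4 and optimize_level8) are updated, but other call sites cannot be seen from here, and appending `$comment` after the optional `$digest` would have left old calls working. In push_rule the new unconditional `$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;` stores `undef` where the old `if $comment` form left the key absent, which is fine only if the emitter tests truthiness rather than `exists`. The chained `add_ijump( ... )->{comment} = interface_origin( $interface )` in add_interface_options relies on add_ijump always returning the rule hashref; under `strict refs` an undef return would die there. The comment block also picks up a typo: `'default' abd 'origin'` should read `'default' and 'origin'`.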
@@ -48,6 +48,7 @@ our @EXPORT = qw(
|
||||
fatal_error
|
||||
assert
|
||||
currentlineinfo
|
||||
shortlineinfo
|
||||
clear_currentfilename
|
||||
validate_level
|
||||
|
||||
@@ -213,7 +214,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
|
||||
Exporter::export_ok_tags('internal');
|
||||
|
||||
our $VERSION = 'MODULEVERSION';
|
||||
our $VERSION = '4.5.20-Beta1';
|
||||
|
||||
#
|
||||
# describe the current command, it's present progressive, and it's completion.
|
||||
@@ -800,6 +801,7 @@ sub initialize( $;$$) {
|
||||
DEFER_DNS_RESOLUTION => undef,
|
||||
USE_RT_NAMES => undef,
|
||||
CHAIN_SCRIPTS => undef,
|
||||
TRACK_RULES => undef,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@@ -1116,6 +1118,22 @@ sub currentlineinfo() {
|
||||
}
|
||||
}
|
||||
|
||||
sub shortlineinfo( $ ) {
|
||||
if ( $config{TRACK_RULES} ) {
|
||||
if ( $currentfile ) {
|
||||
my $comment = '@@@ '. join( ':', $currentfilename, $currentlinenumber ) . ' @@@';
|
||||
$comment = '@@@ ' . join( ':' , basename($currentfilename), $currentlinenumber) . ' @@@' if length $comment > 255;
|
||||
$comment = '@@@ Filename Too Long @@@' if length $comment > 255;
|
||||
$comment;
|
||||
} else {
|
||||
#
|
||||
# Alternate lineinfo may have been passed
|
||||
#
|
||||
$_[0] || ''
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub handle_first_entry();
|
||||
|
||||
#
|
||||
@@ -5354,6 +5372,9 @@ sub get_configuration( $$$$ ) {
|
||||
default_yes_no 'MULTICAST' , '';
|
||||
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||
default_yes_no 'CHAIN_SCRIPTS' , 'Yes';
|
||||
default_yes_no 'TRACK_RULES' , '';
|
||||
|
||||
require_capability 'COMMENTS', 'TRACK_RULES=Yes', 's' if $config{TRACK_RULES};
|
||||
|
||||
default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
|
||||
default_yes_no 'USE_DEFAULT_RT' , '';
|
||||
|
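Review bot: `shortlineinfo` has no explicit return when `$config{TRACK_RULES}` is off, so it yields the false value of the `if` condition (`''` once default_yes_no has run, `undef` before get_configuration), and every caller silently depends on that; ending the sub with `return '';` and using `return $comment;` and `return $_[0] || '';` in the two branches makes the contract visible. `length $comment > 255` counts characters, so if the module runs under `use utf8` and a config path is non-ASCII the byte length that reaches the comment match can still exceed the limit — checking the encoded length would be safer if such paths are possible. `basename` is called without a visible import; presumably File::Basename is already loaded in this module, but that is not confirmable from the hunk. Separately, the `$VERSION` hunk replaces `'MODULEVERSION'` with `'4.5.20-Beta1'`; if `MODULEVERSION` is the placeholder substituted at install time, hard-coding the version here looks unintended and unrelated to TRACK_RULES.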
@@ -832,7 +832,8 @@ sub add_common_rules ( $ ) {
|
||||
}
|
||||
|
||||
for $interface ( all_real_interfaces ) {
|
||||
ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
|
||||
ensure_chain( 'filter', $_ )->{origin} = interface_origin( $interface )
|
||||
for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
|
||||
|
||||
my $interfaceref = find_interface $interface;
|
||||
|
||||
@@ -860,7 +861,7 @@ sub add_common_rules ( $ ) {
|
||||
|
||||
for ( option_chains( $interface ) ) {
|
||||
add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
|
||||
add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
|
||||
add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
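Review bot: The new `add_ijump( ... )->{comment} = '' if $config{FASTACCEPT};` in add_common_rules deliberately blanks the comment that create_irule just filled in from shortlineinfo, but nothing says why; a one-line comment such as `# Not a user-entered rule: suppress the TRACK_RULES comment` would keep a later maintainer from "fixing" it. Like the chained assignments in Chains.pm, it assumes add_ijump always returns the rule hashref, which this diff does not show. The first hunk's `ensure_chain( 'filter', $_ )->{origin} = interface_origin( $interface ) for ...;` overwrites any origin a previously created chain already carried — harmless if these chains are first created here, and a short comment stating that assumption would help.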
@@ -383,6 +383,7 @@ sub set_policy_chain($$$$$$)
|
||||
|
||||
$chainref1->{policy} = $policy;
|
||||
$chainref1->{policypair} = [ $source, $dest ];
|
||||
$chainref1->{origin} = $chainref->{origin};
|
||||
}
|
||||
}
|
||||
|
||||
@@ -573,6 +574,8 @@ sub process_a_policy() {
|
||||
my $chainref1 = $usedactions{$default};
|
||||
$chainref->{default} = $chainref1 ? $chainref1->{name} : $default;
|
||||
|
||||
$chainref->{origin} = shortlineinfo('');
|
||||
|
||||
if ( $clientwild ) {
|
||||
if ( $serverwild ) {
|
||||
for my $zone ( @zonelist ) {
|
||||
@@ -880,11 +883,13 @@ sub complete_standard_chain ( $$$$ ) {
|
||||
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
|
||||
|
||||
if ( $policychainref ) {
|
||||
( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' }
|
||||
( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' };
|
||||
$stdchainref->{origin} = $policychainref->{origin};
|
||||
} elsif ( $defaultaction !~ /:/ ) {
|
||||
$defaultaction = join(":", $defaultaction, 'none', '', '' );
|
||||
}
|
||||
|
||||
|
||||
policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
|
||||
}
|
||||
|
||||
|
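Review bot: In complete_standard_chain the `origin` is copied only on the `$policychainref` branch; on the `elsif` path `$stdchainref->{origin}` stays unset, so a later `shortlineinfo($chainref->{origin})` call yields `''` whenever no file is being read and that chain's rules get no tracking comment — acceptable, but worth a comment saying so. The `$chainref->{origin} = shortlineinfo('');` line in process_a_policy is where the policy's file:line is captured before being propagated by set_policy_chain and complete_standard_chain; a comment there such as `# Remember where this policy was defined; copied to every chain derived from it and emitted as a rule comment when TRACK_RULES=Yes` would document that data flow.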
@@ -75,6 +75,7 @@ our @EXPORT = ( qw( NOTHING
|
||||
managed_interfaces
|
||||
unmanaged_interfaces
|
||||
interface_number
|
||||
interface_origin
|
||||
find_interface
|
||||
known_interface
|
||||
get_physical
|
||||
@@ -1362,6 +1363,7 @@ sub process_interface( $$ ) {
|
||||
physical => $physical ,
|
||||
base => var_base( $physical ),
|
||||
zones => {},
|
||||
origin => shortlineinfo(''),
|
||||
};
|
||||
|
||||
if ( $zone ) {
|
||||
@@ -1533,6 +1535,13 @@ sub interface_number( $ ) {
|
||||
$interfaces{$_[0]}{number} || 256;
|
||||
}
|
||||
|
||||
#
|
||||
# Return interface origin
|
||||
#
|
||||
sub interface_origin( $ ) {
|
||||
$interfaces{$_[0]}->{origin};
|
||||
}
|
||||
|
||||
#
|
||||
# Return the interfaces list
|
||||
#
|
||||
|
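Review bot: `interface_origin` evaluates `$interfaces{$_[0]}->{origin}`, which autovivifies `$interfaces{$name}` as an empty hash when `$name` is not a known interface, so any later `exists` or truth test on that element sees a bogus entry; the existing `interface_number` has the same shape, so this may be accepted practice in this module, but `return exists $interfaces{$_[0]} ? $interfaces{$_[0]}{origin} : '';` avoids it and makes the return explicit. Note that `origin => shortlineinfo('')` in process_interface stores whatever shortlineinfo returns when TRACK_RULES is off (`''` or `undef`), so callers that assign it straight into a rule's comment should expect a false value rather than a string.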