From f1cbfab7ac54598da3d152f026c188f1380952e8 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 4 Jun 2011 08:45:23 -0700
Subject: [PATCH] More blacklist/audit fixes
Signed-off-by: Tom Eastep
---
Shorewall/Perl/Shorewall/Misc.pm | 15 +++++++++++----
Shorewall/Perl/Shorewall/Rules.pm | 27 +++++++++++++++------------
2 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 8a48a7be8..8394c0e4c 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -203,7 +203,7 @@ sub setup_blacklist() {
 my $chainref;
 my $chainref1;
 my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
- my $audit = $disposition =~ s/^A_//;
+ my $audit = $disposition =~ /^A_/;
 my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
 my $orig_target = $target;
@@ -218,6 +218,9 @@ sub setup_blacklist() {
 if ( defined $level && $level ne '' ) {
 my $logchainref = new_standard_chain 'blacklog';
+ $target =~ s/A_//;
+ $target = 'reject' if $target eq 'REJECT';
+
 log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
 if ( $audit ) {
@@ -233,7 +236,7 @@ sub setup_blacklist() {
 $target = 'blacklog';
 } elsif ( $audit ) {
 require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
- $target = verify_audit( $config{BLACKLIST_DISPOSITION} );
+ $target = verify_audit( $disposition );
 }
 }
@@ -259,7 +262,11 @@ sub setup_blacklist() {
 my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
- $options = 'src' if $options eq '-';
+ if ( $options eq '-' ) {
+ $options = 'src';
+ } elsif ( $options eq 'audit' ) {
+ $options = 'audit,src';
+ }
 my ( $to, $from, $whitelist, $auditone ) = ( 0, 0, 0, 0 );
@@ -284,7 +291,7 @@ sub setup_blacklist() {
- $tgt = verify_audit( 'A_' . $target, $orig_target );
+ $tgt = verify_audit( 'A_' . $target, $orig_target, $target );
 }
 }
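Review bot: Because the `+ my $audit = $disposition =~ /^A_/;` line only tests for the prefix instead of stripping it, `$orig_target`, assigned from `$target` two lines later, now keeps the `A_` prefix whenever BLACKLIST_DISPOSITION is an audit disposition, whereas before this change it was always the bare disposition. The last hunk of this file passes `$orig_target` to `verify_audit` as its second argument, and ensure_audit_chain in Rules.pm uses that argument unchanged as the AUDIT `--type` value and as the default jump target; if that call can be reached while `$audit` is set (its guard is outside the hunk), the emitted type would be `a_drop`/`a_reject` rather than a valid AUDIT type. One way to keep both pieces of information is to hold the bare name separately, e.g. `( my $bare = $disposition ) =~ s/^A_//;` and derive `$target` and `$orig_target` from `$bare`; failing that, a comment on the `my $orig_target = $target;` line noting that it may carry the prefix would warn the next reader. setup_blacklist continues outside the hunk.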
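Review bot: The added `$target =~ s/A_//;` is unanchored, while the test that sets `$audit` in the first hunk uses `/^A_/`; make it `$target =~ s/^A_//;` so both agree and only a leading disposition prefix is removed. Since this strip happens only on the logging path, a one-line comment explaining why the final target must be the bare disposition here (presumably because the audit is emitted from the blacklog chain, per the `if ( $audit )` that follows) would help. The enclosing `if ( defined $level ... )` block and setup_blacklist both continue outside the hunk.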
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 5e2b0b030..0b8d80519 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -648,7 +648,7 @@ sub complete_standard_chain ( $$$$ ) {
 policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }
-sub require_audit($$);
+sub require_audit($$;$);
 #
 # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
@@ -1136,8 +1136,8 @@ sub map_old_actions( $ ) {
 #
 # Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
-sub ensure_audit_chain( $;$ ) {
- my ( $target, $action ) = @_;
+sub ensure_audit_chain( $;$$ ) {
+ my ( $target, $action, $tgt ) = @_;
 push_comment( '' );
@@ -1149,7 +1149,9 @@ sub ensure_audit_chain( $;$ ) {
 unless ( $action ) {
 $action = $target;
 $action =~ s/^A_//;
- }
+ }
+
+ $tgt ||= $action;
 if ( $config{FAKE_AUDIT} ) {
 add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
@@ -1157,10 +1159,11 @@ sub ensure_audit_chain( $;$ ) {
 add_rule $ref, '-j AUDIT --type ' . lc $action;
 }
- if ( $action eq 'REJECT' ) {
+
+ if ( $tgt eq 'REJECT' ) {
 add_jump $ref , 'reject', 1;
 } else {
- add_jump $ref , $action, 0;
+ add_jump $ref , $tgt, 0;
 }
 }
@@ -1173,8 +1176,8 @@ sub ensure_audit_chain( $;$ ) {
 # Return the appropriate target based on whether the second argument is 'audit'
 #
-sub require_audit($$) {
- my ($action, $audit ) = @_;
+sub require_audit($$;$) {
+ my ($action, $audit, $tgt ) = @_;
 return $action unless defined $audit and $audit ne '';
@@ -1184,7 +1187,7 @@ sub require_audit($$) {
 require_capability 'AUDIT_TARGET', 'audit', 's';
- return ensure_audit_chain $target, $action;
+ return ensure_audit_chain $target, $action, $tgt;
 }
 #
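Review bot: The header comment above `+sub ensure_audit_chain( $;$$ ) {` still reads "Create and populate the passed AUDIT chain if it doesn't exist. Return chain name" and says nothing about `$action` or the new `$tgt` parameter; the comments above `require_audit($$;$)` in this file and `verify_audit($;$$)` in the following hunk have the same gap. Suggest extending the comment to `# $target - name of the AUDIT chain; $action - AUDIT type, derived from $target when omitted; $tgt - chain jumped to after the AUDIT rule, defaults to $action`, and a matching one-liner on the two callers saying that the optional third argument is passed through to ensure_audit_chain.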
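Review bot: `+ $tgt ||= $action;` and the `lc $action` on the following `add_rule` lines use `$action` exactly as passed in, and the `s/^A_//` just above runs only inside `unless ( $action )`, so a caller that supplies an `A_`-prefixed action (the blacklist caller in Misc.pm now can, since its `$orig_target` keeps the prefix after this patch) gets an AUDIT `--type a_...` and a default jump to a chain named `A_...` rather than the bare action. Normalising unconditionally is a no-op for already-bare actions and closes that hole: `$action = $target unless $action;` / `$action =~ s/^A_//;` / `$tgt ||= $action;`. Separately, `+ if ( $tgt eq 'REJECT' ) {` is case-sensitive; when a caller hands in the lowercase `reject` chain name (Misc.pm's `$target` can be `reject` after its second hunk and is passed as the third argument in its last hunk), the jump takes the else branch with `0` as the third argument instead of the `1` used for `reject`, which is worth confirming is intended. ensure_audit_chain starts before and ends after this hunk.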
@@ -1632,12 +1635,12 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
 #
 # Confirm that we have AUDIT_TARGET capability and ensure the appropriate AUDIT chain.
 #
-sub verify_audit($;$) {
- my ($target, $audit ) = @_;
+sub verify_audit($;$$) {
+ my ($target, $audit, $tgt ) = @_;
 require_capability 'AUDIT_TARGET', "$target rules", '';
- return ensure_audit_chain $target, $audit;
+ return ensure_audit_chain $target, $audit, $tgt;
 }
 #