Merge branch '4.4.20'

Shorewall/Perl/Shorewall/Misc.pm

@@ -203,7 +203,7 @@ sub setup_blacklist() {
     my $chainref;
     my $chainref1;
     my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
-    my $audit       = $disposition =~ s/^A_//;
+    my $audit       = $disposition =~ /^A_/;
     my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
     my $orig_target = $target;
     
@@ -218,6 +218,9 @@ sub setup_blacklist() {
 	if ( defined $level && $level ne '' ) {
 	    my $logchainref = new_standard_chain 'blacklog';
 
+	    $target =~ s/A_//;
+	    $target = 'reject' if $target eq 'REJECT';
+
 	    log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add',	'' );
 
 	    if ( $audit ) {
@@ -233,7 +236,7 @@ sub setup_blacklist() {
 	    $target = 'blacklog';
 	} elsif ( $audit ) {
 	    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
-	    $target = verify_audit( $config{BLACKLIST_DISPOSITION} );
+	    $target = verify_audit( $disposition );
 	}	    
     }
 
@@ -259,7 +262,11 @@ sub setup_blacklist() {
 
 		my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
 
-		$options = 'src' if $options eq '-';
+		if ( $options eq '-' ) {
+		    $options = 'src';
+		} elsif ( $options eq 'audit' ) {
+		    $options = 'audit,src';
+		}
 
 		my ( $to, $from, $whitelist, $auditone ) = ( 0, 0, 0, 0 );
 
@@ -284,7 +291,7 @@ sub setup_blacklist() {
 
 			
 
-			$tgt = verify_audit( 'A_' . $target, $orig_target );
+			$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
 		    }
 		}
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -648,7 +648,7 @@ sub complete_standard_chain ( $$$$ ) {
     policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }
 
-sub require_audit($$);
+sub require_audit($$;$);
 
 #
 # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
@@ -1136,8 +1136,8 @@ sub map_old_actions( $ ) {
 #
 # Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
 
-sub ensure_audit_chain( $;$ ) {
+sub ensure_audit_chain( $;$$ ) {
-    my ( $target, $action ) = @_;
+    my ( $target, $action, $tgt ) = @_;
 
     push_comment( '' );
 
@@ -1151,16 +1151,19 @@ sub ensure_audit_chain( $;$ ) {
 	    $action =~ s/^A_//;
 	}
 
+	$tgt ||= $action;
+
 	if ( $config{FAKE_AUDIT} ) {
 	    add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
 	} else {
 	    add_rule $ref, '-j AUDIT --type ' . lc $action;
 	}
 
-	if ( $action eq 'REJECT' ) {
+	
+	if ( $tgt eq 'REJECT' ) {
 	    add_jump $ref , 'reject', 1;
 	} else {
-	    add_jump $ref , $action, 0;
+	    add_jump $ref , $tgt, 0;
 	}
     }
 
@@ -1173,8 +1176,8 @@ sub ensure_audit_chain( $;$ ) {
 # Return the appropriate target based on whether the second argument is 'audit'
 #
 
-sub require_audit($$) {
+sub require_audit($$;$) {
-    my ($action, $audit ) = @_;
+    my ($action, $audit, $tgt ) = @_;
 
     return $action unless defined $audit and $audit ne '';
 
@@ -1184,7 +1187,7 @@ sub require_audit($$) {
 
     require_capability 'AUDIT_TARGET', 'audit', 's';
 
-    return ensure_audit_chain $target, $action;
+    return ensure_audit_chain $target, $action, $tgt;
 }   
   
 #
@@ -1632,12 +1635,12 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
 #
 # Confirm that we have AUDIT_TARGET capability and ensure the appropriate AUDIT chain.
 #
-sub verify_audit($;$) {
+sub verify_audit($;$$) {
-    my ($target, $audit ) = @_;
+    my ($target, $audit, $tgt ) = @_;
 
     require_capability 'AUDIT_TARGET', "$target rules", '';
 
-    return ensure_audit_chain $target, $audit;
+    return ensure_audit_chain $target, $audit, $tgt;
 }
 
 #