Fixes for blacklist conversion
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
4f9afc32ec
commit
ab1b65d6a8
@ -55,6 +55,7 @@ our @EXPORT = qw(
|
|||||||
ensure_filter_chain
|
ensure_filter_chain
|
||||||
ensure_manual_chain
|
ensure_manual_chain
|
||||||
ensure_audit_chain
|
ensure_audit_chain
|
||||||
|
ensure_blacklog_chain
|
||||||
require_audit
|
require_audit
|
||||||
newlogchain
|
newlogchain
|
||||||
log_rule_limit
|
log_rule_limit
|
||||||
@ -2168,6 +2169,24 @@ sub ensure_manual_chain($) {
|
|||||||
$chainref;
|
$chainref;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub ensure_blacklog_chain( $$$$ ) {
|
||||||
|
my ( $target, $disposition, $level, $audit ) = @_;
|
||||||
|
|
||||||
|
unless ( $filter_table->{blacklog} ) {
|
||||||
|
my $logchainref = new_manual_chain 'blacklog';
|
||||||
|
|
||||||
|
$target =~ s/A_//;
|
||||||
|
$target = 'reject' if $target eq 'REJECT';
|
||||||
|
|
||||||
|
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
||||||
|
|
||||||
|
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
||||||
|
add_ijump( $logchainref, g => $target );
|
||||||
|
}
|
||||||
|
|
||||||
|
'blacklog';
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
|
# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
|
||||||
#
|
#
|
||||||
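Review bot: `sub ensure_blacklog_chain( $$$$ )` has no header comment, unlike the neighbouring subs (`# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name`), and its contract has a detail worth recording: because of the `unless ( $filter_table->{blacklog} )` guard, `$target`, `$disposition`, `$level` and `$audit` only take effect on the first call, and later calls return `'blacklog'` without checking that the arguments agree with the chain already built. Suggest `# Create and populate the 'blacklog' chain if it doesn't exist. The arguments are only consulted when the chain is first created. Return chain name`. Separately, `$target =~ s/A_//;` is unanchored while the callers derive `$audit` from `/^A_/` (see the process_rules hunk); `$target =~ s/^A_//;` states the intent and cannot strip an `A_` that is not the audit prefix.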
@ -3512,7 +3531,7 @@ sub do_test ( $$ )
|
|||||||
my $invert = $testval =~ s/^!// ? '! ' : '';
|
my $invert = $testval =~ s/^!// ? '! ' : '';
|
||||||
|
|
||||||
if ( $config{ZONE_BITS} ) {
|
if ( $config{ZONE_BITS} ) {
|
||||||
$testval = join( '/', in_hex( find_zone( $testval )->{mark} ), in_hex( $globals{ZONE_MASK} ) ) unless $testval =~ /^\d/ || $testval =~ /:/;
|
$testval = join( '/', in_hex( zone_mark( $testval ) ), in_hex( $globals{ZONE_MASK} ) ) unless $testval =~ /^\d/ || $testval =~ /:/;
|
||||||
}
|
}
|
||||||
|
|
||||||
my $match = $testval =~ s/:C$// ? "-m connmark ${invert}--mark" : "-m mark ${invert}--mark";
|
my $match = $testval =~ s/:C$// ? "-m connmark ${invert}--mark" : "-m mark ${invert}--mark";
|
||||||
|
@ -220,17 +220,7 @@ sub setup_blacklist() {
|
|||||||
$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
|
$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
|
||||||
|
|
||||||
if ( supplied $level ) {
|
if ( supplied $level ) {
|
||||||
my $logchainref = new_standard_chain 'blacklog';
|
$target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
|
||||||
|
|
||||||
$target =~ s/A_//;
|
|
||||||
$target = 'reject' if $target eq 'REJECT';
|
|
||||||
|
|
||||||
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
|
||||||
|
|
||||||
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
|
||||||
add_ijump( $logchainref, g => $target );
|
|
||||||
|
|
||||||
$target = 'blacklog';
|
|
||||||
} elsif ( $audit ) {
|
} elsif ( $audit ) {
|
||||||
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
|
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
|
||||||
$target = verify_audit( $disposition );
|
$target = verify_audit( $disposition );
|
||||||
@ -405,16 +395,6 @@ sub convert_blacklist() {
|
|||||||
|
|
||||||
if ( @$zones || @$zones1 ) {
|
if ( @$zones || @$zones1 ) {
|
||||||
if ( supplied $level ) {
|
if ( supplied $level ) {
|
||||||
my $logchainref = new_standard_chain 'blacklog';
|
|
||||||
|
|
||||||
$target =~ s/A_//;
|
|
||||||
$target = 'reject' if $target eq 'REJECT';
|
|
||||||
|
|
||||||
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
|
||||||
|
|
||||||
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
|
||||||
add_ijump( $logchainref, g => $target );
|
|
||||||
|
|
||||||
$target = 'blacklog';
|
$target = 'blacklog';
|
||||||
} elsif ( $audit ) {
|
} elsif ( $audit ) {
|
||||||
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
|
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
|
||||||
@ -447,7 +427,7 @@ sub convert_blacklist() {
|
|||||||
|
|
||||||
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
|
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
|
||||||
|
|
||||||
my $tgt = $whitelist ? 'RETURN' : $target;
|
my $tgt = $whitelist ? 'WHITELIST' : $target;
|
||||||
|
|
||||||
if ( $auditone ) {
|
if ( $auditone ) {
|
||||||
fatal_error "'audit' not allowed in whitelist entries" if $whitelist;
|
fatal_error "'audit' not allowed in whitelist entries" if $whitelist;
|
||||||
@ -520,11 +500,7 @@ EOF
|
|||||||
for ( @rules ) {
|
for ( @rules ) {
|
||||||
my ( $srcdst, $tgt, $networks, $protocols, $ports ) = @$_;
|
my ( $srcdst, $tgt, $networks, $protocols, $ports ) = @$_;
|
||||||
|
|
||||||
if ( $level ) {
|
|
||||||
$tgt .= ":$level\t";
|
|
||||||
} else {
|
|
||||||
$tgt .= "\t\t";
|
$tgt .= "\t\t";
|
||||||
}
|
|
||||||
|
|
||||||
my $list = $srcdst eq 'src' ? $zones : $zones1;
|
my $list = $srcdst eq 'src' ? $zones : $zones1;
|
||||||
|
|
||||||
|
@ -2441,11 +2441,23 @@ sub process_rule ( ) {
|
|||||||
# Process the Rules File
|
# Process the Rules File
|
||||||
#
|
#
|
||||||
sub process_rules() {
|
sub process_rules() {
|
||||||
|
|
||||||
my $fn = open_file 'blrules';
|
my $fn = open_file 'blrules';
|
||||||
|
|
||||||
if ( $fn ) {
|
if ( $fn ) {
|
||||||
first_entry "$doing $fn...";
|
first_entry( sub () {
|
||||||
|
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
|
||||||
|
my $audit = $disposition =~ /^A_/;
|
||||||
|
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
|
||||||
|
|
||||||
|
progress_message2 "$doing $fn...";
|
||||||
|
|
||||||
|
if ( supplied $level ) {
|
||||||
|
ensure_blacklog_chain( $target, $disposition, $level, $audit );
|
||||||
|
} elsif ( $audit ) {
|
||||||
|
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
|
||||||
|
verify_audit( $disposition );
|
||||||
|
}
|
||||||
|
} );
|
||||||
|
|
||||||
$section = 'BLACKLIST';
|
$section = 'BLACKLIST';
|
||||||
|
|
||||||
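Review bot: The closure passed to `first_entry` repeats disposition-to-target logic that `ensure_blacklog_chain` already performs: `my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;` maps REJECT here, and the callee does `$target = 'reject' if $target eq 'REJECT'` again after stripping `A_`. The same `if ( supplied $level ) … elsif ( $audit )` shape also appears in setup_blacklist (earlier hunk), so a small shared helper taking `$disposition` and `$level` would keep the two call sites in step if the disposition handling changes again. It would also help to record why this work now runs inside the first_entry callback rather than unconditionally, e.g. `# Deferred to the first blrules entry so the blacklog chain is only created when there is something to put in it` — assuming that is the motivation, which I cannot confirm from the hunk. The enclosing `process_rules` continues past the end of the hunk.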
|