Fixes for blacklist conversion

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-11-19 08:18:58 -08:00
parent 4f9afc32ec
commit ab1b65d6a8
3 changed files with 37 additions and 30 deletions


@ -55,6 +55,7 @@ our @EXPORT = qw(
ensure_filter_chain ensure_filter_chain
ensure_manual_chain ensure_manual_chain
ensure_audit_chain ensure_audit_chain
ensure_blacklog_chain
require_audit require_audit
newlogchain newlogchain
log_rule_limit log_rule_limit
@ -2168,6 +2169,24 @@ sub ensure_manual_chain($) {
$chainref; $chainref;
} }
sub ensure_blacklog_chain( $$$$ ) {
my ( $target, $disposition, $level, $audit ) = @_;
unless ( $filter_table->{blacklog} ) {
my $logchainref = new_manual_chain 'blacklog';
$target =~ s/A_//;
$target = 'reject' if $target eq 'REJECT';
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
add_ijump( $logchainref, g => $target );
}
'blacklog';
}
# #
# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name # Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
# #
@ -3512,7 +3531,7 @@ sub do_test ( $$ )
my $invert = $testval =~ s/^!// ? '! ' : ''; my $invert = $testval =~ s/^!// ? '! ' : '';
if ( $config{ZONE_BITS} ) { if ( $config{ZONE_BITS} ) {
$testval = join( '/', in_hex( find_zone( $testval )->{mark} ), in_hex( $globals{ZONE_MASK} ) ) unless $testval =~ /^\d/ || $testval =~ /:/; $testval = join( '/', in_hex( zone_mark( $testval ) ), in_hex( $globals{ZONE_MASK} ) ) unless $testval =~ /^\d/ || $testval =~ /:/;
} }
my $match = $testval =~ s/:C$// ? "-m connmark ${invert}--mark" : "-m mark ${invert}--mark"; my $match = $testval =~ s/:C$// ? "-m connmark ${invert}--mark" : "-m mark ${invert}--mark";
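Review bot: The new ensure_blacklog_chain emits the AUDIT jump (`add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit`) without requiring the AUDIT_TARGET capability, and both callers introduced by this commit only call `require_capability 'AUDIT_TARGET'` in their `elsif ( $audit )` branch, which is skipped whenever a log level is supplied; an A_ disposition combined with BLACKLIST_LOGLEVEL therefore appears to reach the generated ruleset unchecked. The inlined code this helper replaces had the same gap, but the helper is the natural place to close it: add `require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's' if $audit;` before the `add_ijump` calls inside the `unless` block. The `s/A_//` strip is unanchored and would remove an `A_` anywhere in the name; `s/^A_//` states the intent. The neighbouring subs carry a `#` header block, so give this one the same, e.g. `# Create and populate the 'blacklog' chain if it doesn't exist. Return chain name`.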


@ -220,17 +220,7 @@ sub setup_blacklist() {
$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1; $chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
if ( supplied $level ) { if ( supplied $level ) {
my $logchainref = new_standard_chain 'blacklog'; $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
$target =~ s/A_//;
$target = 'reject' if $target eq 'REJECT';
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
add_ijump( $logchainref, g => $target );
$target = 'blacklog';
} elsif ( $audit ) { } elsif ( $audit ) {
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's'; require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
$target = verify_audit( $disposition ); $target = verify_audit( $disposition );
@ -405,16 +395,6 @@ sub convert_blacklist() {
if ( @$zones || @$zones1 ) { if ( @$zones || @$zones1 ) {
if ( supplied $level ) { if ( supplied $level ) {
my $logchainref = new_standard_chain 'blacklog';
$target =~ s/A_//;
$target = 'reject' if $target eq 'REJECT';
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
add_ijump( $logchainref, g => $target );
$target = 'blacklog'; $target = 'blacklog';
} elsif ( $audit ) { } elsif ( $audit ) {
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's'; require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
@ -447,7 +427,7 @@ sub convert_blacklist() {
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1; warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
my $tgt = $whitelist ? 'RETURN' : $target; my $tgt = $whitelist ? 'WHITELIST' : $target;
if ( $auditone ) { if ( $auditone ) {
fatal_error "'audit' not allowed in whitelist entries" if $whitelist; fatal_error "'audit' not allowed in whitelist entries" if $whitelist;
@ -520,11 +500,7 @@ EOF
for ( @rules ) { for ( @rules ) {
my ( $srcdst, $tgt, $networks, $protocols, $ports ) = @$_; my ( $srcdst, $tgt, $networks, $protocols, $ports ) = @$_;
if ( $level ) {
$tgt .= ":$level\t";
} else {
$tgt .= "\t\t"; $tgt .= "\t\t";
}
my $list = $srcdst eq 'src' ? $zones : $zones1; my $list = $srcdst eq 'src' ? $zones : $zones1;
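Review bot: The per-rule `:$level` suffix is dropped from `$tgt` in the emission loop, leaving `$tgt .= "\t\t";` with no hint of why the level is no longer written; from the process_rules change in this commit it appears the `blacklog` chain is now created only when BLACKLIST_LOGLEVEL is set at the time the generated blrules file is compiled, so converted `blacklog` entries depend on that option rather than on anything in the converted file. A comment would make that dependency explicit, e.g. `# No per-rule log level: 'blacklog' entries take BLACKLIST_LOGLEVEL when blrules is compiled`. Likewise the switch from `'RETURN'` to `'WHITELIST'` for whitelist entries changes what the converted file contains and deserves a one-line note beside `my $tgt = $whitelist ? 'WHITELIST' : $target;`. convert_blacklist starts before and continues past this file section.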


@ -2441,11 +2441,23 @@ sub process_rule ( ) {
# Process the Rules File # Process the Rules File
# #
sub process_rules() { sub process_rules() {
my $fn = open_file 'blrules'; my $fn = open_file 'blrules';
if ( $fn ) { if ( $fn ) {
first_entry "$doing $fn..."; first_entry( sub () {
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
my $audit = $disposition =~ /^A_/;
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
progress_message2 "$doing $fn...";
if ( supplied $level ) {
ensure_blacklog_chain( $target, $disposition, $level, $audit );
} elsif ( $audit ) {
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
verify_audit( $disposition );
}
} );
$section = 'BLACKLIST'; $section = 'BLACKLIST';