Add MACLIST_LOG_BROADCASTS option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4670 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-22 21:48:39 +01:00 · 2006-10-12 21:56:16 +00:00 · 2006-10-12 21:56:16 +00:00 · c133e2c246
commit c133e2c246
parent 9b4b3e73d0
5 changed files with 52 additions and 7 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -12,6 +12,8 @@ Changes in 3.3.3

 6)  Add macro.RDP.

+7)  Implement MACLIST_LOG_BROADCASTS.
+
 Changes in 3.3.1

 1)  Load the proxyarp lib when 'proxyarp' option is specified.
--- a/Shorewall/lib.config
+++ b/Shorewall/lib.config
@ -1731,6 +1731,7 @@ do_initialize() {
    REJECT_DEFAULT=
    ACCEPT_DEFAULT=
    QUEUE_DEFAULT=
+    MACLIST_LOG_BROADCASTS=

    LOGLIMIT=
    LOGPARMS=
@ -1859,17 +1860,17 @@ do_initialize() {
    [ -n "$FORWARDPING" ] && \
 	fatal_error "FORWARDPING=Yes is no longer supported"

-    maclist_target=reject
+    MACLIST_TARGET=reject

    if [ -n "$MACLIST_DISPOSITION" ] ; then
 	case $MACLIST_DISPOSITION in
 	    REJECT)
 		;;
 	    DROP)
-		maclist_target=DROP
+		MACLIST_TARGET=DROP
 		;;
 	    ACCEPT)
-		maclist_target=RETURN
+		MACLIST_TARGET=RETURN
 		;;
 	    *)
 		fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
@ -1944,6 +1945,7 @@ do_initialize() {
    HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
    TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
    USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
+    MACLIST_LOG_BROADCASTS=$(added_param_value_yes MACLIST_LOG_BROADCASTS $MACLIST_LOG_BROADCASTS)
    [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
    
    [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
--- a/Shorewall/lib.maclist
+++ b/Shorewall/lib.maclist
@ -41,7 +41,7 @@ setup_mac_lists() {
    local ipsec
    local policy=

-    create_mac_chain()
+    create_mac_chain()			
    {
 	case $MACLIST_TABLE in
 	    filter)
@ -198,7 +198,7 @@ setup_mac_lists() {
    for interface in $maclist_interfaces; do

 	[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
-
+	    
 	if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
 	    indent >&3 << __EOF__

@ -221,20 +221,45 @@ __EOF__
 	fi

 	if [ -n "$MACLIST_LOG_LEVEL" ]; then
+	    if [ $MACLIST_DISPOSITION != ACCEPT -a -z "$MACLIST_LOG_BROADCASTS" ]; then
+		#
+		# Don't log broadcasts
+	        #
+	        if [ -n "$USEPKTTYPE" ]; then
+		    run_iptables -t $MACLIST_TABLE -A $chain -m pkttype --pkt-type broadcast -j DROP
+		    run_iptables -t $MACLIST_TABLE -A $chain -m pkttype --pkt-type multicast -j DROP
+		else
+		    for interface in $(find_bcastdetect_interfaces); do
+			indent >&3 << __EOF__
+
+ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
+    run_iptables -t $MACLIST_TABLE -A $chain -d \$address -j DROP
+done
+
+__EOF__
+		    done
+
+		    for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
+			run_iptables -t $MACLIST_TABLE -A $chain -d $address -j DROP
+		    done
+		fi
+	    fi
+	    
 	    log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
 	fi

 	if [ $MACLIST_DISPOSITION != ACCEPT ]; then
-	    run_iptables -A $chain -t $MACLIST_TABLE -j $maclist_target
+	    run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET
 	fi
    done
    #
    # Generate jumps from the input and forward chains
    #
+    [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
+    
    for hosts in $maclist_hosts; do
 	ipsec=${hosts%^*}
 	hosts=${hosts#*^}
-	[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
 	interface=${hosts%%:*}
 	hosts=${hosts#*:}
 	case $MACLIST_TABLE in
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -117,6 +117,14 @@ Other changes in 3.3.3
 4)  A new macro (macro.RDP) has been added for Microsoft Remote
    Desktop. This macro was contributed by Tuomo Soini.

+5)  A new MACLIST_LOG_BROADCASTS option has been added to
+    shorewall.conf. When set to 'No', suppresses logging of broadcast
+    and multicast traffic as a result of MACLIST_LOG_LEVEL having been
+    set to a non-empty value.
+
+    The default is MACLIST_LOG_BROADCASTS=Yes which is compatible with
+    the traditional behavior of MACLIST_LOG_LEVEL.
+
 Migration Considerations:

 1)  Shorewall supports the notion of "default actions". A default
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@ -228,11 +228,19 @@ BLACKLIST_LOGLEVEL=
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged.
 #
+# If MACLIST_LOG_LEVEL is non-empty, then MACLIST_LOG_BROADCASTS determines
+# whether broadcast/multicast traffic is dropped or rejected silently.
+#
+# 	MACLIST_LOG_BROADCASTS=No  -- Don't log broadcast/multicast
+# 	MACLIST_LOG_BROADCASTS=Yes -- Log broadcast/multicast (Default)
+#	
 # See the comment at the top of this section for a description of log levels
 #

 MACLIST_LOG_LEVEL=info

+MACLIST_LOG_BROADCASTS=Yes
+
 #
 # TCP FLAGS Log Level
 #