Add MACLIST_LOG_BROADCASTS option
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4670 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9b4b3e73d0
commit
c133e2c246
@ -12,6 +12,8 @@ Changes in 3.3.3
|
|||||||
|
|
||||||
6) Add macro.RDP.
|
6) Add macro.RDP.
|
||||||
|
|
||||||
|
7) Implement MACLIST_LOG_BROADCASTS.
|
||||||
|
|
||||||
Changes in 3.3.1
|
Changes in 3.3.1
|
||||||
|
|
||||||
1) Load the proxyarp lib when 'proxyarp' option is specified.
|
1) Load the proxyarp lib when 'proxyarp' option is specified.
|
||||||
|
@ -1731,6 +1731,7 @@ do_initialize() {
|
|||||||
REJECT_DEFAULT=
|
REJECT_DEFAULT=
|
||||||
ACCEPT_DEFAULT=
|
ACCEPT_DEFAULT=
|
||||||
QUEUE_DEFAULT=
|
QUEUE_DEFAULT=
|
||||||
|
MACLIST_LOG_BROADCASTS=
|
||||||
|
|
||||||
LOGLIMIT=
|
LOGLIMIT=
|
||||||
LOGPARMS=
|
LOGPARMS=
|
||||||
@ -1859,17 +1860,17 @@ do_initialize() {
|
|||||||
[ -n "$FORWARDPING" ] && \
|
[ -n "$FORWARDPING" ] && \
|
||||||
fatal_error "FORWARDPING=Yes is no longer supported"
|
fatal_error "FORWARDPING=Yes is no longer supported"
|
||||||
|
|
||||||
maclist_target=reject
|
MACLIST_TARGET=reject
|
||||||
|
|
||||||
if [ -n "$MACLIST_DISPOSITION" ] ; then
|
if [ -n "$MACLIST_DISPOSITION" ] ; then
|
||||||
case $MACLIST_DISPOSITION in
|
case $MACLIST_DISPOSITION in
|
||||||
REJECT)
|
REJECT)
|
||||||
;;
|
;;
|
||||||
DROP)
|
DROP)
|
||||||
maclist_target=DROP
|
MACLIST_TARGET=DROP
|
||||||
;;
|
;;
|
||||||
ACCEPT)
|
ACCEPT)
|
||||||
maclist_target=RETURN
|
MACLIST_TARGET=RETURN
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
|
fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
|
||||||
@ -1944,6 +1945,7 @@ do_initialize() {
|
|||||||
HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
|
HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
|
||||||
TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
|
TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
|
||||||
USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
|
USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
|
||||||
|
MACLIST_LOG_BROADCASTS=$(added_param_value_yes MACLIST_LOG_BROADCASTS $MACLIST_LOG_BROADCASTS)
|
||||||
[ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
|
[ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
|
||||||
|
|
||||||
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
|
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
|
||||||
|
@ -41,7 +41,7 @@ setup_mac_lists() {
|
|||||||
local ipsec
|
local ipsec
|
||||||
local policy=
|
local policy=
|
||||||
|
|
||||||
create_mac_chain()
|
create_mac_chain()
|
||||||
{
|
{
|
||||||
case $MACLIST_TABLE in
|
case $MACLIST_TABLE in
|
||||||
filter)
|
filter)
|
||||||
@ -198,7 +198,7 @@ setup_mac_lists() {
|
|||||||
for interface in $maclist_interfaces; do
|
for interface in $maclist_interfaces; do
|
||||||
|
|
||||||
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
|
[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
|
||||||
|
|
||||||
if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
|
if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
|
||||||
indent >&3 << __EOF__
|
indent >&3 << __EOF__
|
||||||
|
|
||||||
@ -221,20 +221,45 @@ __EOF__
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "$MACLIST_LOG_LEVEL" ]; then
|
if [ -n "$MACLIST_LOG_LEVEL" ]; then
|
||||||
|
if [ $MACLIST_DISPOSITION != ACCEPT -a -z "$MACLIST_LOG_BROADCASTS" ]; then
|
||||||
|
#
|
||||||
|
# Don't log broadcasts
|
||||||
|
#
|
||||||
|
if [ -n "$USEPKTTYPE" ]; then
|
||||||
|
run_iptables -t $MACLIST_TABLE -A $chain -m pkttype --pkt-type broadcast -j DROP
|
||||||
|
run_iptables -t $MACLIST_TABLE -A $chain -m pkttype --pkt-type multicast -j DROP
|
||||||
|
else
|
||||||
|
for interface in $(find_bcastdetect_interfaces); do
|
||||||
|
indent >&3 << __EOF__
|
||||||
|
|
||||||
|
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
|
||||||
|
run_iptables -t $MACLIST_TABLE -A $chain -d \$address -j DROP
|
||||||
|
done
|
||||||
|
|
||||||
|
__EOF__
|
||||||
|
done
|
||||||
|
|
||||||
|
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
||||||
|
run_iptables -t $MACLIST_TABLE -A $chain -d $address -j DROP
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
|
log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $MACLIST_DISPOSITION != ACCEPT ]; then
|
if [ $MACLIST_DISPOSITION != ACCEPT ]; then
|
||||||
run_iptables -A $chain -t $MACLIST_TABLE -j $maclist_target
|
run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
#
|
#
|
||||||
# Generate jumps from the input and forward chains
|
# Generate jumps from the input and forward chains
|
||||||
#
|
#
|
||||||
|
[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
|
||||||
|
|
||||||
for hosts in $maclist_hosts; do
|
for hosts in $maclist_hosts; do
|
||||||
ipsec=${hosts%^*}
|
ipsec=${hosts%^*}
|
||||||
hosts=${hosts#*^}
|
hosts=${hosts#*^}
|
||||||
[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
|
|
||||||
interface=${hosts%%:*}
|
interface=${hosts%%:*}
|
||||||
hosts=${hosts#*:}
|
hosts=${hosts#*:}
|
||||||
case $MACLIST_TABLE in
|
case $MACLIST_TABLE in
|
||||||
|
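Review bot: The policy assignment hoisted to just before `for hosts in $maclist_hosts` now reads `$ipsec` before the loop body assigns it from `${hosts%^*}`, so unless ipsec is given a value somewhere outside this hunk (it is only declared with `local ipsec` above), every maclist jump is generated with an empty `--pol` argument instead of the per-host value; putting `[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=` back after `hosts=${hosts#*^}` restores the previous behaviour. A second problem in the new `else` branch: `for interface in $(find_bcastdetect_interfaces)` reuses the outer loop variable, so by the time `log_rule_limit ... $(mac_chain $interface)` runs, `$interface` names the last broadcast-detect interface rather than the maclist interface being processed; renaming the inner variable (`for bcast_iface in $(find_bcastdetect_interfaces)` and `ip -f inet addr show $bcast_iface` in the here-document) avoids the clobber. The emitted `while read address` loop could also use `read -r`, although addresses printed by `ip` are unlikely to contain backslashes. setup_mac_lists continues on both sides of this hunk.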
@ -117,6 +117,14 @@ Other changes in 3.3.3
|
|||||||
4) A new macro (macro.RDP) has been added for Microsoft Remote
|
4) A new macro (macro.RDP) has been added for Microsoft Remote
|
||||||
Desktop. This macro was contributed by Tuomo Soini.
|
Desktop. This macro was contributed by Tuomo Soini.
|
||||||
|
|
||||||
|
5) A new MACLIST_LOG_BROADCASTS option has been added to
|
||||||
|
shorewall.conf. When set to 'No', suppresses logging of broadcast
|
||||||
|
and multicast traffic as a result of MACLIST_LOG_LEVEL having been
|
||||||
|
set to a non-empty value.
|
||||||
|
|
||||||
|
The default is MACLIST_LOG_BROADCASTS=Yes which is compatible with
|
||||||
|
the traditional behavior of MACLIST_LOG_LEVEL.
|
||||||
|
|
||||||
Migration Considerations:
|
Migration Considerations:
|
||||||
|
|
||||||
1) Shorewall supports the notion of "default actions". A default
|
1) Shorewall supports the notion of "default actions". A default
|
||||||
|
@ -228,11 +228,19 @@ BLACKLIST_LOGLEVEL=
|
|||||||
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
|
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
|
||||||
# such connection requests will not be logged.
|
# such connection requests will not be logged.
|
||||||
#
|
#
|
||||||
|
# If MACLIST_LOG_LEVEL is non-empty, then MACLIST_LOG_BROADCASTS determines
|
||||||
|
# whether broadcast/multicast traffic is dropped or rejected silently.
|
||||||
|
#
|
||||||
|
# MACLIST_LOG_BROADCASTS=No -- Don't log broadcast/multicast
|
||||||
|
# MACLIST_LOG_BROADCASTS=Yes -- Log broadcast/multicast (Default)
|
||||||
|
#
|
||||||
# See the comment at the top of this section for a description of log levels
|
# See the comment at the top of this section for a description of log levels
|
||||||
#
|
#
|
||||||
|
|
||||||
MACLIST_LOG_LEVEL=info
|
MACLIST_LOG_LEVEL=info
|
||||||
|
|
||||||
|
MACLIST_LOG_BROADCASTS=Yes
|
||||||
|
|
||||||
#
|
#
|
||||||
# TCP FLAGS Log Level
|
# TCP FLAGS Log Level
|
||||||
#
|
#
|
||||||
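Review bot: The added comment says MACLIST_LOG_BROADCASTS determines "whether broadcast/multicast traffic is dropped or rejected silently", but the rules the compiler emits for the No case are unconditional `-j DROP` rules placed ahead of the log rule, so with MACLIST_DISPOSITION=REJECT such packets are dropped, not rejected, and with MACLIST_DISPOSITION=ACCEPT the option has no effect at all. Suggest rewording to `# whether broadcast/multicast traffic is logged; when set to No such traffic is silently dropped regardless of MACLIST_DISPOSITION (the option is ignored when MACLIST_DISPOSITION=ACCEPT).` so administrators are not led to expect REJECT semantics for it.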