Cleanup of AUDIT before Beta 3

- Correct merge snafus - Rename the new actions (e.g., ADROP->A_DROP) - Correct MACLIST_DISPOSITION logic
2024-11-22 07:33:43 +01:00 · 2011-05-20 07:47:35 -07:00 · 2011-05-20 07:47:35 -07:00 · d15475efae
commit d15475efae
parent e9df13a42b
11 changed files with 89 additions and 60 deletions
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.20-Beta2
+VERSION=4.4.20-Beta3

 usage() # $1 = exit status
 {
--- a/Shorewall-init/shorewall-init.spec
+++ b/Shorewall-init/shorewall-init.spec
@ -1,6 +1,6 @@
 %define name shorewall-init
 %define version 4.4.20
-%define release 0Beta2
+%define release 0Beta3

 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@ -120,6 +120,8 @@ fi

 %changelog
 * Wed May 18 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-0Beta3
+* Wed May 18 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.20-0Beta2
 * Sat Apr 16 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-1
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.20-Beta2
+VERSION=4.4.20-Beta3

 usage() # $1 = exit status
 {
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -264,6 +264,7 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 MARK_ANYWHERE   => 'Mark in any table',
 		 HEADER_MATCH    => 'Header Match',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
+		 AUDIT_TARGET    => 'AUDIT Target',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@ -418,7 +419,7 @@ sub initialize( $ ) {
 		    EXPORT     => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
-		    VERSION    => "4.4.20-Beta2",
+		    VERSION    => "4.4.20-Beta3",
 		    CAPVERSION => 40417 ,
 		  );
    #
@ -624,7 +625,8 @@ sub initialize( $ ) {
 	       FWMARK_RT_MASK => undef,
 	       MARK_ANYWHERE => undef,
 	       HEADER_MATCH => undef,
-               ACCOUNT_TARGET => undef,
+	       ACCOUNT_TARGET => undef,
+	       AUDIT_TARGET => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@ -2712,6 +2714,7 @@ sub determine_capabilities() {
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
 	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
+	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );


 	qt1( "$iptables -F $sillyname" );
@ -3342,8 +3345,8 @@ sub get_configuration( $ ) {

    default 'BLACKLIST_DISPOSITION'    , 'DROP';

-    unless ( $config{BLACKLIST_DISPOSITION} =~ /^A?DROP$/ || $config{BLACKLIST_DISPOSITION} =~ /^A?REJECT/ ) {
-	fatal_error q(BLACKLIST_DISPOSITION must be 'DROP', 'ADROP', 'REJECT' or 'AREJECT');
+    unless ( $config{BLACKLIST_DISPOSITION} =~ /^(?:A_)?DROP$/ || $config{BLACKLIST_DISPOSITION} =~ /^(?:A_)?REJECT/ ) {
+	fatal_error q(BLACKLIST_DISPOSITION must be 'DROP', 'A_DROP', 'REJECT' or 'A_REJECT');
    }

    default_log_level 'BLACKLIST_LOGLEVEL',  '';
@ -3356,25 +3359,25 @@ sub get_configuration( $ ) {
    default_log_level 'SMURF_LOG_LEVEL',     '';
    default_log_level 'LOGALLNEW',           '';

-    $globals{MACLIST_TARGET} = 'reject';
-
    if ( $val = $config{MACLIST_DISPOSITION} ) {
-	unless ( $val =~ /^A?REJECT$/ ) {
-	    if ( $val =~ /^A?DROP/ ) {
-		$globals{MACLIST_TARGET} = $val;
-	    } elsif ( $val eq 'ACCEPT' ) {
-		$globals{MACLIST_TARGET} = 'RETURN';
-	    } else {
-		fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
-	    }
+	if ( $val =~ /^((?:A_)?(?:DROP))$/ ) {
+	    $globals{MACLIST_TARGET} = $1;
+	} elsif ( $val eq 'REJECT' ) {
+	    $globals{MACLIST_TARGET} = 'reject';
+	} elsif ( $val eq 'A_REJECT' ) {
+	    $globals{MACLIST_TARGET} = $val;
+	} elsif ( $val eq 'ACCEPT' ) {
+	    $globals{MACLIST_TARGET} = 'RETURN';
+	} else {
+	    fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
 	}
    } else {
-	$config{MACLIST_DISPOSITION} = 'REJECT';
+	$config{MACLIST_DISPOSITION} = 'reject';
    }

    if ( $val = $config{MACLIST_TABLE} ) {
 	if ( $val eq 'mangle' ) {
-	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^(A?REJECT)$/;
+	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
 	} else {
 	    fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter';
 	}
@ -3383,7 +3386,7 @@ sub get_configuration( $ ) {
    }

    if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
-	fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(A?REJECT|A?ACCEPT|A?DROP)$/;
+	fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:A_)?(REJECT|ACCEPT|DROP)$/;
    } else {
 	$config{TCP_FLAGS_DISPOSITION} = 'DROP';
    }
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -97,9 +97,9 @@ my %usedactions;
 #
 # Enumerate the AUDIT builtins
 #
-my %auditactions = ( AACCEPT => 1,
-		     ADROP   => 1,
-		     AREJECT => 1
+my %auditactions = ( A_ACCEPT => 1,
+		     A_DROP   => 1,
+		     A_REJECT => 1
 		   );

 #
@ -176,9 +176,9 @@ sub initialize( $ ) {
    %usedactions       = ();

    if ( $family == F_IPV4 ) {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AACCEPT ADROP AREJECT/;
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit A_ACCEPT A_DROP A_REJECT/;
    } else {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AACCEPT ADROP AREJECT/;
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid A_ACCEPT A_DROP A_REJECT/;
    }
 }

@ -341,7 +341,9 @@ sub process_a_policy() {
    
    fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};

-    fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
+    if ( $audit ) {
+	fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
+    }

    if ( $default ) {
 	if ( "\L$default" eq 'none' ) {
@ -466,10 +468,10 @@ sub process_policies()
 			  ACCEPT => undef,
 			  REJECT => undef,
 			  DROP   => undef,
-			  AACCEPT => undef,
-			  AREJECT => undef,
-			  ADROP   => undef,
-			  ACONTINUE => undef,
+			  A_ACCEPT => undef,
+			  A_DROP   => undef,
+			  A_REJECT => undef,
+			  CONTINUE => undef,
 			  QUEUE => undef,
 			  NFQUEUE => undef,
 			  NONE => undef
@ -1308,32 +1310,32 @@ sub Limit( $$$$ ) {
    add_rule $chainref, '-j ACCEPT';
 }

-sub AACCEPT ( $$$ ) {
+sub A_ACCEPT ( $$$ ) {
    my ($chainref, $level, $tag) = @_;

-    require_capability 'AUDIT_TARGET' , 'AACCEPT rules', '';
+    require_capability 'AUDIT_TARGET' , 'A_ACCEPT rules', '';

-    log_rule_limit $level, $chainref, 'AACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
+    log_rule_limit $level, $chainref, 'A_ACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
    add_rule $chainref , '-j AUDIT --type accept';
    add_rule $chainref , '-j ACCEPT';
 }

-sub ADROP ( $$$ ) {
+sub A_DROP ( $$$ ) {
    my ($chainref, $level, $tag) = @_;

-    require_capability 'AUDIT_TARGET' , 'ADROP rules', '';
+    require_capability 'AUDIT_TARGET' , 'A_DROP rules', '';

-    log_rule_limit $level, $chainref, 'ADROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
+    log_rule_limit $level, $chainref, 'A_DROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
    add_rule $chainref , '-j AUDIT --type drop';
    add_rule $chainref , '-j DROP';
 }

-sub AREJECT ( $$$ ) {
+sub A_REJECT ( $$$ ) {
    my ($chainref, $level, $tag) = @_;

-    require_capability 'AUDIT_TARGET' , 'AREJECT rules', '';
+    require_capability 'AUDIT_TARGET' , 'A_REJECT rules', '';

-    log_rule_limit $level, $chainref, 'AREJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
+    log_rule_limit $level, $chainref, 'A_REJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
    add_rule $chainref , '-j AUDIT --type reject';
    add_rule $chainref , '-j reject';
 }
@ -1347,9 +1349,9 @@ my %builtinops = ( 'dropBcast'      => \&dropBcast,
 		   'allowinUPnP'    => \&allowinUPnP,
 		   'forwardUPnP'    => \&forwardUPnP,
 		   'Limit'          => \&Limit,
-		   'AACCEPT'        => \&AACCEPT,
-		   'ADROP'          => \&ADROP,
-		   'AREJECT'        => \&AREJECT
+		   'A_ACCEPT'       => \&A_ACCEPT,
+		   'A_DROP'         => \&A_DROP,
+		   'A_REJECT'       => \&A_REJECT
 		 );

 #
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@ -8,9 +8,9 @@
 #
 # Builtin Actions are:
 #
-#    AACCEPT            # Audits then accepts a connection request
-#    ADROP              # Audits then drops a connection request
-#    AREJECT		# Audits then drops a connection request
+#    A_ACCEPT           # Audits then accepts a connection request
+#    A_DROP             # Audits then drops a connection request
+#    A_REJECT		# Audits then drops a connection request
 #    allowBcast		# Silently Allow Broadcast/multicast
 #    dropBcast		# Silently Drop Broadcast/multicast
 #    dropNotSyn		# Silently Drop Non-syn TCP packets
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@ -739,9 +739,9 @@ show_command() {
 		case $1 in
 		    actions)
 			[ $# -gt 1 ] && usage 1
-			echo "AACCEPT             # Audit and accept the connection"
-			echo "ADROP               # Audit and drop the connection"
-			echo "AREJECT             # Audit and reject the connection "
+			echo "A_ACCEPT            # Audit and accept the connection"
+			echo "A_DROP              # Audit and drop the connection"
+			echo "A_REJECT            # Audit and reject the connection "
 			echo "allowBcast          # Silently Allow Broadcast/multicast"
 			echo "allowInvalid        # Accept packets that are in the INVALID conntrack state."
 			echo "allowinUPnP         # Allow UPnP inbound (to firewall) traffic"
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -93,25 +93,25 @@ All bug fixes from 4.4.19.1 - 4.4.19.4.
    c)  Three new builtin actions that may be used in the rules file,
        in macros and in other actions.

-    	AACCEPT - Audits and accepts the connection request
-	ADROP   - Audits and drops the connection request
-	AREJECT - Audits and rejects
+    	A_ACCEPT - Audits and accepts the connection request
+	A_DROP   - Audits and drops the connection request
+	A_REJECT - Audits and rejects

 	A log level may be supplied with these actions to
 	provide both auditing and logging.

 	Example:

-	AACCEPT:info	loc	net	...
+	A_ACCEPT:info	loc	net	...

    d)  The BLACKLIST_DISPOSITION, MACLIST_DISPOSITION and
        TCP_FLAGS_DISPOSITION options may be set as follows:

-	BLACKLIST_DISPOSITION 	      ADROP or AREJECT
-	MACLIST_DISPOSITION           ADROP 
-				      AREJECT, unless
+	BLACKLIST_DISPOSITION 	      A_DROP or A_REJECT
+	MACLIST_DISPOSITION           A_DROP 
+				      A_REJECT, unless
 				               MACLIST_TABLE=mangle
-        TCP_FLAGS_DISPOSITION         ADROP or AREJECT
+        TCP_FLAGS_DISPOSITION         A_DROP or A_REJECT

 ----------------------------------------------------------------------------
             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@ -630,9 +630,9 @@ show_command() {
 		case $1 in
 		    actions)
 			[ $# -gt 1 ] && usage 1
-			echo "AACCEPT             # Audit and accept the connection"
-			echo "ADROP               # Audit and drop the connection"
-			echo "AREJECT             # Audit and reject the connection "
+			echo "A_ACCEPT            # Audit and accept the connection"
+			echo "A_DROP              # Audit and drop the connection"
+			echo "A_REJECT            # Audit and reject the connection "
 			echo "allowBcast          # Accept Multicast and Anycast Packets"
 			echo "dropBcast           # Silently Drop Multicast and Anycast Packets"
 			echo "allowInvalid        # Accept packets that are in the INVALID conntrack state."
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@ -322,6 +322,17 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
+
+              <listitem>
+                <para>queues matching packets to a backend logging daemon via
+                a netlink socket then continues to the next rule. See <ulink
+                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>
--- a/manpages6/shorewall6-rules.xml
+++ b/manpages6/shorewall6-rules.xml
@ -244,7 +244,18 @@
            </varlistentry>

            <varlistentry>
-              <term>NFQUEUE</term>
+              <term><emphasis
+              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
+
+              <listitem>
+                <para>queues matching packets to a backend logging daemon via
+                a netlink socket then continues to the next rule. See <ulink
+                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">NFQUEUE</emphasis></term>

              <listitem>
                <para>Queues the packet to a user-space application using the