Add the AUDIT built-in and delete the Audit action.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-12-22 06:10:42 +01:00 · 2012-11-22 08:24:33 -08:00 · 2012-11-22 08:24:33 -08:00 · df7ce1a7d1
commit df7ce1a7d1
parent 4a05571e7e
6 changed files with 33 additions and 56 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -2465,6 +2465,7 @@ sub initialize_chain_table($) {
 		    'A_ACCEPT'        => STANDARD  + AUDIT,
 		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
 		    'NONAT'           => STANDARD  + NONAT + NATONLY,
+		    'AUDIT'           => STANDARD,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
@ -2520,6 +2521,7 @@ sub initialize_chain_table($) {
 	#
 	%targets = ('ACCEPT'          => STANDARD,
 		    'ACCEPT!'         => STANDARD,
+		    'AUDIT'           => STANDARD,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
 		    'REJECT'          => STANDARD,
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1841,6 +1841,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	fatal_error "$action rules require a set name parameter" unless $param;
    } elsif ( $actiontype & ACTION ) {
 	split_list $param, 'Action parameter';
+    } elsif ( $basictarget eq 'AUDIT' ) {
+	require_capability ( 'AUDIT_TARGET', 'The AUDIT action', 's' );
+	$param = $param eq '' ? 'drop' : $param;
+	fatal_error "Invalid AUDIT type ($param) -- must be 'accept', 'drop' or 'reject'" unless $param =~ /^(?:accept|drop|reject)$/;
    } else {
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
    }
@ -1909,7 +1913,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		      $actiontype |= HELPER if $section eq 'NEW';
 		  }
 	      } ,
-	      
+
+	      AUDIT => sub() {
+		  $action = "AUDIT --type $param";
+	      } ,
+
 	      REDIRECT => sub () {
 		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
 		  if ( $dest eq '-' ) {
--- a/Shorewall/action.Audit
+++ b/Shorewall/action.Audit
@ -1,54 +0,0 @@
-#
-# Shorewall 4 - AUDIT Action
-#
-#    /usr/share/shorewall/action.AUDIT
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#   AUDIT[(type)]
-#
-#       Default type is drop
-#
-##########################################################################################
-FORMAT 2
-
-DEFAULTS drop
-
-?BEGIN PERL;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my ( $type ) = get_action_params( 1 );
-
-fatal_error "Invalid AUDIT type ($type)" unless $type =~ /^(?:accept|drop|reject)$/;
-
-require_capability('AUDIT_TARGET', 'The AUDIT action', 's');
-
-my $chainref         = get_action_chain;
-
-add_ijump( $chainref, j=> 'AUDIT', targetopts => "--type $type" );
-
-allow_optimize( $chainref );
-
-1;
-
-?END PERL;
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@ -35,7 +35,6 @@
 #ACTION
 A_Drop 		    # Audited Default Action for DROP policy
 A_Reject	    # Audited Default action for REJECT policy
-Audit               # Audits a request
 Broadcast	    # Handles Broadcast/Multicast/Anycast
 Drop		    # Default Action for DROP policy
 DropSmurfs          # Drop smurf packets
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@ -224,6 +224,17 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>AUDIT[(accept|drop|reject)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.10. Audits the packet with the
+                specified type; if the type is omitted, then
+                <option>drop</option> is assumed. Require AUDIT_TARGET support
+                in the kernel and iptables.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>A_ACCEPT, A_ACCEPT+ and A_ACCEPT!</term>

--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@ -183,6 +183,17 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>AUDIT[(accept|drop|reject)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.10. Audits the packet with the
+                specified type; if the type is omitted, then
+                <option>drop</option> is assumed. Require AUDIT_TARGET support
+                in the kernel and iptables.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>A_ACCEPT, A_ACCEPT+ and A_ACCEPT!</term>