Add the AUDIT built-in and delete the Audit action.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-11-22 08:24:33 -08:00
parent 4a05571e7e
commit df7ce1a7d1
6 changed files with 33 additions and 56 deletions

View File

@ -2465,6 +2465,7 @@ sub initialize_chain_table($) {
'A_ACCEPT' => STANDARD + AUDIT,
'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
'NONAT' => STANDARD + NONAT + NATONLY,
'AUDIT' => STANDARD,
'DROP' => STANDARD,
'DROP!' => STANDARD,
'A_DROP' => STANDARD + AUDIT,
@ -2520,6 +2521,7 @@ sub initialize_chain_table($) {
#
%targets = ('ACCEPT' => STANDARD,
'ACCEPT!' => STANDARD,
'AUDIT' => STANDARD,
'DROP' => STANDARD,
'DROP!' => STANDARD,
'REJECT' => STANDARD,

View File

@ -1841,6 +1841,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
fatal_error "$action rules require a set name parameter" unless $param;
} elsif ( $actiontype & ACTION ) {
split_list $param, 'Action parameter';
} elsif ( $basictarget eq 'AUDIT' ) {
require_capability ( 'AUDIT_TARGET', 'The AUDIT action', 's' );
$param = $param eq '' ? 'drop' : $param;
fatal_error "Invalid AUDIT type ($param) -- must be 'accept', 'drop' or 'reject'" unless $param =~ /^(?:accept|drop|reject)$/;
} else {
fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
}
@ -1910,6 +1914,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
}
} ,
AUDIT => sub() {
$action = "AUDIT --type $param";
} ,
REDIRECT => sub () {
my $z = $actiontype & NATONLY ? '' : firewall_zone;
if ( $dest eq '-' ) {

View File

@ -1,54 +0,0 @@
#
# Shorewall 4 - AUDIT Action
#
# /usr/share/shorewall/action.AUDIT
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2011 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# AUDIT[(type)]
#
# Default type is drop
#
##########################################################################################
FORMAT 2
DEFAULTS drop
?BEGIN PERL;
use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;
my ( $type ) = get_action_params( 1 );
fatal_error "Invalid AUDIT type ($type)" unless $type =~ /^(?:accept|drop|reject)$/;
require_capability('AUDIT_TARGET', 'The AUDIT action', 's');
my $chainref = get_action_chain;
add_ijump( $chainref, j=> 'AUDIT', targetopts => "--type $type" );
allow_optimize( $chainref );
1;
?END PERL;

View File

@ -35,7 +35,6 @@
#ACTION
A_Drop # Audited Default Action for DROP policy
A_Reject # Audited Default action for REJECT policy
Audit # Audits a request
Broadcast # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy
DropSmurfs # Drop smurf packets

View File

@ -224,6 +224,17 @@
</listitem>
</varlistentry>
<varlistentry>
<term>AUDIT[(accept|drop|reject)]</term>
<listitem>
<para>Added in Shorewall 4.5.10. Audits the packet with the
specified type; if the type is omitted, then
<option>drop</option> is assumed. Require AUDIT_TARGET support
in the kernel and iptables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>A_ACCEPT, A_ACCEPT+ and A_ACCEPT!</term>

View File

@ -183,6 +183,17 @@
</listitem>
</varlistentry>
<varlistentry>
<term>AUDIT[(accept|drop|reject)]</term>
<listitem>
<para>Added in Shorewall 4.5.10. Audits the packet with the
specified type; if the type is omitted, then
<option>drop</option> is assumed. Require AUDIT_TARGET support
in the kernel and iptables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>A_ACCEPT, A_ACCEPT+ and A_ACCEPT!</term>