From e95003b82aa42979ccb0e84bacc9ce2207bb6dcf Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 22 May 2011 17:42:50 -0700
Subject: [PATCH] Add FAKE_AUDIT option
---
Samples/Universal/shorewall.conf | 4 ++
Samples/one-interface/shorewall.conf | 4 ++
Samples/three-interfaces/shorewall.conf | 4 ++
Samples/two-interfaces/shorewall.conf | 4 ++
Samples6/Universal/shorewall6.conf | 4 ++
Samples6/one-interface/shorewall6.conf | 4 ++
Samples6/three-interfaces/shorewall6.conf | 4 ++
Samples6/two-interfaces/shorewall6.conf | 4 ++
Shorewall/Perl/Shorewall/Chains.pm | 2 +
Shorewall/Perl/Shorewall/Config.pm | 3 +-
Shorewall/Perl/Shorewall/Misc.pm | 45 ++++++++++++++++++++---
Shorewall/Perl/Shorewall/Rules.pm | 25 ++++++++++---
Shorewall/releasenotes.txt | 9 +++-
Shorewall/shorewall | 5 ++-
14 files changed, 105 insertions(+), 16 deletions(-)
diff --git a/Samples/Universal/shorewall.conf b/Samples/Universal/shorewall.conf
index 2296173b5..f22e4c76b 100644
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@@ -198,6 +198,8 @@ EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
+LEGACY_FASTSTART=No
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
@@ -208,4 +210,6 @@ MACLIST_DISPOSITION=REJECT
 TCP_FLAGS_DISPOSITION=DROP
+SMURF_DISPOSITION=DROP
+
 #LAST LINE -- DO NOT REMOVE
diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf
index bd13f2769..abe851590 100644
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -209,6 +209,8 @@ EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
+LEGACY_FASTSTART=No
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
@@ -219,4 +221,6 @@ MACLIST_DISPOSITION=REJECT
 TCP_FLAGS_DISPOSITION=DROP
+SMURF_DISPOSITION=DROP
+
 #LAST LINE -- DO NOT REMOVE
diff --git a/Samples/three-interfaces/shorewall.conf b/Samples/three-interfaces/shorewall.conf
index d526829d2..3039f5091 100644
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -209,6 +209,8 @@ EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
+LEGACY_FASTSTART=No
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
@@ -219,4 +221,6 @@ MACLIST_DISPOSITION=REJECT
 TCP_FLAGS_DISPOSITION=DROP
+SMURF_DISPOSITION=DROP
+
 #LAST LINE -- DO NOT REMOVE
diff --git a/Samples/two-interfaces/shorewall.conf b/Samples/two-interfaces/shorewall.conf
index f99107561..a47c3da7f 100644
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -216,6 +216,8 @@ EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
+LEGACY_FASTSTART=No
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
@@ -226,4 +228,6 @@ MACLIST_DISPOSITION=REJECT
 TCP_FLAGS_DISPOSITION=DROP
+SMURF_DISPOSITION=DROP
+
 #LAST LINE -- DO NOT REMOVE
diff --git a/Samples6/Universal/shorewall6.conf b/Samples6/Universal/shorewall6.conf
index 6d6ea0219..9367b1214 100644
--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@@ -161,6 +161,8 @@ EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
+LEGACY_FASTSTART=No
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
@@ -169,4 +171,6 @@ BLACKLIST_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
+SMURF_DISPOSITION=DROP
+
 #LAST LINE -- DO NOT REMOVE
diff --git a/Samples6/one-interface/shorewall6.conf b/Samples6/one-interface/shorewall6.conf
index 9e09bc9b8..1bfd910d1 100644
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -163,6 +163,8 @@ EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
+LEGACY_ACCOUNTING=No
+
 ##############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
@@ -171,4 +173,6 @@ BLACKLIST_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
+SMURF_DISPOSITION=DROP
+
 #LAST LINE -- DO NOT REMOVE
diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf
index cf6ea45b2..5f22c6f9e 100644
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -163,6 +163,8 @@ EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
+LEGACY_FASTSTART=No
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
@@ -171,4 +173,6 @@ BLACKLIST_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
+SMURF_DISPOSITION=No
+
 #LAST LINE -- DO NOT REMOVE
diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf
index 228af544f..c53ade8ee 100644
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -163,6 +163,8 @@ EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
+LEGACY_FASTSTART=No
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
@@ -171,4 +173,6 @@ BLACKLIST_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
+SMURF_DISPOSITION=DROP
+
 #LAST LINE -- DO NOT REMOVE
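Review bot: Two of the Samples6 hunks disagree with the other six sample files in this patch: Samples6/one-interface/shorewall6.conf adds `+LEGACY_ACCOUNTING=No` where every other sample adds `LEGACY_FASTSTART=No` (the option the Config.pm hunk and the release-notes hunk name), and Samples6/three-interfaces/shorewall6.conf adds `+SMURF_DISPOSITION=No` where the others add `SMURF_DISPOSITION=DROP`. `No` is not a packet disposition, and `LEGACY_ACCOUNTING` appears nowhere else in this patch, so a user starting from either sample would presumably get a configuration error or silently keep the legacy fast-start behaviour the sample is meant to turn off. The two lines should read `LEGACY_FASTSTART=No` and `SMURF_DISPOSITION=DROP` respectively, matching the sibling samples.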
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 5b9f9bf07..9a23ad8db 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1598,6 +1598,8 @@ sub initialize_chain_table()
 new_builtin_chain 'mangle', $chain, 'ACCEPT';
 }
 }
+
+ dont_delete ensure_filter_chain 'AUDIT', 0 if $config{FAKE_AUDIT};
 }
 #
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 5210822ad..23d46eece 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -541,6 +541,7 @@ sub initialize( $ ) {
 COMPLETE => undef,
 EXPORTMODULES => undef,
 LEGACY_FASTSTART => undef,
+ FAKE_AUDIT => undef,
 #
 # Packet Disposition
 #
@@ -2536,7 +2537,7 @@ sub Account_Target() {
 }
 sub Audit_Target() {
- qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
+ $config{FAKE_AUDIT} || qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
 }
 our %detect_capability =
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index cfa5262cb..6885592f9 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -218,7 +218,13 @@ sub setup_blacklist() {
 log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
- add_rule( $logchainref, '-j AUDIT --type ' . lc $target ) if $audit;
+ if ( $audit ) {
+ if ( $config{FAKE_AUDIT} ) {
+ add_rule( $logchainref, '-j AUDIT -m comment --comment "--type ' . lc $target . '"' );
+ } else {
+ add_rule( $logchainref, '-j AUDIT --type ' . lc $target );
+ }
+ }
 add_jump $logchainref, $target, 1;
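Review bot: `dont_delete ensure_filter_chain 'AUDIT', 0 if $config{FAKE_AUDIT};` creates an ordinary filter chain carrying the name of the kernel AUDIT target, so every faked `-j AUDIT` rule elsewhere in this patch becomes a jump into an empty user chain from which the packet returns and keeps matching. That presumably only works where iptables has no AUDIT extension of its own; where one is installed I would expect `-j AUDIT` to bind to the extension and the faked rules, which carry no `--type`, to be rejected at load time. A one-line comment here, e.g. `# FAKE_AUDIT: stand-in user chain so rulesets that reference AUDIT can be generated and loaded on hosts without the target`, would spare the next reader that investigation. initialize_chain_table() begins outside the hunk.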
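Review bot: `+ FAKE_AUDIT => undef,` registers the key in the %config defaults, but nothing in this patch normalizes its value, and every use of it (`$config{FAKE_AUDIT}` in Chains.pm, Misc.pm and Rules.pm) tests plain truthiness; unless the option is run through the same Yes/No handling its neighbours EXPORTMODULES and LEGACY_FASTSTART presumably receive elsewhere in Config.pm, `FAKE_AUDIT=No` is a non-empty string and turns the fake on. Worth confirming that the existing Yes/No normalization covers it so that `No` really disables it. The option is also absent from the release-notes hunk and from all eight sample files touched here, so as committed it is effectively undocumented.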
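Review bot: `$config{FAKE_AUDIT} || qt1( ... )` reports the AUDIT target capability as present without probing anything, yet the faked rules that Misc.pm and Rules.pm then emit depend on a second extension, the `-m comment` match, that no hunk in this patch checks for. On a host without comment-match support the fake path would fail at ruleset load with an error pointing at `comment` rather than at FAKE_AUDIT, and since the option seems intended for hosts that lack AUDIT in the first place, that combination is plausible. Either have this probe also verify the comment match when FAKE_AUDIT is set, or guard the fake branch with the existing comment-match capability check before emitting `-m comment`.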
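Review bot: The `if ( $config{FAKE_AUDIT} ) { ... } else { ... }` block added around `add_rule( $logchainref, ... )` is repeated, give or take the chain reference and the type string, in add_common_rules() (twice), setup_mac_lists() (twice), policy_rules(), require_audit() and verify_audit(), and the copies already drift: some branches call `add_rule( ... )` with parentheses and others `add_rule $ref, ...` without, inside the same if/else. The comment text `--type <x>` is the only thing that lets anyone later recover the intended audit type from a faked rule, so its format belongs in exactly one place. A helper such as the one below, exported from the module both Misc.pm and Rules.pm already import their chain functions from, turns each block into a single call, here `add_audit_rule( $logchainref, $target );`. setup_blacklist() begins outside the hunk.
```perl
#
# Add the AUDIT rule for a chain. With FAKE_AUDIT the real target is not used:
# the type is carried in a comment on a jump to the user chain named AUDIT.
#
sub add_audit_rule( $$ ) {
    my ( $chainref, $type ) = @_;

    if ( $config{FAKE_AUDIT} ) {
        add_rule( $chainref, '-j AUDIT -m comment --comment "--type ' . lc $type . '"' );
    } else {
        add_rule( $chainref, '-j AUDIT --type ' . lc $type );
    }
}
```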
@@ -510,7 +516,14 @@ sub add_common_rules() {
 '', 'add', '' );
- add_rule( $smurfref, '-j AUDIT --type drop' ) if $smurfdest eq 'A_DROP';
+ if ( $smurfdest eq 'A_DROP' ) {
+ if ( $config{FAKE_AUDIT} ) {
+ add_rule( $smurfref, '-j AUDIT -m comment --comment "--type drop"' );
+ } else {
+ add_rule( $smurfref, '-j AUDIT --type drop' );
+ }
+ }
+
 add_rule( $smurfref, '-j DROP' );
 $smurfdest = 'smurflog';
@@ -647,7 +660,12 @@ sub add_common_rules() {
 if ( $audit ) {
 $disposition =~ s/^A_//;
- add_rule( $logflagsref, '-j AUDIT --type ' . lc $disposition );
+
+ if ( $config{FAKE_AUDIT} ) {
+ add_rule( $logflagsref, '-j AUDIT -m comment --comment "--type ' . lc $disposition . '"' );
+ } else {
+ add_rule( $logflagsref, '-j AUDIT --type ' . lc $disposition );
+ }
 }
 if ( $disposition eq 'REJECT' ) {
@@ -821,13 +839,29 @@ sub setup_mac_lists( $ ) {
 my $source = match_source_net $address;
 log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}" if defined $level && $level ne '';
- add_rule( $chainref , '-j AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
+
+ if ( $audit && $disposition ne 'ACCEPT' ) {
+ if ( $config{FAKE_AUDIT} ) {
+ add_rule( $chainref , '-j AUDIT -m comment --comment "--type ' . lc $disposition . '"' );
+ } else {
+ add_rule( $chainref , '-j AUDIT --type ' . lc $disposition );
+ }
+ }
+
 add_jump $chainref , $targetref->{target}, 0, "${mac}${source}";
 }
 } else {
 log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac if defined $level && $level ne '';
- add_rule( $chainref , '-j AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
+
+ if ( $audit && $disposition ne 'ACCEPT' ) {
+ if ( $config{FAKE_AUDIT} ) {
+ add_rule( $chainref , '-j AUDIT -m comment --comment "--type ' . lc $disposition . '"' );
+ } else {
+ add_rule( $chainref , '-j AUDIT --type ' . lc $disposition );
+ }
+ }
+
 add_jump $chainref , $targetref->{target}, 0, "$mac";
 }
@@ -1151,6 +1185,7 @@ sub generate_matrix() {
 progress_message2 'Generating Rule Matrix...';
 progress_message ' Handling blacklisting and complex zones...';
+
 #
 # Special processing for complex and/or blacklisting configurations
 #
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 330970c80..758051759 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -518,7 +518,14 @@ sub policy_rules( $$$$$ ) {
 log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 fatal_error "Null target in policy_rules()" unless $target;
- add_rule( $chainref , '-j AUDIT --type ' . lc $target ) if $chainref->{audit};
+ if ( $chainref->{audit} ) {
+ if ( $config{FAKE_AUDIT} ) {
+ add_rule( $chainref , '-j AUDIT -m comment --comment "--type ' . lc $target . '"' );
+ } else {
+ add_rule( $chainref , '-j AUDIT --type ' . lc $target );
+ }
+ }
+
 add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE';
 }
 }
@@ -1142,8 +1149,12 @@ sub require_audit($$) {
 unless ( $ref ) {
 $ref = new_chain 'filter', $target;
- add_rule $ref, '-j AUDIT --type ' . lc $action;
-
+ if ( $config{FAKE_AUDIT} ) {
+ add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
+ } else {
+ add_rule $ref, '-j AUDIT --type ' . lc $action;
+ }
+
 if ( $action eq 'REJECT' ) {
 add_jump $ref , 'reject', 1;
 } else {
@@ -1610,8 +1621,12 @@ sub verify_audit($) {
 $action =~ s/^A_//;
- add_rule $ref, '-j AUDIT --type ' . lc $action;
-
+ if ( $config{FAKE_AUDIT} ) {
+ add_rule $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"';
+ } else {
+ add_rule $ref, '-j AUDIT --type ' . lc $action;
+ }
+
 if ( $action eq 'REJECT' ) {
 add_jump $ref , 'reject', 1;
 } else {
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index d2705e508..a1f2678d7 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -136,14 +136,15 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 lower-case letter.
 6) Up to this release, the behaviors of 'start -f' and 'restart -f'
- were inconsistent. The 'start -f' command compares the modification
- times of /etc/shorewall[6] with /var/lib/shorewall[6]/restore while
- 'restart -f' compares with /var/lib/shorewall[6]/firewall.
+ has been inconsistent with AUTOMAKE=Yes. The 'start -f' and
+ 'restart -f' commands compares the modification times of
+ /etc/shorewall[6] with /var/lib/shorewall[6]/restore while
+ AUTOMAKE compares with /var/lib/shorewall[6]/firewall.
 To make the two consistent, a new LEGACY_FASTSTART option has been added. The default value when the option isn't specified is LEGACY_FASTSTART=Yes which preserves the old behavior. When
- LEGACY_FASTSTART=No, both commands compare with
+ LEGACY_FASTSTART=No, 'start -f' and 'restart -f' compare with
 /var/lib/shorewall[6]/firewall.
 ----------------------------------------------------------------------------
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index c456dc5c0..442607f30 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -501,10 +501,13 @@ start_command() {
 if [ -n "${g_fast}${AUTOMAKE}" ]; then
 if [ -z "$g_fast" -o -z "$LEGACY_FASTSTART" ]; then
 #
- # Automake -- use the last compiled script
+ # Automake or LEGACY_FASTSTART=No -- use the last compiled script
 #
 object=firewall
 else
+ #
+ # 'start -f' with LEGACY_FASTSTART=Yes -- use last saved configuration
+ #
 object=$RESTOREFILE
 fi