Add FAKE_AUDIT option

This commit is contained in:
Tom Eastep 2011-05-22 17:42:50 -07:00
parent 5d04c93a16
commit e95003b82a
14 changed files with 105 additions and 16 deletions


@ -198,6 +198,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter ACCOUNTING_TABLE=filter
LEGACY_FASTSTART=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
@ -208,4 +210,6 @@ MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE


@ -209,6 +209,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter ACCOUNTING_TABLE=filter
LEGACY_FASTSTART=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
@ -219,4 +221,6 @@ MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE


@ -209,6 +209,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter ACCOUNTING_TABLE=filter
LEGACY_FASTSTART=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
@ -219,4 +221,6 @@ MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE


@ -216,6 +216,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter ACCOUNTING_TABLE=filter
LEGACY_FASTSTART=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
@ -226,4 +228,6 @@ MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE


@ -161,6 +161,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter ACCOUNTING_TABLE=filter
LEGACY_FASTSTART=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
@ -169,4 +171,6 @@ BLACKLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE


@ -163,6 +163,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter ACCOUNTING_TABLE=filter
LEGACY_ACCOUNTING=No
############################################################################## ##############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
@ -171,4 +173,6 @@ BLACKLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE
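Review bot: `LEGACY_ACCOUNTING=No` names an option that does not appear in the config table this commit extends in Config.pm; the other sample files touched here add `LEGACY_FASTSTART=No` at the same position, so this looks like a typo and should read `LEGACY_FASTSTART=No`. As written the line is either silently ignored or rejected as an unknown key depending on how the parser treats unrecognized settings, which I cannot confirm from the hunk, but either way the sample no longer sets the option it was meant to.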


@ -163,6 +163,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter ACCOUNTING_TABLE=filter
LEGACY_FASTSTART=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
@ -171,4 +173,6 @@ BLACKLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=No
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE
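Review bot: `SMURF_DISPOSITION=No` is not a disposition; every other sample file in this commit sets `SMURF_DISPOSITION=DROP`, and the code in add_common_rules compares the resolved value against `A_DROP`. The line should read `SMURF_DISPOSITION=DROP`.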


@ -163,6 +163,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter ACCOUNTING_TABLE=filter
LEGACY_FASTSTART=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
@ -171,4 +173,6 @@ BLACKLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE


@ -1598,6 +1598,8 @@ sub initialize_chain_table()
new_builtin_chain 'mangle', $chain, 'ACCEPT'; new_builtin_chain 'mangle', $chain, 'ACCEPT';
} }
} }
dont_delete ensure_filter_chain 'AUDIT', 0 if $config{FAKE_AUDIT};
} }
# #
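Review bot: The new `dont_delete ensure_filter_chain 'AUDIT', 0 if $config{FAKE_AUDIT};` creates a user chain whose name is also that of an iptables target, with no comment saying why, so a reader of initialize_chain_table will take it for a mistake. Suggest `# FAKE_AUDIT: an empty user chain named AUDIT stands in for the AUDIT target, presumably so that '-j AUDIT' rules load on hosts that lack it` above the line. Only the filter table gets the stand-in; if any of the '-j AUDIT' rules this commit emits land in another table they would fail to load, which I cannot confirm from the hunk. It is also unclear which of the two wins when FAKE_AUDIT is enabled on a host that does have the AUDIT target, since Audit_Target in Config.pm no longer probes for it in that case. initialize_chain_table starts outside the hunk.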


@ -541,6 +541,7 @@ sub initialize( $ ) {
COMPLETE => undef, COMPLETE => undef,
EXPORTMODULES => undef, EXPORTMODULES => undef,
LEGACY_FASTSTART => undef, LEGACY_FASTSTART => undef,
FAKE_AUDIT => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -2536,7 +2537,7 @@ sub Account_Target() {
} }
sub Audit_Target() { sub Audit_Target() {
qt1( "$iptables -A $sillyname -j AUDIT --type drop" ); $config{FAKE_AUDIT} || qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
} }
our %detect_capability = our %detect_capability =
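Review bot: `$config{FAKE_AUDIT} || qt1( "$iptables -A $sillyname -j AUDIT --type drop" );` in Audit_Target, and the `if ( $config{FAKE_AUDIT} )` tests in the other files, treat the option as a Perl boolean, but the only setup visible here is `FAKE_AUDIT => undef,` in the config table; if the value is taken verbatim from shorewall.conf, `FAKE_AUDIT=No` is the non-empty string "No" and enables the fake behaviour. If the option receives the yes/no normalization the other boolean options get (e.g. via `default_yes_no`) outside these hunks, that covers it; otherwise it should be normalized to ''/Yes in the same place. Under FAKE_AUDIT the capability probe is skipped entirely, so the compiler never learns whether the real AUDIT target exists on the host, and that should be stated where the option is defined. The option is not added to any of the sample shorewall.conf files or the release notes in this commit, so a comment on the table entry, `FAKE_AUDIT => undef, # stand-in for the AUDIT target; see initialize_chain_table`, would record that it is intentionally undocumented if that is the intent.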


@ -218,7 +218,13 @@ sub setup_blacklist() {
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' ); log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
add_rule( $logchainref, '-j AUDIT --type ' . lc $target ) if $audit; if ( $audit ) {
if ( $config{FAKE_AUDIT} ) {
add_rule( $logchainref, '-j AUDIT -m comment --comment "--type ' . lc $target . '"' );
} else {
add_rule( $logchainref, '-j AUDIT --type ' . lc $target );
}
}
add_jump $logchainref, $target, 1; add_jump $logchainref, $target, 1;
@ -510,7 +516,14 @@ sub add_common_rules() {
'', '',
'add', 'add',
'' ); '' );
add_rule( $smurfref, '-j AUDIT --type drop' ) if $smurfdest eq 'A_DROP'; if ( $smurfdest eq 'A_DROP' ) {
if ( $config{FAKE_AUDIT} ) {
add_rule( $smurfref, '-j AUDIT -m comment --comment "--type drop"' );
} else {
add_rule( $smurfref, '-j AUDIT --type drop' );
}
}
add_rule( $smurfref, '-j DROP' ); add_rule( $smurfref, '-j DROP' );
$smurfdest = 'smurflog'; $smurfdest = 'smurflog';
@ -647,7 +660,12 @@ sub add_common_rules() {
if ( $audit ) { if ( $audit ) {
$disposition =~ s/^A_//; $disposition =~ s/^A_//;
add_rule( $logflagsref, '-j AUDIT --type ' . lc $disposition );
if ( $config{FAKE_AUDIT} ) {
add_rule( $logflagsref, '-j AUDIT -m comment --comment "--type ' . lc $disposition . '"' );
} else {
add_rule( $logflagsref, '-j AUDIT --type ' . lc $disposition );
}
} }
if ( $disposition eq 'REJECT' ) { if ( $disposition eq 'REJECT' ) {
@ -821,13 +839,29 @@ sub setup_mac_lists( $ ) {
my $source = match_source_net $address; my $source = match_source_net $address;
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}" log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
if defined $level && $level ne ''; if defined $level && $level ne '';
add_rule( $chainref , '-j AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
if ( $audit && $disposition ne 'ACCEPT' ) {
if ( $config{FAKE_AUDIT} ) {
add_rule( $chainref , '-j AUDIT -m comment --comment "--type ' . lc $disposition . '"' );
} else {
add_rule( $chainref , '-j AUDIT --type ' . lc $disposition );
}
}
add_jump $chainref , $targetref->{target}, 0, "${mac}${source}"; add_jump $chainref , $targetref->{target}, 0, "${mac}${source}";
} }
} else { } else {
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
if defined $level && $level ne ''; if defined $level && $level ne '';
add_rule( $chainref , '-j AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
if ( $audit && $disposition ne 'ACCEPT' ) {
if ( $config{FAKE_AUDIT} ) {
add_rule( $chainref , '-j AUDIT -m comment --comment "--type ' . lc $disposition . '"' );
} else {
add_rule( $chainref , '-j AUDIT --type ' . lc $disposition );
}
}
add_jump $chainref , $targetref->{target}, 0, "$mac"; add_jump $chainref , $targetref->{target}, 0, "$mac";
} }
@ -1151,6 +1185,7 @@ sub generate_matrix() {
progress_message2 'Generating Rule Matrix...'; progress_message2 'Generating Rule Matrix...';
progress_message ' Handling blacklisting and complex zones...'; progress_message ' Handling blacklisting and complex zones...';
# #
# Special processing for complex and/or blacklisting configurations # Special processing for complex and/or blacklisting configurations
# #
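Review bot: The `if ( $config{FAKE_AUDIT} ) { ... } else { ... }` block is pasted five times in this file (setup_blacklist, twice in add_common_rules, twice in setup_mac_lists) and three more times in Rules.pm (policy_rules, require_audit, verify_audit), differing only in the chain and the type string; it belongs in one helper so the fake rule format is defined in a single place, for instance next to add_rule in Chains.pm where both files can import it. The fake form also adds `-m comment`, which the real form does not; if the compiler tracks the comment match as a capability, that requirement should be asserted in the helper rather than assumed at every site. In require_audit the fake branch uses `add_rule( $ref, ... )` with parentheses while the real branch keeps `add_rule $ref, ...`; the helper removes that drift too. The surrounding functions all start outside their hunks.
```perl
#
# Emit the AUDIT rule for a chain. With FAKE_AUDIT, AUDIT is the empty user
# chain created in initialize_chain_table(), which takes no --type option,
# so the type is recorded in a comment instead.
#
sub add_audit_rule( $$ ) {
    my ( $chainref, $type ) = @_;

    if ( $config{FAKE_AUDIT} ) {
        add_rule( $chainref, '-j AUDIT -m comment --comment "--type ' . lc $type . '"' );
    } else {
        add_rule( $chainref, '-j AUDIT --type ' . lc $type );
    }
}

# … each call site collapses to one line, e.g. in setup_blacklist:
add_audit_rule( $logchainref, $target ) if $audit;
```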


@ -518,7 +518,14 @@ sub policy_rules( $$$$$ ) {
log_rule $loglevel , $chainref , $target , '' if $loglevel ne ''; log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
fatal_error "Null target in policy_rules()" unless $target; fatal_error "Null target in policy_rules()" unless $target;
add_rule( $chainref , '-j AUDIT --type ' . lc $target ) if $chainref->{audit}; if ( $chainref->{audit} ) {
if ( $config{FAKE_AUDIT} ) {
add_rule( $chainref , '-j AUDIT -m comment --comment "--type ' . lc $target . '"' );
} else {
add_rule( $chainref , '-j AUDIT --type ' . lc $target );
}
}
add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE'; add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE';
} }
} }
@ -1142,8 +1149,12 @@ sub require_audit($$) {
unless ( $ref ) { unless ( $ref ) {
$ref = new_chain 'filter', $target; $ref = new_chain 'filter', $target;
add_rule $ref, '-j AUDIT --type ' . lc $action; if ( $config{FAKE_AUDIT} ) {
add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
} else {
add_rule $ref, '-j AUDIT --type ' . lc $action;
}
if ( $action eq 'REJECT' ) { if ( $action eq 'REJECT' ) {
add_jump $ref , 'reject', 1; add_jump $ref , 'reject', 1;
} else { } else {
@ -1610,8 +1621,12 @@ sub verify_audit($) {
$action =~ s/^A_//; $action =~ s/^A_//;
add_rule $ref, '-j AUDIT --type ' . lc $action; if ( $config{FAKE_AUDIT} ) {
add_rule $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"';
} else {
add_rule $ref, '-j AUDIT --type ' . lc $action;
}
if ( $action eq 'REJECT' ) { if ( $action eq 'REJECT' ) {
add_jump $ref , 'reject', 1; add_jump $ref , 'reject', 1;
} else { } else {


@ -136,14 +136,15 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
lower-case letter. lower-case letter.
6) Up to this release, the behaviors of 'start -f' and 'restart -f' 6) Up to this release, the behaviors of 'start -f' and 'restart -f'
were inconsistent. The 'start -f' command compares the modification has been inconsistent with AUTOMAKE=Yes. The 'start -f' and
times of /etc/shorewall[6] with /var/lib/shorewall[6]/restore while 'restart -f' commands compares the modification times of
'restart -f' compares with /var/lib/shorewall[6]/firewall. /etc/shorewall[6] with /var/lib/shorewall[6]/restore while
AUTOMAKE compares with /var/lib/shorewall[6]/firewall.
To make the two consistent, a new LEGACY_FASTSTART option has been To make the two consistent, a new LEGACY_FASTSTART option has been
added. The default value when the option isn't specified is added. The default value when the option isn't specified is
LEGACY_FASTSTART=Yes which preserves the old behavior. When LEGACY_FASTSTART=Yes which preserves the old behavior. When
LEGACY_FASTSTART=No, both commands compare with LEGACY_FASTSTART=No, 'start -f' and 'restart -f' compare with
/var/lib/shorewall[6]/firewall. /var/lib/shorewall[6]/firewall.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------


@ -501,10 +501,13 @@ start_command() {
if [ -n "${g_fast}${AUTOMAKE}" ]; then if [ -n "${g_fast}${AUTOMAKE}" ]; then
if [ -z "$g_fast" -o -z "$LEGACY_FASTSTART" ]; then if [ -z "$g_fast" -o -z "$LEGACY_FASTSTART" ]; then
# #
# Automake -- use the last compiled script # Automake or LEGACY_FASTSTART=No -- use the last compiled script
# #
object=firewall object=firewall
else else
#
# 'start -f' with LEGACY_FASTSTART=Yes -- use last saved configuration
#
object=$RESTOREFILE object=$RESTOREFILE
fi fi