Add FAKE_AUDIT option

Tom Eastep 2011-05-22 17:42:50 -07:00
parent 5d04c93a16
commit e95003b82a
14 changed files with 105 additions and 16 deletions


@ -198,6 +198,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter
LEGACY_FASTSTART=No
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
@ -208,4 +210,6 @@ MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE


@ -209,6 +209,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter
LEGACY_FASTSTART=No
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
@ -219,4 +221,6 @@ MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE


@ -209,6 +209,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter
LEGACY_FASTSTART=No
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
@ -219,4 +221,6 @@ MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE


@ -216,6 +216,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter
LEGACY_FASTSTART=No
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
@ -226,4 +228,6 @@ MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE


@ -161,6 +161,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter
LEGACY_FASTSTART=No
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
@ -169,4 +171,6 @@ BLACKLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE


@ -163,6 +163,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter
LEGACY_ACCOUNTING=No
##############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
@ -171,4 +173,6 @@ BLACKLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE


@ -163,6 +163,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter
LEGACY_FASTSTART=No
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
@ -171,4 +173,6 @@ BLACKLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=No
#LAST LINE -- DO NOT REMOVE


@ -163,6 +163,8 @@ EXPORTMODULES=Yes
ACCOUNTING_TABLE=filter
LEGACY_FASTSTART=No
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
@ -171,4 +173,6 @@ BLACKLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE


@ -1598,6 +1598,8 @@ sub initialize_chain_table()
new_builtin_chain 'mangle', $chain, 'ACCEPT';
}
}
dont_delete ensure_filter_chain 'AUDIT', 0 if $config{FAKE_AUDIT};
}
#
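Review bot: The added `dont_delete ensure_filter_chain 'AUDIT', 0 if $config{FAKE_AUDIT};` creates an empty user chain that the `-j AUDIT -m comment ...` rules elsewhere in this commit jump to, but nothing at the site explains that, and nothing guards against FAKE_AUDIT being enabled on a system whose iptables does load the real AUDIT target extension; there `-j AUDIT` will presumably resolve to the extension rather than to this chain, and the fake rule then lacks the extension's `--type` option, so the ruleset fails to load. Consider refusing or warning on FAKE_AUDIT=Yes when the real target is usable, and document the chain's purpose above the line: `# FAKE_AUDIT=Yes: provide an empty user chain named AUDIT so that A_* dispositions compile and load on systems without the AUDIT target. Packets jump to it and return; no audit record is ever produced.` initialize_chain_table starts outside this hunk.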


@ -541,6 +541,7 @@ sub initialize( $ ) {
COMPLETE => undef,
EXPORTMODULES => undef,
LEGACY_FASTSTART => undef,
FAKE_AUDIT => undef,
#
# Packet Disposition
#
@ -2536,7 +2537,7 @@ sub Account_Target() {
}
sub Audit_Target() {
qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
$config{FAKE_AUDIT} || qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
}
our %detect_capability =
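Review bot: `$config{FAKE_AUDIT}` is tested for truth in Audit_Target and in every generated audit rule, but this section only registers the option (`FAKE_AUDIT => undef`) and I see no `default_yesno 'FAKE_AUDIT', ''` normalization in the commit; unless it is added elsewhere, `FAKE_AUDIT=No` in shorewall.conf is the true string 'No' and would silently turn every A_DROP/A_REJECT/A_ACCEPT rule into a jump to the no-op fake chain, i.e. auditing off while the configuration says otherwise. The short-circuit `$config{FAKE_AUDIT} || qt1( ... )` also reports the audit-target capability as present without probing, so a configuration that relies on the real target is never checked once the option is set. Suggest `default_yesno 'FAKE_AUDIT', '';` next to the LEGACY_FASTSTART handling, plus a warning_message when it is in effect, e.g. `warning_message 'FAKE_AUDIT=Yes: AUDIT rules are placeholders and produce no audit records' if $config{FAKE_AUDIT};`, and a one-line comment on the new Audit_Target line stating that capability detection is skipped under FAKE_AUDIT.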


@ -218,7 +218,13 @@ sub setup_blacklist() {
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
add_rule( $logchainref, '-j AUDIT --type ' . lc $target ) if $audit;
if ( $audit ) {
if ( $config{FAKE_AUDIT} ) {
add_rule( $logchainref, '-j AUDIT -m comment --comment "--type ' . lc $target . '"' );
} else {
add_rule( $logchainref, '-j AUDIT --type ' . lc $target );
}
}
add_jump $logchainref, $target, 1;
@ -510,7 +516,14 @@ sub add_common_rules() {
'',
'add',
'' );
add_rule( $smurfref, '-j AUDIT --type drop' ) if $smurfdest eq 'A_DROP';
if ( $smurfdest eq 'A_DROP' ) {
if ( $config{FAKE_AUDIT} ) {
add_rule( $smurfref, '-j AUDIT -m comment --comment "--type drop"' );
} else {
add_rule( $smurfref, '-j AUDIT --type drop' );
}
}
add_rule( $smurfref, '-j DROP' );
$smurfdest = 'smurflog';
@ -647,8 +660,13 @@ sub add_common_rules() {
if ( $audit ) {
$disposition =~ s/^A_//;
if ( $config{FAKE_AUDIT} ) {
add_rule( $logflagsref, '-j AUDIT -m comment --comment "--type ' . lc $disposition . '"' );
} else {
add_rule( $logflagsref, '-j AUDIT --type ' . lc $disposition );
}
}
if ( $disposition eq 'REJECT' ) {
add_rule $logflagsref , '-p 6 -j REJECT --reject-with tcp-reset';
@ -821,13 +839,29 @@ sub setup_mac_lists( $ ) {
my $source = match_source_net $address;
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
if defined $level && $level ne '';
add_rule( $chainref , '-j AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
if ( $audit && $disposition ne 'ACCEPT' ) {
if ( $config{FAKE_AUDIT} ) {
add_rule( $chainref , '-j AUDIT -m comment --comment "--type ' . lc $disposition . '"' );
} else {
add_rule( $chainref , '-j AUDIT --type ' . lc $disposition );
}
}
add_jump $chainref , $targetref->{target}, 0, "${mac}${source}";
}
} else {
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
if defined $level && $level ne '';
add_rule( $chainref , '-j AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
if ( $audit && $disposition ne 'ACCEPT' ) {
if ( $config{FAKE_AUDIT} ) {
add_rule( $chainref , '-j AUDIT -m comment --comment "--type ' . lc $disposition . '"' );
} else {
add_rule( $chainref , '-j AUDIT --type ' . lc $disposition );
}
}
add_jump $chainref , $targetref->{target}, 0, "$mac";
}
@ -1151,6 +1185,7 @@ sub generate_matrix() {
progress_message2 'Generating Rule Matrix...';
progress_message ' Handling blacklisting and complex zones...';
#
# Special processing for complex and/or blacklisting configurations
#
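Review bot: The FAKE_AUDIT branch is pasted verbatim into five places in this file (setup_blacklist, the smurf and logflags blocks of add_common_rules, both arms of setup_mac_lists) and again in Rules.pm, each hand-building `'-j AUDIT -m comment --comment "--type ' . lc $x . '"'`, so a future change to the fake or real rule format has to be repeated in eight places. Factor it into one helper that returns the rule fragment, exported from Chains.pm alongside add_rule, and collapse each site back to its original one-liner, e.g. `add_rule( $logchainref, audit_rule( $target ) ) if $audit;`. The helper's comment should also record that under FAKE_AUDIT the comment merely preserves the intended type for inspection of the generated ruleset and no audit record is produced. The generate_matrix hunk at the end only adds a progress message; that function starts and ends outside the hunk.
```perl
#
# Return the rule fragment that audits a packet with the given disposition
# (ACCEPT, DROP or REJECT). With FAKE_AUDIT=Yes the AUDIT target is stood in
# for by an empty user chain, so the type is only preserved in a comment for
# inspection of the generated ruleset -- no audit record is produced.
#
sub audit_rule( $ ) {
    my ( $disposition ) = @_;
    my $type = lc $disposition;

    return $config{FAKE_AUDIT} ? qq(-j AUDIT -m comment --comment "--type $type") : "-j AUDIT --type $type";
}

# … unchanged: setup_blacklist up to the log_rule_limit call …
add_rule( $logchainref, audit_rule( $target ) ) if $audit;
```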


@ -518,7 +518,14 @@ sub policy_rules( $$$$$ ) {
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
fatal_error "Null target in policy_rules()" unless $target;
add_rule( $chainref , '-j AUDIT --type ' . lc $target ) if $chainref->{audit};
if ( $chainref->{audit} ) {
if ( $config{FAKE_AUDIT} ) {
add_rule( $chainref , '-j AUDIT -m comment --comment "--type ' . lc $target . '"' );
} else {
add_rule( $chainref , '-j AUDIT --type ' . lc $target );
}
}
add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE';
}
}
@ -1142,7 +1149,11 @@ sub require_audit($$) {
unless ( $ref ) {
$ref = new_chain 'filter', $target;
if ( $config{FAKE_AUDIT} ) {
add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
} else {
add_rule $ref, '-j AUDIT --type ' . lc $action;
}
if ( $action eq 'REJECT' ) {
add_jump $ref , 'reject', 1;
@ -1610,7 +1621,11 @@ sub verify_audit($) {
$action =~ s/^A_//;
if ( $config{FAKE_AUDIT} ) {
add_rule $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"';
} else {
add_rule $ref, '-j AUDIT --type ' . lc $action;
}
if ( $action eq 'REJECT' ) {
add_jump $ref , 'reject', 1;
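Review bot: The fake rule added in policy_rules (and likewise in require_audit and verify_audit below) depends on the `comment` match, an optional netfilter extension that, as far as I recall, Shorewall elsewhere uses only when comment support has been detected; on a target system without xt_comment, `-j AUDIT -m comment --comment "--type drop"` fails to load even though FAKE_AUDIT exists precisely for systems with limited iptables support. Either make the comment conditional on the detected comment capability or drop it and jump plainly to the fake chain, e.g. `add_rule( $chainref , '-j AUDIT' ) if $chainref->{audit};` when comments are unavailable. policy_rules begins before its hunk, and require_audit and verify_audit both run past theirs.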


@ -136,14 +136,15 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
lower-case letter.
6) Up to this release, the behaviors of 'start -f' and 'restart -f'
were inconsistent. The 'start -f' command compares the modification
times of /etc/shorewall[6] with /var/lib/shorewall[6]/restore while
'restart -f' compares with /var/lib/shorewall[6]/firewall.
has been inconsistent with AUTOMAKE=Yes. The 'start -f' and
'restart -f' commands compares the modification times of
/etc/shorewall[6] with /var/lib/shorewall[6]/restore while
AUTOMAKE compares with /var/lib/shorewall[6]/firewall.
To make the two consistent, a new LEGACY_FASTSTART option has been
added. The default value when the option isn't specified is
LEGACY_FASTSTART=Yes which preserves the old behavior. When
LEGACY_FASTSTART=No, both commands compare with
LEGACY_FASTSTART=No, 'start -f' and 'restart -f' compare with
/var/lib/shorewall[6]/firewall.
----------------------------------------------------------------------------


@ -501,10 +501,13 @@ start_command() {
if [ -n "${g_fast}${AUTOMAKE}" ]; then
if [ -z "$g_fast" -o -z "$LEGACY_FASTSTART" ]; then
#
# Automake -- use the last compiled script
# Automake or LEGACY_FASTSTART=No -- use the last compiled script
#
object=firewall
else
#
# 'start -f' with LEGACY_FASTSTART=Yes -- use last saved configuration
#
object=$RESTOREFILE
fi
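Review bot: The new comment `# Automake or LEGACY_FASTSTART=No -- use the last compiled script` does not describe the test above it, which is `-z "$LEGACY_FASTSTART"`, i.e. empty or unset, not the literal value No; unless get_config (outside this hunk) maps No to the empty string and fills in Yes when the option is absent, an unset option takes the `firewall` branch while the changelog in this commit says the default is LEGACY_FASTSTART=Yes, and a literal `No` would take the legacy `$RESTOREFILE` branch. The comment should state what is actually tested, e.g. `# Automake, or LEGACY_FASTSTART not set to Yes -- use the last compiled script`, and the normalization that makes that true belongs next to it or in get_config. start_command begins outside the hunk.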