More blacklist/audit fixes

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-06-04 08:45:23 -07:00
parent a9c0824a30
commit f1cbfab7ac
2 changed files with 26 additions and 16 deletions

View File

@ -203,7 +203,7 @@ sub setup_blacklist() {
my $chainref;
my $chainref1;
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
my $audit = $disposition =~ s/^A_//;
my $audit = $disposition =~ /^A_/;
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
my $orig_target = $target;
@ -218,6 +218,9 @@ sub setup_blacklist() {
if ( defined $level && $level ne '' ) {
my $logchainref = new_standard_chain 'blacklog';
$target =~ s/A_//;
$target = 'reject' if $target eq 'REJECT';
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
if ( $audit ) {
@ -233,7 +236,7 @@ sub setup_blacklist() {
$target = 'blacklog';
} elsif ( $audit ) {
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
$target = verify_audit( $config{BLACKLIST_DISPOSITION} );
$target = verify_audit( $disposition );
}
}
@ -259,7 +262,11 @@ sub setup_blacklist() {
my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
$options = 'src' if $options eq '-';
if ( $options eq '-' ) {
$options = 'src';
} elsif ( $options eq 'audit' ) {
$options = 'audit,src';
}
my ( $to, $from, $whitelist, $auditone ) = ( 0, 0, 0, 0 );
@ -284,7 +291,7 @@ sub setup_blacklist() {
$tgt = verify_audit( 'A_' . $target, $orig_target );
$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
}
}

View File

@ -648,7 +648,7 @@ sub complete_standard_chain ( $$$$ ) {
policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
}
sub require_audit($$);
sub require_audit($$;$);
#
# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
@ -1136,8 +1136,8 @@ sub map_old_actions( $ ) {
#
# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
sub ensure_audit_chain( $;$ ) {
my ( $target, $action ) = @_;
sub ensure_audit_chain( $;$$ ) {
my ( $target, $action, $tgt ) = @_;
push_comment( '' );
@ -1149,7 +1149,9 @@ sub ensure_audit_chain( $;$ ) {
unless ( $action ) {
$action = $target;
$action =~ s/^A_//;
}
}
$tgt ||= $action;
if ( $config{FAKE_AUDIT} ) {
add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
@ -1157,10 +1159,11 @@ sub ensure_audit_chain( $;$ ) {
add_rule $ref, '-j AUDIT --type ' . lc $action;
}
if ( $action eq 'REJECT' ) {
if ( $tgt eq 'REJECT' ) {
add_jump $ref , 'reject', 1;
} else {
add_jump $ref , $action, 0;
add_jump $ref , $tgt, 0;
}
}
@ -1173,8 +1176,8 @@ sub ensure_audit_chain( $;$ ) {
# Return the appropriate target based on whether the second argument is 'audit'
#
sub require_audit($$) {
my ($action, $audit ) = @_;
sub require_audit($$;$) {
my ($action, $audit, $tgt ) = @_;
return $action unless defined $audit and $audit ne '';
@ -1184,7 +1187,7 @@ sub require_audit($$) {
require_capability 'AUDIT_TARGET', 'audit', 's';
return ensure_audit_chain $target, $action;
return ensure_audit_chain $target, $action, $tgt;
}
#
@ -1632,12 +1635,12 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
#
# Confirm that we have AUDIT_TARGET capability and ensure the appropriate AUDIT chain.
#
sub verify_audit($;$) {
my ($target, $audit ) = @_;
sub verify_audit($;$$) {
my ($target, $audit, $tgt ) = @_;
require_capability 'AUDIT_TARGET', "$target rules", '';
return ensure_audit_chain $target, $audit;
return ensure_audit_chain $target, $audit, $tgt;
}
#