mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-30 19:43:45 +01:00
More blacklist/audit fixes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
a9c0824a30
commit
f1cbfab7ac
@ -203,7 +203,7 @@ sub setup_blacklist() {
|
||||
my $chainref;
|
||||
my $chainref1;
|
||||
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
|
||||
my $audit = $disposition =~ s/^A_//;
|
||||
my $audit = $disposition =~ /^A_/;
|
||||
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
|
||||
my $orig_target = $target;
|
||||
|
||||
@ -218,6 +218,9 @@ sub setup_blacklist() {
|
||||
if ( defined $level && $level ne '' ) {
|
||||
my $logchainref = new_standard_chain 'blacklog';
|
||||
|
||||
$target =~ s/A_//;
|
||||
$target = 'reject' if $target eq 'REJECT';
|
||||
|
||||
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
||||
|
||||
if ( $audit ) {
|
||||
@ -233,7 +236,7 @@ sub setup_blacklist() {
|
||||
$target = 'blacklog';
|
||||
} elsif ( $audit ) {
|
||||
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
|
||||
$target = verify_audit( $config{BLACKLIST_DISPOSITION} );
|
||||
$target = verify_audit( $disposition );
|
||||
}
|
||||
}
|
||||
|
||||
@ -259,7 +262,11 @@ sub setup_blacklist() {
|
||||
|
||||
my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
|
||||
|
||||
$options = 'src' if $options eq '-';
|
||||
if ( $options eq '-' ) {
|
||||
$options = 'src';
|
||||
} elsif ( $options eq 'audit' ) {
|
||||
$options = 'audit,src';
|
||||
}
|
||||
|
||||
my ( $to, $from, $whitelist, $auditone ) = ( 0, 0, 0, 0 );
|
||||
|
||||
@ -284,7 +291,7 @@ sub setup_blacklist() {
|
||||
|
||||
|
||||
|
||||
$tgt = verify_audit( 'A_' . $target, $orig_target );
|
||||
$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -648,7 +648,7 @@ sub complete_standard_chain ( $$$$ ) {
|
||||
policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
|
||||
}
|
||||
|
||||
sub require_audit($$);
|
||||
sub require_audit($$;$);
|
||||
|
||||
#
|
||||
# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
|
||||
@ -1136,8 +1136,8 @@ sub map_old_actions( $ ) {
|
||||
#
|
||||
# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
|
||||
|
||||
sub ensure_audit_chain( $;$ ) {
|
||||
my ( $target, $action ) = @_;
|
||||
sub ensure_audit_chain( $;$$ ) {
|
||||
my ( $target, $action, $tgt ) = @_;
|
||||
|
||||
push_comment( '' );
|
||||
|
||||
@ -1149,7 +1149,9 @@ sub ensure_audit_chain( $;$ ) {
|
||||
unless ( $action ) {
|
||||
$action = $target;
|
||||
$action =~ s/^A_//;
|
||||
}
|
||||
}
|
||||
|
||||
$tgt ||= $action;
|
||||
|
||||
if ( $config{FAKE_AUDIT} ) {
|
||||
add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
|
||||
@ -1157,10 +1159,11 @@ sub ensure_audit_chain( $;$ ) {
|
||||
add_rule $ref, '-j AUDIT --type ' . lc $action;
|
||||
}
|
||||
|
||||
if ( $action eq 'REJECT' ) {
|
||||
|
||||
if ( $tgt eq 'REJECT' ) {
|
||||
add_jump $ref , 'reject', 1;
|
||||
} else {
|
||||
add_jump $ref , $action, 0;
|
||||
add_jump $ref , $tgt, 0;
|
||||
}
|
||||
}
|
||||
|
||||
@ -1173,8 +1176,8 @@ sub ensure_audit_chain( $;$ ) {
|
||||
# Return the appropriate target based on whether the second argument is 'audit'
|
||||
#
|
||||
|
||||
sub require_audit($$) {
|
||||
my ($action, $audit ) = @_;
|
||||
sub require_audit($$;$) {
|
||||
my ($action, $audit, $tgt ) = @_;
|
||||
|
||||
return $action unless defined $audit and $audit ne '';
|
||||
|
||||
@ -1184,7 +1187,7 @@ sub require_audit($$) {
|
||||
|
||||
require_capability 'AUDIT_TARGET', 'audit', 's';
|
||||
|
||||
return ensure_audit_chain $target, $action;
|
||||
return ensure_audit_chain $target, $action, $tgt;
|
||||
}
|
||||
|
||||
#
|
||||
@ -1632,12 +1635,12 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
|
||||
#
|
||||
# Confirm that we have AUDIT_TARGET capability and ensure the appropriate AUDIT chain.
|
||||
#
|
||||
sub verify_audit($;$) {
|
||||
my ($target, $audit ) = @_;
|
||||
sub verify_audit($;$$) {
|
||||
my ($target, $audit, $tgt ) = @_;
|
||||
|
||||
require_capability 'AUDIT_TARGET', "$target rules", '';
|
||||
|
||||
return ensure_audit_chain $target, $audit;
|
||||
return ensure_audit_chain $target, $audit, $tgt;
|
||||
}
|
||||
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user