From 09f58512be0625b2cab7eeea684547df3cbf7ffe Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 28 Dec 2011 09:34:34 -0800
Subject: [PATCH] Make 'audit' work on a converted blacklist file.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 16 ++++++++++++++++
 Shorewall/Perl/Shorewall/Rules.pm | 7 +++++++
 2 files changed, 23 insertions(+)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index e2bd02534..c88dfe321 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -57,6 +57,7 @@ our @EXPORT = qw(
 ensure_manual_chain
 ensure_audit_chain
 ensure_blacklog_chain
+ ensure_audit_blacklog_chain
 require_audit
 newlogchain
 log_rule_limit
@@ -2243,6 +2244,21 @@ sub ensure_blacklog_chain( $$$$ ) {
 'blacklog';
 }
+sub ensure_audit_blacklog_chain( $$$ ) {
+ my ( $target, $disposition, $level ) = @_;
+
+ unless ( $filter_table->{A_blacklog} ) {
+ my $logchainref = new_manual_chain 'A_blacklog';
+
+ log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
+
+ add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target );
+ add_ijump( $logchainref, g => $target );
+ }
+
+ 'A_blacklog';
+}
+
 #
 # Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
 #
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 12dd06ea2..fb3e26cbe 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2478,9 +2478,12 @@ sub process_rules() {
 if ( supplied $level ) {
 ensure_blacklog_chain( $target, $disposition, $level, $audit );
+ ensure_audit_blacklog_chain( $target, $disposition, $level ) if have_capability 'AUDIT_TARGET';
 } elsif ( $audit ) {
 require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
 verify_audit( $disposition );
+ } elsif ( have_capability 'AUDIT_TARGET' ) {
+ verify_audit( 'A_' . $disposition );
 }
 } );
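Review bot: The new `ensure_audit_blacklog_chain` has no header comment, while the sub immediately after it is introduced by a `# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name` block; add the same style of header above `sub ensure_audit_blacklog_chain( $$$ ) {`, e.g. `# Create and populate the A_blacklog chain (log, AUDIT, then goto $target) if it doesn't exist. Return chain name`. The AUDIT rule is built from `'--type ' . lc $target`, and the kernel AUDIT target only accepts accept, drop or reject, so the generated ruleset will fail to load unless the caller's $target is always one of those; that precondition is not visible here and deserves a short comment on the `add_ijump( $logchainref, j => 'AUDIT', ... )` line. The log rule records $disposition rather than the audited form of it, which presumably mirrors the non-audit blacklog chain; worth confirming that is the log text you want for audited entries.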
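Review bot: The new third branch, `} elsif ( have_capability 'AUDIT_TARGET' ) { verify_audit( 'A_' . $disposition ); }`, runs for every blacklist file whenever the capability exists, not only when an entry actually asks for 'audit', so it appears to pre-create an A_ chain speculatively. If verify_audit creates that chain the way the first branch creates A_blacklog, it would need the same "unreference it when nothing jumps to it" handling that the later hunk in this commit gives only to A_blacklog — unless the optimizer already drops unreferenced audit chains, which I cannot see from here. A one-line comment above the branch saying why the chain is created eagerly would help the next reader. process_rules starts and ends outside this hunk.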
@@ -2489,6 +2492,10 @@ sub process_rules() {
 process_rule while read_a_line;
 $section = '';
+
+ if ( my $chainref = $filter_table->{A_blacklog} ) {
+ $chainref->{referenced} = 0 unless @{$chainref->{references}};
+ }
 }
 $fn = open_file 'rules';
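Review bot: `$chainref->{referenced} = 0 unless @{$chainref->{references}};` dereferences the chain's `references` slot as an array; if that slot is a hash keyed by referencing chain, as chain records in Chains.pm appear to use elsewhere, this line dies at generation time with "Not an ARRAY reference" under strict refs rather than silently doing nothing. Please check the structure new_manual_chain builds and, if it is a hash, use `$chainref->{referenced} = 0 unless keys %{$chainref->{references}};`. A brief comment such as `# A_blacklog was created eagerly; drop it if no blacklist entry jumped to it` would also explain why the chain is unreferenced here rather than never created. process_rules continues outside this hunk.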