From 17d1caf8c5ff15367f096f193565652a41199a4c Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 6 Sep 2015 16:08:59 -0700 Subject: [PATCH] Allow tags in global LOG_LEVELs Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 6 +-- Shorewall/Perl/Shorewall/Config.pm | 16 +++++++ Shorewall/Perl/Shorewall/Misc.pm | 59 ++++++++++++++++++++----- Shorewall/Perl/Shorewall/Rules.pm | 26 ++++++----- Shorewall/manpages/shorewall.conf.xml | 33 +++++++------- Shorewall6/manpages/shorewall6.conf.xml | 33 +++++++------- 6 files changed, 116 insertions(+), 57 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 086ce6294..92ddb2f89 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -2729,8 +2729,8 @@ sub ensure_manual_chain($) { sub log_irule_limit( $$$$$$$@ ); -sub ensure_blacklog_chain( $$$$ ) { - my ( $target, $disposition, $level, $audit ) = @_; +sub ensure_blacklog_chain( $$$$$ ) { + my ( $target, $disposition, $level, $tag, $audit ) = @_; unless ( $filter_table->{blacklog} ) { my $logchainref = new_manual_chain 'blacklog'; @@ -2738,7 +2738,7 @@ sub ensure_blacklog_chain( $$$$ ) { $target =~ s/A_//; $target = 'reject' if $target eq 'REJECT'; - log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' ); + log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add' ); add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit; add_ijump( $logchainref, g => $target ); diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index f28ae8c28..5550140cb 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
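Review bot: The new `$tag` parameter of ensure_blacklog_chain is undocumented, and because the chain is only built inside `unless ( $filter_table->{blacklog} )`, the tag (like the level) is taken from whichever caller reaches it first and reused for every later caller; a comment above the sub would make that explicit, e.g. `# Build the 'blacklog' chain once; $level and $tag come from the first caller.` The prototype change to `( $$$$$ )` should turn any caller still passing four arguments into a compile-time error, which is the desirable outcome, but only the Rules.pm call site is visible in this patch, so any other callers need checking. The following @@ -2738 hunk touches the same function and just forwards `$tag` to log_irule_limit.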
@@ -713,6 +713,14 @@ sub initialize( $;$$) { KLUDGEFREE => '', VERSION => "4.5.19-Beta1", CAPVERSION => 40609 , + BLACKLIST_LOG_TAG => '', + RELATED_LOG_TAG => '', + MACLIST_LOG_TAG => '', + TCP_FLAGS_LOG_TAG => '', + SMURF_LOG_TAG => '', + RPFILTER_LOG_TAG => '', + INVALID_LOG_TAG => '', + UNTRACKED_LOG_TAG => '', ); # # From shorewall.conf file @@ -3742,7 +3750,15 @@ sub default_log_level( $$ ) { unless ( supplied $value ) { $config{$level} = validate_level $default, $level; } else { + ( $value, my $tag ) = split( ':', $value , 2 ); $config{$level} = validate_level $value, $level; + if ( supplied $tag ) { + my $tag_name = $level; + + $tag_name =~ s/_LEVEL/_TAG/; + + $globals{$tag_name} = $tag; + } } } diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 102ee346d..aa5786950 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -136,10 +136,17 @@ sub setup_ecn() } } -sub add_rule_pair( $$$$ ) { - my ($chainref , $predicate , $target , $level ) = @_; +sub add_rule_pair( $$$$$ ) { + my ($chainref , $predicate , $target , $level, $tag ) = @_; - log_rule( $level, $chainref, "\U$target", $predicate ) if supplied $level; + log_rule_limit( $level, + $chainref, + $chainref->{name}, + "\U$target", + $globals{LOGLIMIT}, + $tag, + 'add', + $predicate ) if supplied $level; add_jump( $chainref , $target, 0, $predicate ); } @@ -195,13 +202,16 @@ sub convert_blacklist() { my $zones = find_zones_by_option 'blacklist', 'in'; my $zones1 = find_zones_by_option 'blacklist', 'out'; my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' }; + my $tag = $globals{MACLIST_LOG_TAG}; my $audit = $disposition =~ /^A_/; my $target = $disposition; my $orig_target = $target; my @rules; if ( @$zones || @$zones1 ) { - $target = "$target:$level" if supplied $level; + if ( supplied $level ) { + $target = supplied $tag ? "$target:$level:$tag":"$target:$level"; + } my $fn = open_file( 'blacklist' ); 
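Review bot: The seeded `*_LOG_TAG` keys in initialize do not include SFILTER_LOG_TAG, although Misc.pm's add_common_rules reads a tag for SFILTER_LOG_LEVEL in this same patch; if SFILTER_LOG_LEVEL is processed by default_log_level, its tag is written to `$globals{SFILTER_LOG_TAG}` without a default, and a reader expecting `''` rather than undef will see the difference. Adding `SFILTER_LOG_TAG => '',` to this list keeps the sfilter site consistent with the eight entries already here. I cannot see which level keys go through default_log_level, so the same applies to any other `*_LOG_LEVEL` setting that does.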
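Review bot: The tag split off at `( $value, my $tag ) = split( ':', $value , 2 );` is stored in `%globals` without any validation, while `$value` still goes through validate_level; the tag ends up in the prefix of the generated log rule, so if log_rule_limit does not validate or quote it (its body is not visible here), a shorewall.conf tag containing whitespace or quote characters would break the generated script instead of being rejected at compile time. Validating the tag here the same way rules-file log tags are validated would close that gap. Separately, `$tag_name =~ s/_LEVEL/_TAG/;` is unanchored and unchecked: for a `$level` key that does not contain `_LEVEL` it would silently store the tag under the level's own key, so `$tag_name =~ s/_LEVEL\z/_TAG/ or die "unexpected level key $level";` (or the module's fatal-error helper) is safer. default_log_level continues outside the hunk.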
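Review bot: The eight-line `log_rule_limit( $level, $chainref, $chainref->{name}, ..., $globals{LOGLIMIT}, $tag, 'add', ... )` call introduced in add_rule_pair is repeated almost verbatim in the @@ -657, @@ -750 and @@ -947 hunks of this file and in Rules.pm's @@ -1035 hunk; since add_rule_pair already wraps exactly that shape, the other sites could call one small shared helper (level, chain, disposition, tag, predicate) instead of restating the positional argument list, which also makes the adjacent `$tag`/`'add'` slots harder to transpose. The new `$tag` parameter is also undocumented; a line such as `# $tag: optional log tag that follows the disposition in the log prefix ('' for none)` above the sub would help.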
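Review bot: `my $tag = $globals{MACLIST_LOG_TAG};` in convert_blacklist reads the maclist tag, but the level it is paired with on the preceding line is BLACKLIST_LOG_LEVEL, so rules converted from the legacy blacklist file get the maclist tag (or none) while the @@ -631 hunk of this file correctly uses BLACKLIST_LOG_TAG; it should read `my $tag = $globals{BLACKLIST_LOG_TAG};`. The rest of the hunk (the `"$target:$level:$tag"` construction) is consistent with that fix. convert_blacklist continues outside the hunk.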
@@ -631,11 +641,12 @@ sub add_common_rules ( $ ) { my @state = state_imatch( $globals{BLACKLIST_STATES} ); my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED'; my $level = $config{BLACKLIST_LOG_LEVEL}; + my $tag = $globals{BLACKLIST_LOG_TAG}; my $rejectref = $filter_table->{reject}; if ( $config{DYNAMIC_BLACKLIST} ) { - add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level ); - add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level ); + add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag); + add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag); $dynamicref = set_optflags( new_standard_chain( 'dynamic' ) , DONT_OPTIMIZE ); add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' ); } @@ -648,6 +659,7 @@ sub add_common_rules ( $ ) { my $policy = $config{SFILTER_DISPOSITION}; $level = $config{SFILTER_LOG_LEVEL}; + $tag = $config{SFILTER_LOG_TAG}; my $audit = $policy =~ s/^A_//; my @ipsec = have_ipsec ? ( policy => '--pol none --dir in' ) : (); @@ -657,7 +669,14 @@ sub add_common_rules ( $ ) { # $chainref = new_standard_chain 'sfilter'; - log_rule $level , $chainref , $policy , '' if $level ne ''; + log_rule_limit( $level, + $chainref, + $chainref->{name}, + $policy, + $globals{LOGLIMIT}, + $tag, + 'add', + '' ) if $level ne ''; add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit; @@ -742,6 +761,7 @@ sub add_common_rules ( $ ) { if ( @$list ) { $policy = $config{RPFILTER_DISPOSITION}; $level = $config{RPFILTER_LOG_LEVEL}; + $tag = $globals{RPFILTER_LOG_TAG}; $audit = $policy =~ s/^A_//; if ( $level || $audit ) { 
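Review bot: `$tag = $config{SFILTER_LOG_TAG};` in the @@ -648 hunk reads from `%config`, while default_log_level in this patch stores tags in `%globals` and every other site in this file (BLACKLIST, RPFILTER, SMURF, TCP_FLAGS, MACLIST) reads `$globals{..._LOG_TAG}`; under strict a missing `%config` key just yields undef, so an SFILTER_LOG_LEVEL tag would silently never reach the sfilter log rule in the @@ -657 hunk. It should be `$tag = $globals{SFILTER_LOG_TAG};`, with that key seeded in Config.pm's initialize alongside the others. add_common_rules starts and ends outside these hunks.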
@@ -750,7 +770,14 @@ sub add_common_rules ( $ ) { # $chainref = ensure_mangle_chain 'rplog'; - log_rule $level , $chainref , $policy , '' if $level ne ''; + log_rule_limit( $level, + $chainref, + $chainref->{name}, + $policy, + $globals{LOGLIMIT}, + $tag, + 'add', + '' ) if $level ne ''; add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit; @@ -811,7 +838,7 @@ sub add_common_rules ( $ ) { 'smurfs' , 'DROP', $globals{LOGILIMIT}, - '', + $globals{SMURF_LOG_TAG}, 'add' ); add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP'; add_ijump( $smurfref, j => 'DROP' ); @@ -933,6 +960,7 @@ sub add_common_rules ( $ ) { if ( @$list ) { my $level = $config{TCP_FLAGS_LOG_LEVEL}; + my $tag = $globals{TCP_FLAGS_LOG_TAG}; my $disposition = $config{TCP_FLAGS_DISPOSITION}; my $audit = $disposition =~ /^A_/; @@ -947,7 +975,15 @@ sub add_common_rules ( $ ) { $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options "; - log_rule $level , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, ''; + log_rule_limit( $level, + $logflagsref, + 'logflags', + $disposition, + $globals{LOGLIMIT}, + $tag, + 'add', + '' + ); $globals{LOGPARMS} = $savelogparms; @@ -1052,6 +1088,7 @@ sub setup_mac_lists( $ ) { my $target = $globals{MACLIST_TARGET}; my $level = $config{MACLIST_LOG_LEVEL}; + my $tag = $globals{MACLIST_LOG_TAG}; my $disposition = $config{MACLIST_DISPOSITION}; my $audit = ( $disposition =~ s/^A_// ); my $ttl = $config{MACLIST_TTL}; @@ -1220,7 +1257,7 @@ sub setup_mac_lists( $ ) { run_user_exit2( 'maclog', $chainref ); - log_irule_limit $level, $chainref , $chain , $disposition, [], '', 'add' if $level ne ''; + log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add' if $level ne ''; add_ijump $chainref, j => $target; } } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index ea1d8fded..dce4c555a 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm 
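Review bot: The new log_rule_limit call in the @@ -947 (TCP_FLAGS) hunk passes the chain name as the literal `'logflags'`, whereas the other converted sites pass `$chainref->{name}`; using `$logflagsref->{name}` here keeps the rule-name argument tied to the chain actually used and avoids a silent mismatch if the chain is ever renamed. Switching from `$config{TCP_FLAGS_DISPOSITION}` to `$disposition` looks behaviour-preserving, since the @@ -933 hunk copies `$disposition` from that key and only matches it with `/^A_/` without modifying it, but that depends on nothing between the two hunks reassigning it.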
+++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1022,7 +1022,7 @@ sub finish_chain_section ($$$) { for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) { if ( $state{$_} ) { - my ( $char, $level, $target ) = @{$statetable{$_}}; + my ( $char, $level, $tag, $target ) = @{$statetable{$_}}; my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char; if ( $twochains || $level || $target ne 'ACCEPT' ) { @@ -1035,10 +1035,14 @@ sub finish_chain_section ($$$) { $chain2ref = new_chain( 'filter', "${char}$chainref->{name}" ); } - log_rule( $level, - $chain2ref, - uc $target, - '' ); + log_rule_limit( $level, + $chain2ref, + $chain2ref->{name}, + uc $target, + $globals{LOGLIMIT}, + $tag , + 'add' , + ''); $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT; @@ -3358,10 +3362,10 @@ sub process_rules() { # # Populate the state table # - %statetable = ( ESTABLISHED => [ '^', '', 'ACCEPT' ] , - RELATED => [ '+', $config{RELATED_LOG_LEVEL}, $globals{RELATED_TARGET} ] , - INVALID => [ '_', $config{INVALID_LOG_LEVEL}, $globals{INVALID_TARGET} ] , - UNTRACKED => [ '&', $config{UNTRACKED_LOG_LEVEL}, $globals{UNTRACKED_TARGET} ] , + %statetable = ( ESTABLISHED => [ '^', '', '', 'ACCEPT' ] , + RELATED => [ '+', $config{RELATED_LOG_LEVEL}, $globals{RELATED_LOG_TAG}, $globals{RELATED_TARGET} ] , + INVALID => [ '_', $config{INVALID_LOG_LEVEL}, $globals{INVALID_LOG_TAG}, $globals{INVALID_TARGET} ] , + UNTRACKED => [ '&', $config{UNTRACKED_LOG_LEVEL}, $globals{UNTRACKED_LOG_TAG}, $globals{UNTRACKED_TARGET} ] , ); %section_states = ( BLACKLIST_SECTION , $globals{BLACKLIST_STATES}, ESTABLISHED_SECTION, 'ESTABLISHED', 
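Review bot: The `%statetable` entries in the @@ -3358 hunk are now four positional fields with two adjacent plain strings (level, tag) in the middle, and finish_chain_section unpacks them positionally in the @@ -1022 hunk, so a transposed entry would compile and run with the tag used as the level; a comment above the table such as `# [ chain-name prefix char, log level, log tag, target ]` documents the layout at the one place it is defined. In the @@ -1035 hunk the spacing `$tag ,` / `'add' ,` / `'');` is inconsistent with the surrounding argument list and worth tidying.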
@@ -3391,14 +3395,14 @@ sub process_rules() { if ( $fn ) { first_entry( sub () { - my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' }; + my ( $level, $disposition , $tag ) = ( @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' }, $globals{BLACKLIST_LOG_TAG} ) ; my $audit = $disposition =~ /^A_/; my $target = $disposition eq 'REJECT' ? 'reject' : $disposition; progress_message2 "$doing $currentfilename..."; if ( supplied $level ) { - ensure_blacklog_chain( $target, $disposition, $level, $audit ); + ensure_blacklog_chain( $target, $disposition, $level, $tag, $audit ); ensure_audit_blacklog_chain( $target, $disposition, $level ) if have_capability 'AUDIT_TARGET'; } elsif ( $audit ) { require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's'; diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 129eeebf6..b3f8538b1 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -78,18 +78,19 @@ If you want to specify parameters to ULOG or NFLOG (e.g., - NFLOG(1,0,1)), then you must either quote the setting or you must escape - the parentheses. + NFLOG(1,0,1)), then you must quote the setting. - Examples: + Example: MACLIST_LOG_LEVEL="NFLOG(1,0,1)" - - or - - MACLIST_LOG_LEVEL=NFLOG\(1,0,1\) + Beginning with Shorewall 5.0.0, the log level may be followed by a + colon (":") and a log tag. The log tag normally + follows the packet disposition in Shorewall-generated Netfilter log + messages, separated from the disposition by a colon (e.g, "DROP:mytag"). + See LOGTAGONLY below for additional information. + Beginning with Shorewall 4.4.22, LOGMARK is also a valid level which logs the packet's mark value along with the other usual information. The syntax is: @@ -514,7 +515,7 @@ BLACKLIST_LOG_LEVEL=[log-level] + role="bold">BLACKLIST_LOG_LEVEL=[log-level[:log-tag]] Formerly named BLACKLIST_LOGLEVEL. This parameter determines 
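Review bot: `ensure_blacklog_chain` now receives `$tag`, but the `ensure_audit_blacklog_chain( $target, $disposition, $level )` call immediately below it is unchanged, so when the AUDIT_TARGET capability is present the audited blacklog chain will log without the tag that the non-audited chain gets; unless that helper deliberately never logs (its body is not visible here), it should gain the same parameter, e.g. `ensure_audit_blacklog_chain( $target, $disposition, $level, $tag ) if have_capability 'AUDIT_TARGET';`. The enclosing first_entry closure and process_rules continue outside the hunk.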
@@ -1001,7 +1002,7 @@ net all DROP infothen the chain name is 'net-all' INVALID_LOG_LEVEL=log-level + role="bold">INVALID_LOG_LEVEL=log-level[:log-tag] Added in Shorewall 4.5.13. Packets in the INVALID state that @@ -1464,7 +1465,7 @@ LOG:info:,bar net fw MACLIST_LOG_LEVEL=[log-level] + role="bold">MACLIST_LOG_LEVEL=[log-level[:log-tag]] Determines the syslog level for logging connection requests @@ -2075,7 +2076,7 @@ LOG:info:,bar net fw RELATED_LOG_LEVEL=log-level + role="bold">RELATED_LOG_LEVEL=log-level[:log-tag] Added in Shorewall 4.4.27. Packets in the related state that @@ -2292,7 +2293,7 @@ INLINE - - - ; -j REJECT RPFILTER_LOG_LEVEL=log-level + role="bold">RPFILTER_LOG_LEVEL=log-level[:log-tag] Added in shorewall 4.5.7. Determines the logging of packets @@ -2353,7 +2354,7 @@ INLINE - - - ; -j REJECT SFILTER_LOG_LEVEL=log-level + role="bold">SFILTER_LOG_LEVEL=log-level[:log-tag] Added on Shorewall 4.4.20. Determines the logging of packets @@ -2398,7 +2399,7 @@ INLINE - - - ; -j REJECT SMURF_LOG_LEVEL=[log-level] + role="bold">SMURF_LOG_LEVEL=[log-level[:log-tag]] Specifies the logging level for smurf packets (see the @@ -2573,7 +2574,7 @@ INLINE - - - ; -j REJECT TCP_FLAGS_LOG_LEVEL=[log-level] + role="bold">TCP_FLAGS_LOG_LEVEL=[log-level[:log-tag]] Determines the syslog level for logging packets that fail the @@ -2649,7 +2650,7 @@ INLINE - - - ; -j REJECT UNTRACKED_LOG_LEVEL=log-level + role="bold">UNTRACKED_LOG_LEVEL=log-level[:log-tag] Added in Shorewall 4.5.13. Packets in the UNTRACKED state that diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index cade5b156..67ff6f66a 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml 
@@ -77,18 +77,19 @@ If you want to specify parameters to ULOG or NFLOG (e.g., - NFLOG(1,0,1)), then you must either quote the setting or you must escape - the parentheses. + NFLOG(1,0,1)), then you must quote the setting. - Examples: + Example: MACLIST_LOG_LEVEL="NFLOG(1,0,1)" - - or - - MACLIST_LOG_LEVEL=NFLOG\(1,0,1\) + Beginning with Shorewall 5.0.0, the log level may be followed by a + colon (":") and a log tag. The log tag normally + follows the packet disposition in Shorewall-generated Netfilter log + messages, separated from the disposition by a colon (e.g, "DROP:mytag"). + See LOGTAGONLY below for additional information. + The following options may be set in shorewall6.conf. @@ -434,7 +435,7 @@ BLACKLIST_LOG_LEVEL=[log-level] + role="bold">BLACKLIST_LOG_LEVEL=[log-level[:log-tag]] Formerly named BLACKLIST_LOGLEVEL. This parameter determines @@ -866,7 +867,7 @@ net all DROP infothen the chain name is 'net-all' INVALID_LOG_LEVEL=log-level + role="bold">INVALID_LOG_LEVEL=log-level[:log-tag] Added in Shorewall 4.5.13. Packets in the INVALID state that @@ -1291,7 +1292,7 @@ LOG:info:,bar net fw MACLIST_LOG_LEVEL=[log-level] + role="bold">MACLIST_LOG_LEVEL=[log-level[:log-tag]] Determines the syslog level for logging connection requests @@ -1830,7 +1831,7 @@ LOG:info:,bar net fw RELATED_LOG_LEVEL=log-level + role="bold">RELATED_LOG_LEVEL=log-level[:log-tag] Added in Shorewall 4.4.27. Packets in the related state that @@ -1971,7 +1972,7 @@ INLINE - - - ; -j REJECT RPFILTER_LOG_LEVEL=log-level + role="bold">RPFILTER_LOG_LEVEL=log-level[:log-tag] Added in shorewall 4.5.7. Determines the logging of packets @@ -2027,7 +2028,7 @@ INLINE - - - ; -j REJECT SMURF_LOG_LEVEL=[log-level] + role="bold">SMURF_LOG_LEVEL=[log-level[:log-tag]] Specifies the logging level for smurf packets (see the 
@@ -2057,7 +2058,7 @@ INLINE - - - ; -j REJECT SFILTER_LOG_LEVEL=log-level + role="bold">SFILTER_LOG_LEVEL=log-level[:log-tag] Added on Shorewall 4.4.20. Determines the logging of packets @@ -2235,7 +2236,7 @@ INLINE - - - ; -j REJECT TCP_FLAGS_LOG_LEVEL=[log-level] + role="bold">TCP_FLAGS_LOG_LEVEL=[log-level[:log-tag]] Determines the syslog level for logging packets that fail the @@ -2313,7 +2314,7 @@ INLINE - - - ; -j REJECT UNTRACKED_LOG_LEVEL=log-level + role="bold">UNTRACKED_LOG_LEVEL=log-level[:log-tag] Added in Shorewall 4.5.13. Packets in the UNTRACKED state that