From 3ec6745df90061fdb490d8169e65a67bd14b01e5 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 2 Jul 2013 11:48:02 -0700
Subject: [PATCH] Use log_irule_limit() internally where possible.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 37 ++++++++++++------------
 Shorewall/Perl/Shorewall/Misc.pm | 17 ++++++-----
 Shorewall/Perl/Shorewall/Rules.pm | 45 +++++++++++++++---------------
 3 files changed, 49 insertions(+), 50 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 584c66178..51769ea91 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2609,6 +2609,7 @@ sub ensure_manual_chain($) {
 }
 sub log_rule_limit( $$$$$$$$ );
+sub log_irule_limit( $$$$$$$@ );
 sub ensure_blacklog_chain( $$$$ ) {
 my ( $target, $disposition, $level, $audit ) = @_;
@@ -2619,7 +2620,7 @@ sub ensure_blacklog_chain( $$$$ ) {
 $target =~ s/A_//;
 $target = 'reject' if $target eq 'REJECT';
- log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
+ log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' );
 add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
 add_ijump( $logchainref, g => $target );
@@ -2634,7 +2635,7 @@ sub ensure_audit_blacklog_chain( $$$ ) {
 unless ( $filter_table->{A_blacklog} ) {
 my $logchainref = new_manual_chain 'A_blacklog';
- log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
+ log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' );
 add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target );
@@ -4100,15 +4101,14 @@ sub logchain( $$$$$$ ) {
 #
 # Now add the log rule and target rule without matches to the log chain.
 #
- log_rule_limit(
+ log_irule_limit(
 $loglevel ,
 $logchainref ,
 $chainref->{name} ,
 $disposition ,
- '',
+ [] ,
 $logtag,
- 'add',
- '' );
+ 'add' );
 add_jump( $logchainref, $target, 0, $exceptionrule );
 }
@@ -6074,7 +6074,7 @@ sub log_rule_limit( $$$$$$$$ ) {
 }
 }
-sub log_irule_limit( $$$$\@$$@ ) {
+sub log_irule_limit( $$$$$$$@ ) {
 my ($level, $chainref, $chain, $disposition, $limit, $tag, $command, @matches ) = @_;
 my $prefix = '';
@@ -6084,7 +6084,7 @@ sub log_irule_limit( $$$$\@$$@ ) {
 return 1 if $level eq '';
- %matches = %{transform_rule(@matches)} if @matches;
+ %matches = @matches;
 unless ( $matches{limit} || $matches{hashlimit} ) {
 $limit = $globals{LOGILIMIT} unless @$limit;
@@ -6155,10 +6155,12 @@ sub log_irule_limit( $$$$\@$$@ ) {
 $options =~ s/,/ /g;
 }
- $prefix = "LOG ${options}--log-level $level --log-prefix \"$prefix\" ";
+ $prefix = "LOG ${options}--log-level $level --log-prefix \"$prefix\"";
 }
 }
+ $prefix =~ s/ $//;
+
 if ( $command eq 'add' ) {
 add_ijump ( $chainref, j => $prefix , @matches );
 } else {
@@ -6175,7 +6177,7 @@ sub log_rule( $$$$ ) {
 sub log_irule( $$$;@ ) {
 my ( $level, $chainref, $disposition, @matches ) = @_;
- log_irule_limit $level, $chainref, $chainref->{name} , $disposition, @{$globals{LOGLIMIT}} , '', 'add', @matches;
+ log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', @matches;
 }
 #
@@ -7144,14 +7146,13 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Log rule
 #
- log_rule_limit( $loglevel ,
- $echainref ,
- $chain,
- $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
- '' ,
- $logtag ,
- 'add' ,
- '' )
+ log_irule_limit( $loglevel ,
+ $echainref ,
+ $chain ,
+ $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
+ [] ,
+ $logtag ,
+ 'add' )
 if $loglevel;
 #
 # Generate Final Rule
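Review bot: In the 6084 hunk, `$limit = $globals{LOGILIMIT} unless @$limit;` dereferences the limit argument unconditionally, and with the prototype relaxed from `\@` to `$` in the 6074 hunk nothing stops a caller passing a plain scalar (the IPv6 branch of allowBcast in Rules.pm in this same patch still passes `''`), which is a symbolic dereference that fails at generation time under strict refs instead of falling back to the default limit. Consider `$limit = $globals{LOGILIMIT} unless ref $limit eq 'ARRAY' && @$limit;` so that an absent or non-reference limit means "use LOGILIMIT" rather than a crash. The replacement `%matches = @matches;` also keeps only the last value of any repeated key, which is fine for the limit/hashlimit presence test it feeds but deserves a line such as `# %matches is only used to detect an explicit limit/hashlimit match; the rule itself is built from @matches`. The body of log_irule_limit continues outside this hunk.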
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index ff6cacc7b..e32071456 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -926,14 +926,13 @@ sub add_common_rules ( $ ) {
 if ( supplied $config{SMURF_LOG_LEVEL} ) {
 my $smurfref = new_chain( 'filter', 'smurflog' );
- log_rule_limit( $config{SMURF_LOG_LEVEL},
- $smurfref,
- 'smurfs' ,
- 'DROP',
- $globals{LOGLIMIT},
- '',
- 'add',
- '' );
+ log_irule_limit( $config{SMURF_LOG_LEVEL},
+ $smurfref,
+ 'smurfs' ,
+ 'DROP',
+ $globals{LOGILIMIT},
+ '',
+ 'add' );
 add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
 add_ijump( $smurfref, j => 'DROP' );
@@ -1334,7 +1333,7 @@ sub setup_mac_lists( $ ) {
 run_user_exit2( 'maclog', $chainref );
- log_rule_limit $level, $chainref , $chain , $disposition, '', '', 'add', '' if $level ne '';
+ log_irule_limit $level, $chainref , $chain , $disposition, [], '', 'add' if $level ne '';
 add_ijump $chainref, j => $target;
 }
 }
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 6b7ebaea3..a74f8f675 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -901,14 +901,13 @@ sub setup_syn_flood_chains() {
 new_chain 'filter' , syn_flood_chain $chainref : new_chain( 'filter' , '@' . $chainref->{name} );
 add_rule $synchainref , "${limit}-j RETURN";
- log_rule_limit( $level ,
- $synchainref ,
- $chainref->{name} ,
- 'DROP',
- $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' ,
+ log_irule_limit( $level ,
+ $synchainref ,
+ $chainref->{name} ,
+ 'DROP',
+ @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
 '' ,
- 'add' ,
- '' )
+ 'add' )
 if $level ne '';
 add_ijump $synchainref, j => 'DROP';
 }
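Review bot: In the setup_syn_flood_chains hunk the fallback `[ limit => "--limit 5/min --limit-burst 5" ]` double-quotes a string that interpolates nothing, while the neighbouring literals in this file are single-quoted; `[ limit => '--limit 5/min --limit-burst 5' ]` keeps the convention and tells the reader no variable is expected there. The `@{$globals{LOGILIMIT}} ? ... : ...` test also presumes LOGILIMIT is always an array reference: if it can be undef when no LOGLIMIT is configured, that rvalue dereference fails under strict refs before the fallback is ever reached, so it is worth confirming where LOGILIMIT is initialised (outside this diff) or writing the test as `$globals{LOGILIMIT} && @{$globals{LOGILIMIT}}`. The rest of setup_syn_flood_chains lies outside the hunk.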
@@ -1471,11 +1470,11 @@ sub dropBcast( $$$$ ) {
 if ( have_capability( 'ADDRTYPE' ) ) {
 if ( $level ne '' ) {
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+ log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', addrtype => '--dst-type BROADCAST' );
 if ( $family == F_IPV4 ) {
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+ log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' );
 } else {
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
+ log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST );
 }
 }
@@ -1488,17 +1487,17 @@ sub dropBcast( $$$$ ) {
 }
 incr_cmd_level $chainref;
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
+ log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '$address' ) if $level ne '';
 add_ijump $chainref, j => $target, d => '$address';
 decr_cmd_level $chainref;
 add_commands $chainref, 'done';
 }
 if ( $family == F_IPV4 ) {
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+ log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' if $level ne '';
 add_ijump $chainref, j => $target, d => '224.0.0.0/4';
 } else {
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST . ' ' ) if $level ne '';
+ log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';
 add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
 }
 }
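Review bot: In the 1488 hunk the IPv4 branch calls `log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' if $level ne '';` without parentheses while every other converted call in dropBcast is parenthesised; with the list-taking `@` prototype and a trailing statement modifier this parses as intended, but `log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' ) if $level ne '';` matches its siblings and leaves no doubt about what the `if` governs. The `d => '$address'` on the command-level lines is a deliberate single-quoted shell variable for the generated script, which is not obvious next to the literal addresses; a short `# '$address' is expanded by the generated script, not by Perl` would save the next reader a double take. The head of dropBcast is outside these hunks.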
@@ -1510,8 +1509,8 @@ sub allowBcast( $$$$ ) {
 if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
 if ( $level ne '' ) {
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+ log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', addrtype => '--dst-type BROADCAST' );
+ log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' );
 }
 add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
@@ -1523,17 +1522,17 @@ sub allowBcast( $$$$ ) {
 }
 incr_cmd_level $chainref;
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
+ log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '$address' ) if $level ne '';
 add_ijump $chainref, j => $target, d => '$address';
 decr_cmd_level $chainref;
 add_commands $chainref, 'done';
 }
 if ( $family == F_IPV4 ) {
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+ log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => 224.0.0.0/4 ) if $level ne '';
 add_ijump $chainref, j => $target, d => '224.0.0.0/4';
 } else {
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
+ log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';
 add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
 }
 }
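Review bot: In the 1523 hunk the IPv4 branch passes `d => 224.0.0.0/4` unquoted; Perl reads a bare `224.0.0.0` as a v-string literal and then divides it by 4, so the argument is a numeric expression rather than the string '224.0.0.0/4', and the LOG rule emitted for allowBcast no longer matches the multicast range that the following `add_ijump ... d => '224.0.0.0/4'` accepts — multicast accepts go unlogged without any compile-time complaint. The line should read `log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' ) if $level ne '';`. The IPv6 branch of the same hunk still passes `''` as the limit argument where every other converted call passes `[]`; log_irule_limit now dereferences that argument with `@$limit` (see the Chains.pm 6084 hunk), which is a symbolic dereference of an empty string and fails under strict refs whenever logging is enabled for allowBcast on IPv6 — change it to `log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';`. The head of allowBcast is outside these hunks.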
@@ -1543,7 +1542,7 @@ sub dropNotSyn ( $$$$ ) {
 my $target = require_audit( 'DROP', $audit );
- log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+ log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', p => '6 ! --syn' ) if $level ne '';
 add_ijump $chainref , j => $target, p => '6 ! --syn';
 }
@@ -1558,7 +1557,7 @@ sub rejNotSyn ( $$$$ ) {
 $target = require_audit( 'REJECT' , $audit );
 }
- log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+ log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', p => '6 ! --syn' ) if $level ne '';
 add_ijump $chainref , j => $target, p => '6 ! --syn';
 }
@@ -1574,8 +1573,8 @@ sub allowinUPnP ( $$$$ ) {
 my $target = require_audit( 'ACCEPT', $audit );
 if ( $level ne '' ) {
- log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 ';
- log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
+ log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '17 --dport 1900' );
+ log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '6 --dport 49152' );
 }
 add_ijump $chainref, j => $target, p => '17 --dport 1900';
@@ -1610,7 +1609,7 @@ sub Limit( $$$$ ) {
 if ( $level ne '' ) {
 my $xchainref = new_chain 'filter' , "$chainref->{name}%";
- log_rule_limit $level, $xchainref, $param[0], 'DROP', '', $tag, 'add', '';
+ log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' );
 add_ijump $xchainref, j => 'DROP';
 add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
 } else {