Use log_irule_limit() internally where possible.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
55be5b0119
commit
3ec6745df9
@ -2609,6 +2609,7 @@ sub ensure_manual_chain($) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
sub log_rule_limit( $$$$$$$$ );
|
sub log_rule_limit( $$$$$$$$ );
|
||||||
|
sub log_irule_limit( $$$$$$$@ );
|
||||||
|
|
||||||
sub ensure_blacklog_chain( $$$$ ) {
|
sub ensure_blacklog_chain( $$$$ ) {
|
||||||
my ( $target, $disposition, $level, $audit ) = @_;
|
my ( $target, $disposition, $level, $audit ) = @_;
|
||||||
@ -2619,7 +2620,7 @@ sub ensure_blacklog_chain( $$$$ ) {
|
|||||||
$target =~ s/A_//;
|
$target =~ s/A_//;
|
||||||
$target = 'reject' if $target eq 'REJECT';
|
$target = 'reject' if $target eq 'REJECT';
|
||||||
|
|
||||||
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' );
|
||||||
|
|
||||||
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
||||||
add_ijump( $logchainref, g => $target );
|
add_ijump( $logchainref, g => $target );
|
||||||
@ -2634,7 +2635,7 @@ sub ensure_audit_blacklog_chain( $$$ ) {
|
|||||||
unless ( $filter_table->{A_blacklog} ) {
|
unless ( $filter_table->{A_blacklog} ) {
|
||||||
my $logchainref = new_manual_chain 'A_blacklog';
|
my $logchainref = new_manual_chain 'A_blacklog';
|
||||||
|
|
||||||
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' );
|
||||||
|
|
||||||
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target );
|
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target );
|
||||||
|
|
||||||
@ -4100,15 +4101,14 @@ sub logchain( $$$$$$ ) {
|
|||||||
#
|
#
|
||||||
# Now add the log rule and target rule without matches to the log chain.
|
# Now add the log rule and target rule without matches to the log chain.
|
||||||
#
|
#
|
||||||
log_rule_limit(
|
log_irule_limit(
|
||||||
$loglevel ,
|
$loglevel ,
|
||||||
$logchainref ,
|
$logchainref ,
|
||||||
$chainref->{name} ,
|
$chainref->{name} ,
|
||||||
$disposition ,
|
$disposition ,
|
||||||
'',
|
[] ,
|
||||||
$logtag,
|
$logtag,
|
||||||
'add',
|
'add' );
|
||||||
'' );
|
|
||||||
add_jump( $logchainref, $target, 0, $exceptionrule );
|
add_jump( $logchainref, $target, 0, $exceptionrule );
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -6074,7 +6074,7 @@ sub log_rule_limit( $$$$$$$$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub log_irule_limit( $$$$\@$$@ ) {
|
sub log_irule_limit( $$$$$$$@ ) {
|
||||||
my ($level, $chainref, $chain, $disposition, $limit, $tag, $command, @matches ) = @_;
|
my ($level, $chainref, $chain, $disposition, $limit, $tag, $command, @matches ) = @_;
|
||||||
|
|
||||||
my $prefix = '';
|
my $prefix = '';
|
||||||
@ -6084,7 +6084,7 @@ sub log_irule_limit( $$$$\@$$@ ) {
|
|||||||
|
|
||||||
return 1 if $level eq '';
|
return 1 if $level eq '';
|
||||||
|
|
||||||
%matches = %{transform_rule(@matches)} if @matches;
|
%matches = @matches;
|
||||||
|
|
||||||
unless ( $matches{limit} || $matches{hashlimit} ) {
|
unless ( $matches{limit} || $matches{hashlimit} ) {
|
||||||
$limit = $globals{LOGILIMIT} unless @$limit;
|
$limit = $globals{LOGILIMIT} unless @$limit;
|
||||||
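Review bot: Relaxing the fifth prototype slot from `\@` to `$` removes the compile-time guarantee that `$limit` is an array reference, yet `$limit = $globals{LOGILIMIT} unless @$limit;` still dereferences it unconditionally; under `use strict` a caller that passes a plain string (the allowBcast IPv6 call elsewhere in this commit passes `''`) would presumably die with "Can't use string as an ARRAY ref" rather than fall back to LOGILIMIT. A defensive form costs one line: `$limit = $globals{LOGILIMIT} unless ref $limit && @$limit;`. For the same reason `%matches = @matches;` now trusts every caller to supply an even-length key/value list; a short comment such as `# @matches is a flat key => value list; no transform_rule normalisation is applied` would make that contract explicit at the point it is assumed. The body of log_irule_limit begins before this hunk and continues after it.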
@ -6155,10 +6155,12 @@ sub log_irule_limit( $$$$\@$$@ ) {
|
|||||||
$options =~ s/,/ /g;
|
$options =~ s/,/ /g;
|
||||||
}
|
}
|
||||||
|
|
||||||
$prefix = "LOG ${options}--log-level $level --log-prefix \"$prefix\" ";
|
$prefix = "LOG ${options}--log-level $level --log-prefix \"$prefix\"";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$prefix =~ s/ $//;
|
||||||
|
|
||||||
if ( $command eq 'add' ) {
|
if ( $command eq 'add' ) {
|
||||||
add_ijump ( $chainref, j => $prefix , @matches );
|
add_ijump ( $chainref, j => $prefix , @matches );
|
||||||
} else {
|
} else {
|
||||||
@ -6175,7 +6177,7 @@ sub log_rule( $$$$ ) {
|
|||||||
sub log_irule( $$$;@ ) {
|
sub log_irule( $$$;@ ) {
|
||||||
my ( $level, $chainref, $disposition, @matches ) = @_;
|
my ( $level, $chainref, $disposition, @matches ) = @_;
|
||||||
|
|
||||||
log_irule_limit $level, $chainref, $chainref->{name} , $disposition, @{$globals{LOGLIMIT}} , '', 'add', @matches;
|
log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', @matches;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -7144,14 +7146,13 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
# Log rule
|
# Log rule
|
||||||
#
|
#
|
||||||
log_rule_limit( $loglevel ,
|
log_irule_limit( $loglevel ,
|
||||||
$echainref ,
|
$echainref ,
|
||||||
$chain,
|
$chain ,
|
||||||
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||||
'' ,
|
[] ,
|
||||||
$logtag ,
|
$logtag ,
|
||||||
'add' ,
|
'add' )
|
||||||
'' )
|
|
||||||
if $loglevel;
|
if $loglevel;
|
||||||
#
|
#
|
||||||
# Generate Final Rule
|
# Generate Final Rule
|
||||||
|
@ -926,14 +926,13 @@ sub add_common_rules ( $ ) {
|
|||||||
if ( supplied $config{SMURF_LOG_LEVEL} ) {
|
if ( supplied $config{SMURF_LOG_LEVEL} ) {
|
||||||
my $smurfref = new_chain( 'filter', 'smurflog' );
|
my $smurfref = new_chain( 'filter', 'smurflog' );
|
||||||
|
|
||||||
log_rule_limit( $config{SMURF_LOG_LEVEL},
|
log_irule_limit( $config{SMURF_LOG_LEVEL},
|
||||||
$smurfref,
|
$smurfref,
|
||||||
'smurfs' ,
|
'smurfs' ,
|
||||||
'DROP',
|
'DROP',
|
||||||
$globals{LOGLIMIT},
|
$globals{LOGILIMIT},
|
||||||
'',
|
'',
|
||||||
'add',
|
'add' );
|
||||||
'' );
|
|
||||||
add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
|
add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
|
||||||
add_ijump( $smurfref, j => 'DROP' );
|
add_ijump( $smurfref, j => 'DROP' );
|
||||||
|
|
||||||
@ -1334,7 +1333,7 @@ sub setup_mac_lists( $ ) {
|
|||||||
|
|
||||||
run_user_exit2( 'maclog', $chainref );
|
run_user_exit2( 'maclog', $chainref );
|
||||||
|
|
||||||
log_rule_limit $level, $chainref , $chain , $disposition, '', '', 'add', '' if $level ne '';
|
log_irule_limit $level, $chainref , $chain , $disposition, [], '', 'add' if $level ne '';
|
||||||
add_ijump $chainref, j => $target;
|
add_ijump $chainref, j => $target;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -901,14 +901,13 @@ sub setup_syn_flood_chains() {
|
|||||||
new_chain 'filter' , syn_flood_chain $chainref :
|
new_chain 'filter' , syn_flood_chain $chainref :
|
||||||
new_chain( 'filter' , '@' . $chainref->{name} );
|
new_chain( 'filter' , '@' . $chainref->{name} );
|
||||||
add_rule $synchainref , "${limit}-j RETURN";
|
add_rule $synchainref , "${limit}-j RETURN";
|
||||||
log_rule_limit( $level ,
|
log_irule_limit( $level ,
|
||||||
$synchainref ,
|
$synchainref ,
|
||||||
$chainref->{name} ,
|
$chainref->{name} ,
|
||||||
'DROP',
|
'DROP',
|
||||||
$globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' ,
|
@{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
|
||||||
'' ,
|
'' ,
|
||||||
'add' ,
|
'add' )
|
||||||
'' )
|
|
||||||
if $level ne '';
|
if $level ne '';
|
||||||
add_ijump $synchainref, j => 'DROP';
|
add_ijump $synchainref, j => 'DROP';
|
||||||
}
|
}
|
||||||
@ -1471,11 +1470,11 @@ sub dropBcast( $$$$ ) {
|
|||||||
|
|
||||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||||
if ( $level ne '' ) {
|
if ( $level ne '' ) {
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', addrtype => '--dst-type BROADCAST' );
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' );
|
||||||
} else {
|
} else {
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
|
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1488,17 +1487,17 @@ sub dropBcast( $$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
incr_cmd_level $chainref;
|
incr_cmd_level $chainref;
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
|
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '$address' ) if $level ne '';
|
||||||
add_ijump $chainref, j => $target, d => '$address';
|
add_ijump $chainref, j => $target, d => '$address';
|
||||||
decr_cmd_level $chainref;
|
decr_cmd_level $chainref;
|
||||||
add_commands $chainref, 'done';
|
add_commands $chainref, 'done';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' if $level ne '';
|
||||||
add_ijump $chainref, j => $target, d => '224.0.0.0/4';
|
add_ijump $chainref, j => $target, d => '224.0.0.0/4';
|
||||||
} else {
|
} else {
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST . ' ' ) if $level ne '';
|
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';
|
||||||
add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
|
add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1510,8 +1509,8 @@ sub allowBcast( $$$$ ) {
|
|||||||
|
|
||||||
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
|
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
|
||||||
if ( $level ne '' ) {
|
if ( $level ne '' ) {
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', addrtype => '--dst-type BROADCAST' );
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' );
|
||||||
}
|
}
|
||||||
|
|
||||||
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
|
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
|
||||||
@ -1523,17 +1522,17 @@ sub allowBcast( $$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
incr_cmd_level $chainref;
|
incr_cmd_level $chainref;
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
|
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '$address' ) if $level ne '';
|
||||||
add_ijump $chainref, j => $target, d => '$address';
|
add_ijump $chainref, j => $target, d => '$address';
|
||||||
decr_cmd_level $chainref;
|
decr_cmd_level $chainref;
|
||||||
add_commands $chainref, 'done';
|
add_commands $chainref, 'done';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => 224.0.0.0/4 ) if $level ne '';
|
||||||
add_ijump $chainref, j => $target, d => '224.0.0.0/4';
|
add_ijump $chainref, j => $target, d => '224.0.0.0/4';
|
||||||
} else {
|
} else {
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
|
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';
|
||||||
add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
|
add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
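Review bot: Two of the rewritten allowBcast log calls differ from their siblings in ways that look unintended. The IPv4 call `d => 224.0.0.0/4` is unquoted, unlike every other `'224.0.0.0/4'` in this commit; a bare numeric literal with that many dots is presumably read by Perl as a v-string, so the address would not reach the generated rule as written — it should be `d => '224.0.0.0/4'`. The IPv6 call passes `''` as the limit argument where all other converted callers pass `[]`, and log_irule_limit dereferences that argument with `@$limit`, so this would presumably die under strict refs on the first IPv6 allowBcast with logging enabled; change it to `log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';`. The start of allowBcast is outside this hunk.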
@ -1543,7 +1542,7 @@ sub dropNotSyn ( $$$$ ) {
|
|||||||
|
|
||||||
my $target = require_audit( 'DROP', $audit );
|
my $target = require_audit( 'DROP', $audit );
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
|
log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', p => '6 ! --syn' ) if $level ne '';
|
||||||
add_ijump $chainref , j => $target, p => '6 ! --syn';
|
add_ijump $chainref , j => $target, p => '6 ! --syn';
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1558,7 +1557,7 @@ sub rejNotSyn ( $$$$ ) {
|
|||||||
$target = require_audit( 'REJECT' , $audit );
|
$target = require_audit( 'REJECT' , $audit );
|
||||||
}
|
}
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
|
log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', p => '6 ! --syn' ) if $level ne '';
|
||||||
add_ijump $chainref , j => $target, p => '6 ! --syn';
|
add_ijump $chainref , j => $target, p => '6 ! --syn';
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1574,8 +1573,8 @@ sub allowinUPnP ( $$$$ ) {
|
|||||||
my $target = require_audit( 'ACCEPT', $audit );
|
my $target = require_audit( 'ACCEPT', $audit );
|
||||||
|
|
||||||
if ( $level ne '' ) {
|
if ( $level ne '' ) {
|
||||||
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 ';
|
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '17 --dport 1900' );
|
||||||
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
|
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '6 --dport 49152' );
|
||||||
}
|
}
|
||||||
|
|
||||||
add_ijump $chainref, j => $target, p => '17 --dport 1900';
|
add_ijump $chainref, j => $target, p => '17 --dport 1900';
|
||||||
@ -1610,7 +1609,7 @@ sub Limit( $$$$ ) {
|
|||||||
|
|
||||||
if ( $level ne '' ) {
|
if ( $level ne '' ) {
|
||||||
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
||||||
log_rule_limit $level, $xchainref, $param[0], 'DROP', '', $tag, 'add', '';
|
log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' );
|
||||||
add_ijump $xchainref, j => 'DROP';
|
add_ijump $xchainref, j => 'DROP';
|
||||||
add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
|
add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
|
||||||
} else {
|
} else {
|
||||||
|