Use log_irule_limit() internally where possible.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-07-02 11:48:02 -07:00
parent 55be5b0119
commit 3ec6745df9
3 changed files with 49 additions and 50 deletions

View File

@ -2609,6 +2609,7 @@ sub ensure_manual_chain($) {
} }
sub log_rule_limit( $$$$$$$$ ); sub log_rule_limit( $$$$$$$$ );
sub log_irule_limit( $$$$$$$@ );
sub ensure_blacklog_chain( $$$$ ) { sub ensure_blacklog_chain( $$$$ ) {
my ( $target, $disposition, $level, $audit ) = @_; my ( $target, $disposition, $level, $audit ) = @_;
@ -2619,7 +2620,7 @@ sub ensure_blacklog_chain( $$$$ ) {
$target =~ s/A_//; $target =~ s/A_//;
$target = 'reject' if $target eq 'REJECT'; $target = 'reject' if $target eq 'REJECT';
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' ); log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' );
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit; add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
add_ijump( $logchainref, g => $target ); add_ijump( $logchainref, g => $target );
@ -2634,7 +2635,7 @@ sub ensure_audit_blacklog_chain( $$$ ) {
unless ( $filter_table->{A_blacklog} ) { unless ( $filter_table->{A_blacklog} ) {
my $logchainref = new_manual_chain 'A_blacklog'; my $logchainref = new_manual_chain 'A_blacklog';
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' ); log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' );
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ); add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target );
@ -4100,15 +4101,14 @@ sub logchain( $$$$$$ ) {
# #
# Now add the log rule and target rule without matches to the log chain. # Now add the log rule and target rule without matches to the log chain.
# #
log_rule_limit( log_irule_limit(
$loglevel , $loglevel ,
$logchainref , $logchainref ,
$chainref->{name} , $chainref->{name} ,
$disposition , $disposition ,
'', [] ,
$logtag, $logtag,
'add', 'add' );
'' );
add_jump( $logchainref, $target, 0, $exceptionrule ); add_jump( $logchainref, $target, 0, $exceptionrule );
} }
@ -6074,7 +6074,7 @@ sub log_rule_limit( $$$$$$$$ ) {
} }
} }
sub log_irule_limit( $$$$\@$$@ ) { sub log_irule_limit( $$$$$$$@ ) {
my ($level, $chainref, $chain, $disposition, $limit, $tag, $command, @matches ) = @_; my ($level, $chainref, $chain, $disposition, $limit, $tag, $command, @matches ) = @_;
my $prefix = ''; my $prefix = '';
@ -6084,7 +6084,7 @@ sub log_irule_limit( $$$$\@$$@ ) {
return 1 if $level eq ''; return 1 if $level eq '';
%matches = %{transform_rule(@matches)} if @matches; %matches = @matches;
unless ( $matches{limit} || $matches{hashlimit} ) { unless ( $matches{limit} || $matches{hashlimit} ) {
$limit = $globals{LOGILIMIT} unless @$limit; $limit = $globals{LOGILIMIT} unless @$limit;
@ -6155,10 +6155,12 @@ sub log_irule_limit( $$$$\@$$@ ) {
$options =~ s/,/ /g; $options =~ s/,/ /g;
} }
$prefix = "LOG ${options}--log-level $level --log-prefix \"$prefix\" "; $prefix = "LOG ${options}--log-level $level --log-prefix \"$prefix\"";
} }
} }
$prefix =~ s/ $//;
if ( $command eq 'add' ) { if ( $command eq 'add' ) {
add_ijump ( $chainref, j => $prefix , @matches ); add_ijump ( $chainref, j => $prefix , @matches );
} else { } else {
@ -6175,7 +6177,7 @@ sub log_rule( $$$$ ) {
sub log_irule( $$$;@ ) { sub log_irule( $$$;@ ) {
my ( $level, $chainref, $disposition, @matches ) = @_; my ( $level, $chainref, $disposition, @matches ) = @_;
log_irule_limit $level, $chainref, $chainref->{name} , $disposition, @{$globals{LOGLIMIT}} , '', 'add', @matches; log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', @matches;
} }
# #
@ -7144,14 +7146,13 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
# #
# Log rule # Log rule
# #
log_rule_limit( $loglevel , log_irule_limit( $loglevel ,
$echainref , $echainref ,
$chain, $chain ,
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ), $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
'' , [] ,
$logtag , $logtag ,
'add' , 'add' )
'' )
if $loglevel; if $loglevel;
# #
# Generate Final Rule # Generate Final Rule

View File

@ -926,14 +926,13 @@ sub add_common_rules ( $ ) {
if ( supplied $config{SMURF_LOG_LEVEL} ) { if ( supplied $config{SMURF_LOG_LEVEL} ) {
my $smurfref = new_chain( 'filter', 'smurflog' ); my $smurfref = new_chain( 'filter', 'smurflog' );
log_rule_limit( $config{SMURF_LOG_LEVEL}, log_irule_limit( $config{SMURF_LOG_LEVEL},
$smurfref, $smurfref,
'smurfs' , 'smurfs' ,
'DROP', 'DROP',
$globals{LOGLIMIT}, $globals{LOGILIMIT},
'', '',
'add', 'add' );
'' );
add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP'; add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
add_ijump( $smurfref, j => 'DROP' ); add_ijump( $smurfref, j => 'DROP' );
@ -1334,7 +1333,7 @@ sub setup_mac_lists( $ ) {
run_user_exit2( 'maclog', $chainref ); run_user_exit2( 'maclog', $chainref );
log_rule_limit $level, $chainref , $chain , $disposition, '', '', 'add', '' if $level ne ''; log_irule_limit $level, $chainref , $chain , $disposition, [], '', 'add' if $level ne '';
add_ijump $chainref, j => $target; add_ijump $chainref, j => $target;
} }
} }

View File

@ -901,14 +901,13 @@ sub setup_syn_flood_chains() {
new_chain 'filter' , syn_flood_chain $chainref : new_chain 'filter' , syn_flood_chain $chainref :
new_chain( 'filter' , '@' . $chainref->{name} ); new_chain( 'filter' , '@' . $chainref->{name} );
add_rule $synchainref , "${limit}-j RETURN"; add_rule $synchainref , "${limit}-j RETURN";
log_rule_limit( $level , log_irule_limit( $level ,
$synchainref , $synchainref ,
$chainref->{name} , $chainref->{name} ,
'DROP', 'DROP',
$globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' , @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
'' , '' ,
'add' , 'add' )
'' )
if $level ne ''; if $level ne '';
add_ijump $synchainref, j => 'DROP'; add_ijump $synchainref, j => 'DROP';
} }
@ -1471,11 +1470,11 @@ sub dropBcast( $$$$ ) {
if ( have_capability( 'ADDRTYPE' ) ) { if ( have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) { if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST '; log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', addrtype => '--dst-type BROADCAST' );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 '; log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' );
} else { } else {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' ); log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST );
} }
} }
@ -1488,17 +1487,17 @@ sub dropBcast( $$$$ ) {
} }
incr_cmd_level $chainref; incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne ''; log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '$address' ) if $level ne '';
add_ijump $chainref, j => $target, d => '$address'; add_ijump $chainref, j => $target, d => '$address';
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
} }
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' if $level ne '';
add_ijump $chainref, j => $target, d => '224.0.0.0/4'; add_ijump $chainref, j => $target, d => '224.0.0.0/4';
} else { } else {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST . ' ' ) if $level ne ''; log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';
add_ijump $chainref, j => $target, d => IPv6_MULTICAST; add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
} }
} }
@ -1510,8 +1509,8 @@ sub allowBcast( $$$$ ) {
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) { if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) { if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST '; log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', addrtype => '--dst-type BROADCAST' );
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 '; log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' );
} }
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST'; add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
@ -1523,17 +1522,17 @@ sub allowBcast( $$$$ ) {
} }
incr_cmd_level $chainref; incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne ''; log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '$address' ) if $level ne '';
add_ijump $chainref, j => $target, d => '$address'; add_ijump $chainref, j => $target, d => '$address';
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
} }
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => 224.0.0.0/4 ) if $level ne '';
add_ijump $chainref, j => $target, d => '224.0.0.0/4'; add_ijump $chainref, j => $target, d => '224.0.0.0/4';
} else { } else {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne ''; log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';
add_ijump $chainref, j => $target, d => IPv6_MULTICAST; add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
} }
} }
@ -1543,7 +1542,7 @@ sub dropNotSyn ( $$$$ ) {
my $target = require_audit( 'DROP', $audit ); my $target = require_audit( 'DROP', $audit );
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne ''; log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', p => '6 ! --syn' ) if $level ne '';
add_ijump $chainref , j => $target, p => '6 ! --syn'; add_ijump $chainref , j => $target, p => '6 ! --syn';
} }
@ -1558,7 +1557,7 @@ sub rejNotSyn ( $$$$ ) {
$target = require_audit( 'REJECT' , $audit ); $target = require_audit( 'REJECT' , $audit );
} }
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne ''; log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', p => '6 ! --syn' ) if $level ne '';
add_ijump $chainref , j => $target, p => '6 ! --syn'; add_ijump $chainref , j => $target, p => '6 ! --syn';
} }
@ -1574,8 +1573,8 @@ sub allowinUPnP ( $$$$ ) {
my $target = require_audit( 'ACCEPT', $audit ); my $target = require_audit( 'ACCEPT', $audit );
if ( $level ne '' ) { if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 '; log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '17 --dport 1900' );
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 '; log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '6 --dport 49152' );
} }
add_ijump $chainref, j => $target, p => '17 --dport 1900'; add_ijump $chainref, j => $target, p => '17 --dport 1900';
@ -1610,7 +1609,7 @@ sub Limit( $$$$ ) {
if ( $level ne '' ) { if ( $level ne '' ) {
my $xchainref = new_chain 'filter' , "$chainref->{name}%"; my $xchainref = new_chain 'filter' , "$chainref->{name}%";
log_rule_limit $level, $xchainref, $param[0], 'DROP', '', $tag, 'add', ''; log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' );
add_ijump $xchainref, j => 'DROP'; add_ijump $xchainref, j => 'DROP';
add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count"; add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
} else { } else {