From 5b68b5396d09bbb3fd77eb46cebb989472c7471c Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 13 Oct 2006 20:13:40 +0000
Subject: [PATCH] Add maclog extension script
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4674 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 +-
 Shorewall/compiler | 9 +-
 Shorewall/lib.maclist | 267 +++++++++++++++++--------------------
 Shorewall/releasenotes.txt | 13 +-
 Shorewall/shorewall | 2 +
 Shorewall/shorewall.conf | 21 +--
 6 files changed, 154 insertions(+), 160 deletions(-)
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 61f5fdbdb..19a19d492 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -12,7 +12,7 @@ Changes in 3.3.3
 6) Add macro.RDP.
-7) Implement MACLIST_LOG_BROADCASTS.
+7) Add maclog extension file.
 Changes in 3.3.1
diff --git a/Shorewall/compiler b/Shorewall/compiler
index fcf1feac9..12609fbd3 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -5196,8 +5196,8 @@ __EOF__
 maclist_hosts=$(find_hosts_by_option maclist)
 if [ -n "$maclist_hosts" ]; then
- save_progress_message "Setting up MAC Filtration..."
- setup_mac_lists
+ save_progress_message "Setting up MAC Filtration -- Phase 1..."
+ setup_mac_lists 1
 fi
 progress_message2 "$DOING $(find_file rules)..."
@@ -5227,6 +5227,11 @@ __EOF__
 process_actions3
 fi
+ if [ -n "$maclist_hosts" ]; then
+ save_progress_message "Setting up MAC Filtration -- Phase 2..."
+ setup_mac_lists 2
+ fi
+
 save_progress_message "Applying Policies..."
 progress_message2 "$DOING $(find_file policy)..."; apply_policy_rules
diff --git a/Shorewall/lib.maclist b/Shorewall/lib.maclist
index bb6478dee..34919b080 100644
--- a/Shorewall/lib.maclist
+++ b/Shorewall/lib.maclist
@@ -28,7 +28,8 @@
 #
 # Set up MAC Verification
 #
-setup_mac_lists() {
+setup_mac_lists() # $1 = Phase Number
+{
 local interface
 local mac
 local addresses
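Review bot: The new Phase 2 block (`setup_mac_lists 2`) repeats the `maclist_hosts` guard from Phase 1 but says nothing about why MAC filtration is now split around the rules/actions processing, and the dependency is real: in lib.maclist, phase 2 only appends the log rule and the terminating `-j $MACLIST_TARGET` to chains that phase 1 created. A one-line comment above the second guard would keep a later reorder from breaking it, e.g. `# Phase 2 (lib.maclist) appends logging and the MACLIST disposition to the chains Phase 1 created above; it must stay after Phase 1`. The enclosing code starts and ends outside this hunk.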
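Review bot: The new signature comment `# $1 = Phase Number` records that the parameter exists but not what the phases do, which is what a caller of `setup_mac_lists` needs to know. Suggest `# $1 = Phase: 1 creates the verification chains, the per-entry maclist rules and the jumps into them; 2 appends the maclog extension, the MACLIST_LOG_LEVEL rule and the MACLIST_DISPOSITION tail` (that split is visible in the later hunks of this file). The function body continues past this hunk.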
@@ -85,50 +86,50 @@ setup_mac_lists() {
 fi
 done
- progress_message "$DOING MAC Verification on $maclist_interfaces..."
+ progress_message "$DOING MAC Verification on $maclist_interfaces -- Phase $1..."
 #
 # Create chains.
 #
- for interface in $maclist_interfaces; do
- chain=$(mac_chain $interface)
- create_mac_chain $chain
- #
- # If we're using the mangle table and the interface is DHCP-enabled then we need to accept DHCP broadcasts from 0.0.0.0
- #
- if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then
- run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN
- fi
+ if [ $1 -eq 1 ]; then
+ for interface in $maclist_interfaces; do
+ chain=$(mac_chain $interface)
+ create_mac_chain $chain
+ #
+ # If we're using the mangle table and the interface is DHCP-enabled then we need to accept DHCP broadcasts from 0.0.0.0
+ #
+ if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then
+ run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN
+ fi
+
+ if [ -n "$MACLIST_TTL" ]; then
+ chain1=$(macrecent_target $interface)
+ create_mac_chain $chain1
+ run_iptables -A $chain -t $MACLIST_TABLE -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
+ run_iptables -A $chain -t $MACLIST_TABLE -j $chain1
+ run_iptables -A $chain -t $MACLIST_TABLE -m recent --update --name $chain -j RETURN
+ run_iptables -A $chain -t $MACLIST_TABLE -m recent --set --name $chain
+ fi
+ done
+ #
+ # Process the maclist file producing the verification rules
+ #
+ while read disposition interface mac addresses; do
+ expandv disposition interface mac addresses
- if [ -n "$MACLIST_TTL" ]; then
- chain1=$(macrecent_target $interface)
- create_mac_chain $chain1
- run_iptables -A $chain -t $MACLIST_TABLE -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
- run_iptables -A $chain -t $MACLIST_TABLE -j $chain1
- run_iptables -A $chain -t $MACLIST_TABLE -m recent --update --name $chain -j RETURN
- run_iptables -A $chain -t $MACLIST_TABLE -m recent --set --name $chain
- fi
- done
-
- #
- # Process the maclist file producing the verification rules
- #
- while read disposition interface mac addresses; do
- expandv disposition interface mac addresses
-
- level=
-
- case $disposition in
- ACCEPT:*)
- level=${disposition#*:}
- disposition=ACCEPT
- target=RETURN
- ;;
- ACCEPT)
- target=RETURN
- ;;
- REJECT:*)
- [ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
- target=reject
+ level=
+
+ case $disposition in
+ ACCEPT:*)
+ level=${disposition#*:}
+ disposition=ACCEPT
+ target=RETURN
+ ;;
+ ACCEPT)
+ target=RETURN
+ ;;
+ REJECT:*)
+ [ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
+ target=reject
 disposition=REJECT
 ;;
 REJECT)
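Review bot: `if [ $1 -eq 1 ]; then` takes the phase number on trust: `$1` is unquoted, so a missing argument turns the test into `[ -eq 1 ]` and a test error, and because the alternative is a bare `else` (in a later hunk of this file) any other value, including a typo, silently runs phase 2 and appends the terminating disposition to chains that were never created. Guard it before the branch, e.g. `case "$1" in 1|2) ;; *) fatal_error "Invalid phase number: $1" ;; esac` and then `if [ "$1" -eq 1 ]; then`. The enclosing function starts before this hunk and its `else`/`fi` are in the following hunks.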
@@ -150,57 +151,81 @@ setup_mac_lists() {
 disposition=ACCEPT
 target=RETURN
 ;;
- esac
+ esac
- physdev_part=
+ physdev_part=
- if [ -n "$BRIDGING" ]; then
- case $interface in
- *:*)
- physdev_part="-m physdev --physdev-in ${interface#*:}"
- interface=${interface%:*}
+ if [ -n "$BRIDGING" ]; then
+ case $interface in
+ *:*)
+ physdev_part="-m physdev --physdev-in ${interface#*:}"
+ interface=${interface%:*}
+ ;;
+ esac
+ fi
+
+ [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
+
+ if ! have_mac_chain $chain ; then
+ fatal_error "No hosts on $interface have the maclist option specified"
+ fi
+
+ if [ x${mac:=-} = x- ]; then
+ if [ -z "$addresses" ]; then
+ fatal_error "You must specify a MAC address or an IP address"
+ else
+ macpart=
+ fi
+ else
+ macpart=$(mac_match $mac)
+ fi
+
+ if [ -z "$addresses" ]; then
+ [ -n "$level" ] && \
+ log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part
+ run_iptables -A $chain -t $MACLIST_TABLE $macpart $physdev_part -j $target
+ else
+ for address in $(separate_list $addresses) ; do
+ [ -n "$level" ] && \
+ log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart -s $address $physdev_part
+ run_iptables2 -A $chain -t $MACLIST_TABLE $macpart -s $address $physdev_part -j $target
+ done
+ fi
+ done < $TMP_DIR/maclist
+ #
+ # Generate jumps from the input and forward chains
+ #
+ [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
+
+ for hosts in $maclist_hosts; do
+ ipsec=${hosts%^*}
+ hosts=${hosts#*^}
+ interface=${hosts%%:*}
+ hosts=${hosts#*:}
+ case $MACLIST_TABLE in
+ filter)
+ for chain in $(first_chains $interface) ; do
+ run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
+ $policy -j $(mac_chain $interface)
+ done
+ ;;
+ *)
+ run_iptables -t mangle -A PREROUTING -i $interface $(match_source_hosts $hosts) -m state --state NEW \
+ $policy -j $(mac_chain $interface)
 ;;
 esac
- fi
+ done
+ else
+ #
+ # Must take care of our own broadcasts and multicasts then terminate the verification
+ # chains
+ #
+ for interface in $maclist_interfaces; do
- [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
-
- if ! have_mac_chain $chain ; then
- fatal_error "No hosts on $interface have the maclist option specified"
- fi
-
- if [ x${mac:=-} = x- ]; then
- if [ -z "$addresses" ]; then
- fatal_error "You must specify a MAC address or an IP address"
- else
- macpart=
- fi
- else
- macpart=$(mac_match $mac)
- fi
-
- if [ -z "$addresses" ]; then
- [ -n "$level" ] && \
- log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part
- run_iptables -A $chain -t $MACLIST_TABLE $macpart $physdev_part -j $target
- else
- for address in $(separate_list $addresses) ; do
- [ -n "$level" ] && \
- log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart -s $address $physdev_part
- run_iptables2 -A $chain -t $MACLIST_TABLE $macpart -s $address $physdev_part -j $target
- done
- fi
- done < $TMP_DIR/maclist
- #
- # Must take care of our own broadcasts and multicasts then terminate the verification
- # chains
- #
- for interface in $maclist_interfaces; do
-
- [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
-
- if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
- indent >&3 << __EOF__
+ [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
+
+ if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
+ indent >&3 << __EOF__
 blob=\$(ip link show $interface 2> /dev/null)
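Review bot: In the re-indented "Generate jumps" block, `[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=` expands `$ipsec` once, before the `for hosts in $maclist_hosts` loop assigns `ipsec=${hosts%^*}`, so every generated jump carries whatever `ipsec` held beforehand (empty, or a leftover from an earlier loop outside this hunk) instead of the per-host value. The line is carried over unchanged from the removed block, so the commit does not introduce it, but it is on the new side; move the assignment inside the loop, directly after `ipsec=${hosts%^*}`. The function continues past this hunk, with the `indent >&3 << __EOF__` heredoc still open at its last line.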
@@ -218,62 +243,20 @@ ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //
 done
 __EOF__
- fi
-
- if [ -n "$MACLIST_LOG_LEVEL" ]; then
- if [ $MACLIST_DISPOSITION != ACCEPT -a -z "$MACLIST_LOG_BROADCASTS" ]; then
- #
- # Don't log broadcasts
- #
- if [ -n "$USEPKTTYPE" ]; then
- run_iptables -t $MACLIST_TABLE -A $chain -m pkttype --pkt-type broadcast -j DROP
- run_iptables -t $MACLIST_TABLE -A $chain -m pkttype --pkt-type multicast -j DROP
- else
- for interface in $(find_bcastdetect_interfaces); do
- indent >&3 << __EOF__
-
-ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
- run_iptables -t $MACLIST_TABLE -A $chain -d \$address -j DROP
-done
-
-__EOF__
- done
-
- for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
- run_iptables -t $MACLIST_TABLE -A $chain -d $address -j DROP
- done
 fi
- fi
-
- log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
- fi
- if [ $MACLIST_DISPOSITION != ACCEPT ]; then
- run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET
- fi
- done
- #
- # Generate jumps from the input and forward chains
- #
- [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
-
- for hosts in $maclist_hosts; do
- ipsec=${hosts%^*}
- hosts=${hosts#*^}
- interface=${hosts%%:*}
- hosts=${hosts#*:}
- case $MACLIST_TABLE in
- filter)
- for chain in $(first_chains $interface) ; do
- run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
- $policy -j $(mac_chain $interface)
- done
- ;;
- *)
- run_iptables -t mangle -A PREROUTING -i $interface $(match_source_hosts $hosts) -m state --state NEW \
- $policy -j $(mac_chain $interface)
- ;;
- esac
- done
+ CHAIN=$chain
+
+ append_file maclog
+
+ if [ -n "$MACLIST_LOG_LEVEL" ]; then
+ log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
+ fi
+
+ if [ $MACLIST_DISPOSITION != ACCEPT ]; then
+ run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET
+ fi
+ done
+ fi
 }
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 13535acc1..85d3828d5 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -117,13 +117,12 @@ Other changes in 3.3.3
 4) A new macro (macro.RDP) has been added for Microsoft Remote Desktop.
 This macro was contributed by Tuomo Soini.
-5) A new MACLIST_LOG_BROADCASTS option has been added to
- shorewall.conf. When set to 'No', suppresses logging of broadcast
- and multicast traffic as a result of MACLIST_LOG_LEVEL having been
- set to a non-empty value.
-
- The default is MACLIST_LOG_BROADCASTS=Yes which is compatible with
- the traditional behavior of MACLIST_LOG_LEVEL.
+5) A new 'maclog' extension file has been added. This file is
+ processed just before logging based on the setting of
+ MACLIST_LOG_LEVEL is done. When invoked, the CHAIN variable will
+ contain the name of the chain where rules should be inserted.
+ Remember that if you have specified MACLIST_TABLE=mangle, then your
+ run_iptables commands should include "-t mangle".
 Migration Considerations:
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index de752b605..8e551c3bb 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -1111,6 +1111,8 @@ dump_command() {
 esac
 done
+ [ $VERBOSE -lt 2 ] && VERBOSE=2
+
 [ -n "$debugging" ] && set -x
 [ $# -eq 0 ] || usage 1
 clear_term
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index dd075aae3..353310b39 100644
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -227,20 +227,25 @@ BLACKLIST_LOGLEVEL=
 # Specifies the logging level for connection requests that fail MAC
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged.
-#
-# If MACLIST_LOG_LEVEL is non-empty, then MACLIST_LOG_BROADCASTS determines
-# whether broadcast/multicast traffic is dropped or rejected silently.
-#
-# MACLIST_LOG_BROADCASTS=No -- Don't log broadcast/multicast
-# MACLIST_LOG_BROADCASTS=Yes -- Log broadcast/multicast (Default)
 #
 # See the comment at the top of this section for a description of log levels
 #
+# If you wish to filter messages logged under this option, then supply
+# the /etc/shorewall/maclog extension script (you will have to create the
+# file yourself). That script will be copied into the compiled firewall
+# script at a point just before logging occurs. The shell variable CHAIN
+# will be set to the name of the chain where the logging rule will be
+# inserted.
+#
+# If you set MACLIST_TABLE=mangle later in this file, be sure that your
+# 'run_iptables' commands include '-t mangle'.
+#
+# See http://www.shorewall.net/shorewall_extension_scripts.htm for more
+# information about extension scripts.
+#
 MACLIST_LOG_LEVEL=info
-MACLIST_LOG_BROADCASTS=Yes
-
 #
 # TCP FLAGS Log Level
 #
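Review bot: The new comment says the maclog file "will be copied into the compiled firewall script" but stops short of the consequence an administrator has to weigh: whatever that file contains executes as part of the firewall script, with its privileges, so the file's ownership and mode matter as much as its contents. Suggest adding after the "inserted." line: `# The file is executed as part of the firewall script; keep it owned by` / `# root and writable only by root.` The removal of `MACLIST_LOG_BROADCASTS=Yes` also leaves no trace here that the option is gone; a sentence saying that MACLIST_LOG_BROADCASTS is no longer supported would help anyone carrying it over in an existing shorewall.conf.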