From a98c85cbc4a8162e22fecd3e4ec46a032c02308c Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 28 Dec 2011 10:30:24 -0800
Subject: [PATCH 1/3] Make 'audit' work on a converted blacklist file.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 16 ++++++++++++++++
 Shorewall/Perl/Shorewall/Rules.pm | 7 +++++++
 2 files changed, 23 insertions(+)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index e2bd02534..c88dfe321 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -57,6 +57,7 @@ our @EXPORT = qw(
 ensure_manual_chain
 ensure_audit_chain
 ensure_blacklog_chain
+ ensure_audit_blacklog_chain
 require_audit
 newlogchain
 log_rule_limit
@@ -2243,6 +2244,21 @@ sub ensure_blacklog_chain( $$$$ ) {
 'blacklog';
 }
+sub ensure_audit_blacklog_chain( $$$ ) {
+ my ( $target, $disposition, $level ) = @_;
+
+ unless ( $filter_table->{A_blacklog} ) {
+ my $logchainref = new_manual_chain 'A_blacklog';
+
+ log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
+
+ add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target );
+ add_ijump( $logchainref, g => $target );
+ }
+
+ 'A_blacklog';
+}
+
 #
 # Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
 #
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 12dd06ea2..c82abf6bb 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2478,9 +2478,12 @@ sub process_rules() {
 if ( supplied $level ) {
 ensure_blacklog_chain( $target, $disposition, $level, $audit );
+ ensure_audit_blacklog_chain( $target, $disposition, $level ) if have_capability 'AUDIT_TARGET';
 } elsif ( $audit ) {
 require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
 verify_audit( $disposition );
+ } elsif ( have_capability 'AUDIT_TARGET' ) {
+ verify_audit( 'A_' . $disposition );
 }
 } );
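Review bot: `ensure_audit_blacklog_chain` is added without the header comment its neighbours carry (the `# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name` block directly below it is the house style), so a reader cannot tell from the sub itself that it relies on the caller having already confirmed the AUDIT_TARGET capability. Suggest adding above the sub: `# Create and populate the A_blacklog chain if it doesn't exist; the caller must have verified the AUDIT_TARGET capability. Return chain name`. The `--type` option is built from `lc $target`, so if `$target` could ever arrive here as an `A_*` disposition the AUDIT rule would be emitted with `--type a_drop`; presumably only the plain target is passed, but that is worth confirming at the call site. Unlike `ensure_blacklog_chain( $$$$ )` this sub takes no `$audit` flag, which is consistent only if the A_ variant is always audited — the comment should say so.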
@@ -2489,6 +2492,10 @@ sub process_rules() {
 process_rule while read_a_line;
 $section = '';
+
+ if ( my $chainref = $filter_table->{A_blacklog} ) {
+ $chainref->{referenced} = 0 unless %{$chainref->{references}};
+ }
 }
 $fn = open_file 'rules';
From 2ca7984f60e02d973f11023f0185c8b6e69dd3bf Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 29 Dec 2011 07:46:37 -0800
Subject: [PATCH 2/3] Add a caution to the Getting Started Doc
Signed-off-by: Tom Eastep
---
 docs/GettingStarted.xml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/docs/GettingStarted.xml b/docs/GettingStarted.xml
index 630d61eaa..7a0692401 100644
--- a/docs/GettingStarted.xml
+++ b/docs/GettingStarted.xml
@@ -40,6 +40,12 @@ + + Do not attempt to install Shorewall on a + remote system. You are virtually assured to lock yourself + out. + + Please read this short article first.
From 5b2f960db326fd1518e252d383385f575ead2cde Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 30 Dec 2011 07:22:14 -0800
Subject: [PATCH 3/3] Disallow :P in CLASSIFY rules and complain if :F is used when the SOURCE or DEST is $FW.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 30 +++++++++++++++++++-----------
 manpages/shorewall-tcrules.xml | 12 ++----------
 manpages6/shorewall6-tcrules.xml | 10 +---------
 3 files changed, 22 insertions(+), 30 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index f36e703eb..44672be67 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -104,8 +104,7 @@ my %flow_keys = ( 'src' => 1,
 'sk-gid' => 1,
 'vlan-tag' => 1 );
-my %designator = ( P => 'tcpre' ,
- F => 'tcfor' ,
+my %designator = ( F => 'tcfor' ,
 T => 'tcpost' );
 my %tosoptions = ( 'tos-minimize-delay' => '0x10/0x10' ,
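Review bot: `unless %{$chainref->{references}}` dereferences the `references` slot as a hash with no guard; if `new_manual_chain` does not initialise that slot to a hash ref, a chain that was created but never referenced — exactly the case this block exists to clean up — dies with "Can't use an undefined value as a HASH reference". If the slot is not guaranteed by the constructor, `$chainref->{referenced} = 0 unless %{ $chainref->{references} || {} };` keeps the intent without the crash. A one-line comment such as `# Drop A_blacklog from the output if no blacklist rule ended up using it` would also explain why `referenced` is cleared here rather than at creation. `process_rules` begins before and ends after this hunk.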
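Review bot: Removing `P` from `%designator` means a tcrules entry that still carries `:P` no longer matches the `$designator{$remainder}` lookup later in `process_tc_rule`, so the user presumably sees the generic invalid-mark diagnostic rather than being told that `:P` has been withdrawn. A check ahead of that lookup, e.g. `fatal_error ':P is not allowed in CLASSIFY rules' if $remainder eq 'P';`, would point at the actual cause (confirm that `$remainder` holds just the designator letter at that point). A short comment on the hash, `# :P (PREROUTING) is intentionally not accepted for CLASSIFY rules`, would stop a future maintainer from restoring it. The manpage hunks in this commit delete the `P` entry silently; a note there that `:P` is no longer accepted would help users with existing files.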
@@ -211,7 +210,8 @@ sub process_tc_rule( ) {
 fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
- my $chain = $globals{MARKING_CHAIN};
+ my $chain = $globals{MARKING_CHAIN};
+ my $classid = 0;
 if ( $remainder ) {
 if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
@@ -221,33 +221,40 @@ sub process_tc_rule( ) {
 unless ( $mark =~ /^([0-9a-fA-F]+)$/ && $designator =~ /^([0-9a-fA-F]+)$/ && ( $chain = $designator{$remainder} ) );
- $mark = join( ':', $mark, $designator );
+ $mark = join( ':', $mark, $designator );
+ $classid = 1;
 }
 }
 my $target = 'MARK --set-mark';
 my $tcsref;
 my $connmark = 0;
- my $classid = 0;
 my $device = '';
 my $fw = firewall_zone;
 my $list;
 if ( $source ) {
 if ( $source eq $fw ) {
- $chain = 'tcout';
+ if ( $classid ) {
+ fatal_error ":F is not allowed when the SOURCE is the firewall" if $chain eq 'tcfor';
+ } else {
+ $chain = 'tcout';
+ }
 $source = '';
- } else {
- $chain = 'tcout' if $source =~ s/^($fw)://;
+ } elsif ( $source =~ s/^($fw):// ) {
+ fatal_error ":F is not allowed when the SOURCE is the firewall" if $chain eq 'tcfor';
+ $chain = 'tcout';
 }
 }
 if ( $dest ) {
 if ( $dest eq $fw ) {
+ fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
 $chain = 'tcin';
 $dest = '';
- } else {
- $chain = 'tcin' if $dest =~ s/^($fw)://;
+ } elsif ( $dest =~ s/^($fw):// ) {
+ fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
+ $chain = 'tcin';
 }
 }
@@ -268,8 +275,9 @@ sub process_tc_rule( ) {
 require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 } else {
- unless ( $remainder ) {
+ unless ( $classid ) {
 fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+ fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
 $chain = 'tcpost';
 $mark = $originalmark;
 }
diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml
index 75c6dc590..cf433474d 100644
--- a/manpages/shorewall-tcrules.xml
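Review bot: The two SOURCE branches now disagree for a CLASSIFY rule: when `$source eq $fw` and `$classid` is set, `$chain` is left as the designator chose it (only the `:F` case is rejected), but in the `$source =~ s/^($fw)://` branch the same rule is moved to `tcout` unconditionally once the `:F` check passes. Unless a `$FW:addr` source is meant to classify in a different chain than a bare `$FW`, the second branch should mirror the first, e.g. `$chain = 'tcout' unless $classid;`. The message `":F is not allowed when the SOURCE is the firewall"` is written out twice here and `'A CLASSIFY rule may not have $FW as the DEST'` three times across this hunk and the `@@ -268` hunk; hoisting each into a `my` variable near the top of the sub keeps the wording from drifting. `$fw` is interpolated into the `s/^($fw)://` patterns unquoted — if zone names are not already restricted to word characters by earlier validation, `\Q$fw\E` would be the safer form. `process_tc_rule` begins before and ends after this hunk.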
+++ b/manpages/shorewall-tcrules.xml @@ -205,7 +205,7 @@ Beginning with Shorewall 4.4.27, the classid may be optionally followed by ':' and a capital letter designating the - chain where classification is to occur. + chain where classification is to occur. @@ -216,19 +216,11 @@ - - P - - - PREROUTING chain. - - - T - POSTROUTING chain. + POSTROUTING chain (default). diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml index fa3a1f932..125ed8fbd 100644 --- a/manpages6/shorewall6-tcrules.xml +++ b/manpages6/shorewall6-tcrules.xml @@ -216,19 +216,11 @@ - - P - - - PREROUTING chain. - - - T - POSTROUTING chain. + POSTROUTING chain (default).