Add origin information for entries in shorewall[6].conf

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-01-25 15:49:18 -08:00 · 2016-01-25 15:49:18 -08:00 · 6ef136a546
commit 6ef136a546
parent 9b3b4579a2
3 changed files with 133 additions and 82 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -2302,6 +2302,7 @@ sub new_chain($$)
 		     references     => {},
 		     filtered       => 0,
 		     optflags       => 0,
+		     origin         => shortlineinfo1( '' ) || shortlineinfo( '' ),
 		   };

    trace( $chainref, 'N', undef, '' ) if $debug;
@ -2412,6 +2413,7 @@ sub add_ijump_internal( $$$$$;@ ) {
 	my ( $target ) = split ' ', $to;
 	$toref = $chain_table{$fromref->{table}}{$target};
 	fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target};
+	$origin ||= $fromref->{origin} if $globals{TRACK_RULES};
    }

    #
@ -2421,6 +2423,7 @@ sub add_ijump_internal( $$$$$;@ ) {
 	$toref->{referenced} = 1;
 	add_reference $fromref, $toref;
 	$jump = 'j' unless have_capability 'GOTO_TARGET';
+	$origin ||= $toref->{origin} if $globals{TRACK_RULES};
 	$ruleref = create_irule ($fromref, $jump => $to, @matches );
    } else {
 	$ruleref = create_irule( $fromref, 'j' => $to, @matches );
@ -6235,10 +6238,12 @@ sub log_rule_limit( $$$$$$$$ ) {
    my $prefix = '';
    my $chain            = get_action_chain_name  || $chn;
    my $disposition      = get_action_disposition || $dispo;
+    my $original_matches = $matches;
+    my $ruleref;

    $level = validate_level $level; # Do this here again because this function can be called directly from user exits.

-    return 1 if $level eq '';
+    return $dummyrule if $level eq '';

    $matches .= ' ' if $matches && substr( $matches, -1, 1 ) ne ' ';

@ -6316,10 +6321,12 @@ sub log_rule_limit( $$$$$$$$ ) {
    }

    if ( $command eq 'add' ) {
-	add_rule ( $chainref, $matches . $prefix , 1 );
+	$ruleref = add_rule ( $chainref, $matches . $prefix , $original_matches );
    } else {
-	insert_rule1 ( $chainref , 0 , $matches . $prefix );
+	$ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix );
    }
+
+    $ruleref;
 }

 sub log_irule_limit( $$$$$$$@ ) {
@ -6329,6 +6336,7 @@ sub log_irule_limit( $$$$$$$@ ) {
    my %matches;
    my $chain       = get_action_chain_name  || $chn;
    my $disposition = get_action_disposition || $dispo;
+    my $original_matches = @matches;

    $level = validate_level $level; # Do this here again because this function can be called directly from user exits.

@ -6410,7 +6418,7 @@ sub log_irule_limit( $$$$$$$@ ) {
    }

    if ( $command eq 'add' ) {
-	add_ijump_internal ( $chainref, j => $prefix , 1, '', @matches );
+	add_ijump_internal ( $chainref, j => $prefix , $original_matches, '', @matches );
    } else {
 	insert_ijump ( $chainref, j => $prefix, 0 , @matches );
    }
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -53,6 +53,7 @@ our @EXPORT = qw(
 		 currentlineinfo
 		 shortlineinfo
 		 shortlineinfo1
+		 shortlineinfo2
 		 clear_currentfilename
 		 validate_level

@ -175,6 +176,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $comment

 				       %config
+				       %origin
 				       %globals
 				       %config_files
 				       %shorewallrc
@ -298,6 +300,10 @@ our %globals;
 #
 our %config;
 #
+# Linenumber in shorewall[6].conf where each option was specified
+#
+our %origin;
+#
 # Entries in shorewall.conf that have been renamed
 #
 our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST_LOG_LEVEL' );
@ -893,7 +899,10 @@ sub initialize( $;$$) {
 	  ZONE_BITS => undef,
 	);

-
+    #
+    # Line numbers in shorewall6.conf where options are specified
+    #
+    %origin = ();
    #
    # Valid log levels
    #
@ -1194,17 +1203,16 @@ sub currentlineinfo() {
    }
 }

-sub shortlineinfo1( $ ) {
-    if ( $globals{TRACK_RULES} ) {
+sub shortlineinfo2() {
    if ( $currentfile ) {
 	join( ':', $currentfilename, $currentlinenumber );
    } else {
-	    #
-	    # Alternate lineinfo may have been passed
-	    #
-	    $_[0] || ''
+	''
    }
 }
+
+sub shortlineinfo1( $ ) {
+    $globals{TRACK_RULES} ? $currentfile ? shortlineinfo2 : $_[0] || '' : '';
 }

 sub shortlineinfo( $ ) {
@ -5052,6 +5060,8 @@ sub process_shorewall_conf( $$ ) {

 		    warning_message "Option $var=$val is deprecated"
 			if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var};
+
+		    $origin{$var} = shortlineinfo2;
 		} else {
 		    fatal_error "Unrecognized $product.conf entry";
 		}
@ -5833,11 +5843,14 @@ sub get_configuration( $$$$ ) {
 	    $config{TRACK_RULES}  = '';
 	} else {
 	    default_yes_no 'TRACK_RULES'        , '';
+	    $globals{TRACK_RULES} = '';
 	}
    } else {
 	default_yes_no 'TRACK_RULES'            , '';
    }

+    %origin = () unless $globals{TRACK_RULES};
+	    
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
    default_yes_no 'WORKAROUNDS'                , 'Yes';
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@ -655,7 +655,7 @@ sub add_common_rules ( $ ) {
    setup_mss;

    if ( $config{FASTACCEPT} ) {
-	add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch $faststate )
+	add_ijump_extended( $filter_table->{OUTPUT} , j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )
    }

    my $policy   = $config{SFILTER_DISPOSITION};
@ -663,6 +663,7 @@ sub add_common_rules ( $ ) {
    $tag         = $config{SFILTER_LOG_TAG};
    my $audit    = $policy =~ s/^A_//;
    my @ipsec    = have_ipsec ? ( policy => '--pol none --dir in' ) : ();
+    my $origin   = $origin{SFILTER_DISPOSITION};

    if ( $level || $audit ) {
 	#
@ -670,18 +671,21 @@ sub add_common_rules ( $ ) {
 	#
 	$chainref = new_standard_chain 'sfilter';

-	log_rule_limit( $level,
+	if ( $level ne '' ) {
+	    my $ruleref = log_rule_limit( $level,
 					  $chainref,
 					  $chainref->{name},
 					  $policy,
 					  $globals{LOGLIMIT},
 					  $tag,
 					  'add',
-			'' ) if $level ne '';
+				      '' );
+	    $ruleref->{origin} = $origin{SFILTER_LOG_LEVEL};
+	}

-	add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
+	add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;

-	add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
+	add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin );

 	$target = 'sfilter';
    } else {
@ -697,11 +701,22 @@ sub add_common_rules ( $ ) {
 	$chainref = new_standard_chain 'sfilter1';

 	add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
-	log_rule $level , $chainref , $policy , '' if $level ne '';

-	add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
+	if ( $level ne '' ) {
+	    my $ruleref = log_rule_limit( $level,
+					  $chainref,
+					  $chainref->{name},
+					  $policy,
+					  $globals{LOGLIMIT},
+					  $tag,
+					  'add',
+					  '' );
+	    $ruleref->{origin} = $origin;
+	}

-	add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
+	add_ijump_extended( $chainref, j => 'AUDIT', $origin{SFILTER_DISPOSITION}, targetopts => '--type ' . lc $policy ) if $audit;
+
+	add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin );

 	$target1 = 'sfilter1';
    } else {
@ -743,8 +758,8 @@ sub add_common_rules ( $ ) {
 	    }

 	    for ( option_chains( $interface ) ) {
-		add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
-		add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
+		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
    }
@ -765,6 +780,8 @@ sub add_common_rules ( $ ) {
 	$level    = $config{RPFILTER_LOG_LEVEL};
 	$tag      = $globals{RPFILTER_LOG_TAG};
 	$audit    = $policy =~ s/^A_//;
+	my $origin
+                  = $origin{RPFILTER_DISPOSITION};
 	
 	if ( $level || $audit ) {
 	    #
@ -772,18 +789,21 @@ sub add_common_rules ( $ ) {
 	    #
 	    $chainref = ensure_mangle_chain 'rplog';

-	    log_rule_limit( $level,
+	    if ( $level ne '' ) {
+		my $ruleref = log_rule_limit( $level,
 					      $chainref,
 					      $chainref->{name},
 					      $policy,
 					      $globals{LOGLIMIT},
 					      $tag,
 					      'add',
-			    '' ) if $level ne '';
+					      '' );
+		$ruleref->{origin} = $origin{RPFILTER_LOG_LEVEL};
+	    }

-	    add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
+	    add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;

-	    add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
+	    add_ijump_extended( $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy, $origin );

 	    $target = 'rplog';
 	} else {
@ -808,8 +828,9 @@ sub add_common_rules ( $ ) {
 	    }
 	}

-	add_ijump( $rpfilterref,
+	add_ijump_extended( $rpfilterref,
 			    j        => $target,
+			    $origin,
 			    rpfilter => '--validmark --invert',
 			    state_imatch 'NEW,RELATED,INVALID',
 			    @ipsec
@ -832,19 +853,24 @@ sub add_common_rules ( $ ) {
 	$chainref = new_standard_chain 'smurfs';

 	my $smurfdest = $config{SMURF_DISPOSITION};
+	my $origin    = $origin{SMURF_DISPOSITION};

 	if ( supplied $config{SMURF_LOG_LEVEL} ) {
 	    my $smurfref = new_chain( 'filter', 'smurflog' );

-	    log_irule_limit( $config{SMURF_LOG_LEVEL},
+	    my $ruleref = log_irule_limit( $config{SMURF_LOG_LEVEL},
 					   $smurfref,
 					   'smurfs' ,
 					   'DROP',
 					   $globals{LOGILIMIT},
 					   $globals{SMURF_LOG_TAG},
 					   'add' );
-	    add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
-	    add_ijump( $smurfref, j => 'DROP' );
+
+	    $ruleref->{origin} = $origin{SMURF_LOG_LEVEL};
+
+	    add_ijump_extended( $smurfref, j => 'AUDIT', $origin, targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
+
+	    add_ijump_extended( $smurfref, j => 'DROP' , $origin );

 	    $smurfdest = 'smurflog';
 	} else {
@ -858,7 +884,7 @@ sub add_common_rules ( $ ) {
 		add_ijump $chainref , j => 'RETURN', s => '::';
 	    }

-	    add_ijump( $chainref, g => $smurfdest, addrtype => '--src-type BROADCAST' ) ;
+	    add_ijump_extended( $chainref, g => $smurfdest, $origin, addrtype => '--src-type BROADCAST' ) ;
 	} else {
 	    if ( $family == F_IPV4 ) {
 		add_commands $chainref, 'for address in $ALL_BCASTS; do';
@ -867,15 +893,15 @@ sub add_common_rules ( $ ) {
 	    }

 	    incr_cmd_level $chainref;
-	    add_ijump( $chainref, g => $smurfdest, s => '$address' );
+	    add_ijump_extended( $chainref, g => $smurfdest, $origin, s => '$address' );
 	    decr_cmd_level $chainref;
 	    add_commands $chainref, 'done';
 	}

 	if ( $family == F_IPV4 ) {
-	    add_ijump( $chainref, g => $smurfdest, s => '224.0.0.0/4' );
+	    add_ijump_extended( $chainref, g => $smurfdest, $origin, s => '224.0.0.0/4' );
 	} else {
-	    add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
+	    add_ijump_extended( $chainref, g => $smurfdest, $origin, s => IPv6_MULTICAST );
 	}

 	my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';
@ -974,6 +1000,7 @@ sub add_common_rules ( $ ) {
 	my $tag   = $globals{TCP_FLAGS_LOG_TAG};
 	my $disposition = $config{TCP_FLAGS_DISPOSITION};
 	my $audit = $disposition =~ /^A_/;
+	my $origin = $origin{TCP_FLAGS_DISPOSITION};

 	progress_message2 "$doing TCP Flags filtering...";

@ -986,27 +1013,28 @@ sub add_common_rules ( $ ) {

 	    $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";

-	    log_rule_limit( $level,
+	    my $ruleref = log_rule_limit( $level,
 					  $logflagsref,
 					  'logflags',
 					  $disposition,
 					  $globals{LOGLIMIT},
 					  $tag,
 					  'add',
-			    ''
-			  );
+					  '' );
+
+	    $ruleref->{origin} = $origin{TCP_FLAGS_LOG_LEVEL};

 	    $globals{LOGPARMS} = $savelogparms;

 	    if ( $audit ) {
 		$disposition =~ s/^A_//;
-		add_ijump( $logflagsref, j => 'AUDIT', targetopts => '--type ' . lc $disposition );
+		add_ijump_extended( $logflagsref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $disposition );
 	    }

 	    if ( $disposition eq 'REJECT' ) {
-		add_ijump $logflagsref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
+		add_ijump_extended $logflagsref , j => 'REJECT', $origin, targetopts => '--reject-with tcp-reset', p => 6;
 	    } else {
-		add_ijump $logflagsref , j => $disposition;
+		add_ijump_extended $logflagsref , j => $disposition, $origin;
 	    }

 	    $disposition = 'logflags';
@ -2246,17 +2274,19 @@ sub generate_matrix() {
 			 nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
 			 filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );

+	my $origin = $origin{LOGALLNEW};
+
 	for my $table ( qw/mangle nat filter/ ) {
 	    for my $chain ( @{$builtins{$table}} ) {
-		log_rule_limit
-		    $config{LOGALLNEW} ,
+		my $ruleref = log_rule_limit( $config{LOGALLNEW} ,
 					      $chain_table{$table}{$chain} ,
 					      $table ,
 					      $chain ,
 					      '' ,
 					      '' ,
 					      'insert' ,
-		    state_match('NEW');
+					      state_match('NEW') );
+		$ruleref->{origin} = $origin;
 	    }
 	}
    }