forked from extern/shorewall_code
Add ULOG and NFLOG capabilities plus LOGMARK for IPv6
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
bf010dc03e
commit
73ed66b9b9
@ -268,6 +268,8 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
TIME_MATCH => 'Time Match',
|
||||
GOTO_TARGET => 'Goto Support',
|
||||
LOG_TARGET => 'LOG Target',
|
||||
ULOG_TARGET => 'ULOG Target',
|
||||
NFLOG_TARGET => 'NFLOG Target',
|
||||
LOGMARK_TARGET => 'LOGMARK Target',
|
||||
IPMARK_TARGET => 'IPMARK Target',
|
||||
PERSISTENT_SNAT => 'Persistent SNAT',
|
||||
@ -656,6 +658,8 @@ sub initialize( $ ) {
|
||||
TIME_MATCH => undef,
|
||||
GOTO_TARGET => undef,
|
||||
LOG_TARGET => 1, # Assume that we have it.
|
||||
ULOG_TARGET => undef,
|
||||
NFLOG_TARGET => undef,
|
||||
LOGMARK_TARGET => undef,
|
||||
IPMARK_TARGET => undef,
|
||||
TPROXY_TARGET => undef,
|
||||
@ -2139,68 +2143,81 @@ sub validate_level( $ ) {
|
||||
my $level = uc $rawlevel;
|
||||
|
||||
if ( supplied ( $level ) ) {
|
||||
$level =~ s/!$//;
|
||||
my $value = $validlevels{$level};
|
||||
my $value = $level;
|
||||
my $qualifier;
|
||||
|
||||
if ( defined $value ) {
|
||||
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ) unless $value eq '';
|
||||
$value =~ s/^!//;
|
||||
|
||||
unless ( $value =~ /^[0-7]$/ ) {
|
||||
level_error( $level ) unless $level =~ /^!?([A-Za-z0-7]+)(.*)$/ && defined( $value = $validlevels{$1} );
|
||||
$qualifier = $2;
|
||||
}
|
||||
|
||||
if ( $value =~ /^[0-7]$/ ) {
|
||||
#
|
||||
# Syslog Level
|
||||
#
|
||||
level_error( $rawlevel ) if supplied $qualifier;
|
||||
|
||||
require_capability ( 'LOG_TARGET' , "Log level $level", 's' ) unless $value eq '';
|
||||
return $value;
|
||||
}
|
||||
|
||||
if ( $level =~ /^[0-7]$/ ) {
|
||||
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
|
||||
return $level;
|
||||
}
|
||||
return '' unless $value;
|
||||
|
||||
if ( $level =~ /^(NFLOG|ULOG)[(](.*)[)]$/ ) {
|
||||
my $olevel = $1;
|
||||
my @options = split /,/, $2;
|
||||
require_capability( "${value}_TARGET", "Log level $level", 's' );
|
||||
|
||||
if ( $value =~ /^(NFLOG|ULOG)$/ ) {
|
||||
my $olevel = $value;
|
||||
|
||||
if ( $qualifier =~ /^[(](.*)[)]$/ ) {
|
||||
my @options = split /,/, $1;
|
||||
my $prefix = lc $olevel;
|
||||
my $index = $prefix eq 'ulog' ? 3 : 0;
|
||||
|
||||
level_error( $level ) if @options > 3;
|
||||
level_error( $rawlevel ) if @options > 3;
|
||||
|
||||
for ( @options ) {
|
||||
if ( supplied( $_ ) ) {
|
||||
level_error( $level ) unless /^\d+/;
|
||||
level_error( $rawlevel ) unless /^\d+/;
|
||||
$olevel .= " --${prefix}-$suffixes[$index] $_";
|
||||
}
|
||||
|
||||
$index++;
|
||||
}
|
||||
|
||||
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
|
||||
} elsif ( $qualifier =~ /^ --/ ) {
|
||||
return $rawlevel;
|
||||
}
|
||||
|
||||
return $olevel;
|
||||
}
|
||||
|
||||
if ( $level =~ /^NFLOG --/ or $level =~ /^ULOG --/ ) {
|
||||
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
|
||||
#
|
||||
# Must be LOGMARK
|
||||
#
|
||||
if ( $qualifier =~ /^ --/ ) {
|
||||
return $rawlevel;
|
||||
}
|
||||
|
||||
if ( $level =~ /^LOGMARK --/ ) {
|
||||
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
|
||||
return $rawlevel;
|
||||
}
|
||||
my $sublevel;
|
||||
|
||||
if ( $level =~ /LOGMARK([(](.+)[)])?$/ ) {
|
||||
my $sublevel = $2;
|
||||
if ( supplied $qualifier ) {
|
||||
if ( $qualifier =~ /[(](.+)[)]?$/ ) {
|
||||
$sublevel = $1;
|
||||
|
||||
if ( $1 ) {
|
||||
$sublevel = $validlevels{$sublevel} unless $sublevel =~ /^[0-7]$/;
|
||||
level_error( $level ) unless defined $sublevel && $sublevel =~ /^[0-7]$/;
|
||||
level_error( $rawlevel ) unless defined $sublevel && $sublevel =~ /^[0-7]$/;
|
||||
} else {
|
||||
level_error( $rawlevel );
|
||||
}
|
||||
} else {
|
||||
$sublevel = 6; # info
|
||||
}
|
||||
|
||||
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
|
||||
require_capability( 'LOGMARK_TARGET' , 'LOGMARK', 's' );
|
||||
return "LOGMARK --log-level $sublevel";
|
||||
}
|
||||
|
||||
level_error( $rawlevel );
|
||||
}
|
||||
|
||||
'';
|
||||
}
|
||||
|
||||
@ -2672,6 +2689,14 @@ sub Log_Target() {
|
||||
qt1( "$iptables -A $sillyname -j LOG" );
|
||||
}
|
||||
|
||||
sub Ulog_Target() {
|
||||
qt1( "$iptables -A $sillyname -j ULOG" );
|
||||
}
|
||||
|
||||
sub NFLog_Target() {
|
||||
qt1( "$iptables -A $sillyname -j NFLOG" );
|
||||
}
|
||||
|
||||
sub Logmark_Target() {
|
||||
qt1( "$iptables -A $sillyname -j LOGMARK" );
|
||||
}
|
||||
@ -2747,6 +2772,8 @@ our %detect_capability =
|
||||
LENGTH_MATCH => \&Length_Match,
|
||||
LOGMARK_TARGET => \&Logmark_Target,
|
||||
LOG_TARGET => \&Log_Target,
|
||||
ULOG_TARGET => \&Ulog_Target,
|
||||
NFLOG_TARGET => \&NFLog_Target,
|
||||
MANGLE_ENABLED => \&Mangle_Enabled,
|
||||
MANGLE_FORWARD => \&Mangle_Forward,
|
||||
MARK => \&Mark,
|
||||
@ -2890,6 +2917,8 @@ sub determine_capabilities() {
|
||||
$capabilities{TIME_MATCH} = detect_capability( 'TIME_MATCH' );
|
||||
$capabilities{GOTO_TARGET} = detect_capability( 'GOTO_TARGET' );
|
||||
$capabilities{LOG_TARGET} = detect_capability( 'LOG_TARGET' );
|
||||
$capabilities{ULOG_TARGET} = detect_capability( 'ULOG_TARGET' );
|
||||
$capabilities{NFLOG_TARGET} = detect_capability( 'NFLOG_TARGET' );
|
||||
$capabilities{LOGMARK_TARGET} = detect_capability( 'LOGMARK_TARGET' );
|
||||
$capabilities{FLOW_FILTER} = detect_capability( 'FLOW_FILTER' );
|
||||
$capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' );
|
||||
|
||||
@ -28,7 +28,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40407
|
||||
SHOREWALL_CAPVERSION=40425
|
||||
SHOREWALL_CAPVERSION=40426
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||
|
||||
@ -1729,6 +1729,8 @@ determine_capabilities() {
|
||||
LOGMARK_TARGET=
|
||||
IPMARK_TARGET=
|
||||
LOG_TARGET=Yes
|
||||
ULOG_TARGET=
|
||||
NFLOG_TARGET=
|
||||
PERSISTENT_SNAT=
|
||||
FLOW_FILTER=
|
||||
FWMARK_RT_MASK=
|
||||
@ -1886,6 +1888,8 @@ determine_capabilities() {
|
||||
qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
|
||||
qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
|
||||
qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
|
||||
qt $IPTABLES -A $chain -j ULOG && ULOG_TARGET=Yes
|
||||
qt $IPTABLES -A $chain -j NFLOG && NFLOG_TARGET=Yes
|
||||
qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
|
||||
qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
|
||||
qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
|
||||
@ -1977,6 +1981,8 @@ report_capabilities() {
|
||||
report_capability "LOGMARK Target" $LOGMARK_TARGET
|
||||
report_capability "IPMARK Target" $IPMARK_TARGET
|
||||
report_capability "LOG Target" $LOG_TARGET
|
||||
report_capability "ULOG Target" $ULOG_TARGET
|
||||
report_capability "NFLOG Target" $NFLOG_TARGET
|
||||
report_capability "Persistent SNAT" $PERSISTENT_SNAT
|
||||
report_capability "TPROXY Target" $TPROXY_TARGET
|
||||
report_capability "FLOW Classifier" $FLOW_FILTER
|
||||
@ -2050,6 +2056,8 @@ report_capabilities1() {
|
||||
report_capability1 LOGMARK_TARGET
|
||||
report_capability1 IPMARK_TARGET
|
||||
report_capability1 LOG_TARGET
|
||||
report_capability1 ULOG_TARGET
|
||||
report_capability1 NFLOG_TARGET
|
||||
report_capability1 PERSISTENT_SNAT
|
||||
report_capability1 TPROXY_TARGET
|
||||
report_capability1 FLOW_FILTER
|
||||
|
||||
@ -32,7 +32,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40407
|
||||
SHOREWALL_CAPVERSION=40425
|
||||
SHOREWALL_CAPVERSION=40426
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
||||
|
||||
@ -1556,6 +1556,9 @@ determine_capabilities() {
|
||||
GOTO_TARGET=
|
||||
IPMARK_TARGET=
|
||||
LOG_TARGET=Yes
|
||||
ULOG_TARGET=
|
||||
NFLOG_TARGET=
|
||||
LOGMARK_TARGET=
|
||||
FLOW_FILTER=
|
||||
FWMARK_RT_MASK=
|
||||
MARK_ANYWHERE=
|
||||
@ -1712,7 +1715,10 @@ determine_capabilities() {
|
||||
qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
|
||||
qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
|
||||
qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
|
||||
qt $IP6TABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
|
||||
qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
|
||||
qt $IP6TABLES -A $chain -j ULOG && ULOG_TARGET=Yes
|
||||
qt $IP6TABLES -A $chain -j NFLOG && NFLOG_TARGET=Yes
|
||||
qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
|
||||
qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
|
||||
qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
|
||||
@ -1804,7 +1810,10 @@ report_capabilities() {
|
||||
report_capability "Time Match" $TIME_MATCH
|
||||
report_capability "Goto Support" $GOTO_TARGET
|
||||
report_capability "IPMARK Target" $IPMARK_TARGET
|
||||
report_capability "LOGMARK Target" $LOGMARK_TARGET
|
||||
report_capability "LOG Target" $LOG_TARGET
|
||||
report_capability "ULOG Target" $ULOG_TARGET
|
||||
report_capability "NFLOG Target" $NFLOG_TARGET
|
||||
report_capability "TPROXY Target" $TPROXY_TARGET
|
||||
report_capability "FLOW Classifier" $FLOW_FILTER
|
||||
report_capability "fwmark route mask" $FWMARK_RT_MASK
|
||||
@ -1874,7 +1883,10 @@ report_capabilities1() {
|
||||
report_capability1 TIME_MATCH
|
||||
report_capability1 GOTO_TARGET
|
||||
report_capability1 IPMARK_TARGET
|
||||
report_capability1 LOGMARK_TARGET
|
||||
report_capability1 LOG_TARGET
|
||||
report_capability1 ULOG_TARGET
|
||||
report_capability1 NFLOG_TARGET
|
||||
report_capability1 TPROXY_TARGET
|
||||
report_capability1 FLOW_FILTER
|
||||
report_capability1 FWMARK_RT_MASK
|
||||
|
||||
Loading…
Reference in New Issue
Block a user