Implement LOG_ZONE

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2018-02-20 14:02:06 -08:00 · 2018-02-20 14:02:06 -08:00 · 7ad7598d5b
commit 7ad7598d5b
parent 4dfc6d90b9
16 changed files with 176 additions and 58 deletions
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@ -282,7 +282,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_rules_chain ( 'accountout' ) ,
+			    ensure_chain ( $config{ACCOUNTING_TABLE}, 'accountout' ) ,
 			    OUTPUT_RESTRICT ,
 			    $prerule ,
 			    $rule ,
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -172,6 +172,12 @@ our %EXPORT_TAGS = (
 				       related_chain
 				       invalid_chain
 				       untracked_chain
 				       rules_log
 				       blacklist_log
 				       established_log
 				       related_log
 				       invalid_log
 				       untracked_log
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@ -2266,6 +2272,56 @@ sub untracked_chain($$) {
    '&' . &rules_chain(@_);
 }
 #
 # Logname for chains between an ordered pair of zones
 #
 sub rules_log( $$ ) {
    my $logchain = $config{LOG_ZONE};
    if ( $logchain eq 'both' ) {
 	join "$config{ZONE2ZONE}", @_;
    } elsif ( $logchain eq 'src' ) {
 	$_[0];
    } else {
 	$_[1];
    }
 }
 #
 # Log name of the blacklist chain between an ordered pair of zones
 #
 sub blacklist_log($$) {
    &rules_log(@_) . '~';
 }
 #
 # Log name of the established chain between an ordered pair of zones
 #
 sub established_log($$) {
    '^' . &rules_log(@_)
 }
 #
 # Log name of the related chain between an ordered pair of zones
 #
 sub related_log($$) {
    '+' . &rules_log(@_);
 }
 #
 # Log name of the invalid chain between an ordered pair of zones
 #
 sub invalid_log($$) {
    '_' . &rules_log(@_);
 }
 #
 # Name of the untracked chain between an ordered pair of zones
 #
 sub untracked_log($$) {
    '&' . &rules_log(@_);
 }
 #
 # Create the base for a chain involving the passed interface -- we make this a function so it will be
 # easy to change the mapping should the need ever arrive.
@ -4629,7 +4685,7 @@ sub logchain( $$$$$$ ) {
 	log_irule_limit(
 		       $loglevel ,
 		       $logchainref ,
-		       $chainref->{name} ,
+		       $chainref->{logname} ,
 		       $disposition ,
 		       [] ,
 		       $logtag,
@ -6808,13 +6864,13 @@ sub log_irule_limit( $$$$$$$$@ ) {
 sub log_rule( $$$$ ) {
    my ( $level, $chainref, $disposition, $matches ) = @_;
-    log_rule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGLIMIT}, '', 'add', $matches;
+    log_rule_limit $level, $chainref, $chainref->{logname} , $disposition, $globals{LOGLIMIT}, '', 'add', $matches;
 }
 sub log_irule( $$$;@ ) {
    my ( $level, $chainref, $disposition, @matches ) = @_;
-    log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
+    log_irule_limit $level, $chainref, $chainref->{logname} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
 }
 #
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -881,6 +881,7 @@ sub initialize( $;$$$) {
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  LOG_LEVEL => undef,
 	  LOG_ZONE => undef,
 	  #
 	  # Location of Files
 	  #
@ -6791,6 +6792,13 @@ sub get_configuration( $$$ ) {
 	$config{LOG_BACKEND} = $val;
    }
    if ( supplied( $val = $config{LOG_ZONE} ) ) {
 	fatal_error "Invalid LOG_ZONE setting ($val)" unless $val =~ /^(src|dst|both)$/i;
 	$config{LOG_ZONE} = lc( $val );
    } else {
 	$config{LOG_ZONE} = 'both';
    }
    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
    default_log_level 'SMURF_LOG_LEVEL',     '';
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -112,6 +112,13 @@ our %section_functions = ( ALL_SECTION ,        \&rules_chain,
 			   UNTRACKED_SECTION,   \&untracked_chain,
 			   NEW_SECTION,         \&rules_chain );
 our %log_functions = ( ALL_SECTION ,         \&rules_log ,
 		       BLACKLIST_SECTION ,   \&blacklist_log ,
 		       ESTABLISHED_SECTION , \&established_log ,
 		       RELATED_SECTION ,     \&related_log ,
 		       INVALID_SECTION ,     \&invalid_log ,
 		       UNTRACKED_SECTION ,   \&untracked_log ,
 		       NEW_SECTION ,         \&rules_log );
 #
 # Section => STATE map - initialized in process_rules().
 #
@ -403,8 +410,8 @@ sub initialize( $ ) {
 #
 # Create a rules chain
 #
-sub new_rules_chain( $ ) {
+sub new_rules_chain( $$ ) {
-    my $chainref = new_chain( 'filter', $_[0] );
+    my $chainref = new_chain( 'filter', &rules_chain( @_ ), &rules_log( @_ ) );
    if ( $config{FASTACCEPT} ) {
 	if ( $globals{RELATED_TARGET} eq 'ACCEPT' && ! $config{RELATED_LOG_LEVEL} ) {
@ -445,7 +452,7 @@ sub new_policy_chain($$$$$)
 {
    my ($source, $dest, $policy, $provisional, $audit) = @_;
-    my $chainref = new_rules_chain( rules_chain( ${source}, ${dest} ) );
+    my $chainref = new_rules_chain( ${source}, ${dest} );
    convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional, $audit );
@ -455,9 +462,11 @@ sub new_policy_chain($$$$$)
 #
 # Set the passed chain's policychain and policy to the passed values.
 #
-sub set_policy_chain($$$$$$)
+sub set_policy_chain($$$$$)
 {
-    my ( $chain, $source, $dest, $polchainref, $policy, $intrazone ) = @_;
+    my ( $source, $dest, $polchainref, $policy, $intrazone ) = @_;
    my $chain = rules_chain( $source, $dest );
    my $chainref = $filter_table->{$chain};
@ -467,7 +476,7 @@ sub set_policy_chain($$$$$$)
 	    $chainref->{provisional} = '';
 	}
    } else {
-	$chainref = new_rules_chain $chain;
+	$chainref = new_rules_chain( $source, $dest );
    }
    unless ( $chainref->{policychain} ) {
@ -483,6 +492,7 @@ sub set_policy_chain($$$$$$)
 	    if ( defined $polchainref->{synparams} ) {
 		$chainref->{synparams}   = $polchainref->{synparams};
 		$chainref->{synchain}    = $polchainref->{synchain};
 		$chainref->{synlog}      = $polchainref->{synlog};
 	    }
 	    $chainref->{pactions}    = $polchainref->{pactions} || [];
@ -743,7 +753,8 @@ sub process_a_policy1($$$$$$$) {
 	$value  = do_ratelimit $synparams, 'ACCEPT'  if $synparams ne '';
 	$value .= do_connlimit $connlimit            if $connlimit ne '';
 	$chainref->{synparams} = $value;
-	$chainref->{synchain}  = $chain
+	$chainref->{synchain}  = $chain;
 	$chainref->{synlog}    = '@' . $chainref->{logname};
    }
    $chainref->{pactions} = $pactionref;
@ -753,19 +764,19 @@ sub process_a_policy1($$$$$$$) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $zone, $zone1, $chainref, $policy, $intrazone;
+		    set_policy_chain $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain rules_chain( ${zone}, ${server} ), $zone, $server, $chainref, $policy, $intrazone;
+		set_policy_chain $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $zone, $chainref, $policy, $intrazone;
+	    set_policy_chain $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
    } else {
@ -832,6 +843,8 @@ sub save_policies() {
    }
 }
 sub ensure_rules_chain( $$ );
 #
 # Process the policy file
 #
@ -881,19 +894,15 @@ sub process_policies()
 	if ( $type == LOCAL ) {
 	    for my $zone1 ( off_firewall_zones ) {
 		unless ( $zone eq $zone1 ) {
-		    my $name  = rules_chain( $zone,  $zone1 );
+		    set_policy_chain( $zone,  $zone1, ensure_rules_chain( $zone, $zone1  ), 'NONE', 0 );
-		    my $name1 = rules_chain( $zone1, $zone  );
+		    set_policy_chain( $zone1, $zone,  ensure_rules_chain( $zone1, $zone ), 'NONE', 0 );
 		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
 		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	} elsif ( $type == LOOPBACK ) {
 	    for my $zone1 ( off_firewall_zones ) {
 		unless ( $zone eq $zone1 || zone_type( $zone1 ) == LOOPBACK ) {
-		    my $name  = rules_chain( $zone,  $zone1 );
+		    set_policy_chain( $zone,  $zone1, ensure_rules_chain( $zone, $zone1  ), 'NONE', 0 );
-		    my $name1 = rules_chain( $zone1, $zone  );
+		    set_policy_chain( $zone1, $zone,  ensure_rules_chain( $zone1, $zone ), 'NONE', 0 );
 		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
 		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	}
@ -1062,7 +1071,7 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
    progress_message_nocompress "   Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
 }
-sub ensure_rules_chain( $ );
+sub finish_chain_sections( $ );
 #
 # Finish all policy Chains
@ -1076,7 +1085,7 @@ sub complete_policy_chains() {
 	    my $provisional = $chainref->{provisional};
 	    my $defaults    = $chainref->{pactions};
 	    my $name        = $chainref->{name};
-	    my $synparms    = $chainref->{synparms};
+	    my $synparams   = $chainref->{synparams};
 	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
 		if ( $config{OPTIMIZE} & 2 ) {
@ -1086,13 +1095,13 @@ sub complete_policy_chains() {
 		    # is a single jump. Generate_matrix() will just use the policy target when
 		    # needed.
 		    #
-		    ensure_rules_chain $name if ( @$defaults         ||
+		    finish_chain_sections( $chainref ) if ( @$defaults         ||
 							    $loglevel          ||
-						  $synparms          ||
+							    $synparams         ||
 							    $config{MULTICAST} ||
 							    ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ) );
 		} else {
-		    ensure_rules_chain $name;
+		    finish_chain_sections( $chainref );
 		}
 	    }
@ -1149,13 +1158,14 @@ sub setup_syn_flood_chains() {
 	my $limit = $chainref->{synparams};
 	if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
 	    my $level = $chainref->{loglevel};
-	    my $synchainref = @zones > 1 ?
+	    my $synchainref =
-		    new_chain 'filter' , syn_flood_chain $chainref :
+		@zones > 1 ?
-		    new_chain( 'filter' , '@' . $chainref->{name} );
+		new_chain( 'filter' , syn_flood_chain $chainref , $chainref->{synlog} ) :
 		new_chain( 'filter' , '@' . $chainref->{name}   , '@' . $chainref->{logname} );
 	    add_rule $synchainref , "${limit}-j RETURN";
 	    log_irule_limit( $level ,
 			     $synchainref ,
-			     $synchainref->{name} ,
+			     $synchainref->{logname} ,
 			     'DROP',
 			     @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
 			    '' ,
@ -1227,7 +1237,7 @@ sub finish_chain_section ($$$) {
 		    log_rule_limit( $level,
 				    $chain2ref,
-				    $chain2ref->{name},
+				    $chain2ref->{logname},
 				    uc $target,
 				    $globals{LOGLIMIT},
 				    $tag ,
@ -1306,20 +1316,9 @@ sub finish_chain_section ($$$) {
    pop_comment( $save_comment );
 }
-#
+sub finish_chain_sections( $ ) {
-# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
+    my ( $chainref ) = @_;
 #
 # Return a reference to the chain's table entry.
 #
 sub ensure_rules_chain( $ )
 {
    my ($chain) = @_;
    my $chainref = $filter_table->{$chain};
    $chainref = new_rules_chain( $chain ) unless $chainref;
    unless ( $chainref->{referenced} ) {
 	if ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID,UNTRACKED';
 	} elsif ( $section == UNTRACKED_SECTION ) {
@ -1331,7 +1330,24 @@ sub ensure_rules_chain( $ )
 	}
 	$chainref->{referenced} = 1;
-    }
+}
 #
 # Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
 #
 # Return a reference to the chain's table entry.
 #
 sub ensure_rules_chain( $$ )
 {
    my ($source, $dest) = @_;
    my $chain = rules_chain( $source, $dest );
    my $chainref = $filter_table->{$chain};
    $chainref = new_rules_chain( $source, $dest ) unless $chainref;
    finish_chain_sections( $chainref ) unless $chainref->{referenced};
    $chainref;
 }
@ -2967,7 +2983,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#
 	# Mark the chain as referenced and add appropriate rules from earlier sections.
 	#
-	$chainref = ensure_rules_chain $chain;
+	$chainref = ensure_rules_chain ${sourcezone}, ${destzone};
 	#
 	# Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
 	#
@ -2977,7 +2993,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    unless ( $auxref ) {
 		my $save_comment = push_comment;
-		$auxref = new_chain 'filter', $auxchain;
+		$auxref = new_chain 'filter', $auxchain, $log_functions{$section}->( $sourcezone, $destzone );
 		$auxref->{blacklistsection} = 1 if $blacklist;
 		add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@ -85,8 +85,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
+		$inchainref  = ensure_rules_chain( ${zone}, ${fw} );
-		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+		$outchainref = ensure_rules_chain( ${fw}, ${zone} );
 		unless ( have_ipsec ) {
 		    add_tunnel_rule $inchainref,  p => 50, @$source;
@ -250,8 +250,8 @@ sub setup_tunnels() {
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );
-	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
+	my $inchainref  = ensure_rules_chain( ${zone}, ${fw}   );
-	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+	my $outchainref = ensure_rules_chain( ${fw},   ${zone} );
 	$gateways = ALLIP if $gateways eq '-';
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@ -45,6 +45,8 @@ LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@ -56,6 +56,8 @@ LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@ -53,6 +53,8 @@ LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@ -56,6 +56,8 @@ LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@ -45,6 +45,8 @@ LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@ -1418,6 +1418,24 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">LOG_ZONE=</emphasis>[<emphasis
        role="bold"><option>src</option>|<option>dst</option>|<option>both</option></emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.2.0. When a log message is issued from a
          chain that relates to a pair of zones (e.g, 'fw-net'), the chain
          name normally appears in the log message (unless LOGTAGONLY=Yes and
          a log tag is specified). This can prevent OPTIMIZE category 8 from
          combining chains which are identical except for the names of the
          zones involved. LOG_ZONE allows for only the source or destination
          zone to appear in the messages by setting LOG_ZONE to
          <option>src</option> or <option>dest</option> respectively. If
          LOG_ZONE=<option>both</option> (the default), then the full chain
          name is included in log messages.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[:<replaceable>log-tag</replaceable>]</term>
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@ -44,6 +44,8 @@ LOG_BACKEND=
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@ -45,6 +45,8 @@ LOG_BACKEND=
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@ -44,6 +44,8 @@ LOG_BACKEND=
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@ -44,6 +44,8 @@ LOG_BACKEND=
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@ -44,6 +44,8 @@ LOG_BACKEND=
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages