diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 55bbf27ed..ce26d805c 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -35,23 +35,29 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw(
- add_rule
- add_jump
- insert_rule
- new_chain
- new_manual_chain
- ensure_manual_chain
- log_rule_limit
- dont_optimize
- dont_delete
- dont_move
+ add_rule
+ add_jump
+ insert_rule
+ add_commands
+ incr_cmd_level
+ decr_cmd_level
+ new_chain
+ new_manual_chain
+ ensure_manual_chain
+ ensure_audit_chain
+ require_audit
+ log_rule_limit
+ dont_optimize
+ dont_delete
+ dont_move
+ get_action_logging
- %chain_table
- $raw_table
- $nat_table
- $mangle_table
- $filter_table
- );
+ %chain_table
+ $raw_table
+ $nat_table
+ $mangle_table
+ $filter_table
+ );
 our %EXPORT_TAGS = (
 internal => [ qw( STANDARD
@@ -78,7 +84,6 @@ our %EXPORT_TAGS = (
 NOT_RESTORE
 initialize_chain_table
- add_commands
 copy_rules
 move_rules
 insert_rule1
@@ -90,8 +95,6 @@ our %EXPORT_TAGS = (
 clear_comment
 push_comment
 pop_comment
- incr_cmd_level
- decr_cmd_level
 forward_chain
 rules_chain
 zone_forward_chain
@@ -1559,6 +1562,77 @@ sub ensure_manual_chain($) {
 $chainref;
 }
+#
+# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
+#
+
+sub ensure_audit_chain( $;$$ ) {
+ my ( $target, $action, $tgt ) = @_;
+
+ push_comment( '' );
+
+ my $ref = $filter_table->{$target};
+
+ unless ( $ref ) {
+ $ref = new_chain 'filter', $target;
+
+ unless ( $action ) {
+ $action = $target;
+ $action =~ s/^A_//;
+ }
+
+ $tgt ||= $action;
+
+ if ( $config{FAKE_AUDIT} ) {
+ add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
+ } else {
+ add_rule $ref, '-j AUDIT --type ' . lc $action;
+ }
+
+
+ if ( $tgt eq 'REJECT' ) {
+ add_jump $ref , 'reject', 1;
+ } else {
+ add_jump $ref , $tgt, 0;
+ }
+ }
+
+ pop_comment;
+
+ return $target;
+}
+
+#
+# Return the appropriate target based on whether the second argument is 'audit'
+#
+
+sub require_audit($$;$) {
+ my ($action, $audit, $tgt ) = @_;
+
+ return $action unless supplied $audit;
+
+ my $target = 'A_' . $action;
+
+ fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
+
+ require_capability 'AUDIT_TARGET', 'audit', 's';
+
+ return ensure_audit_chain $target, $action, $tgt;
+}
+
+#
+# Returns the Level and Tag for the current action chain
+#
+sub get_action_logging() {
+ my $chainref = get_action_chain;
+ my $wholeaction = $chainref->{action};
+ my ( undef, $level, $tag, undef ) = split ':', $wholeaction;
+
+ $level = '' if $level =~ /^none/;
+
+ ( $level, $tag );
+}
+
 #
 # Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
 # The function also initializes the target table with the pre-defined targets available for the specfied address family.
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 93b41dac4..c76f1e33f 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
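Review bot: `get_action_logging` warns and returns `undef` when the stored action string has fewer than two colon-separated fields: `split ':', $wholeaction` then leaves `$level` undefined, and `$level =~ /^none/` raises "Use of uninitialized value" under warnings. Unless every action chain's `{action}` value is guaranteed to carry the level field (where it is set is not visible here), make the test tolerate a missing field, `$level = '' unless defined $level && $level !~ /^none/;`, and consider the same for `$tag`, which is also returned unchecked. The three subs arrive from Rules.pm verbatim, so the double blank line in `ensure_audit_chain` before `if ( $tgt eq 'REJECT' )` and the heading comment that leaves the return value implicit come along; a one-line `# Returns ( $level, $tag ); $level is '' when the chain's log level is 'none'` would state the contract.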
@@ -47,14 +47,20 @@ our @EXPORT = qw(
 warning_message
 fatal_error
 assert
+ progress_message
 progress_message_nocompress
 progress_message2
 progress_message3
+ supplied
+ get_action_params
 get_action_chain
 set_action_param
+
+ have_capability
+ require_capability
 );
 our @EXPORT_OK = qw( $shorewall_dir initialize set_config_path shorewall);
@@ -113,8 +119,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 add_param
 export_params
 get_configuration
- require_capability
- have_capability
 report_capabilities
 propagateconfig
 append_file
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 6ff1ef848..8fb547e7d 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -663,8 +663,6 @@ sub complete_standard_chain ( $$$$ ) {
 policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }
-sub require_audit($$;$);
-
 #
 # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
 #
@@ -1148,105 +1146,6 @@ sub map_old_actions( $ ) {
 }
 }
-#
-# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
-
-sub ensure_audit_chain( $;$$ ) {
- my ( $target, $action, $tgt ) = @_;
-
- push_comment( '' );
-
- my $ref = $filter_table->{$target};
-
- unless ( $ref ) {
- $ref = new_chain 'filter', $target;
-
- unless ( $action ) {
- $action = $target;
- $action =~ s/^A_//;
- }
-
- $tgt ||= $action;
-
- if ( $config{FAKE_AUDIT} ) {
- add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
- } else {
- add_rule $ref, '-j AUDIT --type ' . lc $action;
- }
-
-
- if ( $tgt eq 'REJECT' ) {
- add_jump $ref , 'reject', 1;
- } else {
- add_jump $ref , $tgt, 0;
- }
- }
-
- pop_comment;
-
- return $target;
-}
-
-#
-# Return the appropriate target based on whether the second argument is 'audit'
-#
-
-sub require_audit($$;$) {
- my ($action, $audit, $tgt ) = @_;
-
- return $action unless supplied $audit;
-
- my $target = 'A_' . $action;
-
- fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
-
- require_capability 'AUDIT_TARGET', 'audit', 's';
-
- return ensure_audit_chain $target, $action, $tgt;
-}
-
-#
-# The following small functions generate rules for the builtin actions of the same name
-#
-sub dropBcast( $$$$ ) {
- my ($chainref, $level, $tag, $audit) = @_;
-
- my $target = require_audit ( 'DROP', $audit );
-
- if ( have_capability( 'ADDRTYPE' ) ) {
- if ( $level ne '' ) {
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
- if ( $family == F_IPV4 ) {
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
- } else {
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
- }
- }
-
- add_jump $chainref, $target, 0, "-m addrtype --dst-type BROADCAST ";
- } else {
- if ( $family == F_IPV4 ) {
- add_commands $chainref, 'for address in $ALL_BCASTS; do';
- } else {
- add_commands $chainref, 'for address in $ALL_ACASTS; do';
- }
-
- incr_cmd_level $chainref;
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
- add_jump $chainref, $target, 0, "-d \$address ";
- decr_cmd_level $chainref;
- add_commands $chainref, 'done';
-
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
- }
-
- if ( $family == F_IPV4 ) {
- add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
- } else {
- add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
- }
-}
-
 sub allowBcast( $$$$ ) {
 my ($chainref, $level, $tag, $audit) = @_;