From 814494e277fde3edd580823ce17617224e70bbb0 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 19 May 2011 08:35:40 -0700
Subject: [PATCH] More AUDIT changes
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Config.pm | 14 +++----
 Shorewall/Perl/Shorewall/Rules.pm | 36 +++++++++++++-----
 Shorewall/action.AAccept | 14 +++++++
 Shorewall/action.ADrop | 60 ++++++++++++++++++++++++++++++
 Shorewall/action.AReject | 59 +++++++++++++++++++++++++++++
 Shorewall/actions.std | 3 ++
 6 files changed, 170 insertions(+), 16 deletions(-)
 create mode 100644 Shorewall/action.AAccept
 create mode 100644 Shorewall/action.ADrop
 create mode 100644 Shorewall/action.AReject
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index a98c32030..01b2e9f8f 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -315,7 +315,7 @@ our %config_files = ( #accounting => 1,
 #
 # Options that involve the the AUDIT target
 #
-my @auditoptions = qw( BLACKLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
+my @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
 #
 # Directories to search for configuration files
 #
@@ -3362,12 +3362,12 @@ sub get_configuration( $ ) {
 if ( $val = $config{MACLIST_DISPOSITION} ) {
 unless ( $val =~ /^A?REJECT$/ ) {
- unless ( $val =~ /^A?DROP/ ) {
- if ( $val eq 'ACCEPT' ) {
- $globals{MACLIST_TARGET} = 'RETURN';
- } else {
- fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
- }
+ if ( $val =~ /^A?DROP/ ) {
+ $globals{MACLIST_TARGET} = $val;
+ } elsif ( $val eq 'ACCEPT' ) {
+ $globals{MACLIST_TARGET} = 'RETURN';
+ } else {
+ fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
 }
 }
 } else {
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index d5e4f6219..cd448fa53 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
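Review bot: The new `if ( $val =~ /^A?DROP/ )` branch in get_configuration now stores `$val` itself in `$globals{MACLIST_TARGET}`, but the pattern has no end anchor, so any value that merely starts with DROP or ADROP would pass validation and be emitted verbatim as the target; the REJECT test on the line above is anchored with `$`. Suggest `if ( $val =~ /^A?DROP$/ ) {` so the accepted set is exactly DROP and ADROP. The enclosing get_configuration body starts and ends outside the hunk.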
@@ -168,9 +168,9 @@ sub initialize( $ ) {
 %usedactions = ();
 if ( $family == F_IPV4 ) {
- @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AACCEPT ADROP AREJECT/;
+ @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AUDIT AACCEPT ADROP AREJECT/;
 } else {
- @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AACCEPT ADROP AREJECT/;
+ @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AUDIT AACCEPT ADROP AREJECT/;
 }
 }
@@ -1291,10 +1291,21 @@ sub Limit( $$$$ ) {
 add_rule $chainref, '-j ACCEPT';
 }
+sub AUDIT( $$$$) {
+ my ($chainref, $level, $tag, $type ) = @_;
+
+ require_capability 'AUDIT_TARGET' , 'AUDIT rules', '';
+
+ fatal_error "Logging is not permitted in the AUDIT action" if $level;
+ fatal_error "AUDIT requires a 'type' parameter";
+ fatal_error "Invalid AUDIT type ($type)" unless $type =~ /^(accept|drop|reject)$/;
+ add_rule $chainref , "-j AUDIT --type $type";
+}
+
 sub AACCEPT ( $$$ ) {
 my ($chainref, $level, $tag) = @_;
- require_capability 'AUDIT_TARGET' , 'AACCEPT policies and rules', '';
+ require_capability 'AUDIT_TARGET' , 'AACCEPT rules', '';
 log_rule_limit $level, $chainref, 'AACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
 add_rule $chainref , '-j AUDIT --type accept';
@@ -1304,7 +1315,7 @@ sub AACCEPT ( $$$ ) {
 sub ADROP ( $$$ ) {
 my ($chainref, $level, $tag) = @_;
- require_capability 'AUDIT_TARGET' , 'ADROP policies and rules', '';
+ require_capability 'AUDIT_TARGET' , 'ADROP rules', '';
 log_rule_limit $level, $chainref, 'ADROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
 add_rule $chainref , '-j AUDIT --type drop';
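Review bot: `fatal_error "AUDIT requires a 'type' parameter";` in the new AUDIT sub is unconditional, so every AUDIT invocation — including the `AUDIT('accept')`, `AUDIT('drop')` and `AUDIT('reject')` lines in the action files this commit adds — aborts before the type is ever validated. It needs a guard, e.g. `fatal_error "AUDIT requires a 'type' parameter" unless defined $type && $type ne '';`. The type check `/^(accept|drop|reject)$/` would be tighter as `/^(?:accept|drop|reject)\z/`, since `$` also matches before a trailing newline and `$type` is interpolated into the generated rule on the next line. The sibling AACCEPT/ADROP/AREJECT subs test `$level ne ''` while AUDIT tests `if $level`; if the caller can pass a level of `0`, the two forms disagree (the caller's normalization of `$level` is not visible here).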
@@ -1314,7 +1325,7 @@ sub ADROP ( $$$ ) {
 sub AREJECT ( $$$ ) {
 my ($chainref, $level, $tag) = @_;
- require_capability 'AUDIT_TARGET' , 'AREJECT policies and rules', '';
+ require_capability 'AUDIT_TARGET' , 'AREJECT rules', '';
 log_rule_limit $level, $chainref, 'AREJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
 add_rule $chainref , '-j AUDIT --type reject';
@@ -1329,7 +1340,12 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
 'allowInvalid' => \&allowInvalid,
 'allowinUPnP' => \&allowinUPnP,
 'forwardUPnP' => \&forwardUPnP,
- 'Limit' => \&Limit, );
+ 'Limit' => \&Limit,
+ 'AUDIT' => \&AUDIT,
+ 'AACCEPT' => \&AACCEPT,
+ 'ADROP' => \&ADROP,
+ 'AREJECT' => \&AREJECT
+ );
 #
 # This function is called prior to processing of the policy file. It:
@@ -1463,14 +1479,16 @@ sub process_action( $) {
 sub process_actions2 () {
 progress_message2 "$doing policy actions...";
- for ( map normalized_action_name $_, grep $auditpolicies{$_}, @auditoptions ) {
- if ( my $ref = use_action( $_ ) ) {
+ my $ref;
+
+ for ( map normalized_action_name $_, grep $auditpolicies{$config{$_}}, @auditoptions ) {
+ if ( $ref = use_action( $_ ) ) {
 process_action( $ref );
 }
 }
 for ( map normalize_action_name $_, ( grep ! ( $targets{$_} & BUILTIN ), keys %policy_actions ) ) {
- if ( my $ref = use_action( $_ ) ) {
+ if ( $ref = use_action( $_ ) ) {
 process_action( $ref );
 }
 }
diff --git a/Shorewall/action.AAccept b/Shorewall/action.AAccept
new file mode 100644
index 000000000..4852d5c1e
--- /dev/null
+++ b/Shorewall/action.AAccept
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Audit Accept Action
+#
+# /usr/share/shorewall/action.AAccept
+#
+# Specify this as the ACCEPT_ACTION if you want ACCEPT policies to be
+# Audited
+#
+###############################################################################
+#TARGET SOURCE DEST PROTO DPORT SPORT
+#
+# Audit the result
+#
+AUDIT('accept')
diff --git a/Shorewall/action.ADrop b/Shorewall/action.ADrop
new file mode 100644
index 000000000..b69f65b8c
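Review bot: `grep $auditpolicies{$config{$_}}, @auditoptions` in process_actions2 indexes the hash with `$config{$_}`, which is undef for any of the three audit options the user left unset, so under `use warnings` each unset option produces an "uninitialized value in hash element" warning on every compile; `grep { defined $config{$_} && $auditpolicies{$config{$_}} } @auditoptions` avoids that (unless the defaults applied earlier in get_configuration already guarantee a value, which is not visible here). Hoisting `my $ref;` out of the two `if` conditions widens the variable's scope for no gain; the original `if ( my $ref = use_action( $_ ) )` form kept it local to each branch. The two loops also call differently named helpers, `normalized_action_name` and `normalize_action_name`; if both are not real subs, one of the loops fails at runtime — worth confirming against the rest of Rules.pm.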
--- /dev/null
+++ b/Shorewall/action.ADrop
@@ -0,0 +1,60 @@
+#
+# Shorewall version 4 - Drop Action
+#
+# /usr/share/shorewall/action.ADrop
+#
+# Like action.Drop but also Audits
+#
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that 'auth' requests are rejected, even if the policy is
+# DROP. Otherwise, you may experience problems establishing
+# connections with servers that use auth.
+# c) Ensure that certain ICMP packets that are necessary for successful
+# internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+###############################################################################
+#TARGET SOURCE DEST PROTO DPORT SPORT
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Reject 'auth'
+#
+Auth(REJECT)
+#
+# Don't log broadcasts
+#
+dropBcast
+#
+# ACCEPT critical ICMP types
+#
+AllowICMPs - - icmp
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+dropInvalid
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(DROP)
+DropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn - - tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DropDNSrep
+#
+# Audit the result
+#
+AUDIT('drop')
diff --git a/Shorewall/action.AReject b/Shorewall/action.AReject
new file mode 100644
index 000000000..dd739ee17
--- /dev/null
+++ b/Shorewall/action.AReject
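Review bot: The title line `# Shorewall version 4 - Drop Action` in the new action.ADrop is copied from action.Drop and does not name this file; `# Shorewall version 4 - ADrop Action` would match the path comment two lines below and the form used in action.AReject's header. Nothing in the rule body itself drops — the file relies on the DROP policy that follows it, as the comment says — so a one-line note such as `# The final DROP is applied by the policy that invoked this action.` above `AUDIT('drop')` would spare readers the question.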
@@ -0,0 +1,59 @@
+#
+# Shorewall version 4 - AReject Action
+#
+# /usr/share/shorewall/action.Reject
+#
+# This action is like Reject only it also audits
+#
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+# internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+###############################################################################
+#TARGET SOURCE DEST PROTO
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Don't log 'auth' -- REJECT
+#
+Auth(REJECT)
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast
+#
+# ACCEPT critical ICMP types
+#
+AllowICMPs - - icmp
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(REJECT)
+DropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn - - tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DropDNSrep
+#
+# Audit the result
+#
+AUDIT('reject')
+
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index e98c2ed94..f2e337ea9 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,6 +8,9 @@
 #
 # Builtin Actions are:
 #
+# AACCEPT # Audits then accepts a connection request
+# ADROP # Audits then drops a connection request
+# AREJECT # Audits then drops a connection request
 # allowBcast # Silently Allow Broadcast/multicast
 # dropBcast # Silently Drop Broadcast/multicast
 # dropNotSyn # Silently Drop Non-syn TCP packets
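Review bot: The header of the new action.AReject gives its own path as `/usr/share/shorewall/action.Reject`, which is the existing non-auditing action; it should read `# /usr/share/shorewall/action.AReject`. The column header `#TARGET SOURCE DEST PROTO` also drops the DPORT and SPORT columns that action.ADrop's header lists, and the `#` separator line before the `####` rule is missing, so the two sibling files' headers differ for no reason; aligning them to the ADrop layout would help anyone diffing the two.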
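Review bot: The added `# AREJECT # Audits then drops a connection request` line in actions.std is a copy of the ADROP line; it should read `# AREJECT # Audits then rejects a connection request`. The AUDIT builtin that this same commit adds to `@builtins` and `%builtinops` in Rules.pm is not listed here alongside AACCEPT/ADROP/AREJECT, so the "Builtin Actions are:" list is already out of date; a line such as `# AUDIT # Audits with the given type (accept, drop or reject)` would keep it complete.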