Improve chain-completion rule tracking

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-02-02 14:57:47 -08:00
parent 28983a0194
commit 916a392fb0
2 changed files with 10 additions and 9 deletions


@ -6350,7 +6350,7 @@ sub log_rule_limit( $$$$$$$$;$ ) {
$ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix ); $ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix );
} }
$ruleref->{origin} = $origin if $origin; $ruleref->{origin} = $origin ||= $chainref->{origin} if reftype $ruleref;
$ruleref; $ruleref;
} }
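Review bot: The new `$ruleref->{origin}` assignment folds a side-effecting `||=` into its right-hand side, which reads like a typo for `||`; since `$origin` is not used again before `$ruleref` is returned, `$ruleref->{origin} = $origin || $chainref->{origin} if reftype $ruleref;` is equivalent and clearer. The guard also moved from `if $origin` to `if reftype $ruleref`, so a rule with neither an explicit origin nor a chain origin now gets an `origin` key holding undef where it previously had no key at all, which only matters if some caller tests with `exists`, and I cannot see that from here. `reftype` has to come from Scalar::Util; its import is outside this hunk, so please confirm it is already in scope. log_rule_limit's body begins before this hunk.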


@ -1028,7 +1028,7 @@ sub finish_chain_section ($$$) {
for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) { for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
if ( $state{$_} ) { if ( $state{$_} ) {
my ( $char, $level, $tag, $target ) = @{$statetable{$_}}; my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char; my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
if ( $twochains || $level || $target ne 'ACCEPT' ) { if ( $twochains || $level || $target ne 'ACCEPT' ) {
@ -1048,17 +1048,18 @@ sub finish_chain_section ($$$) {
$globals{LOGLIMIT}, $globals{LOGLIMIT},
$tag , $tag ,
'add' , 'add' ,
''); '',
$level_origin );
$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT; $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
add_ijump( $chain2ref, g => $target ) if $target; add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
$target = $chain2ref->{name} unless $twochains; $target = $chain2ref->{name} unless $twochains;
} }
if ( $twochains ) { if ( $twochains ) {
add_ijump $chainref, g => $target if $target; add_ijump_extended $chainref, g => $target , $origin if $target;
delete $state{$_}; delete $state{$_};
last; last;
} }
@ -1073,7 +1074,7 @@ sub finish_chain_section ($$$) {
delete $state{ESTABLISHED}; delete $state{ESTABLISHED};
} }
add_ijump( $chainref, j => $target, state_imatch $_ ); add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
} }
delete $state{$_}; delete $state{$_};
@ -3454,9 +3455,9 @@ sub process_rules() {
# Populate the state table # Populate the state table
# #
%statetable = ( ESTABLISHED => [ '^', '', '', 'ACCEPT' ] , %statetable = ( ESTABLISHED => [ '^', '', '', 'ACCEPT' ] ,
RELATED => [ '+', $config{RELATED_LOG_LEVEL}, $globals{RELATED_LOG_TAG}, $globals{RELATED_TARGET} ] , RELATED => [ '+', $config{RELATED_LOG_LEVEL}, $globals{RELATED_LOG_TAG}, $globals{RELATED_TARGET} , $origin{RELATED_DISPOSITION} , $origin{RELATED_LOG_LEVEL} ] ,
INVALID => [ '_', $config{INVALID_LOG_LEVEL}, $globals{INVALID_LOG_TAG}, $globals{INVALID_TARGET} ] , INVALID => [ '_', $config{INVALID_LOG_LEVEL}, $globals{INVALID_LOG_TAG}, $globals{INVALID_TARGET} , $origin{INVALID_DISPOSITION} , $origin{INVALID_LOG_LEVEL} ] ,
UNTRACKED => [ '&', $config{UNTRACKED_LOG_LEVEL}, $globals{UNTRACKED_LOG_TAG}, $globals{UNTRACKED_TARGET} ] , UNTRACKED => [ '&', $config{UNTRACKED_LOG_LEVEL}, $globals{UNTRACKED_LOG_TAG}, $globals{UNTRACKED_TARGET} , $origin{UNTRACKED_DISPOSITION} , $origin{UNTRACKED_LOG_LEVEL} ] ,
); );
%section_states = ( BLACKLIST_SECTION , $globals{BLACKLIST_STATES}, %section_states = ( BLACKLIST_SECTION , $globals{BLACKLIST_STATES},
ESTABLISHED_SECTION, 'ESTABLISHED', ESTABLISHED_SECTION, 'ESTABLISHED',