Make 'audit' work on a converted blacklist file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-28 10:30:24 -08:00 · 2011-12-28 10:30:24 -08:00 · a98c85cbc4
commit a98c85cbc4
parent 49eb84b9e2
2 changed files with 23 additions and 0 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -57,6 +57,7 @@ our @EXPORT = qw(
 		    ensure_manual_chain
 		    ensure_audit_chain
 		    ensure_blacklog_chain
+		    ensure_audit_blacklog_chain
 		    require_audit
 		    newlogchain
 		    log_rule_limit
@ -2243,6 +2244,21 @@ sub ensure_blacklog_chain( $$$$ ) {
    'blacklog';
 }

+sub ensure_audit_blacklog_chain( $$$ ) {
+    my ( $target, $disposition, $level ) = @_;
+
+    unless ( $filter_table->{A_blacklog} ) {
+	my $logchainref = new_manual_chain 'A_blacklog';
+
+	log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add',	'' );
+
+	add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target );
+	add_ijump( $logchainref, g => $target );
+    }
+
+    'A_blacklog';
+}
+
 #
 # Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
 #
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -2478,9 +2478,12 @@ sub process_rules() {

 			 if ( supplied $level ) {
 			     ensure_blacklog_chain( $target, $disposition, $level, $audit );
+			     ensure_audit_blacklog_chain( $target, $disposition, $level ) if have_capability 'AUDIT_TARGET';
 			 } elsif ( $audit ) {
 			     require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
 			     verify_audit( $disposition );
+			 } elsif ( have_capability 'AUDIT_TARGET' ) {
+			     verify_audit( 'A_' . $disposition );
 			 }
 		     } );
 	
@ -2489,6 +2492,10 @@ sub process_rules() {
 	process_rule while read_a_line;
 	    
 	$section = '';
+
+	if ( my $chainref = $filter_table->{A_blacklog} ) {
+	    $chainref->{referenced} = 0 unless %{$chainref->{references}};
+	}
    }

    $fn = open_file 'rules';