Add logging to new MAC Verification targets

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3357 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-01-23 16:52:59 +00:00
parent 5eecd59292
commit a996fd988f
3 changed files with 61 additions and 16 deletions


@ -2323,10 +2323,10 @@ setup_mac_lists() {
if [ -n "$MACLIST_TTL" ]; then
chain1=$(macrecent_target $interface)
create_mac_chain $chain1
run_iptables -t $MACLIST_TABLE -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
run_iptables -t $MACLIST_TABLE -A $chain -j $chain1
run_iptables -t $MACLIST_TABLE -A $chain -m recent --update --name $chain -j RETURN
run_iptables -t $MACLIST_TABLE -A $chain -m recent --set --name $chain
run_iptables -A $chain -t $MACLIST_TABLE -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
run_iptables -A $chain -t $MACLIST_TABLE -j $chain1
run_iptables -A $chain -t $MACLIST_TABLE -m recent --update --name $chain -j RETURN
run_iptables -A $chain -t $MACLIST_TABLE -m recent --set --name $chain
fi
done
@ -2336,20 +2336,39 @@ setup_mac_lists() {
while read disposition interface mac addresses; do
expandv disposition interface mac addresses
level=
case $disposition in
ACCEPT:*)
level=${disposition#*:}
disposition=ACCEPT
target=RETURN
;;
ACCEPT)
disposition=RETURN
target=RETURN
;;
REJECT:*)
[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
target=reject
disposition=REJECT
;;
REJECT)
[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
target=reject
;;
DROP:*)
level=${disposition#*:}
disposition=DROP
target=DROP
;;
DROP)
target=DROP
;;
*)
addresses="$mac"
mac="$interface"
interface="$disposition"
disposition=RETURN
target=RETURN
;;
esac
@ -2374,17 +2393,21 @@ setup_mac_lists() {
if [ -z "$addresses" ]; then
fatal_error "You must specify a MAC address or an IP address"
else
mac=
macpart=
fi
else
macpart=$(mac_match $mac)
fi
if [ -z "$addresses" ]; then
run_iptables -t $MACLIST_TABLE -A $chain $macpart $physdev_part -j $disposition
[ -n "$level" ] && \
log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part
run_iptables -A $chain -t $MACLIST_TABLE $macpart $physdev_part -j $target
else
for address in $(separate_list $addresses) ; do
run_iptables2 -t $MACLIST_TABLE -A $chain $macpart -s $address $physdev_part -j $disposition
[ -n "$level" ] && \
log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart -s $address $physdev_part
run_iptables2 -A $chain -t $MACLIST_TABLE $macpart -s $address $physdev_part -j $target
done
fi
done < $TMP_DIR/maclist
@ -2416,7 +2439,7 @@ __EOF__
log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
fi
run_iptables -t $MACLIST_TABLE -A $chain -j $maclist_target
run_iptables -A $chain -t $MACLIST_TABLE -j $maclist_target
done
#
# Generate jumps from the input and forward chains
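Review bot: The `REJECT:*` arm in the second hunk (the `case $disposition` after `expandv`) never extracts the log level: unlike `ACCEPT:*` and `DROP:*`, it goes straight to `target=reject` and `disposition=REJECT`, so `level` stays empty and an entry such as `REJECT:info` is rejected silently with no log rule emitted, contrary to the 3.1.4 release note in this same commit. Add `level=${disposition#*:}` as the first statement of that arm, before `disposition` is overwritten: `REJECT:*)` / `level=${disposition#*:}` / `[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"`. A one-line comment above the `case`, e.g. `# disposition may carry a :loglevel suffix; capture it before normalising disposition`, would make the ordering requirement explicit for the next editor. The enclosing `setup_mac_lists` function starts and ends outside the hunks shown.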


@ -2577,10 +2577,10 @@ setup_mac_lists() {
if [ -n "$MACLIST_TTL" ]; then
chain1=$(macrecent_target $interface)
create_mac_chain $chain1
run_iptables -t $MACLIST_TABLE -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
run_iptables -t $MACLIST_TABLE -A $chain -j $chain1
run_iptables -t $MACLIST_TABLE -A $chain -m recent --update --name $chain -j RETURN
run_iptables -t $MACLIST_TABLE -A $chain -m recent --set --name $chain
run_iptables -A $chain -t $MACLIST_TABLE -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
run_iptables -A $chain -t $MACLIST_TABLE -j $chain1
run_iptables -A $chain -t $MACLIST_TABLE -m recent --update --name $chain -j RETURN
run_iptables -A $chain -t $MACLIST_TABLE -m recent --set --name $chain
fi
done
@ -2591,12 +2591,27 @@ setup_mac_lists() {
expandv disposition interface mac addresses
case $disposition in
ACCEPT:*)
level=${disposition#*:}
disposition=ACCEPT
target=RETURN
;;
ACCEPT)
disposition=RETURN
;;
REJECT:*)
[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
target=reject
disposition=REJECT
;;
REJECT)
[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
;;
DROP:*)
level=${disposition#*:}
disposition=DROP
target=DROP
;;
DROP)
;;
*)
@ -2635,10 +2650,14 @@ setup_mac_lists() {
fi
if [ -z "$addresses" ]; then
run_iptables -t $MACLIST_TABLE -A $chain $macpart $physdev_part -j $disposition
[ -n "$level" ] && \
log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part
run_iptables -A $chain -t $MACLIST_TABLE $macpart $physdev_part -j $target
else
for address in $(separate_list $addresses) ; do
run_iptables2 -t $MACLIST_TABLE -A $chain $macpart -s $address $physdev_part -j $disposition
[ -n "$level" ] && \
log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart -s $address $physdev_part
run_iptables2 -A $chain -t $MACLIST_TABLE $macpart -s $address $physdev_part -j $target
done
fi
done < $TMP_DIR/maclist
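Review bot: This copy of the `REJECT:*` arm (second hunk) has the same omission as the sibling file: it sets `target=reject` and `disposition=REJECT` without first capturing the suffix, so `level` is never set for `REJECT:level` entries and no log rule is generated for them; add `level=${disposition#*:}` as the arm's first line. In this file I also see no `level=` reset between `expandv` and `case` — unless it is cleared somewhere outside the hunk, a level from an earlier maclist line carries over into later lines that specified none and produces unintended log rules, so a `level=` immediately after `expandv` (as the other file does) is needed. Likewise the plain `ACCEPT)`, `REJECT)` and `DROP)` arms here assign no `target`, while the rules in the last hunk jump to `-j $target`; unless `target` is defaulted outside the hunk this emits `-j` with an empty target, so consider mirroring the other file and setting `target` in every arm. `setup_mac_lists` begins and ends outside the hunks shown.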


@ -39,6 +39,9 @@ New Features added in 3.1.4
contain REJECT). This change is upward compatible so your existing maclist
file can still be used.
ACCEPT, DROP and REJECT may be optionally followed by a log level to cause the
packet to be logged.
2) Shorewall has always been very noisy (lots of messages). No more. The default
is now to be very quiet and you get more detail using the -v option (or -vv if
you want the old noisy behavior). The -q option is still supported but only