Add the TRACK_RULES option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
765b748283
commit
aabb22a50f
@ -287,6 +287,7 @@ our $VERSION = '4.5_18';
|
||||
# policy => <policy>
|
||||
# policychain => <name of policy chain> -- self-reference if this is a policy chain
|
||||
# policypair => [ <policy source>, <policy dest> ] -- Used for reporting duplicated policies
|
||||
# origin => <filename and line number of entry that created this policy chain>
|
||||
# loglevel => <level>
|
||||
# synparams => <burst/limit + connlimit>
|
||||
# synchain => <name of synparam chain>
|
||||
@ -322,7 +323,7 @@ our $VERSION = '4.5_18';
|
||||
#
|
||||
# Only 'referenced' chains get written to the iptables-restore input.
|
||||
#
|
||||
# 'loglevel', 'synparams', 'synchain', 'audit' and 'default' only apply to policy chains.
|
||||
# 'loglevel', 'synparams', 'synchain', 'audit', 'default' abd 'origin' only apply to policy chains.
|
||||
###########################################################################################################################################
|
||||
#
|
||||
# For each ordered pair of zones, there may exist a 'canonical rules chain' in the filter table; the name of this chain is formed by
|
||||
@ -1224,7 +1225,8 @@ sub push_rule( $$ ) {
|
||||
my $complete = 0;
|
||||
my $ruleref = transform_rule( $_[1], $complete );
|
||||
|
||||
$ruleref->{comment} = "$comment" if $comment;
|
||||
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
|
||||
|
||||
$ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
|
||||
|
||||
push @{$chainref->{rules}}, $ruleref;
|
||||
@ -1458,9 +1460,7 @@ sub create_irule( $$$;@ ) {
|
||||
$ruleref->{target} = '';
|
||||
}
|
||||
|
||||
if ( $comment ) {
|
||||
$ruleref->{comment} = $comment unless $ruleref->{comment};
|
||||
}
|
||||
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $ruleref->{comment} || $comment;
|
||||
|
||||
$iprangematch = 0;
|
||||
|
||||
@ -1616,7 +1616,8 @@ sub insert_rule1($$$)
|
||||
|
||||
my $ruleref = transform_rule( $rule );
|
||||
|
||||
$ruleref->{comment} = "$comment" if $comment;
|
||||
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
|
||||
|
||||
assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) , $chainref->{name} );
|
||||
$ruleref->{mode} = CAT_MODE;
|
||||
|
||||
@ -1656,9 +1657,8 @@ sub insert_irule( $$$$;@ ) {
|
||||
$chainref->{optflags} |= push_matches( $ruleref, @matches );
|
||||
}
|
||||
|
||||
if ( $comment ) {
|
||||
$ruleref->{comment} = $comment unless $ruleref->{comment};
|
||||
}
|
||||
|
||||
$ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
|
||||
|
||||
splice( @{$chainref->{rules}}, $number, 0, $ruleref );
|
||||
|
||||
@ -3027,8 +3027,8 @@ sub calculate_digest( $ ) {
|
||||
#
|
||||
# Replace jumps to the passed chain with jumps to the passed target
|
||||
#
|
||||
sub replace_references( $$$;$ ) {
|
||||
my ( $chainref, $target, $targetopts, $digest ) = @_;
|
||||
sub replace_references( $$$$;$ ) {
|
||||
my ( $chainref, $target, $targetopts, $comment, $digest ) = @_;
|
||||
my $tableref = $chain_table{$chainref->{table}};
|
||||
my $count = 0;
|
||||
my $name = $chainref->{name};
|
||||
@ -3045,6 +3045,7 @@ sub replace_references( $$$;$ ) {
|
||||
if ( $_->{target} eq $name ) {
|
||||
$_->{target} = $target;
|
||||
$_->{targetopts} = $targetopts if $targetopts;
|
||||
$_->{comment} = $comment unless $_->{comment};
|
||||
|
||||
if ( $targetref ) {
|
||||
add_reference ( $fromref, $targetref );
|
||||
@ -3291,7 +3292,10 @@ sub optimize_level4( $$ ) {
|
||||
#
|
||||
# Replace all references to this chain with references to the target
|
||||
#
|
||||
replace_references $chainref, $firstrule->{target}, $firstrule->{targetopts};
|
||||
replace_references( $chainref,
|
||||
$firstrule->{target},
|
||||
$firstrule->{targetopts},
|
||||
$firstrule->{comment} );
|
||||
$progress = 1;
|
||||
}
|
||||
} elsif ( $firstrule->{target} ) {
|
||||
@ -3511,7 +3515,7 @@ sub optimize_level8( $$$ ) {
|
||||
if ( $chainref->{digest} eq $chainref1->{digest} ) {
|
||||
progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
|
||||
$progress = 1;
|
||||
replace_references $chainref1, $chainref->{name}, undef, 1;
|
||||
replace_references $chainref1, $chainref->{name}, undef, '', 1;
|
||||
|
||||
unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
|
||||
#
|
||||
@ -7599,7 +7603,9 @@ sub add_interface_options( $ ) {
|
||||
} else {
|
||||
for my $interface ( @input_interfaces ) {
|
||||
$chain1ref = $input_chains{$interface};
|
||||
add_ijump ( $chainref , j => $chain1ref->{name}, @input_interfaces > 1 ? imatch_source_dev( $interface ) : () ) if @{$chain1ref->{rules}};
|
||||
add_ijump ( $chainref ,
|
||||
j => $chain1ref->{name},
|
||||
@input_interfaces > 1 ? imatch_source_dev( $interface ) : () )->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}};
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@ -7612,7 +7618,7 @@ sub add_interface_options( $ ) {
|
||||
} else {
|
||||
for my $interface ( @forward_interfaces ) {
|
||||
$chain1ref = $forward_chains{$interface};
|
||||
add_ijump ( $chainref , j => $chain1ref->{name}, @forward_interfaces > 1 ? imatch_source_dev( $interface ) : () ) if @{$chain1ref->{rules}};
|
||||
add_ijump ( $chainref , j => $chain1ref->{name}, @forward_interfaces > 1 ? imatch_source_dev( $interface ) : () )->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
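Review bot: In push_rule the new line `$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;` (and the equivalent lines in insert_rule1 and create_irule) gives the tracking marker precedence over `$comment`, so with TRACK_RULES=Yes a COMMENT the administrator wrote for a rule is replaced by the `@@@ file:line @@@` marker rather than supplemented by it, which is not what the shorewall.conf text in this commit ("add a comment") suggests; if that is intended, say so on the line, otherwise `$comment || shortlineinfo(...)` keeps the user's text. The assignment is also unconditional now, so rules with no comment get an empty or undef `comment` key where the old code left the key absent — harmless for truth tests, but any `exists` check downstream (not visible here) would see a difference. The prototype of replace_references gains a mandatory fourth argument; the two callers updated here are fine, but a caller outside this diff still passing the digest fourth would have it silently treated as the comment. push_rule, create_irule, insert_rule1 and replace_references all start or end outside their hunks.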
@ -48,6 +48,7 @@ our @EXPORT = qw(
|
||||
fatal_error
|
||||
assert
|
||||
currentlineinfo
|
||||
shortlineinfo
|
||||
clear_currentfilename
|
||||
validate_level
|
||||
|
||||
@ -213,7 +214,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
|
||||
Exporter::export_ok_tags('internal');
|
||||
|
||||
our $VERSION = 'MODULEVERSION';
|
||||
our $VERSION = '4.5.20-Beta1';
|
||||
|
||||
#
|
||||
# describe the current command, it's present progressive, and it's completion.
|
||||
@ -800,6 +801,7 @@ sub initialize( $;$$) {
|
||||
DEFER_DNS_RESOLUTION => undef,
|
||||
USE_RT_NAMES => undef,
|
||||
CHAIN_SCRIPTS => undef,
|
||||
TRACK_RULES => undef,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@ -1116,6 +1118,22 @@ sub currentlineinfo() {
|
||||
}
|
||||
}
|
||||
|
||||
sub shortlineinfo( $ ) {
|
||||
if ( $config{TRACK_RULES} ) {
|
||||
if ( $currentfile ) {
|
||||
my $comment = '@@@ '. join( ':', $currentfilename, $currentlinenumber ) . ' @@@';
|
||||
$comment = '@@@ ' . join( ':' , basename($currentfilename), $currentlinenumber) . ' @@@' if length $comment > 255;
|
||||
$comment = '@@@ Filename Too Long @@@' if length $comment > 255;
|
||||
$comment;
|
||||
} else {
|
||||
#
|
||||
# Alternate lineinfo may have been passed
|
||||
#
|
||||
$_[0] || ''
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub handle_first_entry();
|
||||
|
||||
#
|
||||
@ -5354,6 +5372,9 @@ sub get_configuration( $$$$ ) {
|
||||
default_yes_no 'MULTICAST' , '';
|
||||
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||
default_yes_no 'CHAIN_SCRIPTS' , 'Yes';
|
||||
default_yes_no 'TRACK_RULES' , '';
|
||||
|
||||
require_capability 'COMMENTS', 'TRACK_RULES=Yes', 's' if $config{TRACK_RULES};
|
||||
|
||||
default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
|
||||
default_yes_no 'USE_DEFAULT_RT' , '';
|
||||
|
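Review bot: shortlineinfo relies on an implicit return when `$config{TRACK_RULES}` is false: the sub's value is then the failed `if` condition, which is `''` only because default_yes_no appears to store 'No' as the empty string, and every caller then does `|| $comment` on it. Making that explicit with `return '' unless $config{TRACK_RULES};` as the first statement removes the dependence on how the option is stored. The marker embeds `$currentfilename`, i.e. the full path of the configuration file, into every rule comment, where `iptables -L` exposes it to anyone able to list the ruleset; a one-line comment stating that this is deliberate, and that 255 is presumably the comment match's length limit, would help the next reader. `basename` is called here but its import is not visible in the diff — confirm File::Basename is already in scope in this module.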
@ -832,7 +832,8 @@ sub add_common_rules ( $ ) {
|
||||
}
|
||||
|
||||
for $interface ( all_real_interfaces ) {
|
||||
ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
|
||||
ensure_chain( 'filter', $_ )->{origin} = interface_origin( $interface )
|
||||
for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
|
||||
|
||||
my $interfaceref = find_interface $interface;
|
||||
|
||||
@ -860,7 +861,7 @@ sub add_common_rules ( $ ) {
|
||||
|
||||
for ( option_chains( $interface ) ) {
|
||||
add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
|
||||
add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
|
||||
add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
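Review bot: `add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};` in add_common_rules reads as an accidental no-op unless the reader already knows that create_irule has just filled `comment` from shortlineinfo; a comment such as `# Blank the tracking comment: this rule is synthesized, not generated from a config entry` would make the intent clear. The line also assumes add_ijump always returns the rule hashref; if any path returns undef, the dereference autovivifies or dies under strict refs. The same construct is used in add_interface_options in Chains.pm. add_common_rules begins before the hunk.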
@ -383,6 +383,7 @@ sub set_policy_chain($$$$$$)
|
||||
|
||||
$chainref1->{policy} = $policy;
|
||||
$chainref1->{policypair} = [ $source, $dest ];
|
||||
$chainref1->{origin} = $chainref->{origin};
|
||||
}
|
||||
}
|
||||
|
||||
@ -573,6 +574,8 @@ sub process_a_policy() {
|
||||
my $chainref1 = $usedactions{$default};
|
||||
$chainref->{default} = $chainref1 ? $chainref1->{name} : $default;
|
||||
|
||||
$chainref->{origin} = shortlineinfo('');
|
||||
|
||||
if ( $clientwild ) {
|
||||
if ( $serverwild ) {
|
||||
for my $zone ( @zonelist ) {
|
||||
@ -880,11 +883,13 @@ sub complete_standard_chain ( $$$$ ) {
|
||||
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
|
||||
|
||||
if ( $policychainref ) {
|
||||
( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' }
|
||||
( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' };
|
||||
$stdchainref->{origin} = $policychainref->{origin};
|
||||
} elsif ( $defaultaction !~ /:/ ) {
|
||||
$defaultaction = join(":", $defaultaction, 'none', '', '' );
|
||||
}
|
||||
|
||||
|
||||
policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
|
||||
}
|
||||
|
||||
|
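Review bot: `$chainref->{origin} = shortlineinfo('');` in process_a_policy gives no hint why the policy chain, rather than a rule, carries an origin, and the empty fallback argument is easy to misread as a bug; a comment like `# Remember this policy entry's file:line so rules later generated for the policy chain can be attributed to it under TRACK_RULES` would settle both. In complete_standard_chain the origin is copied from `$policychainref` only in the `if` branch, so a standard chain that takes the `elsif` default-action path keeps whatever origin it already had, possibly none — likely acceptable, but worth a word on the line. set_policy_chain, process_a_policy and complete_standard_chain all extend beyond their hunks.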
@ -75,6 +75,7 @@ our @EXPORT = ( qw( NOTHING
|
||||
managed_interfaces
|
||||
unmanaged_interfaces
|
||||
interface_number
|
||||
interface_origin
|
||||
find_interface
|
||||
known_interface
|
||||
get_physical
|
||||
@ -1362,6 +1363,7 @@ sub process_interface( $$ ) {
|
||||
physical => $physical ,
|
||||
base => var_base( $physical ),
|
||||
zones => {},
|
||||
origin => shortlineinfo(''),
|
||||
};
|
||||
|
||||
if ( $zone ) {
|
||||
@ -1533,6 +1535,13 @@ sub interface_number( $ ) {
|
||||
$interfaces{$_[0]}{number} || 256;
|
||||
}
|
||||
|
||||
#
|
||||
# Return interface origin
|
||||
#
|
||||
sub interface_origin( $ ) {
|
||||
$interfaces{$_[0]}->{origin};
|
||||
}
|
||||
|
||||
#
|
||||
# Return the interfaces list
|
||||
#
|
||||
|
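Review bot: interface_origin dereferences `$interfaces{$_[0]}->{origin}` without checking that the entry exists, so a lookup for an unknown name autovivifies an empty `%interfaces` element as a side effect, which can make a later `exists` or known_interface check succeed for a name that was never configured (interface_number just above has the same pattern, so this may be accepted in this file). A two-line guard avoids it: `my $ifref = $interfaces{$_[0]}; return $ifref ? $ifref->{origin} : '';`. The `origin => shortlineinfo(''),` added in process_interface is what the callers in Chains.pm and Misc.pm attach to the interface chains; a short comment on that line saying so would save readers a search.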
@ -216,6 +216,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||
|
||||
TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=No
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
@ -227,6 +227,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||
|
||||
TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=No
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
@ -225,6 +225,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||
|
||||
TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=No
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
@ -228,6 +228,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||
|
||||
TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=No
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
@ -216,6 +216,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||
|
||||
TRACK_PROVIDERS=No
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=No
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
@ -478,7 +478,7 @@
|
||||
facility has the drawback that the compiler will attempt to run a
|
||||
non-script file just because it has the same name as a chain. To
|
||||
disable this facility, set CHAIN_SCRIPTS=No. If not specified or
|
||||
specified as the empty value, CHAIN_SCRIPTS=Yes is assumed. </para>
|
||||
specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1927,9 +1927,9 @@ LOG:info:,bar net fw</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>Rules with comments <empty>, "FOO" and "BAR"
|
||||
would result in the combined comment "Others and FOO, BAR".
|
||||
Note: Optimize level 16 requires "Extended Multi-port
|
||||
Match" in your iptables and kernel.</para>
|
||||
would result in the combined comment "Others and FOO,
|
||||
BAR". Note: Optimize level 16 requires "Extended
|
||||
Multi-port Match" in your iptables and kernel.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
@ -2525,6 +2525,24 @@ LOG:info:,bar net fw</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">TRACK_RULES=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.20. If set to <emphasis
|
||||
role="bold">Yes</emphasis>, causes the compiler to add a comment to
|
||||
iptables rules to indicate the file name and line number of the
|
||||
configuration entry that generated the rule. If set to <emphasis
|
||||
role="bold">No</emphasis> (the default), then no such comments are
|
||||
added.</para>
|
||||
|
||||
<para>Setting this option to <emphasis role="bold">Yes</emphasis>
|
||||
requires the <firstterm>Comments</firstterm> capability in iptables
|
||||
and kernel.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
|
||||
@ -2625,11 +2643,11 @@ LOG:info:,bar net fw</programlisting>
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.27. Normally, when Shorewall creates a
|
||||
Netfilter chain that relates to an interface, it uses the
|
||||
interface's logical name as the base of the chain name. For
|
||||
example, if the logical name for an interface is OAKLAND, then the
|
||||
input chain for traffic arriving on that interface would be
|
||||
'OAKLAND_in'. If this option is set to Yes, then the physical name
|
||||
of the interface will be used the base of the chain name.</para>
|
||||
interface's logical name as the base of the chain name. For example,
|
||||
if the logical name for an interface is OAKLAND, then the input
|
||||
chain for traffic arriving on that interface would be 'OAKLAND_in'.
|
||||
If this option is set to Yes, then the physical name of the
|
||||
interface will be used the base of the chain name.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -189,6 +189,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||
|
||||
TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=No
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
@ -189,6 +189,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||
|
||||
TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=No
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
@ -189,6 +189,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||
|
||||
TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=No
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
@ -189,6 +189,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||
|
||||
TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=No
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
@ -189,6 +189,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||
|
||||
TRACK_PROVIDERS=No
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=No
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
@ -1680,9 +1680,9 @@ LOG:info:,bar net fw</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>Rules with comments <empty>, "FOO" and "BAR"
|
||||
would result in the combined comment "Others and FOO, BAR".
|
||||
Note: Optimize level 16 requires "Extended Multi-port
|
||||
Match" in your iptables and kernel.</para>
|
||||
would result in the combined comment "Others and FOO,
|
||||
BAR". Note: Optimize level 16 requires "Extended
|
||||
Multi-port Match" in your iptables and kernel.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
@ -2185,6 +2185,24 @@ LOG:info:,bar net fw</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">TRACK_RULES=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.20. If set to <emphasis
|
||||
role="bold">Yes</emphasis>, causes the compiler to add a comment to
|
||||
iptables rules to indicate the file name and line number of the
|
||||
configuration entry that generated the rule. If set to <emphasis
|
||||
role="bold">No</emphasis> (the default), then no such comments are
|
||||
added.</para>
|
||||
|
||||
<para>Setting this option to <emphasis role="bold">Yes</emphasis>
|
||||
requires the <firstterm>Comments</firstterm> capability in ip6tables
|
||||
and kernel.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
|
||||
@ -2281,11 +2299,11 @@ LOG:info:,bar net fw</programlisting>
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.27. Normally, when Shorewall creates a
|
||||
Netfilter chain that relates to an interface, it uses the
|
||||
interface's logical name as the base of the chain name. For
|
||||
example, if the logical name for an interface is OAKLAND, then the
|
||||
input chain for traffic arriving on that interface would be
|
||||
'OAKLAND_in'. If this option is set to Yes, then the physical name
|
||||
of the interface will be used the base of the chain name.</para>
|
||||
interface's logical name as the base of the chain name. For example,
|
||||
if the logical name for an interface is OAKLAND, then the input
|
||||
chain for traffic arriving on that interface would be 'OAKLAND_in'.
|
||||
If this option is set to Yes, then the physical name of the
|
||||
interface will be used the base of the chain name.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|