Fixes for blacklist conversion
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
4f9afc32ec
commit
ab1b65d6a8
@ -55,6 +55,7 @@ our @EXPORT = qw(
|
||||
ensure_filter_chain
|
||||
ensure_manual_chain
|
||||
ensure_audit_chain
|
||||
ensure_blacklog_chain
|
||||
require_audit
|
||||
newlogchain
|
||||
log_rule_limit
|
||||
@ -2168,6 +2169,24 @@ sub ensure_manual_chain($) {
|
||||
$chainref;
|
||||
}
|
||||
|
||||
sub ensure_blacklog_chain( $$$$ ) {
|
||||
my ( $target, $disposition, $level, $audit ) = @_;
|
||||
|
||||
unless ( $filter_table->{blacklog} ) {
|
||||
my $logchainref = new_manual_chain 'blacklog';
|
||||
|
||||
$target =~ s/A_//;
|
||||
$target = 'reject' if $target eq 'REJECT';
|
||||
|
||||
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
||||
|
||||
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
||||
add_ijump( $logchainref, g => $target );
|
||||
}
|
||||
|
||||
'blacklog';
|
||||
}
|
||||
|
||||
#
|
||||
# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
|
||||
#
|
||||
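Review bot: The audit prefix is stripped with an unanchored substitution, `$target =~ s/A_//;`, so an 'A_' anywhere in the target name is removed rather than only the leading prefix that process_rules tests for with `/^A_/`; `$target =~ s/^A_//;` matches that intent. The chain is also populated only on the first call: because the body is guarded by `$filter_table->{blacklog}`, a later call with a different level, disposition or audit flag returns 'blacklog' without touching the existing chain. That behaviour deserves a header comment in the style of the one that follows the sub, e.g. `# Create and populate the 'blacklog' chain if it doesn't exist; only the first caller's arguments determine its contents. Return chain name`.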
@ -3512,7 +3531,7 @@ sub do_test ( $$ )
|
||||
my $invert = $testval =~ s/^!// ? '! ' : '';
|
||||
|
||||
if ( $config{ZONE_BITS} ) {
|
||||
$testval = join( '/', in_hex( find_zone( $testval )->{mark} ), in_hex( $globals{ZONE_MASK} ) ) unless $testval =~ /^\d/ || $testval =~ /:/;
|
||||
$testval = join( '/', in_hex( zone_mark( $testval ) ), in_hex( $globals{ZONE_MASK} ) ) unless $testval =~ /^\d/ || $testval =~ /:/;
|
||||
}
|
||||
|
||||
my $match = $testval =~ s/:C$// ? "-m connmark ${invert}--mark" : "-m mark ${invert}--mark";
|
||||
|
@ -220,17 +220,7 @@ sub setup_blacklist() {
|
||||
$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
|
||||
|
||||
if ( supplied $level ) {
|
||||
my $logchainref = new_standard_chain 'blacklog';
|
||||
|
||||
$target =~ s/A_//;
|
||||
$target = 'reject' if $target eq 'REJECT';
|
||||
|
||||
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
||||
|
||||
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
||||
add_ijump( $logchainref, g => $target );
|
||||
|
||||
$target = 'blacklog';
|
||||
$target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
|
||||
} elsif ( $audit ) {
|
||||
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
|
||||
$target = verify_audit( $disposition );
|
||||
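Review bot: The replacement call is written `ensure_blacklog_chain ( $target, $disposition, $level, $audit );` with a space before the argument list, while the other new call site in process_rules and this hunk's own `verify_audit( $disposition )` and `require_capability` calls do not use one; dropping the space keeps the two call sites consistent and is the file's prevailing form. Note that the helper copies its arguments into lexicals, so the caller's `$target` is only updated through this assignment, which is what the old inline code did by mutating it in place. The initial value of `$target` is set before the hunk and is not visible here.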
@ -405,16 +395,6 @@ sub convert_blacklist() {
|
||||
|
||||
if ( @$zones || @$zones1 ) {
|
||||
if ( supplied $level ) {
|
||||
my $logchainref = new_standard_chain 'blacklog';
|
||||
|
||||
$target =~ s/A_//;
|
||||
$target = 'reject' if $target eq 'REJECT';
|
||||
|
||||
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
||||
|
||||
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
||||
add_ijump( $logchainref, g => $target );
|
||||
|
||||
$target = 'blacklog';
|
||||
} elsif ( $audit ) {
|
||||
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
|
||||
@ -447,7 +427,7 @@ sub convert_blacklist() {
|
||||
|
||||
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
|
||||
|
||||
my $tgt = $whitelist ? 'RETURN' : $target;
|
||||
my $tgt = $whitelist ? 'WHITELIST' : $target;
|
||||
|
||||
if ( $auditone ) {
|
||||
fatal_error "'audit' not allowed in whitelist entries" if $whitelist;
|
||||
@ -520,11 +500,7 @@ EOF
|
||||
for ( @rules ) {
|
||||
my ( $srcdst, $tgt, $networks, $protocols, $ports ) = @$_;
|
||||
|
||||
if ( $level ) {
|
||||
$tgt .= ":$level\t";
|
||||
} else {
|
||||
$tgt .= "\t\t";
|
||||
}
|
||||
$tgt .= "\t\t";
|
||||
|
||||
my $list = $srcdst eq 'src' ? $zones : $zones1;
|
||||
|
||||
|
@ -2441,11 +2441,23 @@ sub process_rule ( ) {
|
||||
# Process the Rules File
|
||||
#
|
||||
sub process_rules() {
|
||||
|
||||
my $fn = open_file 'blrules';
|
||||
|
||||
if ( $fn ) {
|
||||
first_entry "$doing $fn...";
|
||||
first_entry( sub () {
|
||||
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
|
||||
my $audit = $disposition =~ /^A_/;
|
||||
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
|
||||
|
||||
progress_message2 "$doing $fn...";
|
||||
|
||||
if ( supplied $level ) {
|
||||
ensure_blacklog_chain( $target, $disposition, $level, $audit );
|
||||
} elsif ( $audit ) {
|
||||
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
|
||||
verify_audit( $disposition );
|
||||
}
|
||||
} );
|
||||
|
||||
$section = 'BLACKLIST';
|
||||
|
||||
|
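Review bot: `my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;` duplicates the REJECT-to-reject mapping that ensure_blacklog_chain already applies after stripping the 'A_' prefix, and within this hunk `$target` is only ever passed to that helper; an 'A_REJECT' disposition is handed over unchanged here and relies on the inner mapping. If `$target` is not used later in process_rules (the sub continues past the hunk), passing `$disposition` directly removes the redundant normalisation. The `elsif ( $audit )` branch discards the value of `verify_audit( $disposition )`, unlike setup_blacklist which assigns it; if only the validation side effect is wanted here, a short comment such as `# validation only; the chain target is not needed here` would make that explicit.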