From d15475efaed069e150cc861d179fda16f972de3e Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 20 May 2011 07:47:35 -0700 Subject: [PATCH] Cleanup of AUDIT before Beta 3 - Correct merge snafus - Rename the new actions (e.g., ADROP->A_DROP) - Correct MACLIST_DISPOSITION logic --- Shorewall-init/install.sh | 2 +- Shorewall-init/shorewall-init.spec | 4 ++- Shorewall-init/uninstall.sh | 2 +- Shorewall/Perl/Shorewall/Config.pm | 37 +++++++++++++----------- Shorewall/Perl/Shorewall/Rules.pm | 46 ++++++++++++++++-------------- Shorewall/actions.std | 6 ++-- Shorewall/lib.cli | 6 ++-- Shorewall/releasenotes.txt | 16 +++++------ Shorewall6/lib.cli | 6 ++-- manpages/shorewall-rules.xml | 11 +++++++ manpages6/shorewall6-rules.xml | 13 ++++++++- 11 files changed, 89 insertions(+), 60 deletions(-) diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh index b4d3bb498..263783c73 100755 --- a/Shorewall-init/install.sh +++ b/Shorewall-init/install.sh @@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.20-Beta2 +VERSION=4.4.20-Beta3 usage() # $1 = exit status { diff --git a/Shorewall-init/shorewall-init.spec b/Shorewall-init/shorewall-init.spec index 680a2a827..00589fa18 100644 --- a/Shorewall-init/shorewall-init.spec +++ b/Shorewall-init/shorewall-init.spec @@ -1,6 +1,6 @@ %define name shorewall-init %define version 4.4.20 -%define release 0Beta2 +%define release 0Beta3 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -120,6 +120,8 @@ fi %changelog * Wed May 18 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.20-0Beta3 +* Wed May 18 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.20-0Beta2 * Sat Apr 16 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.19-1 diff --git a/Shorewall-init/uninstall.sh b/Shorewall-init/uninstall.sh index 70ebafd26..39373e60e 100755 --- a/Shorewall-init/uninstall.sh +++ b/Shorewall-init/uninstall.sh 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.20-Beta2 +VERSION=4.4.20-Beta3 usage() # $1 = exit status { diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 8c684990c..34e18def6 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -264,6 +264,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT', MARK_ANYWHERE => 'Mark in any table', HEADER_MATCH => 'Header Match', ACCOUNT_TARGET => 'ACCOUNT Target', + AUDIT_TARGET => 'AUDIT Target', CAPVERSION => 'Capability Version', KERNELVERSION => 'Kernel Version', ); @@ -418,7 +419,7 @@ sub initialize( $ ) { EXPORT => 0, STATEMATCH => '-m state --state', UNTRACKED => 0, - VERSION => "4.4.20-Beta2", + VERSION => "4.4.20-Beta3", CAPVERSION => 40417 , ); # @@ -624,7 +625,8 @@ sub initialize( $ ) { FWMARK_RT_MASK => undef, MARK_ANYWHERE => undef, HEADER_MATCH => undef, - ACCOUNT_TARGET => undef, + ACCOUNT_TARGET => undef, + AUDIT_TARGET => undef, CAPVERSION => undef, KERNELVERSION => undef, ); @@ -2712,6 +2714,7 @@ sub determine_capabilities() { $capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' ); $capabilities{MARK_ANYWHERE} = detect_capability( 'MARK_ANYWHERE' ); $capabilities{ACCOUNT_TARGET} = detect_capability( 'ACCOUNT_TARGET' ); + $capabilities{AUDIT_TARGET} = detect_capability( 'AUDIT_TARGET' ); qt1( "$iptables -F $sillyname" ); 
@@ -3342,8 +3345,8 @@ sub get_configuration( $ ) { default 'BLACKLIST_DISPOSITION' , 'DROP'; - unless ( $config{BLACKLIST_DISPOSITION} =~ /^A?DROP$/ || $config{BLACKLIST_DISPOSITION} =~ /^A?REJECT/ ) { - fatal_error q(BLACKLIST_DISPOSITION must be 'DROP', 'ADROP', 'REJECT' or 'AREJECT'); + unless ( $config{BLACKLIST_DISPOSITION} =~ /^(?:A_)?DROP$/ || $config{BLACKLIST_DISPOSITION} =~ /^(?:A_)?REJECT/ ) { + fatal_error q(BLACKLIST_DISPOSITION must be 'DROP', 'A_DROP', 'REJECT' or 'A_REJECT'); } default_log_level 'BLACKLIST_LOGLEVEL', ''; @@ -3356,25 +3359,25 @@ sub get_configuration( $ ) { default_log_level 'SMURF_LOG_LEVEL', ''; default_log_level 'LOGALLNEW', ''; - $globals{MACLIST_TARGET} = 'reject'; - if ( $val = $config{MACLIST_DISPOSITION} ) { - unless ( $val =~ /^A?REJECT$/ ) { - if ( $val =~ /^A?DROP/ ) { - $globals{MACLIST_TARGET} = $val; - } elsif ( $val eq 'ACCEPT' ) { - $globals{MACLIST_TARGET} = 'RETURN'; - } else { - fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION" - } + if ( $val =~ /^((?:A_)?(?:DROP))$/ ) { + $globals{MACLIST_TARGET} = $1; + } elsif ( $val eq 'REJECT' ) { + $globals{MACLIST_TARGET} = 'reject'; + } elsif ( $val eq 'A_REJECT' ) { + $globals{MACLIST_TARGET} = $val; + } elsif ( $val eq 'ACCEPT' ) { + $globals{MACLIST_TARGET} = 'RETURN'; + } else { + fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION" } } else { - $config{MACLIST_DISPOSITION} = 'REJECT'; + $config{MACLIST_DISPOSITION} = 'reject'; } if ( $val = $config{MACLIST_TABLE} ) { if ( $val eq 'mangle' ) { - fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^(A?REJECT)$/; + fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/; } else { fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter'; } 
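Review bot: The second alternative of the BLACKLIST_DISPOSITION check is still unanchored at the end: `/^(?:A_)?REJECT/` accepts any value that merely starts with REJECT or A_REJECT, so a mistyped setting passes validation here and is only discovered wherever the target is emitted. Anchoring it like the DROP branch, `$config{BLACKLIST_DISPOSITION} =~ /^(?:A_)?REJECT$/`, makes the check agree with the four values the error message promises. get_configuration continues outside the hunk.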
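Review bot: When MACLIST_DISPOSITION is not set, the new `else` branch stores the lowercase `'reject'` in `$config{MACLIST_DISPOSITION}` and nothing in this block assigns `$globals{MACLIST_TARGET}` any more — the removed unconditional `$globals{MACLIST_TARGET} = 'reject';` was its only default here, and the lowercase value also no longer matches the MACLIST_TABLE=mangle check a few lines down, so the default disposition now passes with the mangle table (unless the target is initialised elsewhere, which the hunk does not show). Restoring `$config{MACLIST_DISPOSITION} = 'REJECT'; $globals{MACLIST_TARGET} = 'reject';` in that branch keeps the config value in its documented form and the target defined. That mangle check also still spells the audited value the old way, `/^((?:A)?REJECT)$/` matches AREJECT but not the renamed A_REJECT, and its message is single-quoted so `$1` is printed literally; `fatal_error "MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle" if $config{MACLIST_DISPOSITION} =~ /^((?:A_)?REJECT)$/;` fixes both. As collapsed here the `if ( $val = $config{MACLIST_DISPOSITION} ) {` guard shows only on the removed side with no replacement; if the applied file really lost it, the chain no longer balances the surviving `} else {`, which is worth checking. get_configuration continues outside the hunk.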
@@ -3383,7 +3386,7 @@ sub get_configuration( $ ) { } if ( $val = $config{TCP_FLAGS_DISPOSITION} ) { - fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(A?REJECT|A?ACCEPT|A?DROP)$/; + fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:A_)?(REJECT|ACCEPT|DROP)$/; } else { $config{TCP_FLAGS_DISPOSITION} = 'DROP'; } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 7c4a544cb..f8d4dcc58 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -97,9 +97,9 @@ my %usedactions; # # Enumerate the AUDIT builtins # -my %auditactions = ( AACCEPT => 1, - ADROP => 1, - AREJECT => 1 +my %auditactions = ( A_ACCEPT => 1, + A_DROP => 1, + A_REJECT => 1 ); # @@ -176,9 +176,9 @@ sub initialize( $ ) { %usedactions = (); if ( $family == F_IPV4 ) { - @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AACCEPT ADROP AREJECT/; + @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit A_ACCEPT A_DROP A_REJECT/; } else { - @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AACCEPT ADROP AREJECT/; + @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid A_ACCEPT A_DROP A_REJECT/; } } @@ -341,7 +341,9 @@ sub process_a_policy() { fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy}; - fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy}; + if ( $audit ) { + fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy}; + } if ( $default ) { if ( "\L$default" eq 'none' ) { 
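Review bot: The new TCP_FLAGS_DISPOSITION pattern `/^(?:A_)?(REJECT|ACCEPT|DROP)$/` accepts `A_ACCEPT`, while the release notes in this same commit list only A_DROP and A_REJECT as the audited values for this option; either the notes should mention A_ACCEPT or the pattern should be `/^(?:A_(?:REJECT|DROP)|REJECT|ACCEPT|DROP)$/` so the validator and the documentation agree. The inner group also captures, but nothing in the hunk reads `$1` afterwards — if the capture is unused, `(?:...)` says so. get_configuration continues outside the hunk.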
@@ -466,10 +468,10 @@ sub process_policies() ACCEPT => undef, REJECT => undef, DROP => undef, - AACCEPT => undef, - AREJECT => undef, - ADROP => undef, - ACONTINUE => undef, + A_ACCEPT => undef, + A_DROP => undef, + A_REJECT => undef, + CONTINUE => undef, QUEUE => undef, NFQUEUE => undef, NONE => undef @@ -1308,32 +1310,32 @@ sub Limit( $$$$ ) { add_rule $chainref, '-j ACCEPT'; } -sub AACCEPT ( $$$ ) { +sub A_ACCEPT ( $$$ ) { my ($chainref, $level, $tag) = @_; - require_capability 'AUDIT_TARGET' , 'AACCEPT rules', ''; + require_capability 'AUDIT_TARGET' , 'A_ACCEPT rules', ''; - log_rule_limit $level, $chainref, 'AACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne ''; + log_rule_limit $level, $chainref, 'A_ACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne ''; add_rule $chainref , '-j AUDIT --type accept'; add_rule $chainref , '-j ACCEPT'; } -sub ADROP ( $$$ ) { +sub A_DROP ( $$$ ) { my ($chainref, $level, $tag) = @_; - require_capability 'AUDIT_TARGET' , 'ADROP rules', ''; + require_capability 'AUDIT_TARGET' , 'A_DROP rules', ''; - log_rule_limit $level, $chainref, 'ADROP' , 'DROP', '', $tag, 'add', '' if $level ne ''; + log_rule_limit $level, $chainref, 'A_DROP' , 'DROP', '', $tag, 'add', '' if $level ne ''; add_rule $chainref , '-j AUDIT --type drop'; add_rule $chainref , '-j DROP'; } -sub AREJECT ( $$$ ) { +sub A_REJECT ( $$$ ) { my ($chainref, $level, $tag) = @_; - require_capability 'AUDIT_TARGET' , 'AREJECT rules', ''; + require_capability 'AUDIT_TARGET' , 'A_REJECT rules', ''; - log_rule_limit $level, $chainref, 'AREJECT' , 'REJECT', '', $tag, 'add', '' if $level ne ''; + log_rule_limit $level, $chainref, 'A_REJECT' , 'REJECT', '', $tag, 'add', '' if $level ne ''; add_rule $chainref , '-j AUDIT --type reject'; add_rule $chainref , '-j reject'; } 
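Review bot: A_ACCEPT, A_DROP and A_REJECT are three copies of the same five statements, differing only in the action name, the logged disposition, the `--type` argument and the final target, which is why the rename had to be applied in six places inside this hunk and will be again next time. Folding them into one private helper that takes those four strings keeps each builtin to a one-line wrapper and emits byte-identical rules. The helper should carry no `$`-prototype, since it is called with `@_` and a prototype would force scalar context on that list; the prototypes on the public A_* subs stay as they are because %builtinops takes references to them.
```perl
# Shared body of the A_* builtins: optional logging, then the AUDIT
# target of the given type, then the final target.
sub _audit_builtin {
    my ( $chainref, $level, $tag, $name, $disposition, $type, $target ) = @_;

    require_capability 'AUDIT_TARGET' , "$name rules", '';

    log_rule_limit $level, $chainref, $name , $disposition, '', $tag, 'add', '' if $level ne '';

    add_rule $chainref , "-j AUDIT --type $type";
    add_rule $chainref , "-j $target";
}

sub A_ACCEPT ( $$$ ) { _audit_builtin( @_, 'A_ACCEPT', 'ACCEPT', 'accept', 'ACCEPT' ); }

sub A_DROP ( $$$ ) { _audit_builtin( @_, 'A_DROP', 'DROP', 'drop', 'DROP' ); }

sub A_REJECT ( $$$ ) { _audit_builtin( @_, 'A_REJECT', 'REJECT', 'reject', 'reject' ); }
```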
@@ -1347,9 +1349,9 @@ my %builtinops = ( 'dropBcast' => \&dropBcast, 'allowinUPnP' => \&allowinUPnP, 'forwardUPnP' => \&forwardUPnP, 'Limit' => \&Limit, - 'AACCEPT' => \&AACCEPT, - 'ADROP' => \&ADROP, - 'AREJECT' => \&AREJECT + 'A_ACCEPT' => \&A_ACCEPT, + 'A_DROP' => \&A_DROP, + 'A_REJECT' => \&A_REJECT ); # diff --git a/Shorewall/actions.std b/Shorewall/actions.std index f2e337ea9..1862fa87b 100644 --- a/Shorewall/actions.std +++ b/Shorewall/actions.std @@ -8,9 +8,9 @@ # # Builtin Actions are: # -# AACCEPT # Audits then accepts a connection request -# ADROP # Audits then drops a connection request -# AREJECT # Audits then drops a connection request +# A_ACCEPT # Audits then accepts a connection request +# A_DROP # Audits then drops a connection request +# A_REJECT # Audits then drops a connection request # allowBcast # Silently Allow Broadcast/multicast # dropBcast # Silently Drop Broadcast/multicast # dropNotSyn # Silently Drop Non-syn TCP packets diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index 78f41376a..975090a45 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -739,9 +739,9 @@ show_command() { case $1 in actions) [ $# -gt 1 ] && usage 1 - echo "AACCEPT # Audit and accept the connection" - echo "ADROP # Audit and drop the connection" - echo "AREJECT # Audit and reject the connection " + echo "A_ACCEPT # Audit and accept the connection" + echo "A_DROP # Audit and drop the connection" + echo "A_REJECT # Audit and reject the connection " echo "allowBcast # Silently Allow Broadcast/multicast" echo "allowInvalid # Accept packets that are in the INVALID conntrack state." echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index cbc832c45..b1d25acaf 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
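Review bot: The comment for A_REJECT in actions.std still says the action drops the request; `# A_REJECT # Audits then rejects a connection request` is what the builtin does (Rules.pm emits `-j AUDIT --type reject` followed by `-j reject`), and the `show actions` text in lib.cli already says "reject". The wording carried over unchanged from the old AREJECT line, so the rename was the moment to correct it.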
@@ -93,25 +93,25 @@ All bug fixes from 4.4.19.1 - 4.4.19.4. c) Three new builtin actions that may be used in the rules file, in macros and in other actions. - AACCEPT - Audits and accepts the connection request - ADROP - Audits and drops the connection request - AREJECT - Audits and rejects + A_ACCEPT - Audits and accepts the connection request + A_DROP - Audits and drops the connection request + A_REJECT - Audits and rejects A log level may be supplied with these actions to provide both auditing and logging. Example: - AACCEPT:info loc net ... + A_ACCEPT:info loc net ... d) The BLACKLIST_DISPOSITION, MACLIST_DISPOSITION and TCP_FLAGS_DISPOSITION options may be set as follows: - BLACKLIST_DISPOSITION ADROP or AREJECT - MACLIST_DISPOSITION ADROP - AREJECT, unless + BLACKLIST_DISPOSITION A_DROP or A_REJECT + MACLIST_DISPOSITION A_DROP + A_REJECT, unless MACLIST_TABLE=mangle - TCP_FLAGS_DISPOSITION ADROP or AREJECT + TCP_FLAGS_DISPOSITION A_DROP or A_REJECT ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli index bc2f510a6..1f28a80ba 100644 --- a/Shorewall6/lib.cli +++ b/Shorewall6/lib.cli @@ -630,9 +630,9 @@ show_command() { case $1 in actions) [ $# -gt 1 ] && usage 1 - echo "AACCEPT # Audit and accept the connection" - echo "ADROP # Audit and drop the connection" - echo "AREJECT # Audit and reject the connection " + echo "A_ACCEPT # Audit and accept the connection" + echo "A_DROP # Audit and drop the connection" + echo "A_REJECT # Audit and reject the connection " echo "allowBcast # Accept Multicast and Anycast Packets" echo "dropBcast # Silently Drop Multicast and Anycast Packets" echo "allowInvalid # Accept packets that are in the INVALID conntrack state." diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index d246e4d0d..89323de82 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml 
@@ -322,6 +322,17 @@ + + NFLOG[(nflog-parameters)] + + + queues matching packets to a backend logging daemon via + a netlink socket then continues to the next rule. See http://www.shorewall.net/shorewall_logging.html. + + + NFQUEUE[(queuenumber)] diff --git a/manpages6/shorewall6-rules.xml b/manpages6/shorewall6-rules.xml index d6d34be01..8682588d5 100644 --- a/manpages6/shorewall6-rules.xml +++ b/manpages6/shorewall6-rules.xml @@ -244,7 +244,18 @@ - NFQUEUE + NFLOG[(nflog-parameters)] + + + queues matching packets to a backend logging daemon via + a netlink socket then continues to the next rule. See http://www.shorewall.net/shorewall_logging.html. + + + + + NFQUEUE Queues the packet to a user-space application using the