Cleanup of AUDIT before Beta 3

- Correct merge snafus
- Rename the new actions (e.g., ADROP->A_DROP)
- Correct MACLIST_DISPOSITION logic
Tom Eastep 2011-05-20 07:47:35 -07:00
parent e9df13a42b
commit d15475efae
11 changed files with 89 additions and 60 deletions


@ -23,7 +23,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.20-Beta2 VERSION=4.4.20-Beta3
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,6 +1,6 @@
%define name shorewall-init %define name shorewall-init
%define version 4.4.20 %define version 4.4.20
%define release 0Beta2 %define release 0Beta3
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name} Name: %{name}
@ -120,6 +120,8 @@ fi
%changelog %changelog
* Wed May 18 2011 Tom Eastep tom@shorewall.net * Wed May 18 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0Beta3
* Wed May 18 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0Beta2 - Updated to 4.4.20-0Beta2
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net * Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1 - Updated to 4.4.19-1


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.20-Beta2 VERSION=4.4.20-Beta3
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -264,6 +264,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
MARK_ANYWHERE => 'Mark in any table', MARK_ANYWHERE => 'Mark in any table',
HEADER_MATCH => 'Header Match', HEADER_MATCH => 'Header Match',
ACCOUNT_TARGET => 'ACCOUNT Target', ACCOUNT_TARGET => 'ACCOUNT Target',
AUDIT_TARGET => 'AUDIT Target',
CAPVERSION => 'Capability Version', CAPVERSION => 'Capability Version',
KERNELVERSION => 'Kernel Version', KERNELVERSION => 'Kernel Version',
); );
@ -418,7 +419,7 @@ sub initialize( $ ) {
EXPORT => 0, EXPORT => 0,
STATEMATCH => '-m state --state', STATEMATCH => '-m state --state',
UNTRACKED => 0, UNTRACKED => 0,
VERSION => "4.4.20-Beta2", VERSION => "4.4.20-Beta3",
CAPVERSION => 40417 , CAPVERSION => 40417 ,
); );
# #
@ -625,6 +626,7 @@ sub initialize( $ ) {
MARK_ANYWHERE => undef, MARK_ANYWHERE => undef,
HEADER_MATCH => undef, HEADER_MATCH => undef,
ACCOUNT_TARGET => undef, ACCOUNT_TARGET => undef,
AUDIT_TARGET => undef,
CAPVERSION => undef, CAPVERSION => undef,
KERNELVERSION => undef, KERNELVERSION => undef,
); );
@ -2712,6 +2714,7 @@ sub determine_capabilities() {
$capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' ); $capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' );
$capabilities{MARK_ANYWHERE} = detect_capability( 'MARK_ANYWHERE' ); $capabilities{MARK_ANYWHERE} = detect_capability( 'MARK_ANYWHERE' );
$capabilities{ACCOUNT_TARGET} = detect_capability( 'ACCOUNT_TARGET' ); $capabilities{ACCOUNT_TARGET} = detect_capability( 'ACCOUNT_TARGET' );
$capabilities{AUDIT_TARGET} = detect_capability( 'AUDIT_TARGET' );
qt1( "$iptables -F $sillyname" ); qt1( "$iptables -F $sillyname" );
@ -3342,8 +3345,8 @@ sub get_configuration( $ ) {
default 'BLACKLIST_DISPOSITION' , 'DROP'; default 'BLACKLIST_DISPOSITION' , 'DROP';
unless ( $config{BLACKLIST_DISPOSITION} =~ /^A?DROP$/ || $config{BLACKLIST_DISPOSITION} =~ /^A?REJECT/ ) { unless ( $config{BLACKLIST_DISPOSITION} =~ /^(?:A_)?DROP$/ || $config{BLACKLIST_DISPOSITION} =~ /^(?:A_)?REJECT/ ) {
fatal_error q(BLACKLIST_DISPOSITION must be 'DROP', 'ADROP', 'REJECT' or 'AREJECT'); fatal_error q(BLACKLIST_DISPOSITION must be 'DROP', 'A_DROP', 'REJECT' or 'A_REJECT');
} }
default_log_level 'BLACKLIST_LOGLEVEL', ''; default_log_level 'BLACKLIST_LOGLEVEL', '';
@ -3356,25 +3359,25 @@ sub get_configuration( $ ) {
default_log_level 'SMURF_LOG_LEVEL', ''; default_log_level 'SMURF_LOG_LEVEL', '';
default_log_level 'LOGALLNEW', ''; default_log_level 'LOGALLNEW', '';
$globals{MACLIST_TARGET} = 'reject';
if ( $val = $config{MACLIST_DISPOSITION} ) { if ( $val = $config{MACLIST_DISPOSITION} ) {
unless ( $val =~ /^A?REJECT$/ ) { if ( $val =~ /^((?:A_)?(?:DROP))$/ ) {
if ( $val =~ /^A?DROP/ ) { $globals{MACLIST_TARGET} = $1;
} elsif ( $val eq 'REJECT' ) {
$globals{MACLIST_TARGET} = 'reject';
} elsif ( $val eq 'A_REJECT' ) {
$globals{MACLIST_TARGET} = $val; $globals{MACLIST_TARGET} = $val;
} elsif ( $val eq 'ACCEPT' ) { } elsif ( $val eq 'ACCEPT' ) {
$globals{MACLIST_TARGET} = 'RETURN'; $globals{MACLIST_TARGET} = 'RETURN';
} else { } else {
fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION" fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
} }
}
} else { } else {
$config{MACLIST_DISPOSITION} = 'REJECT'; $config{MACLIST_DISPOSITION} = 'reject';
} }
if ( $val = $config{MACLIST_TABLE} ) { if ( $val = $config{MACLIST_TABLE} ) {
if ( $val eq 'mangle' ) { if ( $val eq 'mangle' ) {
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^(A?REJECT)$/; fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
} else { } else {
fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter'; fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter';
} }
@ -3383,7 +3386,7 @@ sub get_configuration( $ ) {
} }
if ( $val = $config{TCP_FLAGS_DISPOSITION} ) { if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(A?REJECT|A?ACCEPT|A?DROP)$/; fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:A_)?(REJECT|ACCEPT|DROP)$/;
} else { } else {
$config{TCP_FLAGS_DISPOSITION} = 'DROP'; $config{TCP_FLAGS_DISPOSITION} = 'DROP';
} }
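Review bot: The MACLIST_TABLE=mangle guard on the new side still spells the audited value the old way: `/^((?:A)?REJECT)$/` matches REJECT and AREJECT but not the renamed A_REJECT, so an audited reject combined with the mangle table now slips past the fatal_error; it should be `/^((?:A_)?REJECT)$/`, the same form the BLACKLIST_DISPOSITION check in the earlier hunk uses. That fatal_error message is single-quoted, so `$1` is printed literally instead of the offending value; it needs double quotes to interpolate. The defaulting branch now stores the lowercase `'reject'` in $config{MACLIST_DISPOSITION} where Beta2 stored 'REJECT'; since the mangle check is case-sensitive and every documented value is uppercase, this looks like the jump target was confused with the option value and `$config{MACLIST_DISPOSITION} = 'REJECT';` was intended. The BLACKLIST_DISPOSITION check in the earlier hunk still has no `$` anchor on its REJECT alternative, so a value such as REJECTX is accepted. get_configuration continues outside this hunk.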


@ -97,9 +97,9 @@ my %usedactions;
# #
# Enumerate the AUDIT builtins # Enumerate the AUDIT builtins
# #
my %auditactions = ( AACCEPT => 1, my %auditactions = ( A_ACCEPT => 1,
ADROP => 1, A_DROP => 1,
AREJECT => 1 A_REJECT => 1
); );
# #
@ -176,9 +176,9 @@ sub initialize( $ ) {
%usedactions = (); %usedactions = ();
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AACCEPT ADROP AREJECT/; @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit A_ACCEPT A_DROP A_REJECT/;
} else { } else {
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AACCEPT ADROP AREJECT/; @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid A_ACCEPT A_DROP A_REJECT/;
} }
} }
@ -341,7 +341,9 @@ sub process_a_policy() {
fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy}; fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
if ( $audit ) {
fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy}; fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
}
if ( $default ) { if ( $default ) {
if ( "\L$default" eq 'none' ) { if ( "\L$default" eq 'none' ) {
@ -466,10 +468,10 @@ sub process_policies()
ACCEPT => undef, ACCEPT => undef,
REJECT => undef, REJECT => undef,
DROP => undef, DROP => undef,
AACCEPT => undef, A_ACCEPT => undef,
AREJECT => undef, A_DROP => undef,
ADROP => undef, A_REJECT => undef,
ACONTINUE => undef, CONTINUE => undef,
QUEUE => undef, QUEUE => undef,
NFQUEUE => undef, NFQUEUE => undef,
NONE => undef NONE => undef
@ -1308,32 +1310,32 @@ sub Limit( $$$$ ) {
add_rule $chainref, '-j ACCEPT'; add_rule $chainref, '-j ACCEPT';
} }
sub AACCEPT ( $$$ ) { sub A_ACCEPT ( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'AACCEPT rules', ''; require_capability 'AUDIT_TARGET' , 'A_ACCEPT rules', '';
log_rule_limit $level, $chainref, 'AACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne ''; log_rule_limit $level, $chainref, 'A_ACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type accept'; add_rule $chainref , '-j AUDIT --type accept';
add_rule $chainref , '-j ACCEPT'; add_rule $chainref , '-j ACCEPT';
} }
sub ADROP ( $$$ ) { sub A_DROP ( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'ADROP rules', ''; require_capability 'AUDIT_TARGET' , 'A_DROP rules', '';
log_rule_limit $level, $chainref, 'ADROP' , 'DROP', '', $tag, 'add', '' if $level ne ''; log_rule_limit $level, $chainref, 'A_DROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type drop'; add_rule $chainref , '-j AUDIT --type drop';
add_rule $chainref , '-j DROP'; add_rule $chainref , '-j DROP';
} }
sub AREJECT ( $$$ ) { sub A_REJECT ( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'AREJECT rules', ''; require_capability 'AUDIT_TARGET' , 'A_REJECT rules', '';
log_rule_limit $level, $chainref, 'AREJECT' , 'REJECT', '', $tag, 'add', '' if $level ne ''; log_rule_limit $level, $chainref, 'A_REJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type reject'; add_rule $chainref , '-j AUDIT --type reject';
add_rule $chainref , '-j reject'; add_rule $chainref , '-j reject';
} }
@ -1347,9 +1349,9 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
'allowinUPnP' => \&allowinUPnP, 'allowinUPnP' => \&allowinUPnP,
'forwardUPnP' => \&forwardUPnP, 'forwardUPnP' => \&forwardUPnP,
'Limit' => \&Limit, 'Limit' => \&Limit,
'AACCEPT' => \&AACCEPT, 'A_ACCEPT' => \&A_ACCEPT,
'ADROP' => \&ADROP, 'A_DROP' => \&A_DROP,
'AREJECT' => \&AREJECT 'A_REJECT' => \&A_REJECT
); );
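Review bot: A_ACCEPT, A_DROP and A_REJECT are the same six-line body three times, differing only in the name reported to require_capability and log_rule_limit, the AUDIT `--type` value and the final jump target; a private helper taking those three keeps the trio in step as the A→A_ rename showed they drift easily. The helper must not carry a `$$$`-style prototype, otherwise the `@_` passed through from the wrappers is forced into scalar context. I am assuming the lowercase `-j reject` in A_REJECT (unlike `-j ACCEPT`/`-j DROP`) targets a Shorewall-managed chain rather than the iptables REJECT target; that deserves a one-line comment either way. The audit check added in process_a_policy relies on %auditpolicies, which is declared outside this hunk.
```perl
# Shared body of the audited builtins: an AUDIT rule followed by the
# final target.  Deliberately no prototype, so the wrappers' @_ is
# passed through as a list instead of being forced to scalar context.
sub _audit_action {
    my ( $name, $type, $target, $chainref, $level, $tag ) = @_;
    require_capability 'AUDIT_TARGET' , "$name rules", '';
    log_rule_limit $level, $chainref, $name , uc $type, '', $tag, 'add', '' if $level ne '';
    add_rule $chainref , "-j AUDIT --type $type";
    add_rule $chainref , "-j $target";
}

sub A_ACCEPT ( $$$ ) { _audit_action( 'A_ACCEPT', 'accept', 'ACCEPT', @_ ); }
sub A_DROP   ( $$$ ) { _audit_action( 'A_DROP',   'drop',   'DROP',   @_ ); }
# 'reject' here is the lowercase chain name used by the original, not the REJECT target -- confirm
sub A_REJECT ( $$$ ) { _audit_action( 'A_REJECT', 'reject', 'reject', @_ ); }
```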
# #


@ -8,9 +8,9 @@
# #
# Builtin Actions are: # Builtin Actions are:
# #
# AACCEPT # Audits then accepts a connection request # A_ACCEPT # Audits then accepts a connection request
# ADROP # Audits then drops a connection request # A_DROP # Audits then drops a connection request
# AREJECT # Audits then drops a connection request # A_REJECT # Audits then drops a connection request
# allowBcast # Silently Allow Broadcast/multicast # allowBcast # Silently Allow Broadcast/multicast
# dropBcast # Silently Drop Broadcast/multicast # dropBcast # Silently Drop Broadcast/multicast
# dropNotSyn # Silently Drop Non-syn TCP packets # dropNotSyn # Silently Drop Non-syn TCP packets
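Review bot: The new A_REJECT header line still describes the action as "Audits then drops a connection request", copied from the A_DROP line above it; it should read `# A_REJECT # Audits then rejects a connection request`, matching the "Audits and rejects" wording in the release notes hunk below.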


@ -739,9 +739,9 @@ show_command() {
case $1 in case $1 in
actions) actions)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "AACCEPT # Audit and accept the connection" echo "A_ACCEPT # Audit and accept the connection"
echo "ADROP # Audit and drop the connection" echo "A_DROP # Audit and drop the connection"
echo "AREJECT # Audit and reject the connection " echo "A_REJECT # Audit and reject the connection "
echo "allowBcast # Silently Allow Broadcast/multicast" echo "allowBcast # Silently Allow Broadcast/multicast"
echo "allowInvalid # Accept packets that are in the INVALID conntrack state." echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
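Review bot: The renamed A_REJECT entry keeps a trailing space inside its quoted string, `echo "A_REJECT # Audit and reject the connection "`, which none of the neighbouring entries have; drop it here and in the matching `show_command` hunk of the second script further down the page. show_command starts before this hunk.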


@ -93,25 +93,25 @@ All bug fixes from 4.4.19.1 - 4.4.19.4.
c) Three new builtin actions that may be used in the rules file, c) Three new builtin actions that may be used in the rules file,
in macros and in other actions. in macros and in other actions.
AACCEPT - Audits and accepts the connection request A_ACCEPT - Audits and accepts the connection request
ADROP - Audits and drops the connection request A_DROP - Audits and drops the connection request
AREJECT - Audits and rejects A_REJECT - Audits and rejects
A log level may be supplied with these actions to A log level may be supplied with these actions to
provide both auditing and logging. provide both auditing and logging.
Example: Example:
AACCEPT:info loc net ... A_ACCEPT:info loc net ...
d) The BLACKLIST_DISPOSITION, MACLIST_DISPOSITION and d) The BLACKLIST_DISPOSITION, MACLIST_DISPOSITION and
TCP_FLAGS_DISPOSITION options may be set as follows: TCP_FLAGS_DISPOSITION options may be set as follows:
BLACKLIST_DISPOSITION ADROP or AREJECT BLACKLIST_DISPOSITION A_DROP or A_REJECT
MACLIST_DISPOSITION ADROP MACLIST_DISPOSITION A_DROP
AREJECT, unless A_REJECT, unless
MACLIST_TABLE=mangle MACLIST_TABLE=mangle
TCP_FLAGS_DISPOSITION ADROP or AREJECT TCP_FLAGS_DISPOSITION A_DROP or A_REJECT
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S


@ -630,9 +630,9 @@ show_command() {
case $1 in case $1 in
actions) actions)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "AACCEPT # Audit and accept the connection" echo "A_ACCEPT # Audit and accept the connection"
echo "ADROP # Audit and drop the connection" echo "A_DROP # Audit and drop the connection"
echo "AREJECT # Audit and reject the connection " echo "A_REJECT # Audit and reject the connection "
echo "allowBcast # Accept Multicast and Anycast Packets" echo "allowBcast # Accept Multicast and Anycast Packets"
echo "dropBcast # Silently Drop Multicast and Anycast Packets" echo "dropBcast # Silently Drop Multicast and Anycast Packets"
echo "allowInvalid # Accept packets that are in the INVALID conntrack state." echo "allowInvalid # Accept packets that are in the INVALID conntrack state."


@ -322,6 +322,17 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
<listitem>
<para>queues matching packets to a backend logging daemon via
a netlink socket then continues to the next rule. See <ulink
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term> role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>


@ -244,7 +244,18 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>NFQUEUE</term> <term><emphasis
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
<listitem>
<para>queues matching packets to a backend logging daemon via
a netlink socket then continues to the next rule. See <ulink
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NFQUEUE</emphasis></term>
<listitem> <listitem>
<para>Queues the packet to a user-space application using the <para>Queues the packet to a user-space application using the