Cleanup of AUDIT before Beta 3

- Correct merge snafus
- Rename the new actions (e.g., ADROP->A_DROP)
- Correct MACLIST_DISPOSITION logic
Tom Eastep 2011-05-20 07:47:35 -07:00
parent e9df13a42b
commit d15475efae
11 changed files with 89 additions and 60 deletions


@ -23,7 +23,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.20-Beta2
VERSION=4.4.20-Beta3
usage() # $1 = exit status
{


@ -1,6 +1,6 @@
%define name shorewall-init
%define version 4.4.20
%define release 0Beta2
%define release 0Beta3
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name}
@ -120,6 +120,8 @@ fi
%changelog
* Wed May 18 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0Beta3
* Wed May 18 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0Beta2
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.20-Beta2
VERSION=4.4.20-Beta3
usage() # $1 = exit status
{


@ -264,6 +264,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
MARK_ANYWHERE => 'Mark in any table',
HEADER_MATCH => 'Header Match',
ACCOUNT_TARGET => 'ACCOUNT Target',
AUDIT_TARGET => 'AUDIT Target',
CAPVERSION => 'Capability Version',
KERNELVERSION => 'Kernel Version',
);
@ -418,7 +419,7 @@ sub initialize( $ ) {
EXPORT => 0,
STATEMATCH => '-m state --state',
UNTRACKED => 0,
VERSION => "4.4.20-Beta2",
VERSION => "4.4.20-Beta3",
CAPVERSION => 40417 ,
);
#
@ -625,6 +626,7 @@ sub initialize( $ ) {
MARK_ANYWHERE => undef,
HEADER_MATCH => undef,
ACCOUNT_TARGET => undef,
AUDIT_TARGET => undef,
CAPVERSION => undef,
KERNELVERSION => undef,
);
@ -2712,6 +2714,7 @@ sub determine_capabilities() {
$capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' );
$capabilities{MARK_ANYWHERE} = detect_capability( 'MARK_ANYWHERE' );
$capabilities{ACCOUNT_TARGET} = detect_capability( 'ACCOUNT_TARGET' );
$capabilities{AUDIT_TARGET} = detect_capability( 'AUDIT_TARGET' );
qt1( "$iptables -F $sillyname" );
@ -3342,8 +3345,8 @@ sub get_configuration( $ ) {
default 'BLACKLIST_DISPOSITION' , 'DROP';
unless ( $config{BLACKLIST_DISPOSITION} =~ /^A?DROP$/ || $config{BLACKLIST_DISPOSITION} =~ /^A?REJECT/ ) {
fatal_error q(BLACKLIST_DISPOSITION must be 'DROP', 'ADROP', 'REJECT' or 'AREJECT');
unless ( $config{BLACKLIST_DISPOSITION} =~ /^(?:A_)?DROP$/ || $config{BLACKLIST_DISPOSITION} =~ /^(?:A_)?REJECT/ ) {
fatal_error q(BLACKLIST_DISPOSITION must be 'DROP', 'A_DROP', 'REJECT' or 'A_REJECT');
}
default_log_level 'BLACKLIST_LOGLEVEL', '';
@ -3356,25 +3359,25 @@ sub get_configuration( $ ) {
default_log_level 'SMURF_LOG_LEVEL', '';
default_log_level 'LOGALLNEW', '';
$globals{MACLIST_TARGET} = 'reject';
if ( $val = $config{MACLIST_DISPOSITION} ) {
unless ( $val =~ /^A?REJECT$/ ) {
if ( $val =~ /^A?DROP/ ) {
if ( $val =~ /^((?:A_)?(?:DROP))$/ ) {
$globals{MACLIST_TARGET} = $1;
} elsif ( $val eq 'REJECT' ) {
$globals{MACLIST_TARGET} = 'reject';
} elsif ( $val eq 'A_REJECT' ) {
$globals{MACLIST_TARGET} = $val;
} elsif ( $val eq 'ACCEPT' ) {
$globals{MACLIST_TARGET} = 'RETURN';
} else {
fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
}
}
} else {
$config{MACLIST_DISPOSITION} = 'REJECT';
$config{MACLIST_DISPOSITION} = 'reject';
}
if ( $val = $config{MACLIST_TABLE} ) {
if ( $val eq 'mangle' ) {
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^(A?REJECT)$/;
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
} else {
fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter';
}
@ -3383,7 +3386,7 @@ sub get_configuration( $ ) {
}
if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(A?REJECT|A?ACCEPT|A?DROP)$/;
fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:A_)?(REJECT|ACCEPT|DROP)$/;
} else {
$config{TCP_FLAGS_DISPOSITION} = 'DROP';
}
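Review bot: The MACLIST_TABLE=mangle guard in the MACLIST_DISPOSITION hunk still tests `/^((?:A)?REJECT)$/`, which matches the pre-rename spelling `AREJECT` rather than the `A_REJECT` value the branch above now accepts, so `MACLIST_DISPOSITION=A_REJECT` combined with `MACLIST_TABLE=mangle` is no longer caught. The message on that same line is single-quoted, so `$1` is emitted literally instead of the offending value; both are fixed by `fatal_error "MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle" if $config{MACLIST_DISPOSITION} =~ /^((?:A_)?REJECT)$/;`. If the lowercase `$config{MACLIST_DISPOSITION} = 'reject';` in the else branch is the new side, the unset-disposition default also stops matching this guard (the previous `'REJECT'` did), which reads like a `$globals{MACLIST_TARGET}` / `$config{MACLIST_DISPOSITION}` mix-up and is worth confirming. Note also that the BLACKLIST_DISPOSITION pattern `/^(?:A_)?REJECT/` in the earlier hunk has no end anchor, unlike its DROP counterpart. get_configuration continues outside these hunks.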


@ -97,9 +97,9 @@ my %usedactions;
#
# Enumerate the AUDIT builtins
#
my %auditactions = ( AACCEPT => 1,
ADROP => 1,
AREJECT => 1
my %auditactions = ( A_ACCEPT => 1,
A_DROP => 1,
A_REJECT => 1
);
#
@ -176,9 +176,9 @@ sub initialize( $ ) {
%usedactions = ();
if ( $family == F_IPV4 ) {
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AACCEPT ADROP AREJECT/;
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit A_ACCEPT A_DROP A_REJECT/;
} else {
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AACCEPT ADROP AREJECT/;
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid A_ACCEPT A_DROP A_REJECT/;
}
}
@ -341,7 +341,9 @@ sub process_a_policy() {
fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
if ( $audit ) {
fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
}
if ( $default ) {
if ( "\L$default" eq 'none' ) {
@ -466,10 +468,10 @@ sub process_policies()
ACCEPT => undef,
REJECT => undef,
DROP => undef,
AACCEPT => undef,
AREJECT => undef,
ADROP => undef,
ACONTINUE => undef,
A_ACCEPT => undef,
A_DROP => undef,
A_REJECT => undef,
CONTINUE => undef,
QUEUE => undef,
NFQUEUE => undef,
NONE => undef
@ -1308,32 +1310,32 @@ sub Limit( $$$$ ) {
add_rule $chainref, '-j ACCEPT';
}
sub AACCEPT ( $$$ ) {
sub A_ACCEPT ( $$$ ) {
my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'AACCEPT rules', '';
require_capability 'AUDIT_TARGET' , 'A_ACCEPT rules', '';
log_rule_limit $level, $chainref, 'AACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
log_rule_limit $level, $chainref, 'A_ACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type accept';
add_rule $chainref , '-j ACCEPT';
}
sub ADROP ( $$$ ) {
sub A_DROP ( $$$ ) {
my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'ADROP rules', '';
require_capability 'AUDIT_TARGET' , 'A_DROP rules', '';
log_rule_limit $level, $chainref, 'ADROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
log_rule_limit $level, $chainref, 'A_DROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type drop';
add_rule $chainref , '-j DROP';
}
sub AREJECT ( $$$ ) {
sub A_REJECT ( $$$ ) {
my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'AREJECT rules', '';
require_capability 'AUDIT_TARGET' , 'A_REJECT rules', '';
log_rule_limit $level, $chainref, 'AREJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
log_rule_limit $level, $chainref, 'A_REJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type reject';
add_rule $chainref , '-j reject';
}
@ -1347,9 +1349,9 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
'allowinUPnP' => \&allowinUPnP,
'forwardUPnP' => \&forwardUPnP,
'Limit' => \&Limit,
'AACCEPT' => \&AACCEPT,
'ADROP' => \&ADROP,
'AREJECT' => \&AREJECT
'A_ACCEPT' => \&A_ACCEPT,
'A_DROP' => \&A_DROP,
'A_REJECT' => \&A_REJECT
);
#


@ -8,9 +8,9 @@
#
# Builtin Actions are:
#
# AACCEPT # Audits then accepts a connection request
# ADROP # Audits then drops a connection request
# AREJECT # Audits then drops a connection request
# A_ACCEPT # Audits then accepts a connection request
# A_DROP # Audits then drops a connection request
# A_REJECT # Audits then drops a connection request
# allowBcast # Silently Allow Broadcast/multicast
# dropBcast # Silently Drop Broadcast/multicast
# dropNotSyn # Silently Drop Non-syn TCP packets


@ -739,9 +739,9 @@ show_command() {
case $1 in
actions)
[ $# -gt 1 ] && usage 1
echo "AACCEPT # Audit and accept the connection"
echo "ADROP # Audit and drop the connection"
echo "AREJECT # Audit and reject the connection "
echo "A_ACCEPT # Audit and accept the connection"
echo "A_DROP # Audit and drop the connection"
echo "A_REJECT # Audit and reject the connection "
echo "allowBcast # Silently Allow Broadcast/multicast"
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"


@ -93,25 +93,25 @@ All bug fixes from 4.4.19.1 - 4.4.19.4.
c) Three new builtin actions that may be used in the rules file,
in macros and in other actions.
AACCEPT - Audits and accepts the connection request
ADROP - Audits and drops the connection request
AREJECT - Audits and rejects
A_ACCEPT - Audits and accepts the connection request
A_DROP - Audits and drops the connection request
A_REJECT - Audits and rejects
A log level may be supplied with these actions to
provide both auditing and logging.
Example:
AACCEPT:info loc net ...
A_ACCEPT:info loc net ...
d) The BLACKLIST_DISPOSITION, MACLIST_DISPOSITION and
TCP_FLAGS_DISPOSITION options may be set as follows:
BLACKLIST_DISPOSITION ADROP or AREJECT
MACLIST_DISPOSITION ADROP
AREJECT, unless
BLACKLIST_DISPOSITION A_DROP or A_REJECT
MACLIST_DISPOSITION A_DROP
A_REJECT, unless
MACLIST_TABLE=mangle
TCP_FLAGS_DISPOSITION ADROP or AREJECT
TCP_FLAGS_DISPOSITION A_DROP or A_REJECT
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S


@ -630,9 +630,9 @@ show_command() {
case $1 in
actions)
[ $# -gt 1 ] && usage 1
echo "AACCEPT # Audit and accept the connection"
echo "ADROP # Audit and drop the connection"
echo "AREJECT # Audit and reject the connection "
echo "A_ACCEPT # Audit and accept the connection"
echo "A_DROP # Audit and drop the connection"
echo "A_REJECT # Audit and reject the connection "
echo "allowBcast # Accept Multicast and Anycast Packets"
echo "dropBcast # Silently Drop Multicast and Anycast Packets"
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."


@ -322,6 +322,17 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
<listitem>
<para>queues matching packets to a backend logging daemon via
a netlink socket then continues to the next rule. See <ulink
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>


@ -244,7 +244,18 @@
</varlistentry>
<varlistentry>
<term>NFQUEUE</term>
<term><emphasis
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
<listitem>
<para>queues matching packets to a backend logging daemon via
a netlink socket then continues to the next rule. See <ulink
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NFQUEUE</emphasis></term>
<listitem>
<para>Queues the packet to a user-space application using the