forked from extern/shorewall_code
Cleanup of AUDIT before Beta 3
- Correct merge snafus - Rename the new actions (e.g., ADROP->A_DROP) - Correct MACLIST_DISPOSITION logic
This commit is contained in:
parent
e9df13a42b
commit
d15475efae
@ -23,7 +23,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.20-Beta2
|
||||
VERSION=4.4.20-Beta3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-init
|
||||
%define version 4.4.20
|
||||
%define release 0Beta2
|
||||
%define release 0Beta3
|
||||
|
||||
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
|
||||
Name: %{name}
|
||||
@ -120,6 +120,8 @@ fi
|
||||
|
||||
%changelog
|
||||
* Wed May 18 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.20-0Beta3
|
||||
* Wed May 18 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.20-0Beta2
|
||||
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-1
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.20-Beta2
|
||||
VERSION=4.4.20-Beta3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -264,6 +264,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
MARK_ANYWHERE => 'Mark in any table',
|
||||
HEADER_MATCH => 'Header Match',
|
||||
ACCOUNT_TARGET => 'ACCOUNT Target',
|
||||
AUDIT_TARGET => 'AUDIT Target',
|
||||
CAPVERSION => 'Capability Version',
|
||||
KERNELVERSION => 'Kernel Version',
|
||||
);
|
||||
@ -418,7 +419,7 @@ sub initialize( $ ) {
|
||||
EXPORT => 0,
|
||||
STATEMATCH => '-m state --state',
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.4.20-Beta2",
|
||||
VERSION => "4.4.20-Beta3",
|
||||
CAPVERSION => 40417 ,
|
||||
);
|
||||
#
|
||||
@ -625,6 +626,7 @@ sub initialize( $ ) {
|
||||
MARK_ANYWHERE => undef,
|
||||
HEADER_MATCH => undef,
|
||||
ACCOUNT_TARGET => undef,
|
||||
AUDIT_TARGET => undef,
|
||||
CAPVERSION => undef,
|
||||
KERNELVERSION => undef,
|
||||
);
|
||||
@ -2712,6 +2714,7 @@ sub determine_capabilities() {
|
||||
$capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' );
|
||||
$capabilities{MARK_ANYWHERE} = detect_capability( 'MARK_ANYWHERE' );
|
||||
$capabilities{ACCOUNT_TARGET} = detect_capability( 'ACCOUNT_TARGET' );
|
||||
$capabilities{AUDIT_TARGET} = detect_capability( 'AUDIT_TARGET' );
|
||||
|
||||
|
||||
qt1( "$iptables -F $sillyname" );
|
||||
@ -3342,8 +3345,8 @@ sub get_configuration( $ ) {
|
||||
|
||||
default 'BLACKLIST_DISPOSITION' , 'DROP';
|
||||
|
||||
unless ( $config{BLACKLIST_DISPOSITION} =~ /^A?DROP$/ || $config{BLACKLIST_DISPOSITION} =~ /^A?REJECT/ ) {
|
||||
fatal_error q(BLACKLIST_DISPOSITION must be 'DROP', 'ADROP', 'REJECT' or 'AREJECT');
|
||||
unless ( $config{BLACKLIST_DISPOSITION} =~ /^(?:A_)?DROP$/ || $config{BLACKLIST_DISPOSITION} =~ /^(?:A_)?REJECT/ ) {
|
||||
fatal_error q(BLACKLIST_DISPOSITION must be 'DROP', 'A_DROP', 'REJECT' or 'A_REJECT');
|
||||
}
|
||||
|
||||
default_log_level 'BLACKLIST_LOGLEVEL', '';
|
||||
@ -3356,25 +3359,25 @@ sub get_configuration( $ ) {
|
||||
default_log_level 'SMURF_LOG_LEVEL', '';
|
||||
default_log_level 'LOGALLNEW', '';
|
||||
|
||||
$globals{MACLIST_TARGET} = 'reject';
|
||||
|
||||
if ( $val = $config{MACLIST_DISPOSITION} ) {
|
||||
unless ( $val =~ /^A?REJECT$/ ) {
|
||||
if ( $val =~ /^A?DROP/ ) {
|
||||
if ( $val =~ /^((?:A_)?(?:DROP))$/ ) {
|
||||
$globals{MACLIST_TARGET} = $1;
|
||||
} elsif ( $val eq 'REJECT' ) {
|
||||
$globals{MACLIST_TARGET} = 'reject';
|
||||
} elsif ( $val eq 'A_REJECT' ) {
|
||||
$globals{MACLIST_TARGET} = $val;
|
||||
} elsif ( $val eq 'ACCEPT' ) {
|
||||
$globals{MACLIST_TARGET} = 'RETURN';
|
||||
} else {
|
||||
fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$config{MACLIST_DISPOSITION} = 'REJECT';
|
||||
$config{MACLIST_DISPOSITION} = 'reject';
|
||||
}
|
||||
|
||||
if ( $val = $config{MACLIST_TABLE} ) {
|
||||
if ( $val eq 'mangle' ) {
|
||||
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^(A?REJECT)$/;
|
||||
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
|
||||
} else {
|
||||
fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter';
|
||||
}
|
||||
@ -3383,7 +3386,7 @@ sub get_configuration( $ ) {
|
||||
}
|
||||
|
||||
if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
|
||||
fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(A?REJECT|A?ACCEPT|A?DROP)$/;
|
||||
fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:A_)?(REJECT|ACCEPT|DROP)$/;
|
||||
} else {
|
||||
$config{TCP_FLAGS_DISPOSITION} = 'DROP';
|
||||
}
|
||||
|
@ -97,9 +97,9 @@ my %usedactions;
|
||||
#
|
||||
# Enumerate the AUDIT builtins
|
||||
#
|
||||
my %auditactions = ( AACCEPT => 1,
|
||||
ADROP => 1,
|
||||
AREJECT => 1
|
||||
my %auditactions = ( A_ACCEPT => 1,
|
||||
A_DROP => 1,
|
||||
A_REJECT => 1
|
||||
);
|
||||
|
||||
#
|
||||
@ -176,9 +176,9 @@ sub initialize( $ ) {
|
||||
%usedactions = ();
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AACCEPT ADROP AREJECT/;
|
||||
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit A_ACCEPT A_DROP A_REJECT/;
|
||||
} else {
|
||||
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AACCEPT ADROP AREJECT/;
|
||||
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid A_ACCEPT A_DROP A_REJECT/;
|
||||
}
|
||||
}
|
||||
|
||||
@ -341,7 +341,9 @@ sub process_a_policy() {
|
||||
|
||||
fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
|
||||
|
||||
if ( $audit ) {
|
||||
fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
|
||||
}
|
||||
|
||||
if ( $default ) {
|
||||
if ( "\L$default" eq 'none' ) {
|
||||
@ -466,10 +468,10 @@ sub process_policies()
|
||||
ACCEPT => undef,
|
||||
REJECT => undef,
|
||||
DROP => undef,
|
||||
AACCEPT => undef,
|
||||
AREJECT => undef,
|
||||
ADROP => undef,
|
||||
ACONTINUE => undef,
|
||||
A_ACCEPT => undef,
|
||||
A_DROP => undef,
|
||||
A_REJECT => undef,
|
||||
CONTINUE => undef,
|
||||
QUEUE => undef,
|
||||
NFQUEUE => undef,
|
||||
NONE => undef
|
||||
@ -1308,32 +1310,32 @@ sub Limit( $$$$ ) {
|
||||
add_rule $chainref, '-j ACCEPT';
|
||||
}
|
||||
|
||||
sub AACCEPT ( $$$ ) {
|
||||
sub A_ACCEPT ( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
require_capability 'AUDIT_TARGET' , 'AACCEPT rules', '';
|
||||
require_capability 'AUDIT_TARGET' , 'A_ACCEPT rules', '';
|
||||
|
||||
log_rule_limit $level, $chainref, 'AACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
|
||||
log_rule_limit $level, $chainref, 'A_ACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
|
||||
add_rule $chainref , '-j AUDIT --type accept';
|
||||
add_rule $chainref , '-j ACCEPT';
|
||||
}
|
||||
|
||||
sub ADROP ( $$$ ) {
|
||||
sub A_DROP ( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
require_capability 'AUDIT_TARGET' , 'ADROP rules', '';
|
||||
require_capability 'AUDIT_TARGET' , 'A_DROP rules', '';
|
||||
|
||||
log_rule_limit $level, $chainref, 'ADROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
|
||||
log_rule_limit $level, $chainref, 'A_DROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
|
||||
add_rule $chainref , '-j AUDIT --type drop';
|
||||
add_rule $chainref , '-j DROP';
|
||||
}
|
||||
|
||||
sub AREJECT ( $$$ ) {
|
||||
sub A_REJECT ( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
require_capability 'AUDIT_TARGET' , 'AREJECT rules', '';
|
||||
require_capability 'AUDIT_TARGET' , 'A_REJECT rules', '';
|
||||
|
||||
log_rule_limit $level, $chainref, 'AREJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
|
||||
log_rule_limit $level, $chainref, 'A_REJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
|
||||
add_rule $chainref , '-j AUDIT --type reject';
|
||||
add_rule $chainref , '-j reject';
|
||||
}
|
||||
@ -1347,9 +1349,9 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
|
||||
'allowinUPnP' => \&allowinUPnP,
|
||||
'forwardUPnP' => \&forwardUPnP,
|
||||
'Limit' => \&Limit,
|
||||
'AACCEPT' => \&AACCEPT,
|
||||
'ADROP' => \&ADROP,
|
||||
'AREJECT' => \&AREJECT
|
||||
'A_ACCEPT' => \&A_ACCEPT,
|
||||
'A_DROP' => \&A_DROP,
|
||||
'A_REJECT' => \&A_REJECT
|
||||
);
|
||||
|
||||
#
|
||||
|
@ -8,9 +8,9 @@
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
# AACCEPT # Audits then accepts a connection request
|
||||
# ADROP # Audits then drops a connection request
|
||||
# AREJECT # Audits then drops a connection request
|
||||
# A_ACCEPT # Audits then accepts a connection request
|
||||
# A_DROP # Audits then drops a connection request
|
||||
# A_REJECT # Audits then drops a connection request
|
||||
# allowBcast # Silently Allow Broadcast/multicast
|
||||
# dropBcast # Silently Drop Broadcast/multicast
|
||||
# dropNotSyn # Silently Drop Non-syn TCP packets
|
||||
|
@ -739,9 +739,9 @@ show_command() {
|
||||
case $1 in
|
||||
actions)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "AACCEPT # Audit and accept the connection"
|
||||
echo "ADROP # Audit and drop the connection"
|
||||
echo "AREJECT # Audit and reject the connection "
|
||||
echo "A_ACCEPT # Audit and accept the connection"
|
||||
echo "A_DROP # Audit and drop the connection"
|
||||
echo "A_REJECT # Audit and reject the connection "
|
||||
echo "allowBcast # Silently Allow Broadcast/multicast"
|
||||
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
|
||||
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
|
||||
|
@ -93,25 +93,25 @@ All bug fixes from 4.4.19.1 - 4.4.19.4.
|
||||
c) Three new builtin actions that may be used in the rules file,
|
||||
in macros and in other actions.
|
||||
|
||||
AACCEPT - Audits and accepts the connection request
|
||||
ADROP - Audits and drops the connection request
|
||||
AREJECT - Audits and rejects
|
||||
A_ACCEPT - Audits and accepts the connection request
|
||||
A_DROP - Audits and drops the connection request
|
||||
A_REJECT - Audits and rejects
|
||||
|
||||
A log level may be supplied with these actions to
|
||||
provide both auditing and logging.
|
||||
|
||||
Example:
|
||||
|
||||
AACCEPT:info loc net ...
|
||||
A_ACCEPT:info loc net ...
|
||||
|
||||
d) The BLACKLIST_DISPOSITION, MACLIST_DISPOSITION and
|
||||
TCP_FLAGS_DISPOSITION options may be set as follows:
|
||||
|
||||
BLACKLIST_DISPOSITION ADROP or AREJECT
|
||||
MACLIST_DISPOSITION ADROP
|
||||
AREJECT, unless
|
||||
BLACKLIST_DISPOSITION A_DROP or A_REJECT
|
||||
MACLIST_DISPOSITION A_DROP
|
||||
A_REJECT, unless
|
||||
MACLIST_TABLE=mangle
|
||||
TCP_FLAGS_DISPOSITION ADROP or AREJECT
|
||||
TCP_FLAGS_DISPOSITION A_DROP or A_REJECT
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I V. R E L E A S E 4 . 4 H I G H L I G H T S
|
||||
|
@ -630,9 +630,9 @@ show_command() {
|
||||
case $1 in
|
||||
actions)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "AACCEPT # Audit and accept the connection"
|
||||
echo "ADROP # Audit and drop the connection"
|
||||
echo "AREJECT # Audit and reject the connection "
|
||||
echo "A_ACCEPT # Audit and accept the connection"
|
||||
echo "A_DROP # Audit and drop the connection"
|
||||
echo "A_REJECT # Audit and reject the connection "
|
||||
echo "allowBcast # Accept Multicast and Anycast Packets"
|
||||
echo "dropBcast # Silently Drop Multicast and Anycast Packets"
|
||||
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
|
||||
|
@ -322,6 +322,17 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
|
||||
|
||||
<listitem>
|
||||
<para>queues matching packets to a backend logging daemon via
|
||||
a netlink socket then continues to the next rule. See <ulink
|
||||
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>
|
||||
|
@ -244,7 +244,18 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>NFQUEUE</term>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
|
||||
|
||||
<listitem>
|
||||
<para>queues matching packets to a backend logging daemon via
|
||||
a netlink socket then continues to the next rule. See <ulink
|
||||
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">NFQUEUE</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Queues the packet to a user-space application using the
|
||||
|
Loading…
Reference in New Issue
Block a user