More AUDIT changes

Shorewall/Perl/Shorewall/Config.pm

@@ -130,6 +130,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %globals
 				       %config_files
 
+				       @auditoptions
+
 		                       F_IPV4
 		                       F_IPV6
 
@@ -311,6 +313,10 @@ our %config_files = ( #accounting      => 1,
 		      tunnels          => 1,
 		      zones            => 1 );
 #
+# Options that involve the the AUDIT target
+#
+my @auditoptions = qw( BLACKLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
+#
 # Directories to search for configuration files
 #
 my @config_path;
@@ -562,8 +568,7 @@ sub initialize( $ ) {
 		     PANIC   => 0,
 		     NONE    => '',
 		     NFLOG   => 'NFLOG',
-		     LOGMARK => 'LOGMARK',
-		     AUDIT   => 'AUDIT' );
+		     LOGMARK => 'LOGMARK' );
 
     #
     # From parsing the capabilities file or capabilities detection
@@ -2056,12 +2061,6 @@ sub validate_level( $ ) {
 	    return 'LOGMARK';
 	}
 
-	if ( $level =~ /^AUDIT\(.+\)$/ ) {
-	    require_capability( 'AUDIT_TARGET', 'AUDIT', 's' );
-	    fatal_error "Invalid AUDIT type ($2)" unless $2 =~ /^(?:DROP|REJECT|ACCEPT)$/;
-	    return "AUDIT --type $2";
-	}
-
 	level_error( $rawlevel );
     }
 
@@ -2535,7 +2534,7 @@ sub Account_Target() {
 }
 
 sub Audit_Target() {
-    qt1( "$iptables -A $sillyname -j AUDIT --type DROP" );
+    qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
 }
 
 our %detect_capability =
@@ -3345,8 +3344,8 @@ sub get_configuration( $ ) {
 
     default 'BLACKLIST_DISPOSITION'    , 'DROP';
 
-    unless ( $config{BLACKLIST_DISPOSITION} eq 'DROP' || $config{BLACKLIST_DISPOSITION} eq 'REJECT' ) {
-	fatal_error q(BLACKLIST_DISPOSITION must be 'DROP' or 'REJECT');
+    unless ( $config{BLACKLIST_DISPOSITION} =~ /^A?DROP$/ || $config{BLACKLIST_DISPOSITION} =~ /^A?REJECT/ ) {
+	fatal_error q(BLACKLIST_DISPOSITION must be 'DROP', 'ADROP', 'REJECT' or 'AREJECT');
     }
 
     default_log_level 'BLACKLIST_LOGLEVEL',  '';
@@ -3362,14 +3361,14 @@ sub get_configuration( $ ) {
     $globals{MACLIST_TARGET} = 'reject';
 
     if ( $val = $config{MACLIST_DISPOSITION} ) {
-	unless ( $val eq 'REJECT' ) {
-	    if ( $val eq 'DROP' ) {
-		$globals{MACLIST_TARGET} = 'DROP';
-	    } elsif ( $val eq 'ACCEPT' ) {
-		$globals{MACLIST_TARGET} = 'RETURN';
-	    } else {
-		fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
+	unless ( $val =~ /^A?REJECT$/ ) {
+	    unless ( $val =~ /^A?DROP/ ) {
+		if ( $val eq 'ACCEPT' ) {
+		    $globals{MACLIST_TARGET} = 'RETURN';
+		} else {
+		    fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
 		}
+	    }
 	}
     } else {
 	$config{MACLIST_DISPOSITION} = 'REJECT';
@@ -3377,7 +3376,7 @@ sub get_configuration( $ ) {
 
     if ( $val = $config{MACLIST_TABLE} ) {
 	if ( $val eq 'mangle' ) {
-	    fatal_error 'MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} eq 'REJECT';
+	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^(A?REJECT)$/;
 	} else {
 	    fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter';
 	}
@@ -3386,7 +3385,7 @@ sub get_configuration( $ ) {
     }
 
     if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
-	fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(REJECT|ACCEPT|DROP)$/;
+	fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(A?REJECT|A?ACCEPT|A?DROP)$/;
     } else {
 	$config{TCP_FLAGS_DISPOSITION} = 'DROP';
     }

Shorewall/Perl/Shorewall/Rules.pm

@@ -94,6 +94,14 @@ my %actions;
 #
 my %usedactions;
 
+#
+# Enumerate the AUDIT policies and map them to their underlying polices
+#
+my %auditpolicies = ( AACCEPT => 'ACCEPT',
+		      ADROP   => 'DROP',
+		      AREJECT => 'REJECT'
+		    ); 
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -160,9 +168,9 @@ sub initialize( $ ) {
     %usedactions       = ();
 
     if ( $family == F_IPV4 ) {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AACCEPT ADROP AREJECT/;
     } else {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AACCEPT ADROP AREJECT/;
     }
 }
 
@@ -326,9 +334,11 @@ sub process_a_policy() {
 	    fatal_error "Unknown Default Action ($default)";
 	}
     } else {
-	$default = $default_actions{$policy} || '';
+	$default = $default_actions{$auditpolicies{$policy} || $policy} || '';
     }
 
+    use_policy_action $policy if $auditpolicies{$policy};
+
     fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
 
     if ( defined $queue ) {
@@ -440,7 +450,10 @@ sub process_policies()
 			  ACCEPT => undef,
 			  REJECT => undef,
 			  DROP   => undef,
-			  CONTINUE => undef,
+			  AACCEPT => undef,
+			  AREJECT => undef,
+			  ADROP   => undef,
+			  ACONTINUE => undef,
 			  QUEUE => undef,
 			  NFQUEUE => undef,
 			  NONE => undef
@@ -1278,6 +1291,36 @@ sub Limit( $$$$ ) {
     add_rule $chainref, '-j ACCEPT';
 }
 
+sub AACCEPT ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    require_capability 'AUDIT_TARGET' , 'AACCEPT policies and rules', '';
+
+    log_rule_limit $level, $chainref, 'AACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
+    add_rule $chainref , '-j AUDIT --type accept';
+    add_rule $chainref , '-j ACCEPT';
+}
+
+sub ADROP ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    require_capability 'AUDIT_TARGET' , 'ADROP policies and rules', '';
+
+    log_rule_limit $level, $chainref, 'ADROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
+    add_rule $chainref , '-j AUDIT --type drop';
+    add_rule $chainref , '-j DROP';
+}
+
+sub AREJECT ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    require_capability 'AUDIT_TARGET' , 'AREJECT policies and rules', '';
+
+    log_rule_limit $level, $chainref, 'AREJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
+    add_rule $chainref , '-j AUDIT --type reject';
+    add_rule $chainref , '-j reject';
+}
+
 my %builtinops = ( 'dropBcast'      => \&dropBcast,
 		   'allowBcast'     => \&allowBcast,
 		   'dropNotSyn'     => \&dropNotSyn,
@@ -1420,6 +1463,12 @@ sub process_action( $) {
 sub process_actions2 () {
     progress_message2 "$doing policy actions...";
 
+    for ( map normalized_action_name $_, grep $auditpolicies{$_}, @auditoptions ) {
+	if ( my $ref = use_action( $_ ) ) {
+	    process_action( $ref );
+	}
+    }
+
     for ( map normalize_action_name $_, ( grep ! ( $targets{$_} & BUILTIN ), keys %policy_actions ) ) {
 	if ( my $ref = use_action( $_ ) ) {
 	    process_action( $ref );

Shorewall/lib.cli

@@ -1847,7 +1847,7 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
     qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
     qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
-    qt $IPTABLES -A $chain -j AUDIT --type DROP && ACCOUNT_TARGET=Yes
+    qt $IPTABLES -A $chain -j AUDIT --type drop && ACCOUNT_TARGET=Yes
 
     qt $IPTABLES -F $chain
     qt $IPTABLES -X $chain

Shorewall6/lib.cli

@@ -1489,6 +1489,8 @@ determine_capabilities() {
     qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
     qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
     qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
+    qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
+    
 
     qt $IP6TABLES -F $chain
     qt $IP6TABLES -X $chain