From d2ab27c07154970eca291c070738bdd3bb91e1af Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 18 May 2011 21:25:57 -0700
Subject: [PATCH] More AUDIT changes

---
 Shorewall/Perl/Shorewall/Config.pm | 39 ++++++++++----------
 Shorewall/Perl/Shorewall/Rules.pm | 57 +++++++++++++++++++++++++++---
 Shorewall/lib.cli | 2 +-
 Shorewall6/lib.cli | 2 ++
 4 files changed, 75 insertions(+), 25 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 5911ebb01..a98c32030 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -130,6 +130,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script %globals %config_files + @auditoptions + F_IPV4 F_IPV6
@@ -311,6 +313,10 @@ our %config_files = ( #accounting => 1,
 tunnels => 1,
 zones => 1 );
 #
+# Options that involve the the AUDIT target
+#
+my @auditoptions = qw( BLACKLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
+#
 # Directories to search for configuration files
 #
 my @config_path;
@@ -562,8 +568,7 @@ sub initialize( $ ) {
 PANIC => 0,
 NONE => '',
 NFLOG => 'NFLOG',
- LOGMARK => 'LOGMARK',
- AUDIT => 'AUDIT' );
+ LOGMARK => 'LOGMARK' );
 #
 # From parsing the capabilities file or capabilities detection
@@ -2056,12 +2061,6 @@ sub validate_level( $ ) {
 return 'LOGMARK';
 }
- if ( $level =~ /^AUDIT\(.+\)$/ ) { require_capability( 'AUDIT_TARGET', 'AUDIT', 's' ); fatal_error "Invalid AUDIT type ($2)" unless $2 =~ /^(?:DROP|REJECT|ACCEPT)$/; return "AUDIT --type $2"; }
-
 level_error( $rawlevel );
 }
@@ -2535,7 +2534,7 @@ sub Account_Target() {
 }
 sub Audit_Target() {
- qt1( "$iptables -A $sillyname -j AUDIT --type DROP" );
+ qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
 }
 our %detect_capability =
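Review bot: The comment above the new `my @auditoptions` line has a doubled word ("the the") and does not say what the list actually holds, which matters because the Rules.pm hunk in process_actions2 iterates over it. Suggested wording: `# Names of configuration options whose value may be an audited (A-prefixed) disposition; consumed by Rules.pm`. The list is also exported through the `internal` tag in the first hunk, so the comment is the only place a reader of Rules.pm learns that these are option names rather than values.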
@@ -3345,8 +3344,8 @@ sub get_configuration( $ ) {
 default 'BLACKLIST_DISPOSITION' , 'DROP';
- unless ( $config{BLACKLIST_DISPOSITION} eq 'DROP' || $config{BLACKLIST_DISPOSITION} eq 'REJECT' ) {
- fatal_error q(BLACKLIST_DISPOSITION must be 'DROP' or 'REJECT');
+ unless ( $config{BLACKLIST_DISPOSITION} =~ /^A?DROP$/ || $config{BLACKLIST_DISPOSITION} =~ /^A?REJECT/ ) {
+ fatal_error q(BLACKLIST_DISPOSITION must be 'DROP', 'ADROP', 'REJECT' or 'AREJECT');
 }
 default_log_level 'BLACKLIST_LOGLEVEL', '';
@@ -3362,14 +3361,14 @@ sub get_configuration( $ ) {
 $globals{MACLIST_TARGET} = 'reject';
 if ( $val = $config{MACLIST_DISPOSITION} ) {
- unless ( $val eq 'REJECT' ) {
- if ( $val eq 'DROP' ) {
- $globals{MACLIST_TARGET} = 'DROP';
- } elsif ( $val eq 'ACCEPT' ) {
- $globals{MACLIST_TARGET} = 'RETURN';
- } else {
- fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
+ unless ( $val =~ /^A?REJECT$/ ) {
+ unless ( $val =~ /^A?DROP/ ) {
+ if ( $val eq 'ACCEPT' ) {
+ $globals{MACLIST_TARGET} = 'RETURN';
+ } else {
+ fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
 }
+ }
 }
 } else {
 $config{MACLIST_DISPOSITION} = 'REJECT';
@@ -3377,7 +3376,7 @@ sub get_configuration( $ ) {
 if ( $val = $config{MACLIST_TABLE} ) {
 if ( $val eq 'mangle' ) {
- fatal_error 'MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} eq 'REJECT';
+ fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^(A?REJECT)$/;
 } else {
 fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter';
 }
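Review bot: The new BLACKLIST_DISPOSITION condition anchors `/^A?DROP$/` at both ends but `/^A?REJECT/` only at the start, so any value that merely begins with REJECT (a constructed example: `REJECTED`) passes validation even though the error message advertises exactly four accepted values. Use `$config{BLACKLIST_DISPOSITION} =~ /^A?REJECT$/` so both alternatives are full-string matches. get_configuration continues outside the hunk.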
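Review bot: In the restructured MACLIST_DISPOSITION branches the `unless ( $val =~ /^A?DROP/ )` arm has an empty body, so a `DROP` or `ADROP` value no longer assigns `$globals{MACLIST_TARGET}` the way the removed `$globals{MACLIST_TARGET} = 'DROP';` line did, and the target keeps the `'reject'` preset from the context line above. If the target is now derived from `$config{MACLIST_DISPOSITION}` elsewhere (not visible in this diff), a comment on that empty branch saying so would stop this reading as a regression; otherwise the assignment needs a replacement. Separately, `/^A?DROP/` lacks the `$` anchor that `/^A?REJECT$/` on the previous line has, so a value such as `DROPX` (constructed) is silently treated as DROP; use `/^A?DROP$/`.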
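Review bot: The new MACLIST_TABLE=mangle fatal_error message is single-quoted, so `$1` is not interpolated and the user sees the literal text `MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle`. Switch to double quotes: `fatal_error "MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle" if $config{MACLIST_DISPOSITION} =~ /^(A?REJECT)$/;` — the postfix `if` evaluates the match before the string is built, so `$1` holds the captured disposition.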
@@ -3386,7 +3385,7 @@ sub get_configuration( $ ) {
 }
 if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
- fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(REJECT|ACCEPT|DROP)$/;
+ fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(A?REJECT|A?ACCEPT|A?DROP)$/;
 } else {
 $config{TCP_FLAGS_DISPOSITION} = 'DROP';
 }
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 38021b7ce..d5e4f6219 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -94,6 +94,14 @@ my %actions;
 #
 my %usedactions;
+#
+# Enumerate the AUDIT policies and map them to their underlying polices
+#
+my %auditpolicies = ( AACCEPT => 'ACCEPT',
+ ADROP => 'DROP',
+ AREJECT => 'REJECT'
+ );
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -160,9 +168,9 @@ sub initialize( $ ) {
 %usedactions = ();
 if ( $family == F_IPV4 ) {
- @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
+ @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AACCEPT ADROP AREJECT/;
 } else {
- @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
+ @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AACCEPT ADROP AREJECT/;
 }
 }
@@ -326,9 +334,11 @@ sub process_a_policy() {
 fatal_error "Unknown Default Action ($default)";
 }
 } else {
- $default = $default_actions{$policy} || '';
+ $default = $default_actions{$auditpolicies{$policy} || $policy} || '';
 }
+ use_policy_action $policy if $auditpolicies{$policy};
+
 fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
 if ( defined $queue ) {
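Review bot: The comment introducing `%auditpolicies` misspells "policies" as "polices" and does not say which way the mapping is used. Suggested wording: `# Map each AUDIT policy (AACCEPT/ADROP/AREJECT) to the underlying policy whose default action it inherits (see process_a_policy)`.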
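Review bot: `$default = $default_actions{$auditpolicies{$policy} || $policy} || '';` quietly makes an audit policy inherit the default action of the policy it wraps, and the new `use_policy_action $policy if $auditpolicies{$policy};` runs before the `exists $validpolicies{$policy}` check on the next context line; neither choice is explained. A comment such as `# An audited policy (ADROP etc.) uses the default action of the policy it wraps; its builtin is marked used here so process_actions2 emits it` would make the intent clear, assuming that is what the ordering is for. process_a_policy starts before the hunk.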
@@ -440,7 +450,10 @@ sub process_policies()
 ACCEPT => undef,
 REJECT => undef,
 DROP => undef,
- CONTINUE => undef,
+ AACCEPT => undef,
+ AREJECT => undef,
+ ADROP => undef,
+ ACONTINUE => undef,
 QUEUE => undef,
 NFQUEUE => undef,
 NONE => undef
@@ -1278,6 +1291,36 @@ sub Limit( $$$$ ) {
 add_rule $chainref, '-j ACCEPT';
 }
+sub AACCEPT ( $$$ ) {
+ my ($chainref, $level, $tag) = @_;
+
+ require_capability 'AUDIT_TARGET' , 'AACCEPT policies and rules', '';
+
+ log_rule_limit $level, $chainref, 'AACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
+ add_rule $chainref , '-j AUDIT --type accept';
+ add_rule $chainref , '-j ACCEPT';
+}
+
+sub ADROP ( $$$ ) {
+ my ($chainref, $level, $tag) = @_;
+
+ require_capability 'AUDIT_TARGET' , 'ADROP policies and rules', '';
+
+ log_rule_limit $level, $chainref, 'ADROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
+ add_rule $chainref , '-j AUDIT --type drop';
+ add_rule $chainref , '-j DROP';
+}
+
+sub AREJECT ( $$$ ) {
+ my ($chainref, $level, $tag) = @_;
+
+ require_capability 'AUDIT_TARGET' , 'AREJECT policies and rules', '';
+
+ log_rule_limit $level, $chainref, 'AREJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
+ add_rule $chainref , '-j AUDIT --type reject';
+ add_rule $chainref , '-j reject';
+}
+
 my %builtinops = ( 'dropBcast' => \&dropBcast,
 'allowBcast' => \&allowBcast,
 'dropNotSyn' => \&dropNotSyn,
@@ -1420,6 +1463,12 @@ sub process_action( $) {
 sub process_actions2 () {
 progress_message2 "$doing policy actions...";
+ for ( map normalized_action_name $_, grep $auditpolicies{$_}, @auditoptions ) {
+ if ( my $ref = use_action( $_ ) ) {
+ process_action( $ref );
+ }
+ }
+
 for ( map normalize_action_name $_, ( grep ! ( $targets{$_} & BUILTIN ), keys %policy_actions ) ) {
 if ( my $ref = use_action( $_ ) ) {
 process_action( $ref );
diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli
index 0ceef14ce..a4d983aa5 100644
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
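Review bot: The policy table hunk removes `CONTINUE => undef` while adding `ACONTINUE => undef`, so an existing `CONTINUE` policy would now fail the `exists $validpolicies{$policy}` check in process_a_policy, and `ACONTINUE` has no counterpart in `%auditpolicies` or in the `@builtins` lists this commit extends. Unless an audited CONTINUE is being introduced elsewhere, this looks like an editing slip: keep `CONTINUE => undef,` and drop `ACONTINUE => undef,`. The hash literal this hunk edits starts before the hunk.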
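Review bot: `AACCEPT`, `ADROP` and `AREJECT` are three copies of the same eight lines differing only in the action name, the `--type` argument and the final target, which invites the three to drift apart (the AREJECT copy already jumps to lowercase `reject`, presumably the reject chain rather than the REJECT target, and that deserves a comment of its own). A single helper keyed on `%auditpolicies`, with the three builtins as one-line wrappers, keeps the capability check, logging and rule order in one place; the helper must not carry a `$`-prototype, since the wrappers forward `@_` and a scalar prototype would collapse it to its length. The rewrite below preserves the emitted rules and log arguments exactly.
```perl
#
# Common body of the AACCEPT/ADROP/AREJECT builtins: audit the packet, log if a
# level was given, then apply the real target. Deliberately unprototyped so the
# wrappers can forward @_.
#
sub audit_builtin {
    my ( $chainref, $level, $tag, $action, $target ) = @_;

    require_capability 'AUDIT_TARGET' , "$action policies and rules", '';

    log_rule_limit $level, $chainref, $action , $auditpolicies{$action}, '', $tag, 'add', '' if $level ne '';
    add_rule $chainref , '-j AUDIT --type ' . lc( $auditpolicies{$action} );
    add_rule $chainref , "-j $target";
}

sub AACCEPT ( $$$ ) { audit_builtin( @_, 'AACCEPT', 'ACCEPT' ); }
sub ADROP   ( $$$ ) { audit_builtin( @_, 'ADROP',   'DROP'   ); }
sub AREJECT ( $$$ ) { audit_builtin( @_, 'AREJECT', 'reject' ); }   # 'reject' is the lowercase chain, not the REJECT target

# … unchanged: %builtinops table …
```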
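Review bot: The new loop in process_actions2 never executes: `grep $auditpolicies{$_}, @auditoptions` tests the option names `BLACKLIST_DISPOSITION` and `TCP_FLAGS_DISPOSITION` (the contents of `@auditoptions` in the Config.pm hunk) against `%auditpolicies`, whose keys are `AACCEPT`/`ADROP`/`AREJECT`, so the grep is always empty. The intent appears to be the configured values of those options, e.g. `grep $auditpolicies{$_}, @config{@auditoptions}`, assuming `%config` is in scope in Rules.pm as it is in Config.pm. The same line also calls `normalized_action_name` while the existing loop on the next context line calls `normalize_action_name`; unless both subs exist, the new name is a typo that would only surface at runtime.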
@@ -1847,7 +1847,7 @@ determine_capabilities() {
 qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
 qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
 qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
- qt $IPTABLES -A $chain -j AUDIT --type DROP && ACCOUNT_TARGET=Yes
+ qt $IPTABLES -A $chain -j AUDIT --type drop && ACCOUNT_TARGET=Yes
 qt $IPTABLES -F $chain
 qt $IPTABLES -X $chain
diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli
index cc607dbe8..cb8b309f1 100644
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -1489,6 +1489,8 @@ determine_capabilities() {
 qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
 qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
 qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
+ qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
+
 qt $IP6TABLES -F $chain
 qt $IP6TABLES -X $chain
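Review bot: The IPv4 AUDIT probe still sets `ACCOUNT_TARGET=Yes` on success, evidently carried over from the ACCOUNT probe on the line above, whereas the Shorewall6 hunk in this same commit correctly sets `AUDIT_TARGET=Yes`. As written the shell-side detection never records AUDIT support, and a system that has AUDIT but not ACCOUNT is reported as having the ACCOUNT target. The line should read `qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes`.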