holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

More AUDIT changes

Browse Source
This commit is contained in:
Tom Eastep 2011-05-18 21:25:57 -07:00
parent 465e729288
commit d2ab27c071
4 changed files with 75 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
Shorewall/Perl/Shorewall/Config.pm
View File

@ -130,6 +130,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
%globals %globals
%config_files %config_files
@auditoptions
F_IPV4 F_IPV4
F_IPV6 F_IPV6
@ -311,6 +313,10 @@ our %config_files = ( #accounting => 1,
tunnels => 1, tunnels => 1,
zones => 1 ); zones => 1 );
# #
# Options that involve the the AUDIT target
#
my @auditoptions = qw( BLACKLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
#
# Directories to search for configuration files # Directories to search for configuration files
# #
my @config_path; my @config_path;
@ -562,8 +568,7 @@ sub initialize( $ ) {
PANIC => 0, PANIC => 0,
NONE => '', NONE => '',
NFLOG => 'NFLOG', NFLOG => 'NFLOG',
LOGMARK => 'LOGMARK', LOGMARK => 'LOGMARK' );
AUDIT => 'AUDIT' );
# #
# From parsing the capabilities file or capabilities detection # From parsing the capabilities file or capabilities detection
@ -2056,12 +2061,6 @@ sub validate_level( $ ) {
return 'LOGMARK'; return 'LOGMARK';
} }
if ( $level =~ /^AUDIT\(.+\)$/ ) {
require_capability( 'AUDIT_TARGET', 'AUDIT', 's' );
fatal_error "Invalid AUDIT type ($2)" unless $2 =~ /^(?:DROP|REJECT|ACCEPT)$/;
return "AUDIT --type $2";
}
level_error( $rawlevel ); level_error( $rawlevel );
} }
@ -2535,7 +2534,7 @@ sub Account_Target() {
} }
sub Audit_Target() { sub Audit_Target() {
qt1( "$iptables -A $sillyname -j AUDIT --type DROP" ); qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
} }
our %detect_capability = our %detect_capability =
@ -3345,8 +3344,8 @@ sub get_configuration( $ ) {
default 'BLACKLIST_DISPOSITION' , 'DROP'; default 'BLACKLIST_DISPOSITION' , 'DROP';
unless ( $config{BLACKLIST_DISPOSITION} eq 'DROP' || $config{BLACKLIST_DISPOSITION} eq 'REJECT' ) { unless ( $config{BLACKLIST_DISPOSITION} =~ /^A?DROP$/ || $config{BLACKLIST_DISPOSITION} =~ /^A?REJECT/ ) {
fatal_error q(BLACKLIST_DISPOSITION must be 'DROP' or 'REJECT'); fatal_error q(BLACKLIST_DISPOSITION must be 'DROP', 'ADROP', 'REJECT' or 'AREJECT');
} }
default_log_level 'BLACKLIST_LOGLEVEL', ''; default_log_level 'BLACKLIST_LOGLEVEL', '';
@ -3362,22 +3361,22 @@ sub get_configuration( $ ) {
$globals{MACLIST_TARGET} = 'reject'; $globals{MACLIST_TARGET} = 'reject';
if ( $val = $config{MACLIST_DISPOSITION} ) { if ( $val = $config{MACLIST_DISPOSITION} ) {
unless ( $val eq 'REJECT' ) { unless ( $val =~ /^A?REJECT$/ ) {
if ( $val eq 'DROP' ) { unless ( $val =~ /^A?DROP/ ) {
$globals{MACLIST_TARGET} = 'DROP'; if ( $val eq 'ACCEPT' ) {
} elsif ( $val eq 'ACCEPT' ) {
$globals{MACLIST_TARGET} = 'RETURN'; $globals{MACLIST_TARGET} = 'RETURN';
} else { } else {
fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION" fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
} }
} }
}
} else { } else {
$config{MACLIST_DISPOSITION} = 'REJECT'; $config{MACLIST_DISPOSITION} = 'REJECT';
} }
if ( $val = $config{MACLIST_TABLE} ) { if ( $val = $config{MACLIST_TABLE} ) {
if ( $val eq 'mangle' ) { if ( $val eq 'mangle' ) {
fatal_error 'MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} eq 'REJECT'; fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^(A?REJECT)$/;
} else { } else {
fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter'; fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter';
} }
@ -3386,7 +3385,7 @@ sub get_configuration( $ ) {
} }
if ( $val = $config{TCP_FLAGS_DISPOSITION} ) { if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(REJECT|ACCEPT|DROP)$/; fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(A?REJECT|A?ACCEPT|A?DROP)$/;
} else { } else {
$config{TCP_FLAGS_DISPOSITION} = 'DROP'; $config{TCP_FLAGS_DISPOSITION} = 'DROP';
} }

57
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -94,6 +94,14 @@ my %actions;
# #
my %usedactions; my %usedactions;
#
# Enumerate the AUDIT policies and map them to their underlying polices
#
my %auditpolicies = ( AACCEPT => 'ACCEPT',
ADROP => 'DROP',
AREJECT => 'REJECT'
);
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
@ -160,9 +168,9 @@ sub initialize( $ ) {
%usedactions = (); %usedactions = ();
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/; @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AACCEPT ADROP AREJECT/;
} else { } else {
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/; @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AACCEPT ADROP AREJECT/;
} }
} }
@ -326,9 +334,11 @@ sub process_a_policy() {
fatal_error "Unknown Default Action ($default)"; fatal_error "Unknown Default Action ($default)";
} }
} else { } else {
$default = $default_actions{$policy} || ''; $default = $default_actions{$auditpolicies{$policy} || $policy} || '';
} }
use_policy_action $policy if $auditpolicies{$policy};
fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy}; fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
if ( defined $queue ) { if ( defined $queue ) {
@ -440,7 +450,10 @@ sub process_policies()
ACCEPT => undef, ACCEPT => undef,
REJECT => undef, REJECT => undef,
DROP => undef, DROP => undef,
CONTINUE => undef, AACCEPT => undef,
AREJECT => undef,
ADROP => undef,
ACONTINUE => undef,
QUEUE => undef, QUEUE => undef,
NFQUEUE => undef, NFQUEUE => undef,
NONE => undef NONE => undef
@ -1278,6 +1291,36 @@ sub Limit( $$$$ ) {
add_rule $chainref, '-j ACCEPT'; add_rule $chainref, '-j ACCEPT';
} }
sub AACCEPT ( $$$ ) {
my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'AACCEPT policies and rules', '';
log_rule_limit $level, $chainref, 'AACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type accept';
add_rule $chainref , '-j ACCEPT';
}
sub ADROP ( $$$ ) {
my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'ADROP policies and rules', '';
log_rule_limit $level, $chainref, 'ADROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type drop';
add_rule $chainref , '-j DROP';
}
sub AREJECT ( $$$ ) {
my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'AREJECT policies and rules', '';
log_rule_limit $level, $chainref, 'AREJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type reject';
add_rule $chainref , '-j reject';
}
my %builtinops = ( 'dropBcast' => \&dropBcast, my %builtinops = ( 'dropBcast' => \&dropBcast,
'allowBcast' => \&allowBcast, 'allowBcast' => \&allowBcast,
'dropNotSyn' => \&dropNotSyn, 'dropNotSyn' => \&dropNotSyn,
@ -1420,6 +1463,12 @@ sub process_action( $) {
sub process_actions2 () { sub process_actions2 () {
progress_message2 "$doing policy actions..."; progress_message2 "$doing policy actions...";
for ( map normalized_action_name $_, grep $auditpolicies{$_}, @auditoptions ) {
if ( my $ref = use_action( $_ ) ) {
process_action( $ref );
}
}
for ( map normalize_action_name $_, ( grep ! ( $targets{$_} & BUILTIN ), keys %policy_actions ) ) { for ( map normalize_action_name $_, ( grep ! ( $targets{$_} & BUILTIN ), keys %policy_actions ) ) {
if ( my $ref = use_action( $_ ) ) { if ( my $ref = use_action( $_ ) ) {
process_action( $ref ); process_action( $ref );

2
Shorewall/lib.cli
View File

@ -1847,7 +1847,7 @@ determine_capabilities() {
qt $IPTABLES -A $chain -j LOG || LOG_TARGET= qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
qt $IPTABLES -A $chain -j AUDIT --type DROP && ACCOUNT_TARGET=Yes qt $IPTABLES -A $chain -j AUDIT --type drop && ACCOUNT_TARGET=Yes
qt $IPTABLES -F $chain qt $IPTABLES -F $chain
qt $IPTABLES -X $chain qt $IPTABLES -X $chain

2
Shorewall6/lib.cli
View File

@ -1489,6 +1489,8 @@ determine_capabilities() {
qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
qt $IP6TABLES -F $chain qt $IP6TABLES -F $chain
qt $IP6TABLES -X $chain qt $IP6TABLES -X $chain