Merge pull request #1597 from stdweird/shorewall_policy_audit

ncm-shorewall: support audit in shorewall/iptables
quattor · Jul 28, 2023 · 395f803 · 395f803
2 parents 1fedce4 + c406c1f
commit 395f803
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 2 deletions.
diff --git a/ncm-shorewall/src/main/pan/components/shorewall/schema.pan b/ncm-shorewall/src/main/pan/components/shorewall/schema.pan
@@ -88,6 +88,8 @@ type component_shorewall_policy = {
     "burst" ? string
     "limit" ? string
     "connlimit" ? string
+    @{enable audit on the policy}
+    "audit" ? boolean
 };
 
 # Keep this list in sync with list from TT file
@@ -153,6 +155,10 @@ type component_shorewall_rules = {
     "headers" ? string
     "switch" ? string
     "helper" ? string
+    @{use the audit action}
+    "audit" ? boolean
+    @{action loglevel}
+    "loglevel" ? string
 };
 
 type component_shorewall_shorewall_blacklist = string with

diff --git a/ncm-shorewall/src/main/resources/line/policy.tt b/ncm-shorewall/src/main/resources/line/policy.tt
@@ -2,7 +2,7 @@
 [%-      CASE 'burst' -%]
 [%-         el -%][% line.exists('limit') ? ':' _ line.limit : '' -%]
 [%-      CASE 'policy' -%]
-[%-         el FILTER upper -%]
+[%-         el FILTER upper -%][% line.exists('audit') && line.audit ? ':audit' : '' -%]
 [%-      CASE -%]
 [%-         CCM.is_list(el) ? el.join(',') : el -%]
 [%- END -%]
diff --git a/ncm-shorewall/src/main/resources/line/rules.tt b/ncm-shorewall/src/main/resources/line/rules.tt
@@ -4,7 +4,7 @@
 [%-      CASE 'user' -%]
 [%-         el -%][% line.exists('group') ? ':' _ line.group : '' -%]
 [%-      CASE 'action' -%]
-[%-         el FILTER upper -%]
+[%-         line.exists('audit') && line.audit ? 'A_' : '' -%][%- el FILTER upper -%][%- line.exists('loglevel') ? ':' _ line.loglevel : '' -%]
 [%-      CASE -%]
 [%-         CCM.is_list(el) ? el.join(',') : el -%]
 [%- END -%]
diff --git a/ncm-shorewall/src/main/resources/tests/profiles/policy.pan b/ncm-shorewall/src/main/resources/tests/profiles/policy.pan
@@ -21,3 +21,10 @@ prefix '/config/2';
 "policy" = "reject";
 "src" = "all";
 "connlimit" = "alot";
+
+prefix '/config/3';
+"dst" = "all";
+"loglevel" = "info";
+"policy" = "reject";
+"src" = "all";
+"audit" = true;
diff --git a/ncm-shorewall/src/main/resources/tests/profiles/rules.pan b/ncm-shorewall/src/main/resources/tests/profiles/rules.pan
@@ -22,3 +22,10 @@ prefix '/config/1';
 "src/address/1" = "5.6.7.8/32";
 "src/interface" = "etx1";
 "src/zone" = "ext";
+
+prefix '/config/2';
+"action" = "reject";
+"dst/zone" = "fww";
+"src/zone" = "extt";
+"audit" = true;
+"loglevel" = "info";
diff --git a/ncm-shorewall/src/main/resources/tests/regexps/policy b/ncm-shorewall/src/main/resources/tests/regexps/policy
@@ -7,3 +7,4 @@ contentspath=/config
 ^fw\tall\tACCEPT$
 ^int\tall\tACCEPT\t-\tabc:123$
 ^all\tall\tREJECT\tinfo\t-\talot$
+^all\tall\tREJECT:audit\tinfo$
diff --git a/ncm-shorewall/src/main/resources/tests/regexps/rules b/ncm-shorewall/src/main/resources/tests/regexps/rules
@@ -6,3 +6,4 @@ contentspath=/config
 ---
 ^ACCEPT\tall\tfw\ticmp\t8,9\t-\t-\t-\tmyuser:mygroup$
 ^ACCEPT\text:etx1:1.2.3.4/16,5.6.7.8/32\tfw\ttcp\t22$
+^A_REJECT:info\textt\tfww$