
bug fix for ENABLE_OVERRIDE_FW_CMD feature to use correct hash key

1 parent 08b171a commit f7696e3440a1ce8c17185bbabb97321e811eb2fe @mrash committed Jun 16, 2017
@@ -114,8 +114,14 @@
$ipt_opts{'iptout_pat'} = $config{'IPT_OUTPUT_PATTERN'};
$ipt_opts{'ipterr_pat'} = $config{'IPT_ERROR_PATTERN'};
-$ipt_opts{'firewall-cmd'} = $config{'FW_CMD'}
- if $config{'ENABLE_OVERRIDE_FW_CMD'} eq 'Y';
+if ($config{'ENABLE_OVERRIDE_FW_CMD'} eq 'Y') {
+ if ($config{'FW_CMD_ARGS'} ne 'NONE') {
+ $ipt_opts{'firewall-cmd'} = $config{'FW_CMD'};
+ $ipt_opts{'fwd_args'} = $config{'FW_CMD_ARGS'};
+ } else {
+ $ipt_opts{'iptables'} = $config{'FW_CMD'};
+ }
+}
open FWCHECK, "> $config{'FW_CHECK_FILE'}" or die "[*] Could not ",
"open $config{'FW_CHECK_FILE'}: $!";
@@ -533,7 +539,7 @@ ()
if ($config{'ENABLE_OVERRIDE_FW_CMD'} eq 'Y') {
die "[*] Must set a path to a firewall binary with FW_CMD"
if $config{'FW_CMD'} eq 'NONE';
- $cmds{'iptables'} = $config{'ENABLE_OVERRIDE_FW_CMD'};
+ $cmds{'iptables'} = $config{'FW_CMD'};
}
return;
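Review bot: The new `if ($config{'FW_CMD_ARGS'} ne 'NONE')` test has no definedness guard, and this file's validation hunk below it only requires FW_CMD, so an existing psad.conf that predates the FW_CMD_ARGS key makes the comparison run on undef, warn under `use warnings`, and take the firewall-cmd branch with `fwd_args` undefined. Either write the test as `if (defined $config{'FW_CMD_ARGS'} and $config{'FW_CMD_ARGS'} ne 'NONE') {` or add a `die` beside the existing FW_CMD check when FW_CMD_ARGS is absent. The block also deserves a short comment stating the contract its two branches imply: with FW_CMD_ARGS set, FW_CMD is passed to IPTables::ChainMgr as firewall-cmd with those arguments; otherwise FW_CMD replaces the iptables binary outright. The psad copy of this block in psad_init has the same shape, though that file at least adds FW_CMD_ARGS to required_vars.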
14 psad
@@ -3379,8 +3379,14 @@ sub psad_init() {
$ipt_opts{'debug'} = 1 if $debug;
$ipt_opts{'verbose'} = 1 if $verbose;
- $ipt_opts{'firewall-cmd'} = $config{'FW_CMD'}
- if $config{'ENABLE_OVERRIDE_FW_CMD'} eq 'Y';
+ if ($config{'ENABLE_OVERRIDE_FW_CMD'} eq 'Y') {
+ if ($config{'FW_CMD_ARGS'} ne 'NONE') {
+ $ipt_opts{'firewall-cmd'} = $config{'FW_CMD'};
+ $ipt_opts{'fwd_args'} = $config{'FW_CMD_ARGS'};
+ } else {
+ $ipt_opts{'iptables'} = $config{'FW_CMD'};
+ }
+ }
### build iptables block config hash out of IPT_AUTO_CHAIN keywords
### (we don't check ENABLE_AUTO_IDS here since someone may have turned
@@ -3634,7 +3640,7 @@ sub validate_config() {
if ($config{'ENABLE_OVERRIDE_FW_CMD'} eq 'Y') {
die "[*] Must set a path to a firewall binary with FW_CMD"
if $config{'FW_CMD'} eq 'NONE';
- $cmds{'iptables'} = $config{'ENABLE_OVERRIDE_FW_CMD'};
+ $cmds{'iptables'} = $config{'FW_CMD'};
}
return;
@@ -11365,7 +11371,7 @@ sub required_vars() {
ENABLE_CUSTOM_SYSLOG_TS_RE FW_MSG_READ_MIN_PKTS ENABLE_DNS_LOOKUPS
ENABLE_WHOIS_LOOKUPS PSAD_FW_READ_PID_FILE DL1_UNIQUE_HOSTS
DL2_UNIQUE_HOSTS DL3_UNIQUE_HOSTS DL4_UNIQUE_HOSTS DL5_UNIQUE_HOSTS
- PORT_RANGE_SWEEP_THRESHOLD ENABLE_OVERRIDE_FW_CMD FW_CMD
+ PORT_RANGE_SWEEP_THRESHOLD ENABLE_OVERRIDE_FW_CMD FW_CMD FW_CMD_ARGS
));
&defined_vars(\@required_vars);
return;
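Review bot: In the validate_config hunk the corrected `$cmds{'iptables'} = $config{'FW_CMD'};` is made whenever the override is enabled, so in the firewalld case set up by the psad_init hunk `$cmds{'iptables'}` ends up holding the firewall-cmd path without its passthrough arguments; if anything in psad invokes `$cmds{'iptables'}` directly rather than through `%ipt_opts` (not visible here), that invocation would be malformed, and limiting the assignment to `$cmds{'iptables'} = $config{'FW_CMD'} if $config{'FW_CMD_ARGS'} eq 'NONE';` avoids it. The only check on the override path is `ne 'NONE'`, yet the value is later executed with whatever privileges psad holds, so validating it up front — `die "[*] FW_CMD must be an absolute path to an executable" unless $config{'FW_CMD'} =~ m{\A/} and -x $config{'FW_CMD'};` — rejects typos and relative paths before anything runs. Adding FW_CMD_ARGS to required_vars also means a psad.conf from an earlier release is refused at startup after upgrade, which is worth stating in the commit message or changelog. Both psad_init and validate_config begin outside their hunks.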
@@ -335,9 +335,11 @@ STATUS_IP_THRESHOLD 25;
TOP_SCANS_CTR_THRESHOLD 1;
### Override iptables automatic search and force a path to a firewall
-### binary.
+### binary. If firewalld is used, then set this to the path to firewall-cmd
+### and set FW_CMD_ARGS to '--direct --passthrough ipv4';
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
+FW_CMD_ARGS NONE;
### Send scan logs to dshield.org. This is disabled by default,
### but is a good idea to enable it (subject to your site security
@@ -44,6 +44,7 @@ EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
+FW_CMD_ARGS NONE;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS NONE;
@@ -44,6 +44,7 @@ EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
+FW_CMD_ARGS NONE;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS NONE;
@@ -44,6 +44,7 @@ EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
+FW_CMD_ARGS NONE;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS NONE;
@@ -44,6 +44,7 @@ EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
+FW_CMD_ARGS NONE;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS NONE;
@@ -44,6 +44,7 @@ EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
+FW_CMD_ARGS NONE;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS N;
IGNORE_PORTS NONE;
@@ -44,6 +44,7 @@ EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
+FW_CMD_ARGS NONE;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS NONE;
@@ -44,6 +44,7 @@ EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
+FW_CMD_ARGS NONE;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS NONE;
@@ -44,6 +44,7 @@ EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
+FW_CMD_ARGS NONE;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS NONE;
@@ -44,6 +44,7 @@ EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
+FW_CMD_ARGS NONE;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS NONE;
@@ -44,6 +44,7 @@ EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
+FW_CMD_ARGS NONE;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS NONE;
@@ -44,6 +44,7 @@ EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
+FW_CMD_ARGS NONE;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS NONE;
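Review bot: The new psad.conf comment describes only the firewalld case, while the code it documents treats FW_CMD as the iptables binary itself whenever FW_CMD_ARGS is NONE; the quoted `'--direct --passthrough ipv4'` may also lead a reader to put the quotes in the value, which no other line in these files does and which the parser may not strip. Suggested wording: `### binary. When FW_CMD_ARGS is NONE, FW_CMD is used as the iptables binary; otherwise FW_CMD is run with FW_CMD_ARGS (for firewalld, set FW_CMD to the firewall-cmd path and FW_CMD_ARGS to --direct --passthrough ipv4).` The remaining hunks only add the `FW_CMD_ARGS NONE;` default to the test configurations.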
