extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-20 03:31:22 +01:00
Code Issues Packages Projects Releases Wiki Activity

Reverse logprefix patches

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1203 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-03-18 15:13:04 +00:00
parent 5a173855b0
commit 302cae411e
2 changed files with 38 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
Shorewall2/firewall
View File

@ -1022,32 +1022,21 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi
local disposition=$3 local disposition=$3
local rulenum= local rulenum=
local limit="${4:-$LOGLIMIT}" local limit="${4:-$LOGLIMIT}"
local dx="";
local logprefix="${5:-$dx}"
logprefix="$logprefix "
shift;shift;shift;shift;shift
shift;shift;shift;shift
if [ -n "$LOGRULENUMBERS" ]; then if [ -n "$LOGRULENUMBERS" ]; then
eval rulenum=\$${chain}_logrules eval rulenum=\$${chain}_logrules
[ -z "$rulenum" ] && rulenum=1 [ -z "$rulenum" ] && rulenum=1
logprefixtemp="$(printf "$LOGFORMAT" $chain $rulenum $disposition)$logprefix"
if [ ${#logprefixtemp} -gt 29 ]; then
logprefixtemp="$(echo $logprefixtemp |cut -b -29)"
echo " Logprefix too LONG ! cutting it to 29 : $logprefixtemp"
fi
case $level in case $level in
ULOG) ULOG)
eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$logprefixtemp"' eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"'
;; ;;
*) *)
eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"$logprefixtemp"' eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \
--log-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"'
;; ;;
esac esac
@ -1059,21 +1048,13 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi
eval ${chain}_logrules=$rulenum eval ${chain}_logrules=$rulenum
else else
logprefixtemp="$(printf "$LOGFORMAT" $chain $disposition)$logprefix"
if [ ${#logprefixtemp} -gt 29 ]; then
logprefixtemp="$(echo $logprefixtemp |cut -b -29)"
echo " Logprefix too LONG ! cutting it to 29 : $logprefixtemp"
fi
case $level in case $level in
ULOG) ULOG)
eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$logprefixtemp"' eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"'
;; ;;
*) *)
eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \
eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"$logprefixtemp"' --log-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"'
;; ;;
esac esac
@ -1091,7 +1072,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
shift;shift;shift shift;shift;shift
log_rule_limit $level $chain $disposition "$LOGLIMIT" "$logprefix" $@ log_rule_limit $level $chain $disposition "$LOGLIMIT" $@
} }
# #
@ -2360,7 +2341,7 @@ add_an_action()
for serv1 in $(separate_list $serv); do for serv1 in $(separate_list $serv); do
for srv in $(ip_range $serv1); do for srv in $(ip_range $serv1); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logprefix" $userandgroup \ log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \
$(fix_bang $proto $sports $multiport $cli -d $srv $dports) $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi fi
@ -2370,7 +2351,7 @@ add_an_action()
done done
else else
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logprefix" $userandgroup \ log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dports) $(fix_bang $proto $sports $multiport $cli $dports)
fi fi
@ -2402,8 +2383,7 @@ process_action() # $1 = action
local cports="$7" local cports="$7"
local ratelimit="$8" local ratelimit="$8"
local userspec="$9" local userspec="$9"
local logprefix="${10}" local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit)"
local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit $logprefix)"
local userandgroup= local userandgroup=
if [ -n "$ratelimit" ]; then if [ -n "$ratelimit" ]; then
@ -2609,7 +2589,7 @@ process_actions1() {
if [ -f $fn ]; then if [ -f $fn ]; then
echo " Pre-processing $fn..." echo " Pre-processing $fn..."
strip_file $f $fn strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec xlogprefix; do while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
expandv xtarget expandv xtarget
temp="${xtarget%:*}" temp="${xtarget%:*}"
case "${temp%<*}" in case "${temp%<*}" in
@ -2619,7 +2599,7 @@ process_actions1() {
if list_search $temp $ACTIONS; then if list_search $temp $ACTIONS; then
eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\" eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\"
else else
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xlogprefix)" rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
fatal_error "Invalid TARGET in rule \"$rule\"" fatal_error "Invalid TARGET in rule \"$rule\""
fi fi
;; ;;
@ -2653,7 +2633,7 @@ process_actions2() {
if [ "${ysourcezone}" != "${ydestzone}" ] ; then if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then if [ "$ypolicy" != NONE ] ; then
process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec $xlogprefix process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec
fi fi
fi fi
done done
@ -2661,7 +2641,7 @@ process_actions2() {
} }
do_it() { do_it() {
expandv xclients xservers xprotocol xports xcports xratelimit xuserspec xlogprefix expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
xclients="$zones $FW" xclients="$zones $FW"
@ -2678,7 +2658,7 @@ process_actions2() {
continue continue
fi fi
process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xlogprefix process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
} }
# #
@ -2711,7 +2691,7 @@ process_actions2() {
fn=$(find_file $f) fn=$(find_file $f)
echo "Processing $fn..." echo "Processing $fn..."
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec xlogprefix; do while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
do_it do_it
done < $TMP_DIR/$f done < $TMP_DIR/$f
;; ;;
@ -2817,14 +2797,14 @@ add_nat_rule() {
done done
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule $loglevel $chain $logtarget "$logprefix" -t nat log_rule $loglevel $chain $logtarget -t nat
fi fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
else else
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" "$logprefix" -t nat \ log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \
$(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports) $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
fi fi
@ -2855,7 +2835,7 @@ add_nat_rule() {
done done
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" -t nat log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat
fi fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
@ -2863,7 +2843,7 @@ add_nat_rule() {
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
ensurenatchain $chain ensurenatchain $chain
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" -t nat \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \
$(fix_bang $proto $cli $sports -d $adr $multiport $dports) $(fix_bang $proto $cli $sports -d $adr $multiport $dports)
fi fi
@ -3071,7 +3051,7 @@ add_a_rule()
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" -m conntrack --ctorigdst $adr \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \
$userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports) $userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi fi
@ -3080,7 +3060,7 @@ add_a_rule()
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" $userandgroup \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
$(fix_bang $proto $sports $multiport $cli -d $srv $dports) $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi fi
@ -3091,7 +3071,7 @@ add_a_rule()
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" $userandgroup \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dports) $(fix_bang $proto $sports $multiport $cli $dports)
fi fi
@ -3110,7 +3090,7 @@ add_a_rule()
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" $userandgroup \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
$(fix_bang $proto $multiport $dest_interface $cli $sports $dports) $(fix_bang $proto $multiport $dest_interface $cli $sports $dports)
fi fi
@ -3144,9 +3124,8 @@ process_rule() # $1 = target
local address="$7" local address="$7"
local ratelimit="$8" local ratelimit="$8"
local userspec="$9" local userspec="$9"
local logprefix="${10}"
local userandgroup= local userandgroup=
local rule="$(echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userspec $logprefix)" local rule="$(echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userspec)"
# Function Body - isolate rate limit # Function Body - isolate rate limit
@ -3437,7 +3416,7 @@ process_rules()
if [ "${ysourcezone}" != "${ydestzone}" ] ; then if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then if [ "$ypolicy" != NONE ] ; then
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xlogprefix process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
fi fi
fi fi
done done
@ -3445,7 +3424,7 @@ process_rules()
} }
do_it() { do_it() {
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec xlogprefix expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
xclients="$zones $FW" xclients="$zones $FW"
@ -3462,10 +3441,10 @@ process_rules()
continue continue
fi fi
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xlogprefix process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
} }
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec xlogprefix; do while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
temp="${xtarget%:*}" temp="${xtarget%:*}"
case "${temp%<*}" in case "${temp%<*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
@ -3480,7 +3459,7 @@ process_rules()
do_it do_it
else else
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xlogprefix)" rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
fatal_error "Invalid Action in rule \"$rule\"" fatal_error "Invalid Action in rule \"$rule\""
fi fi
;; ;;

48
Shorewall2/rules
View File

@ -208,7 +208,7 @@
# address is not altered. # address is not altered.
# #
# RATE LIMIT You may rate-limit the rule by placing a value in # RATE LIMIT You may rate-limit the rule by placing a value in
# this column: # this colume:
# #
# <rate>/<interval>[:<burst>] # <rate>/<interval>[:<burst>]
# #
@ -240,29 +240,6 @@
# !:kids #program must not be run by a member # !:kids #program must not be run by a member
# #of the 'kids' group # #of the 'kids' group
# #
#
# LOGPREFIX You may add a specific log prefix to rules which are
# already logged (see the ACTIONS paragraph) by adding
# a word in this column. Spaces are not allowed, but
# underscores are.
#
# Examples:
#
# pingw # print Shorewall:fw2lan:ACCEPT:pingw
# mailo # print Shorewall:fw2lan:ACCEPT:mailo
# ma_ou # print Shorewall:fw2lan:ACCEPT:ma_ou
#
#
# The default log format is LOGFORMAT="Shorewall:%s:%s:"
# You might want to reduce it to something shorter to
# allow you longer logprefixes. (in shorewall.conf :
# LOGFORMAT="Sw:%s:%s:" or something similar)
# (the total lenght permitted by iptables is 29 chars.)
# Shorewall:fw2lan:ACCEPT is already 23 chars.
#
#
#
#
# Example: Accept SMTP requests from the DMZ to the internet # Example: Accept SMTP requests from the DMZ to the internet
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
@ -280,9 +257,9 @@
# to local system 192.168.1.3 with a limit of 3 per second and # to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10 # a maximum burst of 10
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST LIMIT # # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp http - - <3/sec:10> # DNAT<3/sec:10> net loc:192.168.1.3 tcp http
# #
# Example: Redirect all locally-originating www connection requests to # Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall # port 3128 on the firewall (Squid running on the firewall
@ -306,20 +283,7 @@
# # PORT PORT(S) DEST # # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 fw \ # ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22 # tcp 22
#
# Example: You want to explicitly log when a user named bob use https
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ LOG
# # PORT PORT(S) DEST LIMIT GROUP PREFIX
# ACCEPT:debug fw lan tcp 443 - - - bob hs_bob
#
# Example: You want to explicitly log outgoing pings
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ LOG
# # PORT PORT(S) DEST LIMIT GROUP PREFIX
# ACCEPT:debug fw lan icmp 8 - - - - p_out
#################################################################################################### ####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ LOG #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP PREFIX # PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE