Add IPSEC Accounting (again)

Tom Eastep 2010-08-20 06:53:31 -07:00
parent d9d31ff132
commit 33ee9b1481
5 changed files with 308 additions and 24 deletions


@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_accounting );
our @EXPORT_OK = qw( );
our $VERSION = '4.4.7';
our $VERSION = '4.4.13';
#
# Called by the compiler to [re-]initialize this module's state
@ -52,7 +52,7 @@ sub process_accounting_rule( ) {
our $jumpchainref;
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark) = split_line1 1, 9, 'Accounting File';
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
if ( $action eq 'COMMENT' ) {
process_comment;
@ -86,6 +86,11 @@ sub process_accounting_rule( ) {
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
my $rule2 = 0;
if ( $ipsec ne '-' ) {
fatal_error "A rule with non-empty IPSEC column can only appear in the 'accountin' and 'accountout' chains" unless $chain =~ /^account(in|out)$/;
$rule .= do_ipsec( $1, $ipsec);
}
unless ( $action eq 'COUNT' ) {
if ( $action eq 'DONE' ) {
@ -93,6 +98,8 @@ sub process_accounting_rule( ) {
} else {
( $action, my $cmd ) = split /:/, $action;
if ( $cmd ) {
fatal_error "No chain name may appear in the ACTION column when the IPSEC column is non-empty" if $ipsec ne '-';
if ( $cmd eq 'COUNT' ) {
$rule2=1;
} elsif ( $cmd ne 'JUMP' ) {
@ -193,6 +200,18 @@ sub setup_accounting() {
add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
}
} else {
if ( $filter_table->{accountin} ) {
for my $chain ( qw/INPUT FORWARD/ ) {
add_jump( $filter_table->{$chain}, 'accountin', 0, '', 0, 0 );
}
}
if ( $filter_table->{accountout} ) {
for my $chain ( qw/FORWARD OUTPUT/ ) {
add_jump( $filter_table->{$chain}, 'accountout', 0, '', 0, 0 );
}
}
if ( $filter_table->{accounting} ) {
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
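Review bot: The `No chain name may appear in the ACTION column when the IPSEC column is non-empty` check sits inside `if ( $cmd )`, so it only fires for the `chain:COUNT` / `chain:JUMP` forms; a bare chain name in ACTION with a non-empty IPSEC column is not rejected by anything visible in this hunk, unless the empty-`$cmd` path (outside the hunk) handles it. Since the manpage text in this commit states that no chain name may appear at all, moving the test to the top of the `else` branch, `fatal_error "No chain name may appear in the ACTION column when the IPSEC column is non-empty" if $ipsec ne '-';` placed just before the `split /:/`, covers both forms. Separately, `do_ipsec( $1, $ipsec)` depends on `$1` surviving from the match in the previous statement's `unless`; capturing it explicitly, `my ( $dir ) = $chain =~ /^account(in|out)$/; fatal_error "..." unless $dir; $rule .= do_ipsec( $dir, $ipsec );`, makes that dependency visible and safe against later edits between the two lines. The restriction to accountin/accountout is presumably needed because a `--dir in` policy match cannot be loaded in a chain reached from OUTPUT (and `--dir out` from INPUT), which the new `add_jump` placement here respects. process_accounting_rule continues outside the hunk.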


@ -2670,8 +2670,8 @@ sub do_ipsec_options($$$)
#
# Handle a bi-directional IPSEC column
#
sub do_ipsec($) {
my $ipsec = $_[0];
sub do_ipsec($$) {
my ( $dir, $ipsec ) = @_;
if ( $ipsec eq '-' ) {
return '';
@ -2679,28 +2679,19 @@ sub do_ipsec($) {
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless have_capability( 'POLICY_MATCH' );
if ( $ipsec eq 'in' ) {
do_ipsec_options 'in', 'ipsec', '';
} elsif ( $ipsec eq 'out' ) {
do_ipsec_options 'out', 'ipsec', '';
} else {
my @options = split_list $ipsec, 'IPSEC options';
my $dir = shift @options;
my @options = split_list $ipsec, 'IPSEC options';
fatal_error q(First IPSEC option must be 'in' or 'out') unless $dir =~ /^(?:in|out)$/;
if ( @options == 1 ) {
if ( lc( $options[0] ) =~ /^(yes|ipsec)$/ ) {
return do_ipsec_options $dir, 'ipsec', '';
}
if ( @options == 1 ) {
if ( lc( $options[0] ) =~ /^(yes|ipsec)$/ ) {
return do_ipsec_options $dir, 'ipsec', '';
}
if ( lc( $options[0] ) =~ /^(no|none)$/ ) {
return do_ipsec_options $dir, 'none', '';
}
if ( lc( $options[0] ) =~ /^(no|none)$/ ) {
return do_ipsec_options $dir, 'none', '';
}
do_ipsec_options $dir, 'ipsec', join( ',', @options );
}
do_ipsec_options $dir, 'ipsec', join( ',', @options );
}
#
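Review bot: The `First IPSEC option must be 'in' or 'out'` message no longer describes what is being checked: after this change `$dir` is the caller-supplied direction argument, not the first element of the option list, so a bad value from a caller would send the user to look at their IPSEC column. Something like `fatal_error "Invalid IPSEC direction ($dir)" unless $dir =~ /^(?:in|out)$/;` fits the new signature better. Changing the prototype from `($)` to `($$)` also breaks any remaining caller that still passes a single IPSEC value; none is visible in this diff, so it is worth confirming the other callers were updated. A column value written in the old syntax (`in` or `out` as the first list element) now reaches `do_ipsec_options` as an ordinary option name; whether that is rejected with a clear message depends on do_ipsec_options, which is outside this hunk.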


@ -6,6 +6,6 @@
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#####################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK
#####################################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
# PORT(S) PORT(S) GROUP


@ -306,6 +306,143 @@
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
(Optional - Added in Shorewall 4.4.13 )</emphasis></term>
<listitem>
<para>The option-list consists of a comma-separated list of options
from the following list. Only packets that will be encrypted or have
been de-crypted via an SA that matches these options will have their
source address changed.</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>where <emphasis>number</emphasis> is specified using
setkey(8) using the 'unique:<emphasis>number</emphasis> option
for the SPD level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
<listitem>
<para>where <emphasis>number</emphasis> is the SPI of the SA
used to encrypt/decrypt packets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto=</emphasis><emphasis
role="bold">ah</emphasis>|<emphasis
role="bold">esp</emphasis>|<emphasis
role="bold">ipcomp</emphasis></term>
<listitem>
<para>IPSEC Encapsulation Protocol</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">mss=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>sets the MSS field in TCP packets</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mode=</emphasis><emphasis
role="bold">transport</emphasis>|<emphasis
role="bold">tunnel</emphasis></term>
<listitem>
<para>IPSEC mode</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">strict</emphasis></term>
<listitem>
<para>Means that packets must match all rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">next</emphasis></term>
<listitem>
<para>Separates rules; can only be used with strict</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">yes</emphasis> or <emphasis
role="bold">ipsec</emphasis></term>
<listitem>
<para>When used by itself, causes all traffic that will be
encrypted/encapsulated or has been decrypted/un-encapsulted to
match the rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">no</emphasis> or <emphasis
role="bold">none</emphasis></term>
<listitem>
<para>When used by itself, causes all traffic that will not be
encrypted/encapsulated or has been decrypted/un-encapsulted to
match the rule.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If this column is non-empty, then:</para>
<itemizedlist>
<listitem>
<para>A chain NAME may not appear in the ACTION column.</para>
</listitem>
<listitem>
<para>The CHAIN column must contain either <emphasis
role="bold">accountin</emphasis> or <emphasis
role="bold">accountout</emphasis>.</para>
</listitem>
</itemizedlist>
<para>These rules will NOT appear in the <emphasis
role="bold">accounting</emphasis> chain.</para>
</listitem>
</varlistentry>
</variablelist>
<para>In all of the above columns except <emphasis


@ -305,6 +305,143 @@
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
(Optional - Added in Shorewall 4.4.13 )</emphasis></term>
<listitem>
<para>The option-list consists of a comma-separated list of options
from the following list. Only packets that will be encrypted or have
been de-crypted via an SA that matches these options will have their
source address changed.</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>where <emphasis>number</emphasis> is specified using
setkey(8) using the 'unique:<emphasis>number</emphasis> option
for the SPD level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
<listitem>
<para>where <emphasis>number</emphasis> is the SPI of the SA
used to encrypt/decrypt packets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto=</emphasis><emphasis
role="bold">ah</emphasis>|<emphasis
role="bold">esp</emphasis>|<emphasis
role="bold">ipcomp</emphasis></term>
<listitem>
<para>IPSEC Encapsulation Protocol</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">mss=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>sets the MSS field in TCP packets</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mode=</emphasis><emphasis
role="bold">transport</emphasis>|<emphasis
role="bold">tunnel</emphasis></term>
<listitem>
<para>IPSEC mode</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">strict</emphasis></term>
<listitem>
<para>Means that packets must match all rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">next</emphasis></term>
<listitem>
<para>Separates rules; can only be used with strict</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">yes</emphasis> or <emphasis
role="bold">ipsec</emphasis></term>
<listitem>
<para>When used by itself, causes all traffic that will be
encrypted/encapsulated or has been decrypted/un-encapsulted to
match the rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">no</emphasis> or <emphasis
role="bold">none</emphasis></term>
<listitem>
<para>When used by itself, causes all traffic that will not be
encrypted/encapsulated or has been decrypted/un-encapsulted to
match the rule.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If this column is non-empty, then:</para>
<itemizedlist>
<listitem>
<para>A chain NAME may not appear in the ACTION column.</para>
</listitem>
<listitem>
<para>The CHAIN column must contain either <emphasis
role="bold">accountin</emphasis> or <emphasis
role="bold">accountout</emphasis>.</para>
</listitem>
</itemizedlist>
<para> These rules will NOT appear in the <emphasis
role="bold">accounting</emphasis> chain.</para>
</listitem>
</varlistentry>
</variablelist>
<para>In all of the above columns except <emphasis