mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-22 23:53:30 +01:00
Add IPSEC Accounting (again)
This commit is contained in:
parent
d9d31ff132
commit
33ee9b1481
@ -35,7 +35,7 @@ use strict;
|
|||||||
our @ISA = qw(Exporter);
|
our @ISA = qw(Exporter);
|
||||||
our @EXPORT = qw( setup_accounting );
|
our @EXPORT = qw( setup_accounting );
|
||||||
our @EXPORT_OK = qw( );
|
our @EXPORT_OK = qw( );
|
||||||
our $VERSION = '4.4.7';
|
our $VERSION = '4.4.13';
|
||||||
|
|
||||||
#
|
#
|
||||||
# Called by the compiler to [re-]initialize this module's state
|
# Called by the compiler to [re-]initialize this module's state
|
||||||
@ -52,7 +52,7 @@ sub process_accounting_rule( ) {
|
|||||||
|
|
||||||
our $jumpchainref;
|
our $jumpchainref;
|
||||||
|
|
||||||
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark) = split_line1 1, 9, 'Accounting File';
|
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
|
||||||
|
|
||||||
if ( $action eq 'COMMENT' ) {
|
if ( $action eq 'COMMENT' ) {
|
||||||
process_comment;
|
process_comment;
|
||||||
@ -87,12 +87,19 @@ sub process_accounting_rule( ) {
|
|||||||
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
|
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
|
||||||
my $rule2 = 0;
|
my $rule2 = 0;
|
||||||
|
|
||||||
|
if ( $ipsec ne '-' ) {
|
||||||
|
fatal_error "A rule with non-empty IPSEC column can only appear in the 'accountin' and 'accountout' chains" unless $chain =~ /^account(in|out)$/;
|
||||||
|
$rule .= do_ipsec( $1, $ipsec);
|
||||||
|
}
|
||||||
|
|
||||||
unless ( $action eq 'COUNT' ) {
|
unless ( $action eq 'COUNT' ) {
|
||||||
if ( $action eq 'DONE' ) {
|
if ( $action eq 'DONE' ) {
|
||||||
$target = '-j RETURN';
|
$target = '-j RETURN';
|
||||||
} else {
|
} else {
|
||||||
( $action, my $cmd ) = split /:/, $action;
|
( $action, my $cmd ) = split /:/, $action;
|
||||||
if ( $cmd ) {
|
if ( $cmd ) {
|
||||||
|
fatal_error "No chain name may appear in the ACTION column when the IPSEC column is non-empty" if $ipsec ne '-';
|
||||||
|
|
||||||
if ( $cmd eq 'COUNT' ) {
|
if ( $cmd eq 'COUNT' ) {
|
||||||
$rule2=1;
|
$rule2=1;
|
||||||
} elsif ( $cmd ne 'JUMP' ) {
|
} elsif ( $cmd ne 'JUMP' ) {
|
||||||
@ -193,6 +200,18 @@ sub setup_accounting() {
|
|||||||
add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
|
add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
if ( $filter_table->{accountin} ) {
|
||||||
|
for my $chain ( qw/INPUT FORWARD/ ) {
|
||||||
|
add_jump( $filter_table->{$chain}, 'accountin', 0, '', 0, 0 );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $filter_table->{accountout} ) {
|
||||||
|
for my $chain ( qw/FORWARD OUTPUT/ ) {
|
||||||
|
add_jump( $filter_table->{$chain}, 'accountout', 0, '', 0, 0 );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if ( $filter_table->{accounting} ) {
|
if ( $filter_table->{accounting} ) {
|
||||||
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
|
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
|
||||||
add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
|
add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
|
||||||
|
@ -2670,8 +2670,8 @@ sub do_ipsec_options($$$)
|
|||||||
#
|
#
|
||||||
# Handle a bi-directional IPSEC column
|
# Handle a bi-directional IPSEC column
|
||||||
#
|
#
|
||||||
sub do_ipsec($) {
|
sub do_ipsec($$) {
|
||||||
my $ipsec = $_[0];
|
my ( $dir, $ipsec ) = @_;
|
||||||
|
|
||||||
if ( $ipsec eq '-' ) {
|
if ( $ipsec eq '-' ) {
|
||||||
return '';
|
return '';
|
||||||
@ -2679,28 +2679,19 @@ sub do_ipsec($) {
|
|||||||
|
|
||||||
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless have_capability( 'POLICY_MATCH' );
|
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless have_capability( 'POLICY_MATCH' );
|
||||||
|
|
||||||
if ( $ipsec eq 'in' ) {
|
my @options = split_list $ipsec, 'IPSEC options';
|
||||||
do_ipsec_options 'in', 'ipsec', '';
|
|
||||||
} elsif ( $ipsec eq 'out' ) {
|
|
||||||
do_ipsec_options 'out', 'ipsec', '';
|
|
||||||
} else {
|
|
||||||
my @options = split_list $ipsec, 'IPSEC options';
|
|
||||||
my $dir = shift @options;
|
|
||||||
|
|
||||||
fatal_error q(First IPSEC option must be 'in' or 'out') unless $dir =~ /^(?:in|out)$/;
|
if ( @options == 1 ) {
|
||||||
|
if ( lc( $options[0] ) =~ /^(yes|ipsec)$/ ) {
|
||||||
if ( @options == 1 ) {
|
return do_ipsec_options $dir, 'ipsec', '';
|
||||||
if ( lc( $options[0] ) =~ /^(yes|ipsec)$/ ) {
|
|
||||||
return do_ipsec_options $dir, 'ipsec', '';
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( lc( $options[0] ) =~ /^(no|none)$/ ) {
|
|
||||||
return do_ipsec_options $dir, 'none', '';
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
do_ipsec_options $dir, 'ipsec', join( ',', @options );
|
if ( lc( $options[0] ) =~ /^(no|none)$/ ) {
|
||||||
|
return do_ipsec_options $dir, 'none', '';
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
do_ipsec_options $dir, 'ipsec', join( ',', @options );
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -6,6 +6,6 @@
|
|||||||
# Please see http://shorewall.net/Accounting.html for examples and
|
# Please see http://shorewall.net/Accounting.html for examples and
|
||||||
# additional information about how to use this file.
|
# additional information about how to use this file.
|
||||||
#
|
#
|
||||||
#####################################################################################
|
#####################################################################################################
|
||||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK
|
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
|
||||||
# PORT(S) PORT(S) GROUP
|
# PORT(S) PORT(S) GROUP
|
||||||
|
@ -306,6 +306,143 @@
|
|||||||
</variablelist>
|
</variablelist>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
|
||||||
|
(Optional - Added in Shorewall 4.4.13 )</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The option-list consists of a comma-separated list of options
|
||||||
|
from the following list. Only packets that will be encrypted or have
|
||||||
|
been de-crypted via an SA that matches these options will have their
|
||||||
|
source address changed.</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>where <emphasis>number</emphasis> is specified using
|
||||||
|
setkey(8) using the 'unique:<emphasis>number</emphasis> option
|
||||||
|
for the SPD level.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">spi=</emphasis><number></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>where <emphasis>number</emphasis> is the SPI of the SA
|
||||||
|
used to encrypt/decrypt packets.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">proto=</emphasis><emphasis
|
||||||
|
role="bold">ah</emphasis>|<emphasis
|
||||||
|
role="bold">esp</emphasis>|<emphasis
|
||||||
|
role="bold">ipcomp</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>IPSEC Encapsulation Protocol</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">mss=</emphasis><emphasis>number</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>sets the MSS field in TCP packets</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">mode=</emphasis><emphasis
|
||||||
|
role="bold">transport</emphasis>|<emphasis
|
||||||
|
role="bold">tunnel</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>IPSEC mode</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>only available with mode=tunnel</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>only available with mode=tunnel</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">strict</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Means that packets must match all rules.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">next</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Separates rules; can only be used with strict</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">yes</emphasis> or <emphasis
|
||||||
|
role="bold">ipsec</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When used by itself, causes all traffic that will be
|
||||||
|
encrypted/encapsulated or has been decrypted/un-encapsulted to
|
||||||
|
match the rule.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">no</emphasis> or <emphasis
|
||||||
|
role="bold">none</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When used by itself, causes all traffic that will not be
|
||||||
|
encrypted/encapsulated or has been decrypted/un-encapsulted to
|
||||||
|
match the rule.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>If this column is non-empty, then:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>A chain NAME may not appear in the ACTION column.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The CHAIN column must contain either <emphasis
|
||||||
|
role="bold">accountin</emphasis> or <emphasis
|
||||||
|
role="bold">accountout</emphasis>.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>These rules will NOT appear in the <emphasis
|
||||||
|
role="bold">accounting</emphasis> chain.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para>In all of the above columns except <emphasis
|
<para>In all of the above columns except <emphasis
|
||||||
|
@ -305,6 +305,143 @@
|
|||||||
</variablelist>
|
</variablelist>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
|
||||||
|
(Optional - Added in Shorewall 4.4.13 )</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The option-list consists of a comma-separated list of options
|
||||||
|
from the following list. Only packets that will be encrypted or have
|
||||||
|
been de-crypted via an SA that matches these options will have their
|
||||||
|
source address changed.</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>where <emphasis>number</emphasis> is specified using
|
||||||
|
setkey(8) using the 'unique:<emphasis>number</emphasis> option
|
||||||
|
for the SPD level.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">spi=</emphasis><number></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>where <emphasis>number</emphasis> is the SPI of the SA
|
||||||
|
used to encrypt/decrypt packets.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">proto=</emphasis><emphasis
|
||||||
|
role="bold">ah</emphasis>|<emphasis
|
||||||
|
role="bold">esp</emphasis>|<emphasis
|
||||||
|
role="bold">ipcomp</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>IPSEC Encapsulation Protocol</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">mss=</emphasis><emphasis>number</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>sets the MSS field in TCP packets</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">mode=</emphasis><emphasis
|
||||||
|
role="bold">transport</emphasis>|<emphasis
|
||||||
|
role="bold">tunnel</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>IPSEC mode</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>only available with mode=tunnel</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>only available with mode=tunnel</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">strict</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Means that packets must match all rules.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">next</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Separates rules; can only be used with strict</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">yes</emphasis> or <emphasis
|
||||||
|
role="bold">ipsec</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When used by itself, causes all traffic that will be
|
||||||
|
encrypted/encapsulated or has been decrypted/un-encapsulted to
|
||||||
|
match the rule.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">no</emphasis> or <emphasis
|
||||||
|
role="bold">none</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When used by itself, causes all traffic that will not be
|
||||||
|
encrypted/encapsulated or has been decrypted/un-encapsulted to
|
||||||
|
match the rule.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>If this column is non-empty, then:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>A chain NAME may not appear in the ACTION column.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The CHAIN column must contain either <emphasis
|
||||||
|
role="bold">accountin</emphasis> or <emphasis
|
||||||
|
role="bold">accountout</emphasis>.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para> These rules will NOT appear in the <emphasis
|
||||||
|
role="bold">accounting</emphasis> chain.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para>In all of the above columns except <emphasis
|
<para>In all of the above columns except <emphasis
|
||||||
|
Loading…
Reference in New Issue
Block a user