Add IPSEC Accounting (again)

This commit is contained in:
Tom Eastep 2010-08-20 06:53:31 -07:00
parent d9d31ff132
commit 33ee9b1481
5 changed files with 308 additions and 24 deletions


@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_accounting ); our @EXPORT = qw( setup_accounting );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
our $VERSION = '4.4.7'; our $VERSION = '4.4.13';
# #
# Called by the compiler to [re-]initialize this module's state # Called by the compiler to [re-]initialize this module's state
@ -52,7 +52,7 @@ sub process_accounting_rule( ) {
our $jumpchainref; our $jumpchainref;
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark) = split_line1 1, 9, 'Accounting File'; my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
if ( $action eq 'COMMENT' ) { if ( $action eq 'COMMENT' ) {
process_comment; process_comment;
@ -87,12 +87,19 @@ sub process_accounting_rule( ) {
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ); my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
my $rule2 = 0; my $rule2 = 0;
if ( $ipsec ne '-' ) {
fatal_error "A rule with non-empty IPSEC column can only appear in the 'accountin' and 'accountout' chains" unless $chain =~ /^account(in|out)$/;
$rule .= do_ipsec( $1, $ipsec);
}
unless ( $action eq 'COUNT' ) { unless ( $action eq 'COUNT' ) {
if ( $action eq 'DONE' ) { if ( $action eq 'DONE' ) {
$target = '-j RETURN'; $target = '-j RETURN';
} else { } else {
( $action, my $cmd ) = split /:/, $action; ( $action, my $cmd ) = split /:/, $action;
if ( $cmd ) { if ( $cmd ) {
fatal_error "No chain name may appear in the ACTION column when the IPSEC column is non-empty" if $ipsec ne '-';
if ( $cmd eq 'COUNT' ) { if ( $cmd eq 'COUNT' ) {
$rule2=1; $rule2=1;
} elsif ( $cmd ne 'JUMP' ) { } elsif ( $cmd ne 'JUMP' ) {
@ -193,6 +200,18 @@ sub setup_accounting() {
add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 ); add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
} }
} else { } else {
if ( $filter_table->{accountin} ) {
for my $chain ( qw/INPUT FORWARD/ ) {
add_jump( $filter_table->{$chain}, 'accountin', 0, '', 0, 0 );
}
}
if ( $filter_table->{accountout} ) {
for my $chain ( qw/FORWARD OUTPUT/ ) {
add_jump( $filter_table->{$chain}, 'accountout', 0, '', 0, 0 );
}
}
if ( $filter_table->{accounting} ) { if ( $filter_table->{accounting} ) {
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) { for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 ); add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
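Review bot: The new guard `fatal_error "No chain name may appear in the ACTION column when the IPSEC column is non-empty" if $ipsec ne '-';` sits inside `if ( $cmd )`, so it only fires when ACTION carries a `:COUNT`/`:JUMP` suffix; a bare chain name in ACTION enters the same else branch (it is neither COUNT nor DONE), gets an undefined `$cmd` from `split /:/`, and is not rejected, although the documentation added in this commit states that no chain name may appear there. Moving that line to directly after `( $action, my $cmd ) = split /:/, $action;`, outside the `if ( $cmd )` block, covers both spellings. The else branch and the rest of process_accounting_rule continue past the hunk, so if a later line already handles the bare form this is moot. The match built by `do_ipsec( $1, $ipsec)` depends on `$1` from the preceding `$chain =~ /^account(in|out)$/`; that is acceptable as the immediately following statement, but a named capture (`(?<dir>in|out)` and `$+{dir}`) would make the coupling explicit.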


@ -2670,8 +2670,8 @@ sub do_ipsec_options($$$)
# #
# Handle a bi-directional IPSEC column # Handle a bi-directional IPSEC column
# #
sub do_ipsec($) { sub do_ipsec($$) {
my $ipsec = $_[0]; my ( $dir, $ipsec ) = @_;
if ( $ipsec eq '-' ) { if ( $ipsec eq '-' ) {
return ''; return '';
@ -2679,28 +2679,19 @@ sub do_ipsec($) {
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless have_capability( 'POLICY_MATCH' ); fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless have_capability( 'POLICY_MATCH' );
if ( $ipsec eq 'in' ) { my @options = split_list $ipsec, 'IPSEC options';
do_ipsec_options 'in', 'ipsec', '';
} elsif ( $ipsec eq 'out' ) {
do_ipsec_options 'out', 'ipsec', '';
} else {
my @options = split_list $ipsec, 'IPSEC options';
my $dir = shift @options;
fatal_error q(First IPSEC option must be 'in' or 'out') unless $dir =~ /^(?:in|out)$/; if ( @options == 1 ) {
if ( lc( $options[0] ) =~ /^(yes|ipsec)$/ ) {
if ( @options == 1 ) { return do_ipsec_options $dir, 'ipsec', '';
if ( lc( $options[0] ) =~ /^(yes|ipsec)$/ ) {
return do_ipsec_options $dir, 'ipsec', '';
}
if ( lc( $options[0] ) =~ /^(no|none)$/ ) {
return do_ipsec_options $dir, 'none', '';
}
} }
do_ipsec_options $dir, 'ipsec', join( ',', @options ); if ( lc( $options[0] ) =~ /^(no|none)$/ ) {
return do_ipsec_options $dir, 'none', '';
}
} }
do_ipsec_options $dir, 'ipsec', join( ',', @options );
} }
# #
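Review bot: The header comment `# Handle a bi-directional IPSEC column` no longer describes do_ipsec, since the direction is now the `$dir` argument supplied by the caller, and the removed `fatal_error q(First IPSEC option must be 'in' or 'out')` line was the only validation of it, so an unexpected `$dir` now flows straight into do_ipsec_options. I would reword the comment to `# Handle an IPSEC column for one direction; $dir must be 'in' or 'out' and is validated by the caller.` or, more defensively, restore the check as `fatal_error "Invalid IPSEC direction ($dir)" unless $dir =~ /^(?:in|out)$/;` right after unpacking `@_`. The final `do_ipsec_options $dir, 'ipsec', join( ',', @options );` relies on an implicit return while the two single-option cases above use explicit `return`; prefixing it with `return` keeps the three exit paths consistent.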


@ -6,6 +6,6 @@
# Please see http://shorewall.net/Accounting.html for examples and # Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file. # additional information about how to use this file.
# #
##################################################################################### #####################################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
# PORT(S) PORT(S) GROUP # PORT(S) PORT(S) GROUP


@ -306,6 +306,143 @@
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
(Optional - Added in Shorewall 4.4.13 )</emphasis></term>
<listitem>
<para>The option-list consists of a comma-separated list of options
from the following list. Only packets that will be encrypted or have
been de-crypted via an SA that matches these options will have their
source address changed.</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>where <emphasis>number</emphasis> is specified using
setkey(8) using the 'unique:<emphasis>number</emphasis> option
for the SPD level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
<listitem>
<para>where <emphasis>number</emphasis> is the SPI of the SA
used to encrypt/decrypt packets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto=</emphasis><emphasis
role="bold">ah</emphasis>|<emphasis
role="bold">esp</emphasis>|<emphasis
role="bold">ipcomp</emphasis></term>
<listitem>
<para>IPSEC Encapsulation Protocol</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">mss=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>sets the MSS field in TCP packets</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mode=</emphasis><emphasis
role="bold">transport</emphasis>|<emphasis
role="bold">tunnel</emphasis></term>
<listitem>
<para>IPSEC mode</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">strict</emphasis></term>
<listitem>
<para>Means that packets must match all rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">next</emphasis></term>
<listitem>
<para>Separates rules; can only be used with strict</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">yes</emphasis> or <emphasis
role="bold">ipsec</emphasis></term>
<listitem>
<para>When used by itself, causes all traffic that will be
encrypted/encapsulated or has been decrypted/un-encapsulted to
match the rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">no</emphasis> or <emphasis
role="bold">none</emphasis></term>
<listitem>
<para>When used by itself, causes all traffic that will not be
encrypted/encapsulated or has been decrypted/un-encapsulted to
match the rule.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If this column is non-empty, then:</para>
<itemizedlist>
<listitem>
<para>A chain NAME may not appear in the ACTION column.</para>
</listitem>
<listitem>
<para>The CHAIN column must contain either <emphasis
role="bold">accountin</emphasis> or <emphasis
role="bold">accountout</emphasis>.</para>
</listitem>
</itemizedlist>
<para>These rules will NOT appear in the <emphasis
role="bold">accounting</emphasis> chain.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para>In all of the above columns except <emphasis <para>In all of the above columns except <emphasis


@ -305,6 +305,143 @@
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
(Optional - Added in Shorewall 4.4.13 )</emphasis></term>
<listitem>
<para>The option-list consists of a comma-separated list of options
from the following list. Only packets that will be encrypted or have
been de-crypted via an SA that matches these options will have their
source address changed.</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>where <emphasis>number</emphasis> is specified using
setkey(8) using the 'unique:<emphasis>number</emphasis> option
for the SPD level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
<listitem>
<para>where <emphasis>number</emphasis> is the SPI of the SA
used to encrypt/decrypt packets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto=</emphasis><emphasis
role="bold">ah</emphasis>|<emphasis
role="bold">esp</emphasis>|<emphasis
role="bold">ipcomp</emphasis></term>
<listitem>
<para>IPSEC Encapsulation Protocol</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">mss=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>sets the MSS field in TCP packets</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mode=</emphasis><emphasis
role="bold">transport</emphasis>|<emphasis
role="bold">tunnel</emphasis></term>
<listitem>
<para>IPSEC mode</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">strict</emphasis></term>
<listitem>
<para>Means that packets must match all rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">next</emphasis></term>
<listitem>
<para>Separates rules; can only be used with strict</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">yes</emphasis> or <emphasis
role="bold">ipsec</emphasis></term>
<listitem>
<para>When used by itself, causes all traffic that will be
encrypted/encapsulated or has been decrypted/un-encapsulted to
match the rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">no</emphasis> or <emphasis
role="bold">none</emphasis></term>
<listitem>
<para>When used by itself, causes all traffic that will not be
encrypted/encapsulated or has been decrypted/un-encapsulted to
match the rule.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If this column is non-empty, then:</para>
<itemizedlist>
<listitem>
<para>A chain NAME may not appear in the ACTION column.</para>
</listitem>
<listitem>
<para>The CHAIN column must contain either <emphasis
role="bold">accountin</emphasis> or <emphasis
role="bold">accountout</emphasis>.</para>
</listitem>
</itemizedlist>
<para> These rules will NOT appear in the <emphasis
role="bold">accounting</emphasis> chain.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para>In all of the above columns except <emphasis <para>In all of the above columns except <emphasis