Enhanced operational logging

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7729 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-11-23 21:33:36 +00:00
parent 4ea9d2587e
commit 4016d69b8d
10 changed files with 297 additions and 59 deletions

@ -1,3 +1,7 @@
Changes in 4.1.2
1) Enhanced Operational Logging
Changes in 4.1.1
1) Fix ULOG/NFLOG output.

@ -61,7 +61,7 @@ usage() {
################################################################################
# Get startup options (override default)
################################################################################
OPTIONS=
OPTIONS="-v0"
if [ -f /etc/sysconfig/shorewall ]; then
. /etc/sysconfig/shorewall
elif [ -f /etc/default/shorewall ] ; then
@ -74,7 +74,7 @@ fi
command="$1"
case "$command" in
start)
start|restart|stop)
exec /sbin/shorewall $OPTIONS $@
;;
stop|restart|status)
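Review bot: `restart` and `stop` now match the first pattern (`start|restart|stop)`), so the `stop|restart|status)` pattern on the very next line only ever sees `status`; its `stop|restart` alternatives are dead. Either trim that pattern to `status)` or, if the second branch was meant to keep handling stop/restart differently, leave them out of the first pattern.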
@ -82,7 +82,7 @@ case "$command" in
;;
reload)
shift
exec /sbin/shorewall restart $@
exec /sbin/shorewall $OPTIONS restart $@
;;
*)
usage

@ -1805,7 +1805,6 @@ do_initialize() {
else
startup_error "$config does not exist!"
fi
#
# Restore CONFIG_PATH if the shorewall.conf file cleared it
#

@ -1,4 +1,4 @@
Shorewall 4.1 Patch Release 0.
Shorewall 4.1 Patch Release 2.
----------------------------------------------------------------------------
R E L E A S E 4 . 1 H I G H L I G H T S
@ -8,23 +8,56 @@ Shorewall 4.1 Patch Release 0.
2) Support for NFLOG has been added.
Problems corrected in Shorewall 4.1.1.
3) Enhanced operational logging
1) Previously, incorrect output was generated by parameter lists to
ULOG or NFLOG.
Problems corrected in Shorewall 4.1.2.
2) Specifying NFQUEUE(<queue-number>) in the POLICY column of the
policy file resulted in an error.
None.
Other changes in Shorewall 4.1.2.
Other changes in Shorewall 4.1.1.
1) Shorewall 4.1.2 contains enhanced operational logging capabilities
through a set of related enhancements to Shorewall-common and
Shorewall-shell. The enhancements are not supported by
Shorewall-shell.
1) You may now specify an interface address in the INTERFACE column of
/etc/shorewall/providers. See New Feature 1) below.
a) The STARTUP_LOG option in /etc/shorewall/shorewall.conf gives
the name of the Shorewall operational log. The log will be
created if it does not exist.
b) The LOG_VERBOSITY option in /etc/shorewall/shorewall.conf gives
the verbosity at which logging will occur. It uses the same
value range as VERBOSITY:
-1 Do not log
0 Almost quiet
1 Only major steps
2 Verbose
c) An absolute VERBOSITY may be specified on the command line
using the -v option followed by -1,0,1 or 2.
Example:
shorewall -v2 check
d) The /etc/init.d/shorewall script supplied with the
shorewall.net packages sets '-v0' as the default. This may be
overridden with the OPTIONS setting in /etc/defaults/shorewall or
/etc/sysconfig/shorewall.
Logging occurs on both Shorewall-perl and the generated script when
the following commands are issued:
start
restart
refresh
Messages in the log are always timestamped.
New Features in Shorewall 4.1.
1) Shorewall 4.1.0 contains experimental support for multiple Internet
1) Shorewall 4.1 contains experimental support for multiple Internet
providers through a single ethernet interface. Configuring two
providers through a single interface differs from two providers
through two interfaces in several ways.
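Review bot: item 1) under "Other changes in Shorewall 4.1.2" contradicts itself: it says the enhancements were made "to Shorewall-common and Shorewall-shell" and then that they "are not supported by Shorewall-shell". Since the new shorewall.conf options are passed to the Perl compiler, the first sentence presumably means Shorewall-perl. Two smaller documentation points in the same text: sub-item d) names /etc/defaults/shorewall while the init script in this commit tests /etc/default/shorewall, and the list of commands that log (start, restart, refresh) omits `try`, which the shorewall script's `*start|try|refresh)` case also enables logging for.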
@ -34,7 +67,9 @@ New Features in Shorewall 4.1.
to determine which provider a packet was received through. Note
that only routed traffic can be categorized using this technique.
b) The 'shared' provider option must be specified for both providers.
b) You must specify the address on the interface that corresponds to
a particular provider in the INTERFACE column by following the
interface name with a colon (":") and the address.
c) Entries in /etc/shorewall/masq must be qualified by the provider
name (or number).
@ -43,25 +78,26 @@ New Features in Shorewall 4.1.
iptables. If you use a capabilities file, you need to regenerate
the file with Shorewall 4.0.6 or Shorewall-lite 4.0.6.
e) You specify the address on the interface that corresponds to a
particular provider in the INTERFACE column by following the
interface name with a colon (":") and the address.
f) You must add route_rules entries for networks that are accessed
e) You must add route_rules entries for networks that are accessed
through a particular provider.
f) If you have additional IP addresses through either provider,
you must add route_rules to direct traffic FROM each of those
addresses through the appropriate provider.
Example:
Providers Blarg (1) and Avvanta (2) are both connected to
eth0. The firewall's IP address with Blarg is 206.124.146.176/24
(gateway 206.124.146.254) and the IP address from Avvanta is
130.252.144.8/24 (gateway 130.252.144.254).
130.252.144.8/24 (gateway 130.252.144.254). We have a second IP
address (206.124.146.177) from Blarg.
/etc/shorewall/providers:
#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
Blarg 1 1 main eth0:206.124.146.176 206.124.146.254 shared,...
Avvanta 2 2 main eth0:130.252.144.8 130.252.144.254 shared,...
#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY
Blarg 1 1 main eth0:206.124.146.176 206.124.146.254 ...
Avvanta 2 2 main eth0:130.252.144.8 130.252.144.254 ...
/etc/shorewall/masq:
@ -76,6 +112,7 @@ New Features in Shorewall 4.1.
#SOURCE DEST PROVIDER PRIORITY
- 206.124.146.0/24 Blarg 1000
- 130.252.144.0/24 Avvanta 1000
206.124.146.177 - Blarg 26000
2) You may now include the name of a table (nat, mangle or filter) in
a 'shorewall refresh' command by following the name with a colon

@ -224,7 +224,30 @@ get_config() {
export LOGFORMAT
fi
if [ -n "$STARTUP_LOG" ]; then
if [ -n "$LOG_VERBOSITY" ]; then
case $LOG_VERBOSITY in
-1)
;;
0|1|2)
[ -n "$STARTUP_LOG" ] || $LOG_VERBOSITY=-1;
;;
*)
echo " ERROR: INvalid LOG_VERBOSITY ($LOG_VERBOSITY)" >&2
exit 2;
;;
esac
else
$LOG_VERBOSITY=2;
fi
else
LOG_VERBOSITY=-1;
fi
else
STARTUP_LOG=
LOG_VERBOSITY=-1
fi
if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -x "$SHOREWALL_SHELL" ]; then
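Review bot: the assignments `$LOG_VERBOSITY=-1;` and `$LOG_VERBOSITY=2;` have a stray `$` on the left-hand side. The shell expands the variable first and then tries to run a command named e.g. `2=2` (or `=2` when it is unset), so neither assignment takes effect and the user gets a "command not found" instead; they should read `LOG_VERBOSITY=-1` and `LOG_VERBOSITY=2`. The `[ -n "$STARTUP_LOG" ] ||` guard in front of the first one is also redundant, since that branch is already inside `if [ -n "$STARTUP_LOG" ]`, and the error message spells "INvalid".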
@ -235,7 +258,7 @@ get_config() {
[ -n "${VERBOSITY:=2}" ]
VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
[ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
export VERBOSE
@ -315,6 +338,15 @@ compiler() {
fi
fi
case $COMMAND in
*start|try|refresh)
;;
*)
STARTUP_LOG=
LOG_VERBOSITY=-1
;;
esac
[ $command = exec ] || command=
case "$compiler" in
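Review bot: the `case $COMMAND` block keeps the startup log enabled for `try` as well as start/restart/refresh, but the release notes in this commit list only start, restart and refresh; either document `try` or drop it from the pattern. `*start` is also a glob that matches anything ending in "start"; spelling out `start|restart` states the intent and avoids surprises if another command with that suffix is added.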
@ -329,12 +361,14 @@ compiler() {
[ "$1" = nolock ] && shift;
shift
options="--verbose $VERBOSE ";
options="--verbose=$VERBOSE "
[ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG "
[ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY ";
[ -n "$EXPORT" ] && options="$options --export "
[ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR "
[ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR "
[ -n "$TIMESTAMP" ] && options="$options --timestamp "
[ "$debugging" = trace ] && options="$options --debug "
[ -n "$REFRESHCHAINS" ] && options="$options --refresh $REFRESHCHAINS"
[ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
[ -x $pc ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed"
#
# Run the appropriate params file
@ -348,6 +382,8 @@ compiler() {
$command perl $debugflags $pc $options $@
;;
shell)
LOG_VERBOSE=$LOG_VERBOSITY
export STARTUP_LOG LOG_VERBOSE
[ -x $sc ] || startup_error "SHOREWALL_COMPILER=shell requires the shorewall-shell package which is not installed"
[ -n "$REFRESHCHAINS" ] && startup_error "Shorewall-shell does not support refresh of specific chains"
$command $SHOREWALL_SHELL $sc $@
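Review bot: these two lines export `STARTUP_LOG` and `LOG_VERBOSE` to the Shorewall-shell compiler even though the release notes in this commit say the logging enhancements are not supported by Shorewall-shell. If the shell compiler ignores them the export is harmless but misleading; if it sources lib.base it will start appending to `$STARTUP_LOG` through the new `progress_message*` code. Either remove the two lines or bring the release notes in line with the behaviour.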
@ -407,6 +443,10 @@ start_command() {
option=
shift
;;
d*)
DEBUG=Yes
option=${option#d}
;;
f*)
FAST=Yes
option=${option#f}
@ -669,6 +709,10 @@ restart_command() {
finished=1
option=
;;
d*)
DEBUG=Yes
option=${option#d}
;;
n*)
NOROUTES=Yes
option=${option#n}
@ -1332,6 +1376,7 @@ SHOREWALL_DIR=
IPT_OPTIONS="-nv"
FAST=
VERBOSE_OFFSET=0
USE_VERBOSITY=
NOROUTES=
EXPORT=
export TIMESTAMP=
@ -1383,8 +1428,29 @@ while [ $finished -eq 0 ]; do
option=${option#f}
;;
v*)
VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
option=${option#v}
case $option in
-1*)
USE_VERBOSITY=-1
option=${option#-1}
;;
0*)
USE_VERBOSITY=0
option=${option#0}
;;
1*)
USE_VERBOSITY=1
option=${option#1}
;;
2*)
USE_VERBOSITY=2
option=${option#2}
;;
*)
VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
USE_VERBOSITY=
;;
esac
;;
n*)
NOROUTES=Yes
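Review bot: after stripping the `v`, the inner `case $option` recognises only `-1`, `0`, `1` and `2`; any other digit (for example `-v3`) falls into `*)`, which silently treats it as a relative `-v` and leaves the unrecognised text in `$option`. Since the release notes document `-v` followed by -1, 0, 1 or 2 as an absolute verbosity, a digit outside that range should be rejected with an error rather than reinterpreted. The `*)` branch also clears `USE_VERBOSITY`, so `-v2 -v` ends up relative; if that last-wins behaviour is intended it deserves a comment.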

@ -143,6 +143,8 @@ sub generate_script_1() {
qq(PATH="$config{PATH}") ,
'TERMINATOR=fatal_error' ,
qq(DONT_LOAD="@dont_load") ,
qq(STARTUP_LOG="$config{STARTUP_LOG}") ,
"LOG_VERBOSE=$config{LOG_VERBOSITY}" ,
''
);
@ -699,9 +701,9 @@ EOF
# If the first argument is non-null, it names the script file to generate.
# Otherwise, this is a 'check' command and no script is produced.
#
sub compiler( $$$$$ ) {
sub compiler( $$$$$$$ ) {
my ( $objectfile, $directory, $verbosity, $options , $chains ) = @_;
my ( $objectfile, $directory, $verbosity, $options , $chains , $log , $log_verbosity ) = @_;
$export = 0;
@ -712,10 +714,11 @@ sub compiler( $$$$$ ) {
set_shorewall_dir( $directory );
}
set_verbose( $verbosity ) unless $verbosity eq '';
$export = 1 if $options & EXPORT;
set_timestamp( 1 ) if $options & TIMESTAMP;
set_debug( 1 ) if $options & DEBUG;
set_verbose( $verbosity ) unless $verbosity eq '';
set_log($log, $log_verbosity) if $log;
$export = 1 if $options & EXPORT;
set_timestamp( 1 ) if $options & TIMESTAMP;
set_debug( 1 ) if $options & DEBUG;
#
# Get shorewall.conf and capabilities.
#
@ -875,6 +878,8 @@ sub compiler( $$$$$ ) {
generate_aux_config if $export;
}
close_log if $log;
1;
}

@ -54,12 +54,15 @@ our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shor
our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
finalize_object
numeric_value
emit
emit_unindented
save_progress_message
save_progress_message_short
set_timestamp
set_verbose
set_log
close_log
set_command
push_indent
pop_indent
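Review bot: `numeric_value` is added here to the `:internal` export tag of Shorewall::Config while the same commit removes it from the `@EXPORT` list of Shorewall::Zones. Any module that previously got it implicitly from `use Shorewall::Zones` must now import `Shorewall::Config qw(:internal)`, and no such caller update is visible in this patch; please confirm all callers were adjusted, or export it from Config's default list as well.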
@ -113,6 +116,10 @@ our ($command, $doing, $done );
#
our $verbose;
#
# Logging
#
our ( $log, $log_verbose );
#
# Timestamp each progress message, if true.
#
our $timestamp;
@ -228,6 +235,8 @@ sub initialize() {
( $command, $doing, $done ) = qw/ compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
$verbose = 0; # Verbosity setting. 0 = almost silent, 1 = major progress messages only, 2 = all progress messages (very noisy)
$log = undef; # File reference for log file
$log_verbose = -1; # Verbosity of log.
$timestamp = ''; # If true, we are to timestamp each progress message
$object = 0; # Object (script) file Handle Reference
$lastlineblank = 0; # Avoid extra blank lines in the output
@ -268,6 +277,8 @@ sub initialize() {
RFC1918_LOG_LEVEL => undef,
SMURF_LOG_LEVEL => undef,
LOG_MARTIANS => undef,
LOG_VERBOSITY => undef,
STARTUP_LOG => undef,
#
# Location of Files
#
@ -425,8 +436,10 @@ sub warning_message
if ( $debug ) {
print STDERR longmess( " WARNING: @_$currentlineinfo" );
print $log longmess( " WARNING: @_$currentlineinfo" ) if $log;
} else {
print STDERR " WARNING: @_$currentlineinfo\n";
print $log " WARNING: @_$currentlineinfo\n" if $log;
}
$| = 0;
@ -438,17 +451,51 @@ sub warning_message
sub fatal_error {
my $linenumber = $currentlinenumber || 1;
my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : '';
$| = 1;
if ( $log ) {
if ( $debug ) {
print $log longmess( " ERROR: @_$currentlineinfo" );
} else {
print $log " ERROR: @_$currentlineinfo\n";
}
close $log;
$log = undef;
}
confess " ERROR: @_$currentlineinfo" if $debug;
die " ERROR: @_$currentlineinfo\n";
}
sub fatal_error1 {
$| = 1;
if ( $log ) {
if ( $debug ) {
print $log longmess( " ERROR: @_\n" );
} else {
print $log " ERROR: @_\n";
}
close $log;
$log = undef;
}
confess " ERROR: @_" if $debug;
die " ERROR: @_\n";
}
#
# Convert value to decimal number
#
sub numeric_value ( $ ) {
my $mark = lc $_[0];
fatal_error "Invalid Numeric Value ($mark)" unless $mark =~ /^-?(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/;
$mark =~ /^0/ ? oct $mark : $mark;
}
#
# Write the arguments to the object file (if any) with the current indentation.
#
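Review bot: the `numeric_value` moved into this file differs from the one deleted from Shorewall::Zones: the regex now accepts a leading `-` (`^-?(...)`). That is needed for a log verbosity of -1, but it also means every other caller (mark values and the like) now accepts negative numbers that were previously rejected with "Invalid Numeric Value". In addition, a negative octal or hex string such as `-010` or `-0x10` does not match `/^0/`, so it is returned as the unconverted string instead of going through `oct`. Handling the sign separately (strip it, convert, negate) would make the conversion consistent.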
@ -510,6 +557,36 @@ sub set_verbose( $ ) {
$verbose = shift;
}
#
# Set $log and $log_verbose
#
sub set_log ( $$ ) {
my ( $l, $v ) = @_;
if ( defined $v ) {
my $value = numeric_value( $v );
if ( ( $value < -1 ) || ( $value > 2 ) ) {
fatal_error "Invalid Log Verbosity ( $v )";
}
$log_verbose = $value;
}
if ( $l && $log_verbose >= 0 ) {
unless ( open $log , '>>' , $l ) {
$log = undef;
fatal_error "Unable to open $l for writing: $!";
}
} else {
$log_verbose = -1;
}
}
sub close_log() {
close $log, $log = undef if $log;
}
#
# Set $command, $doing and $done
#
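Review bot: `close $log, $log = undef if $log;` in `close_log` relies on the comma operator inside a statement modifier; two plain statements inside an `if` block (`close $log; $log = undef;`) read better and mirror the cleanup already written in `fatal_error`. Separately, `set_log` opens whatever path `STARTUP_LOG` names in append mode with the current umask, and the same file receives the warning and error lines that quote configuration content; since the compiler runs as root, consider creating the file with restrictive permissions, or note in the documentation that the administrator should.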
@ -524,6 +601,8 @@ sub timestamp() {
printf '%02d:%02d:%02d ', ( localtime ) [2,1,0];
}
my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
#
# Write a message if $verbose >= 2
#
@ -538,6 +617,15 @@ sub progress_message {
$line =~ s/\s+/ /g;
print "$line\n";
}
if ( $log_verbose > 1 ) {
my @localtime = localtime;
printf $log '%s %02d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
my $line = "@_";
$line =~ s/\s+/ /g;
print $log "$line\n";
}
}
#
@ -548,6 +636,13 @@ sub progress_message2 {
timestamp if $timestamp;
print "@_\n";
}
if ( $log_verbose > 0 ) {
my @localtime = localtime;
printf $log '%s %02d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "@_\n";
}
}
#
@ -558,6 +653,13 @@ sub progress_message3 {
timestamp if $timestamp;
print "@_\n";
}
if ( $log_verbose > 0 ) {
my @localtime = localtime;
printf $log '%s %02d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "@_\n";
}
}
#
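Review bot: the logging threshold in `progress_message3` is `$log_verbose > 0`, the same as in `progress_message2`, whereas the shell counterparts added to lib.base in this commit use `-ge 0` for progress_message3 and `-gt 0` for progress_message2. With LOG_VERBOSITY=0 ("Almost quiet" in the release notes) the generated script therefore logs its progress_message3 lines while the compiler logs none of its own; this should most likely be `$log_verbose >= 0` to match.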
@ -1651,6 +1753,9 @@ sub get_configuration( $ ) {
check_trivalue ( 'ROUTE_FILTER', '' );
check_trivalue ( 'LOG_MARTIANS', '' );
default 'LOG_VERBOSITY' , -1;
default 'STARTUP_LOG' , '';
default_yes_no 'ADD_IP_ALIASES' , 'Yes';
default_yes_no 'ADD_SNAT_ALIASES' , '';
default_yes_no 'DETECT_DNAT_IPADDRS' , '';
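Review bot: `default 'LOG_VERBOSITY', -1` only supplies a default; the value read from shorewall.conf is written verbatim into the generated script as `LOG_VERBOSE=$config{LOG_VERBOSITY}` (see generate_script_1 in this commit) without the -1..2 range check that `set_log` applies to the command-line value. An out-of-range or non-numeric setting would only surface at run time as a `[` test error inside lib.base; validating it here with `numeric_value` and the same range test gives a clear compile-time error instead.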
@ -1993,6 +2098,7 @@ END {
#
close $object if $object;
close $scriptfile if $scriptfile;
close $log if $log;
#
# Unlink temporary files
#

@ -37,7 +37,6 @@ our @EXPORT = qw( NOTHING
IPSECPROTO
IPSECMODE
numeric_value
determine_zones
zone_report
dump_zone_contents
@ -158,15 +157,6 @@ INIT {
initialize;
}
#
# Convert value to decimal number
#
sub numeric_value ( $ ) {
my $mark = lc $_[0];
fatal_error "Invalid Numeric Value ($mark)" unless $mark =~ /^(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/;
$mark =~ /^0/ ? oct $mark : $mark;
}
#
# Parse the passed option list and return a reference to a hash as follows:
#

@ -41,7 +41,18 @@ use Shorewall::Compiler;
use Getopt::Long;
sub usage() {
print STDERR "usage: compiler.pl [ --export ] [ --directory=<directory> ] [ --verbose={0-2} ] [ --timestamp ] [ -- debug ] [ --refresh=<chainlist> ] [ <filename> ]\n";
print STDERR 'usage: compiler.pl [ <option> ... ] <filename> ]
options are:
[ --export ]
[ --directory=<directory> ]
[ --verbose={0-2} ]
[ --timestamp ]
[ -- debug ]
[ --refresh=<chainlist> ]
[ --log=<filename> ]
[ --log-verbose={0-2} ]
';
exit 1;
}
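Review bot: the usage text lists the new option as `--log-verbose={0-2}`, but the `GetOptions` call below registers it as `log_verbosity=i` (and the shorewall script passes `--log_verbosity=`), so the documented spelling is not accepted. The range is also misstated, since -1 is a valid value that the wrapper passes. While editing this text, `[ -- debug ]` (with a space) and the stray `]` after `<filename>` were carried over from the old line and could be fixed too.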
@ -54,20 +65,25 @@ my $verbose = 0;
my $timestamp = '';
my $debug = 0;
my $chains = '';
my $log = '';
my $log_verbose = 0;
Getopt::Long::Configure ('bundling');
my $result = GetOptions('export' => \$export,
'e' => \$export,
'directory=s' => \$shorewall_dir,
'd=s' => \$shorewall_dir,
'verbose=i' => \$verbose,
'v=i' => \$verbose,
'timestamp' => \$timestamp,
't' => \$timestamp,
'debug' => \$debug,
'r=s' => \$chains,
'refresh=s' => \$chains
my $result = GetOptions('export' => \$export,
'e' => \$export,
'directory=s' => \$shorewall_dir,
'd=s' => \$shorewall_dir,
'verbose=i' => \$verbose,
'v=i' => \$verbose,
'timestamp' => \$timestamp,
't' => \$timestamp,
'debug' => \$debug,
'r=s' => \$chains,
'refresh=s' => \$chains,
'log=s' => \$log,
'l=s' => \$log,
'log_verbosity=i' => \$log_verbose,
);
usage unless $result && @ARGV < 2;
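Review bot: `$log_verbose` defaults to 0 here, so `--log=<file>` without `--log_verbosity` opens (and creates) the log but, given the compiler's `> 0` and `> 1` thresholds, writes only warnings and errors to it, whereas the shell wrapper's get_config intends 2 as the default when STARTUP_LOG is set and LOG_VERBOSITY is not. Either align the defaults or document that the file is created even when nothing is logged. Also, `log=s` gets an `l` short form but `log_verbosity=i` has none, unlike every other option in the list.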
@ -78,4 +94,4 @@ $options |= EXPORT if $export;
$options |= TIMESTAMP if $timestamp;
$options |= DEBUG if $debug;
compiler $ARGV[0], $shorewall_dir, $verbose, $options, $chains;
compiler $ARGV[0], $shorewall_dir, $verbose, $options, $chains, $log , $log_verbose;

@ -41,6 +41,11 @@ progress_message() # $* = Message
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSE -gt 1 ]; then
timestamp="$(date +'%_b %d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
progress_message2() # $* = Message
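Review bot: `[ $LOG_VERBOSE -gt 1 ]` (and the two similar tests in the following hunks) is unquoted and has no fallback. lib.base is sourced by scripts that may not define LOG_VERBOSE, such as a firewall script generated by an earlier compiler or the Shorewall-shell path the release notes describe as unsupported, and then every progress message would fail with "unary operator expected". Use `[ "${LOG_VERBOSE:--1}" -gt 1 ]` or set a default near the top of the file, and quote `"$STARTUP_LOG"` in the redirection.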
@ -51,6 +56,11 @@ progress_message2() # $* = Message
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSE -gt 0 ]; then
timestamp="$(date +'%_b %d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
progress_message3() # $* = Message
@ -61,6 +71,11 @@ progress_message3() # $* = Message
[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
if [ $LOG_VERBOSE -ge 0 ]; then
timestamp="$(date +'%_b %d %T') "
echo "${timestamp}$@" >> $STARTUP_LOG
fi
}
#
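Review bot: the timestamp-and-append block is now repeated verbatim in all three `progress_message*` functions (and the same date format is duplicated again in the Perl compiler's progress functions). A small helper such as `log_message() { echo "$(date +'%_b %d %T') $@" >> "$STARTUP_LOG"; }` called as `[ $LOG_VERBOSE -ge 0 ] && log_message "$@"` would leave the three thresholds as the only difference between the functions.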