Userset fix and logging fixes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@724 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -56,3 +56,7 @@ Changes since 1.4.6
 25) Redesign the accounting facility to make it simpler and more
     flexible.
 
+26) Add Henry Wang's fix for LOGRATE/LOGBURST and enhance to resolve
+    conflict between that facility and rate-limited logging rules.
+
+27) Add User Set capability.

Shorewall/fallback.sh

@@ -138,6 +138,8 @@ restore_file /etc/shorewall/accounting
 
 restore_file /etc/shorewall/usersets
 
+restore_file /etc/shorewall/users
+
 if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
     restore_file /usr/lib/shorewall/version
     oldversion="`cat /usr/lib/shorewall/version`"

Shorewall/firewall

@@ -1934,13 +1934,32 @@ process_user_set_entry() {
     local acceptchain=`accept_chain $userset`
     local dropchain=`drop_chain $userset`
     local rejectchain=`reject_chain $userset`
-    local rule="-m owner"
 
-    if ! havechain $acceptchain; then
-	createchain $acceptchain No
-	createchain $dropchain No
-	createchain $rejectchain No
-    fi
+    list_search $userset $usersets && \
+	fatal_error "Duplicate Uset Set: $userset"
+    usersets="$usersets $userset"
+
+    createchain $acceptchain No
+    createchain $dropchain No
+    createchain $rejectchain No
+
+    [ "x$reject" = "x-" ] && reject=""
+    eval ${userset}_reject="$reject"
+    [ "x$accept" = "x-" ] && accept=""
+    eval ${userset}_accept="$accept"
+    [ "x$drop" = "x-" ] && drop=""
+    eval ${userset}_drop="$drop"
+}
+    
+process_user_entry() {
+    local acceptchain=`accept_chain $userset`
+    local dropchain=`drop_chain $userset`
+    local rejectchain=`reject_chain $userset`
+    local rule="-m owner"
+    local level=
+    
+    list_search $userset $usersets || \
+	fatal_error "Unknown Uset Set: $userset"
 
     [ "x$user" = "x-" ] && user=
 
@@ -1950,8 +1969,19 @@ process_user_set_entry() {
     [ -n "$user" ]  && rule="$rule --uid-owner $user"  || user='*'
     [ -n "$group" ] && rule="$rule --gid-owner $group" || group='*'
 
+    eval level=\$${userset}_accept
+    [ -n "$level" ] && \
+	log_rule $level $acceptchain ACCEPT $rule
     run_iptables -A $acceptchain $rule -j ACCEPT
+ 
+    eval level=\$${userset}_drop
+    [ -n "$level" ] && \
+	log_rule $level $dropchain DROP $rule
     run_iptables -A $dropchain   $rule -j DROP
+    
+    eval level=\$${userset}_reject
+    [ -n "$level" ] && \
+	log_rule $level $rejectchain REJECT $rule
     run_iptables -A $rejectchain $rule -j reject
 
     echo "   User $user:$group added to user set $userset"
@@ -1959,15 +1989,21 @@ process_user_set_entry() {
 
 setup_usersets() # $1 = Name of usersets file
 {   
-    
     echo "Setting up User Sets..."
 
     strip_file usersets $1
 
-    while read userset user group ; do
-	expandv userset user group
+    while read userset reject accept drop; do
+	expandv userset reject accept drop
 	process_user_set_entry
     done < $TMP_DIR/usersets
+
+    strip_file users
+
+    while read userset user group ; do
+	expandv userset user group
+	process_user_entry
+    done < $TMP_DIR/users
 }
 
 #      
@@ -2084,7 +2120,7 @@ refresh_tc() {
 #		      by this function
 #    cport	    = Source Port Specification
 #    multiport	    = String to invoke multiport match if appropriate
-#    ratelimit   = Optional rate limiting clause
+#    ratelimit      = Optional rate limiting clause
 #
 add_nat_rule() {
     local chain
@@ -2172,7 +2208,7 @@ add_nat_rule() {
 	    else
 		for adr in `separate_list $addr`; do
 		    if [ -n "$loglevel" ]; then
-			log_rule $loglevel $OUTPUT $logtarget -t nat \
+			log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \
 			    `fix_bang $proto $cli $sports -d $adr $multiport $dports`
 		    fi
 
@@ -2558,6 +2594,9 @@ process_rule() # $1 = target
 		[ -n "$userset" ] && \
 		    fatal_error "A user set may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
 	esac
+
+	[ -n "$loglevel" ] && \
+	    fatal_error "Logging may not be specified on a rule with a User Set: rule \"$rule\""
     else
 	case $target in
 	    ACCEPT|LOG)

Shorewall/install.sh

@@ -573,7 +573,17 @@ if [ -f ${PREFIX}/etc/shorewall/usersets ]; then
 else
     run_install -o $OWNER -g $GROUP -m 0600 usersets ${PREFIX}/etc/shorewall/usersets
     echo
-    echo "User sets file installed as ${PREFIX}/etc/shorewall/usersets"
+    echo "User Sets file installed as ${PREFIX}/etc/shorewall/usersets"
+fi
+#
+# Install the User file
+#
+if [ -f ${PREFIX}/etc/shorewall/users ]; then
+    backup_file /etc/shorewall/users
+else
+    run_install -o $OWNER -g $GROUP -m 0600 users ${PREFIX}/etc/shorewall/users
+    echo
+    echo "Users file installed as ${PREFIX}/etc/shorewall/users"
 fi
 #
 # Backup the version file

Shorewall/releasenotes.txt

@@ -26,6 +26,8 @@ Problems Corrected since version 1.4.6:
     "shorewall monitor" on the "Dynamic Chains" page (previously named
     "Dynamic Chain").
 
+6) Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
+
 Migration Issues:
 
 1) Once you have installed this version of Shorewall, you must 
@@ -36,6 +38,8 @@ Migration Issues:
    uses of "shorewall drop" and "shorewall reject" should be replaced
    with "shorewall dropall" and "shorewall rejectall".
 
+3) IP Traffic Accounting is changed from Snapshot 20030813. 
+
 New Features:
 
 1) Shorewall now creates a dynamic blacklisting chain for each interface
@@ -135,38 +139,34 @@ New Features:
    will use all listed addresses/ranges in round-robin fashion.
 
 7) An /etc/shorewall/accounting file has been added to allow for 
-   traffic accounting. The file has two sections.
+   traffic accounting..
 
-   The first section of the file is optional and allows aggregation of
-   counter chains into other counter chains. It does this by allowing
-   you to create an accounting chain hierarchy. See
-   http://shorewall.net/Accounting.html for a description of this
-   section.
+   The accounting rules are placed in a chain called "accounting" and
+   can thus be displayed using "shorewall show accounting".
 
-   The second section of the file has the following columns:
+   The file has the following columns:
 
-	ACTION	      - What to do when a match is found.
+       ACTION	     -  What to do when a match is found. Possible
+		        values are:
 
-				COUNT	- Simply count the match and 
-					  continue trying to match the
-					  packet with the following
-					  accounting rules
-				DONE	- Count the match and don't
-					  attempt to match any
-					  following accounting rules.
-				<chain> - The name of a chain that is
-					  to be jumped to. Shorewall
-					  will create the chain
-					  automatically if it was not
-					  created by a CHAIN entry in
-					  the first section of the
-					  file. If the name of
-					  the chain is followed by
-					  ":DONE" then after control
-					  returns from the named chain,
-					  the packet will not be
-					  matched against any of the
-					  following accounting rules.
+			COUNT - Simply count the match and continue
+			        trying to match the packet with the
+			        following accounting rules.
+
+			DONE  - Count the match and don't attempt to
+				match any following accounting rules.
+
+			<chain> - The name of a chain to jump to.
+				  Shorewall will create the chain
+				  automatically. If the name of the
+				  chain is followed by ":COUNT" then
+				  a COUNT rule matching this rule
+				  will automatically be added to
+				  <chain>
+
+	CHAIN	      - The name of the chain where the accounting
+			rule is to be added. If empty or "-" then
+			the "accounting" chain is assumed.
 
 	SOURCE	      - Packet Source
 
@@ -193,8 +193,8 @@ New Features:
 			number. May only be specified if the protocol
 			is TCP or UDP (6 or 17).
 
-   In all columns except the first, the values "-","any" and "all" are
-   treated as wild-cards.
+   In all columns except ACTION and CHAIN, the values "-","any" and
+   "all" are treated as wild-cards.
 
    The accounting rules are evaluated in the Netfilter 'filter'
    table. This is the same environment where the 'rules' file rules are
@@ -202,51 +202,9 @@ New Features:
    inbound packets and SNAT has not yet occurred on outbound ones.
 
    The accounting rules are placed in a chain called "accounting" and
-   can thus be displayed using "shorewall show accounting". It should
-   be noted that where the ACTION is <chain>:DONE then the entry
-   generates two rules in "accounting"; the first is a jump to the
-   named chain and the second is a RETURN rule which causes the
-   accounting chain to be exited.
-
-   Examples:
-
-	COUNT		eth0		eth1   # Count traffic going through the
-					       # router from eth0 to eth1
-	COUNT		eth0:206.124.146.177   # Count traffic from my
-					       # server arriving on
-					       # eth0
-	DONE		eth0		eth1:192.168.1.24
-					       # Count traffic entering
-					       # eth0 and going to host
-					       # 192.168.1.24 on
-					       # eth1. Don't check for
-					       # any more matches.
-   Example using CHAIN:
-
-        # This example shows how you can aggretate two counters. The
-        # counters being aggregated are input and output counters on
-        # the device 'ppp0'. The CHAIN declarations go in the first 
-	# section of the /etc/shorewall/accounting file.
-
-	CHAIN		tunnel		       # Create a chain called 'tunnel'
-	CHAIN		tunnelin	tunnel # Create a chain called
-					       # 'tunnelin' with all
-					       # traffic sent to
-					       # 'tunnelin' being sent
-					       # on to 'tunnel'
-	CHAIN		tunnelout	tunnel # Create a chain called
-					       # 'tunnelout' with all
-					       # traffic sent to
-					       # 'tunnelout' being sent
-					       # on to 'tunnel'
-					       # any more matches
-	tunnelin	ppp0		       # send all traffic from
-					       # ppp0 to the chain called
-					       # 'tunnelin'
-	tunnelout	any		ppp0   # send all traffic to 
-					       # ppp0 to the chain called
-					       # 'tunnelout'
+   can thus be displayed using "shorewall show accounting".
 
+   See http://shorewall.net/Accounting.html for examples.
  
 8) Bridge interfaces (br[0-9]) may now be used in /etc/shorewall/maclist.					       
 
@@ -285,6 +243,9 @@ New Features:
 
 	  where <rate>, <interval> and <burst> are as above.
    
+   You may not place a rate limit in both the ACTION and RATE LIMIT
+   columns.
+
    Let's take an example:
 
 	 ACCEPT<2/sec:4>	net	dmz	tcp	80
@@ -305,3 +266,7 @@ New Features:
 
 10) Multiple chains may now be displayed in one "shorewall show"
     command (e.g., shorewall show INPUT FORWARD OUTPUT).
+
+11) Output rules (those with $FW as the SOURCE) may now be limited to
+    a set of local users and/or groups. See
+    http://shorewall.net/UserSets.html for details.

Shorewall/rules

@@ -233,11 +233,13 @@
 #			REJECT.
 #			
 #			The format of the column is a comma separated list of
-#			user set names defined in the /etc/shorewall/usersets file.
+#			user set names defined in the /etc/shorewall/usersets
+#			file.
 #			
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
-#			the effective <user> and/or <group> specified.
+#			the effective <user> and/or <group> specified. A log
+#			level may not be given in the ACTION column.
 #
 #	Example: Accept SMTP requests from the DMZ to the internet
 #

Shorewall/shorewall.spec

@@ -100,6 +100,7 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/usersets
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/users
 %attr(0544,root,root) /sbin/shorewall
 %attr(0444,root,root) /usr/share/shorewall/functions
 %attr(0544,root,root) /usr/share/shorewall/firewall
@@ -108,6 +109,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Sat Aug 23 2003 Tom Eastep <tom@shorewall.net>
+- Added /etc/shorewall/users
 * Thu Aug 21 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6_20030821-1
 - Added /etc/shorewall/usersets

Shorewall/users

@@ -0,0 +1,25 @@
+#
+# Shorewall version 1.4 - Users File
+#
+# /etc/shorewall/users
+#
+#	This file is used to associate local users and/or groups to Shorewall
+#	"User Sets". 
+# Columns are:
+#
+#	USERSET		The name of a user set defined in
+#			/etc/shorewall/usersets.
+#
+#	USER		A Linux user name or number defined in /etc/passwd.
+#
+#	GROUP		A linux group name or number defined in /etc/groups.
+#
+#	The GROUP may be omitted. If it is supplied, then the USER may be 
+#	entered as "-" in which case all members of the specified group are
+#	included in the USERSET.
+#
+################################################################################
+#USERSET	USER		GROUP
+#
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+

Shorewall/usersets

@@ -1,28 +1,29 @@
 #
-# Shorewall version 1.4 - User Sets File
+# Shorewall version 1.4 - Users Sets File
 #
 # /etc/shorewall/usersets
 #
-#	This file is used to define Shorewall "User Sets". A user set is a 
-#	list of <user>, <group> or <user:group> names and can be used to
-#	control access by individual users to other network hosts from the
-#	firewall system.
+#	A user set is a list of <user>, <group> or <user:group> names and can
+#	be used to control access by individual users to other network hosts
+#	from the firewall system.
 #
 # Columns are:
 #
 #	USERSET		The name of a user set. May be up to 6 characters in
 #			length and must be a valid shell identifier.
 #
-#	USER		A Linux user name or number defined in /etc/passwd.
+#	REJECT		The log level for REJECT rules that match a user in this
+#			userset.
 #
-#	GROUP		A linux group name or number defined in /etc/groups.
+#	ACCEPT		The log level for ACCEPT rules that match a user in this
+#			userset.
 #
-#	The GROUP may be omitted. If it is supplied, then the USER may be 
-#	entered as "-" in which case all members of the specified group are
-#	included in the USERSET.
+#	DROP		The log level for DROP rules that match a user in this
+#			userset.
 #
-################################################################################
-#USERSET	USER		GROUP
+# To omit one of the last three columns yet supply a value to one of the
+# following ones, enter "-".
+#
+#USERSET	REJECT	ACCEPT	DROP
 #
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-