extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-08 00:34:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Implement LOG_BACKEND option

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-09-24 15:26:13 -07:00
parent 4815f7eba3
commit 580e00dabd
20 changed files with 212 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -742,6 +742,8 @@ sub compiler {
}
setup_source_routing($family);
setup_log_backend;
#
# Proxy Arp/Ndp
#

15
Shorewall/Perl/Shorewall/Config.pm
View File

@ -741,6 +741,7 @@ sub initialize( $;$$) {
RPFILTER_LOG_LEVEL => undef,
INVALID_LOG_LEVEL => undef,
UNTRACKED_LOG_LEVEL => undef,
LOG_BACKEND => undef,
#
# Location of Files
#
@ -5747,6 +5748,20 @@ sub get_configuration( $$$$$ ) {
default_log_level 'INVALID_LOG_LEVEL', '';
default_log_level 'UNTRACKED_LOG_LEVEL', '';
if ( defined( $val = $config{LOG_BACKEND} ) ) {
if ( $family == F_IPV4 && $val eq 'ULOG' ) {
$val = 'xt_ULOG';
} elsif ( $val eq 'netlink' ) {
$val = 'nfnetlink_log';
} elsif ( $val eq 'LOG' ) {
$val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_log';
} else {
fatal_error "Invalid LOG Backend ($val)";
}
$config{LOG_BACKEND} = $val;
}
warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
default_log_level 'SMURF_LOG_LEVEL', '';

15
Shorewall/Perl/Shorewall/Proc.pm
View File

@ -42,6 +42,7 @@ our @EXPORT = qw(
setup_source_routing
setup_accept_ra
setup_forwarding
setup_log_backend
);
our @EXPORT_OK = qw( setup_interface_proc );
our $VERSION = 'MODULEVERSION';
@ -348,5 +349,19 @@ sub setup_interface_proc( $ ) {
}
}
sub setup_log_backend() {
if ( my $setting = $config{LOG_BACKEND} ) {
my $file = '/proc/sys/net/netfilter/nf_log';
emit( "if -f $file; then",
" if echo $setting > $file; then",
" progress_message 'Log Backend set to $setting'",
" else",
" error_meessage 'WARNING: Unable to set log backend to $setting'",
"else",
" error_message 'WARNING: $file does not exist - log backend not set",
"fi\n" );
}
}
1;

2
Shorewall/Samples/Universal/shorewall.conf
View File

@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2

2
Shorewall/Samples/one-interface/shorewall.conf
View File

@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2

2
Shorewall/Samples/three-interfaces/shorewall.conf
View File

@ -33,6 +33,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2

2
Shorewall/Samples/two-interfaces/shorewall.conf
View File

@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2

2
Shorewall/configfiles/shorewall.conf
View File

@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2

6
Shorewall/helpers
View File

@ -57,3 +57,9 @@ loadmodule nf_nat_proto_gre
loadmodule nf_nat_sip
loadmodule nf_nat_snmp_basic
loadmodule nf_nat_tftp
#
# While not actually helpers, these are handy to have
#
loadmodule xt_NFLOG
loadmodule xt_ULOG
loadmodule nfnetlink_log

39
Shorewall/manpages/shorewall.conf.xml
View File

@ -1306,6 +1306,45 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
backend to be used for the <command>iptrace</command> command (see
<ulink url="manpages/shorewall.html">shorewall(8)</ulink>).</para>
<para><replaceable>backend</replaceable> is one of:</para>
<variablelist>
<varlistentry>
<term>LOG</term>
<listitem>
<para>Use standard kernel logging.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ULOG</term>
<listitem>
<para>Use ULOG logging to ulogd.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>netlink</term>
<listitem>
<para>Use netlink logging to ulogd version 2 or later.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis

13
Shorewall/manpages/shorewall.xml
View File

@ -1129,15 +1129,10 @@
be one or more matches that may appear in both the raw table OUTPUT
and raw table PREROUTING chains.</para>
<para>When using ipt_LOG, the trace records are written to the
kernel's log buffer with facility = kernel and priority = warning,
and they are routed from there by your logging daemon (syslogd,
rsyslog, syslog-ng, ...). When using nfnetlink_log or ipt_ULOG, the
trace records go to ulogd.</para>
<para>In either case, Shorewall has no control over where the
messages are written; consult your logging daemon's
documentation.</para>
<para>The log message destination is determined by the
currently-selected IPv4 <ulink
url="/shorewall_logging.html#Backends">logging
backend</ulink>.</para>
</listitem>
</varlistentry>

2
Shorewall6/Samples6/Universal/shorewall6.conf
View File

@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_VERBOSITY=2
LOGALLNEW=

2
Shorewall6/Samples6/one-interface/shorewall6.conf
View File

@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_VERBOSITY=2
LOGALLNEW=

2
Shorewall6/Samples6/three-interfaces/shorewall6.conf
View File

@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_VERBOSITY=2
LOGALLNEW=

2
Shorewall6/Samples6/two-interfaces/shorewall6.conf
View File

@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_VERBOSITY=2
LOGALLNEW=

2
Shorewall6/configfiles/shorewall6.conf
View File

@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_VERBOSITY=2
LOGALLNEW=

5
Shorewall6/helpers
View File

@ -34,3 +34,8 @@ loadmodule nf_conntrack_proto_sctp
loadmodule nf_conntrack_sip
loadmodule nf_conntrack_tftp
loadmodule nf_conntrack_sane
#
# While not actually helpers, these are handy to have
#
loadmodule xt_NFLOG
loadmodule nfnetlink_log

32
Shorewall6/manpages/shorewall6.conf.xml
View File

@ -1157,6 +1157,38 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
backend to be used for the <command>iptrace</command> command (see
<ulink
url="manpages6/shorewall6.html">shorewall6(8)</ulink>).</para>
<para><replaceable>backend</replaceable> is one of:</para>
<variablelist>
<varlistentry>
<term>LOG</term>
<listitem>
<para>Use standard kernel logging.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>netlink</term>
<listitem>
<para>Use netlink logging to ulogd version 2 or later.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOG_VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>

13
Shorewall6/manpages/shorewall6.xml
View File

@ -1012,15 +1012,10 @@
be one or more matches that may appear in both the raw table OUTPUT
and raw table PREROUTING chains.</para>
<para>When using ipt6_LOG, the trace records are written to the
kernel's log buffer with facility = kernel and priority = warning,
and they are routed from there by your logging daemon (syslogd,
rsyslog, syslog-ng, ...). When using nfnetlink_log or ipt_ULOG, the
trace records go to ulogd.</para>
<para>In either case, Shorewall has no control over where the
messages written; consult your logging daemon's
documentation.</para>
<para>The log message destination is determined by the
currently-selected IPv6 <ulink
url="/shorewall_logging.html#Backends">logging
backend</ulink>.</para>
</listitem>
</varlistentry>

70
docs/shorewall_logging.xml
View File

@ -320,6 +320,76 @@ ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 </programlis
</section>
</section>
<section>
<title id="Backends">Log Backends</title>
<para>Netfilter logging allows configuration of multiple backends. Logging
backends provide the The low-level forward of log messages. There are
currently three backends:</para>
<variablelist>
<varlistentry>
<term>LOG (ipt_LOG and ip6t_LOG).</term>
<listitem>
<para>Normal kernel-based logging to a syslog daemon.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ULOG (ipt_ULOG)</term>
<listitem>
<para>ULOG logging as described ablve. Only available for
IPv4.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>netlink (nfnetlink_log)</term>
<listitem>
<para>The logging backend behind NFLOG, defined above.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The currently-available and currently-selected IPv4 and IPv6
backends are shown in /proc/sys/net/netfilter/nf_log:</para>
<programlisting>cat /proc/net/netfilter/nf_log
0 NONE (nfnetlink_log)
1 NONE (nfnetlink_log)
2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
3 NONE (nfnetlink_log)
4 NONE (nfnetlink_log)
5 NONE (nfnetlink_log)
6 NONE (nfnetlink_log)
7 NONE (nfnetlink_log)
8 NONE (nfnetlink_log)
9 NONE (nfnetlink_log)
10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)</programlisting>
<para>The magic numbers (0-12) are Linux address family numbers (AF_INET
is 2 and AF_INET6 is 10).</para>
<para>The name immediately following the number is the currently-selected
backend, and the ones in parantheses are the ones that are available. You
can change the currently selected backend by echoing it's name into
/proc/net/netfilter/nf_log.<replaceable>number</replaceable>.</para>
<para>Example - change the IPv4 backend to LOG:</para>
<programlisting>echo ipt_LOG &gt; /proc/net/netfilter/nf_log.2</programlisting>
<para>Beginning with Shorewall 4.6.4, you can configure the backend using
the LOG_BACKEND option in <ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</section>
<section id="Syslog-ng">
<title>Syslog-ng</title>