Implement LOG_BACKEND option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2014-09-24 15:26:13 -07:00
parent 4815f7eba3
commit 580e00dabd
20 changed files with 212 additions and 18 deletions

View File

@ -742,6 +742,8 @@ sub compiler {
} }
setup_source_routing($family); setup_source_routing($family);
setup_log_backend;
# #
# Proxy Arp/Ndp # Proxy Arp/Ndp
# #

View File

@ -741,6 +741,7 @@ sub initialize( $;$$) {
RPFILTER_LOG_LEVEL => undef, RPFILTER_LOG_LEVEL => undef,
INVALID_LOG_LEVEL => undef, INVALID_LOG_LEVEL => undef,
UNTRACKED_LOG_LEVEL => undef, UNTRACKED_LOG_LEVEL => undef,
LOG_BACKEND => undef,
# #
# Location of Files # Location of Files
# #
@ -5747,6 +5748,20 @@ sub get_configuration( $$$$$ ) {
default_log_level 'INVALID_LOG_LEVEL', ''; default_log_level 'INVALID_LOG_LEVEL', '';
default_log_level 'UNTRACKED_LOG_LEVEL', ''; default_log_level 'UNTRACKED_LOG_LEVEL', '';
if ( defined( $val = $config{LOG_BACKEND} ) ) {
if ( $family == F_IPV4 && $val eq 'ULOG' ) {
$val = 'xt_ULOG';
} elsif ( $val eq 'netlink' ) {
$val = 'nfnetlink_log';
} elsif ( $val eq 'LOG' ) {
$val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_log';
} else {
fatal_error "Invalid LOG Backend ($val)";
}
$config{LOG_BACKEND} = $val;
}
warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL}; warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
default_log_level 'SMURF_LOG_LEVEL', ''; default_log_level 'SMURF_LOG_LEVEL', '';
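Review bot: the backend names produced here do not match the names the kernel exposes in the nf_log listing that this same commit adds to the logging documentation: the IPv6 LOG case yields `ip6t_log` while the listing shows `ip6t_LOG` (the /proc interface is case-sensitive, so that write would be rejected), and the IPv4 ULOG case yields `xt_ULOG` while both the listing and the new ULOG entry say `ipt_ULOG`. Suggest `$val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_LOG';` and `$val = 'ipt_ULOG';`. Also check what the empty `LOG_BACKEND=` line shipped in every shorewall.conf template in this commit becomes in %config: if it is the empty string rather than undef, the `defined` test passes and the final else branch turns the default configuration into a fatal error; a truth test such as `if ( $val = $config{LOG_BACKEND} )`, as setup_log_backend already uses, avoids that. The error for ULOG under IPv6 would be clearer as "ULOG is only available for IPv4" than "Invalid LOG Backend".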

View File

@ -42,6 +42,7 @@ our @EXPORT = qw(
setup_source_routing setup_source_routing
setup_accept_ra setup_accept_ra
setup_forwarding setup_forwarding
setup_log_backend
); );
our @EXPORT_OK = qw( setup_interface_proc ); our @EXPORT_OK = qw( setup_interface_proc );
our $VERSION = 'MODULEVERSION'; our $VERSION = 'MODULEVERSION';
@ -348,5 +349,19 @@ sub setup_interface_proc( $ ) {
} }
} }
sub setup_log_backend() {
if ( my $setting = $config{LOG_BACKEND} ) {
my $file = '/proc/sys/net/netfilter/nf_log';
emit( "if -f $file; then",
" if echo $setting > $file; then",
" progress_message 'Log Backend set to $setting'",
" else",
" error_meessage 'WARNING: Unable to set log backend to $setting'",
"else",
" error_message 'WARNING: $file does not exist - log backend not set",
"fi\n" );
}
}
1; 1;
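Review bot: the shell emitted by setup_log_backend will not parse: `if -f $file; then` lacks the test brackets (`if [ -f $file ]; then`), the inner `if echo ... then ... else ...` has no closing `fi` before the outer `else`, the string on the final error_message line has no closing single quote, and `error_meessage` is misspelled. The target path is also wrong on two counts: the documentation added in this commit reads the listing from /proc/net/netfilter/nf_log (not /proc/sys/net/netfilter/), and the backend is selected by writing to the per-family file nf_log.<AF number> (nf_log.2 for IPv4, nf_log.10 for IPv6, per that same documentation), so $file should be derived from $family rather than being one constant. A working skeleton for the emitted script is
if [ -f $file ]; then
    if echo $setting > $file; then progress_message '...'; else error_message '...'; fi
else error_message '...'; fi
with the warning text quoted in full on each branch.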

View File

@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL= INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes LOG_MARTIANS=Yes
LOG_VERBOSITY=2 LOG_VERBOSITY=2

View File

@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL= INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes LOG_MARTIANS=Yes
LOG_VERBOSITY=2 LOG_VERBOSITY=2

View File

@ -33,6 +33,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL= INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes LOG_MARTIANS=Yes
LOG_VERBOSITY=2 LOG_VERBOSITY=2

View File

@ -36,6 +36,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL= INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes LOG_MARTIANS=Yes
LOG_VERBOSITY=2 LOG_VERBOSITY=2

View File

@ -25,6 +25,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL= INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes LOG_MARTIANS=Yes
LOG_VERBOSITY=2 LOG_VERBOSITY=2

View File

@ -57,3 +57,9 @@ loadmodule nf_nat_proto_gre
loadmodule nf_nat_sip loadmodule nf_nat_sip
loadmodule nf_nat_snmp_basic loadmodule nf_nat_snmp_basic
loadmodule nf_nat_tftp loadmodule nf_nat_tftp
#
# While not actually helpers, these are handy to have
#
loadmodule xt_NFLOG
loadmodule xt_ULOG
loadmodule nfnetlink_log
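Review bot: these loadmodule lines are what make the backends selectable (a logger only appears in the parenthesised "available" list of nf_log once its module is loaded), so confirm that this helpers file is processed before the nf_log write emitted by setup_log_backend in the generated script; otherwise the write fails with the "Unable to set log backend" warning. The `xt_ULOG` here versus `ipt_ULOG` in the documentation's listing is also worth reconciling, since the module name and the logger name registered with nf_log need not be the same string, and the LOG_BACKEND validation in get_configuration currently emits `xt_ULOG` as the logger name.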

View File

@ -1306,6 +1306,45 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
backend to be used for the <command>iptrace</command> command (see
<ulink url="manpages/shorewall.html">shorewall(8)</ulink>).</para>
<para><replaceable>backend</replaceable> is one of:</para>
<variablelist>
<varlistentry>
<term>LOG</term>
<listitem>
<para>Use standard kernel logging.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ULOG</term>
<listitem>
<para>Use ULOG logging to ulogd.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>netlink</term>
<listitem>
<para>Use netlink logging to ulogd version 2 or later.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis
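Review bot: the description limits LOG_BACKEND to the iptrace command, but what setup_log_backend writes is the per-family default logger in nf_log, which the new Log Backends section describes as the low-level forwarder for netfilter logging in general; the entry should state whether ordinary LOG/ULOG/NFLOG rules are affected as well. It should also say that ULOG is accepted only for IPv4, which is why the shorewall6.conf(5) counterpart omits it and get_configuration rejects it for IPv6.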

View File

@ -1129,15 +1129,10 @@
be one or more matches that may appear in both the raw table OUTPUT be one or more matches that may appear in both the raw table OUTPUT
and raw table PREROUTING chains.</para> and raw table PREROUTING chains.</para>
<para>When using ipt_LOG, the trace records are written to the <para>The log message destination is determined by the
kernel's log buffer with facility = kernel and priority = warning, currently-selected IPv4 <ulink
and they are routed from there by your logging daemon (syslogd, url="/shorewall_logging.html#Backends">logging
rsyslog, syslog-ng, ...). When using nfnetlink_log or ipt_ULOG, the backend</ulink>.</para>
trace records go to ulogd.</para>
<para>In either case, Shorewall has no control over where the
messages are written; consult your logging daemon's
documentation.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
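Review bot: the deleted paragraphs carried two facts the linked Log Backends section does not repeat, namely that ipt_LOG messages enter the kernel log buffer with facility kernel and priority warning, and that Shorewall has no control over where the logging daemon routes them. Either keep a one-sentence version here or add those details to the Backends section; the same applies to the matching shorewall6 iptrace hunk.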

View File

@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL= INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_VERBOSITY=2 LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=

View File

@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL= INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_VERBOSITY=2 LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=

View File

@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL= INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_VERBOSITY=2 LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=

View File

@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL= INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_VERBOSITY=2 LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=

View File

@ -26,6 +26,8 @@ BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL= INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_VERBOSITY=2 LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=

View File

@ -34,3 +34,8 @@ loadmodule nf_conntrack_proto_sctp
loadmodule nf_conntrack_sip loadmodule nf_conntrack_sip
loadmodule nf_conntrack_tftp loadmodule nf_conntrack_tftp
loadmodule nf_conntrack_sane loadmodule nf_conntrack_sane
#
# While not actually helpers, these are handy to have
#
loadmodule xt_NFLOG
loadmodule nfnetlink_log

View File

@ -1157,6 +1157,38 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOG_BACKEND=</emphasis>[<emphasis>backend</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.6.4. LOG_BACKEND determines the logging
backend to be used for the <command>iptrace</command> command (see
<ulink
url="manpages6/shorewall6.html">shorewall6(8)</ulink>).</para>
<para><replaceable>backend</replaceable> is one of:</para>
<variablelist>
<varlistentry>
<term>LOG</term>
<listitem>
<para>Use standard kernel logging.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>netlink</term>
<listitem>
<para>Use netlink logging to ulogd version 2 or later.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">LOG_VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term> role="bold">LOG_VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>

View File

@ -1012,15 +1012,10 @@
be one or more matches that may appear in both the raw table OUTPUT be one or more matches that may appear in both the raw table OUTPUT
and raw table PREROUTING chains.</para> and raw table PREROUTING chains.</para>
<para>When using ipt6_LOG, the trace records are written to the <para>The log message destination is determined by the
kernel's log buffer with facility = kernel and priority = warning, currently-selected IPv6 <ulink
and they are routed from there by your logging daemon (syslogd, url="/shorewall_logging.html#Backends">logging
rsyslog, syslog-ng, ...). When using nfnetlink_log or ipt_ULOG, the backend</ulink>.</para>
trace records go to ulogd.</para>
<para>In either case, Shorewall has no control over where the
messages written; consult your logging daemon's
documentation.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@ -320,6 +320,76 @@ ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 </programlis
</section> </section>
</section> </section>
<section>
<title id="Backends">Log Backends</title>
<para>Netfilter logging allows configuration of multiple backends. Logging
backends provide the The low-level forward of log messages. There are
currently three backends:</para>
<variablelist>
<varlistentry>
<term>LOG (ipt_LOG and ip6t_LOG).</term>
<listitem>
<para>Normal kernel-based logging to a syslog daemon.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ULOG (ipt_ULOG)</term>
<listitem>
<para>ULOG logging as described ablve. Only available for
IPv4.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>netlink (nfnetlink_log)</term>
<listitem>
<para>The logging backend behind NFLOG, defined above.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The currently-available and currently-selected IPv4 and IPv6
backends are shown in /proc/sys/net/netfilter/nf_log:</para>
<programlisting>cat /proc/net/netfilter/nf_log
0 NONE (nfnetlink_log)
1 NONE (nfnetlink_log)
2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
3 NONE (nfnetlink_log)
4 NONE (nfnetlink_log)
5 NONE (nfnetlink_log)
6 NONE (nfnetlink_log)
7 NONE (nfnetlink_log)
8 NONE (nfnetlink_log)
9 NONE (nfnetlink_log)
10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)</programlisting>
<para>The magic numbers (0-12) are Linux address family numbers (AF_INET
is 2 and AF_INET6 is 10).</para>
<para>The name immediately following the number is the currently-selected
backend, and the ones in parantheses are the ones that are available. You
can change the currently selected backend by echoing it's name into
/proc/net/netfilter/nf_log.<replaceable>number</replaceable>.</para>
<para>Example - change the IPv4 backend to LOG:</para>
<programlisting>echo ipt_LOG &gt; /proc/net/netfilter/nf_log.2</programlisting>
<para>Beginning with Shorewall 4.6.4, you can configure the backend using
the LOG_BACKEND option in <ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
</section>
<section id="Syslog-ng"> <section id="Syslog-ng">
<title>Syslog-ng</title> <title>Syslog-ng</title>
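Review bot: the path in the introductory sentence, /proc/sys/net/netfilter/nf_log, disagrees with the listing and the example that follow it, which use /proc/net/netfilter/nf_log (the path the `cat` and `echo` commands shown actually operate on); make them consistent. Typos in the new section: "provide the The low-level forward", "ablve", "parantheses", and "it's name" (its). The ULOG entry and the listing both name the backend ipt_ULOG, whereas get_configuration in this commit maps ULOG to xt_ULOG; one of the two needs changing so the documented name is the one the code writes.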