diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index 6ef4d9d96..9e7bce03b 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -112,3 +112,5 @@ Changes since 2.0.3 53) Add mss= option to the ipsec file. 54) Added CONNMARK/ipp2p support. + +55) Added LOGALLNEW support. diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 6dfa80e4a..101970b82 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -1252,7 +1252,7 @@ run_user_exit() # $1 = file name # # Add a logging rule. # -log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $... = predicates for the rule +log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule { local level=$1 local chain=$2 @@ -1261,10 +1261,11 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi local rulenum= local limit="${5:-$LOGLIMIT}" local tag=${6:+$6 } + local command=${7:--A} local prefix local base=$(chain_base $displayChain) - shift;shift;shift;shift;shift + shift;shift;shift;shift;shift;shift;shift if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then displayChain=$tag @@ -1291,10 +1292,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi case $level in ULOG) - iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" + iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" ;; *) - iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" + iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" ;; esac @@ -1311,7 +1312,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo shift;shift;shift - log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" $@ + log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@ } # 
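Review bot: The default in `local command=${7:--A}` cannot cover a caller that leaves the seventh argument out, because the function then unconditionally shifts seven positions: such a caller would have its first predicate consumed as the iptables command. Every call site touched in this commit does pass -A or -I, so it works today, but the header comment should make the contract explicit, e.g. `# $7 = iptables command (-A or -I); mandatory -- the default only applies to an explicit empty string`. The seven chained shifts could also be written as a single `shift 7`, which is POSIX and reads more clearly. log_rule_limit's body continues outside this hunk.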
@@ -2978,7 +2979,7 @@ add_an_action() for serv1 in $(separate_list $serv); do for srv in $(firewall_ip_range $serv1); do if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \ + log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \ $(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports) fi @@ -2988,7 +2989,7 @@ add_an_action() done else if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \ + log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \ $(fix_bang $proto $sports $multiport $cli $dest_interface $dports) fi @@ -3498,8 +3499,8 @@ process_actions3() { ;; *) if [ -n "$xlevel" ]; then - log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast - log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -m pkttype --pkt-type multicast + log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast + log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast fi ;; esac @@ -3513,7 +3514,7 @@ process_actions3() { ;; *) [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -d $address + log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address ;; esac @@ -3530,8 +3531,8 @@ process_actions3() { ;; *) if [ -n "$xlevel" ]; then - log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast - log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type multicast + log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast + log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast fi ;; esac 
@@ -3545,7 +3546,7 @@ process_actions3() { ;; *) [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -d $address + log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address ;; esac @@ -3559,28 +3560,28 @@ process_actions3() { if [ "$COMMAND" != check ]; then [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -p tcp ! --syn + log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn run_iptables -A $xchain -p tcp ! --syn -j DROP fi ;; dropNotSyn) if [ "$COMMAND" != check ]; then [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -p tcp ! --syn + log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn run_iptables -A $xchain -p tcp ! --syn -j DROP fi ;; rejNotSyn) if [ "$COMMAND" != check ]; then [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -p tcp ! --syn + log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset fi ;; dropInvalid) if [ "$COMMAND" != check ]; then [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -m state --state INVALID + log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -m state --state INVALID run_iptables -A $xchain -m state --state INVALID -j DROP fi ;; @@ -3731,7 +3732,7 @@ add_nat_rule() { else for adr in $(separate_list $addr); do if [ -n "$loglevel" ]; then - log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \ + log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -A -t nat \ $(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports) fi 
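Review bot: In the dropInvalid arm, the new line still passes dropNotSyn as the display chain (`log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -m state --state INVALID`), so INVALID-state drops are logged under a dropNotSyn prefix while the companion run_iptables rule matches `--state INVALID`. This predates the commit but is carried into the new code, and a mislabelled prefix points anyone triaging the logs at the wrong rule. Unless sharing the prefix is intentional, change it to `log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID`. process_actions3 starts and ends outside this hunk.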
@@ -3762,7 +3763,7 @@ add_nat_rule() { done if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat + log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat fi addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection @@ -3770,7 +3771,7 @@ add_nat_rule() { for adr in $(separate_list $addr); do if [ -n "$loglevel" ]; then ensurenatchain $chain - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat \ + log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \ $(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports) fi @@ -3983,7 +3984,7 @@ add_a_rule() if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then for adr in $(separate_list $addr); do if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \ + log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \ $userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) fi @@ -3992,7 +3993,7 @@ add_a_rule() done else if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ + log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) fi @@ -4008,7 +4009,7 @@ add_a_rule() done else if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ + log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ $(fix_bang $proto $sports $multiport $cli $dports) fi 
@@ -4032,7 +4033,7 @@ add_a_rule() if [ $COMMAND != check ]; then if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ + log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ $(fix_bang $proto $multiport $cli $dest_interface $sports $dports) fi @@ -6418,6 +6419,26 @@ activate_rules() run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT done + + if [ -n "$LOGALLNEW" ]; then + for table in mangle nat filter; do + case $table in + mangle) + chains="PREROUTING INPUT FORWARD POSTROUTING" + ;; + nat) + chains="PREROUTING POSTROUTING OUTPUT" + ;; + *) + chains="INPUT FORWARD OUTPUT" + ;; + esac + + for chain in $chains; do + log_rule_limit $LOGALLNEW $chain $table $chain "" "" -I -m state --state NEW -t $table + done + done + fi } # @@ -6999,6 +7020,7 @@ do_initialize() { RETAIN_ALIASES= DELAYBLACKLISTLOAD= LOGTAGONLY= + LOGALLNEW= RESTOREBASE= TMP_DIR= diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index 034109ecd..f0bed00f5 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt 
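Review bot: The mangle chain list in the new LOGALLNEW block omits OUTPUT, although the mangle table has an OUTPUT chain and both the shorewall.conf comment and the release notes in this commit describe a logging rule as "the first rule in each builtin chain"; either add it, `chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING"`, or comment why it is skipped. The empty fifth argument also does not disable rate limiting: log_rule_limit falls back to `${5:-$LOGLIMIT}`, so whatever LOGLIMIT holds (presumably derived from LOGRATE/LOGBURST) still applies here, which contradicts the release notes' "no rate limiting" statement — worth a comment such as `# "" as the rate limit falls back to LOGLIMIT; these rules are unlimited only when that is empty`. The loop variables table and chains are assigned without local; activate_rules begins outside this hunk, so check they do not clobber variables used elsewhere in the function.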
@@ -604,3 +604,23 @@ New Features: 24) Shorewall now has support for the CONNMARK target from iptables. See the /etc/shorewall/tcrules file for details. +25) A new debugging option LOGALLNEW has been added to + shorewall.conf. When set to a log level, this option causes + Shorewall to generaate a logging rule as the first rule in each + builtin chain. + + - The table name is used as the chain name in the log prefix. + - The chain name is used as the target in the log prefix. + + Example: Using the default LOGFORMAT, the log prefix for logging + from the nat table's PREROUTING chain is: + + Shorewall:nat:PREROUTING + + IMPORTANT: There is no rate limiting on these logging rules so + use LOGALLNEW at your own risk; it may cause high CPU and disk + utilization and you may not be able to control your firewall after + you enable this option. + + DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL + BE SENT TO ANOTHER SYSTEM. diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf index 04ddb559b..e6bfc7943 100755 --- a/Shorewall2/shorewall.conf +++ b/Shorewall2/shorewall.conf @@ -135,6 +135,18 @@ LOGTAGONLY=No LOGRATE= LOGBURST= +# +# LOG ALL NEW +# +# This option should only be used when you are trying to analyze a problem. +# It causes all packets in the Netfilter NEW state to be logged as the +# first rule in each builtin chain. To use this option, set LOGALLNEW to +# the log level that you want these packets logged at (e.g., +# LOGALLNEW=debug). +# + +LOGALLNEW= + # # BLACKLIST LOG LEVEL #