extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 09:47:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

LOGALLNEW

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1712 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-10-24 18:53:38 +00:00
parent c0fc8eb15e
commit 706242aa2c
4 changed files with 80 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall2/changelog.txt
View File

@ -112,3 +112,5 @@ Changes since 2.0.3
53) Add mss=<number> option to the ipsec file. 53) Add mss=<number> option to the ipsec file.
54) Added CONNMARK/ipp2p support. 54) Added CONNMARK/ipp2p support.
55) Added LOGALLNEW support.

70
Shorewall2/firewall
View File

@ -1252,7 +1252,7 @@ run_user_exit() # $1 = file name
# #
# Add a logging rule. # Add a logging rule.
# #
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $... = predicates for the rule log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
{ {
local level=$1 local level=$1
local chain=$2 local chain=$2
@ -1261,10 +1261,11 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
local rulenum= local rulenum=
local limit="${5:-$LOGLIMIT}" local limit="${5:-$LOGLIMIT}"
local tag=${6:+$6 } local tag=${6:+$6 }
local command=${7:--A}
local prefix local prefix
local base=$(chain_base $displayChain) local base=$(chain_base $displayChain)
shift;shift;shift;shift;shift shift;shift;shift;shift;shift;shift;shift
if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
displayChain=$tag displayChain=$tag
@ -1291,10 +1292,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
case $level in case $level in
ULOG) ULOG)
iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;; ;;
*) *)
iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
;; ;;
esac esac
@ -1311,7 +1312,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
shift;shift;shift shift;shift;shift
log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" $@ log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
} }
# #
@ -2978,7 +2979,7 @@ add_an_action()
for serv1 in $(separate_list $serv); do for serv1 in $(separate_list $serv); do
for srv in $(firewall_ip_range $serv1); do for srv in $(firewall_ip_range $serv1); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \ log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \
$(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports) $(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports)
fi fi
@ -2988,7 +2989,7 @@ add_an_action()
done done
else else
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \ log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dest_interface $dports) $(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
fi fi
@ -3498,8 +3499,8 @@ process_actions3() {
;; ;;
*) *)
if [ -n "$xlevel" ]; then if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -m pkttype --pkt-type multicast log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
fi fi
;; ;;
esac esac
@ -3513,7 +3514,7 @@ process_actions3() {
;; ;;
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -d $address log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address
;; ;;
esac esac
@ -3530,8 +3531,8 @@ process_actions3() {
;; ;;
*) *)
if [ -n "$xlevel" ]; then if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type multicast log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
fi fi
;; ;;
esac esac
@ -3545,7 +3546,7 @@ process_actions3() {
;; ;;
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -d $address log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address
;; ;;
esac esac
@ -3559,28 +3560,28 @@ process_actions3() {
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP run_iptables -A $xchain -p tcp ! --syn -j DROP
fi fi
;; ;;
dropNotSyn) dropNotSyn)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP run_iptables -A $xchain -p tcp ! --syn -j DROP
fi fi
;; ;;
rejNotSyn) rejNotSyn)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
fi fi
;; ;;
dropInvalid) dropInvalid)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -m state --state INVALID log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j DROP run_iptables -A $xchain -m state --state INVALID -j DROP
fi fi
;; ;;
@ -3731,7 +3732,7 @@ add_nat_rule() {
else else
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \ log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -A -t nat \
$(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports) $(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports)
fi fi
@ -3762,7 +3763,7 @@ add_nat_rule() {
done done
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat
fi fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
@ -3770,7 +3771,7 @@ add_nat_rule() {
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
ensurenatchain $chain ensurenatchain $chain
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat \ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \
$(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports) $(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports)
fi fi
@ -3983,7 +3984,7 @@ add_a_rule()
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
$userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
fi fi
@ -3992,7 +3993,7 @@ add_a_rule()
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
fi fi
@ -4008,7 +4009,7 @@ add_a_rule()
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dports) $(fix_bang $proto $sports $multiport $cli $dports)
fi fi
@ -4032,7 +4033,7 @@ add_a_rule()
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports) $(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
fi fi
@ -6418,6 +6419,26 @@ activate_rules()
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -D $chain -p udp --dport 53 -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT
done done
if [ -n "$LOGALLNEW" ]; then
for table in mangle nat filter; do
case $table in
mangle)
chains="PREROUTING INPUT FORWARD POSTROUTING"
;;
nat)
chains="PREROUTING POSTROUTING OUTPUT"
;;
*)
chains="INPUT FORWARD OUTPUT"
;;
esac
for chain in $chains; do
log_rule_limit $LOGALLNEW $chain $table $chain "" "" -I -m state --state NEW -t $table
done
done
fi
} }
# #
@ -6999,6 +7020,7 @@ do_initialize() {
RETAIN_ALIASES= RETAIN_ALIASES=
DELAYBLACKLISTLOAD= DELAYBLACKLISTLOAD=
LOGTAGONLY= LOGTAGONLY=
LOGALLNEW=
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=

20
Shorewall2/releasenotes.txt
View File

@ -604,3 +604,23 @@ New Features:
24) Shorewall now has support for the CONNMARK target from iptables. 24) Shorewall now has support for the CONNMARK target from iptables.
See the /etc/shorewall/tcrules file for details. See the /etc/shorewall/tcrules file for details.
25) A new debugging option LOGALLNEW has been added to
shorewall.conf. When set to a log level, this option causes
Shorewall to generaate a logging rule as the first rule in each
builtin chain.
- The table name is used as the chain name in the log prefix.
- The chain name is used as the target in the log prefix.
Example: Using the default LOGFORMAT, the log prefix for logging
from the nat table's PREROUTING chain is:
Shorewall:nat:PREROUTING
IMPORTANT: There is no rate limiting on these logging rules so
use LOGALLNEW at your own risk; it may cause high CPU and disk
utilization and you may not be able to control your firewall after
you enable this option.
DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL
BE SENT TO ANOTHER SYSTEM.

12
Shorewall2/shorewall.conf
View File

@ -135,6 +135,18 @@ LOGTAGONLY=No
LOGRATE= LOGRATE=
LOGBURST= LOGBURST=
#
# LOG ALL NEW
#
# This option should only be used when you are trying to analyze a problem.
# It causes all packets in the Netfilter NEW state to be logged as the
# first rule in each builtin chain. To use this option, set LOGALLNEW to
# the log level that you want these packets logged at (e.g.,
# LOGALLNEW=debug).
#
LOGALLNEW=
# #
# BLACKLIST LOG LEVEL # BLACKLIST LOG LEVEL
# #