Add support for nfacct

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-07-28 11:21:16 -07:00
parent 87c0f934aa
commit 735b7c2cf5
20 changed files with 229 additions and 35 deletions


@ -615,6 +615,20 @@ show_connections_filter() {
fi
}
show_nfacct() {
if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
NFACCT=
else
NFACCT=$(mywhich nfacct)
[ -n "$NFACCT" ] || "No NF Accounting defined"
fi
if [ -n "$NFACCT" ]; then
$NFACCT list
echo
fi
}
#
# Show Command Executor
#
@ -920,6 +934,12 @@ show_command() {
echo
[ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
;;
nfacct)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
echo
show_nfacct
;;
*)
case "$g_program" in
*-lite)
@ -1202,6 +1222,9 @@ do_dump_command() {
perip_accounting
fi
heading "NF Accounting"
show_nfacct
if qt mywhich setkey; then
heading "PFKEY SPD"
setkey -DP
@ -2109,6 +2132,19 @@ determine_capabilities() {
qt $g_tool -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
NFACCT=
else
NFACCT=$(mywhich nfacct)
fi
if [ -n "$NFACCT" ] && qt $NFACCT add $chain; then
qt $g_tool -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
qt $g_tool -D $chain -m nfacct --nfacct-name $chain
qt $NFACCT del $chain
fi
if [ -n "$MANGLE_ENABLED" ]; then
qt $g_tool -t mangle -N $chain
@ -2131,12 +2167,6 @@ determine_capabilities() {
qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
if qt nfacct add $chain; then
qt $g_tool -t mangle -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
qt $g_tool -t mangle -D $chain -m nfacct --nfacct-name $chain
qt nfacct del $chain
fi
qt $g_tool -t mangle -F $chain
qt $g_tool -t mangle -X $chain
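Review bot: In show_nfacct (hunk at @@ -615) the `else` branch also runs when NFACCT is set and executable, so an administrator-configured NFACCT path is silently replaced by whatever `mywhich nfacct` finds on PATH, and the fallback message on the following line is a bare string that the shell will try to execute as a command instead of printing. Change the branch to `elif [ -z "$NFACCT" ]; then` and the message line to `[ -n "$NFACCT" ] || echo "No NF Accounting defined"`. The same if/else shape reappears in the determine_capabilities hunk (@@ -2109), where it likewise discards a valid configured path just before the capability probe, so the probe may run a different binary than the one the generated script will use. determine_capabilities starts and ends outside that hunk.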


@ -236,6 +236,11 @@ sub process_accounting_rule( ) {
}
} elsif ( $action =~ /^NFLOG/ ) {
$target = validate_level $action;
} elsif ( $action =~ /^NFACCT\((\w+)\)$/ ) {
require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
$nfobjects{$1} = 1;
$target = '';
$rule .= "-m nfacct --nfacct-name $1 ";
} else {
( $action, my $cmd ) = split /:/, $action;
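Review bot: The object name captured by `NFACCT\((\w+)\)` is carried as `$1` across the `require_capability` call and then interpolated both into the rule text and into `%nfobjects`, from which create_nfobjects later emits `$NFACCT add <name>` into the generated shell script; the `\w+` class is what keeps that interpolation shell-safe, so a comment stating that is worth adding, and the capture should be copied to a lexical (`my $object = $1;`) before the call so the intent survives later changes to require_capability. I believe the kernel also imposes a fixed maximum length on nfacct object names; if so, an over-long name will only fail at startup when `nfacct add` runs rather than at compile time, and a length check here with a fatal_error would give a clearer message — verify the limit against the nfacct/kernel headers before adding it. process_accounting_rule starts and ends outside the hunk.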


@ -36,7 +36,7 @@ use Shorewall::IPAddrs;
use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw/
our @EXPORT = qw(
DONT_OPTIMIZE
DONT_DELETE
DONT_MOVE
@ -86,10 +86,10 @@ our @EXPORT = qw/
$nat_table
$mangle_table
$filter_table
/;
);
our %EXPORT_TAGS = (
internal => [ qw/ STANDARD
internal => [ qw( STANDARD
NATRULE
BUILTIN
NONAT
@ -238,13 +238,15 @@ our %EXPORT_TAGS = (
set_global_variables
save_dynamic_chains
load_ipsets
create_nfobjects
create_netfilter_load
preview_netfilter_load
create_chainlist_reload
create_stop_load
%targets
%dscpmap
/ ],
%nfobjects
) ],
);
Exporter::export_ok_tags('internal');
@ -334,6 +336,7 @@ my $comment;
my @comments;
my $export;
my %renamed;
our %nfobjects;
#
# Target Types
@ -662,7 +665,8 @@ sub initialize( $$$ ) {
snmp => UDP,
tftp => UDP);
%isocodes = ();
%isocodes = ();
%nfobjects = ();
#
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
@ -5406,6 +5410,7 @@ sub set_chain_variables() {
} else {
emit 'IPSET=ipset';
}
}
#
@ -6872,6 +6877,32 @@ sub load_ipsets() {
}
}
#
# Create nfacct objects if needed
#
sub create_nfobjects() {
my @objects = ( keys %nfobjects );
if ( @objects ) {
if ( $config{NFACCT} ) {
emit( qq(NFACCT="$config{NFACCT}") ,
'[ -x "$NFACCT" ] || startup_error "NFACCT=$NFACCT does not exist or is not executable"'
);
} else {
emit( 'NFACCT=$(mywhich nfacct)' ,
'[ -n "$NFACCT" ] || startup_error "No nfacct utility found"',
''
);
}
}
for ( keys %nfobjects ) {
emit( qq(if ! qt \$NFACCT get $_; then),
qq( \$NFACCT add $_),
qq(fi\n) );
}
}
#
#
# Generate the netfilter input
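Review bot: In create_nfobjects the emitted `$NFACCT add $_` is unchecked: if creating the object fails at startup (for example because the name is rejected or the accounting support is not loadable), the generated script carries on and the failure only surfaces later when the rule using `-m nfacct --nfacct-name` is loaded, with a less obvious message. Emit the add with the same startup_error guard already used for the missing-utility case, e.g. `qq(    \$NFACCT add $_ || startup_error "Unable to create nfacct object $_"),`. An object left over from an earlier run is deliberately reused via the `get` check so its counters persist across restarts; that is the documented intent of the feature, but a one-line comment on the loop saying so would stop the next reader from treating it as a missing reset.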


@ -368,6 +368,7 @@ sub generate_script_3($) {
emit '';
load_ipsets;
create_nfobjects;
if ( $family == F_IPV4 ) {
emit ( 'if [ "$COMMAND" = refresh ]; then' ,


@ -573,6 +573,7 @@ sub initialize( $;$ ) {
IPSECFILE => undef,
LOCKFILE => undef,
GEOIPDIR => undef,
NFACCT => undef,
#
# Default Actions/Macros
#
@ -3223,7 +3224,7 @@ sub NFAcct_Match() {
if ( qt1( "nfacct add $sillyname" ) ) {
$result = qt1( "$iptables -A $sillyname -m nfacct --nfacct-name $sillyname" );
qt( "iptables -D $sillyname -m nfacct $sillyname" );
qt( "$iptables -D $sillyname -m nfacct --nfacct-name $sillyname" );
qt( "nfacct del $sillyname" );
}
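Review bot: NFAcct_Match still probes with bare `nfacct add $sillyname` and `nfacct del $sillyname` resolved via PATH, while the generated script and lib.cli honor the new NFACCT setting; when an administrator sets NFACCT precisely because the utility is not on PATH, compile-time detection will report NFACCT_MATCH as absent and every NFACCT accounting rule will then be rejected by require_capability. Resolve the command once, `my $nfacct = $config{NFACCT} || 'nfacct';` (presumably the same %config that `NFACCT => undef` is added to above), and use `"$nfacct add $sillyname"` and `"$nfacct del $sillyname"` in the two probes. Whether the NFACCT value read from shorewall.conf is checked for existence and executability at compile time is not visible in this hunk and is worth confirming, since the same string is later emitted verbatim into the generated script. NFAcct_Match starts and ends outside the hunk.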


@ -69,6 +69,8 @@ LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -80,6 +80,8 @@ LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -78,6 +78,8 @@ LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -81,6 +81,8 @@ LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -69,6 +69,8 @@ LOCKFILE=
MODULESDIR=
NFACCT=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl


@ -294,8 +294,25 @@
</varlistentry>
<varlistentry>
<term>NFLOG[(nflog-parameters)] - Added in
Shorewall-4.4.20.</term>
<term><emphasis
role="bold">NFACCT</emphasis>(<replaceable>object</replaceable>)</term>
<listitem>
<para>Added in Shorewall 4.5.7. Provides a form of accounting
that survives <command>shorewall stop/shorewall</command>
start and <command>shorewall restart</command>. Requires the
NFaccnt Match capability in your kernel and iptables.
<replaceable>object</replaceable> names an nfacct object (see
man nfaccnt(8)). Multiple rules can specify the same
<replaceable>object</replaceable>; all packets that match any
of the rules increment the packet and bytes count of the
object.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NFLOG</emphasis>[(nflog-parameters)]
- Added in Shorewall-4.4.20.</term>
<listitem>
<para>Causes each matching packet to be sent via the currently
@ -306,7 +323,7 @@
</varlistentry>
<varlistentry>
<term>COMMENT</term>
<term><emphasis role="bold">COMMENT</emphasis></term>
<listitem>
<para>The remainder of the line is treated as a comment which


@ -96,7 +96,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -106,7 +106,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -116,7 +116,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -126,7 +126,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -482,7 +482,7 @@
</itemizedlist>
<blockquote>
<para></para>
<para/>
<para>If CONFIG_PATH is not given or if it is set to the empty
value then the contents of /usr/share/shorewall/configpath are
@ -829,7 +829,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</varlistentry>
</variablelist>
<para></para>
<para/>
<blockquote>
<para>If this variable is not set or is given an empty value
@ -1039,7 +1039,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</itemizedlist>
<para></para>
<para/>
<blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for
@ -1056,7 +1056,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
control your firewall after you enable this option.</para>
</important>
<para></para>
<para/>
<caution>
<para>Do not use this option if the resulting log messages will
@ -1437,6 +1437,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFACCT=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.7. Specifies the pathname of the nfacct
utiliity. If not specified, Shorewall will use the PATH settting to
find the program.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NULL_ROUTE_RFC1918=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -1709,7 +1720,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">"</emphasis></term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>


@ -68,6 +68,8 @@ LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -68,6 +68,8 @@ LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -68,6 +68,8 @@ LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -68,6 +68,8 @@ LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -68,6 +68,8 @@ LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"


@ -236,8 +236,25 @@
</varlistentry>
<varlistentry>
<term>NFLOG[(nflog-parameters)] - Added in
Shorewall-4.4.20.</term>
<term><emphasis
role="bold">NFACCT</emphasis>(<replaceable>object</replaceable>)</term>
<listitem>
<para>Added in Shorewall 4.5.7. Provides a form of accounting
that survives <command>shorewall stop/shorewall</command>
start and <command>shorewall restart</command>. Requires the
NFaccnt Match capability in your kernel and iptables.
<replaceable>object</replaceable> names an nfacct object (see
man nfaccnt(8)). Multiple rules can specify the same
<replaceable>object</replaceable>; all packets that match any
of the rules increment the packet and bytes count of the
object.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NFLOG</emphasis>[(nflog-parameters)]
- Added in Shorewall-4.4.20.</term>
<listitem>
<para>Causes each matching packet to be sent via the currently
@ -248,7 +265,7 @@
</varlistentry>
<varlistentry>
<term>COMMENT</term>
<term><emphasis role="bold">COMMENT</emphasis></term>
<listitem>
<para>The remainder of the line is treated as a comment which


@ -82,7 +82,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -92,7 +92,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -102,7 +102,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -112,7 +112,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -902,7 +902,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</itemizedlist>
<para></para>
<para/>
<blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for
@ -919,7 +919,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
control your firewall after you enable this option.</para>
</important>
<para></para>
<para/>
<caution>
<para>Do not use this option if the resulting log messages will
@ -1261,6 +1261,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFACCT=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.7. Specifies the pathname of the nfacct
utiliity. If not specified, Shorewall will use the PATH settting to
find the program.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">OPTIMIZE=</emphasis>[<replaceable>value</replaceable>]</term>
@ -1507,7 +1518,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">"</emphasis></term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>


@ -296,7 +296,7 @@
<emphasis role="bold">OUTPUT</emphasis> and <emphasis
role="bold">FORWARD</emphasis> and must appear in that order (although any
of them may be omitted). The first non-commentary record in the accounting
file must be a section header when sectioning is used. </para>
file must be a section header when sectioning is used.</para>
<para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
added to shorewall.conf and shorewall6.conf. That setting determines the
@ -562,4 +562,54 @@ IP: 70.90.191.123 SRC packets: 42 bytes: 4604 DST packets: 44 bytes: 10662
gateway:~#
</programlisting>
</section>
<section id="nfacct">
<title>Accounting using nfacct</title>
<para>Beginning with the 3.3 kernels, Netfilter supports a form of
accounting (nfacct) that is triggered by iptables rules but that survives
purging and/or reloading the Netfilter ruleset. Shorewall support for this
form of accounting was added in Shorewall 4.5.7.</para>
<para>As of this writing (late July 2012), Fedora 17 has partial support
for this feature but not all. It is necessary to download and build the
following:</para>
<itemizedlist>
<listitem>
<para>libnetfilter_acct</para>
</listitem>
<listitem>
<para>nfacct</para>
</listitem>
</itemizedlist>
<para>The following Fedora packages are also required:</para>
<itemizedlist>
<listitem>
<para>libnetlink and libnetlink-dev</para>
</listitem>
<listitem>
<para>libmnl and libmnl-dev</para>
</listitem>
</itemizedlist>
<para>The tarballs are available from the Netfilter download sites.</para>
<para>The nfacct utility can create, delete and display <firstterm>nfacct
objects</firstterm>. These named objects consist of a packet and byte
counter. Packets matching those netfilter rules that use the nfacct match
cause the packet and byte count in the object named in the match to be
incremented.</para>
<para>To use nfaccnt with Shorewall, use the NFACCT target. See <ulink
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>(5)
for details.</para>
<para>The <command>shorewall show nfacct</command> command is a thin
wrapper around the <command>nfacct list</command> command.</para>
</section>
</article>