From a29ff62fbe6d6764fa1e3b0056610c0218390e50 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 20 Apr 2004 21:47:49 +0000
Subject: [PATCH] Implement Log Tags
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1272 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/action.template | 9 ++++
 Shorewall2/firewall | 101 ++++++++++++++++++++----------------
 Shorewall2/releasenotes.txt | 21 ++++++++
 Shorewall2/rules | 9 ++++
 4 files changed, 94 insertions(+), 46 deletions(-)
diff --git a/Shorewall2/action.template b/Shorewall2/action.template
index 75307117f..49b042c75 100644
--- a/Shorewall2/action.template
+++ b/Shorewall2/action.template
@@ -42,6 +42,15 @@
 # to a separate log through use of ulogd
 # (http://www.gnumonks.org/projects/ulogd).
 #
+# Actions specifying logging may be followed by a
+# logtag (a string of alphanumeric characters)
+# are appended to the string generated by the
+# LOGPREFIX (in /etc/shorewall/shorewall.conf).
+#
+# Example: ACCEPT:info:ftp would include 'ftp '
+# at the end of the log prefix generated by the
+# LOGPREFIX setting.
+#
 # SOURCE Source hosts to which the rule applies.
 # A comma-separated list of subnets
 # and/or hosts. Hosts may be specified by IP or MAC
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index af17171f0..b7d72078a 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
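Review bot: The added comment does not parse — `may be followed by a logtag (a string of alphanumeric characters) are appended to the string generated by the LOGPREFIX` has no subject for `are appended` — so a reader cannot tell that it is the tag itself that gets appended; changing the second and third lines to `# logtag (a string of alphanumeric characters) which` and `# is appended to the log prefix generated by the` fixes it. The firewall script in this same patch builds the prefix from `$LOGFORMAT`, so if that is the shorewall.conf setting's real name the comment's `LOGPREFIX` sends users to the wrong variable — worth confirming before this ships. Since this comment is the only statement of the alphanumeric rule and the parser added in this patch accepts anything after the second colon, either say that the tag is not checked or add the check.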
@@ -1071,52 +1071,44 @@ run_user_exit() # $1 = file name
 #
 # Add a logging rule.
 #
-log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limit $... = predicates for the rule
+log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limit $5=log tag $... = predicates for the rule
 {
 local level=$1
 local chain=$2
 local disposition=$3
 local rulenum=
 local limit="${4:-$LOGLIMIT}"
+ local tag=$5
+ local prefix
- shift;shift;shift;shift
+ shift;shift;shift;shift;shift
 if [ -n "$LOGRULENUMBERS" ]; then
 eval rulenum=\$${chain}_logrules
 [ -z "$rulenum" ] && rulenum=1
- case $level in
- ULOG)
- eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"'
- ;;
- *)
- eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \
- --log-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"'
- ;;
- esac
-
- if [ $? -ne 0 ] ; then
- [ -z "$stopping" ] && { stop_firewall; exit 2; }
- fi
-
- rulenum=$(($rulenum + 1))
-
- eval ${chain}_logrules=$rulenum
+ prefix="$(printf "$LOGFORMAT" $chain $rulenum $disposition)${tag:+$tag }"
 else
- case $level in
- ULOG)
- eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"'
- ;;
- *)
- eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \
- --log-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"'
- ;;
- esac
+ prefix="$(printf "$LOGFORMAT" $chain $disposition)${tag:+$tag }"
+ fi
+
+ if [ ${#prefix} -gt 29 ]; then
+ prefix="$(echo $prefix | cut -b -29)"
+ error_message "Warning: Log Prefix shortened to \"$prefix\""
+ fi
+
+ case $level in
+ ULOG)
+ iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
+ ;;
+ *)
+ iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
+ ;;
+ esac
- if [ $? -ne 0 ] ; then
- [ -z "$stopping" ] && { stop_firewall; exit 2; }
- fi
+ if [ $? -ne 0 ] ; then
+ [ -z "$stopping" ] && { stop_firewall; exit 2; }
 fi
 }
@@ -1128,7 +1120,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
 shift;shift;shift
- log_rule_limit $level $chain $disposition "$LOGLIMIT" $@
+ log_rule_limit $level $chain $disposition "$LOGLIMIT" "" $@
 }
 #
@@ -2322,6 +2314,7 @@ refresh_tc() {
 # action = The chain for this rule
 # ratelimit = Optional rate limiting clause
 # userandgroup = owner match clause
+# logtag = Log tag
 #
 add_an_action()
 {
@@ -2428,7 +2421,7 @@ add_an_action()
 for serv1 in $(separate_list $serv); do
 for srv in $(ip_range $serv1); do
 if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \
+ log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logtag" $userandgroup \
 $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
 fi
@@ -2438,7 +2431,7 @@ add_an_action()
 done
 else
 if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \
+ log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logtag" $userandgroup \
 $(fix_bang $proto $sports $multiport $cli $dports)
 fi
@@ -2472,6 +2465,7 @@ process_action() # $1 = action
 local userspec="$9"
 local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit)"
 local userandgroup=
+ local logtag=
 if [ -n "$ratelimit" ]; then
 case $ratelimit in
@@ -2525,10 +2519,16 @@ process_action() # $1 = action
 loglevel=
 else
 loglevel="${target#*:}"
- target="${target%:*}"
+ target="${target%%:*}"
 expandv loglevel
+ if [ "$loglevel" != "${loglevel%:*}" ]; then
+ logtag="${loglevel#*:}"
+ loglevel="${loglevel%:*}"
+ expandv logtag
+ fi
+
 fi
-
+
 logtarget="$target"
 case $target in
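Review bot: The LOGRULENUMBERS branch no longer advances the per-chain counter: the removed `rulenum=$(($rulenum + 1))` and `eval ${chain}_logrules=$rulenum` are not re-added on the new side, so `rulenum` is read from `${chain}_logrules`, defaulted to 1, and never stored back — every logging rule built with LOGRULENUMBERS set will carry rule number 1 in its prefix. Those two lines belong directly after the new `prefix="$(printf "$LOGFORMAT" $chain $rulenum $disposition)${tag:+$tag }"` line, inside the `if`. Separately, the shortening step `prefix="$(echo $prefix | cut -b -29)"` expands `$prefix` unquoted, so the shell word-splits and glob-expands the text before `echo` sees it; `prefix="$(printf '%.29s' "$prefix")"` truncates to the same 29 bytes with no pipeline and no expansion of the prefix contents. Dropping `eval` around the iptables calls is a good change in itself, since the prefix text no longer goes through a second round of shell parsing.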
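Review bot: The tag is documented as alphanumeric but nothing in this branch checks it: `logtag="${loglevel#*:}"` keeps everything after the first colon, and when a second colon is present `${loglevel%:*}` leaves it in `loglevel` too, so `ACCEPT:info:a:b` ends up passing `--log-level info:a`, which is not a valid log level. Because `expandv logtag` runs first, the check belongs after it, e.g. `case $logtag in *[!a-zA-Z0-9]*) error_message "Error: Invalid log tag \"$logtag\" in rule \"$rule\""; stop_firewall; exit 2;; esac` — assuming `stop_firewall; exit 2` is the abort path this function uses for other malformed rules, which is not visible in the hunk. The same four lines are added verbatim to process_rule later in the patch and would need the same guard; a shared helper would keep the two in step.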
@@ -2678,7 +2678,7 @@ process_actions1() {
 strip_file $f $fn
 while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
 expandv xtarget
- temp="${xtarget%:*}"
+ temp="${xtarget%%:*}"
 case "${temp%<*}" in
 ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE)
 ;;
@@ -2804,6 +2804,7 @@ process_actions2() {
 # multiport = String to invoke multiport match if appropriate
 # ratelimit = Optional rate limiting clause
 # userandgroup = -m owner match to limit the rule to a particular user and/or group
+# logtag = Log tag
 #
 add_nat_rule() {
 local chain
@@ -2891,7 +2892,7 @@ add_nat_rule() {
 else
 for adr in $(separate_list $addr); do
 if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \
+ log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
 $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
 fi
@@ -2930,7 +2931,7 @@ add_nat_rule() {
 for adr in $(separate_list $addr); do
 if [ -n "$loglevel" ]; then
 ensurenatchain $chain
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -t nat \
 $(fix_bang $proto $cli $sports -d $adr $multiport $dports)
 fi
@@ -2990,7 +2991,8 @@ add_nat_rule() {
 # chain = The canonical chain for this rule
 # ratelimit = Optional rate limiting clause
 # userandgroup= -m owner clause
-# userspec = User name
+# userspec = User name
+# logtag = Log tag
 #
 add_a_rule()
 {
@@ -3138,7 +3140,7 @@ add_a_rule()
 if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
 for adr in $(separate_list $addr); do
 if [ -n "$loglevel" -a -z "$natrule" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \
 $userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
 fi
@@ -3147,7 +3149,7 @@ add_a_rule()
 done
 else
 if [ -n "$loglevel" -a -z "$natrule" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
 $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
 fi
@@ -3158,7 +3160,7 @@ add_a_rule()
 done
 else
 if [ -n "$loglevel" -a -z "$natrule" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
 $(fix_bang $proto $sports $multiport $cli $dports)
 fi
@@ -3177,7 +3179,7 @@ add_a_rule()
 if [ $COMMAND != check ]; then
 if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
 $(fix_bang $proto $multiport $dest_interface $cli $sports $dports)
 fi
@@ -3213,6 +3215,7 @@ process_rule() # $1 = target
 local userspec="$9"
 local userandgroup=
 local rule="$(echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userspec)"
+ local logtag=
 # Function Body - isolate rate limit
@@ -3235,8 +3238,14 @@ process_rule() # $1 = target
 loglevel=
 else
 loglevel="${target#*:}"
- target="${target%:*}"
+ target="${target%%:*}"
 expandv loglevel
+ if [ "$loglevel" != "${loglevel%:*}" ]; then
+ logtag="${loglevel#*:}"
+ loglevel="${loglevel%:*}"
+ expandv logtag
+ fi
+
 fi
 #
 # Save the original target in 'logtarget' for logging rules
@@ -3532,7 +3541,7 @@ process_rules()
 }
 while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
- temp="${xtarget%:*}"
+ temp="${xtarget%%:*}"
 case "${temp%<*}" in
 ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
 do_it
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index a3f4f9949..2bc234b4d 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
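Review bot: The tag-splitting block added to process_rule duplicates the one added to process_action earlier in the patch character for character, including its lack of any check that the tag is alphanumeric as the documentation states; `logtag="${loglevel#*:}"` accepts a value containing a further colon and `loglevel="${loglevel%:*}"` then leaves that colon in the level as well (`info:a` for `info:a:b`). Factoring the four lines after `expandv loglevel` into one helper that sets `loglevel` and `logtag` from the colon-separated suffix, and rejects a tag that is not alphanumeric there, would give both callers the same behaviour and a single place to validate. The rest of process_rule lies outside the hunk.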
@@ -61,5 +61,26 @@ New Features:
 5) An updated bogons file is included in this release.
+6) In /etc/shorewall/rules and in action files generated from
+ /usr/share/shorewall/action.template, rules that perform logging can
+ specify an optional "log tag". A log tag is a string of alphanumeric
+ characters and is specified by following the log level with ":" and
+ the log tag.
+
+ Example:
+
+ ACCEPT:info:ftp net dmz tcp 21
+
+ The log tag is appended to the log prefix generated by the LOGPREFIX
+ variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log
+ prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will
+ generate "Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank).
+ The maximum length of a log prefix supported by iptables is 29
+ characters; if a larger prefix is generated, Shorewall will issue a
+ warning message and will truncate the prefix to 29 characters.
+
+
+
+
diff --git a/Shorewall2/rules b/Shorewall2/rules
index 3d4adb7c5..8ab04e2b2 100755
--- a/Shorewall2/rules
+++ b/Shorewall2/rules
@@ -70,6 +70,15 @@
 # to a separate log through use of ulogd
 # (http://www.gnumonks.org/projects/ulogd).
 #
+# Actions specifying logging may be followed by a
+# logtag (a string of alphanumeric characters)
+# are appended to the string generated by the
+# LOGPREFIX (in /etc/shorewall/shorewall.conf).
+#
+# Example: ACCEPT:info:ftp would include 'ftp '
+# at the end of the log prefix generated by the
+# LOGPREFIX setting.
+#
 # SOURCE Source hosts to which the rule applies. May be a zone
 # defined in /etc/shorewall/zones, $FW to indicate the
 # firewall itself, or "all" If the ACTION is DNAT or
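Review bot: The comment added to the rules file is a run-on — `may be followed by a logtag (a string of alphanumeric characters) are appended to the string generated by the LOGPREFIX` never says what `are appended` refers to — so it should read `# logtag (a string of alphanumeric characters) which` / `# is appended to the log prefix generated by the` on the second and third lines. The firewall script in this patch derives the prefix from `$LOGFORMAT`, and if that is the shorewall.conf setting's real name, telling users to look at `LOGPREFIX` here points them at a variable that does not exist — please confirm against shorewall.conf. It would also be worth saying here that a prefix longer than 29 characters is truncated with a warning, since that is where a long tag will bite and the rules file is what users actually read.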