extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-25 04:01:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

Implement Log Tags

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1272 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-04-20 21:47:49 +00:00
parent 3f4d4111ed
commit a29ff62fbe
4 changed files with 94 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Shorewall2/action.template
View File

@ -42,6 +42,15 @@
# to a separate log through use of ulogd # to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd). # (http://www.gnumonks.org/projects/ulogd).
# #
# Actions specifying logging may be followed by a
# logtag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. # SOURCE Source hosts to which the rule applies.
# A comma-separated list of subnets # A comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC # and/or hosts. Hosts may be specified by IP or MAC

81
Shorewall2/firewall
View File

@ -1071,53 +1071,45 @@ run_user_exit() # $1 = file name
# #
# Add a logging rule. # Add a logging rule.
# #
log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limit $... = predicates for the rule log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limit $5=log tag $... = predicates for the rule
{ {
local level=$1 local level=$1
local chain=$2 local chain=$2
local disposition=$3 local disposition=$3
local rulenum= local rulenum=
local limit="${4:-$LOGLIMIT}" local limit="${4:-$LOGLIMIT}"
local tag=$5
local prefix
shift;shift;shift;shift shift;shift;shift;shift;shift
if [ -n "$LOGRULENUMBERS" ]; then if [ -n "$LOGRULENUMBERS" ]; then
eval rulenum=\$${chain}_logrules eval rulenum=\$${chain}_logrules
[ -z "$rulenum" ] && rulenum=1 [ -z "$rulenum" ] && rulenum=1
case $level in prefix="$(printf "$LOGFORMAT" $chain $rulenum $disposition)${tag:+$tag }"
ULOG)
eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"'
;;
*)
eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \
--log-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"'
;;
esac
if [ $? -ne 0 ] ; then
[ -z "$stopping" ] && { stop_firewall; exit 2; }
fi
rulenum=$(($rulenum + 1))
eval ${chain}_logrules=$rulenum
else else
prefix="$(printf "$LOGFORMAT" $chain $disposition)${tag:+$tag }"
fi
if [ ${#prefix} -gt 29 ]; then
prefix="$(echo $prefix | cut -b -29)"
error_message "Warning: Log Prefix shortened to \"$prefix\""
fi
case $level in case $level in
ULOG) ULOG)
eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"' iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;; ;;
*) *)
eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \ iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
--log-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"'
;; ;;
esac esac
if [ $? -ne 0 ] ; then if [ $? -ne 0 ] ; then
[ -z "$stopping" ] && { stop_firewall; exit 2; } [ -z "$stopping" ] && { stop_firewall; exit 2; }
fi fi
fi
} }
log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
@ -1128,7 +1120,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
shift;shift;shift shift;shift;shift
log_rule_limit $level $chain $disposition "$LOGLIMIT" $@ log_rule_limit $level $chain $disposition "$LOGLIMIT" "" $@
} }
# #
@ -2322,6 +2314,7 @@ refresh_tc() {
# action = The chain for this rule # action = The chain for this rule
# ratelimit = Optional rate limiting clause # ratelimit = Optional rate limiting clause
# userandgroup = owner match clause # userandgroup = owner match clause
# logtag = Log tag
# #
add_an_action() add_an_action()
{ {
@ -2428,7 +2421,7 @@ add_an_action()
for serv1 in $(separate_list $serv); do for serv1 in $(separate_list $serv); do
for srv in $(ip_range $serv1); do for srv in $(ip_range $serv1); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \ log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logtag" $userandgroup \
$(fix_bang $proto $sports $multiport $cli -d $srv $dports) $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi fi
@ -2438,7 +2431,7 @@ add_an_action()
done done
else else
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \ log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logtag" $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dports) $(fix_bang $proto $sports $multiport $cli $dports)
fi fi
@ -2472,6 +2465,7 @@ process_action() # $1 = action
local userspec="$9" local userspec="$9"
local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit)" local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit)"
local userandgroup= local userandgroup=
local logtag=
if [ -n "$ratelimit" ]; then if [ -n "$ratelimit" ]; then
case $ratelimit in case $ratelimit in
@ -2525,8 +2519,14 @@ process_action() # $1 = action
loglevel= loglevel=
else else
loglevel="${target#*:}" loglevel="${target#*:}"
target="${target%:*}" target="${target%%:*}"
expandv loglevel expandv loglevel
if [ "$loglevel" != "${loglevel%:*}" ]; then
logtag="${loglevel#*:}"
loglevel="${loglevel%:*}"
expandv logtag
fi
fi fi
logtarget="$target" logtarget="$target"
@ -2678,7 +2678,7 @@ process_actions1() {
strip_file $f $fn strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
expandv xtarget expandv xtarget
temp="${xtarget%:*}" temp="${xtarget%%:*}"
case "${temp%<*}" in case "${temp%<*}" in
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE)
;; ;;
@ -2804,6 +2804,7 @@ process_actions2() {
# multiport = String to invoke multiport match if appropriate # multiport = String to invoke multiport match if appropriate
# ratelimit = Optional rate limiting clause # ratelimit = Optional rate limiting clause
# userandgroup = -m owner match to limit the rule to a particular user and/or group # userandgroup = -m owner match to limit the rule to a particular user and/or group
# logtag = Log tag
# #
add_nat_rule() { add_nat_rule() {
local chain local chain
@ -2891,7 +2892,7 @@ add_nat_rule() {
else else
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \ log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
$(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports) $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
fi fi
@ -2930,7 +2931,7 @@ add_nat_rule() {
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
ensurenatchain $chain ensurenatchain $chain
log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -t nat \
$(fix_bang $proto $cli $sports -d $adr $multiport $dports) $(fix_bang $proto $cli $sports -d $adr $multiport $dports)
fi fi
@ -2991,6 +2992,7 @@ add_nat_rule() {
# ratelimit = Optional rate limiting clause # ratelimit = Optional rate limiting clause
# userandgroup= -m owner clause # userandgroup= -m owner clause
# userspec = User name # userspec = User name
# logtag = Log tag
# #
add_a_rule() add_a_rule()
{ {
@ -3138,7 +3140,7 @@ add_a_rule()
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \
$userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports) $userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi fi
@ -3147,7 +3149,7 @@ add_a_rule()
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
$(fix_bang $proto $sports $multiport $cli -d $srv $dports) $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi fi
@ -3158,7 +3160,7 @@ add_a_rule()
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dports) $(fix_bang $proto $sports $multiport $cli $dports)
fi fi
@ -3177,7 +3179,7 @@ add_a_rule()
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
$(fix_bang $proto $multiport $dest_interface $cli $sports $dports) $(fix_bang $proto $multiport $dest_interface $cli $sports $dports)
fi fi
@ -3213,6 +3215,7 @@ process_rule() # $1 = target
local userspec="$9" local userspec="$9"
local userandgroup= local userandgroup=
local rule="$(echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userspec)" local rule="$(echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userspec)"
local logtag=
# Function Body - isolate rate limit # Function Body - isolate rate limit
@ -3235,8 +3238,14 @@ process_rule() # $1 = target
loglevel= loglevel=
else else
loglevel="${target#*:}" loglevel="${target#*:}"
target="${target%:*}" target="${target%%:*}"
expandv loglevel expandv loglevel
if [ "$loglevel" != "${loglevel%:*}" ]; then
logtag="${loglevel#*:}"
loglevel="${loglevel%:*}"
expandv logtag
fi
fi fi
# #
# Save the original target in 'logtarget' for logging rules # Save the original target in 'logtarget' for logging rules
@ -3532,7 +3541,7 @@ process_rules()
} }
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
temp="${xtarget%:*}" temp="${xtarget%%:*}"
case "${temp%<*}" in case "${temp%<*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
do_it do_it

21
Shorewall2/releasenotes.txt
View File

@ -61,5 +61,26 @@ New Features:
5) An updated bogons file is included in this release. 5) An updated bogons file is included in this release.
6) In /etc/shorewall/rules and in action files generated from
/usr/share/shorewall/action.template, rules that perform logging can
specify an optional "log tag". A log tag is a string of alphanumeric
characters and is specified by following the log level with ":" and
the log tag.
Example:
ACCEPT:info:ftp net dmz tcp 21
The log tag is appended to the log prefix generated by the LOGPREFIX
variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log
prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will
generate "Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank).
The maximum length of a log prefix supported by iptables is 29
characters; if a larger prefix is generated, Shorewall will issue a
warning message and will truncate the prefix to 29 characters.

9
Shorewall2/rules
View File

@ -70,6 +70,15 @@
# to a separate log through use of ulogd # to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd). # (http://www.gnumonks.org/projects/ulogd).
# #
# Actions specifying logging may be followed by a
# logtag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. May be a zone # SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the # defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or # firewall itself, or "all" If the ACTION is DNAT or