Allow logging from the RAW table

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2013-12-31 11:04:43 -08:00
parent 11e61ec6e5
commit ac6a506e35
3 changed files with 199 additions and 40 deletions


@ -81,32 +81,51 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT; fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
} }
my $target = $action; my $disposition = $action;
my $exception_rule = ''; my $exception_rule = '';
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} ); my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
my $level = '';
if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
$action = join( ":" , 'LOG', $action );
}
if ( $action eq 'NOTRACK' ) { if ( $action eq 'NOTRACK' ) {
# #
# A patch that deimplements the NOTRACK target has been posted on the # A patch that deimplements the NOTRACK target has been posted on the
# Netfilter development list # Netfilter development list
# #
$action = 'CT --notrack' if have_capability 'CT_TARGET'; if ( have_capability 'CT_TARGET' ) {
} elsif ( $action ne 'DROP' ) { $action = 'CT --notrack';
( $target, my ( $option, $args, $junk ) ) = split ':', $action, 4; $disposition = 'notrack';
}
} elsif ( $action =~ /^(DROP|LOG)(:(.+))?$/ ) {
if ( $2 ) {
validate_level( $level = $3 );
$action = $1;
$disposition = $1;
}
} else {
( $disposition, my ( $option, $args ), $level ) = split ':', $action, 4;
fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT'; fatal_error "Invalid notrack ACTION ( $action )" if $disposition ne 'CT';
validate_level( $level ) if supplied $level;
require_capability 'CT_TARGET', 'CT entries in the conntrack file', ''; require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
if ( $option eq 'notrack' ) { if ( $option eq 'notrack' ) {
fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args; fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
$action = 'CT --notrack'; $action = 'CT --notrack';
$disposition = 'notrack';
} else { } else {
fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args; fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
if ( $option eq 'helper' ) { if ( $option eq 'helper' ) {
my $modifiers = ''; my $modifiers = '';
$disposition = "helper";
if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) { if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
$args = $1; $args = $1;
$modifiers = $2; $modifiers = $2;
@ -149,8 +168,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
$dest , $dest ,
'' , '' ,
$action , $action ,
'' , $level || '' ,
$target , $disposition ,
$exception_rule ); $exception_rule );
progress_message " Conntrack rule \"$currentline\" $done"; progress_message " Conntrack rule \"$currentline\" $done";
@ -224,6 +243,8 @@ sub process_format( $ ) {
sub setup_conntrack() { sub setup_conntrack() {
$format = 1;
for my $name ( qw/notrack conntrack/ ) { for my $name ( qw/notrack conntrack/ ) {
my $fn = open_file( $name, 3 , 1 ); my $fn = open_file( $name, 3 , 1 );
@ -271,11 +292,11 @@ sub setup_conntrack() {
} }
} elsif ( $action =~ s/:O$// ) { } elsif ( $action =~ s/:O$// ) {
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ); process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) { } elsif ( $action =~ s/:OP$// || $action =~ s/:PO// ) {
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ); process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ); process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} else { } else {
$action =~ s/:P//; $action =~ s/:P$//;
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ); process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} }
} }
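Review bot: A log level on NOTRACK or CT:notrack, which the manpage hunks in this same commit document as valid, is rejected by the new parsing in the first hunk: `NOTRACK:info` fails the `$action eq 'NOTRACK'` test and falls through to the `else` branch, where `$disposition ne 'CT'` raises "Invalid notrack ACTION", and `CT:notrack:info` is split so that the level lands in `$args`, which the `notrack` branch then reports as "Invalid conntrack ACTION". Only DROP, LOG and the four-field CT:helper form actually carry a level through to `$level`. The NOTRACK test should accept an optional `:level` suffix, and in the CT branch a third field on `CT:notrack` should be moved into `$level` before the existing `validate_level( $level ) if supplied $level;` line, as sketched below (this assumes `supplied` is false for undef, as the existing `supplied $args` check relies on). Separately, `$1`/`$3` are read after the `validate_level( $level = $3 )` call in the DROP/LOG branch; copying the captures into lexicals first would make that ordering robust to later edits. process_conntrack_rule starts and continues outside the hunk, so the helper branch and the expand_rule call that consume `$level` are not visible here.
```perl
if ( $action =~ /^NOTRACK(?::(.+))?$/ ) {
    my $notrack_level = $1;
    $action = $disposition = 'NOTRACK';
    validate_level( $level = $notrack_level ) if supplied $notrack_level;
    if ( have_capability 'CT_TARGET' ) {
        $action = 'CT --notrack';
        $disposition = 'notrack';
    }
} elsif ( $action =~ /^(DROP|LOG)(:(.+))?$/ ) {
    # … unchanged: DROP/LOG level handling …
} else {
    ( $disposition, my ( $option, $args ), $level ) = split ':', $action, 4;
    fatal_error "Invalid notrack ACTION ( $action )" if $disposition ne 'CT';
    # CT:notrack:<level> has no option argument; its third field is the log level
    ( $level, $args ) = ( $args, undef ) if $option eq 'notrack' && supplied $args && ! supplied $level;
    validate_level( $level ) if supplied $level;
    # … unchanged: require_capability and the notrack/helper branches …
```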


@ -88,7 +88,7 @@
role="bold">NOTRACK</emphasis>|<emphasis role="bold">NOTRACK</emphasis>|<emphasis
role="bold">CT</emphasis>:<emphasis role="bold">CT</emphasis>:<emphasis
role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
role="bold">CT:notrack</emphasis>|DROP}[:<replaceable>chain-designator</replaceable>]</term> role="bold">CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
<listitem> <listitem>
<para>This column is only present when FORMAT &gt;= 2. Values other <para>This column is only present when FORMAT &gt;= 2. Values other
@ -100,23 +100,19 @@
<para><option>NOTRACK</option> or <para><option>NOTRACK</option> or
<option>CT:notrack</option></para> <option>CT:notrack</option></para>
<para>Disables connection tracking for this packet.</para> <para>Disables connection tracking for this packet. If a
<replaceable>log-level</replaceable> is specified, the packet
will also be logged at that level.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><option>DROP</option></para> <para><option>CT:helper</option>:<replaceable>name</replaceable></para>
<para>Added in Shorewall 4.5.10. Silently discard the
packet.</para>
</listitem>
<listitem>
<para><option>helper</option>:<replaceable>name</replaceable></para>
<para>Attach the helper identified by the <para>Attach the helper identified by the
<replaceable>name</replaceable> to this connection. This is more <replaceable>name</replaceable> to this connection. This is more
flexible than loading the conntrack helper with preset flexible than loading the conntrack helper with preset ports. If
ports.</para> a <replaceable>log-level</replaceable> is specified, the packet
will also be logged at that level.</para>
<para>At this writing, the available helpers are:</para> <para>At this writing, the available helpers are:</para>
@ -175,14 +171,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term></term>
<listitem>
<para></para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>sane</term> <term>sane</term>
@ -253,6 +241,39 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem> </listitem>
<listitem>
<para><option>DROP</option></para>
<para>Added in Shorewall 4.5.10. Silently discard the packet. If
a <replaceable>log-level</replaceable> is specified, the packet
will also be logged at that level.</para>
</listitem>
<listitem>
<para><option>LOG</option></para>
<para>Added in Shoreawll 4.6.0. Logs the packet using the
specified <replaceable>log-level</replaceable> and<replaceable>
log-tag </replaceable>(if any). If no log-level is specified,
then 'info' is assumed.</para>
</listitem>
<listitem>
<para><option>NFLOG</option></para>
<para>Added in Shoreawll 4.6.0. Queues the packet to a backend
logging daemon using the NFLOG netfilter target with the
specified <replaceable>nflog-parameters</replaceable>.</para>
</listitem>
<listitem>
<para><option>ULOG</option></para>
<para>Added in Shoreawll 4.6.0. Queues the packet to a backend
logging daemon using the ULOG netfilter target with the
specified <replaceable>ulog-parameters</replaceable>.</para>
</listitem>
</itemizedlist> </itemizedlist>
<para>When FORMAT = 1, this column is not present and the rule is <para>When FORMAT = 1, this column is not present and the rule is


@ -88,7 +88,7 @@
role="bold">NOTRACK</emphasis>|<emphasis role="bold">NOTRACK</emphasis>|<emphasis
role="bold">CT</emphasis>:<emphasis role="bold">CT</emphasis>:<emphasis
role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
role="bold">CT:notrack</emphasis>|drop}[:<replaceable>chain-designator</replaceable>]</term> role="bold">CT:notrack</emphasis>|DROP|LOG|NFLOG(<replaceable>nflog-parameters</replaceable>)}[:<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
<listitem> <listitem>
<para>This column is only present when FORMAT &gt;= 2. Values other <para>This column is only present when FORMAT &gt;= 2. Values other
@ -100,14 +100,9 @@
<para><option>NOTRACK</option> or <para><option>NOTRACK</option> or
<option>CT:notrack</option></para> <option>CT:notrack</option></para>
<para>Disables connection tracking for this packet.</para> <para>Disables connection tracking for this packet. If a
</listitem> <replaceable>log-level</replaceable> is specified, the packet
will also be logged at that level.</para>
<listitem>
<para><option>DROP</option></para>
<para>Added in Shorewall 4.5.10. Silently discard the
packet.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -115,8 +110,105 @@
<para>Attach the helper identified by the <para>Attach the helper identified by the
<replaceable>name</replaceable> to this connection. This is more <replaceable>name</replaceable> to this connection. This is more
flexible than loading the conntrack helper with preset ports. flexible than loading the conntrack helper with preset ports. If
May be followed by an option list of a <replaceable>log-level</replaceable> is specified, the packet
will also be logged at that level.</para>
<para>At this writing, the available helpers are:</para>
<variablelist>
<varlistentry>
<term>amanda</term>
<listitem>
<para>Requires that the amanda netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ftp</term>
<listitem>
<para>Requires that the FTP netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>irc</term>
<listitem>
<para>Requires that the IRC netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>netbios-ns</term>
<listitem>
<para>Requires that the netbios_ns (sic) helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>RAS and Q.931</term>
<listitem>
<para>These require that the H323 netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>pptp</term>
<listitem>
<para>Requires that the pptp netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>sane</term>
<listitem>
<para>Requires that the SANE netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>sip</term>
<listitem>
<para>Requires that the SIP netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>snmp</term>
<listitem>
<para>Requires that the SNMP netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>tftp</term>
<listitem>
<para>Requires that the TFTP netfilter helper is
present.</para>
</listitem>
</varlistentry>
</variablelist>
<para>May be followed by an option list of
<replaceable>arg</replaceable>=<replaceable>val</replaceable> <replaceable>arg</replaceable>=<replaceable>val</replaceable>
pairs in parentheses:</para> pairs in parentheses:</para>
@ -149,6 +241,31 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem> </listitem>
<listitem>
<para><option>DROP</option></para>
<para>Added in Shorewall 4.5.10. Silently discard the packet. If
a <replaceable>log-level</replaceable> is specified, the packet
will also be logged at that level.</para>
</listitem>
<listitem>
<para><option>LOG</option></para>
<para>Added in Shoreawll 4.6.0. Logs the packet using the
specified <replaceable>log-level</replaceable> and<replaceable>
log-tag </replaceable>(if any). If no log-level is specified,
then 'info' is assumed.</para>
</listitem>
<listitem>
<para><option>NFLOG</option></para>
<para>Added in Shoreawll 4.6.0. Queues the packet to a backend
logging daemon using the NFLOG netfilter target with the
specified <replaceable>nflog-parameters</replaceable>.</para>
</listitem>
</itemizedlist> </itemizedlist>
<para>When FORMAT = 1, this column is not present and the rule is <para>When FORMAT = 1, this column is not present and the rule is