Add iptrace/noiptrace commands

This commit is contained in:
Tom Eastep 2009-06-17 12:03:05 -07:00
parent 08cfa6d19a
commit dcb4ca61a5
7 changed files with 180 additions and 10 deletions

View File

@ -14,6 +14,10 @@ Changes in Shorewall 4.4.0-Beta2
5) Add 'upnpclient' interface option.
6) Fix handling of optional interfaces.
7) Add 'iptrace' and 'noiptrace' command.
Changes in Shorewall 4.4.0-Beta1
1) Correct typo in Shorewall6 two-interface sample shorewall.conf.
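Review bot: the new changelog entry reads "Add 'iptrace' and 'noiptrace' command." but it names two commands; make it "commands" so it matches the wording used in the release notes hunk for the same change.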

View File

@ -149,6 +149,33 @@ None.
that, like all aspects of UPnP, this is a security hole so use this
option at your own risk.
2) 'iptrace' and 'noiptrace' commands have been added to both
/sbin/shorewall and /sbin/shorewall6.
These are low-level debugging commands that cause
iptables/ip6tables TRACE log messages to be generated. See 'man
iptables' and 'man ip6tables' for details.
The syntax for the commands is:
iptrace <iptables/ip6tables match expression>
noiptrace <iptables/ip6tables match expression>
iptrace starts the trace; noiptrace turns it off.
The match expression must be an expression that is legal in both
the raw table OUTPUT and PREROUTING chains.
Examaple:
To trace all packets desinted for IP address 206.124.146.176:
shorewall iptrace -d 206.124.146.176
To turn that trace off:
shorewall noiptrace -d 206.124.146.176
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 4
----------------------------------------------------------------------------
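Review bot: the added release-notes text has two typos, "Examaple:" and "desinted" (should read "Example:" and "destined"). The text would also benefit from stating where the output goes and what it costs: TRACE records are written to the kernel log through the LOG backend, one line for every rule a matching packet traverses, so a broad expression (or none at all) will flood the log on a busy host; the narrow `-d 206.124.146.176` example is the right pattern to show. Finally, since the expression is passed straight to iptables/ip6tables, it is worth saying that `noiptrace` must be given the identical expression, or the rule delete will fail.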

View File

@ -1454,10 +1454,12 @@ usage() # $1 = exit status
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
echo " ipdecimal { <address> | <integer> }"
echo " iprange <address>-<address>"
echo " iptrace <iptables match expression>"
echo " load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
echo " logdrop <address> ..."
echo " logreject <address> ..."
echo " logwatch [<refresh interval>]"
echo " noiptrace <iptables match expression>"
echo " refresh [ <chain>... ]"
echo " reject <address> ..."
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
@ -2012,6 +2014,26 @@ case "$COMMAND" in
shift
safe_commands $@
;;
iptrace)
get_config
shift
if shorewall_is_started ; then
$IPTABLES -t raw -A PREROUTING $@ -j TRACE
$IPTABLES -t raw -A OUTPUT $@ -j TRACE
else
fatal_error "Shorewall is not started"
fi
;;
noiptrace)
get_config
shift
if shorewall_is_started ; then
$IPTABLES -t raw -D PREROUTING $@ -j TRACE
$IPTABLES -t raw -D OUTPUT $@ -j TRACE
else
fatal_error "Shorewall is not started"
fi
;;
*)
usage 1
;;
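Review bot: `iptrace)` does not check that a match expression was supplied. After `shift`, an empty `$@` makes `$IPTABLES -t raw -A PREROUTING $@ -j TRACE` and the OUTPUT call add unconditional TRACE rules, logging every packet the host sends or receives for each rule it traverses; suggest `[ $# -gt 0 ] || fatal_error "No match expression given"` before the iptables calls. Two smaller points: the OUTPUT rule is added even when the PREROUTING call fails (an invalid expression leaves a trace in one chain only), so test the first call's status before running the second; and `-A` places the TRACE rule after Shorewall's own raw-table rules, so `-I` would be the safer choice if anything earlier in those chains can terminate traversal (`-D` in `noiptrace` is unaffected by position).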

View File

@ -1371,10 +1371,12 @@ usage() # $1 = exit status
echo " export [ <directory1> ] [<user>@]<system>[:<directory2>]"
echo " forget [ <file name> ]"
echo " help"
echo " iptrace <ip6tables match expression>"
echo " load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
echo " logdrop <address> ..."
echo " logreject <address> ..."
echo " logwatch [<refresh interval>]"
echo " noiptrace <ip6tables match expression>"
echo " refresh [ <chain>... ]"
echo " reject <address> ..."
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
@ -1857,7 +1859,26 @@ case "$COMMAND" in
shift
safe_commands $@
;;
*)
iptrace)
get_config
shift
if shorewall_is_started ; then
$IP6TABLES -t raw -A PREROUTING $@ -j TRACE
$IP6TABLES -t raw -A OUTPUT $@ -j TRACE
else
fatal_error "Shorewall6 is not started"
fi
;;
noiptrace)
get_config
shift
if shorewall_is_started ; then
$IP6TABLES -t raw -D PREROUTING $@ -j TRACE
$IP6TABLES -t raw -D OUTPUT $@ -j TRACE
else
fatal_error "Shorewall6 is not started"
fi
;; *)
usage 1
;;
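Review bot: the same problems as in the /sbin/shorewall hunk apply here: no check that a match expression follows `iptrace`/`noiptrace`, and the OUTPUT rule is added or deleted regardless of whether the PREROUTING call succeeded. In addition, the hunk shows a `*)` line ahead of `iptrace)` and a combined `;; *)` at the end, which suggests the default case was moved; please confirm the resulting `case` statement is well formed and formatted like the shorewall version, with `;;` and `*)` on separate lines.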

View File

@ -119,11 +119,12 @@
<listitem>
<para>Set of hosts that you wish to masquerade. You can specify this
as an <emphasis>address</emphasis> (net or host) or as an
<emphasis>interface</emphasis> (use of an interface is deprecated).
If you give the name of an interface, the interface must be up
before you start the firewall and the Shorewall rules compiler will
warn you of that fact. (Shorewall will use your main routing table
to determine the appropriate addresses to masquerade).</para>
<emphasis>interface</emphasis> (use of an
<emphasis>interface</emphasis> is deprecated). If you give the name
of an interface, the interface must be up before you start the
firewall and the Shorewall rules compiler will warn you of that
fact. (Shorewall will use your main routing table to determine the
appropriate addresses to masquerade).</para>
<para>In order to exclude a address of the specified SOURCE, you may
append an <emphasis>exclusion</emphasis> ("!" and a comma-separated
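Review bot: this hunk only reflows the SOURCE paragraph of shorewall-masq(5) and adds emphasis around the second "interface"; it is unrelated to the iptrace change and would be easier to track in its own commit. While touching this paragraph, the following context line reads "exclude a address", which should be "an address".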

View File

@ -219,6 +219,19 @@
choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>iptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
@ -279,6 +292,19 @@
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>noiptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
@ -835,6 +861,19 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">iptrace</emphasis></term>
<listitem>
<para>This is a low-level debugging command that causes iptables
TRACE log records to be created. See iptables(8) for details.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one or more matches that may appear in both the raw table OUTPUT
and raw table PREROUTING chains.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">load</emphasis></term>
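Review bot: the iptrace entry should tell the reader where the trace appears and what it needs. Per iptables(8), TRACE output is produced by the ipt_LOG module and shows up in the kernel log with the prefix "TRACE:"; without that module loaded the rules are added but nothing is logged. It should also warn that every matching packet produces one record per rule traversed, so the match expression should be as narrow as possible.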
@ -919,6 +958,19 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">noiptrace</emphasis></term>
<listitem>
<para>This is a low-level debugging command that cancels a trace
started by a preceding <command>iptrace</command> command.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one given in the <command>iptrace</command> command being
cancelled.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">refresh</emphasis></term>
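Review bot: "must be one given in the iptrace command being cancelled" should read "must be the one given", and it is worth stating that the expression has to be identical, since the command removes the rule by its exact specification.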

View File

@ -144,6 +144,19 @@
<arg choice="plain"><option>help</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>iptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
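Review bot: this is the shorewall6(8) synopsis, so `<replaceable>iptables match expression</replaceable>` should say "ip6tables match expression", matching the usage text in /sbin/shorewall6.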
@ -204,6 +217,19 @@
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>noiptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
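Review bot: as with the iptrace synopsis above, the noiptrace synopsis for shorewall6 should read "ip6tables match expression" rather than "iptables match expression".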
@ -670,12 +696,16 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hits</emphasis></term>
<term><emphasis role="bold">iptrace</emphasis></term>
<listitem>
<para>Generates several reports from Shorewall6 log messages in the
current log file. If the <option>-t</option> option is included, the
reports are restricted to log messages generated today.</para>
<para>This is a low-level debugging command that causes iptables
TRACE log records to be created. See ip6tables(8) for
details.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one or more matches that may appear in both the raw table OUTPUT
and raw table PREROUTING chains.</para>
</listitem>
</varlistentry>
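Review bot: this hunk shows the `hits` and `iptrace` terms, and both their paragraphs, inside a single `<varlistentry>`. If the intent was to add a new iptrace entry, it must get its own `<varlistentry>`/`<listitem>` pair; as shown, either the hits documentation is being overwritten or the two entries are merged. Please check the resulting XML. Also, in shorewall6(8) the text "causes iptables TRACE log records" and "iptables match expression" should refer to ip6tables, as the ip6tables(8) reference in the same paragraph does.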
@ -763,6 +793,19 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">noiptrace</emphasis></term>
<listitem>
<para>This is a low-level debugging command that cancels a trace
started by a preceding <command>iptrace</command> command.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one given in the <command>iptrace</command> command being
cancelled.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">refresh</emphasis></term>
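Review bot: same two points as the shorewall(8) noiptrace entry: "must be one given" should read "must be the one given", and this being the shorewall6 page, "iptables match expression" should be "ip6tables match expression".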