Add iptrace/noiptrace commands
This commit is contained in:
parent
08cfa6d19a
commit
dcb4ca61a5
@ -14,6 +14,10 @@ Changes in Shorewall 4.4.0-Beta2
|
||||
|
||||
5) Add 'upnpclient' interface option.
|
||||
|
||||
6) Fix handling of optional interfaces.
|
||||
|
||||
7) Add 'iptrace' and 'noiptrace' command.
|
||||
|
||||
Changes in Shorewall 4.4.0-Beta1
|
||||
|
||||
1) Correct typo in Shorewall6 two-interface sample shorewall.conf.
|
||||
|
@ -149,6 +149,33 @@ None.
|
||||
that, like all aspects of UPnP, this is a security hole so use this
|
||||
option at your own risk.
|
||||
|
||||
2) 'iptrace' and 'noiptrace' commands have been added to both
|
||||
/sbin/shorewall and /sbin/shorewall6.
|
||||
|
||||
These are low-level debugging commands that cause
|
||||
iptables/ip6tables TRACE log messages to be generated. See 'man
|
||||
iptables' and 'man ip6tables' for details.
|
||||
|
||||
The syntax for the commands is:
|
||||
|
||||
iptrace <iptables/ip6tables match expression>
|
||||
noiptrace <iptables/ip6tables match expression>
|
||||
|
||||
iptrace starts the trace; noiptrace turns it off.
|
||||
|
||||
The match expression must be an expression that is legal in both
|
||||
the raw table OUTPUT and PREROUTING chains.
|
||||
|
||||
Examaple:
|
||||
|
||||
To trace all packets desinted for IP address 206.124.146.176:
|
||||
|
||||
shorewall iptrace -d 206.124.146.176
|
||||
|
||||
To turn that trace off:
|
||||
|
||||
shorewall noiptrace -d 206.124.146.176
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
N E W F E A T U R E S IN 4 . 4
|
||||
----------------------------------------------------------------------------
|
||||
|
@ -1454,10 +1454,12 @@ usage() # $1 = exit status
|
||||
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
|
||||
echo " ipdecimal { <address> | <integer> }"
|
||||
echo " iprange <address>-<address>"
|
||||
echo " iptrace <iptables match expression>"
|
||||
echo " load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
|
||||
echo " logdrop <address> ..."
|
||||
echo " logreject <address> ..."
|
||||
echo " logwatch [<refresh interval>]"
|
||||
echo " noiptrace <iptables match expression>"
|
||||
echo " refresh [ <chain>... ]"
|
||||
echo " reject <address> ..."
|
||||
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
|
||||
@ -2012,6 +2014,26 @@ case "$COMMAND" in
|
||||
shift
|
||||
safe_commands $@
|
||||
;;
|
||||
iptrace)
|
||||
get_config
|
||||
shift
|
||||
if shorewall_is_started ; then
|
||||
$IPTABLES -t raw -A PREROUTING $@ -j TRACE
|
||||
$IPTABLES -t raw -A OUTPUT $@ -j TRACE
|
||||
else
|
||||
fatal_error "Shorewall is not started"
|
||||
fi
|
||||
;;
|
||||
noiptrace)
|
||||
get_config
|
||||
shift
|
||||
if shorewall_is_started ; then
|
||||
$IPTABLES -t raw -D PREROUTING $@ -j TRACE
|
||||
$IPTABLES -t raw -D OUTPUT $@ -j TRACE
|
||||
else
|
||||
fatal_error "Shorewall is not started"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
|
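Review bot: The two `$IPTABLES` calls in the new `iptrace` arm run unconditionally, so a match expression that iptables rejects in PREROUTING is still appended to OUTPUT, and a later `noiptrace` then deletes one rule and fails on the other; chaining them as `$IPTABLES -t raw -A PREROUTING "$@" -j TRACE && $IPTABLES -t raw -A OUTPUT "$@" -j TRACE` (and the same for the `-D` pair in `noiptrace`) keeps the two chains in step and makes the iptables error the command's exit status. Quoting `"$@"` also preserves a match argument that contains spaces, such as a `--comment` string, though the unquoted form does match the existing `safe_commands $@` line and may be a deliberate convention in this file. A comment above the arm should say that every `iptrace` appends a fresh pair of TRACE rules that persist until `noiptrace` is run with the identical expression or the firewall is restarted, and that a broad expression logs every rule traversal of every matching packet, which can flood the kernel log on a busy host. The `case "$COMMAND"` statement these arms belong to starts and ends outside the hunk.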
@ -1371,10 +1371,12 @@ usage() # $1 = exit status
|
||||
echo " export [ <directory1> ] [<user>@]<system>[:<directory2>]"
|
||||
echo " forget [ <file name> ]"
|
||||
echo " help"
|
||||
echo " iptrace <ip6tables match expression>"
|
||||
echo " load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
|
||||
echo " logdrop <address> ..."
|
||||
echo " logreject <address> ..."
|
||||
echo " logwatch [<refresh interval>]"
|
||||
echo " noiptrace <ip6tables match expression>"
|
||||
echo " refresh [ <chain>... ]"
|
||||
echo " reject <address> ..."
|
||||
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
|
||||
@ -1857,7 +1859,26 @@ case "$COMMAND" in
|
||||
shift
|
||||
safe_commands $@
|
||||
;;
|
||||
*)
|
||||
iptrace)
|
||||
get_config
|
||||
shift
|
||||
if shorewall_is_started ; then
|
||||
$IP6TABLES -t raw -A PREROUTING $@ -j TRACE
|
||||
$IP6TABLES -t raw -A OUTPUT $@ -j TRACE
|
||||
else
|
||||
fatal_error "Shorewall6 is not started"
|
||||
fi
|
||||
;;
|
||||
noiptrace)
|
||||
get_config
|
||||
shift
|
||||
if shorewall_is_started ; then
|
||||
$IP6TABLES -t raw -D PREROUTING $@ -j TRACE
|
||||
$IP6TABLES -t raw -D OUTPUT $@ -j TRACE
|
||||
else
|
||||
fatal_error "Shorewall6 is not started"
|
||||
fi
|
||||
;; *)
|
||||
usage 1
|
||||
;;
|
||||
|
||||
|
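Review bot: As rendered, the `noiptrace` arm's closing `;;` and the default `*)` label land on a single line (`;; *)`), unlike every other arm in this `case` and unlike the IPv4 script; that is legal shell but the terminator is easy to overlook when the next arm is added, so split it back into `;;` on its own line followed by `*)`. The two `$IP6TABLES` calls in each arm also run unconditionally, so an expression rejected in PREROUTING is still appended to (or deleted from) OUTPUT; chaining them with `&&` keeps the two chains in step and surfaces the ip6tables error as the command's status, and `"$@"` would preserve match arguments containing spaces, although the unquoted form matches the surrounding `safe_commands $@` line and may be intentional. The enclosing `case "$COMMAND"` statement starts and ends outside the hunk.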
@ -119,11 +119,12 @@
|
||||
<listitem>
|
||||
<para>Set of hosts that you wish to masquerade. You can specify this
|
||||
as an <emphasis>address</emphasis> (net or host) or as an
|
||||
<emphasis>interface</emphasis> (use of an interface is deprecated).
|
||||
If you give the name of an interface, the interface must be up
|
||||
before you start the firewall and the Shorewall rules compiler will
|
||||
warn you of that fact. (Shorewall will use your main routing table
|
||||
to determine the appropriate addresses to masquerade).</para>
|
||||
<emphasis>interface</emphasis> (use of an
|
||||
<emphasis>interface</emphasis> is deprecated). If you give the name
|
||||
of an interface, the interface must be up before you start the
|
||||
firewall and the Shorewall rules compiler will warn you of that
|
||||
fact. (Shorewall will use your main routing table to determine the
|
||||
appropriate addresses to masquerade).</para>
|
||||
|
||||
<para>In order to exclude a address of the specified SOURCE, you may
|
||||
append an <emphasis>exclusion</emphasis> ("!" and a comma-separated
|
||||
|
@ -219,6 +219,19 @@
|
||||
choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>iptrace</option></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>iptables match
|
||||
expression</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
@ -279,6 +292,19 @@
|
||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>noiptrace</option></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>iptables match
|
||||
expression</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
@ -835,6 +861,19 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">iptrace</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This is a low-level debugging command that causes iptables
|
||||
TRACE log records to be created. See iptables(8) for details.</para>
|
||||
|
||||
<para>The <replaceable>iptables match expression</replaceable> must
|
||||
be one or more matches that may appear in both the raw table OUTPUT
|
||||
and raw table PREROUTING chains.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">load</emphasis></term>
|
||||
|
||||
@ -919,6 +958,19 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">noiptrace</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This is a low-level debugging command that cancels a trace
|
||||
started by a preceding <command>iptrace</command> command.</para>
|
||||
|
||||
<para>The <replaceable>iptables match expression</replaceable> must
|
||||
be one given in the <command>iptrace</command> command being
|
||||
cancelled.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">refresh</emphasis></term>
|
||||
|
||||
|
@ -144,6 +144,19 @@
|
||||
<arg choice="plain"><option>help</option></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>iptrace</option></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>iptables match
|
||||
expression</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
@ -204,6 +217,19 @@
|
||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>noiptrace</option></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>iptables match
|
||||
expression</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
@ -670,12 +696,16 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">hits</emphasis></term>
|
||||
<term><emphasis role="bold">iptrace</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Generates several reports from Shorewall6 log messages in the
|
||||
current log file. If the <option>-t</option> option is included, the
|
||||
reports are restricted to log messages generated today.</para>
|
||||
<para>This is a low-level debugging command that causes iptables
|
||||
TRACE log records to be created. See ip6tables(8) for
|
||||
details.</para>
|
||||
|
||||
<para>The <replaceable>iptables match expression</replaceable> must
|
||||
be one or more matches that may appear in both the raw table OUTPUT
|
||||
and raw table PREROUTING chains.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -763,6 +793,19 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">noiptrace</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This is a low-level debugging command that cancels a trace
|
||||
started by a preceding <command>iptrace</command> command.</para>
|
||||
|
||||
<para>The <replaceable>iptables match expression</replaceable> must
|
||||
be one given in the <command>iptrace</command> command being
|
||||
cancelled.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">refresh</emphasis></term>
|
||||
|
||||
|
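Review bot: The new `iptrace` entry replaces the existing `hits` entry instead of being added beside it: the `<term>` line for `hits` and its "Generates several reports…" paragraph appear as the old side, and the hunk header shows the block growing by only four lines, so the shorewall6(8) page loses its documentation of the `hits` command. Restore the `hits` varlistentry with its original paragraph and insert the `iptrace` varlistentry after it, as the shorewall(8) page in this same commit does. Within the new entry, `causes iptables TRACE log records` and `<replaceable>iptables match expression</replaceable>` should read `ip6tables` on the shorewall6 page, consistent with the `See ip6tables(8)` reference that follows; the two new `<cmdsynopsis>` blocks earlier in this file carry the same `iptables match expression` wording.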