From e33573eff9d24f41e7b6961830d7be52470cf403 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 21 May 2003 21:36:05 +0000 Subject: [PATCH] Change LOGMARKER/LOGFORMAT Implementation git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@566 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 3 + Shorewall/firewall | 179 ++++++++++++++++--------------------- Shorewall/releasenotes.txt | 7 ++ Shorewall/shorewall | 18 ++-- Shorewall/shorewall.conf | 19 ++-- 5 files changed, 113 insertions(+), 113 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index c8972d1cb..7fc863e5c 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -2,3 +2,6 @@ Changes since 1.4.3a 1. Implement REDIRECT-. +2. Change LOGMARKER to a printf mask and allow embedded spaces. Renamed + it LOGFORMAT to avoid confusion. + diff --git a/Shorewall/firewall b/Shorewall/firewall index 80d17cbaf..96dc32d09 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -904,6 +904,40 @@ run_user_exit() # $1 = file name fi } +# +# Add a logging rule. +# +log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule +{ + local level=$1 + local chain=$2 + local disposition=$3 + local rulenum= + + shift;shift;shift + + eval rulenum=\$${chain}_logrules + + [ -z "$rulenum" ] && rulenum=1 + + case $level in + ULOG) + eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"' + ;; + *) + eval iptables -A $chain $@ -j LOG $LOGPARMS --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"' + ;; + esac + + if [ $? -ne 0 ] ; then + [ -z "$stopping" ] && { stop_firewall; exit 2; } + fi + + rulenum=$(($rulenum + 1)) + + eval ${chain}_logrules=$rulenum +} + # # Stop the Firewall # 
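Review bot: The `*)` arm of log_rule drops the log level: every call site this commit replaces passed `--log-level <level>` to the LOG target, but the new arm emits only `-j LOG $LOGPARMS --log-prefix ...`, so the `level` argument is accepted and then ignored and the kernel default level applies; insert `--log-level $level` between `$LOGPARMS` and `--log-prefix` in that arm (the ULOG arm is right as it is, since ULOG has no level option). Two points deserve a comment above the two eval lines: LOGFORMAT is expanded inside the eval'd command substitution, so a template containing a double quote or a backtick breaks the command line rather than just the prefix, and the LOG target refuses prefixes longer than 29 characters (ULOG: 32), which the added rule number plus a long chain name can now exceed, and a rejected rule here stops the firewall through the `$? -ne 0` check. The function is complete within the hunk.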
@@ -1281,18 +1315,6 @@ setup_mac_lists() { fi done < $TMP_DIR/maclist # - # Setup Logging variables - # - if [ -n "$MACLIST_LOG_LEVEL" ]; then - if [ "$MACLIST_LOG_LEVEL" = ULOG ]; then - logpart="-j ULOG $LOGPARMS --ulog-prefix" - else - logpart="-j LOG $LOGPARMS --log-level $MACLIST_LOG_LEVEL --log-prefix" - fi - else - logpart= - fi - # # Must take care of our own broadcasts and multicasts then terminate the verification # chains # @@ -1322,8 +1344,9 @@ setup_mac_lists() { shift done - [ -n "$logpart" ] && \ - run_iptables -A $chain $logpart "${LOGMARKER}$chain:$MACLIST_DISPOSITION:" + if [ -n "$MACLIST_LOG_LEVEL" ]; then + log_rule $MACLIST_LOG_LEVEL $chain $MACLIST_DISPOSITION + fi run_iptables -A $chain -j $maclist_target done @@ -2017,21 +2040,11 @@ add_a_rule() if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then serv="${serv:+-d $serv}" - if [ -n "$loglevel" ]; then - if [ "$loglevel" = ULOG ]; then - run_iptables2 -A $chain $proto $multiport \ - $state $cli $sports $serv $dports -j ULOG $LOGPARMS \ - --ulog-prefix "${LOGMARKER}$chain:$logtarget:" - else - run_iptables2 -A $chain $proto $multiport \ - $state $cli $sports $serv $dports -j LOG $LOGPARMS \ - --log-prefix "${LOGMARKER}$chain:$logtarget:" \ - --log-level $loglevel - fi + log_rule $loglevel $chain $logtarget \ + `fix_bang $proto $sports $multiport $state $cli $serv $dports` fi - run_iptables2 -A $chain $proto $multiport $state $cli $sports \ $serv $dports -j $target fi 
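Review bot: In the add_a_rule hunk at @@ -2017 the predicate list handed to fix_bang for the logging rule is ordered `$proto $sports $multiport $state $cli $serv $dports`, while the `run_iptables2 ... -j $target` line kept directly below it (and both removed branches) use `$proto $multiport $state $cli $sports $serv $dports`. The two rules are meant to match the same packets, so they should be built from the same argument order; if `$sports` can expand to a multiport `--sports` list, `-m multiport` has to precede it, and the log rule would then fail where the accept rule succeeds. Suggested: `` `fix_bang $proto $multiport $state $cli $sports $serv $dports` ``. add_a_rule starts and ends outside this hunk.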
@@ -2046,16 +2059,8 @@ add_a_rule() if [ $command != check ]; then if [ -n "$loglevel" ]; then - if [ "$loglevel" = ULOG ]; then - run_iptables2 -A $chain $proto $multiport \ - $dest_interface $state $cli $sports $dports -j ULOG \ - $LOGPARMS --ulog-prefix "${LOGMARKER}$chain:$logtarget:" - else - run_iptables2 -A $chain $proto $multiport \ - $dest_interface $state $cli $sports $dports -j LOG \ - $LOGPARMS --log-prefix "${LOGMARKER}$chain:$logtarget:" \ - --log-level $loglevel - fi + log_rule $loglevel $chain $logtarget \ + `fix_bang $proto $multiport $dest_interface $state $cli $sports $dports` fi if [ $logtarget != LOG ]; then @@ -2567,13 +2572,7 @@ policy_rules() # $1 = chain to add rules to esac if [ $# -eq 3 -a "x${3}" != "x-" ]; then - if [ "$3" = ULOG ]; then - run_iptables -A $1 -j ULOG $LOGPARMS \ - --ulog-prefix "${LOGMARKER}${1}:${2}:" - else - run_iptables -A $1 -j LOG $LOGPARMS \ - --log-prefix "${LOGMARKER}${1}:${2}:" --log-level $3 - fi + log_rule $3 $1 $2 fi [ -n "$target" ] && run_iptables -A $1 -j $target @@ -2893,16 +2892,7 @@ setup_masq() # add_blacklist_rule() { if [ -n "$BLACKLIST_LOGLEVEL" ]; then - if [ "$BLACKLIST_LOGLEVEL" = ULOG ]; then - run_iptables2 -A blacklst $source $proto $dport -j \ - ULOG $LOGPARMS --ulog-prefix \ - "${LOGMARKER}blacklst:$BLACKLIST_DISPOSITION:" - else - run_iptables2 -A blacklst $source $proto $dport -j \ - LOG $LOGPARMS --log-prefix \ - "${LOGMARKER}blacklst:$BLACKLIST_DISPOSITION:" \ - --log-level $BLACKLIST_LOGLEVEL - fi + log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION `fix_bang $source $proto $dport` fi run_iptables2 -A blacklst $source $proto $dport -j $disposition 
@@ -3238,13 +3228,7 @@ initialize_netfilter () { createchain newnotsyn no run_user_exit newnotsyn if [ -n "$LOGNEWNOTSYN" ]; then - if [ "$LOGNEWNOTSYN" = ULOG ]; then - run_iptables -A newnotsyn -j ULOG $LOGPARMS \ - --ulog-prefix "${LOGMARKER}newnotsyn:DROP:" - else - run_iptables -A newnotsyn -j LOG $LOGPARMS \ - --log-prefix "${LOGMARKER}newnotsyn:DROP:" --log-level $LOGNEWNOTSYN - fi + log_rule $LOGNEWNOTSYN newnotsyn DROP fi run_iptables -A newnotsyn -j DROP @@ -3315,14 +3299,7 @@ build_common_chain() { # Construct zone-independent rules # add_common_rules() { - logdisp() # $1 = Chain Name - { - if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then - echo "ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}${1}:DROP:" - else - echo "LOG $LOGPARMS --log-prefix ${LOGMARKER}${1}:DROP: --log-level $RFC1918_LOG_LEVEL" - fi - } + local savelogparms= # # Reject Rules # @@ -3347,16 +3324,17 @@ add_common_rules() { createchain badpkt no if [ -n "$LOGUNCLEAN" ]; then - if [ "$LOGUNCLEAN" = ULOG ]; then - logoptions="-j ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}badpkt:DROP:" - logoptions="$logoptions --log-ip-options" - else - logoptions="-j LOG $LOGPARMS --log-prefix ${LOGMARKER}badpkt:DROP:" - logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" - fi + savelogparms="$LOGPARMS" - run_iptables -A badpkt -p tcp $logoptions --log-tcp-options - run_iptables -A badpkt -p ! tcp $logoptions + LOGPARMS="$LOGPARMS --log-ip-options" + + log_rule $LOGUNCLEAN badpkt DROP -p ! tcp + + LOGPARMS="$LOGPARMS --log-tcp-options" + + log_rule $LOGUNCLEAN badpkt DROP -p tcp + + LOGPARMS="$savelogparms" fi run_iptables -A badpkt -j DROP 
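Review bot: The badpkt block (@@ -3347) saves, extends and restores the global LOGPARMS around each log_rule call, and the identical three-step ritual is repeated for logpkt (@@ -3379) and logflags (@@ -3482); writing a global and relying on every caller to put it back is fragile, and the repeated `savelogparms`/`LOGPARMS=`/restore lines obscure the one thing that differs, the extra target options. Since log_rule already places `$LOGPARMS` after `-j LOG`/`-j ULOG`, a small wrapper that takes the extra options as its first argument keeps the save/restore in one place and lets each call site state its options on a single line. The enclosing add_common_rules continues beyond this hunk.
```shell
log_rule_with_options() # $1 = extra target options, $2 = log level, $3 = chain, $4 = disposition, $... = predicates
{
    local savelogparms="$LOGPARMS"
    LOGPARMS="$LOGPARMS $1"
    shift
    log_rule "$@"
    LOGPARMS="$savelogparms"
}
# … unchanged: createchain badpkt no …
if [ -n "$LOGUNCLEAN" ]; then
    log_rule_with_options "--log-ip-options" $LOGUNCLEAN badpkt DROP -p ! tcp
    log_rule_with_options "--log-ip-options --log-tcp-options" $LOGUNCLEAN badpkt DROP -p tcp
fi
```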
@@ -3379,16 +3357,17 @@ add_common_rules() { [ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info - if [ "$LOGUNCLEAN" = ULOG ]; then - logoptions="-j ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}logpkt:LOG:" - logoptions="$logoptions --log-ip-options" - else - logoptions="-j LOG $LOGPARMS --log-prefix ${LOGMARKER}logpkt:LOG:" - logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" - fi + savelogparms="$LOGPARMS" + + LOGPARMS="$LOGPARMS --log-ip-options" - run_iptables -A logpkt -p tcp $logoptions --log-tcp-options - run_iptables -A logpkt -p ! tcp $logoptions + log_rule $LOGUNCLEAN logpkt DROP -p ! tcp + + LOGPARMS="$LOGPARMS --log-tcp-options" + + log_rule $LOGUNCLEAN logpkt DROP -p tcp + + LOGPARMS="$savelogparms" echo "Mangled/Invalid Packet Logging enabled on:" @@ -3425,7 +3404,9 @@ add_common_rules() { createchain rfc1918 no createchain logdrop no - run_iptables -A logdrop -j `logdisp rfc1918` + + log_rule $RFC1918_LOG_LEVEL logdrop DROP + run_iptables -A logdrop -j DROP if [ -n "$MANGLE_ENABLED" ]; then @@ -3438,7 +3419,7 @@ add_common_rules() { # run_iptables -t mangle -N man1918 run_iptables -t mangle -N logdrop - run_iptables -t mangle -A logdrop -j `logdisp man1918` + log_rule $RFC1918_LOG_LEVEL logdrop DROP -t mangle run_iptables -t mangle -A logdrop -j DROP fi 
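Review bot: The logpkt rules now log with disposition `DROP` (`log_rule $LOGUNCLEAN logpkt DROP -p ! tcp` and its tcp twin), whereas the removed lines labelled these entries `logpkt:LOG:`; logpkt appears to log mangled packets without dropping them, so the third field of the prefix now misreports what happened to the packet to anyone parsing the log by it. Pass the old label instead: `log_rule $LOGUNCLEAN logpkt LOG -p ! tcp` and `log_rule $LOGUNCLEAN logpkt LOG -p tcp`. Also visible in this hunk's context, `[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info` lacks the space after `-z`, which turns the test into a non-empty-string check that is always true, so LOGUNCLEAN is unconditionally reset to `info`; it is not introduced here, but it decides the level these new calls receive.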
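Review bot: Both logdrop chains are now logged under the same chain name, `log_rule $RFC1918_LOG_LEVEL logdrop DROP` in the filter table (@@ -3425) and `log_rule $RFC1918_LOG_LEVEL logdrop DROP -t mangle` here, whereas the removed `logdisp rfc1918` and `logdisp man1918` calls told the two checks apart in the prefix. Because log_rule keys its counter on the chain name alone (`${chain}_logrules`), the mangle entry is also numbered after the filter one rather than as the first log rule of its table, and a reader can no longer tell which check fired. Either give the mangle chain a distinct name or let log_rule fold the table into the counter key and prefix when `-t` is among its predicates.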
@@ -3482,16 +3463,14 @@ add_common_rules() { if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then createchain logflags no - if [ "$TCP_FLAGS_LOG_LEVEL" = ULOG ]; then - run_iptables -A logflags -j ULOG $LOGPARMS \ - --ulog-prefix "${LOGMARKER}logflags:$TCP_FLAGS_DISPOSITION:" \ - --log-tcp-options --log-ip-options - else - run_iptables -A logflags -j LOG $LOGPARMS \ - --log-level $TCP_FLAGS_LOG_LEVEL \ - --log-prefix "${LOGMARKER}logflags:$TCP_FLAGS_DISPOSITION:" \ - --log-tcp-options --log-ip-options - fi + savelogparms="$LOGPARMS" + + LOGPARMS="$LOGPARMS --log-ip-options" + + log_rule $TCP_FLAGS_LOG_LEVEL logflags $TCP_FLAGS_DISPOSITION + + LOGPARMS="$savelogparms" + case $TCP_FLAGS_DISPOSITION in REJECT) run_iptables -A logflags -j REJECT --reject-with tcp-reset @@ -4355,7 +4334,7 @@ do_initialize() { SHARED_DIR=/usr/share/shorewall FUNCTIONS= VERSION_FILE= - LOGMARKER= + LOGFORMAT= stopping= have_mutex= @@ -4482,7 +4461,7 @@ do_initialize() { CLEAR_TC= fi - [ -n "$LOGMARKER" ] || LOGMARKER="Shorewall:" + [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%d:%s:" # # Strip the files that we use often diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 3ea891ac3..178d3406d 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -9,3 +9,10 @@ New Features: Netfilter nat table REDIRECT rule is added but not the companion filter table ACCEPT rule. +2) The LOGMARKER variable has been renamed LOGFORMAT and has been + changed to a 'printf' formatting template which accepts three + arguments (the chain name, logging rule number and the disposition). + To use LOGFORMAT with ULOG, set it as: + + LOGFORMAT="fp=%s:%d a=%s" + diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 5a291f8b4..44c9cc5db 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall 
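Review bot: The logflags rule loses `--log-tcp-options`: both removed branches passed `--log-tcp-options --log-ip-options`, but the replacement only does `LOGPARMS="$LOGPARMS --log-ip-options"` before calling log_rule. This chain exists to record TCP flag anomalies, so the TCP options are the most useful part of the entry; use `LOGPARMS="$LOGPARMS --log-ip-options --log-tcp-options"`. The enclosing add_common_rules continues beyond the hunk.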
@@ -135,7 +135,9 @@ get_config() { [ -n "$FW" ] || FW=fw - [ -n "$LOGMARKER" ] || LOGMARKER="Shorewall:" + [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" + + [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" } # @@ -261,9 +263,9 @@ packet_log() # $1 = number of messages [ -n "$realtail" ] && options="-n$1" - grep "${LOGMARKER}\|ipt_unclean" $LOGFILE | \ + grep "${LOGFORMAT}\|ipt_unclean" $LOGFILE | \ sed s/" kernel:"// | \ - sed s/" $host $LOGMARKER"/" "/ | \ + sed s/" $host $LOGFORMAT"/" "/ | \ sed s/" $host kernel: ipt_unclean: "/" "/ | \ sed 's/MAC=.*SRC=/SRC=/' | \ tail $options 
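Review bot: In get_config, `[ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"` tests the literal string LOGFORMAT rather than the variable, so the guard is always true; it should read `[ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"`. The result is the same today because stripping an empty value yields an empty value, but the line reads as a typo. A comment above it explaining that the template is cut at its first `%` to obtain the literal prefix the log-reading commands grep for would help, and it would expose the edge case: a template that begins with a conversion (a constructed example: `%s:%d:%s`) collapses to the empty string and then silently falls back to `Shorewall:`, which will not match anything the firewall wrote, so that case is better reported than defaulted.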
@@ -734,27 +736,27 @@ case "$1" in timeout=30 - if [ `grep -c "$LOGMARKER" $LOGFILE ` -gt 0 ] ; then + if [ `grep -c "$LOGFORMAT" $LOGFILE ` -gt 0 ] ; then echo " HITS IP DATE" echo " ---- --------------- ------" - grep "$LOGMARKER" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn + grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn echo "" echo " HITS IP PORT" echo " ---- --------------- -----" - grep "$LOGMARKER" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ + grep "$LOGFORMAT" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ t s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn echo "" echo " HITS DATE" echo " ---- ------" - grep "$LOGMARKER" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn + grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn echo "" echo " HITS PORT SERVICE(S)" echo " ---- ----- ----------" - grep '${LOGMARKER}.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ + grep '${LOGFORMAT}.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ while read count port ; do # List all services defined for the given port srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u` diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index 798e700df..27db2289a 100755 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf 
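Review bot: The rewritten `grep '${LOGFORMAT}.*DPT' $LOGFILE` is in single quotes, so the variable is never expanded and grep searches for the literal text `${LOGFORMAT}.*DPT`; the PORT/SERVICE table below it is therefore always empty. The other four greps in this hunk use double quotes, and this one should match them: `grep "${LOGFORMAT}.*DPT" $LOGFILE`. The defect predates the rename, but the line is rewritten here and the commit keeps it.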
@@ -55,13 +55,22 @@ LOGFILE=/var/log/messages # -# LOG MARKER +# LOG FORMAT # -# Used to identify Shorewall log messages.If not specified or specified as -# empty (LOGMARKER="") then the value "Shorewall:" is assumed. You must not -# embed white space in the LOGMARKER value. +# Shell 'printf' Formatting template for the --log-prefix value in log messages +# generated by Shorewall. to identify Shorewall log messages. The supplied +# template is expected to accept three arguments; the first is the chain name, +# the second is the logging rule number within that chain and the third is the +# ACTION specifying the disposition of the packet being logged. +# +# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as: +# +# LOGFORMAT="fp=%s:%d a=%s" +# +# If not specified or specified as empty (LOGFORMAT="") then the value +# "Shorewall:%s:%d:%s:" is assumed. -LOGMARKER="Shorewall:" +LOGFORMAT="Shorewall:%s:%d:%s:" # # LOG RATE LIMITING
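Review bot: The new comment block does not mention the length limit the iptables LOG target places on `--log-prefix` (29 characters; ULOG allows 32): the expanded template now carries a chain name, a rule number and an action, and a long chain name with the default `Shorewall:%s:%d:%s:` can push a rule over the limit and make it fail to load at startup. A line such as `# The expanded prefix must not exceed 29 characters (32 with ULOG).` would spare users a confusing failure. Separately, `generated by Shorewall. to identify Shorewall log messages.` is two half-sentences fused together; the second clause can be dropped.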