Change LOGMARKER/LOGFORMAT Implementation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@566 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -2,3 +2,6 @@ Changes since 1.4.3a
 
 1. Implement REDIRECT-.
 
+2. Change LOGMARKER to a printf mask and allow embedded spaces. Renamed
+   it LOGFORMAT to avoid confusion.
+

Shorewall/firewall

@@ -904,6 +904,40 @@ run_user_exit() # $1 = file name
     fi
 }
 
+#
+# Add a logging rule.
+#
+log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
+{
+    local level=$1
+    local chain=$2
+    local disposition=$3
+    local rulenum=
+
+    shift;shift;shift
+
+    eval rulenum=\$${chain}_logrules
+
+    [ -z "$rulenum" ] && rulenum=1
+
+    case $level in
+	ULOG)
+	    eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
+	    ;;
+	*)
+	    eval iptables -A $chain $@ -j LOG $LOGPARMS --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
+	    ;;
+    esac
+
+    if [ $? -ne 0 ] ; then
+	[ -z "$stopping" ] && { stop_firewall; exit 2; }
+    fi
+
+    rulenum=$(($rulenum + 1))
+
+    eval ${chain}_logrules=$rulenum
+}
+
 #
 # Stop the Firewall
 #
@@ -1281,18 +1315,6 @@ setup_mac_lists() {
 	fi
     done < $TMP_DIR/maclist
     #
-    # Setup Logging variables
-    #
-    if [ -n "$MACLIST_LOG_LEVEL" ]; then
-	if [ "$MACLIST_LOG_LEVEL" = ULOG ]; then
-	    logpart="-j ULOG $LOGPARMS --ulog-prefix"
-	else
-	    logpart="-j LOG $LOGPARMS --log-level $MACLIST_LOG_LEVEL --log-prefix"
-	fi
-    else
-	logpart=
-    fi
-    #
     # Must take care of our own broadcasts and multicasts then terminate the verification
     # chains
     #
@@ -1322,8 +1344,9 @@ setup_mac_lists() {
 	    shift
 	done
 
-	[ -n "$logpart" ] && \
+	if [ -n "$MACLIST_LOG_LEVEL" ]; then
-	    run_iptables -A $chain $logpart "${LOGMARKER}$chain:$MACLIST_DISPOSITION:"
+	    log_rule $MACLIST_LOG_LEVEL $chain $MACLIST_DISPOSITION 
+	fi
 
 	run_iptables -A $chain -j $maclist_target
     done
@@ -2017,20 +2040,10 @@ add_a_rule()
 
 	    if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
 		serv="${serv:+-d $serv}"
-
 		if [ -n "$loglevel" ]; then
-		    if [ "$loglevel" = ULOG ]; then
+		    log_rule $loglevel $chain $logtarget \
-			run_iptables2 -A $chain $proto $multiport \
+			`fix_bang $proto $sports $multiport $state $cli $serv $dports`
-			    $state $cli $sports $serv $dports -j ULOG $LOGPARMS \
-			    --ulog-prefix "${LOGMARKER}$chain:$logtarget:"
-		    else
-			run_iptables2 -A $chain $proto $multiport \
-			    $state $cli $sports $serv $dports -j LOG $LOGPARMS \
-			    --log-prefix "${LOGMARKER}$chain:$logtarget:" \
-			    --log-level $loglevel
 		fi
-		fi
-
 
 		run_iptables2 -A $chain $proto $multiport $state $cli $sports \
 		    $serv $dports -j $target
@@ -2046,16 +2059,8 @@ add_a_rule()
 
 	if [ $command != check ]; then
 	    if [ -n "$loglevel" ]; then
-		if [ "$loglevel" = ULOG ]; then
+		log_rule $loglevel $chain $logtarget \
-		    run_iptables2 -A $chain $proto $multiport \
+		    `fix_bang $proto $multiport $dest_interface $state $cli $sports $dports`
-			$dest_interface $state $cli $sports $dports -j ULOG \
-			$LOGPARMS --ulog-prefix "${LOGMARKER}$chain:$logtarget:"
-		else
-		    run_iptables2 -A $chain $proto $multiport \
-			$dest_interface $state $cli $sports $dports -j LOG \
-			$LOGPARMS --log-prefix "${LOGMARKER}$chain:$logtarget:" \
-			--log-level $loglevel
-		fi
 	    fi
 
 	    if [ $logtarget != LOG ]; then
@@ -2567,13 +2572,7 @@ policy_rules() # $1 = chain to add rules to
     esac
 
     if [ $# -eq 3 -a "x${3}" != "x-" ]; then
-	if [ "$3" = ULOG ]; then
+	log_rule $3 $1 $2 
-	    run_iptables -A $1 -j ULOG $LOGPARMS \
-		--ulog-prefix "${LOGMARKER}${1}:${2}:"
-	else
-	    run_iptables -A $1 -j LOG $LOGPARMS \
-		--log-prefix "${LOGMARKER}${1}:${2}:" --log-level $3
-	fi
     fi
 
     [ -n "$target" ] && run_iptables -A $1 -j $target
@@ -2893,16 +2892,7 @@ setup_masq()
 #
 add_blacklist_rule() {
     if [ -n "$BLACKLIST_LOGLEVEL" ]; then
-	if [ "$BLACKLIST_LOGLEVEL" = ULOG ]; then
+	log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION  `fix_bang $source $proto $dport`
-	    run_iptables2 -A blacklst $source $proto $dport -j \
-		ULOG $LOGPARMS --ulog-prefix \
-		"${LOGMARKER}blacklst:$BLACKLIST_DISPOSITION:"
-	else
-	    run_iptables2 -A blacklst $source $proto $dport -j \
-		LOG $LOGPARMS --log-prefix \
-		"${LOGMARKER}blacklst:$BLACKLIST_DISPOSITION:" \
-		--log-level $BLACKLIST_LOGLEVEL
-	fi
     fi
 
     run_iptables2 -A blacklst $source $proto $dport -j $disposition
@@ -3238,13 +3228,7 @@ initialize_netfilter () {
 	createchain newnotsyn no
 	run_user_exit newnotsyn
 	if [ -n "$LOGNEWNOTSYN" ]; then
-	    if [ "$LOGNEWNOTSYN" = ULOG ]; then
+	    log_rule $LOGNEWNOTSYN newnotsyn DROP
-		run_iptables -A newnotsyn -j ULOG $LOGPARMS \
-		    --ulog-prefix "${LOGMARKER}newnotsyn:DROP:"
-	    else
-		run_iptables -A newnotsyn -j LOG $LOGPARMS \
-		    --log-prefix "${LOGMARKER}newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
-	    fi
 	fi
 
 	run_iptables -A newnotsyn -j DROP
@@ -3315,14 +3299,7 @@ build_common_chain() {
 # Construct zone-independent rules
 #
 add_common_rules() {
-    logdisp() # $1 = Chain Name
+    local savelogparms=
-    {
-	if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then
-	    echo "ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}${1}:DROP:"
-	else
-	    echo "LOG $LOGPARMS --log-prefix ${LOGMARKER}${1}:DROP: --log-level $RFC1918_LOG_LEVEL"
-	fi
-    }
     #
     # Reject Rules
     #
@@ -3347,16 +3324,17 @@ add_common_rules() {
 	createchain badpkt no
 
 	if [ -n "$LOGUNCLEAN" ]; then
-            if [ "$LOGUNCLEAN" = ULOG ]; then
+	    savelogparms="$LOGPARMS"
-		logoptions="-j ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}badpkt:DROP:"
-		logoptions="$logoptions --log-ip-options"
-	    else
-		logoptions="-j LOG $LOGPARMS --log-prefix ${LOGMARKER}badpkt:DROP:"
-		logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
-	    fi
 
-	    run_iptables -A badpkt -p   tcp $logoptions --log-tcp-options
+	    LOGPARMS="$LOGPARMS --log-ip-options"
-	    run_iptables -A badpkt -p ! tcp $logoptions
+
+	    log_rule $LOGUNCLEAN badpkt DROP -p ! tcp 
+
+	    LOGPARMS="$LOGPARMS --log-tcp-options"
+
+	    log_rule $LOGUNCLEAN badpkt DROP -p tcp 
+
+	    LOGPARMS="$savelogparms"
 	fi
 
 	run_iptables -A badpkt -j DROP
@@ -3379,16 +3357,17 @@ add_common_rules() {
 
 	[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
 
-	if [ "$LOGUNCLEAN" = ULOG ]; then
+	savelogparms="$LOGPARMS"
-	    logoptions="-j ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}logpkt:LOG:"
-	    logoptions="$logoptions --log-ip-options"
-	else
-	    logoptions="-j LOG $LOGPARMS --log-prefix ${LOGMARKER}logpkt:LOG:"
-	    logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
-	fi
 	    
-	run_iptables -A logpkt -p   tcp $logoptions --log-tcp-options
+	LOGPARMS="$LOGPARMS --log-ip-options"
-	run_iptables -A logpkt -p ! tcp $logoptions
+
+	log_rule $LOGUNCLEAN logpkt DROP -p ! tcp 
+
+	LOGPARMS="$LOGPARMS --log-tcp-options"
+	
+	log_rule $LOGUNCLEAN logpkt DROP -p tcp 
+
+	LOGPARMS="$savelogparms"
 
 	echo "Mangled/Invalid Packet Logging enabled on:"
 
@@ -3425,7 +3404,9 @@ add_common_rules() {
 	createchain rfc1918 no
 
 	createchain logdrop no
-	run_iptables -A logdrop -j `logdisp rfc1918`
+	
+	log_rule $RFC1918_LOG_LEVEL logdrop DROP
+	
 	run_iptables -A logdrop -j DROP
 
 	if [ -n "$MANGLE_ENABLED" ]; then
@@ -3438,7 +3419,7 @@ add_common_rules() {
 	    #
 	    run_iptables -t mangle -N man1918
 	    run_iptables -t mangle -N logdrop
-	    run_iptables -t mangle -A logdrop -j `logdisp man1918`
+	    log_rule $RFC1918_LOG_LEVEL logdrop DROP -t mangle
 	    run_iptables -t mangle -A logdrop -j DROP
 	fi
 
@@ -3482,16 +3463,14 @@ add_common_rules() {
 	if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then
 	    createchain logflags no
 
-	    if [ "$TCP_FLAGS_LOG_LEVEL" = ULOG ]; then
+	    savelogparms="$LOGPARMS"
-		run_iptables -A logflags -j ULOG  $LOGPARMS \
+
-		    --ulog-prefix "${LOGMARKER}logflags:$TCP_FLAGS_DISPOSITION:" \
+	    LOGPARMS="$LOGPARMS --log-ip-options"
-		    --log-tcp-options --log-ip-options
+
-	    else
+	    log_rule $TCP_FLAGS_LOG_LEVEL logflags $TCP_FLAGS_DISPOSITION 
-		run_iptables -A logflags -j LOG  $LOGPARMS \
+
-		    --log-level $TCP_FLAGS_LOG_LEVEL \
+	    LOGPARMS="$savelogparms"
-		    --log-prefix "${LOGMARKER}logflags:$TCP_FLAGS_DISPOSITION:" \
+	    
-		    --log-tcp-options --log-ip-options
-	    fi
 	    case $TCP_FLAGS_DISPOSITION in
 		REJECT)
 		    run_iptables -A logflags -j REJECT --reject-with tcp-reset
@@ -4355,7 +4334,7 @@ do_initialize() {
     SHARED_DIR=/usr/share/shorewall
     FUNCTIONS=
     VERSION_FILE=
-    LOGMARKER=
+    LOGFORMAT=
 
     stopping=
     have_mutex=
@@ -4482,7 +4461,7 @@ do_initialize() {
 	CLEAR_TC=
     fi
 
-    [ -n "$LOGMARKER" ] || LOGMARKER="Shorewall:"
+    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%d:%s:"
 
     #
     # Strip the files that we use often

Shorewall/releasenotes.txt

@@ -9,3 +9,10 @@ New Features:
    Netfilter nat table REDIRECT rule is added but not the companion
    filter table ACCEPT rule.
 
+2) The LOGMARKER variable has been renamed LOGFORMAT and has been
+   changed to a 'printf' formatting template which accepts three
+   arguments (the chain name, logging rule number and the disposition).
+   To use LOGFORMAT with ULOG, set it as:
+
+       LOGFORMAT="fp=%s:%d a=%s"
+

Shorewall/shorewall

@@ -135,7 +135,9 @@ get_config() {
 
     [ -n "$FW" ] || FW=fw
 
-    [ -n "$LOGMARKER" ] || LOGMARKER="Shorewall:"
+    [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
+
+    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
 }
 
 #
@@ -261,9 +263,9 @@ packet_log() # $1 = number of messages
 
     [ -n "$realtail" ] && options="-n$1"
 
-    grep "${LOGMARKER}\|ipt_unclean" $LOGFILE | \
+    grep "${LOGFORMAT}\|ipt_unclean" $LOGFILE | \
 	 sed s/" kernel:"// | \
-	 sed s/" $host $LOGMARKER"/" "/ | \
+	 sed s/" $host $LOGFORMAT"/" "/ | \
 	 sed s/" $host kernel: ipt_unclean: "/" "/ | \
 	 sed 's/MAC=.*SRC=/SRC=/' | \
 	 tail $options
@@ -734,27 +736,27 @@ case "$1" in
 
 	timeout=30
 
-	if [ `grep -c "$LOGMARKER" $LOGFILE ` -gt 0 ] ; then
+	if [ `grep -c "$LOGFORMAT" $LOGFILE ` -gt 0 ] ; then
 	    echo "   HITS IP		  DATE"
 	    echo "   ---- --------------- ------"
-	    grep "$LOGMARKER" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn
+	    grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn
 	    echo ""
 
 	    echo "   HITS IP		  PORT"
 	    echo "   ---- --------------- -----"
-	    grep "$LOGMARKER" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
+	    grep "$LOGFORMAT" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
 						t
 						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn
 	    echo ""
 
 	    echo "   HITS DATE"
 	    echo "   ---- ------"
-	    grep "$LOGMARKER" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn
+	    grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn
 	    echo ""
 
 	    echo "   HITS  PORT SERVICE(S)"
 	    echo "   ---- ----- ----------"
-	    grep '${LOGMARKER}.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
+	    grep '${LOGFORMAT}.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
 	    while read count port ; do
 		# List all services defined for the given port
 		srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`

Shorewall/shorewall.conf

@@ -55,13 +55,22 @@
 LOGFILE=/var/log/messages
 
 #
-# LOG MARKER
+# LOG FORMAT
 #
-# Used to identify Shorewall log messages.If not specified or specified as
+# Shell 'printf' Formatting template for the --log-prefix value in log messages
-# empty (LOGMARKER="") then the value "Shorewall:" is assumed. You must not
+# generated by Shorewall. to identify Shorewall log messages. The supplied
-# embed white space in the LOGMARKER value.
+# template is expected to accept three arguments; the first is the chain name,
+# the second is the logging rule number within that chain and the third is the
+# ACTION specifying the disposition of the packet being logged.
+#
+# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
+#
+#	LOGFORMAT="fp=%s:%d a=%s"
+#
+# If not specified or specified as empty (LOGFORMAT="") then the value
+# "Shorewall:%s:%d:%s:" is assumed.
 
-LOGMARKER="Shorewall:"
+LOGFORMAT="Shorewall:%s:%d:%s:"
 
 #
 # LOG RATE LIMITING