Log prefix; set routeback on brige ports

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1199 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-03-17 21:37:58 +00:00
parent 9ec066441c
commit e3584b67ed
2 changed files with 108 additions and 41 deletions


@ -696,7 +696,7 @@ validate_interfaces_file() {
# Validate the zone names and options in the hosts file # Validate the zone names and options in the hosts file
# #
validate_hosts_file() { validate_hosts_file() {
local z hosts options r interface host option local z hosts options r interface host option options1 bridge
while read z hosts options; do while read z hosts options; do
expandv z hosts options expandv z hosts options
@ -712,22 +712,32 @@ validate_hosts_file() {
hosts=${hosts#*:} hosts=${hosts#*:}
for host in $(separate_list $hosts); do for host in $(separate_list $hosts); do
bridge=
[ -n "$BRIDGING" ] && case $host in [ -n "$BRIDGING" ] && case $host in
*:*) *:*)
eval ${iface}_is_bridge=Yes bridge=Yes
list_search ${host%:*} $all_interfaces && \ list_search ${host%:*} $all_interfaces && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
;; ;;
*.*.*.*) *.*.*.*)
;; ;;
*) *)
bridge=Yes
eval ${iface}_is_bridge=Yes eval ${iface}_is_bridge=Yes
list_search $host $all_interfaces && \ list_search $host $all_interfaces && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
;; ;;
esac esac
for option in $(separate_list $options); do options1=$(separate_list $options)
if [ -n "$bridge" ]; then
eval ${iface}_is_bridge=Yes
list_search routeback $options1 || options1="$options1 routeback"
fi
for option in $options1 ; do
case $option in case $option in
maclist|-) maclist|-)
;; ;;
@ -1012,21 +1022,32 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi
local disposition=$3 local disposition=$3
local rulenum= local rulenum=
local limit="${4:-$LOGLIMIT}" local limit="${4:-$LOGLIMIT}"
local dx="";
local logprefix="${5:-$dx}"
logprefix="$logprefix "
shift;shift;shift;shift shift;shift;shift;shift;shift
if [ -n "$LOGRULENUMBERS" ]; then if [ -n "$LOGRULENUMBERS" ]; then
eval rulenum=\$${chain}_logrules eval rulenum=\$${chain}_logrules
[ -z "$rulenum" ] && rulenum=1 [ -z "$rulenum" ] && rulenum=1
logprefixtemp="$(printf "$LOGFORMAT" $chain $rulenum $disposition)$logprefix"
if [ ${#logprefixtemp} -gt 29 ]; then
logprefixtemp="$(echo $logprefixtemp |cut -b -29)"
echo " Logprefix too LONG ! cutting it to 29 : $logprefixtemp"
fi
case $level in case $level in
ULOG) ULOG)
eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"' eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$logprefixtemp"'
;; ;;
*) *)
eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \ eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"$logprefixtemp"'
--log-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"'
;; ;;
esac esac
@ -1038,13 +1059,21 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi
eval ${chain}_logrules=$rulenum eval ${chain}_logrules=$rulenum
else else
logprefixtemp="$(printf "$LOGFORMAT" $chain $disposition)$logprefix"
if [ ${#logprefixtemp} -gt 29 ]; then
logprefixtemp="$(echo $logprefixtemp |cut -b -29)"
echo " Logprefix too LONG ! cutting it to 29 : $logprefixtemp"
fi
case $level in case $level in
ULOG) ULOG)
eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"' eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$logprefixtemp"'
;; ;;
*) *)
eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \
--log-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"' eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"$logprefixtemp"'
;; ;;
esac esac
@ -1062,7 +1091,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
shift;shift;shift shift;shift;shift
log_rule_limit $level $chain $disposition "$LOGLIMIT" $@ log_rule_limit $level $chain $disposition "$LOGLIMIT" "$logprefix" $@
} }
# #
@ -2331,7 +2360,7 @@ add_an_action()
for serv1 in $(separate_list $serv); do for serv1 in $(separate_list $serv); do
for srv in $(ip_range $serv1); do for srv in $(ip_range $serv1); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \ log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logprefix" $userandgroup \
$(fix_bang $proto $sports $multiport $cli -d $srv $dports) $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi fi
@ -2341,7 +2370,7 @@ add_an_action()
done done
else else
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \ log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logprefix" $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dports) $(fix_bang $proto $sports $multiport $cli $dports)
fi fi
@ -2373,7 +2402,8 @@ process_action() # $1 = action
local cports="$7" local cports="$7"
local ratelimit="$8" local ratelimit="$8"
local userspec="$9" local userspec="$9"
local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit)" local logprefix="${10}"
local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit $logprefix)"
local userandgroup= local userandgroup=
if [ -n "$ratelimit" ]; then if [ -n "$ratelimit" ]; then
@ -2579,7 +2609,7 @@ process_actions1() {
if [ -f $fn ]; then if [ -f $fn ]; then
echo " Pre-processing $fn..." echo " Pre-processing $fn..."
strip_file $f $fn strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec xlogprefix; do
expandv xtarget expandv xtarget
temp="${xtarget%:*}" temp="${xtarget%:*}"
case "${temp%<*}" in case "${temp%<*}" in
@ -2589,7 +2619,7 @@ process_actions1() {
if list_search $temp $ACTIONS; then if list_search $temp $ACTIONS; then
eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\" eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\"
else else
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)" rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xlogprefix)"
fatal_error "Invalid TARGET in rule \"$rule\"" fatal_error "Invalid TARGET in rule \"$rule\""
fi fi
;; ;;
@ -2623,7 +2653,7 @@ process_actions2() {
if [ "${ysourcezone}" != "${ydestzone}" ] ; then if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then if [ "$ypolicy" != NONE ] ; then
process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec $xlogprefix
fi fi
fi fi
done done
@ -2631,7 +2661,7 @@ process_actions2() {
} }
do_it() { do_it() {
expandv xclients xservers xprotocol xports xcports xratelimit xuserspec expandv xclients xservers xprotocol xports xcports xratelimit xuserspec xlogprefix
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
xclients="$zones $FW" xclients="$zones $FW"
@ -2648,7 +2678,7 @@ process_actions2() {
continue continue
fi fi
process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xlogprefix
} }
# #
@ -2681,7 +2711,7 @@ process_actions2() {
fn=$(find_file $f) fn=$(find_file $f)
echo "Processing $fn..." echo "Processing $fn..."
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec xlogprefix; do
do_it do_it
done < $TMP_DIR/$f done < $TMP_DIR/$f
;; ;;
@ -2787,14 +2817,14 @@ add_nat_rule() {
done done
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule $loglevel $chain $logtarget -t nat log_rule $loglevel $chain $logtarget "$logprefix" -t nat
fi fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
else else
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \ log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" "$logprefix" -t nat \
$(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports) $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
fi fi
@ -2825,7 +2855,7 @@ add_nat_rule() {
done done
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" -t nat
fi fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
@ -2833,7 +2863,7 @@ add_nat_rule() {
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
ensurenatchain $chain ensurenatchain $chain
log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" -t nat \
$(fix_bang $proto $cli $sports -d $adr $multiport $dports) $(fix_bang $proto $cli $sports -d $adr $multiport $dports)
fi fi
@ -3041,7 +3071,7 @@ add_a_rule()
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" -m conntrack --ctorigdst $adr \
$userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports) $userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi fi
@ -3050,7 +3080,7 @@ add_a_rule()
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" $userandgroup \
$(fix_bang $proto $sports $multiport $cli -d $srv $dports) $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi fi
@ -3061,7 +3091,7 @@ add_a_rule()
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dports) $(fix_bang $proto $sports $multiport $cli $dports)
fi fi
@ -3080,7 +3110,7 @@ add_a_rule()
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" $userandgroup \
$(fix_bang $proto $multiport $dest_interface $cli $sports $dports) $(fix_bang $proto $multiport $dest_interface $cli $sports $dports)
fi fi
@ -3114,8 +3144,9 @@ process_rule() # $1 = target
local address="$7" local address="$7"
local ratelimit="$8" local ratelimit="$8"
local userspec="$9" local userspec="$9"
local logprefix="${10}"
local userandgroup= local userandgroup=
local rule="$(echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userspec)" local rule="$(echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userspec $logprefix)"
# Function Body - isolate rate limit # Function Body - isolate rate limit
@ -3406,7 +3437,7 @@ process_rules()
if [ "${ysourcezone}" != "${ydestzone}" ] ; then if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then if [ "$ypolicy" != NONE ] ; then
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xlogprefix
fi fi
fi fi
done done
@ -3414,7 +3445,7 @@ process_rules()
} }
do_it() { do_it() {
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec xlogprefix
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
xclients="$zones $FW" xclients="$zones $FW"
@ -3431,10 +3462,10 @@ process_rules()
continue continue
fi fi
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xlogprefix
} }
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec xlogprefix; do
temp="${xtarget%:*}" temp="${xtarget%:*}"
case "${temp%<*}" in case "${temp%<*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
@ -3449,7 +3480,7 @@ process_rules()
do_it do_it
else else
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xlogprefix)"
fatal_error "Invalid Action in rule \"$rule\"" fatal_error "Invalid Action in rule \"$rule\""
fi fi
;; ;;
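Review bot: The new LOGPREFIX column is not read correctly in the two action-file loops (hunks `@ -2579` and `@ -2681`): the read list is `while read xtarget ... xratelimit $xuserspec xlogprefix; do`, where `$xuserspec` is an expansion rather than a variable name, so unless xuserspec already holds a value the word disappears and the USER/GROUP column lands in `xlogprefix` along with the real prefix; the `process_rules` loop at `@ -3431` spells it `xuserspec`, which is the form both lines should use. In `log_rule_limit`, `logprefixtemp` is the only variable the function does not declare `local`, `logprefix="$logprefix "` appends a trailing space to every prefix including the default one (a change in log format for existing rules), and the "Logprefix too LONG" warning is printed to stdout instead of `>&2`. The prefix also reaches iptables through `eval ... '"$logprefixtemp"'`, so `$`, backquotes or quotes in the column would be shell-expanded rather than logged literally while the rules file documents a word-only restriction that nothing enforces; a check such as `case $logprefix in *[!A-Za-z0-9_-]*) startup_error "Invalid LOGPREFIX: $logprefix";; esac` before the `eval` would make the documented rule real. The two truncation blocks (rulenum and no-rulenum branches) are identical and could be a single helper applied after `logprefixtemp` is built; `log_rule_limit` itself begins before this hunk.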


@ -208,7 +208,7 @@
# address is not altered. # address is not altered.
# #
# RATE LIMIT You may rate-limit the rule by placing a value in # RATE LIMIT You may rate-limit the rule by placing a value in
# this colume: # this column:
# #
# <rate>/<interval>[:<burst>] # <rate>/<interval>[:<burst>]
# #
@ -240,6 +240,29 @@
# !:kids #program must not be run by a member # !:kids #program must not be run by a member
# #of the 'kids' group # #of the 'kids' group
# #
#
# LOGPREFIX You may add a specific log prefix to rules which are
# already logged (see the ACTIONS paragraph) by adding
# a word in this column. Spaces are not allowed, but
# underscores are.
#
# Examples:
#
# pingw # print Shorewall:fw2lan:ACCEPT:pingw
# mailo # print Shorewall:fw2lan:ACCEPT:mailo
# ma_ou # print Shorewall:fw2lan:ACCEPT:ma_ou
#
#
# The default log format is LOGFORMAT="Shorewall:%s:%s:"
# You might want to reduce it to something shorter to
# allow you longer logprefixes. (in shorewall.conf :
# LOGFORMAT="Sw:%s:%s:" or something similar)
# (the total lenght permitted by iptables is 29 chars.)
# Shorewall:fw2lan:ACCEPT is already 23 chars.
#
#
#
#
# Example: Accept SMTP requests from the DMZ to the internet # Example: Accept SMTP requests from the DMZ to the internet
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
@ -257,9 +280,9 @@
# to local system 192.168.1.3 with a limit of 3 per second and # to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10 # a maximum burst of 10
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST # # PORT PORT(S) DEST LIMIT
# DNAT<3/sec:10> net loc:192.168.1.3 tcp http # DNAT net loc:192.168.1.3 tcp http - - <3/sec:10>
# #
# Example: Redirect all locally-originating www connection requests to # Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall # port 3128 on the firewall (Squid running on the firewall
@ -283,7 +306,20 @@
# # PORT PORT(S) DEST # # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 fw \ # ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22 # tcp 22
#
# Example: You want to explicitly log when a user named bob use https
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ LOG
# # PORT PORT(S) DEST LIMIT GROUP PREFIX
# ACCEPT:debug fw lan tcp 443 - - - bob hs_bob
#
# Example: You want to explicitly log outgoing pings
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ LOG
# # PORT PORT(S) DEST LIMIT GROUP PREFIX
# ACCEPT:debug fw lan icmp 8 - - - - p_out
#################################################################################################### ####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ LOG
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP PREFIX
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE