Introduce 'accountfwd' chain for forwarded accounting in sectioned configuration

This commit is contained in:
Tom Eastep 2011-02-18 15:44:55 -08:00
parent da1ae7d301
commit e47cb61c33
4 changed files with 19 additions and 22 deletions


@ -94,7 +94,7 @@ sub process_section ($) {
$defaultchain = 'accountout'; $defaultchain = 'accountout';
$defaultrestriction = OUTPUT_RESTRICT; $defaultrestriction = OUTPUT_RESTRICT;
} else { } else {
$defaultchain = 'accounting'; $defaultchain = 'accountfwd';
$defaultrestriction = NO_RESTRICT; $defaultrestriction = NO_RESTRICT;
} }
@ -126,7 +126,7 @@ sub process_accounting_rule( ) {
our $disposition = ''; our $disposition = '';
sub reserved_chain_name($) { sub reserved_chain_name($) {
$_[0] =~ /^acc(?:ount(?:in|ing|out)|ipsecin|ipsecout)$/; $_[0] =~ /^acc(?:ount(?:fwd|in|ing|out)|ipsecin|ipsecout)$/;
} }
sub ipsec_chain_name($) { sub ipsec_chain_name($) {
@ -363,28 +363,25 @@ sub setup_accounting() {
} }
if ( $filter_table->{accounting} ) { if ( $filter_table->{accounting} ) {
dont_optimize( 'accounting' ) unless $section; dont_optimize( 'accounting' );
if ( $asection ) {
add_jump( $filter_table->{FORWARD}, 'accounting', 0, '', 0, 0 );
} else {
for my $chain ( qw/INPUT FORWARD/ ) { for my $chain ( qw/INPUT FORWARD/ ) {
add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 ); add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
} }
} }
if ( $filter_table->{accountfwd} ) {
add_jump( $filter_table->{FORWARD}, 'accountfwd', 0, '', 0, 0 );
} }
if ( $filter_table->{accountout} ) { if ( $filter_table->{accountout} ) {
add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 ); add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
} }
} elsif ( $filter_table->{accounting} ) { } elsif ( $filter_table->{accounting} ) {
if ( $asection ) { dont_optimize( 'accounting' );
add_jump( $filter_table->{FORWARD}, 'accounting', 0, '', 0, 0 );
} else {
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) { for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 ); add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
} }
} }
}
if ( $filter_table->{accipsecin} ) { if ( $filter_table->{accipsecin} ) {
for my $chain ( qw/INPUT FORWARD/ ) { for my $chain ( qw/INPUT FORWARD/ ) {
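Review bot: In the sectioned branch the `accounting` root chain is still jumped to from both INPUT and FORWARD (the `for my $chain ( qw/INPUT FORWARD/ )` loop kept beside the new `accountfwd` jump), while the release-notes and docbook hunks of this same commit now state that forwarded traffic traverses only the FORWARD section. Since `reserved_chain_name` still accepts `accounting`, a rule that names that chain explicitly in the CHAIN column would, if that is allowed under sectioning, be hit by forwarded traffic twice, once via `accounting` and once via `accountfwd`; either the documentation should mention this or the INPUT/FORWARD jumps for `accounting` should be reconsidered. `$asection` is no longer read anywhere in the visible part of setup_accounting after this change, so if nothing else references it, it is now dead state worth removing. The enclosing `if`/`elsif` begins before the hunk and setup_accounting continues past it.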


@ -1353,7 +1353,7 @@ sub ensure_accounting_chain( $$$ )
$chainref->{ipsec} = $ipsec; $chainref->{ipsec} = $ipsec;
$chainref->{dont_optimize} = 1 unless $config{OPTIMIZE_ACCOUNTING}; $chainref->{dont_optimize} = 1 unless $config{OPTIMIZE_ACCOUNTING};
unless ( $chain =~ '^account(?:in|ing|out)$' ) { unless ( $chain eq 'accounting' ) {
my $file = find_file $chain; my $file = find_file $chain;
if ( -f $file ) { if ( -f $file ) {
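Review bot: Narrowing the guard from the `'^account(?:in|ing|out)$'` pattern to `$chain eq 'accounting'` means `accountin`, `accountout` and the new `accountfwd` chains now go through the `find_file $chain` / `-f $file` lookup that the old code skipped for every reserved root chain. What the `-f` branch does with that file is outside the hunk, but if it reads or evaluates the file's contents, a file named `accountin`, `accountout` or `accountfwd` anywhere on the configuration search path is now honoured for those chains, which is a behaviour change the commit message does not mention. If the widening is intended, document it, e.g. `# Only the 'accounting' root chain is never loaded from a same-named file` above the `unless`; if not, keep the guard aligned with reserved_chain_name, `unless ( $chain =~ /^account(?:fwd|in|ing|out)$/ ) {`. ensure_accounting_chain begins and ends outside this hunk.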


@ -79,7 +79,7 @@ None.
specify an output interface). specify an output interface).
- accountout: Rules that are valid in the OUTPUT chain (may not - accountout: Rules that are valid in the OUTPUT chain (may not
specify an input interface or a MAC address). specify an input interface or a MAC address).
- accounting: Other rules. - accountfwd: Other rules.
The new structure is enabled by sectioning the accounting file in a The new structure is enabled by sectioning the accounting file in a
manner similar to the rules file. manner similar to the rules file.
@ -105,13 +105,13 @@ None.
- The default value of the CHAIN column is: - The default value of the CHAIN column is:
- 'accountin' in the INPUT section - 'accountin' in the INPUT section
- 'accountout' in the OUTPUT section - 'accountout' in the OUTPUT section
- 'accounting' in the FORWARD section - 'accountfwd' in the FORWARD section
- Traffic addressed to the firewall goes through the rules defined - Traffic addressed to the firewall goes through the rules defined
in the INPUT section. in the INPUT section.
- Traffic originating on the firewall goes through the rules - Traffic originating on the firewall goes through the rules
defined in the OUTPUT section. defined in the OUTPUT section.
- Traffic being forwarded through the firewall goes through the - Traffic being forwarded through the firewall goes through the
rules from all three sections. rules defined in the FORWARD section.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S


@ -269,7 +269,7 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para> Beginning with Shorewall 4.4.18, the accounting structure can be <para>Beginning with Shorewall 4.4.18, the accounting structure can be
created with three root chains:</para> created with three root chains:</para>
<itemizedlist> <itemizedlist>
@ -360,7 +360,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis role="bold">accounting</emphasis> in the <emphasis <para><emphasis role="bold">accountfwd</emphasis> in the <emphasis
role="bold">FORWARD</emphasis> section</para> role="bold">FORWARD</emphasis> section</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
@ -378,7 +378,7 @@
<listitem> <listitem>
<para>Traffic being forwarded through the firewall goes through the <para>Traffic being forwarded through the firewall goes through the
rules from all three sections.</para> rules from the FORWARD sections.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>