Redesign Accounting
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@720 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
b6adee2804
commit
e58b08c4b7
@ -10,43 +10,32 @@
|
||||
# Please see http://shorewall.net/Accounting.html for examples and
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
# This file has two sections -- the first section is used to create a
|
||||
# hierarchy of accounting chains. The second section creates rules to
|
||||
# count traffic through your firewall.
|
||||
#
|
||||
# In the first section of this file, entries have the following columns:
|
||||
#
|
||||
# ACTION - Must contain CHAIN
|
||||
#
|
||||
# CHAIN - The name of a chain to create. Shorewall will create
|
||||
# this chain. If the chain already exists, a warning
|
||||
# message is issued and the entry is ignored.
|
||||
#
|
||||
# NEXT CHAIN - Optional - The name of a previously-created chain
|
||||
#
|
||||
# If the NEXT CHAIN column is empty then Shorewall will add a single
|
||||
# RETURN rule to the chain named in the CHAIN column. If the NEXT
|
||||
# CHAIN column is not empty then Shorewall will add a jump from the
|
||||
# newly-created chain to the chain named in the NEXT CHAIN column.
|
||||
#
|
||||
#ACTION CHAIN NEXT
|
||||
# CHAIN
|
||||
|
||||
# ADD YOUR CHAIN DECLARATIONS ABOVE THIS LINE
|
||||
#
|
||||
# Columns in the second section of this file are are:
|
||||
# Columns are:
|
||||
#
|
||||
# ACTION - What to do when a match is found.
|
||||
#
|
||||
# COUNT - Simply count the match and continue
|
||||
# with the next rule
|
||||
# DONE - Count the match and don't attempt
|
||||
# to match any other accounting rules.
|
||||
# <chain> - The name of a chain. Shoreall will
|
||||
# create the chain automatically if
|
||||
# it was not created by an earlier
|
||||
# CHAIN declaration above.
|
||||
# to match any other accounting rules
|
||||
# in the chain specified in the CHAIN
|
||||
# column.
|
||||
# <chain>[:COUNT]
|
||||
# - Where <chain> is the name of
|
||||
# a chain. Shorewall will create
|
||||
# the chain automatically if it
|
||||
# doesn't already exist. Causes
|
||||
# a jump to that chain. If :COUNT
|
||||
# is including, a counting rule
|
||||
# matching this record will be
|
||||
# added to <chain>
|
||||
#
|
||||
# CHAIN - The name of a chain. If specified as "-" the
|
||||
# 'accounting' chain is assumed. This is the chain
|
||||
# where the accounting rule is added. The chain will
|
||||
# be created if it doesn't already exist.
|
||||
#
|
||||
# SOURCE - Packet Source
|
||||
#
|
||||
# The name of an interface, an address (host or net) or
|
||||
@ -72,13 +61,13 @@
|
||||
# only be specified if the protocol is TCP or UDP (6
|
||||
# or 17).
|
||||
#
|
||||
# In all of the above columns except ACTION, the values "-", "any" and
|
||||
# "all" may be used as wildcards
|
||||
# In all of the above columns except ACTION and CHAIN, the values "-",
|
||||
# "any" and "all" may be used as wildcards
|
||||
#
|
||||
# Please see http://shorewall.net/Accounting.html for examples and
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
#ACTION SOURCE DESTINATION PROTOCOL DEST SOURCE
|
||||
# PORT PORT
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
|
||||
# PORT PORT
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
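Review bot: In the new `<chain>[:COUNT]` entry, `If :COUNT is including, a counting rule` should read `If :COUNT is included, a counting rule`. As far as the firewall hunk in this commit shows, `JUMP:<chain>` is also accepted as an ACTION (it sets `jumpchain=${action#*:}`), yet this header lists only COUNT, DONE and `<chain>[:COUNT]`; if JUMP is meant to be public it needs an entry here, otherwise a comment in the script marking it internal would stop the next reader from documenting it by accident.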
@ -52,3 +52,7 @@ Changes since 1.4.6
|
||||
|
||||
24) Add "RATE LIMIT" column for those who prefer their config files to
|
||||
be wide but normalized.
|
||||
|
||||
25) Redesign the accounting facility to make it simpler and more
|
||||
flexible.
|
||||
|
||||
|
@ -1763,66 +1763,27 @@ delete_tc()
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Add an accounting chain
|
||||
#
|
||||
add_accounting_chain() {
|
||||
chain_error() {
|
||||
error_message "Warning: Invalid CHAIN declaration" $source $dest $protocol $port $sport
|
||||
}
|
||||
|
||||
if [ -n "${protocol}${port}${sport}" ] ; then
|
||||
chain_error
|
||||
return
|
||||
fi
|
||||
|
||||
if [ -z "$source" ] ; then
|
||||
chain_error
|
||||
return
|
||||
fi
|
||||
|
||||
if havechain $source; then
|
||||
error_message "Warning: Chain $source already exists - CHAIN declaration $source $dest Ignored"
|
||||
return
|
||||
fi
|
||||
|
||||
if createchain2 $source No; then
|
||||
if [ -z "$dest" ]; then
|
||||
run_iptables -A $source -j RETURN
|
||||
echo " Accounting chain $source" created
|
||||
elif iptables -A $source -j $dest ; then
|
||||
echo " Accounting chain $source with next chain $dest created"
|
||||
else
|
||||
chain_error
|
||||
fi
|
||||
else
|
||||
chain_error
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Process a record from the accounting file
|
||||
#
|
||||
process_accounting_rule() {
|
||||
rule=
|
||||
rule2=
|
||||
chain=
|
||||
jumpchain=
|
||||
|
||||
accounting_error() {
|
||||
error_message "Warning: Invalid Accounting rule" $action $source $dest $proto $port $sport
|
||||
error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport
|
||||
}
|
||||
|
||||
jump_to_chain() {
|
||||
if ! havechain $chain; then
|
||||
if createchain2 $chain No; then
|
||||
run_iptables -A $chain -j RETURN
|
||||
else
|
||||
if ! havechain $jumpchain; then
|
||||
if ! createchain2 $jumpchain No; then
|
||||
accounting_error
|
||||
return 2
|
||||
fi
|
||||
fi
|
||||
|
||||
rule="$rule -j $chain"
|
||||
rule="$rule -j $jumpchain"
|
||||
}
|
||||
|
||||
case $source in
|
||||
@ -1883,22 +1844,29 @@ process_accounting_rule() {
|
||||
DONE)
|
||||
rule="$rule -j RETURN"
|
||||
;;
|
||||
*:DONE)
|
||||
chain=${action%:*}
|
||||
rule2="$rule -j RETURN"
|
||||
*:COUNT)
|
||||
rule2="$rule"
|
||||
jumpchain=${action%:*}
|
||||
jump_to_chain || return
|
||||
;;
|
||||
JUMP:*)
|
||||
jumpchain=${action#*:}
|
||||
jump_to_chain || return
|
||||
;;
|
||||
*)
|
||||
chain=$action
|
||||
jumpchain=$action
|
||||
jump_to_chain || return
|
||||
;;
|
||||
esac
|
||||
|
||||
havechain accounting || createchain accounting No
|
||||
|
||||
if iptables -A accounting $rule ; then
|
||||
[ "x$rule2" != x ] && run_iptables -A accounting $rule2
|
||||
echo " Accounting rule" $action $source $dest $proto $port $sport Added
|
||||
[ "x$chain" = "x-" ] && chain=accounting
|
||||
[ -z "$chain" ] && chain=accounting
|
||||
|
||||
havechain $chain || createchain $chain No
|
||||
|
||||
if iptables -A $chain $rule ; then
|
||||
[ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2
|
||||
echo " Accounting rule" $action $chain $source $dest $proto $port $sport Added
|
||||
else
|
||||
accounting_error
|
||||
fi
|
||||
@ -1914,15 +1882,9 @@ setup_accounting() # $1 = Name of accounting file
|
||||
|
||||
strip_file accounting $1
|
||||
|
||||
while read action source dest proto port sport ; do
|
||||
case $action in
|
||||
CHAIN)
|
||||
add_accounting_chain
|
||||
;;
|
||||
*)
|
||||
process_accounting_rule
|
||||
;;
|
||||
esac
|
||||
while read action chain source dest proto port sport ; do
|
||||
expandv action chain source dest proto port sport
|
||||
process_accounting_rule
|
||||
done < $TMP_DIR/accounting
|
||||
|
||||
if havechain accounting; then
|
||||
|
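Review bot: `havechain $chain || createchain $chain No` in process_accounting_rule takes any existing chain as the CHAIN column, so a mistyped value naming a builtin chain or a chain Shorewall built from another file silently gets accounting rules appended — for DONE that is a `-j RETURN` — whereas the removed add_accounting_chain at least warned when `havechain` was already true. A minimal guard before that line is `case $chain in INPUT|OUTPUT|FORWARD) accounting_error; return ;; esac`, and the config header should state that CHAIN must name an accounting chain. The two fallbacks `[ "x$chain" = "x-" ] && chain=accounting` and `[ -z "$chain" ] && chain=accounting` could fold into one `case $chain in -|'') chain=accounting ;; esac`. Note also that the unconditional `havechain accounting || createchain accounting No` is gone, so the `if havechain accounting` at the end of setup_accounting — whose body continues outside the hunk — now installs the jumps from the builtin chains only when at least one rule left CHAIN as `-`; a one-line comment there saying so would spare the next reader the search.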