Revise and document IPSEC Accounting

- Place accounting rules in accipsecin and accipsecout - Add warning when rule inserted into unreferenced accounting chain - Add warning when an accounting chain has no references Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-02-17 02:00:57 +01:00 · 2010-08-20 08:24:45 -07:00 · 2010-08-20 08:24:45 -07:00 · e70d9c82d8
commit e70d9c82d8
parent 33ee9b1481
4 changed files with 53 additions and 24 deletions
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@ -61,6 +61,10 @@ sub process_accounting_rule( ) {

    our $disposition = '';

+    sub reserved_chain_name($) {
+	$_[0] =~ /^acc(?:ount(?:ing|out)|ipsecin|ipsecout)$/;
+    }
+
    sub check_chain( $ ) {
 	my $chainref = shift;
 	fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy};
@ -72,6 +76,7 @@ sub process_accounting_rule( ) {

    sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
+	fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
 	$jumpchainref = ensure_accounting_chain( $jumpchain );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
@ -88,7 +93,7 @@ sub process_accounting_rule( ) {
    my $rule2 = 0;
    
    if ( $ipsec ne '-' ) {
-	fatal_error "A rule with non-empty IPSEC column can only appear in the 'accountin' and 'accountout' chains" unless $chain =~ /^account(in|out)$/;
+	fatal_error "A rule with non-empty IPSEC column can only appear in the 'accipsecin' and 'accipsecout' chains" unless $chain =~ /^accipsec(in|out)$/;
 	$rule .= do_ipsec( $1, $ipsec);
    }

@ -144,7 +149,12 @@ sub process_accounting_rule( ) {
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
    }

-    my $chainref = ensure_accounting_chain $chain;
+    my $chainref = $filter_table->{$chain};
+
+    if ( ! $chainref ) {
+	warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
+	$chainref = ensure_accounting_chain $chain;
+    }

    expand_rule
 	$chainref ,
@ -185,8 +195,6 @@ sub setup_accounting() {

    $nonEmpty |= process_accounting_rule while read_a_line;

-    fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting};
-
    clear_comment;

    if ( have_bridges ) {
@ -199,25 +207,28 @@ sub setup_accounting() {
 	if ( $filter_table->{accountout} ) {
 	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 	}
-    } else {
-	if ( $filter_table->{accountin} ) {
-	    for my $chain ( qw/INPUT FORWARD/ ) {
-		add_jump( $filter_table->{$chain}, 'accountin', 0,  '', 0, 0 );
-	    }
-	}
-
-	if ( $filter_table->{accountout} ) {
-	    for my $chain ( qw/FORWARD OUTPUT/ ) {
-		add_jump( $filter_table->{$chain}, 'accountout', 0, '', 0, 0 );
-	    }
-	}
-
-	if ( $filter_table->{accounting} ) {
-	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
-	    }
+    } elsif ( $filter_table->{accounting} ) {
+	for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
+	    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	}
    }
+
+    if ( $filter_table->{accipsecin} ) {
+	for my $chain ( qw/INPUT FORWARD/ ) {
+	    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+	}
+    }
+
+    if ( $filter_table->{accipsecout} ) {
+	for my $chain ( qw/FORWARD OUTPUT/ ) {
+	    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
+	}
+    }
+
+    for ( accounting_chainrefs ) {
+	warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
+    }
+
 }

 1;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -109,6 +109,7 @@ our %EXPORT_TAGS = (
 				       find_chain
 				       ensure_chain
 				       ensure_accounting_chain
+				       accounting_chainrefs
 				       ensure_mangle_chain
 				       ensure_nat_chain
 				       ensure_raw_chain
@ -1204,6 +1205,13 @@ sub ensure_accounting_chain( $  )
    $chainref;
 }

+#
+# Return a list of references to accounting chains
+#
+sub accounting_chainrefs() {
+    grep $_->{accounting} , values %$filter_table;
+}
+
 sub ensure_mangle_chain($) {
    my $chain = $_[0];

--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -54,6 +54,16 @@ None.
 	     any+!dmz,loc   (All zones except 'dmz' and 'loc' and
 	     		     include intra-zone rules).

+2)  An IPSEC column has been added to the accounting file, allowing you
+    to segregate IPSEC traffic from non-IPSEC traffic. See 'man
+    shorewall-accounting' (man shorewall6-accounting) for details.
+
+    Note that accounting rules that have a non-empty IPSEC column
+    may only appear in the 'accipsecin' and 'accipsecout' chains. The
+    former contains rules that select de-capsulated/decrypted traffic
+    while the latter contains rules that select traffic that will be
+    encapsulated/encrypted.
+
 ----------------------------------------------------------------------------
             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------
--- a/manpages6/shorewall6-accounting.xml
+++ b/manpages6/shorewall6-accounting.xml
@ -433,12 +433,12 @@

            <listitem>
              <para>The CHAIN column must contain either <emphasis
-              role="bold">accountin</emphasis> or <emphasis
-              role="bold">accountout</emphasis>.</para>
+              role="bold">accipsecin</emphasis> or <emphasis
+              role="bold">accipsecout</emphasis>.</para>
            </listitem>
          </itemizedlist>

-          <para> These rules will NOT appear in the <emphasis
+          <para>These rules will NOT appear in the <emphasis
          role="bold">accounting</emphasis> chain.</para>
        </listitem>
      </varlistentry>