extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-05-18 23:20:53 +02:00
Code Issues Packages Projects Releases Wiki Activity

More cleanup of action logging

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1502 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-07-28 19:22:00 +00:00
parent ed50013118
commit f82055bca8
2 changed files with 46 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
Shorewall2/firewall
View File

@ -187,15 +187,6 @@ run_ip() {
fi fi
} }
#
# Run arp and if an error occurs, stop the firewall and quit
#
run_arp() {
if ! arp $@ ; then
[ -z "$stopping" ] && { stop_firewall; exit 2; }
fi
}
# #
# Run tc and if an error occurs, stop the firewall and quit # Run tc and if an error occurs, stop the firewall and quit
# #
@ -1029,7 +1020,7 @@ find_broadcasts() {
# Find interface address--returns the first IP address assigned to the passed # Find interface address--returns the first IP address assigned to the passed
# device # device
# #
find_interface_address() # $1 = interface find_first_interface_address() # $1 = interface
{ {
# #
# get the line of output containing the first IP address # get the line of output containing the first IP address
@ -1082,28 +1073,6 @@ find_hosts_by_option() # $1 = option
done done
} }
#
# Determine if there are interfaces of the given zone and option
#
# Returns zero if any such interfaces are found and returns one otherwise.
#
have_interfaces_in_zone_with_option() # $1 = zone, $2 = option
{
local zne=$1
local z
local interface
for interface in $all_interfaces; do
eval z=\$$(chain_base $interface)_zone
[ "x$z" = "x$zne" ] && \
list_search $1 $options && \
return 0
done
return 1
}
# #
# Flush and delete all user-defined chains in the filter table # Flush and delete all user-defined chains in the filter table
# #
@ -1709,7 +1678,6 @@ setup_mac_lists() {
local addresses local addresses
local address local address
local chain local chain
local logpart
local macpart local macpart
local blob local blob
local hosts local hosts
@ -2785,16 +2753,18 @@ process_action() # $1 = action
} }
# #
# Create and record a log action chain # Create and record a log action chain -- in the functions that follow,
# the CHAIN, LEVEL and TAG variable serves as an arguments to the user's
# exit. We call the exit corresponding to the name of the action but we
# set CHAIN to the name of the iptables chain where rules are to be added.
# Similarly, LEVEL and TAG contain the log level and log tag respectively.
# #
createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ] createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
{ {
local actchain= action=$1 level=$2 local actchain= action=$1 level=$2
eval actchain=\$${action}_actchain eval actchain=\${${action}_actchain-1}
[ -n "$actchain" ] || actchain=1
case ${#action} in case ${#action} in
11) 11)
@ -2809,6 +2779,8 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
createchain $CHAIN No createchain $CHAIN No
LEVEL=${level%:*}
TAG=${level#*:}
run_user_exit $1 run_user_exit $1
fi fi
@ -2834,6 +2806,8 @@ createactionchain() # $1 = Action, including log level and tag if any
*) *)
CHAIN=$1 CHAIN=$1
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
LEVEL=
TAG=
createchain $CHAIN no createchain $CHAIN no
run_user_exit $CHAIN run_user_exit $CHAIN
fi fi
@ -3223,7 +3197,7 @@ add_nat_rule() {
if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then
eval interfaces=\$${source}_interfaces eval interfaces=\$${source}_interfaces
for interface in $interfaces; do for interface in $interfaces; do
addr=${addr:+$addr,}$(find_interface_address $interface) addr=${addr:+$addr,}$(find_first_interface_address $interface)
done done
fi fi
;; ;;
@ -4422,7 +4396,7 @@ setup_masq()
;; ;;
*:) *:)
add_snat_aliases= add_snat_aliases=
funninterface=${fullinterface%:} fullinterface=${fullinterface%:}
destnets="0.0.0.0/0" destnets="0.0.0.0/0"
;; ;;
*:*) *:*)

33
Shorewall2/releasenotes.txt
View File

@ -38,6 +38,14 @@ Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
/etc/shorewall/policy /etc/shorewall/policy
/etc/shorewall/tos /etc/shorewall/tos
2) The following builtin actions have been removed and have been
replaced by the new action logging implementation described in the
new features below.
logNotSyn
rLogNotSyn
dLogNotSyn
----------------------------------------------------------------------- -----------------------------------------------------------------------
New Features: New Features:
@ -127,4 +135,29 @@ New Features:
ACCEPT:debug - - tcp 22 ACCEPT:debug - - tcp 22
bar:debug! bar:debug!
This change has an effect on extension scripts used with
user-defined actions. If you define an action 'acton' and you have
a /etc/shorewall/acton script then when that script is invoked,
the following three variables will be set for use by the script:
$CHAIN = the name of the chain where your rules are to be
placed. When logging is used on an action invocation,
Shorewall creates a chain with a slightly different name from
the action itself.
$LEVEL = Log level. If empty, no logging was specified.
$TAG = Log Tag.
Example:
/etc/shorewall/rules:
acton:info:test
Your /etc/shorewall/acton file will be run with:
$CHAIN="acton1"
$LEVEL="info"
$TAG="test"