Add ACCOUNTING_TABLE option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-06-20 01:37:59 +02:00 · 2011-05-17 12:51:33 -07:00 · 2011-05-17 12:51:33 -07:00 · fd70e73d34
commit fd70e73d34
parent 680ca519ed
15 changed files with 132 additions and 33 deletions
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@ -196,6 +196,8 @@ COMPLETE=Yes
 EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@ -207,6 +207,8 @@ COMPLETE=No
 EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@ -207,6 +207,8 @@ COMPLETE=No
 EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@ -214,6 +214,8 @@ COMPLETE=No
 EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@ -159,6 +159,8 @@ COMPLETE=Yes
 EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@ -161,6 +161,8 @@ COMPLETE=No
 EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
 ##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@ -161,6 +161,8 @@ COMPLETE=No
 EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@ -161,6 +161,8 @@ COMPLETE=No
 EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@ -50,22 +50,29 @@ my $defaultrestriction;
 my $restriction;
 my $accounting_commands = { COMMENT => 0, SECTION => 2 };
 my $sectionname;
 my $acctable;
 #
 # Sections in the Accounting File
 #
 use constant {
-	      LEGACY  => 0,
+	      LEGACY      => 0,
-	      INPUT   => 1,
+	      PREROUTING  => 1,
-	      OUTPUT  => 2,
+	      INPUT       => 2,
-	      FORWARD => 3 };
+	      OUTPUT      => 3,
 	      FORWARD     => 4,
 	      POSTROUTING => 5
 	  };
 #
 # Map names to values
 #
-our %asections = ( INPUT   => INPUT,
+our %asections = ( PREROUTING  => PREROUTING,
-		   FORWARD => FORWARD,
+		   INPUT       => INPUT,
-		   OUTPUT  => OUTPUT );
+		   FORWARD     => FORWARD,
 		   OUTPUT      => OUTPUT,
 		   POSTROUTING => POSTROUTING
 		 );
 #
 # Called by the compiler to [re-]initialize this module's state
@ -108,10 +115,19 @@ sub process_section ($) {
    } elsif ( $sectionname eq 'OUTPUT' ) {
 	$defaultchain = 'accountout';
 	$defaultrestriction = OUTPUT_RESTRICT;
-    } else {
+    } elsif ( $sectionname eq 'FORWARD' ) {
 	$defaultchain = 'accountfwd';
 	$defaultrestriction = NO_RESTRICT;
-    }
+     } else {
 	 fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
 	 if ( $sectionname eq 'PREROUTING' ) {
 	     $defaultchain = 'accountpre';
 	     $defaultrestriction = PREROUTE_RESTRICT;
 	 } else {
 	     $defaultchain = 'accountpost';
 	     $defaultrestriction = POSTROUTE_RESTRICT;
 	 }
     }
    $asection = $newsect;
 }
@ -121,6 +137,8 @@ sub process_section ($) {
 #
 sub process_accounting_rule( ) {
    $acctable = $config{ACCOUNTING_TABLE};
    $jumpchainref = 0;
    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File', $accounting_commands;
@ -261,7 +279,7 @@ sub process_accounting_rule( ) {
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
    }
-    my $chainref = $filter_table->{$chain};
+    my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
    my $dir;
    if ( ! $chainref ) {
@ -376,41 +394,51 @@ sub setup_accounting() {
 	clear_comment;
 	if ( $nonEmpty ) {
 	    my $tableref = $chain_table{$acctable};
 	    if ( have_bridges || $asection ) {
-		if ( $filter_table->{accountin} ) {
+		if ( $tableref->{accountin} ) {
-		    add_jump( $filter_table->{INPUT}, 'accountin', 0, '', 0, 0 );
+		    add_jump( $tableref->{INPUT}, 'accountin', 0, '', 0, 0 );
 		}
-		if ( $filter_table->{accounting} ) {
+		if ( $tableref->{accounting} ) {
 		    dont_optimize( 'accounting' );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
-			add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+			add_jump( $tableref->{$chain}, 'accounting', 0, '', 0, 0 );
 		    }
 		}
-		if ( $filter_table->{accountfwd} ) {
+		if ( $tableref->{accountfwd} ) {
-		    add_jump( $filter_table->{FORWARD}, 'accountfwd', 0, '', 0, 0 );
+		    add_jump( $tableref->{FORWARD}, 'accountfwd', 0, '', 0, 0 );
 		}
-		if ( $filter_table->{accountout} ) {
+		if ( $tableref->{accountout} ) {
-		    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+		    add_jump( $tableref->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 		}
-	    } elsif ( $filter_table->{accounting} ) {
+
 		if ( $tableref->{accountpre} ) {
 		    add_jump( $tableref->{PREROUTING}, 'accountpre', 0, '', 0, 0 );
 		}
 		if ( $tableref->{accountpost} ) {
 		    add_jump( $tableref->{POSTROUTING}, 'accountpost', 0, '', 0, 0 );
 		}
 	    } elsif ( $tableref->{accounting} ) {
 		dont_optimize( 'accounting' );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+		    add_jump( $tableref->{$chain}, 'accounting', 0, '', 0, 0 );
 		}
 	    }
-	    if ( $filter_table->{accipsecin} ) {
+	    if ( $tableref->{accipsecin} ) {
 		for my $chain ( qw/INPUT FORWARD/ ) {
-		    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+		    add_jump( $tableref->{$chain}, 'accipsecin', 0,  '', 0, 0 );
 		}
 	    }
-	    if ( $filter_table->{accipsecout} ) {
+	    if ( $tableref->{accipsecout} ) {
 		for my $chain ( qw/FORWARD OUTPUT/ ) {
-		    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
+		    add_jump( $tableref->{$chain}, 'accipsecout', 0, '', 0, 0 );
 		}
 	    }
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -1382,7 +1382,9 @@ sub ensure_accounting_chain( $$$ )
 {
    my ($chain, $ipsec, $restriction ) = @_;
-    my $chainref = $filter_table->{$chain};
+    my $table = $config{ACCOUNTING_TABLE};
    my $chainref = $chain_table{$table}{$chain};
    if ( $chainref ) {
 	fatal_error "Non-accounting chain ($chain) used in an accounting rule" unless $chainref->{accounting};
@ -1390,7 +1392,7 @@ sub ensure_accounting_chain( $$$ )
    } else {
 	fatal_error "Chain name ($chain) too long" if length $chain > 29;
 	fatal_error "Invalid Chain name ($chain)" unless $chain =~ /^[-\w]+$/ && ! ( $builtin_target{$chain} || $config_files{$chain} );
-	$chainref = new_chain 'filter' , $chain;
+	$chainref = new_chain $table , $chain;
 	$chainref->{accounting}  = 1;
 	$chainref->{referenced}  = 1;
 	$chainref->{restriction} = $restriction;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -526,6 +526,7 @@ sub initialize( $ ) {
 	  ZONE2ZONE => undef,
 	  ACCOUNTING => undef,
 	  OPTIMIZE_ACCOUNTING => undef,
 	  ACCOUNTING_TABLE => undef,
 	  DYNAMIC_BLACKLIST => undef,
 	  LOAD_HELPERS_ONLY => undef,
 	  REQUIRE_INTERFACE => undef,
@ -3277,8 +3278,17 @@ sub get_configuration( $ ) {
    default_yes_no 'AUTOMAKE'                   , '';
    default_yes_no 'WIDE_TC_MARKS'              , '';
    default_yes_no 'TRACK_PROVIDERS'            , '';
    default_yes_no 'ACCOUNTING'                 , 'Yes';
    default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
    if ( defined $config{ACCOUNTING_TABLE} ) {
 	my $value = $config{ACCOUNTING_TABLE};
 	fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle';
    } else {
 	$config{ACCOUNTING_TABLE} = 'filter';
    }
    default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
    default_yes_no 'REQUIRE_INTERFACE'          , '';
    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability 'MARK' ? 'Yes' : '';
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@ -196,6 +196,8 @@ COMPLETE=No
 EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -47,6 +47,21 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
    is compatible with 4.4.19 in that if a relative path name is
    supplied, then '/usr/' is prepended to the name.
 2)  A new ACCOUNTING_TABLE option has been added to shorewall.conf and
    shorwall6.conf. The setting determines the Netfilter table (filter
    or mangle) where accounting rules are created.
    When ACCOUNTING_TABLE=mangle, the allowable sections in the
    accounting file are as follows:
 	PREROUTING
        INPUT
 	OUTPUT
 	FORWARD
 	POSTROUTING
    Present sections must appear in that order.
 ----------------------------------------------------------------------------
             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------
--- a/Shorewall6/shorewall6.conf
+++ b/Shorewall6/shorewall6.conf
@ -159,6 +159,8 @@ COMPLETE=No
 EXPORTMODULES=Yes
 ACCOUNTING_TABLE=filter
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@ -296,8 +296,18 @@
    <emphasis role="bold">OUTPUT</emphasis> and <emphasis
    role="bold">FORWARD</emphasis> and must appear in that order (although any
    of them may be omitted). The first non-commentary record in the accounting
-    file must be a section header when sectioning is used. Section headers
+    file must be a section header when sectioning is used. </para>
-    have the form:</para>
+
    <para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
    added to shorewall.conf and shorewall6.conf. That setting determines the
    Netfilter table (filter or mangle) where the accounting rules are added.
    When ACCOUNTING_TABLE=mangle is specified, the available sections are
    <emphasis role="bold">PREROUTING</emphasis>, <emphasis
    role="bold">INPUT</emphasis>, <emphasis role="bold">OUTPUT</emphasis>,
    <emphasis role="bold">FORWARD</emphasis> and <emphasis
    role="bold">POSTROUTING</emphasis>.</para>
    <para>Section headers have the form:</para>
    <para><option>SECTION</option>
    <replaceable>section-name</replaceable></para>
@ -316,11 +326,13 @@
      <listitem>
        <para>You may not specify an output interface in the <emphasis
-        role="bold">INPUT</emphasis> section.</para>
+        role="bold">PREROUTING</emphasis> and <emphasis
        role="bold">INPUT</emphasis> sections.</para>
      </listitem>
      <listitem>
-        <para>In the OUTPUT section:</para>
+        <para>In the <emphasis role="bold">OUTPUT</emphasis> and <emphasis
        role="bold">POSTROUTING</emphasis> sections:</para>
        <itemizedlist>
          <listitem>
@ -329,7 +341,8 @@
          <listitem>
            <para>You may not jump to a chain defined in the <emphasis
-            role="bold">INPUT</emphasis> section that specifies an input
+            role="bold">INPUT</emphasis> or <emphasis
            role="bold">PREROUTING</emphasis> sections that specifies an input
            interface</para>
          </listitem>
@ -339,8 +352,9 @@
          <listitem>
            <para>You may not jump to a chain defined in the <emphasis
-            role="bold">INPUT</emphasis> section that specifies specifies a
+            role="bold">INPUT</emphasis> or <emphasis
-            MAC address.</para>
+            role="bold">PREROUTING</emphasis> section that specifies specifies
            a MAC address.</para>
          </listitem>
        </itemizedlist>
      </listitem>
@ -363,6 +377,16 @@
            <para><emphasis role="bold">accountfwd</emphasis> in the <emphasis
            role="bold">FORWARD</emphasis> section</para>
          </listitem>
          <listitem>
            <para><emphasis role="bold">accountpre</emphasis> in the <emphasis
            role="bold">PREROUTING</emphasis> section</para>
          </listitem>
          <listitem>
            <para><emphasis role="bold">accountpost</emphasis> in the
            <emphasis role="bold">POSTROUTING</emphasis> section</para>
          </listitem>
        </itemizedlist>
      </listitem>