Add IP accounting

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@692 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/accounting

@@ -0,0 +1,40 @@
+#
+# Shorewall version 1.4 - Accounting File
+#
+# /etc/shorewall/accounting
+#
+#	Accounting rules exist simply to count packets and bytes in categories
+#	that you define in this file. You may display these rules and their
+#	packet and byte counters using the "shorewall show accounting" command.
+#
+#	In all columns of this file, the values "-", "any" and "all" may be used
+#	as wildcards
+#
+# Columns are:
+#
+#	SOURCE	      - Packet Source
+#
+#			The name of an interface, an address (host or net) or
+#			an interface name followed by ":"
+#			and a host or net address. 
+#
+#	DESTINATION   - Packet Destination
+#
+#			Format the same as the SOURCE column.
+#
+#	PROTOCOL	A protocol name (from /etc/protocols), a protocol
+#			number.
+#
+#	DEST PORT	Destination Port number
+#
+#			Service name from /etc/services or port number. May
+#			only be specified if the protocol is TCP or UDP (6
+#			or 17). 
+#
+#	SOURCE PORT	Source Port number
+#
+#			Service name from /etc/services or port number. May
+#			only be specified if the protocol is TCP or UDP (6
+#			or 17).
+#
+#SOURCE		DESTINATION	PROTOCOL	DEST PORT   SOURCE PORT

Shorewall/changelog.txt

@@ -24,3 +24,5 @@ Changes since 1.4.6
 11) Simplify ip_broadcast()
 
 12) Add 'arp_filter' interface option.
+
+13) Added accounting file support

Shorewall/fallback.sh

@@ -134,6 +134,8 @@ restore_file /etc/shorewall/stopped
 
 restore_file /etc/shorewall/ecn
 
+restore_file /etc/shorewall/accounting
+
 if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
     restore_file /usr/lib/shorewall/version
     oldversion="`cat /usr/lib/shorewall/version`"

Shorewall/firewall

@@ -1745,6 +1745,92 @@ delete_tc()
 }
 
 #
+# Process a record from the accounting file
+#
+process_accounting_rule() {
+    rule=
+
+    case $source in
+	*:*)
+	    rule="-s ${source#*:} -i ${source%:*}"
+	    ;;
+	*.*.*.*)
+	    rule="-s $source"
+	    ;;
+	-|all|any)
+	    ;;
+	*)
+	    rule="-i $source"
+	    ;;
+    esac
+
+    [ "x$dest" != x ] && case $dest in
+	*:*)
+	    rule="$rule -d ${dest#*:} -o ${dest%:*}"
+	    ;;
+	*.*.*.*)
+	    rule="$rule -d $dest"
+	    ;;
+	-|all|any)
+	    ;;
+	*)
+	    rule="$rule -d $dest"
+	    ;;
+    esac
+
+    [ "x$proto" != x ] && case $proto in
+	-|any|all)
+	    ;;
+	*)
+	    rule="$rule -p $proto"
+	    ;;
+    esac
+
+    [ "x$port" != x ] && case $port in
+	-|any|all)
+	    ;;
+	*)
+	    rule="$rule --dport $port"
+	    ;;
+    esac
+
+    [ "x$sport" != x ] && case $sport in
+	-|any|all)
+	    ;;
+	*)
+	    rule="$rule --sport $sport"
+	    ;;
+    esac
+
+    if iptables -A accounting $rule ; then
+	echo "   Accounting rule" $source $dest $proto $port $sport Added
+    else
+	error_message "Warning: Invalid Accounting rule" $source $dest $proto $port $sport
+    fi
+}
+
+#
+# Set up Accounting
+#
+setup_accounting() # $1 = Name of accounting file
+{
+    
+    echo "Setting up Accounting..."
+
+    strip_file accounting $1
+
+    createchain accounting No
+    
+    for chain in INPUT FORWARD OUTPUT; do
+	run_iptables -A $chain -j accounting
+    done
+
+    while read source dest proto port sport ; do
+	[ "x$source" != x ] && process_accounting_rule
+    done < $TMP_DIR/accounting
+}
+
+#      
 # Check the configuration
 #
 check_config() {
@@ -3476,6 +3562,10 @@ initialize_netfilter () {
     run_iptables -A INPUT  -i lo -j ACCEPT
     run_iptables -A OUTPUT -o lo -j ACCEPT
 
+    accounting_file=`find_file accounting`
+
+    [ -f $accounting_file ] && setup_accounting $accounting_file
+
     #
     # Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
     #

Shorewall/install.sh

@@ -555,6 +555,16 @@ else
     echo
     echo "ECN  file installed as ${PREFIX}/etc/shorewall/ecn"
 fi
+##
+# Install the Accounting file
+#
+if [ -f ${PREFIX}/etc/shorewall/accounting ]; then
+    backup_file /etc/shorewall/accounting
+else
+    run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/accounting
+    echo
+    echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
+fi
 #
 # Backup the version file
 #

Shorewall/releasenotes.txt

@@ -126,3 +126,12 @@ New Features:
    specified). Note that using such a configuration in a production
    environment is strongly recommended against.
 
+6) The ADDRESS column in /etc/shorewall/masq may now include a
+   comma-separated list of addresses and/or address ranges. Netfilter
+   will use all listed addresses/ranges in round-robin fashion.
+
+7) An /etc/shorewall/accounting file has been added to allow for 
+   traffic accounting. This is a very crude and high-overhead 
+   facility but it is enough to allow you to isolate the cause of
+   unexpected increases in traffic volume. You may find documentation
+   of the file's format in the file itself and in the documentation.

Shorewall/shorewall.spec

@@ -98,6 +98,7 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
 %attr(0544,root,root) /sbin/shorewall
 %attr(0444,root,root) /usr/share/shorewall/functions
 %attr(0544,root,root) /usr/share/shorewall/firewall
@@ -107,6 +108,8 @@ fi
 
 %changelog
 * Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
+- Added /etc/shorewall/accounting
+* Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6_20030809-1
 * Thu Jul 31 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6_20030731-1