diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index dfc1f1ae8..f9e82db44 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -1,3 +1,7 @@ +Changes in 4.1.2 + +1) Enhanced Operational Logging + Changes in 4.1.1 1) Fix ULOG/NFLOG output. diff --git a/Shorewall-common/init.sh b/Shorewall-common/init.sh index 92c3628b8..ea6a41ceb 100755 --- a/Shorewall-common/init.sh +++ b/Shorewall-common/init.sh @@ -61,7 +61,7 @@ usage() { ################################################################################ # Get startup options (override default) ################################################################################ -OPTIONS= +OPTIONS="-v0" if [ -f /etc/sysconfig/shorewall ]; then . /etc/sysconfig/shorewall elif [ -f /etc/default/shorewall ] ; then @@ -74,7 +74,7 @@ fi command="$1" case "$command" in - start) + start|restart|stop) exec /sbin/shorewall $OPTIONS $@ ;; stop|restart|status) @@ -82,7 +82,7 @@ case "$command" in ;; reload) shift - exec /sbin/shorewall restart $@ + exec /sbin/shorewall $OPTIONS restart $@ ;; *) usage diff --git a/Shorewall-common/lib.config b/Shorewall-common/lib.config index a26f5a47d..66e06cfbd 100644 --- a/Shorewall-common/lib.config +++ b/Shorewall-common/lib.config @@ -1805,7 +1805,6 @@ do_initialize() { else startup_error "$config does not exist!" fi - # # Restore CONFIG_PATH if the shorewall.conf file cleared it # diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 48ee41df8..ba0adee7d 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 4.1 Patch Release 0. +Shorewall 4.1 Patch Release 2. ---------------------------------------------------------------------------- R E L E A S E 4 . 1 H I G H L I G H T S 
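Review bot: The new `start|restart|stop)` arm catches `stop` and `restart` before the unchanged `stop|restart|status)` arm that follows it, so those two alternatives in the second arm are now unreachable and `status` is the only command still dispatched without `$OPTIONS`; either drop the dead alternatives or fold `status` into the first arm if every command is meant to see the `-v0` default. The `exec` also expands `$@` unquoted, which re-splits any argument containing whitespace — `exec /sbin/shorewall $OPTIONS "$@"` passes the words as given (the shebang is outside the hunk, so this assumes a POSIX sh). The `case` statement continues past the end of the hunk.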
@@ -8,23 +8,56 @@ Shorewall 4.1 Patch Release 0. 2) Support for NFLOG has been added. -Problems corrected in Shorewall 4.1.1. +3) Enhanced operational logging -1) Previously, incorrect output was generated by parameter lists to - ULOG or NFLOG. +Problems corrected in Shorewall 4.1.2. -2) Specifying NFQUEUE() in the POLICY column of the - policy file resulted in an error. +None. +Other changes in Shorewall 4.1.2. -Other changes in Shorewall 4.1.1. +1) Shorewall 4.1.2 contains enhanced operational logging capabilities + through a set of related enhancements to Shorewall-common and + Shorewall-shell. The enhancements are not supported by + Shorewall-shell. -1) You may now specify an interface address in the INTERFACE column of - /etc/shorewall/providers. See New Feature 1) below. + a) The STARTUP_LOG option in /etc/shorewall/shorewall.conf gives + the name of the Shorewall operational log. The log will be + created if it does not exist. + + b) The LOG_VERBOSITY option in /etc/shorewall/shorewall.conf gives + the verbosity at which logging will occur. It uses the same + value range as VERBOSITY: + + -1 Do not log + 0 Almost quiet + 1 Only major steps + 2 Verbose + + c) An absolute VERBOSITY may be specified on the command line + using the -v option followed by -1,0,1 or 2. + + Example: + + shorewall -v2 check + + d) The /etc/init.d/shorewall script supplied with the + shorewall.net packages sets '-v0' as the default. This may be + overridden with the OPTIONS setting in /etc/defaults/shorewall or + /etc/sysconfig/shorewall. + + Logging occurs on both Shorewall-perl and the generated script when + the following commands are issued: + + start + restart + refresh + + Messages in the log are always timestamped. New Features in Shorewall 4.1. -1) Shorewall 4.1.0 contains experimental support for multiple Internet +1) Shorewall 4.1 contains experimental support for multiple Internet providers through a single ethernet interface. 
Configuring two providers through a single interface differs from two providers through two interfaces in several ways. @@ -34,7 +67,9 @@ New Features in Shorewall 4.1. to determine which provider a packet was received through. Note that only routed traffic can be categorized using this technique. - b) The 'shared' provider option must be specified for both providers. + b) You must specify the address on the interface that corresponds to + a particular provider in the INTERFACE column by following the + interface name with a colon (":") and the address. c) Entries in /etc/shorewall/masq must be qualified by the provider name (or number). 
@@ -43,25 +78,26 @@ New Features in Shorewall 4.1. iptables. If you use a capabilities file, you need to regenerate the file with Shorewall 4.0.6 or Shorewall-lite 4.0.6. - e) You specify the address on the interface that corresponds to a - particular provider in the INTERFACE column by following the - interface name with a colon (":") and the address. - - f) You must add route_rules entries for networks that are accessed + e) You must add route_rules entries for networks that are accessed through a particular provider. + f) If you have additional IP addresses through either provider, + you must add route_rules to direct traffic FROM each of those + addresses through the appropriate provider. + Example: Providers Blarg (1) and Avvanta (2) are both connected to eth0. The firewall's IP address with Blarg is 206.124.146.176/24 (gateway 206.124.146.254) and the IP address from Avvanta is - 130.252.144.8/24 (gateway 130.252.144.254). + 130.252.144.8/24 (gateway 130.252.144.254). We have a second IP + address (206.124.146.177) from Blarg. /etc/shorewall/providers: - #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS - Blarg 1 1 main eth0:206.124.146.176 206.124.146.254 shared,... - Avvanta 2 2 main eth0:130.252.144.8 130.252.144.254 shared,... + #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY + Blarg 1 1 main eth0:206.124.146.176 206.124.146.254 ... + Avvanta 2 2 main eth0:130.252.144.8 130.252.144.254 ... /etc/shorewall/masq: @@ -76,6 +112,7 @@ New Features in Shorewall 4.1. #SOURCE DEST PROVIDER PRIORITY - 206.124.146.0/24 Blarg 1000 - 130.252.144.0/24 Avvanta 1000 + 206.124.146.177 - Blarg 26000 2) You may now include the name of a table (nat, mangle or filter) in a 'shorewall refresh' command by following the name with a colon diff --git a/Shorewall-common/shorewall b/Shorewall-common/shorewall index 275a34c1f..b1be55769 100755 --- a/Shorewall-common/shorewall +++ b/Shorewall-common/shorewall 
@@ -224,7 +224,30 @@ get_config() { export LOGFORMAT - fi + if [ -n "$STARTUP_LOG" ]; then + if [ -n "$LOG_VERBOSITY" ]; then + case $LOG_VERBOSITY in + -1) + ;; + 0|1|2) + [ -n "$STARTUP_LOG" ] || $LOG_VERBOSITY=-1; + ;; + *) + echo " ERROR: INvalid LOG_VERBOSITY ($LOG_VERBOSITY)" >&2 + exit 2; + ;; + esac + else + $LOG_VERBOSITY=2; + fi + else + LOG_VERBOSITY=-1; + fi + + else + STARTUP_LOG= + LOG_VERBOSITY=-1 + fi if [ -n "$SHOREWALL_SHELL" ]; then if [ ! -x "$SHOREWALL_SHELL" ]; then @@ -235,7 +258,7 @@ get_config() { [ -n "${VERBOSITY:=2}" ] - VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY)) + [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY)) export VERBOSE @@ -315,6 +338,15 @@ compiler() { fi fi + case $COMMAND in + *start|try|refresh) + ;; + *) + STARTUP_LOG= + LOG_VERBOSITY=-1 + ;; + esac + [ $command = exec ] || command= case "$compiler" in @@ -329,12 +361,14 @@ compiler() { [ "$1" = nolock ] && shift; shift - options="--verbose $VERBOSE "; + options="--verbose=$VERBOSE " + [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG " + [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY "; [ -n "$EXPORT" ] && options="$options --export " - [ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR " + [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR " [ -n "$TIMESTAMP" ] && options="$options --timestamp " [ "$debugging" = trace ] && options="$options --debug " - [ -n "$REFRESHCHAINS" ] && options="$options --refresh $REFRESHCHAINS" + [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS" [ -x $pc ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed" # # Run the appropriate params file 
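Review bot: `$LOG_VERBOSITY=-1;` in the `0|1|2)` arm and `$LOG_VERBOSITY=2;` in the inner `else` are not assignments: the leading `$` expands the variable first, so the shell tries to execute a command named `=2` (or `0=-1`) and LOG_VERBOSITY is never set; both lines should read `LOG_VERBOSITY=-1` and `LOG_VERBOSITY=2`. The `[ -n "$STARTUP_LOG" ] ||` guard in that arm is redundant because the whole block is already inside `if [ -n "$STARTUP_LOG" ]`. Note also that this shell side defaults an unset LOG_VERBOSITY to 2 while Config.pm in the same commit defaults it to -1, so the compiler's own log and the generated script could disagree; settling on one default (and fixing the `INvalid` typo in the error text) would avoid that. get_config() starts before this hunk.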
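Review bot: `options="$options --log=$STARTUP_LOG "` is later expanded unquoted when the compiler is invoked, so a STARTUP_LOG containing whitespace is split into extra arguments and a relative path is resolved against whatever working directory the compiler happens to have. STARTUP_LOG comes from root-owned shorewall.conf, so this is a robustness gap rather than an injection vector, but failing closed is cheap: `case $STARTUP_LOG in '' | /*) ;; *) startup_error "STARTUP_LOG ($STARTUP_LOG) must be an absolute pathname" ;; esac` before the options are assembled. The trailing `;` on the new `--log_verbosity` line, absent on its neighbours, is a style nit worth normalizing. compiler() and the `case "$compiler"` statement extend beyond this hunk.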
@@ -348,6 +382,8 @@ compiler() { $command perl $debugflags $pc $options $@ ;; shell) + LOG_VERBOSE=$LOG_VERBOSITY + export STARTUP_LOG LOG_VERBOSE [ -x $sc ] || startup_error "SHOREWALL_COMPILER=shell requires the shorewall-shell package which is not installed" [ -n "$REFRESHCHAINS" ] && startup_error "Shorewall-shell does not support refresh of specific chains" $command $SHOREWALL_SHELL $sc $@ @@ -407,6 +443,10 @@ start_command() { option= shift ;; + d*) + DEBUG=Yes + option=${option#d} + ;; f*) FAST=Yes option=${option#f} @@ -669,6 +709,10 @@ restart_command() { finished=1 option= ;; + d*) + DEBUG=Yes + option=${option#d} + ;; n*) NOROUTES=Yes option=${option#n} @@ -1332,6 +1376,7 @@ SHOREWALL_DIR= IPT_OPTIONS="-nv" FAST= VERBOSE_OFFSET=0 +USE_VERBOSITY= NOROUTES= EXPORT= export TIMESTAMP= @@ -1383,8 +1428,29 @@ while [ $finished -eq 0 ]; do option=${option#f} ;; v*) - VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 )) option=${option#v} + case $option in + -1*) + USE_VERBOSITY=-1 + option=${option#-1} + ;; + 0*) + USE_VERBOSITY=0 + option=${option#0} + ;; + 1*) + USE_VERBOSITY=1 + option=${option#1} + ;; + 2*) + USE_VERBOSITY=2 + option=${option#2} + ;; + *) + VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 )) + USE_VERBOSITY= + ;; + esac ;; n*) NOROUTES=Yes diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index 0d03eb06e..09f719014 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -143,6 +143,8 @@ sub generate_script_1() { qq(PATH="$config{PATH}") , 'TERMINATOR=fatal_error' , qq(DONT_LOAD="@dont_load") , + qq(STARTUP_LOG="$config{STARTUP_LOG}") , + "LOG_VERBOSE=$config{LOG_VERBOSITY}" , '' ); 
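Review bot: `qq(STARTUP_LOG="$config{STARTUP_LOG}")` drops the configured path into the generated shell script inside double quotes with no escaping, so a value containing `"`, `$`, a backquote or a backslash yields a script that is syntactically broken or expands something at run time as root. The neighbouring `$config{PATH}` line already has the same shape, so the pattern is not new, but STARTUP_LOG is a new operator-supplied string, and `LOG_VERBOSE=$config{LOG_VERBOSITY}` on the next line is emitted with no range check at all. The cheapest fix is to validate both in get_configuration where their defaults are applied (a conservative path character set for STARTUP_LOG, -1..2 for LOG_VERBOSITY); alternatively emit the path single-quoted with any embedded `'` escaped. generate_script_1 starts before and continues after this hunk.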
@@ -699,9 +701,9 @@ EOF # If the first argument is non-null, it names the script file to generate. # Otherwise, this is a 'check' command and no script is produced. # -sub compiler( $$$$$ ) { +sub compiler( $$$$$$$ ) { - my ( $objectfile, $directory, $verbosity, $options , $chains ) = @_; + my ( $objectfile, $directory, $verbosity, $options , $chains , $log , $log_verbosity ) = @_; $export = 0; @@ -712,10 +714,11 @@ sub compiler( $$$$$ ) { set_shorewall_dir( $directory ); } - set_verbose( $verbosity ) unless $verbosity eq ''; - $export = 1 if $options & EXPORT; - set_timestamp( 1 ) if $options & TIMESTAMP; - set_debug( 1 ) if $options & DEBUG; + set_verbose( $verbosity ) unless $verbosity eq ''; + set_log($log, $log_verbosity) if $log; + $export = 1 if $options & EXPORT; + set_timestamp( 1 ) if $options & TIMESTAMP; + set_debug( 1 ) if $options & DEBUG; # # Get shorewall.conf and capabilities. # @@ -875,6 +878,8 @@ sub compiler( $$$$$ ) { generate_aux_config if $export; } + close_log if $log; + 1; } diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index e6a627b56..89156bec8 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm @@ -54,12 +54,15 @@ our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shor our %EXPORT_TAGS = ( internal => [ qw( create_temp_object finalize_object + numeric_value emit emit_unindented save_progress_message save_progress_message_short set_timestamp set_verbose + set_log + close_log set_command push_indent pop_indent @@ -113,6 +116,10 @@ our ($command, $doing, $done ); # our $verbose; # +# Logging +# +our ( $log, $log_verbose ); +# # Timestamp each progress message, if true. # our $timestamp; 
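Review bot: `set_log( $log, $log_verbosity ) if $log;` only opens the log when `--log_verbosity` is also supplied: with `$v` undefined set_log skips the assignment, `$log_verbose` keeps the -1 given in initialize(), and set_log's `else` branch silently leaves the file unopened. The Shorewall-common wrapper in this commit always passes both options, so this is reachable only from a direct compiler.pl invocation, but it deserves a line in the header comment above the sub, e.g. `# $log names the operational log and $log_verbosity (-1..2) its level; nothing is logged unless both are given and the level is >= 0.` With seven positional parameters the `( $$$$$$$ )` prototype provides no argument checking, only parsing quirks, so documenting each new parameter is the practical safeguard. The body of compiler() continues well past this hunk.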
@@ -228,6 +235,8 @@ sub initialize() { ( $command, $doing, $done ) = qw/ compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion. $verbose = 0; # Verbosity setting. 0 = almost silent, 1 = major progress messages only, 2 = all progress messages (very noisy) + $log = undef; # File reference for log file + $log_verbose = -1; # Verbosity of log. $timestamp = ''; # If true, we are to timestamp each progress message $object = 0; # Object (script) file Handle Reference $lastlineblank = 0; # Avoid extra blank lines in the output @@ -268,6 +277,8 @@ sub initialize() { RFC1918_LOG_LEVEL => undef, SMURF_LOG_LEVEL => undef, LOG_MARTIANS => undef, + LOG_VERBOSITY => undef, + STARTUP_LOG => undef, # # Location of Files # @@ -425,8 +436,10 @@ sub warning_message if ( $debug ) { print STDERR longmess( " WARNING: @_$currentlineinfo" ); + print $log longmess( " WARNING: @_$currentlineinfo" ) if $log; } else { print STDERR " WARNING: @_$currentlineinfo\n"; + print $log " WARNING: @_$currentlineinfo\n" if $log; } $| = 0; 
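Review bot: The two new `print $log ... WARNING: ...` lines write to the operational log without the `Mon DD HH:MM:SS` prefix that progress_message adds, although the release notes in this same commit state that messages in the log are always timestamped; fatal_error's new log lines have the same gap. Reusing the identical `printf $log '%s %02d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];` here would require `@abbr` to be declared above warning_message, so a small `log_timestamp()` helper defined after the `my @abbr` declaration and called from every log write is the cleaner route. warning_message begins before this hunk and ends after it.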
@@ -438,17 +451,51 @@ sub warning_message sub fatal_error { my $linenumber = $currentlinenumber || 1; my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : ''; + $| = 1; + + if ( $log ) { + if ( $debug ) { + print $log longmess( " ERROR: @_$currentlineinfo" ); + } else { + print $log " ERROR: @_$currentlineinfo\n"; + } + + close $log; + $log = undef; + } + confess " ERROR: @_$currentlineinfo" if $debug; die " ERROR: @_$currentlineinfo\n"; } sub fatal_error1 { $| = 1; + + if ( $log ) { + if ( $debug ) { + print $log longmess( " ERROR: @_\n" ); + } else { + print $log " ERROR: @_\n"; + } + + close $log; + $log = undef; + } + confess " ERROR: @_" if $debug; die " ERROR: @_\n"; } +# +# Convert value to decimal number +# +sub numeric_value ( $ ) { + my $mark = lc $_[0]; + fatal_error "Invalid Numeric Value ($mark)" unless $mark =~ /^-?(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/; + $mark =~ /^0/ ? oct $mark : $mark; +} + # # Write the arguments to the object file (if any) with the current indentation. # @@ -510,6 +557,36 @@ sub set_verbose( $ ) { $verbose = shift; } +# +# Set $log and $log_verbose +# +sub set_log ( $$ ) { + my ( $l, $v ) = @_; + + if ( defined $v ) { + my $value = numeric_value( $v ); + + if ( ( $value < -1 ) || ( $value > 2 ) ) { + fatal_error "Invalid Log Verbosity ( $v )"; + } + + $log_verbose = $value; + } + + if ( $l && $log_verbose >= 0 ) { + unless ( open $log , '>>' , $l ) { + $log = undef; + fatal_error "Unable to open $l for writing: $!"; + } + } else { + $log_verbose = -1; + } +} + +sub close_log() { + close $log, $log = undef if $log; +} + # # Set $command, $doing and $done # @@ -524,6 +601,8 @@ sub timestamp() { printf '%02d:%02d:%02d ', ( localtime ) [2,1,0]; } +my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec ); + # # Write a message if $verbose >= 2 # 
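Review bot: The `-?` added to numeric_value's pattern lets negative values through validation, but the conversion on the next line still keys on `/^0/`, so `-010` falls through as the string `-010` (numerically -10, not -8) and `-0x10` becomes 0 with a non-numeric warning; only negative decimals come out right. Capturing the sign and converting the magnitude separately fixes it (below). Since numeric_value is now the exported parser that Zones.pm used to own, any caller that relied on it rejecting negatives will now accept them — worth checking those call sites, which are outside this diff.
```perl
sub numeric_value ( $ ) {
    my $mark = lc $_[0];
    fatal_error "Invalid Numeric Value ($mark)" unless $mark =~ /^(-?)(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/;
    my ( $sign, $magnitude ) = ( $1, $2 );
    my $value = $magnitude =~ /^0/ ? oct $magnitude : $magnitude;
    $sign ? -$value : $value;
}
```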
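Review bot: close_log clears `$log` but leaves `$log_verbose` at its previous level, and fatal_error's new close path does the same, so any progress_message* call that follows (or a fatal_error caught by an `eval` higher up) reaches `printf $log` with an undefined handle, which Perl aborts with "Can't use an undefined value as filehandle reference"; resetting the level together with the handle closes that window: `close $log if $log;` `$log = undef;` `$log_verbose = -1;`. Separately, `open $log, '>>', $l` runs as root on an operator-supplied path, follows symlinks, and creates the file with the umask default, so the documentation should state that STARTUP_LOG must live in a root-owned directory. If it may legitimately point into /tmp or another shared directory, `sysopen` with `O_WRONLY|O_APPEND|O_CREAT|O_NOFOLLOW` (where Fcntl provides it) and mode 0600 is the safer primitive.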
@@ -538,6 +617,15 @@ sub progress_message { $line =~ s/\s+/ /g; print "$line\n"; } + + if ( $log_verbose > 1 ) { + my @localtime = localtime; + + printf $log '%s %02d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; + my $line = "@_"; + $line =~ s/\s+/ /g; + print $log "$line\n"; + } } # @@ -548,6 +636,13 @@ sub progress_message2 { timestamp if $timestamp; print "@_\n"; } + + if ( $log_verbose > 0 ) { + my @localtime = localtime; + + printf $log '%s %02d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; + print $log "@_\n"; + } } # @@ -558,6 +653,13 @@ sub progress_message3 { timestamp if $timestamp; print "@_\n"; } + + if ( $log_verbose > 0 ) { + my @localtime = localtime; + + printf $log '%s %02d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; + print $log "@_\n"; + } } # @@ -1651,6 +1753,9 @@ sub get_configuration( $ ) { check_trivalue ( 'ROUTE_FILTER', '' ); check_trivalue ( 'LOG_MARTIANS', '' ); + default 'LOG_VERBOSITY' , -1; + default 'STARTUP_LOG' , ''; + default_yes_no 'ADD_IP_ALIASES' , 'Yes'; default_yes_no 'ADD_SNAT_ALIASES' , ''; default_yes_no 'DETECT_DNAT_IPADDRS' , ''; @@ -1993,6 +2098,7 @@ END { # close $object if $object; close $scriptfile if $scriptfile; + close $log if $log; # # Unlink temporary files # diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm index 1e41b7f25..e267da00c 100644 --- a/Shorewall-perl/Shorewall/Zones.pm +++ b/Shorewall-perl/Shorewall/Zones.pm @@ -37,7 +37,6 @@ our @EXPORT = qw( NOTHING IPSECPROTO IPSECMODE - numeric_value determine_zones zone_report dump_zone_contents @@ -158,15 +157,6 @@ INIT { initialize; } -# -# Convert value to decimal number -# -sub numeric_value ( $ ) { - my $mark = lc $_[0]; - fatal_error "Invalid Numeric Value ($mark)" unless $mark =~ /^(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/; - $mark =~ /^0/ ? oct $mark : $mark; -} - # # Parse the passed option list and return a reference to a hash as follows: # 
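Review bot: The new block tests `$log_verbose > 1` but never `$log`, so once close_log or fatal_error has undef'd the handle while leaving the level in place, this `printf $log` dies with an undefined-filehandle error instead of being skipped; `if ( $log && $log_verbose > 1 )` is the safe guard, and progress_message2/3 below need the same change. The timestamp prefix is now copied verbatim into three subs, so a helper placed after the `my @abbr` declaration keeps the format in one place (below). progress_message's first lines are outside the hunk.
```perl
# Prefix a log line with "Mon DD HH:MM:SS " (only valid while $log is open)
sub log_timestamp() {
    my @localtime = localtime;
    printf $log '%s %02d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
}

# … unchanged: progress_message up to the STDOUT print …
    if ( $log && $log_verbose > 1 ) {
        log_timestamp;
        my $line = "@_";
        $line =~ s/\s+/ /g;
        print $log "$line\n";
    }
```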
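Review bot: `default 'LOG_VERBOSITY' , -1;` and `default 'STARTUP_LOG' , '';` apply defaults but validate nothing, yet both values are emitted verbatim into the generated script by generate_script_1, whereas the command-line path through set_log enforces the -1..2 range. Assuming `default` only fills an unset key, two lines after the defaults close the gap: `my $lv = numeric_value $config{LOG_VERBOSITY};` and `fatal_error "Invalid LOG_VERBOSITY ($config{LOG_VERBOSITY})" if $lv < -1 || $lv > 2;`, and a conservative path check such as `fatal_error "Invalid STARTUP_LOG ($config{STARTUP_LOG})" unless $config{STARTUP_LOG} =~ m{^[-\w./]*$};` keeps shell metacharacters out of the double-quoted assignment written into the generated script. get_configuration extends beyond this hunk in both directions.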
diff --git a/Shorewall-perl/compiler.pl b/Shorewall-perl/compiler.pl index 3d45631da..bacb73cdd 100755 --- a/Shorewall-perl/compiler.pl +++ b/Shorewall-perl/compiler.pl @@ -41,7 +41,18 @@ use Shorewall::Compiler; use Getopt::Long; sub usage() { - print STDERR "usage: compiler.pl [ --export ] [ --directory= ] [ --verbose={0-2} ] [ --timestamp ] [ -- debug ] [ --refresh= ] [ ]\n"; + print STDERR 'usage: compiler.pl [