Implement NFLOG accounting action.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-17 13:42:13 -07:00 · 2011-05-17 13:42:13 -07:00 · 495aa9b9ac
commit 495aa9b9ac
parent fd70e73d34
5 changed files with 79 additions and 16 deletions
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@ -224,6 +224,8 @@ sub process_accounting_rule( ) {
 	    } else {
 		fatal_error "Invalid ACCOUNT Action";
 	    }
+	} elsif ( $action =~ /^NFLOG/ ) {
+	    $target = validate_level $action;
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;

--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -2,9 +2,15 @@ Changes in Shorewall 4.4.20 Beta 2

 1)  Use 'my' unless variable is exported.

+2)  Merged fixes from 4.4.19.4.
+
+3)  Implemented ACCOUNTING_TABLE
+
+4)  Implement NFLOG accounting action.
+
 Changes in Shorewall 4.4.20 Beta 1

-1) Apply Togan's patch for installation flexibility.
+1)  Apply Togan's patch for installation flexibility.

 2)  Disallow degenerate entry in tcpri.

--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -13,20 +13,7 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------

-1)  Previously, the compiler would allow a degenerate entry (only the
-    BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a
-    compilation error.
-
-2)  Previously, it was possible to specify tcfilters and tcrules that
-    classified traffic with the class-id of a non-leaf HFSC class. Such
-    classes are not capabable of handling packets.
-
-    Shorewall now generates a compile-time warning in this case and
-    ignores the entry.
-
-    If a non-leaf class is specified as the default class, then
-    Shorewall now generates a compile-time error since that
-    configuration allows no network traffic to flow.
+All bug fixes from 4.4.19.1 - 4.4.19.4.

 ----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
@ -62,6 +49,10 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES

    Present sections must appear in that order.

+3)  An NFLOG 'ACTION' has been added to the accounting file to allow
+    sending matching packets (or the leading part of them) to backend
+    accounting daemons via a netlink socket. 
+
 ----------------------------------------------------------------------------
             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------
@ -310,6 +301,39 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    Shorewall now generates a compile-time error since that
    configuration allows no network traffic to flow.

+3)  Traditionally, Shorewall has not checked for the existance of
+    ipsets mentioned in the configuration, potentially resulting in a
+    run-time start/restart failure. Now, the compiler will issue a
+    WARNING if:
+
+    a) The compiler is being run by root.
+    b) The compilation isn't producing a script to run on a remote
+       system under a -lite product.
+    c) An ipset appearing in the configuration does not exist on the
+       local system.
+
+4)  As previously implemented, the 'refresh' command could fail or
+    could result in a ruleset other than what was intended. If there
+    had been changes in the ruleset since it was originally
+    started/restarted/restored that added or deleted sequenced chains
+    (chains such as ~lognnn and ~exclnnn), the resulting ruleset could
+    jump to the wrong such chains or could fail to 'refresh'
+    successfully.
+
+    This issue has been corrected as follows. When a 'refresh' is done
+    and individual chains are involved, then each table that contains
+    both sequenced chains and one of the chains being refreshed is
+    refreshed in its entirety.
+
+    For example, if 'shorwall refresh foo' is issued and the filter
+    table (which is the default) contains any sequenced chains, then
+    the entire table is reloaded. Note that this reload operation is
+    atomic so no packets are passed through an inconsistent
+    configuration.
+
+5)  When 'shorewall6 refresh' was run previously, a harmless
+    'ip6tables: Chain exists' message was generated.
+
 4.4.19.3

 1)  The changes in 4.4.19.1 that corrected long-standing issues with
--- a/manpages/shorewall-accounting.xml
+++ b/manpages/shorewall-accounting.xml
@ -116,7 +116,8 @@
                    <term><replaceable>network</replaceable></term>

                    <listitem>
-                      <para>is an IPv4 network in CIDR notation (e.g.,
+                      <para>is an IPv4 networ<emphasis
+                      role="bold">k</emphasis> in CIDR notation (e.g.,
                      192.168.1.0/24). The network can be as large as a /8
                      (class A).</para>
                    </listitem>
@ -145,6 +146,18 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>NFLOG[(nflog-parameters)] - Added in
+              Shorewall-4.4.20.</term>
+
+              <listitem>
+                <para>Causes each matching packet to be sent via the currently
+                loaded logging backend (usually nfnetlink_log) where it is
+                available to accounting daemons through a netlink
+                socket.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>COMMENT</term>

@ -540,6 +553,9 @@
    url="http://shorewall.net/Accounting.html">http://shorewall.net/Accounting.html
    </ulink></para>

+    <para><ulink
+    url="http://shorewall.net/shorewall_logging.html">http://shorewall.net/shorewall_logging.html</ulink></para>
+
    <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
--- a/manpages6/shorewall6-accounting.xml
+++ b/manpages6/shorewall6-accounting.xml
@ -88,6 +88,18 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>NFLOG[(nflog-parameters)] - Added in
+              Shorewall-4.4.20.</term>
+
+              <listitem>
+                <para>Causes each matching packet to be sent via the currently
+                loaded logging backend (usually nfnetlink_log) where it is
+                available to accounting daemons through a netlink
+                socket.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>COMMENT</term>

@ -576,6 +588,9 @@
    url="http://shorewall.net/Accounting.html">http://shorewall.net/Accounting.html
    </ulink></para>

+    <para><ulink
+    url="http://shorewall.net/shorewall_logging.html">http://shorewall.net/shorewall_logging.html</ulink></para>
+
    <para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),