holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Implement NFLOG accounting action.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-05-17 13:42:13 -07:00
parent fd70e73d34
commit 495aa9b9ac
5 changed files with 79 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/Perl/Shorewall/Accounting.pm
View File

@ -224,6 +224,8 @@ sub process_accounting_rule( ) {
} else { } else {
fatal_error "Invalid ACCOUNT Action"; fatal_error "Invalid ACCOUNT Action";
} }
} elsif ( $action =~ /^NFLOG/ ) {
$target = validate_level $action;
} else { } else {
( $action, my $cmd ) = split /:/, $action; ( $action, my $cmd ) = split /:/, $action;

8
Shorewall/changelog.txt
View File

@ -2,9 +2,15 @@ Changes in Shorewall 4.4.20 Beta 2
1) Use 'my' unless variable is exported. 1) Use 'my' unless variable is exported.
2) Merged fixes from 4.4.19.4.
3) Implemented ACCOUNTING_TABLE
4) Implement NFLOG accounting action.
Changes in Shorewall 4.4.20 Beta 1 Changes in Shorewall 4.4.20 Beta 1
1) Apply Togan's patch for installation flexibility. 1) Apply Togan's patch for installation flexibility.
2) Disallow degenerate entry in tcpri. 2) Disallow degenerate entry in tcpri.

52
Shorewall/releasenotes.txt
View File

@ -13,20 +13,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Previously, the compiler would allow a degenerate entry (only the All bug fixes from 4.4.19.1 - 4.4.19.4.
BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a
compilation error.
2) Previously, it was possible to specify tcfilters and tcrules that
classified traffic with the class-id of a non-leaf HFSC class. Such
classes are not capabable of handling packets.
Shorewall now generates a compile-time warning in this case and
ignores the entry.
If a non-leaf class is specified as the default class, then
Shorewall now generates a compile-time error since that
configuration allows no network traffic to flow.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G I I. K N O W N P R O B L E M S R E M A I N I N G
@ -62,6 +49,10 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
Present sections must appear in that order. Present sections must appear in that order.
3) An NFLOG 'ACTION' has been added to the accounting file to allow
sending matching packets (or the leading part of them) to backend
accounting daemons via a netlink socket.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -310,6 +301,39 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Shorewall now generates a compile-time error since that Shorewall now generates a compile-time error since that
configuration allows no network traffic to flow. configuration allows no network traffic to flow.
3) Traditionally, Shorewall has not checked for the existance of
ipsets mentioned in the configuration, potentially resulting in a
run-time start/restart failure. Now, the compiler will issue a
WARNING if:
a) The compiler is being run by root.
b) The compilation isn't producing a script to run on a remote
system under a -lite product.
c) An ipset appearing in the configuration does not exist on the
local system.
4) As previously implemented, the 'refresh' command could fail or
could result in a ruleset other than what was intended. If there
had been changes in the ruleset since it was originally
started/restarted/restored that added or deleted sequenced chains
(chains such as ~lognnn and ~exclnnn), the resulting ruleset could
jump to the wrong such chains or could fail to 'refresh'
successfully.
This issue has been corrected as follows. When a 'refresh' is done
and individual chains are involved, then each table that contains
both sequenced chains and one of the chains being refreshed is
refreshed in its entirety.
For example, if 'shorwall refresh foo' is issued and the filter
table (which is the default) contains any sequenced chains, then
the entire table is reloaded. Note that this reload operation is
atomic so no packets are passed through an inconsistent
configuration.
5) When 'shorewall6 refresh' was run previously, a harmless
'ip6tables: Chain exists' message was generated.
4.4.19.3 4.4.19.3
1) The changes in 4.4.19.1 that corrected long-standing issues with 1) The changes in 4.4.19.1 that corrected long-standing issues with

18
manpages/shorewall-accounting.xml
View File

@ -116,7 +116,8 @@
<term><replaceable>network</replaceable></term> <term><replaceable>network</replaceable></term>
<listitem> <listitem>
<para>is an IPv4 network in CIDR notation (e.g., <para>is an IPv4 networ<emphasis
role="bold">k</emphasis> in CIDR notation (e.g.,
192.168.1.0/24). The network can be as large as a /8 192.168.1.0/24). The network can be as large as a /8
(class A).</para> (class A).</para>
</listitem> </listitem>
@ -145,6 +146,18 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>NFLOG[(nflog-parameters)] - Added in
Shorewall-4.4.20.</term>
<listitem>
<para>Causes each matching packet to be sent via the currently
loaded logging backend (usually nfnetlink_log) where it is
available to accounting daemons through a netlink
socket.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>COMMENT</term> <term>COMMENT</term>
@ -540,6 +553,9 @@
url="http://shorewall.net/Accounting.html">http://shorewall.net/Accounting.html url="http://shorewall.net/Accounting.html">http://shorewall.net/Accounting.html
</ulink></para> </ulink></para>
<para><ulink
url="http://shorewall.net/shorewall_logging.html">http://shorewall.net/shorewall_logging.html</ulink></para>
<para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5), <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),

15
manpages6/shorewall6-accounting.xml
View File

@ -88,6 +88,18 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>NFLOG[(nflog-parameters)] - Added in
Shorewall-4.4.20.</term>
<listitem>
<para>Causes each matching packet to be sent via the currently
loaded logging backend (usually nfnetlink_log) where it is
available to accounting daemons through a netlink
socket.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>COMMENT</term> <term>COMMENT</term>
@ -576,6 +588,9 @@
url="http://shorewall.net/Accounting.html">http://shorewall.net/Accounting.html url="http://shorewall.net/Accounting.html">http://shorewall.net/Accounting.html
</ulink></para> </ulink></para>
<para><ulink
url="http://shorewall.net/shorewall_logging.html">http://shorewall.net/shorewall_logging.html</ulink></para>
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5), <para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),