LOGALLNEW
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1712 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
c0fc8eb15e
commit
706242aa2c
@ -112,3 +112,5 @@ Changes since 2.0.3
|
||||
53) Add mss=<number> option to the ipsec file.
|
||||
|
||||
54) Added CONNMARK/ipp2p support.
|
||||
|
||||
55) Added LOGALLNEW support.
|
||||
|
@ -1252,7 +1252,7 @@ run_user_exit() # $1 = file name
|
||||
#
|
||||
# Add a logging rule.
|
||||
#
|
||||
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $... = predicates for the rule
|
||||
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
|
||||
{
|
||||
local level=$1
|
||||
local chain=$2
|
||||
@ -1261,10 +1261,11 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
|
||||
local rulenum=
|
||||
local limit="${5:-$LOGLIMIT}"
|
||||
local tag=${6:+$6 }
|
||||
local command=${7:--A}
|
||||
local prefix
|
||||
local base=$(chain_base $displayChain)
|
||||
|
||||
shift;shift;shift;shift;shift
|
||||
shift;shift;shift;shift;shift;shift;shift
|
||||
|
||||
if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
|
||||
displayChain=$tag
|
||||
@ -1291,10 +1292,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
|
||||
|
||||
case $level in
|
||||
ULOG)
|
||||
iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
||||
iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
||||
;;
|
||||
*)
|
||||
iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
||||
iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -1311,7 +1312,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
|
||||
|
||||
shift;shift;shift
|
||||
|
||||
log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" $@
|
||||
log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
|
||||
}
|
||||
|
||||
#
|
||||
@ -2978,7 +2979,7 @@ add_an_action()
|
||||
for serv1 in $(separate_list $serv); do
|
||||
for srv in $(firewall_ip_range $serv1); do
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \
|
||||
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||
$(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports)
|
||||
fi
|
||||
|
||||
@ -2988,7 +2989,7 @@ add_an_action()
|
||||
done
|
||||
else
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \
|
||||
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||
$(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
|
||||
fi
|
||||
|
||||
@ -3498,8 +3499,8 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
if [ -n "$xlevel" ]; then
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -m pkttype --pkt-type multicast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -3513,7 +3514,7 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -d $address
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3530,8 +3531,8 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
if [ -n "$xlevel" ]; then
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type multicast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -3545,7 +3546,7 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -d $address
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3559,28 +3560,28 @@ process_actions3() {
|
||||
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||
fi
|
||||
;;
|
||||
dropNotSyn)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||
fi
|
||||
;;
|
||||
rejNotSyn)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
|
||||
fi
|
||||
;;
|
||||
dropInvalid)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -m state --state INVALID
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -m state --state INVALID
|
||||
run_iptables -A $xchain -m state --state INVALID -j DROP
|
||||
fi
|
||||
;;
|
||||
@ -3731,7 +3732,7 @@ add_nat_rule() {
|
||||
else
|
||||
for adr in $(separate_list $addr); do
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
|
||||
log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -A -t nat \
|
||||
$(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports)
|
||||
fi
|
||||
|
||||
@ -3762,7 +3763,7 @@ add_nat_rule() {
|
||||
done
|
||||
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat
|
||||
fi
|
||||
|
||||
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
|
||||
@ -3770,7 +3771,7 @@ add_nat_rule() {
|
||||
for adr in $(separate_list $addr); do
|
||||
if [ -n "$loglevel" ]; then
|
||||
ensurenatchain $chain
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat \
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \
|
||||
$(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports)
|
||||
fi
|
||||
|
||||
@ -3983,7 +3984,7 @@ add_a_rule()
|
||||
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
|
||||
for adr in $(separate_list $addr); do
|
||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
|
||||
$userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
|
||||
fi
|
||||
|
||||
@ -3992,7 +3993,7 @@ add_a_rule()
|
||||
done
|
||||
else
|
||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
|
||||
fi
|
||||
|
||||
@ -4008,7 +4009,7 @@ add_a_rule()
|
||||
done
|
||||
else
|
||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||
$(fix_bang $proto $sports $multiport $cli $dports)
|
||||
fi
|
||||
|
||||
@ -4032,7 +4033,7 @@ add_a_rule()
|
||||
|
||||
if [ $COMMAND != check ]; then
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
|
||||
fi
|
||||
|
||||
@ -6418,6 +6419,26 @@ activate_rules()
|
||||
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
run_iptables -D $chain -p udp --dport 53 -j ACCEPT
|
||||
done
|
||||
|
||||
if [ -n "$LOGALLNEW" ]; then
|
||||
for table in mangle nat filter; do
|
||||
case $table in
|
||||
mangle)
|
||||
chains="PREROUTING INPUT FORWARD POSTROUTING"
|
||||
;;
|
||||
nat)
|
||||
chains="PREROUTING POSTROUTING OUTPUT"
|
||||
;;
|
||||
*)
|
||||
chains="INPUT FORWARD OUTPUT"
|
||||
;;
|
||||
esac
|
||||
|
||||
for chain in $chains; do
|
||||
log_rule_limit $LOGALLNEW $chain $table $chain "" "" -I -m state --state NEW -t $table
|
||||
done
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
@ -6999,6 +7020,7 @@ do_initialize() {
|
||||
RETAIN_ALIASES=
|
||||
DELAYBLACKLISTLOAD=
|
||||
LOGTAGONLY=
|
||||
LOGALLNEW=
|
||||
|
||||
RESTOREBASE=
|
||||
TMP_DIR=
|
||||
|
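Review bot: The LOGALLNEW rules added in activate_rules are not actually unlimited: the call passes `""` as the fifth argument, and log_rule_limit's `local limit="${5:-$LOGLIMIT}"` turns that into the global LOGLIMIT, so when LOGRATE/LOGBURST are set these rules are rate-limited, and when they are unset they flood at wire speed — the release note's "no rate limiting" is only true in the second case. Given the documented risk of losing control of the firewall, it would be safer to pass an explicit limit here (or at least `"$LOGLIMIT"`) and document that LOGRATE/LOGBURST govern it, rather than relying on the empty-argument fallback. Separately, the mangle chain list `chains="PREROUTING INPUT FORWARD POSTROUTING"` omits OUTPUT while the release note promises a rule in "each builtin chain"; if the target kernels provide a mangle OUTPUT chain, the line should read `chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING"`, otherwise the note should be narrowed. Also worth a comment above the loop that `-I` is used deliberately so the LOG rule precedes any ESTABLISHED/RELATED ACCEPT in the same chain, and that the `-t $table` predicate is position-independent for iptables.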
@ -604,3 +604,23 @@ New Features:
|
||||
24) Shorewall now has support for the CONNMARK target from iptables.
|
||||
See the /etc/shorewall/tcrules file for details.
|
||||
|
||||
25) A new debugging option LOGALLNEW has been added to
|
||||
shorewall.conf. When set to a log level, this option causes
|
||||
Shorewall to generaate a logging rule as the first rule in each
|
||||
builtin chain.
|
||||
|
||||
- The table name is used as the chain name in the log prefix.
|
||||
- The chain name is used as the target in the log prefix.
|
||||
|
||||
Example: Using the default LOGFORMAT, the log prefix for logging
|
||||
from the nat table's PREROUTING chain is:
|
||||
|
||||
Shorewall:nat:PREROUTING
|
||||
|
||||
IMPORTANT: There is no rate limiting on these logging rules so
|
||||
use LOGALLNEW at your own risk; it may cause high CPU and disk
|
||||
utilization and you may not be able to control your firewall after
|
||||
you enable this option.
|
||||
|
||||
DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL
|
||||
BE SENT TO ANOTHER SYSTEM.
|
||||
|
@ -135,6 +135,18 @@ LOGTAGONLY=No
|
||||
LOGRATE=
|
||||
LOGBURST=
|
||||
|
||||
#
|
||||
# LOG ALL NEW
|
||||
#
|
||||
# This option should only be used when you are trying to analyze a problem.
|
||||
# It causes all packets in the Netfilter NEW state to be logged as the
|
||||
# first rule in each builtin chain. To use this option, set LOGALLNEW to
|
||||
# the log level that you want these packets logged at (e.g.,
|
||||
# LOGALLNEW=debug).
|
||||
#
|
||||
|
||||
LOGALLNEW=
|
||||
|
||||
#
|
||||
# BLACKLIST LOG LEVEL
|
||||
#
|
||||
|
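Review bot: The shorewall.conf comment for LOGALLNEW omits the two warnings the release notes attach to this option, and the conf file is what an administrator reads when enabling it. I would add, after the `# LOGALLNEW=debug).` line: `# WARNING: these rules are inserted before everything else in every builtin chain and log every NEW packet; they can saturate CPU and disk and leave the host unmanageable. Do not enable if the log is forwarded to another system.` A one-line note that the LOGRATE/LOGBURST settings above are the only throttle applied (log_rule_limit falls back to LOGLIMIT when no rate is given) would also tell the reader how to make the option survivable.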