From 854f5fbb9fcb1c6af7df182240337da94417af71 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sun, 27 Aug 2006 20:22:03 +0000
Subject: [PATCH] Ooops -- forgot lib.accounting
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4457 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/lib.accounting | 252 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 252 insertions(+)
 create mode 100644 Shorewall/lib.accounting
diff --git a/Shorewall/lib.accounting b/Shorewall/lib.accounting
new file mode 100644
index 000000000..60a4e0520
--- /dev/null
+++ b/Shorewall/lib.accounting
@@ -0,0 +1,252 @@
+#!/bin/sh
+#
+# Shorewall 3.2 -- /usr/share/shorewall/lib.accounting
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 1999,2000,2001,2002,2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+#
+# Process a record from the accounting file
+#
+process_accounting_rule() {
+ rule=
+ rule2=
+ jumpchain=
+ user1=
+
+ accounting_error() {
+ error_message "WARNING: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user
+ }
+
+ accounting_interface_error() {
+ error_message "WARNING: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user
+ }
+
+ accounting_interface_verify() {
+ verify_interface $1 || accounting_interface_error $1
+ }
+
+ jump_to_chain() {
+ if ! havechain $jumpchain; then
+ if ! 
createchain2 $jumpchain No; then
+ accounting_error
+ return 2
+ fi
+ fi
+
+ rule="$rule -j $jumpchain"
+ }
+
+ do_ipp2p() {
+ [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support"
+ case $proto in
+ *:*)
+ proto=${proto#*:}
+ ;;
+ *)
+ proto=tcp
+ ;;
+ esac
+
+ rule="$rule -p $proto -m ipp2p --${port:-ipp2p}"
+ }
+
+ case $source in
+ *:*)
+ accounting_interface_verify ${source%:*}
+ rule="$(source_ip_range ${source#*:}) $(match_source_dev ${source%:*})"
+ ;;
+ *.*.*.*|+*|!+*)
+ rule="$(source_ip_range $source)"
+ ;;
+ -|all|any)
+ ;;
+ *)
+ if [ -n "$source" ]; then
+ accounting_interface_verify $source
+ rule="$(match_source_dev $source)"
+ fi
+ ;;
+ esac
+
+ [ -n "$dest" ] && case $dest in
+ *:*)
+ accounting_interface_verify ${dest%:*}
+ rule="$rule $(dest_ip_range ${dest#*:}) $(match_dest_dev ${dest%:*})"
+ ;;
+ *.*.*.*|+*|!*)
+ rule="$rule $(dest_ip_range $dest)"
+ ;;
+ -|all|any)
+ ;;
+ *)
+ accounting_interface_verify $dest
+ rule="$rule $(match_dest_dev $dest)"
+ ;;
+ esac
+
+ [ -n "$proto" ] && case $proto in
+ -|any|all)
+ ;;
+ ipp2p|IPP2P|ipp2p:*|IPP2P:*)
+ do_ipp2p
+ ;;
+ *)
+ rule="$rule -p $proto"
+ ;;
+ esac
+
+ multiport=
+
+ [ -n "$port" ] && case $port in
+ -|any|all)
+ ;;
+ *)
+ if [ -n "$MULTIPORT" ]; then
+ rule="$rule -m multiport --dports $port"
+ multiport=Yes
+ else
+ rule="$rule --dport $port"
+ fi
+ ;;
+ esac
+
+ [ -n "$sport" ] && case $sport in
+ -|any|all)
+ ;;
+ *)
+ if [ -n "$MULTIPORT" ]; then
+ [ -n "$multiport" ] && rule="$rule --sports $sport" || rule="$rule -m multiport --sports $sport"
+ else
+ rule="$rule --sport $sport"
+ fi
+ ;;
+ esac
+
+ [ -n "$user" ] && case $user in
+ -|any|all)
+ ;;
+ *)
+ [ "$chain" != OUTPUT ] && \
+ fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain"
+ rule="$rule -m owner"
+ user1="$user"
+
+ case "$user" in
+ !*+*)
+ if [ -n "${user#*+}" ]; then
+ rule="$rule ! 
--cmd-owner ${user#*+} "
+ fi
+ user1=${user%+*}
+ ;;
+ *+*)
+ if [ -n "${user#*+}" ]; then
+ rule="$rule --cmd-owner ${user#*+} "
+ fi
+ user1=${user%+*}
+ ;;
+ esac
+
+ case "$user1" in
+ !*:*)
+ if [ "$user1" != "!:" ]; then
+ temp="${user1#!}"
+ temp="${temp%:*}"
+ [ -n "$temp" ] && rule="$rule ! --uid-owner $temp "
+ temp="${user1#*:}"
+ [ -n "$temp" ] && rule="$rule ! --gid-owner $temp "
+ fi
+ ;;
+ *:*)
+ if [ "$user1" != ":" ]; then
+ temp="${user1%:*}"
+ [ -n "$temp" ] && rule="$rule --uid-owner $temp "
+ temp="${user1#*:}"
+ [ -n "$temp" ] && rule="$rule --gid-owner $temp "
+ fi
+ ;;
+ !*)
+ [ "$user1" != "!" ] && rule="$rule ! --uid-owner ${user1#!} "
+ ;;
+ *)
+ [ -n "$user1" ] && rule="$rule --uid-owner $user1 "
+ ;;
+ esac
+ ;;
+ esac
+
+ case $action in
+ COUNT)
+ ;;
+ DONE)
+ rule="$rule -j RETURN"
+ ;;
+ *:COUNT)
+ rule2="$rule"
+ jumpchain=${action%:*}
+ jump_to_chain || return
+ ;;
+ JUMP:*)
+ jumpchain=${action#*:}
+ jump_to_chain || return
+ ;;
+ *)
+ jumpchain=$action
+ jump_to_chain || return
+ ;;
+ esac
+
+ [ "x${chain:=accounting}" = "x-" ] && chain=accounting
+
+ ensurechain1 $chain
+
+ if do_iptables -A $chain $(fix_bang $rule) ; then
+ [ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
+ progress_message " Accounting rule \"$action $chain $source $dest $proto $port $sport $user\" $DONE"
+ save_progress_message_short " Accounting rule \\\"$action $chain $source $dest $proto $port $sport $user\\\" Added"
+ else
+ accounting_error
+ fi
+}
+
+#
+# Set up Accounting
+#
+setup_accounting() # $1 = Name of accounting file
+{
+
+ progress_message2 "$DOING Accounting..."
+
+ save_progress_message "Setting up Accounting..." 
+
+ strip_file accounting $1
+
+ while read action chain source dest proto port sport user ; do
+ expandv action chain source dest proto port sport user
+ process_accounting_rule
+ done < $TMP_DIR/accounting
+
+ if havechain accounting; then
+ for chain in INPUT FORWARD OUTPUT; do
+ run_iptables -I $chain -j accounting
+ done
+ fi
+
+}
+
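Review bot: The `!*+*)` arm of `case "$user"` in process_accounting_rule negates both halves of a `!user+program` value: it emits `! --cmd-owner ${user#*+}` and then keeps the leading `!` in `user1` (`${user%+*}` only strips the `+program` suffix), so the following `!*:*` / `!*` arms also negate the uid/gid match, and there is no way to negate only one part. If that is the intended syntax, a comment above the arm would spare the next reader the trace, e.g. `# A leading '!' negates both the program (--cmd-owner) and the user/group match`; if not, the arm should drop it from the user half (`user1=${user%+*}; user1=${user1#!}`). Two smaller points in the same file: `while read action chain ...` in setup_accounting has no `-r`, so a backslash in any accounting field is consumed as an escape before the rule is built (unless strip_file, which I cannot see, already rewrites them); and, as far as I know, `--cmd-owner` compares against a process-supplied command name, so program-based accounting should not be documented as a trust boundary.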