diff --git a/Shorewall/accounting b/Shorewall/accounting
index 00b2e5d05..99b8f2de8 100755
--- a/Shorewall/accounting
+++ b/Shorewall/accounting
@@ -7,10 +7,33 @@
 # that you define in this file. You may display these rules and their
 # packet and byte counters using the "shorewall show accounting" command.
 #
-# In all columns of this file, the values "-", "any" and "all" may be used
-# as wildcards
+# Please see http://shorewall.net/Accounting.html for examples and
+# additional information about how to use this file.
 #
-# Columns are:
+# This file has two sections -- the first section is used to create a
+# hierarchy of accounting chains. The second section creates rules to
+# count traffic through your firewall.
+#
+# In the first section of this file, entries have the following columns:
+#
+# ACTION - Must contain CHAIN
+#
+# CHAIN - The name of a chain to create. Shorewall will create
+# this chain. If the chain already exists, a warning
+# message is issued and the entry is ignored.
+#
+# NEXT CHAIN - Optional - The name of a previously-created chain
+#
+# If the NEXT CHAIN column is empty then Shorewall will add a single
+# RETURN rule to the chain named in the CHAIN column. If the NEXT
+# CHAIN column is not empty then Shorewall will add a jump from the
+# newly-created chain to the chain named in the NEXT CHAIN column.
+#
+#ACTION CHAIN NEXT CHAIN
+
+# ADD YOUR CHAIN DECLARATIONS ABOVE THIS LINE
+#
+# Columns in the second section of this file are are:
 #
 # ACTION - What to do when a match is found.
 #
@@ -19,7 +42,9 @@
 # DONE - Count the match and don't attempt
 # to match any other accounting rules.
 # - The name of a chain. Shoreall will
-# create the chain automatically.
+# create the chain automatically if
+# it was not created by an earlier
+# CHAIN declaration above.
 #
 # SOURCE - Packet Source
 #
@@ -46,4 +71,10 @@
 # only be specified if the protocol is TCP or UDP (6
 # or 17).
 #
+# In all of the above columns except ACTION, the values "-", "any" and
+# "all" may be used as wildcards
+#
+# Please see http://shorewall.net/Accounting.html for examples and
+# additional information about how to use this file.
+#
 #ACTION SOURCE DESTINATION PROTOCOL DEST PORT SOURCE PORT
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index c7375b4a0..fbd72477e 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -29,3 +29,7 @@ Changes since 1.4.6
 
 14) Fixed bug where an interface name alone appears in the DESTINATION
 column of the accounting file.
+
+15) Add ACTION column to accounting file.
+
+16) Add CHAIN declarations to accounting file.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index cd391ae69..e2c71445c 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1758,6 +1758,43 @@ delete_tc()
 done
 }
 
+#
+# Add an accounting chain
+#
+add_accounting_chain() {
+ chain_error() {
+ error_message "Warning: Invalid CHAIN declaration" $source $dest $protocol $port $sport
+ }
+
+ if [ -n "${protocol}${port}${sport}" ] ; then
+ chain_error
+ return
+ fi
+
+ if [ -z "$source" ] ; then
+ chain_error
+ return
+ fi
+
+ if chain_exists $source; then
+ error_message "Warning: Chain $source already exists - CHAIN declaration $source $dest Ignored"
+ return
+ fi
+
+ if createchain2 $source No; then
+ if [ -z "$dest" ]; then
+ run_iptables -A $source -j RETURN
+ echo " Accounting chain $source" created
+ elif iptables -A $source -j $dest ; then
+ echo " Accounting chain $source with next chain $dest created"
+ else
+ chain_error
+ fi
+ else
+ chain_error
+ fi
+}
+
 #
 # Process a record from the accounting file
 #
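Review bot: The guard in add_accounting_chain tests `${protocol}`, but setup_accounting reads that column into `proto` (`while read action source dest proto port sport`, visible in a later hunk), so a CHAIN declaration carrying a PROTOCOL value is not rejected and chain_error prints an empty field; change both uses to `if [ -n "${proto}${port}${sport}" ] ; then` and `error_message "Warning: Invalid CHAIN declaration" $source $dest $proto $port $sport`. The NEXT CHAIN branch also calls bare `iptables -A $source -j $dest` while the RETURN branch uses `run_iptables`; using `run_iptables` there too keeps error handling uniform (its definition is outside this diff, so confirm it propagates the iptables exit status). When that jump fails the chain just created by createchain2 appears to be left in place with no rules, so a corrected re-run would hit the "already exists" warning; either delete it on that error path or check `chain_exists $dest` before creating `$source`.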
@@ -1793,11 +1830,16 @@ process_accounting_rule() {
 -|all|any)
 ;;
 *)
- rule="-i $source"
+ if [ -n "$source" ]; then
+ rule="-i $source"
+ else
+ accounting_error
+ return
+ fi
 ;;
 esac
 
- [ "x$dest" != x ] && case $dest in
+ [ -n "$dest" ] && case $dest in
 *:*)
 rule="$rule -d ${dest#*:} -o ${dest%:*}"
 ;;
@@ -1811,7 +1853,7 @@ process_accounting_rule() {
 ;;
 esac
 
- [ "x$proto" != x ] && case $proto in
+ [ -n "$proto" ] && case $proto in
 -|any|all)
 ;;
 *)
@@ -1819,7 +1861,7 @@ process_accounting_rule() {
 ;;
 esac
 
- [ "x$port" != x ] && case $port in
+ [ -n "$port" ] && case $port in
 -|any|all)
 ;;
 *)
@@ -1827,7 +1869,7 @@ process_accounting_rule() {
 ;;
 esac
 
- [ "x$sport" != x ] && case $sport in
+ [ -n "$sport" ] && case $sport in
 -|any|all)
 ;;
 *)
@@ -1873,7 +1915,14 @@ setup_accounting() # $1 = Name of accounting file
 strip_file accounting $1
 
 while read action source dest proto port sport ; do
- [ "x$source" != x ] && process_accounting_rule
+ case $action in
+ CHAIN)
+ add_accounting_chain
+ ;;
+ *)
+ process_accounting_rule
+ ;;
+ esac
 done < $TMP_DIR/accounting
 
 if chain_exists accounting; then
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index f0d10444a..743ee18be 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -131,9 +131,10 @@ New Features:
 will use all listed addresses/ranges in round-robin fashion.
 
 7) An /etc/shorewall/accounting file has been added to allow for
- traffic accounting.
+ traffic accounting. The file has two sections which will be
+ described in reverse order.
 
- The file has the following columns:
+ The second seciton of the file has the following columns:
 
 ACTION - What to do when a match is found.
 
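Review bot: The dispatch in setup_accounting accepts a CHAIN declaration anywhere in the file, so nothing enforces the "declarations first" layout the accounting file documents: a rule whose ACTION names a chain before its CHAIN line auto-creates that chain, and when the CHAIN line is reached add_accounting_chain hits `chain_exists`, logs "already exists" and drops it, so its NEXT CHAIN jump is never installed and the counter hierarchy silently degrades to a warning. A flag set once any rule has been processed makes the misordering visible at the line that causes it; whether it should be fatal rather than a warning depends on the project's error helpers, which are outside this hunk. `CHAIN)` is also matched case-sensitively, so a lowercase `chain` falls through to process_accounting_rule, whose handling of the ACTION column starts outside this diff; worth confirming it does not quietly create an accounting chain named "chain". setup_accounting continues past the end of this hunk.
```shell
    strip_file accounting $1
    rules_seen=

    while read action source dest proto port sport ; do
	case $action in
	    CHAIN)
		[ -n "$rules_seen" ] && \
		    error_message "Warning: CHAIN declaration $source $dest follows accounting rules - declare chains before rules"
		add_accounting_chain
		;;
	    *)
		rules_seen=Yes
		process_accounting_rule
		;;
	esac
    done < $TMP_DIR/accounting
```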
@@ -194,3 +195,7 @@ New Features:
 named chain and the second is a RETURN rule which causes the
 accounting chain to be exited.
 
+ The first section of the file allows aggregation of counters in
+ chains in other chains. It does this by allowing you to create an
+ accounting chain hierarchy. This facility is described with an
+ example at http://shorewall.net/Accounting.html.