Added CHAIN declarations
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@698 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
24ed025834
commit
ab073a41a4
@ -7,10 +7,33 @@
|
||||
# that you define in this file. You may display these rules and their
|
||||
# packet and byte counters using the "shorewall show accounting" command.
|
||||
#
|
||||
# In all columns of this file, the values "-", "any" and "all" may be used
|
||||
# as wildcards
|
||||
# Please see http://shorewall.net/Accounting.html for examples and
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
# Columns are:
|
||||
# This file has two sections -- the first section is used to create a
|
||||
# hierarchy of accounting chains. The second section creates rules to
|
||||
# count traffic through your firewall.
|
||||
#
|
||||
# In the first section of this file, entries have the following columns:
|
||||
#
|
||||
# ACTION - Must contain CHAIN
|
||||
#
|
||||
# CHAIN - The name of a chain to create. Shorewall will create
|
||||
# this chain. If the chain already exists, a warning
|
||||
# message is issued and the entry is ignored.
|
||||
#
|
||||
# NEXT CHAIN - Optional - The name of a previously-created chain
|
||||
#
|
||||
# If the NEXT CHAIN column is empty then Shorewall will add a single
|
||||
# RETURN rule to the chain named in the CHAIN column. If the NEXT
|
||||
# CHAIN column is not empty then Shorewall will add a jump from the
|
||||
# newly-created chain to the chain named in the NEXT CHAIN column.
|
||||
#
|
||||
#ACTION CHAIN NEXT CHAIN
|
||||
|
||||
# ADD YOUR CHAIN DECLARATIONS ABOVE THIS LINE
|
||||
#
|
||||
# Columns in the second section of this file are are:
|
||||
#
|
||||
# ACTION - What to do when a match is found.
|
||||
#
|
||||
@ -19,7 +42,9 @@
|
||||
# DONE - Count the match and don't attempt
|
||||
# to match any other accounting rules.
|
||||
# <chain> - The name of a chain. Shoreall will
|
||||
# create the chain automatically.
|
||||
# create the chain automatically if
|
||||
# it was not created by an earlier
|
||||
# CHAIN declaration above.
|
||||
#
|
||||
# SOURCE - Packet Source
|
||||
#
|
||||
@ -46,4 +71,10 @@
|
||||
# only be specified if the protocol is TCP or UDP (6
|
||||
# or 17).
|
||||
#
|
||||
# In all of the above columns except ACTION, the values "-", "any" and
|
||||
# "all" may be used as wildcards
|
||||
#
|
||||
# Please see http://shorewall.net/Accounting.html for examples and
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
#ACTION SOURCE DESTINATION PROTOCOL DEST PORT SOURCE PORT
|
||||
|
@ -29,3 +29,7 @@ Changes since 1.4.6
|
||||
|
||||
14) Fixed bug where an interface name alone appears in the DESTINATION
|
||||
column of the accounting file.
|
||||
|
||||
15) Add ACTION column to accounting file.
|
||||
|
||||
16) Add CHAIN declarations to accounting file.
|
||||
|
@ -1758,6 +1758,43 @@ delete_tc()
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Add an accounting chain
|
||||
#
|
||||
add_accounting_chain() {
|
||||
chain_error() {
|
||||
error_message "Warning: Invalid CHAIN declaration" $source $dest $protocol $port $sport
|
||||
}
|
||||
|
||||
if [ -n "${protocol}${port}${sport}" ] ; then
|
||||
chain_error
|
||||
return
|
||||
fi
|
||||
|
||||
if [ -z "$source" ] ; then
|
||||
chain_error
|
||||
return
|
||||
fi
|
||||
|
||||
if chain_exists $source; then
|
||||
error_message "Warning: Chain $source already exists - CHAIN declaration $source $dest Ignored"
|
||||
return
|
||||
fi
|
||||
|
||||
if createchain2 $source No; then
|
||||
if [ -z "$dest" ]; then
|
||||
run_iptables -A $source -j RETURN
|
||||
echo " Accounting chain $source" created
|
||||
elif iptables -A $source -j $dest ; then
|
||||
echo " Accounting chain $source with next chain $dest created"
|
||||
else
|
||||
chain_error
|
||||
fi
|
||||
else
|
||||
chain_error
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Process a record from the accounting file
|
||||
#
|
||||
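Review bot: The guard `if [ -n "${protocol}${port}${sport}" ]` and the message in chain_error read `$protocol`, but the read loop in setup_accounting fills `proto` (`read action source dest proto port sport`), so a CHAIN line carrying a protocol column is not rejected and the warning prints an empty field — unless `$protocol` is set elsewhere, which this page does not show; both should read `$proto`. The `elif iptables -A $source -j $dest ; then` branch also calls `iptables` directly while the RETURN branch goes through `run_iptables`, and it runs after the chain has already been created, so an unknown NEXT CHAIN leaves an empty `$source` chain behind with only a warning. Checking `[ -n "$dest" ] && ! chain_exists $dest && { chain_error; return; }` before the `createchain2` call, and using `run_iptables` in the elif, keeps a rejected declaration from leaving a half-built chain. Note that `chain_error` is defined inside add_accounting_chain, but shell function definitions are not scoped, so it becomes a global function once this function has run. Finally, `echo " Accounting chain $source" created` works only because the stray word lands as a second argument; `echo "   Accounting chain $source created"` matches the wording of the next-chain branch.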
@ -1793,11 +1830,16 @@ process_accounting_rule() {
|
||||
-|all|any)
|
||||
;;
|
||||
*)
|
||||
if [ -n "$source" ]; then
|
||||
rule="-i $source"
|
||||
else
|
||||
accounting_error
|
||||
return
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
[ "x$dest" != x ] && case $dest in
|
||||
[ -n "$dest" ] && case $dest in
|
||||
*:*)
|
||||
rule="$rule -d ${dest#*:} -o ${dest%:*}"
|
||||
;;
|
||||
@ -1811,7 +1853,7 @@ process_accounting_rule() {
|
||||
;;
|
||||
esac
|
||||
|
||||
[ "x$proto" != x ] && case $proto in
|
||||
[ -n "$proto" ] && case $proto in
|
||||
-|any|all)
|
||||
;;
|
||||
*)
|
||||
@ -1819,7 +1861,7 @@ process_accounting_rule() {
|
||||
;;
|
||||
esac
|
||||
|
||||
[ "x$port" != x ] && case $port in
|
||||
[ -n "$port" ] && case $port in
|
||||
-|any|all)
|
||||
;;
|
||||
*)
|
||||
@ -1827,7 +1869,7 @@ process_accounting_rule() {
|
||||
;;
|
||||
esac
|
||||
|
||||
[ "x$sport" != x ] && case $sport in
|
||||
[ -n "$sport" ] && case $sport in
|
||||
-|any|all)
|
||||
;;
|
||||
*)
|
||||
@ -1873,7 +1915,14 @@ setup_accounting() # $1 = Name of accounting file
|
||||
strip_file accounting $1
|
||||
|
||||
while read action source dest proto port sport ; do
|
||||
[ "x$source" != x ] && process_accounting_rule
|
||||
case $action in
|
||||
CHAIN)
|
||||
add_accounting_chain
|
||||
;;
|
||||
*)
|
||||
process_accounting_rule
|
||||
;;
|
||||
esac
|
||||
done < $TMP_DIR/accounting
|
||||
|
||||
if chain_exists accounting; then
|
||||
|
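Review bot: Dropping `[ "x$source" != x ] && process_accounting_rule` means a record with an empty SOURCE column now reaches process_accounting_rule through the `*)` branch; the earlier hunk shows an `[ -n "$source" ]` check only inside one case branch, so whether every path copes with an empty `$source` cannot be confirmed from this page. Any ACTION value other than the literal `CHAIN` is handed to process_accounting_rule, which according to the accounting file header in this commit creates a chain of that name, so a misspelled `Chain` would quietly create a chain called Chain rather than a declaration. A comment above the case such as `# CHAIN declarations must precede the rules that jump to them (see accounting file header)` would record the ordering the file format now relies on. setup_accounting continues past the end of the hunk.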
@ -131,9 +131,10 @@ New Features:
|
||||
will use all listed addresses/ranges in round-robin fashion.
|
||||
|
||||
7) An /etc/shorewall/accounting file has been added to allow for
|
||||
traffic accounting.
|
||||
traffic accounting. The file has two sections which will be
|
||||
described in reverse order.
|
||||
|
||||
The file has the following columns:
|
||||
The second seciton of the file has the following columns:
|
||||
|
||||
ACTION - What to do when a match is found.
|
||||
|
||||
@ -194,3 +195,7 @@ New Features:
|
||||
named chain and the second is a RETURN rule which causes the
|
||||
accounting chain to be exited.
|
||||
|
||||
The first section of the file allows aggregation of counters in
|
||||
chains in other chains. It does this by allowing you to create an
|
||||
accounting chain hierarchy. This facility is described with an
|
||||
example at http://shorewall.net/Accounting.html.
|
||||
|