Complete accounting support

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@694 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-08-10 16:01:21 +00:00 · 2003-08-10 16:01:21 +00:00 · ac8585b68a
commit ac8585b68a
parent 1144d736bf
3 changed files with 130 additions and 8 deletions
--- a/Shorewall/accounting
+++ b/Shorewall/accounting
@ -12,6 +12,15 @@
 #
 # Columns are:
 #
+#	ACTION	      - What to do when a match is found.
+#
+#				COUNT	- Simply count the match and continue
+#					  with the next rule
+#				DONE	- Count the match and don't attempt
+#					  to match any other accounting rules.
+#				<chain> - The name of a chain. Shoreall will 
+#					  create the chain automatically.
+#
 #	SOURCE	      - Packet Source
 #
 #			The name of an interface, an address (host or net) or
@ -37,4 +46,4 @@
 #			only be specified if the protocol is TCP or UDP (6
 #			or 17).
 #
-#SOURCE		DESTINATION	PROTOCOL	DEST PORT   SOURCE PORT
+#ACTION	SOURCE		DESTINATION	PROTOCOL	DEST PORT   SOURCE PORT
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -241,6 +241,20 @@ createchain() # $1 = chain name, $2 = If "yes", create default rules
    eval ${1}_exists=Yes
 }

+createchain2() # $1 = chain name, $2 = If "yes", create default rules
+{
+    if iptables -N $1; then
+
+	if [ $2 = yes ]; then
+	    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+	    [ -z "$NEWNOTSYN" ] && \
+		run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
+	fi
+	
+	eval ${1}_exists=Yes
+    fi
+}
+
 #
 # Determine if a chain exists
 #
@ -1749,6 +1763,24 @@ delete_tc()
 #
 process_accounting_rule() {
    rule=
+    chain=
+	
+    accounting_error() {
+	error_message "Warning: Invalid Accounting rule" $action $source $dest $proto $port $sport
+    }
+
+    jump_to_chain() {
+	if ! chain_exists $chain; then
+	    if createchain2 $chain No; then
+		run_iptables -A $chain -j RETURN
+	    else
+		accounting_error
+		return 2
+	    fi
+	fi
+	
+	rule="$rule -j $chain"
+    }

    case $source in
 	*:*)
@ -1802,10 +1834,32 @@ process_accounting_rule() {
 	    ;;
    esac

+    case $action in
+	COUNT)
+	    ;;
+	DONE)
+	    rule="$rule -j RETURN"
+	    ;;
+	*:DONE)
+	    chain=${action%:*}
+	    rule2="$rule -j RETURN"
+	    jump_to_chain || return
+	    ;;
+	*)
+	    chain=$action
+	    jump_to_chain || return
+	    ;;
+    esac
+		
    if iptables -A accounting $rule ; then
-	echo "   Accounting rule" $source $dest $proto $port $sport Added
+	if [ "x$rule2" != x ]; then
+	    if ! iptables -A accounting $rule2 ; then
+		return;
+	    fi
+	echo "   Accounting rule" $action $source $dest $proto $port $sport Added
+	fi
    else
-	error_message "Warning: Invalid Accounting rule" $source $dest $proto $port $sport
+	accounting_error
    fi
 }

@ -1825,7 +1879,7 @@ setup_accounting() # $1 = Name of accounting file
 	run_iptables -A $chain -j accounting
    done

-    while read source dest proto port sport ; do
+    while read action source dest proto port sport ; do
 	[ "x$source" != x ] && process_accounting_rule
    done < $TMP_DIR/accounting
 }
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -131,7 +131,66 @@ New Features:
   will use all listed addresses/ranges in round-robin fashion.

 7) An /etc/shorewall/accounting file has been added to allow for 
-   traffic accounting. This is a very crude and high-overhead 
-   facility but it is enough to allow you to isolate the cause of
-   unexpected increases in traffic volume. You may find documentation
-   of the file's format in the file itself and in the documentation.
+   traffic accounting.
+
+   The file has the following columns:
+
+	ACTION	      - What to do when a match is found.
+
+				COUNT	- Simply count the match and 
+					  continue trying to match the
+					  packet with the following
+					  accounting rules
+				DONE	- Count the match and don't
+					  attempt to match any
+					  following accounting rules.
+				<chain> - The name of a chain. Shorewall
+					  will create the chain
+					  automatically. If the name of
+					  the chain is followed by
+					  ":DONE" then after control
+					  returns from the named chain,
+					  the packet will not be
+					  matched against any of the
+					  following accounting rules.
+
+	SOURCE	      - Packet Source
+
+			The name of an interface, an address (host or
+			net) or an interface name followed by ":"
+			and a host or net address. 
+
+	DESTINATION   - Packet Destination
+
+			Format the same as the SOURCE column.
+
+	PROTOCOL	A protocol name (from /etc/protocols), a
+			protocol number.
+
+	DEST PORT	Destination Port number
+
+			Service name from /etc/services or port
+			number. May only be specified if the protocol
+			is TCP or UDP (6 or 17). 
+
+	SOURCE PORT	Source Port number
+
+			Service name from /etc/services or port
+			number. May only be specified if the protocol
+			is TCP or UDP (6 or 17).
+
+   In all columns except the first, the values "-","any" and "all" are
+   treated as wild-cards.
+
+   The accounting rules are evaluated in the Netfilter 'filter'
+   table. This is the same environment where the 'rules' file rules are
+   evaluated and in this environment, DNAT has already occurred in
+   inbound packets and SNAT has not yet occurred on outbound ones.
+
+   The accounting rules are placed in a chain called "accounting" and
+   can thus be displayed using "shorewall show accounting". It should
+   be noted that where the ACTION is <chain>:DONE then the entry
+   generates two rules in "accounting"; the first is a jump to the
+   named chain and the second is a RETURN rule which causes the
+   accounting chain to be exited.
+