forked from extern/shorewall_code
Add ULOG Support
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@362 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
faa859e84a
commit
b9891e08e2
@ -1032,8 +1032,8 @@ validate_policy()
|
|||||||
|
|
||||||
if [ -n "${clientwild}" ]; then
|
if [ -n "${clientwild}" ]; then
|
||||||
if [ -n "${serverwild}" ]; then
|
if [ -n "${serverwild}" ]; then
|
||||||
for zone in $zones $FW; do
|
for zone in $zones $FW all; do
|
||||||
for zone1 in $zones $FW; do
|
for zone1 in $zones $FW all; do
|
||||||
eval pc=\$${zone}2${zone1}_policychain
|
eval pc=\$${zone}2${zone1}_policychain
|
||||||
|
|
||||||
[ -n "$pc" ] || \
|
[ -n "$pc" ] || \
|
||||||
@ -1041,7 +1041,7 @@ validate_policy()
|
|||||||
done
|
done
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
for zone in $zones $FW; do
|
for zone in $zones $FW all; do
|
||||||
eval pc=\$${zone}2${server}_policychain
|
eval pc=\$${zone}2${server}_policychain
|
||||||
|
|
||||||
[ -n "$pc" ] || \
|
[ -n "$pc" ] || \
|
||||||
@ -1049,7 +1049,7 @@ validate_policy()
|
|||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
elif [ -n "$serverwild" ]; then
|
elif [ -n "$serverwild" ]; then
|
||||||
for zone in $zones $FW; do
|
for zone in $zones $FW all; do
|
||||||
eval pc=\$${client}2${zone}_policychain
|
eval pc=\$${client}2${zone}_policychain
|
||||||
|
|
||||||
[ -n "$pc" ] || \
|
[ -n "$pc" ] || \
|
||||||
@ -1541,7 +1541,11 @@ setup_mac_lists() {
|
|||||||
# Setup Logging variables
|
# Setup Logging variables
|
||||||
#
|
#
|
||||||
if [ -n "$MACLIST_LOG_LEVEL" ]; then
|
if [ -n "$MACLIST_LOG_LEVEL" ]; then
|
||||||
logpart="-j LOG $LOGPARMS --log-level $MACLIST_LOG_LEVEL --log-prefix"
|
if [ "$MACLIST_LOG_LEVEL" = ULOG ]; then
|
||||||
|
logpart="-j ULOG $LOGPARMS --ulog-prefix"
|
||||||
|
else
|
||||||
|
logpart="-j LOG $LOGPARMS --log-level $MACLIST_LOG_LEVEL --log-prefix"
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
logpart=
|
logpart=
|
||||||
fi
|
fi
|
||||||
@ -2130,10 +2134,19 @@ add_a_rule()
|
|||||||
|
|
||||||
serv="${serv:+-d $serv}"
|
serv="${serv:+-d $serv}"
|
||||||
|
|
||||||
[ -n "$loglevel" ] && run_iptables -A $chain $proto $multiport \
|
if [ -n "$loglevel" ]; then
|
||||||
$state $cli $sports $serv $dports -j LOG $LOGPARMS \
|
if [ "$loglevel" = ULOG ]; then
|
||||||
--log-prefix "Shorewall:$chain:$logtarget:" \
|
run_iptables -A $chain $proto $multiport \
|
||||||
--log-level $loglevel
|
$state $cli $sports $serv $dports -j ULOG $LOGPARMS \
|
||||||
|
--ulog-prefix "Shorewall:$chain:$logtarget:" \
|
||||||
|
else
|
||||||
|
run_iptables -A $chain $proto $multiport \
|
||||||
|
$state $cli $sports $serv $dports -j LOG $LOGPARMS \
|
||||||
|
--log-prefix "Shorewall:$chain:$logtarget:" \
|
||||||
|
--log-level $loglevel
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
run_iptables -A $chain $proto $multiport $state $cli $sports \
|
run_iptables -A $chain $proto $multiport $state $cli $sports \
|
||||||
$serv $dports -j $target
|
$serv $dports -j $target
|
||||||
else
|
else
|
||||||
@ -2144,11 +2157,19 @@ add_a_rule()
|
|||||||
"Error: An ORIGINAL DESTINATION ($addr) is only allowed in" \
|
"Error: An ORIGINAL DESTINATION ($addr) is only allowed in" \
|
||||||
" a DNAT or REDIRECT: \"$rule\""
|
" a DNAT or REDIRECT: \"$rule\""
|
||||||
|
|
||||||
[ -n "$loglevel" ] && run_iptables -A $chain $proto $multiport \
|
if [ -n "$loglevel" ]; then
|
||||||
$dest_interface $state $cli $sports $dports -j LOG \
|
if [ "$loglevel" = ULOG ]; then
|
||||||
$LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \
|
run_iptables -A $chain $proto $multiport \
|
||||||
--log-level $loglevel
|
$dest_interface $state $cli $sports $dports -j ULOG \
|
||||||
|
$LOGPARMS --ulog-prefix "Shorewall:$chain:$logtarget:"
|
||||||
|
else
|
||||||
|
run_iptables -A $chain $proto $multiport \
|
||||||
|
$dest_interface $state $cli $sports $dports -j LOG \
|
||||||
|
$LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \
|
||||||
|
--log-level $loglevel
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
run_iptables -A $chain $proto $multiport $dest_interface $state \
|
run_iptables -A $chain $proto $multiport $dest_interface $state \
|
||||||
$cli $sports $dports -j $target
|
$cli $sports $dports -j $target
|
||||||
fi
|
fi
|
||||||
@ -2619,8 +2640,16 @@ policy_rules() # $1 = chain to add rules to
|
|||||||
|
|
||||||
esac
|
esac
|
||||||
|
|
||||||
[ $# -eq 3 ] && [ "x${3}" != "x-" ] && run_iptables -A $1 -j LOG $LOGPARMS \
|
if [ $# -eq 3 -a "x${3}" != "x-" ]; then
|
||||||
--log-prefix "Shorewall:${1}:${2}:" --log-level $3
|
if [ "$3" = ULOG ]; then
|
||||||
|
run_iptables -A $1 -j ULOG $LOGPARMS \
|
||||||
|
--ulog-prefix "Shorewall:${1}:${2}:"
|
||||||
|
else
|
||||||
|
run_iptables -A $1 -j LOG $LOGPARMS \
|
||||||
|
--log-prefix "Shorewall:${1}:${2}:" --log-level $3
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
[ -n "$target" ] && run_iptables -A $1 -j $target
|
[ -n "$target" ] && run_iptables -A $1 -j $target
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2899,11 +2928,17 @@ setup_intrazone() # $1 = zone
|
|||||||
# $dport = destination port selector
|
# $dport = destination port selector
|
||||||
#
|
#
|
||||||
add_blacklist_rule() {
|
add_blacklist_rule() {
|
||||||
[ -n "$BLACKLIST_LOGLEVEL" ] && \
|
if [ -n "$BLACKLIST_LOGLEVEL" ]; then
|
||||||
run_iptables -A blacklst $source $proto $dport -j \
|
run_iptables -A blacklst $source $proto $dport -j \
|
||||||
LOG $LOGPARMS --log-prefix \
|
ULOG $LOGPARMS --ulog-prefix \
|
||||||
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
|
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:"
|
||||||
--log-level $BLACKLIST_LOGLEVEL
|
else
|
||||||
|
run_iptables -A blacklst $source $proto $dport -j \
|
||||||
|
LOG $LOGPARMS --log-prefix \
|
||||||
|
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
|
||||||
|
--log-level $BLACKLIST_LOGLEVEL
|
||||||
|
fi
|
||||||
|
|
||||||
run_iptables -A blacklst $source $proto $dport -j $disposition
|
run_iptables -A blacklst $source $proto $dport -j $disposition
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3197,9 +3232,16 @@ initialize_netfilter () {
|
|||||||
if [ -z "$NEWNOTSYN" ]; then
|
if [ -z "$NEWNOTSYN" ]; then
|
||||||
createchain newnotsyn no
|
createchain newnotsyn no
|
||||||
run_user_exit newnotsyn
|
run_user_exit newnotsyn
|
||||||
[ -n "$LOGNEWNOTSYN" ] && \
|
if [ -n "$LOGNEWNOTSYN" ]; then
|
||||||
run_iptables -A newnotsyn -j LOG \
|
if [ "$LOGNEWNOTSYN" = ULOG ]; then
|
||||||
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
|
run_iptables -A newnotsyn -j ULOG \
|
||||||
|
--ulog-prefix "Shorewall:newnotsyn:DROP:"
|
||||||
|
else
|
||||||
|
run_iptables -A newnotsyn -j LOG \
|
||||||
|
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
run_iptables -A newnotsyn -j DROP
|
run_iptables -A newnotsyn -j DROP
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3274,7 +3316,11 @@ build_common_chain() {
|
|||||||
add_common_rules() {
|
add_common_rules() {
|
||||||
logdisp() # $1 = Chain Name
|
logdisp() # $1 = Chain Name
|
||||||
{
|
{
|
||||||
echo "LOG --log-prefix "Shorewall:${1}:DROP:" --log-level info"
|
if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then
|
||||||
|
echo "ULOG --ulog-prefix Shorewall:${1}:DROP:"
|
||||||
|
else
|
||||||
|
echo "LOG --log-prefix Shorewall:${1}:DROP: --log-level info"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
# Reject Rules
|
# Reject Rules
|
||||||
@ -3290,10 +3336,17 @@ add_common_rules() {
|
|||||||
createchain badpkt no
|
createchain badpkt no
|
||||||
|
|
||||||
if [ -n "$LOGUNCLEAN" ]; then
|
if [ -n "$LOGUNCLEAN" ]; then
|
||||||
logoptions="$LOGPARAMS --log-prefix Shorewall:badpkt:DROP:"
|
if [ "$LOGUNCLEAN" = ULOG ]; then
|
||||||
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
|
logoptions="$LOGPARAMS --ulog-prefix Shorewall:badpkt:DROP:"
|
||||||
run_iptables -A badpkt -p tcp -j LOG $logoptions --log-tcp-options
|
logoptions="$logoptions --log-ip-options"
|
||||||
run_iptables -A badpkt -p ! tcp -j LOG $logoptions
|
run_iptables -A badpkt -p tcp -j ULOG $logoptions --log-tcp-options
|
||||||
|
run_iptables -A badpkt -p ! tcp -j ULOG $logoptions
|
||||||
|
else
|
||||||
|
logoptions="$LOGPARAMS --log-prefix Shorewall:badpkt:DROP:"
|
||||||
|
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
|
||||||
|
run_iptables -A badpkt -p tcp -j LOG $logoptions --log-tcp-options
|
||||||
|
run_iptables -A badpkt -p ! tcp -j LOG $logoptions
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_iptables -A badpkt -j DROP
|
run_iptables -A badpkt -j DROP
|
||||||
@ -3315,10 +3368,17 @@ add_common_rules() {
|
|||||||
createchain logpkt no
|
createchain logpkt no
|
||||||
|
|
||||||
[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
|
[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
|
||||||
logoptions="$LOGPARAMS --log-prefix Shorewall:logpkt:LOG:"
|
if [ "$LOGUNCLEAN" = ULOG ]; then
|
||||||
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
|
logoptions="$LOGPARAMS --ulog-prefix Shorewall:logpkt:LOG:"
|
||||||
run_iptables -A logpkt -p tcp -j LOG $logoptions --log-tcp-options
|
logoptions="$logoptions --log-ip-options"
|
||||||
run_iptables -A logpkt -p ! tcp -j LOG $logoptions
|
run_iptables -A logpkt -p tcp -j ULOG $logoptions --log-tcp-options
|
||||||
|
run_iptables -A logpkt -p ! tcp -j ULOG $logoptions
|
||||||
|
else
|
||||||
|
logoptions="$LOGPARAMS --log-prefix Shorewall:logpkt:LOG:"
|
||||||
|
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
|
||||||
|
run_iptables -A logpkt -p tcp -j LOG $logoptions --log-tcp-options
|
||||||
|
run_iptables -A logpkt -p ! tcp -j LOG $logoptions
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Mangled/Invalid Packet Logging enabled on:"
|
echo "Mangled/Invalid Packet Logging enabled on:"
|
||||||
|
|
||||||
@ -3412,11 +3472,16 @@ add_common_rules() {
|
|||||||
if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then
|
if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then
|
||||||
createchain logflags no
|
createchain logflags no
|
||||||
|
|
||||||
run_iptables -A logflags -j LOG $LOGPARMS \
|
if [ "$TCP_FLAGS_LOG_LEVEL" = ULOG ]; then
|
||||||
--log-level $TCP_FLAGS_LOG_LEVEL \
|
run_iptables -A logflags -j ULOG $LOGPARMS \
|
||||||
--log-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \
|
--ulog-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \
|
||||||
--log-tcp-options --log-ip-options
|
--log-tcp-options --log-ip-options
|
||||||
|
else
|
||||||
|
run_iptables -A logflags -j LOG $LOGPARMS \
|
||||||
|
--log-level $TCP_FLAGS_LOG_LEVEL \
|
||||||
|
--log-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \
|
||||||
|
--log-tcp-options --log-ip-options
|
||||||
|
fi
|
||||||
case $TCP_FLAGS_DISPOSITION in
|
case $TCP_FLAGS_DISPOSITION in
|
||||||
REJECT)
|
REJECT)
|
||||||
run_iptables -A logflags -j REJECT --reject-with tcp-reset
|
run_iptables -A logflags -j REJECT --reject-with tcp-reset
|
||||||
@ -4327,6 +4392,7 @@ do_initialize() {
|
|||||||
MACLIST_LOG_LEVEL=
|
MACLIST_LOG_LEVEL=
|
||||||
TCP_FLAGS_DISPOSITION=
|
TCP_FLAGS_DISPOSITION=
|
||||||
TCP_FLAGS_LOG_LEVEL=
|
TCP_FLAGS_LOG_LEVEL=
|
||||||
|
RFC1918_LOG_LEVEL=
|
||||||
stopping=
|
stopping=
|
||||||
have_mutex=
|
have_mutex=
|
||||||
masq_seq=1
|
masq_seq=1
|
||||||
@ -4436,6 +4502,8 @@ do_initialize() {
|
|||||||
TCP_FLAGS_DISPOSITION=DROP
|
TCP_FLAGS_DISPOSITION=DROP
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|||||||
@ -424,4 +424,14 @@ TCP_FLAGS_DISPOSITION=DROP
|
|||||||
|
|
||||||
TCP_FLAGS_LOG_LEVEL=info
|
TCP_FLAGS_LOG_LEVEL=info
|
||||||
|
|
||||||
|
#
|
||||||
|
# RFC1918 Log Level
|
||||||
|
#
|
||||||
|
# Specifies the logging level for packets that fail RFC 1918
|
||||||
|
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
|
||||||
|
# RFC1918_LOG_LEVEL=info is assumed.
|
||||||
|
#
|
||||||
|
|
||||||
|
RFC1918_LOG_LEVEL=info
|
||||||
|
|
||||||
#LAST LINE -- DO NOT REMOVE
|
#LAST LINE -- DO NOT REMOVE
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user