Add ULOG Support

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@362 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-12-13 03:23:46 +00:00
parent faa859e84a
commit b9891e08e2
2 changed files with 115 additions and 37 deletions


@ -1032,8 +1032,8 @@ validate_policy()
if [ -n "${clientwild}" ]; then
if [ -n "${serverwild}" ]; then
for zone in $zones $FW; do
for zone1 in $zones $FW; do
for zone in $zones $FW all; do
for zone1 in $zones $FW all; do
eval pc=\$${zone}2${zone1}_policychain
[ -n "$pc" ] || \
@ -1041,7 +1041,7 @@ validate_policy()
done
done
else
for zone in $zones $FW; do
for zone in $zones $FW all; do
eval pc=\$${zone}2${server}_policychain
[ -n "$pc" ] || \
@ -1049,7 +1049,7 @@ validate_policy()
done
fi
elif [ -n "$serverwild" ]; then
for zone in $zones $FW; do
for zone in $zones $FW all; do
eval pc=\$${client}2${zone}_policychain
[ -n "$pc" ] || \
@ -1541,7 +1541,11 @@ setup_mac_lists() {
# Setup Logging variables
#
if [ -n "$MACLIST_LOG_LEVEL" ]; then
logpart="-j LOG $LOGPARMS --log-level $MACLIST_LOG_LEVEL --log-prefix"
if [ "$MACLIST_LOG_LEVEL" = ULOG ]; then
logpart="-j ULOG $LOGPARMS --ulog-prefix"
else
logpart="-j LOG $LOGPARMS --log-level $MACLIST_LOG_LEVEL --log-prefix"
fi
else
logpart=
fi
@ -2130,10 +2134,19 @@ add_a_rule()
serv="${serv:+-d $serv}"
[ -n "$loglevel" ] && run_iptables -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j LOG $LOGPARMS \
--log-prefix "Shorewall:$chain:$logtarget:" \
--log-level $loglevel
if [ -n "$loglevel" ]; then
if [ "$loglevel" = ULOG ]; then
run_iptables -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:$chain:$logtarget:" \
else
run_iptables -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j LOG $LOGPARMS \
--log-prefix "Shorewall:$chain:$logtarget:" \
--log-level $loglevel
fi
fi
run_iptables -A $chain $proto $multiport $state $cli $sports \
$serv $dports -j $target
else
@ -2144,10 +2157,18 @@ add_a_rule()
"Error: An ORIGINAL DESTINATION ($addr) is only allowed in" \
" a DNAT or REDIRECT: \"$rule\""
[ -n "$loglevel" ] && run_iptables -A $chain $proto $multiport \
$dest_interface $state $cli $sports $dports -j LOG \
$LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \
--log-level $loglevel
if [ -n "$loglevel" ]; then
if [ "$loglevel" = ULOG ]; then
run_iptables -A $chain $proto $multiport \
$dest_interface $state $cli $sports $dports -j ULOG \
$LOGPARMS --ulog-prefix "Shorewall:$chain:$logtarget:"
else
run_iptables -A $chain $proto $multiport \
$dest_interface $state $cli $sports $dports -j LOG \
$LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \
--log-level $loglevel
fi
fi
run_iptables -A $chain $proto $multiport $dest_interface $state \
$cli $sports $dports -j $target
@ -2619,8 +2640,16 @@ policy_rules() # $1 = chain to add rules to
esac
[ $# -eq 3 ] && [ "x${3}" != "x-" ] && run_iptables -A $1 -j LOG $LOGPARMS \
--log-prefix "Shorewall:${1}:${2}:" --log-level $3
if [ $# -eq 3 -a "x${3}" != "x-" ]; then
if [ "$3" = ULOG ]; then
run_iptables -A $1 -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:${1}:${2}:"
else
run_iptables -A $1 -j LOG $LOGPARMS \
--log-prefix "Shorewall:${1}:${2}:" --log-level $3
fi
fi
[ -n "$target" ] && run_iptables -A $1 -j $target
}
@ -2899,11 +2928,17 @@ setup_intrazone() # $1 = zone
# $dport = destination port selector
#
add_blacklist_rule() {
[ -n "$BLACKLIST_LOGLEVEL" ] && \
if [ -n "$BLACKLIST_LOGLEVEL" ]; then
run_iptables -A blacklst $source $proto $dport -j \
LOG $LOGPARMS --log-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL
ULOG $LOGPARMS --ulog-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:"
else
run_iptables -A blacklst $source $proto $dport -j \
LOG $LOGPARMS --log-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL
fi
run_iptables -A blacklst $source $proto $dport -j $disposition
}
@ -3197,9 +3232,16 @@ initialize_netfilter () {
if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no
run_user_exit newnotsyn
[ -n "$LOGNEWNOTSYN" ] && \
run_iptables -A newnotsyn -j LOG \
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
if [ -n "$LOGNEWNOTSYN" ]; then
if [ "$LOGNEWNOTSYN" = ULOG ]; then
run_iptables -A newnotsyn -j ULOG \
--ulog-prefix "Shorewall:newnotsyn:DROP:"
else
run_iptables -A newnotsyn -j LOG \
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
fi
fi
run_iptables -A newnotsyn -j DROP
fi
@ -3274,7 +3316,11 @@ build_common_chain() {
add_common_rules() {
logdisp() # $1 = Chain Name
{
echo "LOG --log-prefix "Shorewall:${1}:DROP:" --log-level info"
if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then
echo "ULOG --ulog-prefix Shorewall:${1}:DROP:"
else
echo "LOG --log-prefix Shorewall:${1}:DROP: --log-level info"
fi
}
#
# Reject Rules
@ -3290,10 +3336,17 @@ add_common_rules() {
createchain badpkt no
if [ -n "$LOGUNCLEAN" ]; then
logoptions="$LOGPARAMS --log-prefix Shorewall:badpkt:DROP:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
run_iptables -A badpkt -p tcp -j LOG $logoptions --log-tcp-options
run_iptables -A badpkt -p ! tcp -j LOG $logoptions
if [ "$LOGUNCLEAN" = ULOG ]; then
logoptions="$LOGPARAMS --ulog-prefix Shorewall:badpkt:DROP:"
logoptions="$logoptions --log-ip-options"
run_iptables -A badpkt -p tcp -j ULOG $logoptions --log-tcp-options
run_iptables -A badpkt -p ! tcp -j ULOG $logoptions
else
logoptions="$LOGPARAMS --log-prefix Shorewall:badpkt:DROP:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
run_iptables -A badpkt -p tcp -j LOG $logoptions --log-tcp-options
run_iptables -A badpkt -p ! tcp -j LOG $logoptions
fi
fi
run_iptables -A badpkt -j DROP
@ -3315,10 +3368,17 @@ add_common_rules() {
createchain logpkt no
[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
logoptions="$LOGPARAMS --log-prefix Shorewall:logpkt:LOG:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
run_iptables -A logpkt -p tcp -j LOG $logoptions --log-tcp-options
run_iptables -A logpkt -p ! tcp -j LOG $logoptions
if [ "$LOGUNCLEAN" = ULOG ]; then
logoptions="$LOGPARAMS --ulog-prefix Shorewall:logpkt:LOG:"
logoptions="$logoptions --log-ip-options"
run_iptables -A logpkt -p tcp -j ULOG $logoptions --log-tcp-options
run_iptables -A logpkt -p ! tcp -j ULOG $logoptions
else
logoptions="$LOGPARAMS --log-prefix Shorewall:logpkt:LOG:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
run_iptables -A logpkt -p tcp -j LOG $logoptions --log-tcp-options
run_iptables -A logpkt -p ! tcp -j LOG $logoptions
fi
echo "Mangled/Invalid Packet Logging enabled on:"
@ -3412,11 +3472,16 @@ add_common_rules() {
if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then
createchain logflags no
run_iptables -A logflags -j LOG $LOGPARMS \
--log-level $TCP_FLAGS_LOG_LEVEL \
--log-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \
--log-tcp-options --log-ip-options
if [ "$TCP_FLAGS_LOG_LEVEL" = ULOG ]; then
run_iptables -A logflags -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \
--log-tcp-options --log-ip-options
else
run_iptables -A logflags -j LOG $LOGPARMS \
--log-level $TCP_FLAGS_LOG_LEVEL \
--log-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \
--log-tcp-options --log-ip-options
fi
case $TCP_FLAGS_DISPOSITION in
REJECT)
run_iptables -A logflags -j REJECT --reject-with tcp-reset
@ -4327,6 +4392,7 @@ do_initialize() {
MACLIST_LOG_LEVEL=
TCP_FLAGS_DISPOSITION=
TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL=
stopping=
have_mutex=
masq_seq=1
@ -4436,6 +4502,8 @@ do_initialize() {
TCP_FLAGS_DISPOSITION=DROP
fi
[ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info
}
#
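Review bot: In add_blacklist_rule the rewritten `if [ -n "$BLACKLIST_LOGLEVEL" ]; then` now chooses the ULOG rule for every non-empty level and only reaches the LOG branch when the level is empty, so `BLACKLIST_LOGLEVEL=info` silently produces a ULOG rule and an unset level emits `LOG ... --log-level` with no argument instead of no logging rule at all, which is what the old `&&` guard gave. The fix is to nest the target test inside the existing guard as the other hunks do: keep `if [ -n "$BLACKLIST_LOGLEVEL" ]; then`, add `if [ "$BLACKLIST_LOGLEVEL" = ULOG ]; then` under it, keep the two run_iptables branches separated by `else`, and close with an extra `fi`. The first add_a_rule hunk has a related slip: its `--ulog-prefix "Shorewall:$chain:$logtarget:" \` line ends in a continuation backslash directly before `else`, so `else` is passed to run_iptables as an argument and the LOG rule below it is added as well; dropping that trailing `\` (as the second add_a_rule hunk already does) restores the intended if/else. Also worth checking: the badpkt, logpkt and logflags ULOG branches keep `--log-ip-options`/`--log-tcp-options`, which are LOG-target options and, as far as I can tell, are not accepted by the ULOG target.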


@ -424,4 +424,14 @@ TCP_FLAGS_DISPOSITION=DROP
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
RFC1918_LOG_LEVEL=info
#LAST LINE -- DO NOT REMOVE
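Review bot: The new RFC1918_LOG_LEVEL comment does not mention that ULOG is an accepted value, even though this commit's logdisp() in the firewall script selects the ULOG target whenever `RFC1918_LOG_LEVEL=ULOG`. Since the whole point of the commit is ULOG support, the sample config is where users will look for the syntax; I'd add `# The value ULOG selects the ULOG netfilter target in place of LOG.` to the comment block. The existing *_LOG_LEVEL entries above (TCP_FLAGS_LOG_LEVEL is visible as context) are not updated either, though that may be intended for a follow-up.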