Fix sectioned IPSEC accounting.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2012-05-30 14:37:29 -07:00 · 2012-05-30 14:37:29 -07:00 · de184b32bc
commit de184b32bc
parent ea173ab628
3 changed files with 101 additions and 28 deletions
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@ -46,6 +46,7 @@ my $jumpchainref;
 my %accountingjumps;
 my $asection;
 my $defaultchain;
+my $ipsecdir;
 my $defaultrestriction;
 my $restriction;
 my $accounting_commands = { COMMENT => 0, SECTION => 2 };
@ -92,6 +93,7 @@ sub initialize() {
    # These are the legacy values
    #
    $defaultchain       = 'accounting';
+    $ipsecdir           = '';
    $defaultrestriction = NO_RESTRICT;
    $sectionname        = '';
 }
@ -111,20 +113,25 @@ sub process_section ($) {

    if ( $sectionname eq 'INPUT' ) {
 	$defaultchain = 'accountin';
+	$ipsecdir     = 'in';
 	$defaultrestriction = INPUT_RESTRICT;
    } elsif ( $sectionname eq 'OUTPUT' ) {
 	$defaultchain = 'accountout';
+	$ipsecdir     = 'out';
 	$defaultrestriction = OUTPUT_RESTRICT;
    } elsif ( $sectionname eq 'FORWARD' ) {
 	$defaultchain = 'accountfwd';
+	$ipsecdir     = '';
 	$defaultrestriction = NO_RESTRICT;
     } else {
 	 fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
 	 if ( $sectionname eq 'PREROUTING' ) {
 	     $defaultchain = 'accountpre';
+	     $ipsecdir     = 'in';
 	     $defaultrestriction = PREROUTE_RESTRICT;
 	 } else {
 	     $defaultchain = 'accountpost';
+	     $ipsecdir     = 'out';
 	     $defaultrestriction = POSTROUTE_RESTRICT;
 	 }
     }
@ -285,7 +292,21 @@ sub process_accounting_rule( ) {
    }

    my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
-    my $dir;
+    my $dir = $ipsecdir;
+
+    if ( $asection && $ipsec ne '-' ) {
+	if ( $ipsecdir ) {
+	    fatal_error "Invalid IPSEC ($ipsec)" if $ipsec =~ /^(?:in|out)\b/;
+	} else {
+	    if ( $ipsec =~ s/^(?:(in|out)\b)// ) {
+		$dir = $1;
+	    } else {
+		fatal_error q(IPSEC rules in the $asection section require that the value begin with 'in' or 'out');
+	    }
+	}
+
+	$rule .= do_ipsec( $dir, $ipsec );
+    }

    if ( ! $chainref ) {
 	if ( reserved_chain_name( $chain ) ) {
@ -297,6 +318,7 @@ sub process_accounting_rule( ) {
 	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
 	}

+	unless ( $asection ) {
 	    $dir = ipsec_chain_name( $chain );

 	    if ( $ipsec ne '-' ) {
@ -310,9 +332,11 @@ sub process_accounting_rule( ) {
 		warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
 		$chainref->{ipsec} = $dir;
 	    }
+	}
    } else {
 	fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};

+	unless ( $asection ) {
 	    if ( $ipsec ne '-' ) {
 		$dir = $chainref->{ipsec};
 		fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
@ -321,6 +345,7 @@ sub process_accounting_rule( ) {
 		$restriction |= $chainref->{restriction};
 	    }
 	}
+    }

    set_optflags( $chainref, DONT_OPTIMIZE ) if $target eq 'RETURN';

@ -366,7 +391,6 @@ sub process_accounting_rule( ) {
 	} else {
 	    $jumpchainref->{ipsec} = $chainref->{ipsec};
 	}
-
    }

    if ( $rule2 ) {
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@ -539,7 +539,8 @@

      <varlistentry>
        <term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
-        (Optional - Added in Shorewall 4.4.13 )</emphasis></term>
+        (Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1
+        )</emphasis></term>

        <listitem>
          <para>The option-list consists of a comma-separated list of options
@ -653,9 +654,30 @@
                match the rule.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">in</emphasis></term>
+
+              <listitem>
+                <para>May only be used in the FORWARD section and must be the
+                first or the only item the list. Indicates that matching
+                packets have been decrypted in input.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">out</emphasis></term>
+
+              <listitem>
+                <para>May only be used in the FORWARD section and must be the
+                first or the only item in the list. Indicates that matching
+                packets will be encrypted on output.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>

-          <para>If this column is non-empty, then:</para>
+          <para>If this column is non-empty and sections are not used,
+          then:</para>

          <itemizedlist>
            <listitem>
@ -671,11 +693,13 @@
              role="bold">accipsecout</emphasis> or a chain branched either
              directly or indirectly from those chains.</para>
            </listitem>
-          </itemizedlist>

+            <listitem>
              <para>These rules will NOT appear in the <emphasis
              role="bold">accounting</emphasis> chain.</para>
            </listitem>
+          </itemizedlist>
+        </listitem>
      </varlistentry>
    </variablelist>

--- a/Shorewall6/manpages/shorewall6-accounting.xml
+++ b/Shorewall6/manpages/shorewall6-accounting.xml
@ -480,13 +480,15 @@

      <varlistentry>
        <term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
-        (Optional - Added in Shorewall 4.4.13 )</emphasis></term>
+        (Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1
+        )</emphasis></term>

        <listitem>
          <para>The option-list consists of a comma-separated list of options
          from the following list. Only packets that will be encrypted or have
          been de-crypted via an SA that matches these options will have their
-          source address changed.</para>
+          source address changed. May only be specified when sections are
+          used.</para>

          <variablelist>
            <varlistentry>
@ -594,9 +596,30 @@
                match the rule.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">in</emphasis></term>
+
+              <listitem>
+                <para>May only be used in the FORWARD section and must be the
+                first or the only item the list. Indicates that matching
+                packets have been decrypted in input.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">out</emphasis></term>
+
+              <listitem>
+                <para>May only be used in the FORWARD section and must be the
+                first or the only item in the list. Indicates that matching
+                packets will be encrypted on output.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>

-          <para>If this column is non-empty, then:</para>
+          <para>If this column is non-empty and sections are not used,
+          then:</para>

          <itemizedlist>
            <listitem>
@ -612,11 +635,13 @@
              role="bold">accipsecout</emphasis> or a chain branched either
              directly or indirectly from those chains.</para>
            </listitem>
-          </itemizedlist>

+            <listitem>
              <para>These rules will NOT appear in the <emphasis
              role="bold">accounting</emphasis> chain.</para>
            </listitem>
+          </itemizedlist>
+        </listitem>
      </varlistentry>

      <varlistentry>