diff --git a/Shorewall/accounting b/Shorewall/accounting
index 2e9f5998c..29a912813 100755
--- a/Shorewall/accounting
+++ b/Shorewall/accounting
@@ -10,43 +10,32 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-# This file has two sections -- the first section is used to create a
-# hierarchy of accounting chains. The second section creates rules to
-# count traffic through your firewall.
 #
-# In the first section of this file, entries have the following columns:
-#
-# ACTION - Must contain CHAIN
-#
-# CHAIN - The name of a chain to create. Shorewall will create
-# this chain. If the chain already exists, a warning
-# message is issued and the entry is ignored.
-#
-# NEXT CHAIN - Optional - The name of a previously-created chain
-#
-# If the NEXT CHAIN column is empty then Shorewall will add a single
-# RETURN rule to the chain named in the CHAIN column. If the NEXT
-# CHAIN column is not empty then Shorewall will add a jump from the
-# newly-created chain to the chain named in the NEXT CHAIN column.
-#
-#ACTION CHAIN NEXT
-# CHAIN
-
-# ADD YOUR CHAIN DECLARATIONS ABOVE THIS LINE
-#
-# Columns in the second section of this file are are:
+# Columns are:
 #
 # ACTION - What to do when a match is found.
 #
 # COUNT - Simply count the match and continue
 # with the next rule
 # DONE - Count the match and don't attempt
-# to match any other accounting rules.
-# - The name of a chain. Shoreall will
-# create the chain automatically if
-# it was not created by an earlier
-# CHAIN declaration above.
+# to match any other accounting rules
+# in the chain specified in the CHAIN
+# column.
+# [:COUNT]
+# - Where is the name of
+# a chain. Shorewall will create
+# the chain automatically if it
+# doesn't already exist. Causes
+# a jump to that chain. If :COUNT
+# is including, a counting rule
+# matching this record will be
+# added to
 #
+# CHAIN - The name of a chain. If specified as "-" the
+# 'accounting' chain is assumed. This is the chain
+# where the accounting rule is added. The chain will
+# be created if it doesn't already exist.
+#
 # SOURCE - Packet Source
 #
 # The name of an interface, an address (host or net) or
@@ -72,13 +61,13 @@
 # only be specified if the protocol is TCP or UDP (6
 # or 17).
 #
-# In all of the above columns except ACTION, the values "-", "any" and
-# "all" may be used as wildcards
+# In all of the above columns except ACTION and CHAIN, the values "-",
+# "any" and "all" may be used as wildcards
 #
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#ACTION SOURCE DESTINATION PROTOCOL DEST SOURCE
-# PORT PORT
+#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
+# PORT PORT
 #
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 94639126c..185201413 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -52,3 +52,7 @@ Changes since 1.4.6 24) Add "RATE LIMIT" column for those who prefer their config files to be wide but normalized. + +25) Redesign the accounting facility to make it simpler and more + flexible. +
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 8d3a3a941..465db59f1 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1763,66 +1763,27 @@ delete_tc() done } -# -# Add an accounting chain -# -add_accounting_chain() { - chain_error() { - error_message "Warning: Invalid CHAIN declaration" $source $dest $protocol $port $sport - } - - if [ -n "${protocol}${port}${sport}" ] ; then - chain_error - return - fi - - if [ -z "$source" ] ; then - chain_error - return - fi - - if havechain $source; then - error_message "Warning: Chain $source already exists - CHAIN declaration $source $dest Ignored" - return - fi - - if createchain2 $source No; then - if [ -z "$dest" ]; then - run_iptables -A $source -j RETURN - echo " Accounting chain $source" created - elif iptables -A $source -j $dest ; then - echo " Accounting chain $source with next chain $dest created" - else - chain_error - fi - else - chain_error - fi -} - # # Process a record from the accounting file # process_accounting_rule() { rule= rule2= - chain= + jumpchain= accounting_error() { - error_message "Warning: Invalid Accounting rule" $action $source $dest $proto $port $sport + error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport } jump_to_chain() { - if ! havechain $chain; then - if createchain2 $chain No; then - run_iptables -A $chain -j RETURN - else + if ! havechain $jumpchain; then + if ! createchain2 $jumpchain No; then accounting_error return 2 fi fi - rule="$rule -j $chain" + rule="$rule -j $jumpchain" } case $source in 
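Review bot: jump_to_chain still accepts an empty chain name, so an ACTION written as `:COUNT` or `JUMP:` — which, as far as the case arms in the next hunk show, leave `jumpchain` empty — reaches `havechain` and `createchain2` with no argument, and the record is only rejected indirectly when those calls fail. A guard at the top of the function, `[ -n "$jumpchain" ] || { accounting_error; return 2; }`, would reject the malformed record explicitly and before any iptables call. The chain name is also taken from the accounting file and expanded unquoted, so a value containing whitespace is split into several arguments; a check that the name contains only characters iptables accepts as a chain name could sit behind the same guard. process_accounting_rule continues past the end of this hunk.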
@@ -1883,22 +1844,29 @@ process_accounting_rule() { DONE) rule="$rule -j RETURN" ;; - *:DONE) - chain=${action%:*} - rule2="$rule -j RETURN" + *:COUNT) + rule2="$rule" + jumpchain=${action%:*} + jump_to_chain || return + ;; + JUMP:*) + jumpchain=${action#*:} jump_to_chain || return ;; *) - chain=$action + jumpchain=$action jump_to_chain || return ;; esac - - havechain accounting || createchain accounting No - if iptables -A accounting $rule ; then - [ "x$rule2" != x ] && run_iptables -A accounting $rule2 - echo " Accounting rule" $action $source $dest $proto $port $sport Added + [ "x$chain" = "x-" ] && chain=accounting + [ -z "$chain" ] && chain=accounting + + havechain $chain || createchain $chain No + + if iptables -A $chain $rule ; then + [ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2 + echo " Accounting rule" $action $chain $source $dest $proto $port $sport Added else accounting_error fi @@ -1914,15 +1882,9 @@ setup_accounting() # $1 = Name of accounting file strip_file accounting $1 - while read action source dest proto port sport ; do - case $action in - CHAIN) - add_accounting_chain - ;; - *) - process_accounting_rule - ;; - esac + while read action chain source dest proto port sport ; do + expandv action chain source dest proto port sport + process_accounting_rule done < $TMP_DIR/accounting if havechain accounting; then
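Review bot: The new `JUMP:*` arm is not described in the accounting file header rewritten earlier in this commit, which lists only COUNT, DONE and a chain name with an optional `:COUNT` suffix as ACTION values; either document it there or drop it, since the bare `*)` arm already treats any other token as a chain name. The removed `*:DONE` form now falls through to that same `*)` arm, so an unconverted entry such as `foo:DONE` is taken as a literal chain name and fails inside createchain2 instead of being reported as obsolete syntax; an explicit `*:DONE) accounting_error; return ;;` arm placed before `*)` would make the migration failure obvious. process_accounting_rule begins before this hunk.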
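Review bot: Inserting CHAIN as the second field of `read` shifts every pre-existing six-column accounting entry by one with no diagnostic: a legacy line whose second field is an interface or address is now read as a chain name, and with the `[ -z "$chain" ]` defaulting in the previous hunk nothing flags the mismatch. The two layouts do not appear distinguishable from the fields alone, so at minimum the file header and changelog entry 25 should state that the column layout is incompatible with earlier accounting files and that existing entries must be rewritten. `read` without `-r` is unchanged here, so backslashes in any field are still interpreted rather than taken literally. setup_accounting begins before this hunk.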