holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Redesign Accounting

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@720 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-08-20 16:54:27 +00:00
parent b6adee2804
commit e58b08c4b7
3 changed files with 50 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
Shorewall/accounting
View File

@ -10,43 +10,32 @@
# Please see http://shorewall.net/Accounting.html for examples and # Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file. # additional information about how to use this file.
# #
# This file has two sections -- the first section is used to create a
# hierarchy of accounting chains. The second section creates rules to
# count traffic through your firewall.
# #
# In the first section of this file, entries have the following columns: # Columns are:
#
# ACTION - Must contain CHAIN
#
# CHAIN - The name of a chain to create. Shorewall will create
# this chain. If the chain already exists, a warning
# message is issued and the entry is ignored.
#
# NEXT CHAIN - Optional - The name of a previously-created chain
#
# If the NEXT CHAIN column is empty then Shorewall will add a single
# RETURN rule to the chain named in the CHAIN column. If the NEXT
# CHAIN column is not empty then Shorewall will add a jump from the
# newly-created chain to the chain named in the NEXT CHAIN column.
#
#ACTION CHAIN NEXT
# CHAIN
# ADD YOUR CHAIN DECLARATIONS ABOVE THIS LINE
#
# Columns in the second section of this file are are:
# #
# ACTION - What to do when a match is found. # ACTION - What to do when a match is found.
# #
# COUNT - Simply count the match and continue # COUNT - Simply count the match and continue
# with the next rule # with the next rule
# DONE - Count the match and don't attempt # DONE - Count the match and don't attempt
# to match any other accounting rules. # to match any other accounting rules
# <chain> - The name of a chain. Shoreall will # in the chain specified in the CHAIN
# create the chain automatically if # column.
# it was not created by an earlier # <chain>[:COUNT]
# CHAIN declaration above. # - Where <chain> is the name of
# a chain. Shorewall will create
# the chain automatically if it
# doesn't already exist. Causes
# a jump to that chain. If :COUNT
# is including, a counting rule
# matching this record will be
# added to <chain>
# #
# CHAIN - The name of a chain. If specified as "-" the
# 'accounting' chain is assumed. This is the chain
# where the accounting rule is added. The chain will
# be created if it doesn't already exist.
#
# SOURCE - Packet Source # SOURCE - Packet Source
# #
# The name of an interface, an address (host or net) or # The name of an interface, an address (host or net) or
@ -72,13 +61,13 @@
# only be specified if the protocol is TCP or UDP (6 # only be specified if the protocol is TCP or UDP (6
# or 17). # or 17).
# #
# In all of the above columns except ACTION, the values "-", "any" and # In all of the above columns except ACTION and CHAIN, the values "-",
# "all" may be used as wildcards # "any" and "all" may be used as wildcards
# #
# Please see http://shorewall.net/Accounting.html for examples and # Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file. # additional information about how to use this file.
# #
#ACTION SOURCE DESTINATION PROTOCOL DEST SOURCE #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
# PORT PORT # PORT PORT
# #
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

4
Shorewall/changelog.txt
View File

@ -52,3 +52,7 @@ Changes since 1.4.6
24) Add "RATE LIMIT" column for those who prefer their config files to 24) Add "RATE LIMIT" column for those who prefer their config files to
be wide but normalized. be wide but normalized.
25) Redesign the accounting facility to make it simpler and more
flexible.

86
Shorewall/firewall
View File

@ -1763,66 +1763,27 @@ delete_tc()
done done
} }
#
# Add an accounting chain
#
add_accounting_chain() {
chain_error() {
error_message "Warning: Invalid CHAIN declaration" $source $dest $protocol $port $sport
}
if [ -n "${protocol}${port}${sport}" ] ; then
chain_error
return
fi
if [ -z "$source" ] ; then
chain_error
return
fi
if havechain $source; then
error_message "Warning: Chain $source already exists - CHAIN declaration $source $dest Ignored"
return
fi
if createchain2 $source No; then
if [ -z "$dest" ]; then
run_iptables -A $source -j RETURN
echo " Accounting chain $source" created
elif iptables -A $source -j $dest ; then
echo " Accounting chain $source with next chain $dest created"
else
chain_error
fi
else
chain_error
fi
}
# #
# Process a record from the accounting file # Process a record from the accounting file
# #
process_accounting_rule() { process_accounting_rule() {
rule= rule=
rule2= rule2=
chain= jumpchain=
accounting_error() { accounting_error() {
error_message "Warning: Invalid Accounting rule" $action $source $dest $proto $port $sport error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport
} }
jump_to_chain() { jump_to_chain() {
if ! havechain $chain; then if ! havechain $jumpchain; then
if createchain2 $chain No; then if ! createchain2 $jumpchain No; then
run_iptables -A $chain -j RETURN
else
accounting_error accounting_error
return 2 return 2
fi fi
fi fi
rule="$rule -j $chain" rule="$rule -j $jumpchain"
} }
case $source in case $source in
@ -1883,22 +1844,29 @@ process_accounting_rule() {
DONE) DONE)
rule="$rule -j RETURN" rule="$rule -j RETURN"
;; ;;
*:DONE) *:COUNT)
chain=${action%:*} rule2="$rule"
rule2="$rule -j RETURN" jumpchain=${action%:*}
jump_to_chain || return
;;
JUMP:*)
jumpchain=${action#*:}
jump_to_chain || return jump_to_chain || return
;; ;;
*) *)
chain=$action jumpchain=$action
jump_to_chain || return jump_to_chain || return
;; ;;
esac esac
havechain accounting || createchain accounting No
if iptables -A accounting $rule ; then [ "x$chain" = "x-" ] && chain=accounting
[ "x$rule2" != x ] && run_iptables -A accounting $rule2 [ -z "$chain" ] && chain=accounting
echo " Accounting rule" $action $source $dest $proto $port $sport Added
havechain $chain || createchain $chain No
if iptables -A $chain $rule ; then
[ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2
echo " Accounting rule" $action $chain $source $dest $proto $port $sport Added
else else
accounting_error accounting_error
fi fi
@ -1914,15 +1882,9 @@ setup_accounting() # $1 = Name of accounting file
strip_file accounting $1 strip_file accounting $1
while read action source dest proto port sport ; do while read action chain source dest proto port sport ; do
case $action in expandv action chain source dest proto port sport
CHAIN) process_accounting_rule
add_accounting_chain
;;
*)
process_accounting_rule
;;
esac
done < $TMP_DIR/accounting done < $TMP_DIR/accounting
if havechain accounting; then if havechain accounting; then