More cleanup of action logging
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1502 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
ed50013118
commit
f82055bca8
@ -187,15 +187,6 @@ run_ip() {
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Run arp and if an error occurs, stop the firewall and quit
|
||||
#
|
||||
run_arp() {
|
||||
if ! arp $@ ; then
|
||||
[ -z "$stopping" ] && { stop_firewall; exit 2; }
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Run tc and if an error occurs, stop the firewall and quit
|
||||
#
|
||||
@ -1029,7 +1020,7 @@ find_broadcasts() {
|
||||
# Find interface address--returns the first IP address assigned to the passed
|
||||
# device
|
||||
#
|
||||
find_interface_address() # $1 = interface
|
||||
find_first_interface_address() # $1 = interface
|
||||
{
|
||||
#
|
||||
# get the line of output containing the first IP address
|
||||
@ -1082,28 +1073,6 @@ find_hosts_by_option() # $1 = option
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Determine if there are interfaces of the given zone and option
|
||||
#
|
||||
# Returns zero if any such interfaces are found and returns one otherwise.
|
||||
#
|
||||
have_interfaces_in_zone_with_option() # $1 = zone, $2 = option
|
||||
{
|
||||
local zne=$1
|
||||
local z
|
||||
local interface
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
eval z=\$$(chain_base $interface)_zone
|
||||
|
||||
[ "x$z" = "x$zne" ] && \
|
||||
list_search $1 $options && \
|
||||
return 0
|
||||
done
|
||||
|
||||
return 1
|
||||
}
|
||||
|
||||
#
|
||||
# Flush and delete all user-defined chains in the filter table
|
||||
#
|
||||
@ -1709,7 +1678,6 @@ setup_mac_lists() {
|
||||
local addresses
|
||||
local address
|
||||
local chain
|
||||
local logpart
|
||||
local macpart
|
||||
local blob
|
||||
local hosts
|
||||
@ -2785,16 +2753,18 @@ process_action() # $1 = action
|
||||
}
|
||||
|
||||
#
|
||||
# Create and record a log action chain
|
||||
# Create and record a log action chain -- in the functions that follow,
|
||||
# the CHAIN, LEVEL and TAG variable serves as an arguments to the user's
|
||||
# exit. We call the exit corresponding to the name of the action but we
|
||||
# set CHAIN to the name of the iptables chain where rules are to be added.
|
||||
# Similarly, LEVEL and TAG contain the log level and log tag respectively.
|
||||
#
|
||||
|
||||
createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
|
||||
{
|
||||
local actchain= action=$1 level=$2
|
||||
|
||||
eval actchain=\$${action}_actchain
|
||||
|
||||
[ -n "$actchain" ] || actchain=1
|
||||
eval actchain=\${${action}_actchain-1}
|
||||
|
||||
case ${#action} in
|
||||
11)
|
||||
@ -2809,6 +2779,8 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
|
||||
|
||||
if [ $COMMAND != check ]; then
|
||||
createchain $CHAIN No
|
||||
LEVEL=${level%:*}
|
||||
TAG=${level#*:}
|
||||
run_user_exit $1
|
||||
fi
|
||||
|
||||
@ -2834,6 +2806,8 @@ createactionchain() # $1 = Action, including log level and tag if any
|
||||
*)
|
||||
CHAIN=$1
|
||||
if [ $COMMAND != check ]; then
|
||||
LEVEL=
|
||||
TAG=
|
||||
createchain $CHAIN no
|
||||
run_user_exit $CHAIN
|
||||
fi
|
||||
@ -3223,7 +3197,7 @@ add_nat_rule() {
|
||||
if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then
|
||||
eval interfaces=\$${source}_interfaces
|
||||
for interface in $interfaces; do
|
||||
addr=${addr:+$addr,}$(find_interface_address $interface)
|
||||
addr=${addr:+$addr,}$(find_first_interface_address $interface)
|
||||
done
|
||||
fi
|
||||
;;
|
||||
@ -4422,7 +4396,7 @@ setup_masq()
|
||||
;;
|
||||
*:)
|
||||
add_snat_aliases=
|
||||
funninterface=${fullinterface%:}
|
||||
fullinterface=${fullinterface%:}
|
||||
destnets="0.0.0.0/0"
|
||||
;;
|
||||
*:*)
|
||||
|
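Review bot: In the createlogactionchain hunk (`@ -2809,6 +2779,8 @@`), `TAG=${level#*:}` leaves TAG equal to the whole level string when no tag was supplied, because `#*:` removes nothing if there is no colon; the function's own signature says the tag is optional (`$2 = Log Level [: Log Tag ]`), so an invocation such as `acton:info` would run the user exit with `TAG="info"` instead of an empty tag, contradicting the release-notes contract that `$TAG` is the log tag. Guard the expansion so it matches the empty `TAG=` that the `*)` branch of createactionchain sets in the next hunk, e.g. `case $level in *:*) TAG=${level#*:} ;; *) TAG= ;; esac`. Separately, `eval actchain=\${${action}_actchain-1}` in the earlier hunk substitutes 1 only when the variable is unset, whereas the removed `[ -n "$actchain" ] || actchain=1` also covered a set-but-empty value; `${...:-1}` would preserve the old semantics if that case can occur. The body of createlogactionchain starts and ends outside these hunks, so I cannot confirm whether a caller already normalizes `$2` to always contain a colon.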
@ -38,6 +38,14 @@ Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
|
||||
/etc/shorewall/policy
|
||||
/etc/shorewall/tos
|
||||
|
||||
2) The following builtin actions have been removed and have been
|
||||
replaced by the new action logging implementation described in the
|
||||
new features below.
|
||||
|
||||
logNotSyn
|
||||
rLogNotSyn
|
||||
dLogNotSyn
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
New Features:
|
||||
|
||||
@ -127,4 +135,29 @@ New Features:
|
||||
ACCEPT:debug - - tcp 22
|
||||
bar:debug!
|
||||
|
||||
This change has an effect on extension scripts used with
|
||||
user-defined actions. If you define an action 'acton' and you have
|
||||
a /etc/shorewall/acton script then when that script is invoked,
|
||||
the following three variables will be set for use by the script:
|
||||
|
||||
$CHAIN = the name of the chain where your rules are to be
|
||||
placed. When logging is used on an action invocation,
|
||||
Shorewall creates a chain with a slightly different name from
|
||||
the action itself.
|
||||
|
||||
$LEVEL = Log level. If empty, no logging was specified.
|
||||
|
||||
$TAG = Log Tag.
|
||||
|
||||
Example:
|
||||
|
||||
/etc/shorewall/rules:
|
||||
|
||||
acton:info:test
|
||||
|
||||
Your /etc/shorewall/acton file will be run with:
|
||||
|
||||
$CHAIN="acton1"
|
||||
$LEVEL="info"
|
||||
$TAG="test"
|
||||
|
||||
|