Implement LOG target option control.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-05-24 13:54:59 -07:00
parent 6142d4d535
commit fc97f6d00e
5 changed files with 134 additions and 17 deletions


@ -759,9 +759,9 @@ sub set_rule_option( $$$ ) {
} }
} }
sub transform_rule( $;$ ) { sub transform_rule( $ ) {
my ( $input, $partial ) = @_; my $input = $_[0];
my $ruleref = $partial ? {} : { mode => CAT_MODE, target => '' }; my $ruleref = { mode => CAT_MODE, target => '' };
my $simple = 1; my $simple = 1;
$input =~ s/^\s*//; $input =~ s/^\s*//;
@ -818,11 +818,7 @@ sub transform_rule( $;$ ) {
set_rule_option( $ruleref, $option, $params ); set_rule_option( $ruleref, $option, $params );
} }
if ( $partial ) { $ruleref->{simple} = $simple;
delete $ruleref->{simple};
} else {
$ruleref->{simple} = $simple unless $partial;
}
$ruleref; $ruleref;
} }
@ -2534,7 +2530,7 @@ sub initialize_chain_table($) {
new_standard_chain 'reject'; new_standard_chain 'reject';
} }
my $ruleref = transform_rule( $globals{LOGLIMIT}, 1 ); my $ruleref = transform_rule( $globals{LOGLIMIT} );
$globals{iLOGLIMIT} = $globals{iLOGLIMIT} =
( $ruleref->{hashlimit} ? [ hashlimit => $ruleref->{hashlimit} ] : ( $ruleref->{hashlimit} ? [ hashlimit => $ruleref->{hashlimit} ] :
@ -5179,7 +5175,15 @@ sub log_rule_limit( $$$$$$$$ ) {
} elsif ( $level =~ /^NFLOG/ ) { } elsif ( $level =~ /^NFLOG/ ) {
$prefix = "-j $level "; $prefix = "-j $level ";
} else { } else {
$prefix = "-j LOG $globals{LOGPARMS}--log-level $level "; my $flags = $globals{LOGPARMS};
if ( $level =~ /^(.+)\((.*)\)$/ ) {
$level = $1;
$flags = join( ' ', $flags, $2 ) . ' ';
$flags =~ s/,/ /g;
}
$prefix = "-j LOG ${flags}--log-level $level ";
} }
} else { } else {
if ( $tag ) { if ( $tag ) {
@ -5214,7 +5218,15 @@ sub log_rule_limit( $$$$$$$$ ) {
$prefix = join( '', substr( $prefix, 0, 12 ) , ':' ) if length $prefix > 13; $prefix = join( '', substr( $prefix, 0, 12 ) , ':' ) if length $prefix > 13;
$prefix = "-j $level --log-prefix \"$prefix\" "; $prefix = "-j $level --log-prefix \"$prefix\" ";
} else { } else {
$prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" "; my $options = $globals{LOGPARMS};
if ( $level =~ /^(.+)\((.*)\)$/ ) {
$level = $1;
$options = join( ' ', $options, $2 ) . ' ';
$options =~ s/,/ /g;
}
$prefix = "-j LOG ${options}--log-level $level --log-prefix \"$prefix\" ";
} }
} }
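Review bot: The level-option parsing added in the `else` branch of the second `log_rule_limit` hunk (`my $options = $globals{LOGPARMS}; if ( $level =~ /^(.+)\((.*)\)$/ ) { ... }`) is a verbatim copy of the block added in the first hunk under the name `$flags`; the two will drift apart the first time one of them is touched, so the split belongs in one helper that both branches call. Note also that `s/,/ /g` runs over the already-joined string, so it rewrites commas in `$globals{LOGPARMS}` as well as in the `(...)` qualifier; that is presumably harmless today but is not what the code reads as intending, and a helper makes it easy to restrict the substitution to the qualifier. `log_rule_limit` starts and ends outside these hunks.
```perl
#
# Split a level of the form LEVEL(opt1,opt2,...) into the bare level and
# the LOG target options to emit, prefixed by LOGPARMS. Returns the pair.
#
sub log_target_options( $ ) {
    my $level = $_[0];
    my $flags = $globals{LOGPARMS};

    if ( $level =~ /^(.+)\((.*)\)$/ ) {
        $level = $1;
        $flags = join( ' ', $flags, $2 ) . ' ';
        $flags =~ s/,/ /g;
    }

    ( $level, $flags );
}

# … unchanged: NFLOG branch …
} else {
    ( $level, my $flags ) = log_target_options( $level );
    $prefix = "-j LOG ${flags}--log-level $level ";
}
# … unchanged: --log-prefix branch uses the same call …
```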


@ -2455,6 +2455,22 @@ sub level_error( $ ) {
fatal_error "Invalid log level ($_[0])"; fatal_error "Invalid log level ($_[0])";
} }
my %logoptions = ( tcp_sequence => '--log-tcp-sequence',
ip_options => '--log-ip-options',
tcp_options => '--log-tcp-options',
uid => '--log-uid',
macdecode => '--log-macdecode',
#
# Because a level can pass through validate_level() more than once,
# the full option names are also included here.
#
'--log-tcp-sequence' => '--log-tcp-sequence',
'--log-ip-options' => '--log-ip-options',
'--log-tcp-options' => '--log-tcp-options',
'--log-uid' => '--log-uid',
'--log-macdecode' => '--log-macdecode',
);
sub validate_level( $ ) { sub validate_level( $ ) {
my $rawlevel = $_[0]; my $rawlevel = $_[0];
my $level = uc $rawlevel; my $level = uc $rawlevel;
@ -2465,7 +2481,11 @@ sub validate_level( $ ) {
my $qualifier; my $qualifier;
unless ( $value =~ /^[0-7]$/ ) { unless ( $value =~ /^[0-7]$/ ) {
level_error( $level ) unless $level =~ /^([A-Za-z0-7]+)(.*)$/ && defined( $value = $validlevels{$1} ); } if ( $value =~ /^([0-7])(.*)$/ ) {
$value = $1;
$qualifier = $2;
} elsif ( $value =~ /^([A-Za-z0-7]+)(.*)$/ ) {
level_error( $level) unless defined( $value = $validlevels{$1} );
$qualifier = $2; $qualifier = $2;
} }
@ -2473,9 +2493,32 @@ sub validate_level( $ ) {
# #
# Syslog Level # Syslog Level
# #
level_error( $rawlevel ) if supplied $qualifier; if ( supplied $qualifier ) {
my $options = '';
my %options;
level_error ( $rawlevel ) unless $qualifier =~ /^\((.*)\)$/;
for ( split_list lc $1, "log options" ) {
my $option = $logoptions{$_};
fatal_error "Unknown LOG option ($_)" unless $option;
unless ( $options{$option} ) {
if ( $options ) {
$options = join( ',', $options, $option );
} else {
$options = $option;
}
$options{$option} = 1;
}
}
$value .= "($options)" if $options;
}
require_capability ( 'LOG_TARGET' , "Log level $level", 's' ); require_capability ( 'LOG_TARGET' , "Log level $level", 's' );
return $value; return $value;
} }
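Review bot: `for ( split_list lc $1, "log options" )` relies on `$1` left behind by the match in the preceding `level_error ( $rawlevel ) unless $qualifier =~ /^\((.*)\)$/;` statement, which is fragile if anything with a regex is ever inserted between the two lines; capture into a lexical instead: `my ( $list ) = $qualifier =~ /^\((.*)\)$/;` `level_error( $rawlevel ) unless defined $list;` `for ( split_list lc $list, "log options" ) {`. With that in place an empty qualifier such as `info()` yields an empty `$list`, is accepted silently and produces no suffix; if that is intended it deserves a one-line comment, otherwise `level_error` should also fire on `$list eq ''`. The manual `$options`/`%options` accumulator could then collapse to a single `join( ',', ... )` over the de-duplicated options, though that is a matter of taste. `validate_level` begins in the previous hunk of this file.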


@ -1588,7 +1588,10 @@
url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para> url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
<para><ulink <para><ulink
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para> url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para><ulink
url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorweall-blrules(5), shorewall-hosts(5), shorewall-blacklist(5), shorweall-blrules(5), shorewall-hosts(5),


@ -1264,6 +1264,9 @@
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para><ulink
url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
<para><ulink <para><ulink
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para> url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>


@ -155,6 +155,61 @@
If you are unsure of the level to choose, 6 (info) is a safe bet. You If you are unsure of the level to choose, 6 (info) is a safe bet. You
may specify levels by name or by number.</para> may specify levels by name or by number.</para>
<para>Beginning with Shorewall 4.5.5, the
<replaceable>level</replaceable> name or number may be optionally
followed by a comma-separated list of one or more<replaceable> log
options</replaceable>. The list is enclosed in parentheses. Log options
cause additional information to be included in each log message.</para>
<para>Valid log options are:</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ip_options</emphasis></term>
<listitem>
<para>Log messages will include the option settings from the IP
header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">macdecode</emphasis></term>
<listitem>
<para>Decode the MAC address and protocol.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">tcp_sequence</emphasis></term>
<listitem>
<para>Include TCP sequence numbers.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">tcp_options</emphasis></term>
<listitem>
<para>Include options from the TCP header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">uid</emphasis></term>
<listitem>
<para>Include the UID of the sending program; only valid for
packets originating on the firewall itself.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Example: <emphasis
role="bold">info(tcp_options,tcp_sequence)</emphasis></para>
<para>Syslogd writes log messages to files (typically in <filename <para>Syslogd writes log messages to files (typically in <filename
class="directory">/var/log/</filename>*) based on their facility and class="directory">/var/log/</filename>*) based on their facility and
level. The mapping of these facility/level pairs to log files is done in level. The mapping of these facility/level pairs to log files is done in
@ -282,6 +337,7 @@ ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 </programlis
<para>For general information on the contents of Netfilter log messages, <para>For general information on the contents of Netfilter log messages,
see <ulink see <ulink
url="http://www.net.co.at/doc/howto/docs/iptables_netfilter_howto_de/docs/netfilter_log_format/index.html">http://www.net.co.at/doc/howto/docs/iptables_netfilter_howto_de/docs/netfilter_log_format/index.html</ulink>.</para> url="http://www.net.co.at/doc/howto/docs/iptables_netfilter_howto_de/docs/netfilter_log_format/index.html">http://www.net.co.at/doc/howto/docs/iptables_netfilter_howto_de/docs/netfilter_log_format/index.html</ulink>.</para>
<para>For Shorewall-specific information, see <ulink <para>For Shorewall-specific information, see <ulink
url="FAQ.htm#faq17">FAQ #17</ulink>.</para> url="FAQ.htm#faq17">FAQ #17</ulink>.</para>
</section> </section>