Add ACCOUNTING_TABLE option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-17 12:51:33 -07:00 · 2011-05-17 12:51:33 -07:00 · fd70e73d34
commit fd70e73d34
parent 680ca519ed
15 changed files with 132 additions and 33 deletions
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@ -196,6 +196,8 @@ COMPLETE=Yes

 EXPORTMODULES=Yes

+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@ -207,6 +207,8 @@ COMPLETE=No

 EXPORTMODULES=Yes

+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@ -207,6 +207,8 @@ COMPLETE=No

 EXPORTMODULES=Yes

+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@ -214,6 +214,8 @@ COMPLETE=No

 EXPORTMODULES=Yes

+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@ -159,6 +159,8 @@ COMPLETE=Yes

 EXPORTMODULES=Yes

+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@ -161,6 +161,8 @@ COMPLETE=No

 EXPORTMODULES=Yes

+ACCOUNTING_TABLE=filter
+
 ##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@ -161,6 +161,8 @@ COMPLETE=No

 EXPORTMODULES=Yes

+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@ -161,6 +161,8 @@ COMPLETE=No

 EXPORTMODULES=Yes

+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@ -50,6 +50,7 @@ my $defaultrestriction;
 my $restriction;
 my $accounting_commands = { COMMENT => 0, SECTION => 2 };
 my $sectionname;
+my $acctable;

 #
 # Sections in the Accounting File
@ -57,15 +58,21 @@ my $sectionname;

 use constant {
 	      LEGACY      => 0,
-	      INPUT   => 1,
-	      OUTPUT  => 2,
-	      FORWARD => 3 };
+	      PREROUTING  => 1,
+	      INPUT       => 2,
+	      OUTPUT      => 3,
+	      FORWARD     => 4,
+	      POSTROUTING => 5
+	  };
 #
 # Map names to values
 #
-our %asections = ( INPUT   => INPUT,
+our %asections = ( PREROUTING  => PREROUTING,
+		   INPUT       => INPUT,
 		   FORWARD     => FORWARD,
-		   OUTPUT  => OUTPUT );
+		   OUTPUT      => OUTPUT,
+		   POSTROUTING => POSTROUTING
+		 );

 #
 # Called by the compiler to [re-]initialize this module's state
@ -108,9 +115,18 @@ sub process_section ($) {
    } elsif ( $sectionname eq 'OUTPUT' ) {
 	$defaultchain = 'accountout';
 	$defaultrestriction = OUTPUT_RESTRICT;
-    } else {
+    } elsif ( $sectionname eq 'FORWARD' ) {
 	$defaultchain = 'accountfwd';
 	$defaultrestriction = NO_RESTRICT;
+     } else {
+	 fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
+	 if ( $sectionname eq 'PREROUTING' ) {
+	     $defaultchain = 'accountpre';
+	     $defaultrestriction = PREROUTE_RESTRICT;
+	 } else {
+	     $defaultchain = 'accountpost';
+	     $defaultrestriction = POSTROUTE_RESTRICT;
+	 }
     }

    $asection = $newsect;
@ -121,6 +137,8 @@ sub process_section ($) {
 #
 sub process_accounting_rule( ) {

+    $acctable = $config{ACCOUNTING_TABLE};
+
    $jumpchainref = 0;

    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File', $accounting_commands;
@ -261,7 +279,7 @@ sub process_accounting_rule( ) {
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
    }

-    my $chainref = $filter_table->{$chain};
+    my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
    my $dir;

    if ( ! $chainref ) {
@ -376,41 +394,51 @@ sub setup_accounting() {
 	clear_comment;

 	if ( $nonEmpty ) {
+	    my $tableref = $chain_table{$acctable};
+
 	    if ( have_bridges || $asection ) {
-		if ( $filter_table->{accountin} ) {
-		    add_jump( $filter_table->{INPUT}, 'accountin', 0, '', 0, 0 );
+		if ( $tableref->{accountin} ) {
+		    add_jump( $tableref->{INPUT}, 'accountin', 0, '', 0, 0 );
 		}

-		if ( $filter_table->{accounting} ) {
+		if ( $tableref->{accounting} ) {
 		    dont_optimize( 'accounting' );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
-			add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+			add_jump( $tableref->{$chain}, 'accounting', 0, '', 0, 0 );
 		    }
 		}

-		if ( $filter_table->{accountfwd} ) {
-		    add_jump( $filter_table->{FORWARD}, 'accountfwd', 0, '', 0, 0 );
+		if ( $tableref->{accountfwd} ) {
+		    add_jump( $tableref->{FORWARD}, 'accountfwd', 0, '', 0, 0 );
 		}

-		if ( $filter_table->{accountout} ) {
-		    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+		if ( $tableref->{accountout} ) {
+		    add_jump( $tableref->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 		}
-	    } elsif ( $filter_table->{accounting} ) {
+
+		if ( $tableref->{accountpre} ) {
+		    add_jump( $tableref->{PREROUTING}, 'accountpre', 0, '', 0, 0 );
+		}
+
+		if ( $tableref->{accountpost} ) {
+		    add_jump( $tableref->{POSTROUTING}, 'accountpost', 0, '', 0, 0 );
+		}
+	    } elsif ( $tableref->{accounting} ) {
 		dont_optimize( 'accounting' );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+		    add_jump( $tableref->{$chain}, 'accounting', 0, '', 0, 0 );
 		}
 	    }

-	    if ( $filter_table->{accipsecin} ) {
+	    if ( $tableref->{accipsecin} ) {
 		for my $chain ( qw/INPUT FORWARD/ ) {
-		    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+		    add_jump( $tableref->{$chain}, 'accipsecin', 0,  '', 0, 0 );
 		}
 	    }

-	    if ( $filter_table->{accipsecout} ) {
+	    if ( $tableref->{accipsecout} ) {
 		for my $chain ( qw/FORWARD OUTPUT/ ) {
-		    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
+		    add_jump( $tableref->{$chain}, 'accipsecout', 0, '', 0, 0 );
 		}
 	    }

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -1382,7 +1382,9 @@ sub ensure_accounting_chain( $$$ )
 {
    my ($chain, $ipsec, $restriction ) = @_;

-    my $chainref = $filter_table->{$chain};
+    my $table = $config{ACCOUNTING_TABLE};
+
+    my $chainref = $chain_table{$table}{$chain};

    if ( $chainref ) {
 	fatal_error "Non-accounting chain ($chain) used in an accounting rule" unless $chainref->{accounting};
@ -1390,7 +1392,7 @@ sub ensure_accounting_chain( $$$ )
    } else {
 	fatal_error "Chain name ($chain) too long" if length $chain > 29;
 	fatal_error "Invalid Chain name ($chain)" unless $chain =~ /^[-\w]+$/ && ! ( $builtin_target{$chain} || $config_files{$chain} );
-	$chainref = new_chain 'filter' , $chain;
+	$chainref = new_chain $table , $chain;
 	$chainref->{accounting}  = 1;
 	$chainref->{referenced}  = 1;
 	$chainref->{restriction} = $restriction;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -526,6 +526,7 @@ sub initialize( $ ) {
 	  ZONE2ZONE => undef,
 	  ACCOUNTING => undef,
 	  OPTIMIZE_ACCOUNTING => undef,
+	  ACCOUNTING_TABLE => undef,
 	  DYNAMIC_BLACKLIST => undef,
 	  LOAD_HELPERS_ONLY => undef,
 	  REQUIRE_INTERFACE => undef,
@ -3277,8 +3278,17 @@ sub get_configuration( $ ) {
    default_yes_no 'AUTOMAKE'                   , '';
    default_yes_no 'WIDE_TC_MARKS'              , '';
    default_yes_no 'TRACK_PROVIDERS'            , '';
+
    default_yes_no 'ACCOUNTING'                 , 'Yes';
    default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
+    
+    if ( defined $config{ACCOUNTING_TABLE} ) {
+	my $value = $config{ACCOUNTING_TABLE};
+	fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle';
+    } else {
+	$config{ACCOUNTING_TABLE} = 'filter';
+    }
+
    default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
    default_yes_no 'REQUIRE_INTERFACE'          , '';
    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability 'MARK' ? 'Yes' : '';
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@ -196,6 +196,8 @@ COMPLETE=No

 EXPORTMODULES=Yes

+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -47,6 +47,21 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
    is compatible with 4.4.19 in that if a relative path name is
    supplied, then '/usr/' is prepended to the name.

+2)  A new ACCOUNTING_TABLE option has been added to shorewall.conf and
+    shorwall6.conf. The setting determines the Netfilter table (filter
+    or mangle) where accounting rules are created.
+
+    When ACCOUNTING_TABLE=mangle, the allowable sections in the
+    accounting file are as follows:
+
+	PREROUTING
+        INPUT
+	OUTPUT
+	FORWARD
+	POSTROUTING
+
+    Present sections must appear in that order.
+
 ----------------------------------------------------------------------------
             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------
--- a/Shorewall6/shorewall6.conf
+++ b/Shorewall6/shorewall6.conf
@ -159,6 +159,8 @@ COMPLETE=No

 EXPORTMODULES=Yes

+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@ -296,8 +296,18 @@
    <emphasis role="bold">OUTPUT</emphasis> and <emphasis
    role="bold">FORWARD</emphasis> and must appear in that order (although any
    of them may be omitted). The first non-commentary record in the accounting
-    file must be a section header when sectioning is used. Section headers
-    have the form:</para>
+    file must be a section header when sectioning is used. </para>
+
+    <para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
+    added to shorewall.conf and shorewall6.conf. That setting determines the
+    Netfilter table (filter or mangle) where the accounting rules are added.
+    When ACCOUNTING_TABLE=mangle is specified, the available sections are
+    <emphasis role="bold">PREROUTING</emphasis>, <emphasis
+    role="bold">INPUT</emphasis>, <emphasis role="bold">OUTPUT</emphasis>,
+    <emphasis role="bold">FORWARD</emphasis> and <emphasis
+    role="bold">POSTROUTING</emphasis>.</para>
+
+    <para>Section headers have the form:</para>

    <para><option>SECTION</option>
    <replaceable>section-name</replaceable></para>
@ -316,11 +326,13 @@

      <listitem>
        <para>You may not specify an output interface in the <emphasis
-        role="bold">INPUT</emphasis> section.</para>
+        role="bold">PREROUTING</emphasis> and <emphasis
+        role="bold">INPUT</emphasis> sections.</para>
      </listitem>

      <listitem>
-        <para>In the OUTPUT section:</para>
+        <para>In the <emphasis role="bold">OUTPUT</emphasis> and <emphasis
+        role="bold">POSTROUTING</emphasis> sections:</para>

        <itemizedlist>
          <listitem>
@ -329,7 +341,8 @@

          <listitem>
            <para>You may not jump to a chain defined in the <emphasis
-            role="bold">INPUT</emphasis> section that specifies an input
+            role="bold">INPUT</emphasis> or <emphasis
+            role="bold">PREROUTING</emphasis> sections that specifies an input
            interface</para>
          </listitem>

@ -339,8 +352,9 @@

          <listitem>
            <para>You may not jump to a chain defined in the <emphasis
-            role="bold">INPUT</emphasis> section that specifies specifies a
-            MAC address.</para>
+            role="bold">INPUT</emphasis> or <emphasis
+            role="bold">PREROUTING</emphasis> section that specifies specifies
+            a MAC address.</para>
          </listitem>
        </itemizedlist>
      </listitem>
@ -363,6 +377,16 @@
            <para><emphasis role="bold">accountfwd</emphasis> in the <emphasis
            role="bold">FORWARD</emphasis> section</para>
          </listitem>
+
+          <listitem>
+            <para><emphasis role="bold">accountpre</emphasis> in the <emphasis
+            role="bold">PREROUTING</emphasis> section</para>
+          </listitem>
+
+          <listitem>
+            <para><emphasis role="bold">accountpost</emphasis> in the
+            <emphasis role="bold">POSTROUTING</emphasis> section</para>
+          </listitem>
        </itemizedlist>
      </listitem>