Tom Eastep
2004-Feb-10 15:24 UTC
[Shorewall-devel] Re: [Shorewall-newbies] specific log-prefix ... patch
Let''s move this to the Shorewall Development list.... On Tuesday 10 February 2004 03:14 pm, xavier wrote:> here is a patch to allow this : > |ACCEPT<10/sec:20>:debug fw lan:$ntp_servers udp 123 - - - - ntp > > a problem with the patch is that now the logprefix is mandatory. > i''m trying to debug it, but i can''t find the flaw.Also, with two 5-character zones, you probably can''t specify a logprefix using the standard LOGFORMAT string -- the --log-prefix value will be too long. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
On Tue, Feb 10, 2004 at 03:24:55PM -0800, Tom Eastep wrote: |Let''s move this to the Shorewall Development list.... | |On Tuesday 10 February 2004 03:14 pm, xavier wrote: |> here is a patch to allow this : |> |ACCEPT<10/sec:20>:debug fw lan:$ntp_servers udp 123 - - - - ntp |> |> a problem with the patch is that now the logprefix is mandatory. |> i''m trying to debug it, but i can''t find the flaw. | |Also, with two 5-character zones, you probably can''t specify a logprefix using |the standard LOGFORMAT string -- the --log-prefix value will be too long. | yup, that''s right, and that''s why i changed my logformat is shorewall.conf. it''s something smaller now. (s/Shorewall/fw/) (patch is against 1.4.10 btw) thanks -- xavier
On Tuesday 10 February 2004 06:58 pm, xavier wrote:> On Tue, Feb 10, 2004 at 03:24:55PM -0800, Tom Eastep wrote: > |Let''s move this to the Shorewall Development list.... > | > |On Tuesday 10 February 2004 03:14 pm, xavier wrote: > |> here is a patch to allow this : > |> |ACCEPT<10/sec:20>:debug fw lan:$ntp_servers udp 123 - - - - > |> | ntp > |> > |> a problem with the patch is that now the logprefix is mandatory. > |> i''m trying to debug it, but i can''t find the flaw. > | > |Also, with two 5-character zones, you probably can''t specify a logprefix > | using the standard LOGFORMAT string -- the --log-prefix value will be too > | long. > > yup, that''s right, and that''s why i changed my logformat is shorewall.conf. > it''s something smaller now. (s/Shorewall/fw/) > > (patch is against 1.4.10 btw)Frankly, I think I would rather see energy put into log processing tools than into trying to customize the raw log messages. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
Here is a cleaner version of the patch.
(patch is against 1.4.10 btw)
you can do this now :
ACCEPT lan fw icmp 8
ACCEPT:debug lan fw tcp 6666 - - 10/sec:20
ACCEPT:debug fw lan icmp 8 - - 10/m - pingo
ACCEPT:debug fw lan:$freenode_servers tcp 6667 - - 10/sec:20 -
irc_fnde
ACCEPT:debug fw lan tcp 6667 1024:65535 - - -
irc2
ACCEPT:debug fw lan tcp 6667 - - - - irc3
Tom : thanks for the quotes tip ! ("$logprefix")
bye
--
xavier
-------------- next part --------------
Index: firewall
==================================================================RCS file:
/home/xavier/cvsx/xavier/work/box/natch/usr/share/shorewall/firewall,v
retrieving revision 1.1
retrieving revision 1.5
diff -u -r1.1 -r1.5
--- firewall 10 Feb 2004 22:03:41 -0000 1.1
+++ firewall 12 Feb 2004 21:00:10 -0000 1.5
@@ -990,15 +990,17 @@
#
# Add a logging rule.
#
-log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate
limit $... = predicates for the rule
+log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate
limit $5=logprefix $... = predicates for the rule
{
local level=$1
local chain=$2
local disposition=$3
local rulenum local limit="${4:-$LOGLIMIT}"
+ local dx="dx";
+ local logprefix="${5:-$dx}"
- shift;shift;shift;shift
+ shift;shift;shift;shift;shift;
if [ -n "$LOGRULENUMBERS" ]; then
eval rulenum=\$${chain}_logrules
@@ -1007,10 +1009,10 @@
case $level in
ULOG)
- eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix
''"`printf "$LOGFORMAT" $chain $rulenum
$disposition`"''
+ eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix
''"`printf "$LOGFORMAT" $chain $rulenum
$disposition`$logprefix "''
;;
*)
- eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level
--log-prefix ''"`printf "$LOGFORMAT" $chain $rulenum
$disposition`"''
+ eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level
--log-prefix ''"`printf "$LOGFORMAT" $chain $rulenum
$disposition`$logprefix "''
;;
esac
@@ -1024,10 +1026,10 @@
else
case $level in
ULOG)
- eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix
''"`printf "$LOGFORMAT" $chain
$disposition`"''
+ eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix
''"`printf "$LOGFORMAT" $chain $disposition`$logprefix
"''
;;
*)
- eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level
--log-prefix ''"`printf "$LOGFORMAT" $chain
$disposition`"''
+ eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level
--log-prefix ''"`printf "$LOGFORMAT" $chain
$disposition`$logprefix "''
;;
esac
@@ -1045,7 +1047,7 @@
shift;shift;shift
- log_rule_limit $level $chain $disposition "$LOGLIMIT" $@
+ log_rule_limit $level $chain $disposition "$LOGLIMIT"
"$logprefix" $@
}
#
@@ -2295,7 +2297,7 @@
for serv1 in `separate_list $serv`; do
for srv in `ip_range $serv1`; do
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $action $logtarget "$ratelimit" \
+ log_rule_limit $loglevel $action $logtarget "$ratelimit"
"$logprefix" \
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi
@@ -2305,7 +2307,7 @@
done
else
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $action $logtarget "$ratelimit" \
+ log_rule_limit $loglevel $action $logtarget "$ratelimit"
"$logprefix" \
`fix_bang $proto $sports $multiport $state $cli $dports`
fi
@@ -2483,7 +2485,7 @@
if [ -f $fn ]; then
echo "Processing $fn..."
strip_file $f $fn
- while read xtarget xclients xservers xprotocol xports xcports xratelimit ;
do
+ while read xtarget xclients xservers xprotocol xports xcports xratelimit
xlogprefix ; do
expandv xtarget
temp="${xtarget%:*}"
case "${temp%<*}" in
@@ -2613,7 +2615,7 @@
else
for adr in `separate_list $addr`; do
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \
+ log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit"
"$logprefix" -t nat \
`fix_bang $proto $cli $sports -d $adr $multiport $dports`
fi
@@ -2644,7 +2646,7 @@
done
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" -t nat
fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for
port redirection
@@ -2652,7 +2654,7 @@
for adr in `separate_list $addr`; do
if [ -n "$loglevel" ]; then
ensurenatchain $chain
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" -t nat \
`fix_bang $proto $cli $sports -d $adr $multiport $dports`
fi
@@ -2866,7 +2868,7 @@
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in `separate_list $addr`; do
if [ -n "$loglevel" -a -z "$natrule" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m
conntrack --ctorigdst $adr \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" -m conntrack --ctorigdst $adr \
$userandgroup `fix_bang $proto $sports $multiport $state $cli -d $srv
$dports`
fi
@@ -2875,7 +2877,7 @@
done
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit"
$userandgroup \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" $userandgroup \
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi
@@ -2886,7 +2888,7 @@
done
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit"
$userandgroup \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" $userandgroup \
`fix_bang $proto $sports $multiport $state $cli $dports`
fi
@@ -2905,7 +2907,7 @@
if [ $command != check ]; then
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit"
$userandgroup \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" $userandgroup \
`fix_bang $proto $multiport $dest_interface $state $cli $sports $dports`
fi
@@ -2929,6 +2931,7 @@
# $7 = address
# $8 = ratelimit
# $9 = userset
+ # $10 = logprefix
{
local target="$1"
local clients="$2"
@@ -2940,7 +2943,8 @@
local ratelimit="$8"
local userset="$9"
local userandgroup- local rule="`echo $target $clients $servers
$protocol $ports $cports $address $ratelimit $userset`"
+ local logprefix="${10}"
+ local rule="`echo $target $clients $servers $protocol $ports $cports
$address $ratelimit $userset $logprefix`"
# Function Body - isolate rate limit
@@ -3297,7 +3301,7 @@
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then
- process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports
$xaddress $xratelimit $xuserset
+ process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports
$xaddress $xratelimit $xuserset $xlogprefix
fi
fi
done
@@ -3305,7 +3309,7 @@
}
do_it() {
- expandv xclients xservers xprotocol xports xcports xaddress xratelimit
xuserset
+ expandv xclients xservers xprotocol xports xcports xaddress xratelimit
xuserset xlogprefix
if [ "x$xclients" = xall ]; then
xclients="$zones $FW"
@@ -3322,7 +3326,7 @@
continue
fi
- process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports
$xaddress $xratelimit $xuserset
+ process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports
$xaddress $xratelimit $xuserset $xlogprefix
}
while read xtarget xclients xservers xprotocol xports xcports xaddress
xratelimit xuserset; do
Tom Eastep
2004-Feb-12 14:34 UTC
[Shorewall-devel] Re: specific log-prefix ... cleaner patch
On Thursday 12 February 2004 02:16 pm, xavier wrote:> Here is a cleaner version of the patch. > (patch is against 1.4.10 btw) > > > you can do this now : > > ACCEPT lan fw icmp 8 > ACCEPT:debug lan fw tcp 6666 - - 10/sec:20 > ACCEPT:debug fw lan icmp 8 - - 10/m - > pingo ACCEPT:debug fw lan:$freenode_servers tcp 6667 - - > 10/sec:20 - irc_fnde ACCEPT:debug fw lan tcp > 6667 1024:65535 - - - irc2 ACCEPT:debug fw lan > tcp 6667 - - - - irc3 > > > Tom : thanks for the quotes tip ! ("$logprefix") >What about the code beginning at around line 5688 (1.4.10a)? -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
|What about the code beginning at around line 5688 (1.4.10a)? Yes, that''s a problem, the logprefix does not get parsed at that point (and nothing isn''t yet parsed, so there is no quick hack here) so the iptables commands might fail ; fortunately, thanks to you, Shorewall is pretty good at recovering from that : $ shorewall restart Loading /usr/share/shorewall/functions... [snip] Processing Actions... Processing /etc/shorewall/rules... Rule "ACCEPT lan fw icmp 8" added. Rule "ACCEPT:debug lan fw tcp 6666 - - 10/sec:20" added. iptables v1.2.8: Maximum prefix length 29 for --log-prefix Try `iptables -h'' or ''iptables --help'' for more information. Processing /etc/shorewall/stop ... Processing /etc/shorewall/stopped ... zsh: terminated shorewall restart so Shorewall recover from that by stopping. i could check the total size in log_rule_limit(), and strip it to 29 chars if its too big. (sounds a bit like a bad hack to me, but afterall, why not...) with a warning message, it gives the operator a chance to correct his mistake _and_ having a firewall working as it should, not stopped. what do you think ? bye -- xavier
Tom Eastep
2004-Feb-13 15:14 UTC
[Shorewall-devel] Re: specific log-prefix ... cleaner patch
On Friday 13 February 2004 12:23 pm, xavier wrote:> |What about the code beginning at around line 5688 (1.4.10a)? > > Yes, that''s a problem, the logprefix does not get parsed at > that point (and nothing isn''t yet parsed, so there is no quick hack here) > > so the iptables commands might fail ; > > fortunately, thanks to you, Shorewall is > pretty good at recovering from that : > > $ shorewall restart > Loading /usr/share/shorewall/functions... > > [snip] > > Processing Actions... > Processing /etc/shorewall/rules... > Rule "ACCEPT lan fw icmp 8" added. > Rule "ACCEPT:debug lan fw tcp 6666 - - 10/sec:20" added. > iptables v1.2.8: Maximum prefix length 29 for --log-prefix > Try `iptables -h'' or ''iptables --help'' for more information. > Processing /etc/shorewall/stop ... > Processing /etc/shorewall/stopped ... > zsh: terminated shorewall restart > > so Shorewall recover from that by stopping.Most folks don''t think of that as recovery.> > i could check the total size in log_rule_limit(), > and strip it to 29 chars if its too big. > (sounds a bit like a bad hack to me, but afterall, why not...) > > with a warning message, it gives the operator a chance to correct > his mistake _and_ having a firewall working as it should, not stopped. > > what do you think ?I think that''s a better solution. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
|> i could check the total size in log_rule_limit(), |> and strip it to 29 chars if its too big. |> (sounds a bit like a bad hack to me, but afterall, why not...) |> |> with a warning message, it gives the operator a chance to correct |> his mistake _and_ having a firewall working as it should, not stopped. |> |> what do you think ? | |I think that''s a better solution. I''m currently working on it on Shorewall 2.0 rc2. -- xavier
xavier
2004-Mar-15 15:17 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
Here is a patch for 2.0.0
I''m checking the lenght of the logprefix, warning the user,
cutting the logprefix to 29 and continue with the rule.
rules permitted with this patch :
ACCEPT:debug fw lan icmp 8 - - 10/m - pingout
what do you think about it ?
thanks
--
xavier
-------------- next part --------------
--- firewall-2.0.0 2004-03-15 18:03:07.000000000 -0500
+++ firewall 2004-03-15 18:13:44.000000000 -0500
@@ -906,21 +906,32 @@
local disposition=$3
local rulenum local limit="${4:-$LOGLIMIT}"
+ local dx="";
+ local logprefix="${5:-$dx}"
+ logprefix="$logprefix "
- shift;shift;shift;shift
+ shift;shift;shift;shift;shift
+
+
+
if [ -n "$LOGRULENUMBERS" ]; then
eval rulenum=\$${chain}_logrules
[ -z "$rulenum" ] && rulenum=1
-
+
+ logprefixtemp="$(printf "$LOGFORMAT" $chain $rulenum
$disposition)$logprefix"
+ if [ ${#logprefixtemp} -gt 29 ]; then
+ logprefixtemp="$(echo $logprefixtemp |cut -b -29)"
+ echo " Logprefix too LONG ! cutting it to 29 : $logprefixtemp"
+ fi
+
case $level in
ULOG)
- eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix
''"$(printf "$LOGFORMAT" $chain $rulenum
$disposition)"''
+ eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix
''"$logprefixtemp"''
;;
*)
- eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \
- --log-prefix ''"$(printf "$LOGFORMAT" $chain
$rulenum $disposition)"''
+ eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level
--log-prefix ''"$logprefixtemp"''
;;
esac
@@ -932,13 +943,21 @@
eval ${chain}_logrules=$rulenum
else
+
+ logprefixtemp="$(printf "$LOGFORMAT" $chain
$disposition)$logprefix"
+ if [ ${#logprefixtemp} -gt 29 ]; then
+ logprefixtemp="$(echo $logprefixtemp |cut -b -29)"
+ echo " Logprefix too LONG ! cutting it to 29 : $logprefixtemp"
+ fi
+
+
case $level in
ULOG)
- eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix
''"$(printf "$LOGFORMAT" $chain
$disposition)"''
+ eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix
''"$logprefixtemp"''
;;
*)
- eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \
- --log-prefix ''"$(printf "$LOGFORMAT" $chain
$disposition)"''
+
+ eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level
--log-prefix ''"$logprefixtemp"''
;;
esac
@@ -956,7 +975,7 @@
shift;shift;shift
- log_rule_limit $level $chain $disposition "$LOGLIMIT" $@
+ log_rule_limit $level $chain $disposition "$LOGLIMIT"
"$logprefix" $@
}
#
@@ -2188,7 +2207,7 @@
for serv1 in $(separate_list $serv); do
for srv in $(ip_range $serv1); do
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $action $logtarget "$ratelimit"
$userandgroup \
+ log_rule_limit $loglevel $action $logtarget "$ratelimit"
"$logprefix" $userandgroup \
$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi
@@ -2198,7 +2217,7 @@
done
else
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $action $logtarget "$ratelimit"
$userandgroup \
+ log_rule_limit $loglevel $action $logtarget "$ratelimit"
"$logprefix" $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dports)
fi
@@ -2230,7 +2249,8 @@
local cports="$7"
local ratelimit="$8"
local userspec="$9"
- local rule="$(echo $target $clients $servers $protocol $ports $cports
$ratelimit)"
+ local logprefix="${10}"
+ local rule="$(echo $target $clients $servers $protocol $ports $cports
$ratelimit $logprefix)"
local userandgroup
if [ -n "$ratelimit" ]; then
@@ -2436,7 +2456,7 @@
if [ -f $fn ]; then
echo " Pre-processing $fn..."
strip_file $f $fn
- while read xtarget xclients xservers xprotocol xports xcports xratelimit
$xuserspec; do
+ while read xtarget xclients xservers xprotocol xports xcports xratelimit
$xuserspec xlogprefix; do
expandv xtarget
temp="${xtarget%:*}"
case "${temp%<*}" in
@@ -2446,7 +2466,7 @@
if list_search $temp $ACTIONS; then
eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\"
else
- rule="$(echo $xtarget $xclients $xservers $xprotocol $xports
$xcports $xratelimit $xuserspec)"
+ rule="$(echo $xtarget $xclients $xservers $xprotocol $xports
$xcports $xratelimit $xuserspec $xlogprefix)"
fatal_error "Invalid TARGET in rule \"$rule\""
fi
;;
@@ -2480,7 +2500,7 @@
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then
- process_action $xaction $xtarget $yclients $yservers $xprotocol $xports
$xcports $xratelimit $xuserspec
+ process_action $xaction $xtarget $yclients $yservers $xprotocol $xports
$xcports $xratelimit $xuserspec $xlogprefix
fi
fi
done
@@ -2488,7 +2508,7 @@
}
do_it() {
- expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
+ expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
xlogprefix
if [ "x$xclients" = xall ]; then
xclients="$zones $FW"
@@ -2505,7 +2525,7 @@
continue
fi
- process_action $xaction $xtarget $xclients $xservers $xprotocol $xports
$xcports $xratelimit $xuserspec
+ process_action $xaction $xtarget $xclients $xservers $xprotocol $xports
$xcports $xratelimit $xuserspec $xlogprefix
}
#
@@ -2538,7 +2558,7 @@
fn=$(find_file $f)
echo "Processing $fn..."
- while read xtarget xclients xservers xprotocol xports xcports xratelimit
$xuserspec; do
+ while read xtarget xclients xservers xprotocol xports xcports xratelimit
$xuserspec xlogprefix; do
do_it
done < $TMP_DIR/$f
;;
@@ -2644,14 +2664,14 @@
done
if [ -n "$loglevel" ]; then
- log_rule $loglevel $chain $logtarget -t nat
+ log_rule $loglevel $chain $logtarget "$logprefix" -t nat
fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for
port redirection
else
for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \
+ log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit"
"$logprefix" -t nat \
$(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
fi
@@ -2682,7 +2702,7 @@
done
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" -t nat
fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for
port redirection
@@ -2690,7 +2710,7 @@
for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then
ensurenatchain $chain
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" -t nat \
$(fix_bang $proto $cli $sports -d $adr $multiport $dports)
fi
@@ -2901,7 +2921,7 @@
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m
conntrack --ctorigdst $adr \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" -m conntrack --ctorigdst $adr \
$userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv
$dports)
fi
@@ -2910,7 +2930,7 @@
done
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit"
$userandgroup \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" $userandgroup \
$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi
@@ -2921,7 +2941,7 @@
done
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit"
$userandgroup \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dports)
fi
@@ -2940,7 +2960,7 @@
if [ $COMMAND != check ]; then
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit"
$userandgroup \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" $userandgroup \
$(fix_bang $proto $multiport $dest_interface $cli $sports $dports)
fi
@@ -2974,8 +2994,9 @@
local address="$7"
local ratelimit="$8"
local userspec="$9"
+ local logprefix="${10}"
local userandgroup- local rule="$(echo $target $clients $servers
$protocol $ports $cports $address $ratelimit $userspec)"
+ local rule="$(echo $target $clients $servers $protocol $ports $cports
$address $ratelimit $userspec $logprefix)"
# Function Body - isolate rate limit
@@ -3266,7 +3287,7 @@
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then
- process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports
$xaddress $xratelimit $xuserspec
+ process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports
$xaddress $xratelimit $xuserspec $xlogprefix
fi
fi
done
@@ -3274,7 +3295,7 @@
}
do_it() {
- expandv xclients xservers xprotocol xports xcports xaddress xratelimit
xuserspec
+ expandv xclients xservers xprotocol xports xcports xaddress xratelimit
xuserspec xlogprefix
if [ "x$xclients" = xall ]; then
xclients="$zones $FW"
@@ -3291,10 +3312,10 @@
continue
fi
- process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports
$xaddress $xratelimit $xuserspec
+ process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports
$xaddress $xratelimit $xuserspec $xlogprefix
}
- while read xtarget xclients xservers xprotocol xports xcports xaddress
xratelimit xuserspec; do
+ while read xtarget xclients xservers xprotocol xports xcports xaddress
xratelimit xuserspec xlogprefix; do
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
@@ -3309,7 +3330,7 @@
do_it
else
- rule="$(echo $xtarget $xclients $xservers $xprotocol $xports
$xcports $xaddress $xratelimit $xuserspec)"
+ rule="$(echo $xtarget $xclients $xservers $xprotocol $xports
$xcports $xaddress $xratelimit $xuserspec $xlogprefix)"
fatal_error "Invalid Action in rule \"$rule\""
fi
;;
Tom Eastep
2004-Mar-15 15:25 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
On Monday 15 March 2004 03:17 pm, xavier wrote:> Here is a patch for 2.0.0 > > I''m checking the lenght of the logprefix, warning the user, > cutting the logprefix to 29 and continue with the rule. > > rules permitted with this patch : > > ACCEPT:debug fw lan icmp 8 - - 10/m - > pingout > > > what do you think about it ?I would still like to see something done with LOGPREFIX check performed during initialization. I''ll also need a patch to the rules file. If you can take care of those two things, we''ll include this in 2.0.1. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
xavier
2004-Mar-16 18:20 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
On Mon, Mar 15, 2004 at 03:25:42PM -0800, Tom Eastep wrote: |On Monday 15 March 2004 03:17 pm, xavier wrote: |> Here is a patch for 2.0.0 |> |> I''m checking the lenght of the logprefix, warning the user, |> cutting the logprefix to 29 and continue with the rule. |> |> rules permitted with this patch : |> |> ACCEPT:debug fw lan icmp 8 - - 10/m - |> pingout |> |> |> what do you think about it ? | | |I would still like to see something done with LOGPREFIX check performed during |initialization. | |I''ll also need a patch to the rules file. | |If you can take care of those two things, we''ll include this in 2.0.1. I''ll work on it. bye -- xavier
xavier
2004-Mar-17 13:24 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
|I''ll also need a patch to the rules file.
Here it is. Let me know how you find it.
|I would still like to see something done with LOGPREFIX check performed during
|initialization.
During initialization ?
near line 5622 ? :
near :
------------------
temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null)
if [ $? -ne 0 ]; then
startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi
fi
if [ ${#temp} -gt 29 ]; then
startup_error "LOGFORMAT string is too long:
\"$LOGFORMAT\""
fi
------------------
doing something about it would mean parsing the files ?
(and the files are not parsed at that point...)
remember i''m cutting it at execution time so that it never fails...
tell me what you have in mind for doing something during initialization.
--
xavier
-------------- next part --------------
--- ../cvs/shorewall/Shorewall2/rules 2004-03-17 14:53:01.000000000 -0500
+++ rules 2004-03-17 15:57:12.000000000 -0500
@@ -208,7 +208,7 @@
# address is not altered.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
-# this colume:
+# this column:
#
# <rate>/<interval>[:<burst>]
#
@@ -240,6 +240,29 @@
# !:kids #program must not be run by a member
# #of the ''kids'' group
#
+#
+# LOGPREFIX You may add a specific log prefix to rules which are
+# already logged (see the ACTIONS paragraph) by adding
+# a word in this column. Spaces are not allowed, but
+# underscores are.
+#
+# Examples:
+#
+# pingw # print Shorewall:fw2lan:ACCEPT:pingw
+# mailo # print Shorewall:fw2lan:ACCEPT:mailo
+# ma_ou # print Shorewall:fw2lan:ACCEPT:ma_ou
+#
+#
+# The default log format is LOGFORMAT="Shorewall:%s:%s:"
+# You might want to reduce it to something shorter to
+# allow you longer logprefixes. (in shorewall.conf :
+# LOGFORMAT="Sw:%s:%s:" or something similar)
+# (the total lenght permitted by iptables is 29 chars.)
+# Shorewall:fw2lan:ACCEPT is already 23 chars.
+#
+#
+#
+#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
@@ -257,9 +280,9 @@
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# DNAT<3/sec:10> net loc:192.168.1.3 tcp http
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
+# # PORT PORT(S) DEST LIMIT
+# DNAT net loc:192.168.1.3 tcp http - -
<3/sec:10>
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
@@ -283,7 +306,20 @@
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22
+#
+# Example: You want to explicitly log when a user named bob use https
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ LOG
+# # PORT PORT(S) DEST LIMIT GROUP
PREFIX
+# ACCEPT:debug fw lan tcp 443 - - -
bob hs_bob
+#
+# Example: You want to explicitly log outgoing pings
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ LOG
+# # PORT PORT(S) DEST LIMIT GROUP
PREFIX
+# ACCEPT:debug fw lan icmp 8 - - -
- p_out
+
+
+
####################################################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
USER/ LOG
+# PORT PORT(S) DEST LIMIT
GROUP PREFIX
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Tom Eastep
2004-Mar-17 13:35 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
On Wednesday 17 March 2004 01:23 pm, xavier wrote:> |I''ll also need a patch to the rules file. > > Here it is. Let me know how you find it. > > |I would still like to see something done with LOGPREFIX check performed > | during initialization. > > During initialization ? > > near line 5622 ? : > near : > ------------------ > temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null) > if [ $? -ne 0 ]; then > startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" > fi > fi > > if [ ${#temp} -gt 29 ]; then > startup_error "LOGFORMAT string is too long: \"$LOGFORMAT\"" > fi > ------------------ > > > doing something about it would mean parsing the files ? > (and the files are not parsed at that point...) > > remember i''m cutting it at execution time so that it never fails... > > tell me what you have in mind for doing something during initialization.Given the comments you added in the rules file, there''s probably no need to do anything in the above code. Thanks! -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
Tom Eastep
2004-Mar-18 07:23 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
Although I included the patches in 2.0.1 Beta 1, I didn''t announce them. After looking at the firewall patch more closely, I have backed it out of my tree for now. In the log_rule function, the logprefix variable is a hidden argument (you are passing "$loglimit" to log_rule_limit without extracting that argument from the log_rule argument list) yet you are passing "$logprefix" to log_limit near like 2664. I do not like the idea of $logprefix being a hidden argument to log_rule. I also see that you added support for logprefix in action.* files but didn''t update the template. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
xavier
2004-Mar-19 08:34 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
On Thu, Mar 18, 2004 at 07:23:40AM -0800, Tom Eastep wrote: |Although I included the patches in 2.0.1 Beta 1, I didn''t announce them. After |looking at the firewall patch more closely, I have backed it out of my tree |for now. | |In the log_rule function, the logprefix variable is a hidden argument (you are |passing "$loglimit" to log_rule_limit without extracting that argument from |the log_rule argument list) yet you are passing "$logprefix" to log_limit |near like 2664. I do not like the idea of $logprefix being a hidden argument |to log_rule. i''ll check that | |I also see that you added support for logprefix in action.* files but didn''t |update the template. i''ll update it. cheers, -- xavier
Tom Eastep
2004-Mar-19 09:26 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
On Friday 19 March 2004 08:34 am, xavier wrote:> On Thu, Mar 18, 2004 at 07:23:40AM -0800, Tom Eastep wrote: > |Although I included the patches in 2.0.1 Beta 1, I didn''t announce them. > | After looking at the firewall patch more closely, I have backed it out of > | my tree for now. > | > |In the log_rule function, the logprefix variable is a hidden argument (you > | are passing "$loglimit" to log_rule_limit without extracting that > | argument from the log_rule argument list) yet you are passing > | "$logprefix" to log_limit near like 2664. I do not like the idea of > | $logprefix being a hidden argument to log_rule. > > i''ll check that > > |I also see that you added support for logprefix in action.* files but > | didn''t update the template. > > i''ll update it. >Thanks. After I merge the patch, I think I''ll probably change the implementation to remove the extra column and add the logprefix to the first column as in: REJECT:info:www I know that I nixed that idea earlier but: a) I think that specific log prefixes will be rarely used b) logging today is specified in the first column so adding the prefix there seems natural. c) I''m getting some private complaints that the rules file is getting too wide. Again, if you provide me with a clean patch with your implementation, I''ll do the work to switch the columns. Thanks again, -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
xavier
2004-Mar-23 06:59 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
On Fri, Mar 19, 2004 at 09:26:35AM -0800, Tom Eastep wrote: |On Friday 19 March 2004 08:34 am, xavier wrote: |> On Thu, Mar 18, 2004 at 07:23:40AM -0800, Tom Eastep wrote: |> |Although I included the patches in 2.0.1 Beta 1, I didn''t announce them. |> | After looking at the firewall patch more closely, I have backed it out of |> | my tree for now. |> | |> |In the log_rule function, the logprefix variable is a hidden argument (you |> | are passing "$loglimit" to log_rule_limit without extracting that |> | argument from the log_rule argument list) yet you are passing |> | "$logprefix" to log_limit near like 2664. I do not like the idea of |> | $logprefix being a hidden argument to log_rule. |> |> i''ll check that |> |> |I also see that you added support for logprefix in action.* files but |> | didn''t update the template. |> |> i''ll update it. |> | |Thanks. | |After I merge the patch, I think I''ll probably change the implementation to |remove the extra column and add the logprefix to the first column as in: | | REJECT:info:www | |I know that I nixed that idea earlier but: | |a) I think that specific log prefixes will be rarely used |b) logging today is specified in the first column so adding the prefix there |seems natural. |c) I''m getting some private complaints that the rules file is getting too |wide. suits to me. looks good. | |Again, if you provide me with a clean patch with your implementation, I''ll do |the work to switch the columns. Ack. I''ll work on it. thanks -- xavier
xavier
2004-Mar-30 13:21 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
|I also see that you added support for logprefix in action.* files but didn''t |update the template. Here it is. may be the paragraph : +# An extrem solution could be LOGFORMAT="%0.0s%0.0s", +# which doesnt print any logprefix before the packet +# but let you have 29 chars for your logprefix. +# beware that, in this case, shorewall won''t be able +# to reparse his logs, since there is no identifaction +# string any more. could also go in the rule file, tell me what you think about it. -- xavier -------------- next part -------------- Index: action.template ==================================================================RCS file: /usr/local/cvs/Shorewall2/action.template,v retrieving revision 1.3 diff -u -r1.3 action.template --- action.template 21 Feb 2004 15:38:51 -0000 1.3 +++ action.template 30 Mar 2004 21:18:26 -0000 @@ -145,7 +145,33 @@ # !:kids #program must not be run by a member # #of the ''kids'' group # +# LOGPREFIX You may add a specific log prefix to rules which are +# already logged (see the ACTIONS paragraph) by adding +# a word in this column. Spaces are not allowed, but +# underscores are. +# +# Examples: +# +# pingw # print Shorewall:fw2lan:ACCEPT:pingw +# mailo # print Shorewall:fw2lan:ACCEPT:mailo +# ma_ou # print Shorewall:fw2lan:ACCEPT:ma_ou +# +# +# The default log format is LOGFORMAT="Shorewall:%s:%s:" +# You might want to reduce it to something shorter to +# allow you longer logprefixes. (in shorewall.conf : +# LOGFORMAT="Sw:%s:%s:" or something similar) +# (the total lenght permitted by iptables is 29 chars.) +# Shorewall:fw2lan:ACCEPT is already 23 chars. +# An extrem solution could be LOGFORMAT="%0.0s%0.0s", +# which doesnt print any logprefix before the packet +# but let you have 29 chars for your logprefix. +# beware that, in this case, shorewall won''t be able +# to reparse his logs, since there is no identifaction +# string any more. +# +# ###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT +#TARGET SOURCE DEST PROTO DEST SOURCE RATE LOG +# PORT PORT(S) LIMIT PREFIX #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
xavier
2004-Mar-30 13:45 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
|Although I included the patches in 2.0.1 Beta 1, I didn''t announce
them. After
|looking at the firewall patch more closely, I have backed it out of my tree
|for now.
|
|In the log_rule function, the logprefix variable is a hidden argument (you are
|passing "$loglimit" to log_rule_limit without extracting that
argument from
|the log_rule argument list) yet you are passing "$logprefix" to
log_limit
|near like 2664. I do not like the idea of $logprefix being a hidden argument
|to log_rule.
me neither.
--- firewall.logprefix~ 2004-03-16 14:38:44.000000000 -0500
+++ firewall.logprefix 2004-03-30 16:24:07.000000000 -0500
@@ -972,8 +972,8 @@
local level=$1
local chain=$2
local disposition=$3
-
- shift;shift;shift
+ local logprefix=$4
+ shift;shift;shift;shift
log_rule_limit $level $chain $disposition "$LOGLIMIT"
"$logprefix" $@
}
attached, the whole patch
--
xavier
-------------- next part --------------
--- firewall-2.0.0 2004-03-15 18:03:07.000000000 -0500
+++ firewall.logprefix 2004-03-30 16:24:07.000000000 -0500
@@ -906,21 +906,32 @@
local disposition=$3
local rulenum local limit="${4:-$LOGLIMIT}"
+ local dx="";
+ local logprefix="${5:-$dx}"
+ logprefix="$logprefix "
- shift;shift;shift;shift
+ shift;shift;shift;shift;shift
+
+
+
if [ -n "$LOGRULENUMBERS" ]; then
eval rulenum=\$${chain}_logrules
[ -z "$rulenum" ] && rulenum=1
-
+
+ logprefixtemp="$(printf "$LOGFORMAT" $chain $rulenum
$disposition)$logprefix"
+ if [ ${#logprefixtemp} -gt 29 ]; then
+ logprefixtemp="$(echo $logprefixtemp |cut -b -29)"
+ echo " Logprefix too LONG ! cutting it to 29 : $logprefixtemp"
+ fi
+
case $level in
ULOG)
- eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix
''"$(printf "$LOGFORMAT" $chain $rulenum
$disposition)"''
+ eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix
''"$logprefixtemp"''
;;
*)
- eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \
- --log-prefix ''"$(printf "$LOGFORMAT" $chain
$rulenum $disposition)"''
+ eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level
--log-prefix ''"$logprefixtemp"''
;;
esac
@@ -932,13 +943,21 @@
eval ${chain}_logrules=$rulenum
else
+
+ logprefixtemp="$(printf "$LOGFORMAT" $chain
$disposition)$logprefix"
+ if [ ${#logprefixtemp} -gt 29 ]; then
+ logprefixtemp="$(echo $logprefixtemp |cut -b -29)"
+ echo " Logprefix too LONG ! cutting it to 29 : $logprefixtemp"
+ fi
+
+
case $level in
ULOG)
- eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix
''"$(printf "$LOGFORMAT" $chain
$disposition)"''
+ eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix
''"$logprefixtemp"''
;;
*)
- eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \
- --log-prefix ''"$(printf "$LOGFORMAT" $chain
$disposition)"''
+
+ eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level
--log-prefix ''"$logprefixtemp"''
;;
esac
@@ -953,10 +972,10 @@
local level=$1
local chain=$2
local disposition=$3
+ local logprefix=$4
+ shift;shift;shift;shift
- shift;shift;shift
-
- log_rule_limit $level $chain $disposition "$LOGLIMIT" $@
+ log_rule_limit $level $chain $disposition "$LOGLIMIT"
"$logprefix" $@
}
#
@@ -2188,7 +2207,7 @@
for serv1 in $(separate_list $serv); do
for srv in $(ip_range $serv1); do
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $action $logtarget "$ratelimit"
$userandgroup \
+ log_rule_limit $loglevel $action $logtarget "$ratelimit"
"$logprefix" $userandgroup \
$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi
@@ -2198,7 +2217,7 @@
done
else
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $action $logtarget "$ratelimit"
$userandgroup \
+ log_rule_limit $loglevel $action $logtarget "$ratelimit"
"$logprefix" $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dports)
fi
@@ -2230,7 +2249,8 @@
local cports="$7"
local ratelimit="$8"
local userspec="$9"
- local rule="$(echo $target $clients $servers $protocol $ports $cports
$ratelimit)"
+ local logprefix="${10}"
+ local rule="$(echo $target $clients $servers $protocol $ports $cports
$ratelimit $logprefix)"
local userandgroup
if [ -n "$ratelimit" ]; then
@@ -2436,7 +2456,7 @@
if [ -f $fn ]; then
echo " Pre-processing $fn..."
strip_file $f $fn
- while read xtarget xclients xservers xprotocol xports xcports xratelimit
$xuserspec; do
+ while read xtarget xclients xservers xprotocol xports xcports xratelimit
$xuserspec xlogprefix; do
expandv xtarget
temp="${xtarget%:*}"
case "${temp%<*}" in
@@ -2446,7 +2466,7 @@
if list_search $temp $ACTIONS; then
eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\"
else
- rule="$(echo $xtarget $xclients $xservers $xprotocol $xports
$xcports $xratelimit $xuserspec)"
+ rule="$(echo $xtarget $xclients $xservers $xprotocol $xports
$xcports $xratelimit $xuserspec $xlogprefix)"
fatal_error "Invalid TARGET in rule \"$rule\""
fi
;;
@@ -2480,7 +2500,7 @@
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then
- process_action $xaction $xtarget $yclients $yservers $xprotocol $xports
$xcports $xratelimit $xuserspec
+ process_action $xaction $xtarget $yclients $yservers $xprotocol $xports
$xcports $xratelimit $xuserspec $xlogprefix
fi
fi
done
@@ -2488,7 +2508,7 @@
}
do_it() {
- expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
+ expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
xlogprefix
if [ "x$xclients" = xall ]; then
xclients="$zones $FW"
@@ -2505,7 +2525,7 @@
continue
fi
- process_action $xaction $xtarget $xclients $xservers $xprotocol $xports
$xcports $xratelimit $xuserspec
+ process_action $xaction $xtarget $xclients $xservers $xprotocol $xports
$xcports $xratelimit $xuserspec $xlogprefix
}
#
@@ -2538,7 +2558,7 @@
fn=$(find_file $f)
echo "Processing $fn..."
- while read xtarget xclients xservers xprotocol xports xcports xratelimit
$xuserspec; do
+ while read xtarget xclients xservers xprotocol xports xcports xratelimit
$xuserspec xlogprefix; do
do_it
done < $TMP_DIR/$f
;;
@@ -2644,14 +2664,14 @@
done
if [ -n "$loglevel" ]; then
- log_rule $loglevel $chain $logtarget -t nat
+ log_rule $loglevel $chain $logtarget "$logprefix" -t nat
fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for
port redirection
else
for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \
+ log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit"
"$logprefix" -t nat \
$(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
fi
@@ -2682,7 +2702,7 @@
done
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" -t nat
fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for
port redirection
@@ -2690,7 +2710,7 @@
for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then
ensurenatchain $chain
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" -t nat \
$(fix_bang $proto $cli $sports -d $adr $multiport $dports)
fi
@@ -2901,7 +2921,7 @@
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m
conntrack --ctorigdst $adr \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" -m conntrack --ctorigdst $adr \
$userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv
$dports)
fi
@@ -2910,7 +2930,7 @@
done
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit"
$userandgroup \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" $userandgroup \
$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi
@@ -2921,7 +2941,7 @@
done
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit"
$userandgroup \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dports)
fi
@@ -2940,7 +2960,7 @@
if [ $COMMAND != check ]; then
if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit"
$userandgroup \
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit"
"$logprefix" $userandgroup \
$(fix_bang $proto $multiport $dest_interface $cli $sports $dports)
fi
@@ -2974,8 +2994,9 @@
local address="$7"
local ratelimit="$8"
local userspec="$9"
+ local logprefix="${10}"
local userandgroup- local rule="$(echo $target $clients $servers
$protocol $ports $cports $address $ratelimit $userspec)"
+ local rule="$(echo $target $clients $servers $protocol $ports $cports
$address $ratelimit $userspec $logprefix)"
# Function Body - isolate rate limit
@@ -3266,7 +3287,7 @@
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then
- process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports
$xaddress $xratelimit $xuserspec
+ process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports
$xaddress $xratelimit $xuserspec $xlogprefix
fi
fi
done
@@ -3274,7 +3295,7 @@
}
do_it() {
- expandv xclients xservers xprotocol xports xcports xaddress xratelimit
xuserspec
+ expandv xclients xservers xprotocol xports xcports xaddress xratelimit
xuserspec xlogprefix
if [ "x$xclients" = xall ]; then
xclients="$zones $FW"
@@ -3291,10 +3312,10 @@
continue
fi
- process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports
$xaddress $xratelimit $xuserspec
+ process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports
$xaddress $xratelimit $xuserspec $xlogprefix
}
- while read xtarget xclients xservers xprotocol xports xcports xaddress
xratelimit xuserspec; do
+ while read xtarget xclients xservers xprotocol xports xcports xaddress
xratelimit xuserspec xlogprefix; do
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
@@ -3309,7 +3330,7 @@
do_it
else
- rule="$(echo $xtarget $xclients $xservers $xprotocol $xports
$xcports $xaddress $xratelimit $xuserspec)"
+ rule="$(echo $xtarget $xclients $xservers $xprotocol $xports
$xcports $xaddress $xratelimit $xuserspec $xlogprefix)"
fatal_error "Invalid Action in rule \"$rule\""
fi
;;
xavier
2004-Mar-30 13:47 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
|After I merge the patch, I think I''ll probably change the implementation to |remove the extra column and add the logprefix to the first column as in: | | REJECT:info:www | |I know that I nixed that idea earlier but: | |a) I think that specific log prefixes will be rarely used |b) logging today is specified in the first column so adding the prefix there |seems natural. |c) I''m getting some private complaints that the rules file is getting too |wide. | |Again, if you provide me with a clean patch with your implementation, I''ll do |the work to switch the columns. I think this is an excellent idea. bye -- xavier
Tom Eastep
2004-Apr-03 15:25 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
xavier wrote:> |I also see that you added support for logprefix in action.* files but didn''t > |update the template. > > Here it is. > > may be the paragraph : > > +# An extrem solution could be LOGFORMAT="%0.0s%0.0s", > +# which doesnt print any logprefix before the packet > +# but let you have 29 chars for your logprefix. > +# beware that, in this case, shorewall won''t be able > +# to reparse his logs, since there is no identifaction > +# string any more. > > could also go in the rule file, tell me what you think about it.I don''t like advocating breaking one Shorewall feature in order to use another. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
Tom Eastep
2004-Apr-03 15:30 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
xavier wrote:> |Although I included the patches in 2.0.1 Beta 1, I didn''t announce them. After > |looking at the firewall patch more closely, I have backed it out of my tree > |for now. > | > |In the log_rule function, the logprefix variable is a hidden argument (you are > |passing "$loglimit" to log_rule_limit without extracting that argument from > |the log_rule argument list) yet you are passing "$logprefix" to log_limit > |near like 2664. I do not like the idea of $logprefix being a hidden argument > |to log_rule. > > me neither. > > --- firewall.logprefix~ 2004-03-16 14:38:44.000000000 -0500 > +++ firewall.logprefix 2004-03-30 16:24:07.000000000 -0500 > @@ -972,8 +972,8 @@ > local level=$1 > local chain=$2 > local disposition=$3 > - > - shift;shift;shift > + local logprefix=$4 > + shift;shift;shift;shift > > log_rule_limit $level $chain $disposition "$LOGLIMIT" "$logprefix" $@ > } > > > attached, the whole patchSo now you have made log prefix the fourth argument to log_rule but you didn''t change any of the calls to that function! I think that log_rule should pass "" as the log prefix to log_rule_limit and I think you should change the one call to log_rule that needs the prefix passed to an equivalent call to log_rule_limit. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
xavier
2004-Apr-05 07:34 UTC
[Shorewall-devel] specific log-prefix ... cleaner patch for 2.0.0
On Sat, Apr 03, 2004 at 03:23:18PM -0800, Tom Eastep wrote: |xavier wrote: |> |>may be the paragraph : |> |>+# An extrem solution could be LOGFORMAT="%0.0s%0.0s", |>+# which doesnt print any logprefix before the packet |>+# but let you have 29 chars for your logprefix. |>+# beware that, in this case, shorewall won''t be able |>+# to reparse his logs, since there is no |>identifaction |>+# string any more. |> |>could also go in the rule file, tell me what you think about it. | |I don''t like advocating breaking one Shorewall feature in order to use |another. | ack. sounds reasonnable. -- xavier