M. Vefa Bicakci
2009-Aug-25 15:47 UTC
[PATCH] A default log level of ULOG is ignored by the shorewall-perl compiler (but not by shorewall-shell)
Hello,

I tried Shorewall for the first time today. I am currently using an up-to-date installation of Debian Sid, which has shorewall 4.2.10, shorewall-shell 4.2.10 and shorewall-perl 4.2.10.1.

I noticed that even though I had the following /etc/shorewall/policy file, iptables would still show LOG rules at the end of the INPUT and OUTPUT chains instead of ULOG rules. (Other logging related rules have ULOG as expected.)

=== 8< ==
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT -
net $FW DROP ULOG
all all DROP ULOG
=== >8 ==

For the record, I have every log-level related option in /etc/shorewall/shorewall.conf set to ULOG.

A further investigation showed that this problem only occurred with the Perl compiler and not with the shell compiler. After looking at the Perl scripts in /usr/share/shorewall-perl/Shorewall and looking at the shell compiler's scripts, I found out the following:

- When the shell compiler's complete_standard_chain function finds a source/destination zone combination not defined by the policy file, it falls back to the "all2all" policy.

- When the Perl compiler's complete_standard_chain (in Policy.pm file) finds an undefined source/destination zone combination, it falls back to the arguments to that function, and _its fallback logging level is 6_, which causes regular LOG rules to be used for INPUT and OUTPUT chains.

After playing with the Policy.pm script, I found that the following modification makes the Perl compiler act like the shell compiler:

=== 8< ==
--- Policy.orig.pm 2009-06-18 00:00:00.000000000 +0000 +++ Policy.pm 2009-08-25 00:00:00.000000000 +0000
@@ -453,6 +453,10 @@ my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . ''_DEFAULT''} ); my $policychainref; + if (!$ruleschainref) { + $ruleschainref = $filter_table->{"all2all"}; + } + $policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref; ( $policy, $loglevel, $defaultaction ) = @{$policychainref}{''policy'', ''loglevel'', ''default'' } if $policychainref;
=== >8 ==

Actually, in my first attempt to solve this problem, I introduced a new configuration variable named LOGGING_DEFAULT and used that instead of the "6" in the relevant line, but later I thought that it was probably a bad idea to introduce a new configuration variable.

I am attaching three "iptables -L -v -n" outputs. The one named "perl_unmodified.txt" is produced by shorewall's unmodified Perl compiler and it is the one which has unwanted LOG rules instead of ULOG rules in the INPUT and OUTPUT chains. The one named "shell.txt" is produced by shorewall's unmodified shell compiler. Finally, the one named "perl_modified.txt" is produced by shorewall's Perl compiler with the patch above applied.

As I said, I have just started to use Shorewall, so my patch might not make sense - in which case I would really appreciate a way of making the ULOG method the default logging method in the INPUT and OUTPUT chains if the user specifies it in the "all2all" line in the policy file.

Regards,

M. Vefa Bicakci

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
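Review bot: the literal fallback level `6` in `my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );` is still reachable after this hunk, because when `$filter_table->{"all2all"}` does not exist `$ruleschainref` stays undefined, the following `if $ruleschainref` guard skips the lookup, and the zone pair is compiled with a plain LOG rule exactly as before; if the intent is that the fallback should honour the configured ULOG target, derive that value from configuration rather than the literal (the submitter's earlier LOGGING_DEFAULT attempt went in that direction), and keep the guard, which this hunk does correctly. Also worth stating in the commit message: the substitution adopts the whole all2all entry (`'policy', 'loglevel', 'default'`), not only its log level, so an undefined zone pair now inherits the all2all POLICY action as well; that is what makes it behave like the shell compiler, but it is a wider behaviour change than the subject line suggests. Minor: the trailing bare `+` line adds an empty line with no purpose.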
Tom Eastep
2009-Aug-25 16:10 UTC
Re: [PATCH] A default log level of ULOG is ignored by the shorewall-perl compiler (but not by shorewall-shell)
M. Vefa Bicakci wrote:
> Hello,
>
> I tried Shorewall for the first time today. I am currently using an up-to-date
> installation of Debian Sid, which has shorewall 4.2.10, shorewall-shell 4.2.10
> and shorewall-perl 4.2.10.1.
>
> I noticed that even though I had the following /etc/shorewall/policy file,
> iptables would still show LOG rules at the end of the INPUT and OUTPUT chains
> instead of ULOG rules. (Other logging related rules have ULOG as expected.)
>
> === 8< ==
> #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
> $FW net ACCEPT -
> net $FW DROP ULOG
> all all DROP ULOG
> === >8 ==

Thanks for the patch.

There is a fairly simple workaround for this issue. In /etc/shorewall/policy, add:

all $FW DROP ULOG #Rule for INPUT chain
$FW all REJECT ULOG #Rule for OUTPUT chain

I'll include a form of your patch in the next 4.4 release. Don't know if we will do another 4.2 full release but I'll also include this change in the next patch release when we release it.

Thanks again,
-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
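Whether the policy-file workaround above or the Policy.pm patch is used, the thing to confirm afterwards is that the compiled ruleset really ends each chain with the intended logging target. The following POSIX shell check is an added example, not code from this thread or from Shorewall: it reads "iptables -L -v -n" output and reports, per chain, which target (LOG or ULOG) the last logging rule uses. The ruleset embedded in it is constructed for the demonstration and is not one of the attached files; the chain names and "Shorewall:CHAIN:DROP:" prefixes only imitate Shorewall's layout.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): report the logging
# target used by the last LOG/ULOG rule of every chain in `iptables -L -v -n`
# output, so a ULOG-only policy can be verified on the running ruleset.

# Constructed sample of `iptables -L -v -n` output, not an attachment from the
# original message. INPUT and OUTPUT still end with LOG rules (the reported
# symptom) while the net2fw zone chain logs with ULOG; FORWARD logs nothing.
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:INPUT:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:OUTPUT:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 prefix "Shorewall:net2fw:DROP:" queue_threshold 1
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# last_log_targets: read `iptables -L -v -n` output on stdin and print one
# "CHAIN TARGET" line per chain that contains a logging rule, TARGET being the
# target of the last LOG or ULOG rule seen in that chain. With -v the target is
# the third column (after pkts and bytes); without -v it would be the first.
# Chains with no logging rule are not printed. Output is sorted for stability.
last_log_targets() {
    awk '
        /^Chain / { chain = $2; next }
        $3 == "LOG" || $3 == "ULOG" { last[chain] = $3 }
        END { for (c in last) print c, last[c] }
    ' | LC_ALL=C sort
}

# check_log_target EXPECTED: read the same output on stdin and succeed only if
# every chain that logs does so with EXPECTED (ULOG for this thread); otherwise
# print the chains that still use a different target and return 1.
check_log_target() {
    expected=$1
    offenders=$(last_log_targets | awk -v want="$expected" '$2 != want { print $1 " uses " $2 }')
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample when run as `sh check.sh --demo`;
# on a real box the equivalent is:  iptables -L -v -n | check_log_target ULOG
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | check_log_target ULOG
fi
```

On the sample the check fails and lists "INPUT uses LOG" and "OUTPUT uses LOG", which is the symptom from the first message; once the INPUT and OUTPUT policies carry ULOG the same pipeline returns 0 and prints nothing. The check keys on the target column only, so it is indifferent to the log prefix text and to whether the rule was produced by the shell or the Perl compiler.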