[Shorewall-newbies] specific log-prefix ... patch

xavier list.shorewall-newbies at natch.dyndns.org
Tue Feb 10 15:14:26 PST 2004


here is a patch to allow this:

|ACCEPT<10/sec:20>:debug fw      lan:$ntp_servers      udp 123 - - - - ntp

a problem with the patch is that now the logprefix is mandatory.
i'm trying to debug it, but i can't find the flaw.

thanks for such a good software, Tom !

bye

-- 
xavier
-------------- next part --------------
Index: firewall
===================================================================
RCS file: /home/xavier/cvsx/xavier/work/box/natch/usr/share/shorewall/firewall,v
retrieving revision 1.1
retrieving revision 1.3
diff -u -r1.1 -r1.3
--- firewall	10 Feb 2004 22:03:41 -0000	1.1
+++ firewall	10 Feb 2004 23:11:24 -0000	1.3
@@ -990,15 +990,17 @@
 #
 # Add a logging rule.
 #
-log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limit $... = predicates for the rule
+log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limit $5=logprefix $... = predicates for the rule
 {
     local level=$1
     local chain=$2
     local disposition=$3
     local rulenum=
     local limit="${4:-$LOGLIMIT}"
+    local dx="dx";
+    local logprefix="${5:-$dx}"
 
-    shift;shift;shift;shift
+    shift;shift;shift;shift;shift;
 
     if [ -n "$LOGRULENUMBERS" ]; then
 	eval rulenum=\$${chain}_logrules
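Review bot: The unconditional fifth `shift` is what makes the prefix mandatory: every call site in this patch passes `$logprefix` unquoted, so an empty prefix vanishes from the argument list, the first predicate (for example `-t`) is taken as `$5` and then shifted away, which matches the symptom described in the mail. Keeping the new parameter optional needs the callers to pass it quoted (`"$logprefix"`) so the empty word keeps its position, and the default should be empty rather than the placeholder `dx`, which would otherwise be written into every log line: `local logprefix="$5"`. The body of log_rule_limit continues past the end of the hunk.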
@@ -1007,10 +1009,10 @@
 
 	case $level in
 	    ULOG)
-		eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
+		eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition` $logprefix"' 
 		;;
 	    *)
-		eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
+		eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition` $logprefix"' 
 		;;
 	esac
 	
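Review bot: Appending `` $logprefix`` inside the quoted prefix leaves a trailing space in the prefix whenever the value is empty, and lengthens every prefix by the admin-supplied text; iptables rejects a `--log-prefix` longer than 29 characters (32 for `--ulog-prefix`), so a long `LOGFORMAT` output plus the new suffix makes the whole rule fail to load. Use `${logprefix:+ $logprefix}` in both the ULOG and LOG lines so the space is only emitted with a value, and consider documenting the length limit next to the function header. The enclosing `if` branch starts before this hunk and ends after it.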
@@ -1024,10 +1026,10 @@
     else
 	case $level in
 	    ULOG)
-		eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
+		eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $disposition`"' $logprefix
 		;;
 	    *)
-		eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
+		eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"' $logprefix
 		;;
 	esac
 	
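Review bot: In this branch `$logprefix` is placed after the closing quote of the prefix, so at `eval` time it is word-split and handed to iptables as a separate argument instead of becoming part of `--ulog-prefix`/`--log-prefix`; iptables will reject the rule or misparse the word, and the behaviour differs from the rule-numbered branch above, where the value is appended inside the prefix string. Move it inside the quotes in the same form as the other branch, e.g. `` --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`${logprefix:+ $logprefix}"' ``. The enclosing `else` branch continues past the hunk.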
@@ -1045,7 +1047,7 @@
 
     shift;shift;shift
 
-    log_rule_limit $level $chain $disposition "$LOGLIMIT" $@
+    log_rule_limit $level $chain $disposition "$LOGLIMIT" $logprefix $@
 }
 
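Review bot: `$logprefix` in log_rule is not declared anywhere visible in the hunk (the function's opening lines are outside it); if it is not a parameter of log_rule it expands to nothing here and the first predicate is consumed as the prefix by log_rule_limit's fifth shift. Either give log_rule its own prefix argument or hold the position explicitly: `log_rule_limit $level $chain $disposition "$LOGLIMIT" "" $@`.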
 #
@@ -2295,7 +2297,7 @@
 	    for serv1 in `separate_list $serv`; do
 		for srv in `ip_range $serv1`; do
 		    if [ -n "$loglevel" ]; then
-			log_rule_limit $loglevel $action $logtarget "$ratelimit" \
+			log_rule_limit $loglevel $action $logtarget "$ratelimit"  $logprefix\
 			    `fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
 		    fi
 		    
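Review bot: `$logprefix` is passed unquoted here and at the other call sites (L98, L116, L125, L134, L143, L152, L161, L170), so an empty prefix drops out of the argument list and the first predicate is mis-assigned to `$5` in log_rule_limit; pass it as `"$logprefix"` at every call so the empty word keeps its place. On this line and at L161 the backslash directly follows the variable (`$logprefix\`); it still works as a continuation, but a space before the backslash, as on the other lines, avoids a reader mistaking it for an escape. The enclosing loops start before the hunk.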
@@ -2305,7 +2307,7 @@
 	    done
 	else
 	    if [ -n "$loglevel" ]; then
-		log_rule_limit $loglevel $action $logtarget "$ratelimit" \
+		log_rule_limit $loglevel $action $logtarget "$ratelimit" $logprefix \
 		    `fix_bang $proto $sports $multiport $state $cli $dports`
 	    fi
 		    
@@ -2483,7 +2485,7 @@
 	if [ -f $fn ]; then
 	    echo "Processing $fn..."
 	    strip_file $f $fn
-	    while read xtarget xclients xservers xprotocol xports xcports xratelimit ; do
+	    while read xtarget xclients xservers xprotocol xports xcports xratelimit xlogprefix ; do
 		expandv xtarget
 		temp="${xtarget%:*}"
 		case "${temp%<*}" in
@@ -2613,7 +2615,7 @@
 	    else
 		for adr in `separate_list $addr`; do
 		    if [ -n "$loglevel" ]; then
-			log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \
+			log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" $logprefix -t nat \
 			    `fix_bang $proto $cli $sports -d $adr $multiport $dports`
 		    fi
 
@@ -2644,7 +2646,7 @@
 		done
 
 		if [ -n "$loglevel" ]; then
-		    log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat
+		    log_rule_limit $loglevel $chain $logtarget "$ratelimit" $logprefix -t nat
 		fi
 
 		addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
@@ -2652,7 +2654,7 @@
 		for adr in `separate_list $addr`; do
 		    if [ -n "$loglevel" ]; then
 			ensurenatchain $chain
-			log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \
+			log_rule_limit $loglevel $chain $logtarget "$ratelimit" $logprefix -t nat \
 			    `fix_bang $proto $cli $sports -d $adr $multiport $dports`
 		    fi
 		    
@@ -2866,7 +2868,7 @@
 			    if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
 				for adr in `separate_list $addr`; do
 				    if [ -n "$loglevel" -a -z "$natrule" ]; then
-					log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \
+					log_rule_limit $loglevel $chain $logtarget "$ratelimit" $logprefix -m conntrack --ctorigdst $adr \
 					    $userandgroup `fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
 				    fi
 
@@ -2875,7 +2877,7 @@
 				done
 			    else
 				if [ -n "$loglevel" -a -z "$natrule" ]; then
-				    log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
+				    log_rule_limit $loglevel $chain $logtarget "$ratelimit" $logprefix $userandgroup \
 					`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
 				fi
 
@@ -2886,7 +2888,7 @@
 		    done
 		else
 		    if [ -n "$loglevel" -a -z "$natrule" ]; then
-		        log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
+		        log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup $logprefix\
 			    `fix_bang $proto $sports $multiport $state $cli $dports`
 		    fi
 
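Review bot: Here and at L170 the new argument is placed after `$userandgroup`, whereas the other call sites put it before; since log_rule_limit takes the prefix as `$5`, a non-empty `$userandgroup` (such as `-m owner ...`) lands in the prefix slot and the real prefix becomes a predicate. Put the prefix first to match the function's signature: `log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" $userandgroup \`. The enclosing `if` starts before the hunk.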
@@ -2905,7 +2907,7 @@
 
 	if [ $command != check ]; then
 	    if [ -n "$loglevel" ]; then
-		log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
+		log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup $logprefix \
 		    `fix_bang $proto $multiport $dest_interface $state $cli $sports $dports`
 	    fi
 
@@ -2929,6 +2931,7 @@
                # $7 = address
                # $8 = ratelimit
                # $9 = userset
+               # $10 = logprefix
 {
     local target="$1"
     local clients="$2"
@@ -2940,7 +2943,8 @@
     local ratelimit="$8"
     local userset="$9"
     local userandgroup=
-    local rule="`echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userset`"
+    local logprefix="${10}"
+    local rule="`echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userset $logprefix`"
 
     # Function Body - isolate rate limit
 
@@ -3297,7 +3301,7 @@
 		if [ "${ysourcezone}" != "${ydestzone}" ] ; then
 		    eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
 		    if [ "$ypolicy" != NONE ] ; then
-			process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
+			process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset $xlogprefix
 		    fi
 		fi
 	    done
@@ -3305,7 +3309,7 @@
     }
 
     do_it() {
-	expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
+	expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset xlogprefix
 
 	if [ "x$xclients" = xall ]; then
 	    xclients="$zones $FW"
@@ -3322,7 +3326,7 @@
 	    continue
 	fi
 	
-	process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
+	process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset $xlogprefix
     }
 
     while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do
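Review bot: The main rules loop on the last context line still reads only nine fields, so `xlogprefix` is never assigned here even though `do_it` now expands it and hands it to process_rule; with a tenth column present, `read` folds it into `xuserset` (the example in the mail would give `xuserset="- ntp"`). Add the field to the read: `while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset xlogprefix; do`. The loop body lies outside the hunk.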

