On 1/6/13 10:55 AM, Tom Eastep wrote:
> On 01/06/2013 07:10 AM, Mr Dash Four wrote:
>>
>> 7. Allow @{XXXX} shorewall variables to be modified in custom actions -
>> why having control of the @{logtag} (and other such shorewall variables)
>> is important:
>>
>> policy
>> ~~~~~~
>> $FW net DROP:IELOG(-,1,2)
>>
>> produces:
>>
>> -A fw2net -j NFLOG --nflog-group 1 --nflog-range 0 --nflog-threshold 1
>> --nflog-prefix "Shorewall:fw2net:LOG:" -m comment --comment "IELOG"
>> -A fw2net -j NFLOG --nflog-group 2 --nflog-range 0 --nflog-threshold 1
>> --nflog-prefix "Shorewall:fw2net:LOG:" -m comment --comment "IELOG"
>> -A fw2net -j DROP
>>
>> Since I cannot change the --nflog-prefix (which I presume is supplied to
>> my IELOG custom action via @{logtag}), shorewall, in its infinite
>> wisdom, determines that the tag should be "Shorewall:fw2net:LOG:", which
>> is clearly wrong, given that the operation in question is DROP.
>>
>> If I had access to this variable *and* was able to change it, I would
>> have corrected this in the action itself (provided I could also pass
>> @{logtag} to the NFLOG action - something I still doubt), not to mention
>> that I would have done a lot of other nice things with this action too
>> if I knew how the tests in ?IF operate.
>
> What you are asking for is a way to set the 'disposition' field in the
> log prefix. I'll work on that.

If you:

1) Apply the attached patch
2) Set LOGTAGONLY=Yes in shorewall.conf
3) Change action.IELOG as follows:

?FORMAT 2
?IF $1 && ($1 eq 'log')
LOG:info(uid,tcp_options,ip_options,macdecode,tcp_sequence):,$5
?ENDIF
?IF $2
NFLOG($2,0,1):,$5
?ENDIF
?IF $3
NFLOG($3,0,1):,$5
?ENDIF
?IF $4
AUDIT($4)
?ENDIF
?IF $5
$5
?ENDIF

then this output is produced:

-A loc2fw -j LOG --log-uid --log-tcp-options --log-ip-options
--log-macdecode --log-tcp-sequence --log-level 6 --log-prefix
"Shorewall:loc2fw:DROP:"
-A loc2fw -j NFLOG --nflog-group 1 --nflog-range 0 --nflog-threshold 1
--nflog-prefix "Shorewall:loc2fw:DROP:"
-A loc2fw -j NFLOG --nflog-group 2 --nflog-range 0 --nflog-threshold 1
--nflog-prefix "Shorewall:loc2fw:DROP:"

When LOGTAGONLY=Yes and this patch is applied, then log tags are
interpreted as <chain>,<disposition>. So by specifying a log tag of
",$5", the disposition in the --log-prefix is set to $5. If either
<chain> or <disposition> (or both) is omitted, then the contents of
those fields are as they are currently.

Another way to code the action would be:

?FORMAT 2
?IF $5
?SET tag ",$5"
?ELSE
?SET tag '';
?ENDIF
?IF $1 && ($1 eq 'log')
LOG:info(uid,tcp_options,ip_options,macdecode,tcp_sequence):$tag
?ENDIF
?IF $2
NFLOG($2,0,1):$tag
?ENDIF
?IF $3
NFLOG($3,0,1):$tag
?ENDIF
?IF $4
AUDIT($4)
?ENDIF
?IF $5
$5
?ENDIF

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm
b/Shorewall/Perl/Shorewall/Chains.pm
index bd0891a..9213901 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -5393,8 +5393,15 @@ sub log_rule_limit( $$$$$$$$ ) {
}
} else {
if ( $tag ) {
- if ( $config{LOGTAGONLY} ) {
- $chain = $tag;
+ if ( $config{LOGTAGONLY} && $tag ne ',' ) {
+ if ( $tag =~ /^,/ ) {
+ ( $disposition = $tag ) =~ s/,//;
+ } elsif ( $tag =~ /,/ ) {
+ ( $chain, $disposition ) = split ',', $tag;
+ } else {
+ $chain = $tag;
+ }
+
$tag = '';
} else {
$tag .= ' ';
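Review bot: in the `elsif ( $tag =~ /,/ )` branch, a tag with a trailing comma (for example `mychain,`) does not leave the disposition alone. Perl's `split ',', $tag` drops trailing empty fields, so the list assignment sets `$disposition` to undef instead of keeping its current value, which is what the description in the message promises for an omitted field. Splitting into temporaries with a limit (`split ',', $tag, 2`) and assigning each one only when it is non-empty would cover that case. It would also settle what a tag with more than one comma means: at the moment the leading-comma branch keeps the remainder (`s/,//` removes only the first comma) while this branch silently discards a third field. The new `<chain>,<disposition>` reading of LOGTAGONLY should also be described in the shorewall.conf documentation, since the patch changes only Chains.pm.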
signature.asc
Description: OpenPGP digital signature
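
Added example, not part of the original message and not Shorewall's code: a small Python model of the `<chain>,<disposition>` tag interpretation described in the reply above, following the stated rule that an omitted field keeps its current value, and of what a log consumer then sees. The function names and sample log lines are constructed for illustration; the prefix layout "Shorewall:%s:%s:" is taken from the rules quoted in the message.

```python
import re
from collections import Counter

LOGFORMAT = "Shorewall:%s:%s:"  # layout seen in the generated rules above

def resolve_tag(tag, chain, disposition):
    """Model of LOGTAGONLY=Yes as described in the message: the tag is
    read as <chain>,<disposition>; an omitted field keeps the value the
    rule already had. A tag without a comma replaces only the chain."""
    if not tag:
        return chain, disposition
    new_chain, _, new_disp = tag.partition(",")
    return new_chain or chain, new_disp or disposition

def log_prefix(tag, chain, disposition):
    """Prefix that would end up in --log-prefix / --nflog-prefix."""
    return LOGFORMAT % resolve_tag(tag, chain, disposition)

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):")

def count_by_disposition(lines):
    """What a log consumer does: tally entries per (chain, disposition)."""
    tally = Counter()
    for line in lines:
        m = PREFIX_RE.search(line)
        if m:
            tally[(m["chain"], m["disp"])] += 1
    return tally

def sample_lines(tag):
    """Constructed kernel-log lines for a logging rule in chain fw2net
    whose own disposition is LOG (the case from the first message)."""
    prefix = log_prefix(tag, "fw2net", "LOG")
    return [
        f"Jan  6 11:02:0{i} gw kernel: {prefix}IN= OUT=eth0 "
        f"SRC=192.0.2.10 DST=198.51.100.{i} PROTO=TCP DPT=25"
        for i in range(3)
    ]

if __name__ == "__main__":
    for tag in ("", ",DROP", "mail,DROP", "mail", ","):
        print(repr(tag), "->", log_prefix(tag, "fw2net", "LOG"))
    # Without a tag the dropped packets are filed under LOG; with ",DROP"
    # the same packets are attributed to the DROP disposition.
    print(count_by_disposition(sample_lines("")))
    print(count_by_disposition(sample_lines(",DROP")))
```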
