# HG changeset patch
# User Michiel Broek
# Date 1391281564 -3600
# Node ID 7c794ae9f4de1dcd2f69b6573b9dc53e9ce97088
# Parent 96a14c72b4232bc1931c4026f691097da115a355
Added support for nfacct objects. Version 0.0.13
diff -r 96a14c72b423 -r 7c794ae9f4de etc/nfacct.conf.example
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/etc/nfacct.conf.example Sat Feb 01 20:06:04 2014 +0100
@@ -0,0 +1,9 @@
+# /etc/mbse-firewall/conf.d/nfacct.conf
+#
+# List with netfilter accounting objects.
+#
+# This file is loaded with the following commands: install or start.
+# Comments begin with a # and can be placed behind entries too.
+#
+ipv4.in # ipv4 input traffic
+ipv4.http # ipv4 webserver traffic
diff -r 96a14c72b423 -r 7c794ae9f4de sbin/mbse-firewall
--- a/sbin/mbse-firewall Thu Jan 30 15:20:46 2014 +0100
+++ b/sbin/mbse-firewall Sat Feb 01 20:06:04 2014 +0100
@@ -22,7 +22,7 @@
 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
 # ---------------------------------------------------------------------------
-MBSEFW_VERSION="0.0.12"
+MBSEFW_VERSION="0.0.13"
 # Sanity checks
 if [ "$(id -u)" != "0" ]; then
@@ -53,6 +53,7 @@
 GREP=$(which grep 2>/dev/null)
 IPSET=$(which ipset 2>/dev/null)
 SYSCTL=$(which sysctl 2>/dev/null)
+NFACCT=$(which nfacct 2>/dev/null)
 if [ "$USE_IPV6" = "1" ]; then
 IP6TABLES=$(which ip6tables 2>/dev/null)
@@ -185,6 +186,21 @@
+fw_init_nfacct() {
+ NFACCTCONF="/etc/mbse-firewall/conf.d/nfacct.conf"
+ if [ -f $NFACCTCONF ]; then
+ echo "Init netfilter accounting" | $LOGGER
+ $GREP -Ev '^#|^;|^\s*$' $NFACCTCONF | while read L ; do
+ set $L
+ if [ -z "$($NFACCT list | $GREP $1)" ]; then
+ $NFACCT add $1
+ fi
+ done
+ fi
+}
+
+
+
 fw_init_sysctl() {
 # If we have bridges and don't want iptables to work between
 # the physical interfaces, turn it off.
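Review bot: In the fw_init_nfacct hunk the existence check `$GREP $1` over the output of `$NFACCT list` is an unanchored, unquoted regex, so an entry such as `ipv4.in` is treated as already present whenever any object whose name merely contains that pattern exists (e.g. `ipv4.input`, and `.` matches any character), and the object is then silently never created, leaving later rules that reference it to fail at load time. An exact lookup avoids the false positive: `if ! $NFACCT get "$1" >/dev/null 2>&1; then`. `set $L` should be `set -- $L` so a config entry beginning with `-` is not parsed as shell options. `NFACCT` is assigned in the -53 hunk via `which` but never checked; when the tool is absent the variable is empty and the loop runs `add ipv4.in` as a bare command after logging "Init netfilter accounting", so the function should begin with `[ -n "$NFACCT" ] || return 0`, since the callers added in the -249 and -665 hunks invoke it unconditionally.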
@@ -249,6 +265,9 @@
 echo -n "."
 fi
+ fw_init_nfacct
+ echo -n "."
+
 # accept established and related connections
 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
@@ -665,6 +684,7 @@
 # Do a full restore of all saved data
 echo -n "Starting $(basename $0) $MBSEFW_VERSION: "
 echo "Start new firewall" | $LOGGER
+ fw_init_nfacct
 reset_iptables DROP
 echo -n "."
 fw_init_sysctl