Added support for nfacct objects. Version 0.0.13

Sat, 01 Feb 2014 20:06:04 +0100

author
Michiel Broek <mbroek@mbse.eu>
date
Sat, 01 Feb 2014 20:06:04 +0100
changeset 2
7c794ae9f4de
parent 1
96a14c72b423
child 3
6b45cf9df8cf

Added support for nfacct objects. Version 0.0.13

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/etc/nfacct.conf.example	Sat Feb 01 20:06:04 2014 +0100
@@ -0,0 +1,9 @@
+# /etc/mbse-firewall/conf.d/nfacct.conf
+#
+# List with netfilter accounting objects.
+#
+# This file is loaded with the following commands: install or start.
+# Comments begin with a # and can be placed behind entries too.
+#
+ipv4.in			# ipv4 input traffic
+ipv4.http		# ipv4 webserver traffic
--- a/sbin/mbse-firewall	Thu Jan 30 15:20:46 2014 +0100
+++ b/sbin/mbse-firewall	Sat Feb 01 20:06:04 2014 +0100
@@ -22,7 +22,7 @@
 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
 # ---------------------------------------------------------------------------
 
-MBSEFW_VERSION="0.0.12"
+MBSEFW_VERSION="0.0.13"
 
 # Sanity checks
 if [ "$(id -u)" != "0" ]; then
@@ -53,6 +53,7 @@
 GREP=$(which grep 2>/dev/null)
 IPSET=$(which ipset 2>/dev/null)
 SYSCTL=$(which sysctl 2>/dev/null)
+NFACCT=$(which nfacct 2>/dev/null)
 
 if [ "$USE_IPV6" = "1" ]; then
   IP6TABLES=$(which ip6tables 2>/dev/null)
@@ -185,6 +186,21 @@
 
 
 
+fw_init_nfacct() {
+  NFACCTCONF="/etc/mbse-firewall/conf.d/nfacct.conf"
+  if [ -f $NFACCTCONF ]; then
+    echo "Init netfilter accounting" | $LOGGER
+    $GREP -Ev '^#|^;|^\s*$' $NFACCTCONF | while read L ; do
+      set $L
+      if [ -z "$($NFACCT list | $GREP $1)" ]; then
+        $NFACCT add $1
+      fi
+    done
+  fi
+}
+
+
+
 fw_init_sysctl() {
   # If we have bridges and don't want iptables to work between
   # the physical interfaces, turn it off.
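Review bot: The existence check `$GREP $1` in fw_init_nfacct is an unanchored, unquoted regular-expression match over the whole `nfacct list` output, so an entry `ipv4.in` is considered present when only `ipv4.input` exists (and `.` matches any character), and the object is never added; an exact-name lookup via `nfacct get` avoids depending on the list output format. `NFACCT` is assigned from `which` in the hunk at L47 without any check, so on a host without nfacct the loop runs an empty command; the function should test `[ -n "$NFACCT" ]` before using it. `$NFACCTCONF` and `$1` are unquoted, `read` lacks `-r`, and `set $L` should be `set -- $L` so an entry starting with `-` is not parsed as an option. fw_init_sysctl begins at the end of this hunk and continues outside it.
```shell
fw_init_nfacct() {
  NFACCTCONF="/etc/mbse-firewall/conf.d/nfacct.conf"
  # Skip silently when nfacct is not installed or there is no config file.
  if [ -n "$NFACCT" ] && [ -f "$NFACCTCONF" ]; then
    echo "Init netfilter accounting" | $LOGGER
    $GREP -Ev '^#|^;|^\s*$' "$NFACCTCONF" | while read -r L ; do
      set -- $L
      # 'nfacct get' looks the object up by exact name; 'list | grep' was an
      # unanchored regex match and could be fooled by a longer name.
      if ! $NFACCT get "$1" >/dev/null 2>&1; then
        $NFACCT add "$1"
      fi
    done
  fi
}
```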
@@ -249,6 +265,9 @@
     echo -n "."
   fi
 
+  fw_init_nfacct
+  echo -n "."
+
   # accept established and related connections
   $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT 
   $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT 
@@ -665,6 +684,7 @@
     # Do a full restore of all saved data
     echo -n "Starting $(basename $0) $MBSEFW_VERSION: "
     echo "Start new firewall" | $LOGGER
+    fw_init_nfacct
     reset_iptables DROP
     echo -n "."
     fw_init_sysctl
