
Commit 9d70c179 authored by Mike Hibler's avatar Mike Hibler

Add another firewall setup logging option, "tcpdump", which will start up a tcpdump on both the inside and outside interfaces on the firewall at boot time. Another useful form of debugging.

Note: as with the "accept" and "deny" styles of logging, "tcpdump" cannot
be set through any interface other than setting it in the virt_firewalls
DB table directly.
parent 572da456
......@@ -1121,6 +1121,8 @@ sub getfwconfig($$;$)
$fwinfo->{"LOGACCEPT"} = 1;
} elsif ($log =~ /^deny|reject$/) {
$fwinfo->{"LOGREJECT"} = 1;
} elsif ($log eq "tcpdump") {
$fwinfo->{"LOGTCPDUMP"} = 1;
}
}
} else {
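Review bot: An unrecognized value of `$log` still falls through silently after the new `tcpdump` branch, which matters here because the commit message says this style can only be set by editing the virt_firewalls table by hand, so a typo leaves the operator believing a capture is running when nothing was configured; adding `} else { warn "getfwconfig: unknown firewall log style '$log'\n"; }` after the new branch would surface that at configuration time. The exact `eq "tcpdump"` comparison is the right choice for the new branch; the neighbouring `/^deny|reject$/` (context, untouched here) parses as `(^deny)|(reject$)` and so also matches values such as "denyall", which a later cleanup could anchor as `/^(?:deny|reject)$/`. The enclosing `if` block and getfwconfig itself begin outside the hunk.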
......@@ -525,6 +525,7 @@ sub os_fwconfig_line($@)
# XXX debugging
my $logaccept = defined($fwinfo->{LOGACCEPT}) ? $fwinfo->{LOGACCEPT} : 0;
my $logreject = defined($fwinfo->{LOGREJECT}) ? $fwinfo->{LOGREJECT} : 0;
my $dotcpdump = defined($fwinfo->{LOGTCPDUMP}) ? $fwinfo->{LOGTCPDUMP} : 0;
#
# Convert MAC info to a useable form and filter out the firewall itself
......@@ -581,9 +582,9 @@ sub os_fwconfig_line($@)
# routing tables). This *shouldn't* confuse anything on the firewall.
#
if (defined($fwinfo->{MACS})) {
my $myip = `cat /var/emulab/boot/myip`;
my $myip = `cat $BOOTDIR/myip`;
chomp($myip);
my $mymask = `cat /var/emulab/boot/mynetmask`;
my $mymask = `cat $BOOTDIR/mynetmask`;
chomp($mymask);
$upline .=
......@@ -617,6 +618,14 @@ sub os_fwconfig_line($@)
$upline .= " exit 1\n";
$upline .= " }\n";
}
if ($dotcpdump) {
$upline .= " tcpdump -i $vlandev ".
"-w $LOGDIR/in.tcpdump >/dev/null 2>&1 &\n";
$upline .= " tcpdump -i $pdev ".
"-w $LOGDIR/out.tcpdump not vlan >/dev/null 2>&1 &\n";
}
if ($logaccept || $logreject) {
$upline .= " sysctl net.inet.ip.fw.verbose=1\n";
}
......@@ -639,6 +648,9 @@ sub os_fwconfig_line($@)
$downline .= " exit 1\n";
$downline .= " }\n";
$downline .= " sysctl net.inet.ip.fw.enable=0\n";
if ($dotcpdump) {
$downline .= " killall tcpdump >/dev/null 2>&1\n";
}
if ($logaccept || $logreject) {
$downline .= " sysctl net.inet.ip.fw.verbose=0\n";
}
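Review bot: The down script's `killall tcpdump` in the last hunk stops every tcpdump on the firewall, not just the two captures the up script started, so a capture an experimenter started by hand on the node is killed on teardown; and the `-w` files written in the up hunk grow without bound for the life of the experiment, which on a long-running firewall can fill the partition holding $LOGDIR. Recording the shell's background PID for each capture (note the `\$!` escape, since the string is Perl double-quoted and a bare `$!` would interpolate Perl's errno variable) and killing only those PIDs on the way down addresses the first; tcpdump's `-C`/`-W` rotation options bound the second. The pidfile names below are a constructed suggestion placed next to the existing capture files. os_fwconfig_line begins and ends outside these hunks.
```perl
    if ($dotcpdump) {
	# \$! is the shell's last-background-job PID; keep it so the down
	# script can stop exactly these two captures and nothing else.
	$upline .= " tcpdump -i $vlandev ".
	    "-w $LOGDIR/in.tcpdump >/dev/null 2>&1 &\n";
	$upline .= " echo \$! > $LOGDIR/in.tcpdump.pid\n";
	$upline .= " tcpdump -i $pdev ".
	    "-w $LOGDIR/out.tcpdump not vlan >/dev/null 2>&1 &\n";
	$upline .= " echo \$! > $LOGDIR/out.tcpdump.pid\n";
    }
    # … unchanged: verbose sysctl and the rest of the up script …
    if ($dotcpdump) {
	$downline .= " kill `cat $LOGDIR/in.tcpdump.pid $LOGDIR/out.tcpdump.pid` ".
	    ">/dev/null 2>&1\n";
	$downline .= " rm -f $LOGDIR/in.tcpdump.pid $LOGDIR/out.tcpdump.pid\n";
    }
```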