Commit 4050f8d1 authored by Mike Hibler's avatar Mike Hibler

Handle logging of firewall rules.

Right now this flows from the DB through to the client,
but there is currently no UI to allow the user to set it.
parent eec2a6b6
......@@ -7,13 +7,6 @@
use English;
use Getopt::Std;
#
# For firewall rule logging: log accepted or rejected packets.
# XXX debugging
#
my $logaccept = 0;
my $logreject = 0;
#
# Hosts we need un-firewalled static routes for
#
......@@ -191,10 +184,6 @@ sub doboot()
sub firewaller()
{
# XXX debugging
$fwinfo->{LOGACCEPT} = $logaccept;
$fwinfo->{LOGREJECT} = $logreject;
my ($upline, $downline) = os_fwconfig_line($fwinfo, @fwrules);
print FWC "case \"\$action\" in\n";
......@@ -1058,6 +1058,7 @@ sub getfwconfig($$;$)
my $rpat = q(RULENO=(\d*) RULE="(.*)");
my $vpat = q(VAR=(EMULAB_\w+) VALUE="(.*)");
my $hpat = q(HOST=([-\w]+) CNETIP=([\d\.]*) CNETMAC=([\da-f]{12}));
my $lpat = q(LOG=([\w,]+));
$fwinfo->{"TYPE"} = "none";
foreach my $line (@tmccresults) {
......@@ -1114,6 +1115,14 @@ sub getfwconfig($$;$)
# and save off the MACs
$fwhostmacs{$host} = $mac;
} elsif ($line =~ /$lpat/) {
for my $log (split(',', $1)) {
if ($log =~ /^allow|accept$/) {
$fwinfo->{"LOGACCEPT"} = 1;
} elsif ($log =~ /^deny|reject$/) {
$fwinfo->{"LOGREJECT"} = 1;
}
}
} else {
warn("*** WARNING: Bad firewall info line: $line\n");
return 1;
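Review bot: The token tests in the new `elsif` branch are mis-anchored: in `/^allow|accept$/` the alternation binds looser than the anchors, so the pattern means "starts with allow" or "ends with accept", and a value such as `allowed` or `xaccept` would switch logging on; the same applies to `/^deny|reject$/`. Group the alternatives: `if ($log =~ /^(?:allow|accept)$/) {` and `} elsif ($log =~ /^(?:deny|reject)$/) {`. Note also that `$lpat` is unanchored and `[\w,]+` stops at the first non-word character, so a malformed value is silently truncated (and unknown tokens are silently skipped by the loop) rather than reaching the `Bad firewall info line` warning; if that is intended, a one-line comment saying so would help. getfwconfig continues outside the hunk.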
......@@ -603,13 +603,31 @@ sub os_fwconfig_line($@)
$upline .= " exit 1\n";
$upline .= " }\n";
}
if ($logaccept || $logreject) {
$upline .= " sysctl net.inet.ip.fw.verbose=1\n";
}
$upline .= " sysctl net.inet.ip.fw.enable=1 || {\n";
$upline .= " echo 'WARNING: could not enable firewall'\n";
$upline .= " exit 1\n";
$upline .= " }\n";
$upline .= " sysctl net.link.ether.bridge=1";
$downline = "sysctl net.link.ether.bridge=0\n";
#
# XXX maybe we should be more careful to ensure that the bridge
# is really down before turning off the firewall. OTOH, if
# someone has really hacked the firewall to the extent that they
# can prevent us from shutting down the bridge, then they should
# be quite capable of taking down the firewall on their own.
#
$downline = "sysctl net.link.ether.bridge=0 || {\n";
$downline .= " echo 'WARNING: could not disable bridge'\n";
$downline .= " echo ' firewall left enabled'\n";
$downline .= " exit 1\n";
$downline .= " }\n";
$downline .= " sysctl net.inet.ip.fw.enable=0\n";
if ($logaccept || $logreject) {
$downline .= " sysctl net.inet.ip.fw.verbose=0\n";
}
$downline .= " ipfw -q flush\n";
$downline .= " sysctl net.link.ether.bridge_cfg=\"\"\n";
$downline .= " sysctl net.link.ether.bridge_ipfw=0\n";
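Review bot: Setting `net.inet.ip.fw.verbose=1` in the new block without a bound means every packet hitting a logging rule produces a syslog entry, so a burst of rejected traffic can fill the firewall node's logs; FreeBSD's `net.inet.ip.fw.verbose_limit` sysctl caps entries per rule, and a line like `$upline .= " sysctl net.inet.ip.fw.verbose_limit=<LIMIT_PLACEHOLDER>\n";` beside the verbose setting would bound it. The two verbose sysctls are also the only ones in this hunk whose failure is not reported; since a failed enable only loses logging, an `|| echo 'WARNING: could not enable firewall logging'` rather than `exit 1` would fit the surrounding style. `$logaccept`/`$logreject` are presumably derived from `$fwinfo->{LOGACCEPT}`/`{LOGREJECT}` earlier in os_fwconfig_line, outside the hunk; worth confirming, since the same-named globals were removed from the client script in this commit.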
......@@ -5338,8 +5338,8 @@ COMMAND_PROTOTYPE(dofwinfo)
*
* XXX will only work if there is one firewall per experiment.
*/
res = mydb_query("select r.node_id,v.type,v.style,f.fwname,i.IP, "
" i.mac,f.vlan "
res = mydb_query("select r.node_id,v.type,v.style,v.log,f.fwname,"
" i.IP,i.mac,f.vlan "
"from firewalls as f "
"left join reserved as r on"
" f.pid=r.pid and f.eid=r.eid and f.fwname=r.vname "
......@@ -5348,7 +5348,7 @@ COMMAND_PROTOTYPE(dofwinfo)
"left join interfaces as i on r.node_id=i.node_id "
"where f.pid='%s' and f.eid='%s' "
"and i.role='ctrl'", /* XXX */
7, reqp->pid, reqp->eid);
8, reqp->pid, reqp->eid);
if (!res) {
error("FWINFO: %s: DB Error getting firewall info!\n",
......@@ -5394,7 +5394,7 @@ COMMAND_PROTOTYPE(dofwinfo)
if (strcmp(row[1], "ipfw2-vlan") == 0)
fwip = "0.0.0.0";
else
fwip = row[4];
fwip = row[5];
OUTPUT(buf, sizeof(buf), "TYPE=remote FWIP=%s\n", fwip);
mysql_free_result(res);
client_writeback(sock, buf, strlen(buf), tcp);
......@@ -5406,8 +5406,8 @@ COMMAND_PROTOTYPE(dofwinfo)
/*
* Grab vlan info if available
*/
if (row[6] && row[6][0])
vlan = row[6];
if (row[7] && row[7][0])
vlan = row[7];
else
vlan = "0";
......@@ -5419,14 +5419,24 @@ COMMAND_PROTOTYPE(dofwinfo)
*/
OUTPUT(buf, sizeof(buf),
"TYPE=%s STYLE=%s IN_IF=%s OUT_IF=%s IN_VLAN=%s OUT_VLAN=%s\n",
row[1], row[2], row[5], row[5], vlan, vlan);
row[1], row[2], row[6], row[6], vlan, vlan);
client_writeback(sock, buf, strlen(buf), tcp);
if (verbose)
info("FWINFO: %s", buf);
/*
* Put out info about firewall rule logging
*/
if (vers > 25 && row[3] && row[3][0]) {
OUTPUT(buf, sizeof(buf), "LOG=%s\n", row[3]);
client_writeback(sock, buf, strlen(buf), tcp);
if (verbose)
info("FWINFO: %s", buf);
}
strncpy(fwtype, row[1], sizeof(fwtype));
strncpy(fwstyle, row[2], sizeof(fwstyle));
strncpy(fwname, row[3], sizeof(fwname));
strncpy(fwname, row[4], sizeof(fwname));
mysql_free_result(res);
/*
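Review bot: The new `LOG=%s` output in the last hunk writes the `v.log` column to the client verbatim, and nothing in the hunk records what that value is expected to contain or why it is gated on `vers > 25`; a reader of tmcd alone cannot tell which tokens the client side accepts. Suggest extending the existing comment to: `/* Put out info about firewall rule logging. v.log is a comma-separated list of allow|accept|deny|reject tokens; only clients at protocol version 26 or later parse LOG= lines. */`. The column renumbering in the earlier hunks (`row[4]`→`row[5]` for IP, `row[6]`→`row[7]` for vlan, `row[5]`→`row[6]` for mac, fwname `row[3]`→`row[4]`) is consistent with the new select order, and the count bump from 7 to 8 matches.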