configurable logging

author: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> 2012-08-28 07:48:07 +0000
committer: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> 2012-08-28 07:48:07 +0000
commit: fbb68587f8ea307f10206ab715b2542af1505c27 (patch)
tree: 60496964a548fd08bf1e2094a6f94fce5ea95b7d
parent: 382c27d26ee81a9982e1fa24eb2c3a9efadfc374 (diff)
download: awall-fbb68587f8ea307f10206ab715b2542af1505c27.tar.bz2
awall-fbb68587f8ea307f10206ab715b2542af1505c27.tar.xz
2 files changed, 67 insertions, 25 deletions
diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua
index d5652f4..9c0a3b9 100644
--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -10,14 +10,47 @@ module(..., package.seeall)
 require 'awall'
 require 'awall.host'
 require 'awall.model'
+require 'awall.object'
 require 'awall.optfrag'
 require 'awall.util'
 
 local model = awall.model
 local combinations = awall.optfrag.combinations
+local extend = awall.util.extend
+
+
+Log = awall.object.class(awall.object.Object)
+
+function Log:matchopts()
+   return self.limit and '-m limit --limit '..self.limit..'/second'
+end
+
+function Log:target() return string.upper(self.mode or 'log') end
+
 
 local Filter = model.class(model.Rule)
 
+function Filter:init(...)
+   model.Rule.init(self, unpack(arg))
+
+   -- alpine v2.4 compatibility
+   if util.contains({'logdrop', 'logreject'}, self.action) then
+      self:warning('Deprecated action: '..self.action)
+      self.action = string.sub(self.action, 4, -1)
+   end
+
+   local function log(spec, default)
+      if spec == nil then spec = default end
+      if spec == false then return end
+      if spec == true then spec = '_default' end
+      return self.root.log[spec] or self:error('Invalid log: '..spec)
+   end
+
+   self.log = log(self.log, self.action ~= 'accept')
+   local limit = self:limit()
+   if limit then self[limit].log = log(self[limit].log, true) end
+end
+
 function Filter:defaultzones()
    return self.dnat and {nil} or model.Rule.defaultzones(self)
 end
@@ -43,7 +76,7 @@ function Filter:trules()
 	 params[attr] = self[attr]
       end
       if extra then for k, v in pairs(extra) do params[k] = v end end
-      return awall.util.extend(res, self:create(cls, params):trules())
+      return extend(res, self:create(cls, params):trules())
    end
 
    if self.dnat then
@@ -80,7 +113,7 @@ function Filter:trules()
 
    if self.action == 'tarpit' then extrarules('no-track') end
 
-   awall.util.extend(res, model.Rule.trules(self))
+   extend(res, model.Rule.trules(self))
 
    return res
 end
@@ -103,25 +136,42 @@ function Filter:position()
 end
 
 function Filter:target()
-   if not self:limit() then return model.Rule.target(self) end
-   return self:newchain('limit')
+   if self:limit() then return self:newchain('limit') end
+   if self.log then return self:newchain('log'..self.action) end
+   return model.Rule.target(self)
 end
 
 function Filter:extraoptfrags()
    local res = {}
+
+   local function logchain(action, log, target)
+      extend(res, combinations({{chain=self:newchain('log'..action)}},
+			       {{opts=log:matchopts(), target=log:target()},
+				{target=target}}))
+   end
+
    local limit = self:limit()
    if limit then
       if self.action ~= 'accept' then
 	 self:error('Cannot specify limit for '..self.action..' filter')
       end
-      local optbase = '-m recent --name '..self:target()
-      table.insert(res, {chain=self:target(),
-			 opts=optbase..' --update --hitcount '..self[limit].count..' --seconds '..self[limit].interval,
-			 target='logdrop'})
-      table.insert(res, {chain=self:target(),
-			 opts=optbase..' --set',
-			 target='ACCEPT'})
+
+      local chain = self:newchain('limit')
+      local limitlog = self[limit].log
+
+      extend(res,
+	     combinations({{chain=chain,
+			    opts='-m recent --name '..chain}},
+			  {{opts='--update --hitcount '..self[limit].count..' --seconds '..self[limit].interval,
+				target=limitlog and self:newchain('logdrop') or 'DROP'},
+			     {opts='--set',
+			      target=self.log and self:newchain('log'..self.action) or 'ACCEPT'}}))
+
+      if limitlog then logchain('drop', limitlog, 'DROP') end
    end
+
+   if self.log then logchain(self.action, self.log, model.Rule.target(self)) end
+   
    return res
 end
 
@@ -132,7 +182,8 @@ local Policy = model.class(Filter)
 function Policy:servoptfrags() return nil end
 
 
-classes = {{'filter', Filter},
+classes = {{'log', Log},
+	   {'filter', Filter},
 	   {'policy', Policy}}
 
 
@@ -156,16 +207,6 @@ defrules['post-filter'] = combinations({{family='inet6',
 				       {{chain='INPUT'}, {chain='OUTPUT'}})
 
 
-achains = {}
-
-local limitedlog = {opts='-m limit --limit 1/second', target='LOG'}
-for i, target in ipairs({'drop', 'reject'}) do
-   util.extend(achains,
-	       combinations({{chain='log'..target}},
-			    {limitedlog, {target=string.upper(target)}}))
-end
-util.extend(achains,
-	    combinations({{chain='tarpit'}},
-			 {limitedlog,
-			  {opts='-p tcp', target='TARPIT'},
-			  {target='DROP'}}))
+achains = combinations({{chain='tarpit'}},
+		       {{opts='-p tcp', target='TARPIT'},
+			{target='DROP'}})
diff --git a/json/default-log.json b/json/default-log.json
new file mode 100644
index 0000000..c85a5a7
--- /dev/null
+++ b/json/default-log.json
@@ -0,0 +1 @@
+{ "log": { "_default": { "limit": 1 } } }
author	Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>	2012-08-28 07:48:07 +0000
committer	Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>	2012-08-28 07:48:07 +0000
commit	fbb68587f8ea307f10206ab715b2542af1505c27 (patch)
tree	60496964a548fd08bf1e2094a6f94fce5ea95b7d
parent	382c27d26ee81a9982e1fa24eb2c3a9efadfc374 (diff)
download	awall-fbb68587f8ea307f10206ab715b2542af1505c27.tar.bz2 awall-fbb68587f8ea307f10206ab715b2542af1505c27.tar.xz