Commit 31f0319b authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

Log.optfrags: packet mirroring

parent a6d6b5bd
......@@ -299,6 +299,11 @@ with these modes:
</tbody>
</table>
Copies of the eligible packets are sent to all hosts defined with the
**mirror** attribute of the logging class. The hosts may be defined
using IP addresses or DNS names. If this attribute is defined,
**mode** defaults to **none**.
[Filter](#filter) and [policy](#policy) rules can have an attribute
named **log**. If it is a string, it is interpreted as a reference to
a logging class, and logging is performed according to the
......
......@@ -5,6 +5,8 @@ See LICENSE file for license details
]]--
local resolve = require('awall.host')
local model = require('awall.model')
local class = model.class
......@@ -23,8 +25,9 @@ end
local Log = class(model.ConfigObject)
function Log:optfrags()
local mode = self.mode or 'log'
local mode = self.mode
if mode == 'none' then return {} end
if not (mode or self.mirror) then mode = 'log' end
local selector, ofrags
......@@ -48,35 +51,49 @@ function Log:optfrags()
end
end
local optmap = {
log={level='level', prefix='prefix'},
nflog={
group='group',
prefix='prefix',
range='range',
threshold='threshold'
},
ulog={
group='nlgroup',
prefix='prefix',
range='cprange',
threshold='qthreshold'
local targets = {}
if mode then
local optmap = {
log={level='level', prefix='prefix'},
nflog={
group='group',
prefix='prefix',
range='range',
threshold='threshold'
},
ulog={
group='nlgroup',
prefix='prefix',
range='cprange',
threshold='qthreshold'
}
}
}
if not optmap[mode] then self:error('Invalid logging mode: '..mode) end
if not optmap[mode] then self:error('Invalid logging mode: '..mode) end
local target = mode:upper()
for s, t in pairs(optmap[mode]) do
local value = self[s]
if value then
if s == 'prefix' then value = util.quote(value) end
target = target..' --'..mode..'-'..t..' '..value
end
end
local target = mode:upper()
for s, t in pairs(optmap[mode]) do
local value = self[s]
if value then
if s == 'prefix' then value = util.quote(value) end
target = target..' --'..mode..'-'..t..' '..value
table.insert(
targets, {family=mode == 'ulog' and 'inet' or nil, target=target}
)
end
for _, hostdef in util.listpairs(self.mirror) do
for _, addr in ipairs(resolve(hostdef, self)) do
table.insert(
targets, {family=addr[1], target='TEE --gateway '..addr[2]}
)
end
end
return combinations(
ofrags, {{family=mode == 'ulog' and 'inet' or nil, target=target}}
)
return combinations(ofrags, targets)
end
function Log.get(rule, spec, default)
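Review bot: The early return `if mode == 'none' then return {} end` in the first hunk of this file also skips the mirror loop added further down, so a logging class that sets `mode` to `none` explicitly and also lists `mirror` hosts silently mirrors nothing, whereas the manual hunk above says copies go to all mirror hosts and that `mirror` only changes the default mode. If mirroring is meant to be independent of the log mode, replace that line with `if mode == 'none' and not self.mirror then return {} end` followed by `if mode == 'none' then mode = nil end` (the `mode = 'log'` default line stays as is), so `none` suppresses only the LOG/NFLOG/ULOG target; if the current behaviour is intended, the manual should state it, e.g. "Setting mode to none also disables mirroring." The TEE rule text is built from whatever `resolve(hostdef, self)` returns, and for mirror hosts given as DNS names that lookup appears to happen once when the rules are generated, which deserves a comment on the loop such as `-- mirror hosts are resolved at rule-generation time, not at match time`. When `mode` is nil and the mirror hosts resolve to no addresses, `targets` is empty and the outcome depends on what `combinations(ofrags, {})` yields; a guard `if next(targets) == nil then return {} end` before the final return would make that case explicit.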
......
{
"log": {
"dual": { "mode": "log", "mirror": "fc00::1" },
"mirror": { "mirror": [ "10.0.0.1", "10.0.0.2", "fc00::2" ] },
"none": { "mode": "none" },
"ulog": { "mode": "ulog", "limit": { "interval": 5 } }
},
"packet-log": [
{ "out": "_fw" },
{ "out": "_fw", "log": "mirror" },
{ "out": "_fw", "log": "ulog" }
],
"filter": [
......@@ -17,6 +20,12 @@
{ "log": true },
{ "log": true, "action": "drop" },
{ "log": true, "action": "pass" },
{ "log": "dual" },
{ "log": "dual", "action": "drop" },
{ "log": "dual", "action": "pass" },
{ "log": "mirror" },
{ "log": "mirror", "action": "drop" },
{ "log": "mirror", "action": "pass" },
{ "log": "none" },
{ "log": "none", "action": "drop" },
{ "log": "none", "action": "pass" },
......
......@@ -8,16 +8,16 @@ See LICENSE file for license details
util = require('awall.util')
json = require('cjson')
LOGOPTIONS = {false, true, 'none', 'ulog'}
res = {}
function add(limit_type, filter)
local logopts = {false, true, 'mirror', 'none', 'ulog'}
for _, high_rate in ipairs{false, true} do
local function add_limit(limit)
for _, log in ipairs(LOGOPTIONS) do
for _, log in ipairs(logopts) do
for _, action in ipairs{false, 'pass'} do
if not (high_rate and log and action) then
table.insert(
......@@ -40,7 +40,7 @@ function add(limit_type, filter)
add_limit(count or 1)
for _, interval in ipairs{false, 5} do
for _, log in ipairs(LOGOPTIONS) do
for _, log in ipairs(logopts) do
local limit = {count=count, interval=interval or nil}
if log ~= true then limit.log = log end
......
......@@ -545,6 +545,8 @@
:logaccept-266 - [0:0]
:logaccept-267 - [0:0]
:logaccept-268 - [0:0]
:logaccept-269 - [0:0]
:logaccept-270 - [0:0]
:logaccept-3 - [0:0]
:logaccept-32 - [0:0]
:logaccept-33 - [0:0]
......@@ -611,6 +613,8 @@
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logdrop-4 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logpass-10 - [0:0]
......@@ -687,7 +691,9 @@
:logpass-166 - [0:0]
:logpass-167 - [0:0]
:logpass-168 - [0:0]
:logpass-169 - [0:0]
:logpass-17 - [0:0]
:logpass-170 - [0:0]
:logpass-18 - [0:0]
:logpass-19 - [0:0]
:logpass-2 - [0:0]
......@@ -1881,12 +1887,18 @@
-A FORWARD -j logaccept-267
-A FORWARD -j logdrop-1
-A FORWARD -j logpass-167
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-268
-A FORWARD -j logdrop-2
-A FORWARD -j logpass-168
-A FORWARD -j logaccept-269
-A FORWARD -j logdrop-3
-A FORWARD -j logpass-169
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-270
-A FORWARD -j logdrop-4
-A FORWARD -j logpass-170
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
......@@ -1938,6 +1950,8 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
......@@ -2658,12 +2672,18 @@
-A INPUT -j logaccept-267
-A INPUT -j logdrop-1
-A INPUT -j logpass-167
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-268
-A INPUT -j logdrop-2
-A INPUT -j logpass-168
-A INPUT -j logaccept-269
-A INPUT -j logdrop-3
-A INPUT -j logpass-169
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-270
-A INPUT -j logdrop-4
-A INPUT -j logpass-170
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
......@@ -2930,12 +2950,18 @@
-A OUTPUT -j logaccept-267
-A OUTPUT -j logdrop-1
-A OUTPUT -j logpass-167
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-268
-A OUTPUT -j logdrop-2
-A OUTPUT -j logpass-168
-A OUTPUT -j logaccept-269
-A OUTPUT -j logdrop-3
-A OUTPUT -j logpass-169
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-270
-A OUTPUT -j logdrop-4
-A OUTPUT -j logpass-170
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
......@@ -3891,8 +3917,13 @@
-A logaccept-266 -j ACCEPT
-A logaccept-267 -m limit --limit 1/second -j LOG
-A logaccept-267 -j ACCEPT
-A logaccept-268 -m limit --limit 12/minute -j ULOG
-A logaccept-268 -j LOG
-A logaccept-268 -j ACCEPT
-A logaccept-269 -j TEE --gateway 10.0.0.1
-A logaccept-269 -j TEE --gateway 10.0.0.2
-A logaccept-269 -j ACCEPT
-A logaccept-270 -m limit --limit 12/minute -j ULOG
-A logaccept-270 -j ACCEPT
-A logaccept-3 -m limit --limit 12/minute -j ULOG
-A logaccept-3 -j ACCEPT
-A logaccept-32 -m limit --limit 1/second -j LOG
......@@ -4023,8 +4054,13 @@
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -m limit --limit 12/minute -j ULOG
-A logdrop-2 -j LOG
-A logdrop-2 -j DROP
-A logdrop-3 -j TEE --gateway 10.0.0.1
-A logdrop-3 -j TEE --gateway 10.0.0.2
-A logdrop-3 -j DROP
-A logdrop-4 -m limit --limit 12/minute -j ULOG
-A logdrop-4 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -m limit --limit 12/minute -j ULOG
-A logpass-10 -m limit --limit 12/minute -j ULOG
......@@ -4100,8 +4136,11 @@
-A logpass-165 -m limit --limit 1/second -j LOG
-A logpass-166 -m limit --limit 12/minute -j ULOG
-A logpass-167 -m limit --limit 1/second -j LOG
-A logpass-168 -m limit --limit 12/minute -j ULOG
-A logpass-168 -j LOG
-A logpass-169 -j TEE --gateway 10.0.0.1
-A logpass-169 -j TEE --gateway 10.0.0.2
-A logpass-17 -m limit --limit 1/second -j LOG
-A logpass-170 -m limit --limit 12/minute -j ULOG
-A logpass-18 -m limit --limit 12/minute -j ULOG
-A logpass-19 -m limit --limit 1/second -j LOG
-A logpass-2 -m limit --limit 1/second -j LOG
......
......@@ -182,7 +182,9 @@
:logaccept-26 - [0:0]
:logaccept-267 - [0:0]
:logaccept-268 - [0:0]
:logaccept-269 - [0:0]
:logaccept-27 - [0:0]
:logaccept-270 - [0:0]
:logaccept-28 - [0:0]
:logaccept-29 - [0:0]
:logaccept-30 - [0:0]
......@@ -220,6 +222,8 @@
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logdrop-4 - [0:0]
:logpass-0 - [0:0]
:logpass-109 - [0:0]
:logpass-115 - [0:0]
......@@ -228,6 +232,8 @@
:logpass-136 - [0:0]
:logpass-137 - [0:0]
:logpass-167 - [0:0]
:logpass-168 - [0:0]
:logpass-169 - [0:0]
:logpass-25 - [0:0]
:logpass-26 - [0:0]
:logpass-27 - [0:0]
......@@ -528,11 +534,17 @@
-A FORWARD -j logaccept-267
-A FORWARD -j logdrop-1
-A FORWARD -j logpass-167
-A FORWARD -j logaccept-268
-A FORWARD -j logdrop-2
-A FORWARD -j logpass-168
-A FORWARD -j logaccept-269
-A FORWARD -j logdrop-3
-A FORWARD -j logpass-169
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-268
-A FORWARD -j logdrop-2
-A FORWARD -j logaccept-270
-A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
......@@ -559,6 +571,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
......@@ -751,11 +764,17 @@
-A INPUT -j logaccept-267
-A INPUT -j logdrop-1
-A INPUT -j logpass-167
-A INPUT -j logaccept-268
-A INPUT -j logdrop-2
-A INPUT -j logpass-168
-A INPUT -j logaccept-269
-A INPUT -j logdrop-3
-A INPUT -j logpass-169
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-268
-A INPUT -j logdrop-2
-A INPUT -j logaccept-270
-A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
......@@ -860,11 +879,17 @@
-A OUTPUT -j logaccept-267
-A OUTPUT -j logdrop-1
-A OUTPUT -j logpass-167
-A OUTPUT -j logaccept-268
-A OUTPUT -j logdrop-2
-A OUTPUT -j logpass-168
-A OUTPUT -j logaccept-269
-A OUTPUT -j logdrop-3
-A OUTPUT -j logpass-169
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-268
-A OUTPUT -j logdrop-2
-A OUTPUT -j logaccept-270
-A OUTPUT -j logdrop-4
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
......@@ -1085,8 +1110,13 @@
-A logaccept-26 -j ACCEPT
-A logaccept-267 -m limit --limit 1/second -j LOG
-A logaccept-267 -j ACCEPT
-A logaccept-268 -j LOG
-A logaccept-268 -j TEE --gateway fc00::1
-A logaccept-268 -j ACCEPT
-A logaccept-269 -j TEE --gateway fc00::2
-A logaccept-269 -j ACCEPT
-A logaccept-27 -j ACCEPT
-A logaccept-270 -j ACCEPT
-A logaccept-28 -m limit --limit 1/second -j LOG
-A logaccept-28 -j ACCEPT
-A logaccept-29 -j ACCEPT
......@@ -1144,7 +1174,12 @@
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -j LOG
-A logdrop-2 -j TEE --gateway fc00::1
-A logdrop-2 -j DROP
-A logdrop-3 -j TEE --gateway fc00::2
-A logdrop-3 -j DROP
-A logdrop-4 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-109 -m limit --limit 1/second -j LOG
-A logpass-115 -m limit --limit 1/second -j LOG
......@@ -1153,6 +1188,9 @@
-A logpass-136 -m limit --limit 1/second -j LOG
-A logpass-137 -m limit --limit 1/second -j LOG
-A logpass-167 -m limit --limit 1/second -j LOG
-A logpass-168 -j LOG
-A logpass-168 -j TEE --gateway fc00::1
-A logpass-169 -j TEE --gateway fc00::2
-A logpass-25 -m limit --limit 1/second -j LOG
-A logpass-26 -m limit --limit 1/second -j LOG
-A logpass-27 -m limit --limit 1/second -j LOG
......
......@@ -6,12 +6,18 @@
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logaccept-2 - [0:0]
:logaccept-3 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logdrop-4 - [0:0]
:logdrop-5 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logpass-2 - [0:0]
:logpass-3 - [0:0]
:logreject-0 - [0:0]
:logtarpit-0 - [0:0]
:tarpit - [0:0]
......@@ -31,12 +37,18 @@
-A FORWARD -j logaccept-0
-A FORWARD -j logdrop-2
-A FORWARD -j logpass-0
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-3
-A FORWARD -j logpass-1
-A FORWARD -j logaccept-2
-A FORWARD -j logdrop-4
-A FORWARD -j logpass-2
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-3
-A FORWARD -j logdrop-5
-A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
......@@ -88,6 +100,8 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
......@@ -106,12 +120,18 @@
-A INPUT -j logaccept-0
-A INPUT -j logdrop-2
-A INPUT -j logpass-0
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-1
-A INPUT -j logdrop-3
-A INPUT -j logpass-1
-A INPUT -j logaccept-2
-A INPUT -j logdrop-4
-A INPUT -j logpass-2
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-3
-A INPUT -j logdrop-5
-A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
......@@ -132,12 +152,18 @@
-A OUTPUT -j logaccept-0
-A OUTPUT -j logdrop-2
-A OUTPUT -j logpass-0
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-3
-A OUTPUT -j logpass-1
-A OUTPUT -j logaccept-2
-A OUTPUT -j logdrop-4
-A OUTPUT -j logpass-2
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-3
-A OUTPUT -j logdrop-5
-A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
......@@ -147,18 +173,31 @@
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
-A logaccept-0 -m limit --limit 1/second -j LOG
-A logaccept-0 -j ACCEPT
-A logaccept-1 -m limit --limit 12/minute -j ULOG
-A logaccept-1 -j LOG
-A logaccept-1 -j ACCEPT
-A logaccept-2 -j TEE --gateway 10.0.0.1
-A logaccept-2 -j TEE --gateway 10.0.0.2
-A logaccept-2 -j ACCEPT
-A logaccept-3 -m limit --limit 12/minute -j ULOG
-A logaccept-3 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -m limit --limit 1/second -j LOG
-A logdrop-2 -j DROP
-A logdrop-3 -m limit --limit 12/minute -j ULOG
-A logdrop-3 -j LOG
-A logdrop-3 -j DROP
-A logdrop-4 -j TEE --gateway 10.0.0.1
-A logdrop-4 -j TEE --gateway 10.0.0.2
-A logdrop-4 -j DROP
-A logdrop-5 -m limit --limit 12/minute -j ULOG
-A logdrop-5 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -m limit --limit 12/minute -j ULOG
-A logpass-1 -j LOG
-A logpass-2 -j TEE --gateway 10.0.0.1
-A logpass-2 -j TEE --gateway 10.0.0.2
-A logpass-3 -m limit --limit 12/minute -j ULOG
-A logreject-0 -m limit --limit 1/second -j LOG
-A logreject-0 -j REJECT
-A logtarpit-0 -m limit --limit 1/second -j LOG
......
......@@ -6,11 +6,17 @@
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logaccept-2 - [0:0]
:logaccept-3 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logdrop-4 - [0:0]
:logdrop-5 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logpass-2 - [0:0]
:logreject-0 - [0:0]
:logtarpit-0 - [0:0]
:tarpit - [0:0]
......@@ -30,11 +36,17 @@
-A FORWARD -j logaccept-0
-A FORWARD -j logdrop-2
-A FORWARD -j logpass-0
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-3
-A FORWARD -j logpass-1
-A FORWARD -j logaccept-2
-A FORWARD -j logdrop-4
-A FORWARD -j logpass-2
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-3
-A FORWARD -j logaccept-3
-A FORWARD -j logdrop-5
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
......@@ -61,6 +73,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
......@@ -79,11 +92,17 @@
-A INPUT -j logaccept-0
-A INPUT -j logdrop-2
-A INPUT -j logpass-0
-A INPUT -j logaccept-1
-A INPUT -j logdrop-3
-A INPUT -j logpass-1
-A INPUT -j logaccept-2
-A INPUT -j logdrop-4
-A INPUT -j logpass-2
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-1
-A INPUT -j logdrop-3
-A INPUT -j logaccept-3
-A INPUT -j logdrop-5
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
......@@ -104,11 +123,17 @@
-A OUTPUT -j logaccept-0
-A OUTPUT -j logdrop-2
-A OUTPUT -j logpass-0
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-3
-A OUTPUT -j logpass-1
-A OUTPUT -j logaccept-2
-A OUTPUT -j logdrop-4
-A OUTPUT -j logpass-2
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-3
-A OUTPUT -j logaccept-3
-A OUTPUT -j logdrop-5
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
......@@ -118,15 +143,28 @@
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
-A logaccept-0 -m limit --limit 1/second -j LOG
-A logaccept-0 -j ACCEPT
-A logaccept-1 -j LOG
-A logaccept-1 -j TEE --gateway fc00::1
-A logaccept-1 -j ACCEPT
-A logaccept-2 -j TEE --gateway fc00::2
-A logaccept-2 -j ACCEPT
-A logaccept-3 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -m limit --limit 1/second -j LOG
-A logdrop-2 -j DROP
-A logdrop-3 -j LOG
-A logdrop-3 -j TEE --gateway fc00::1
-A logdrop-3 -j DROP
-A logdrop-4 -j TEE --gateway fc00::2
-A logdrop-4 -j DROP
-A logdrop-5 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -j LOG
-A logpass-1 -j TEE --gateway fc00::1
-A logpass-2 -j TEE --gateway fc00::2
-A logreject-0 -m limit --limit 1/second -j LOG
-A logreject-0 -j REJECT
-A logtarpit-0 -m limit --limit 1/second -j LOG
......
......@@ -6,11 +6,17 @@
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logaccept-2 - [0:0]
:logaccept-3 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logdrop-4 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logpass-2 - [0:0]
:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
......@@ -21,12 +27,18 @@
-A FORWARD -j logaccept-0
-A FORWARD -j logdrop-1
-A FORWARD -j logpass-0
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-2
-A FORWARD -j logpass-1
-A FORWARD -j logaccept-2
-A FORWARD -j logdrop-3
-A FORWARD -j logpass-2
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-3
-A FORWARD -j logdrop-4
-A FORWARD -j logpass-3
-A FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
......@@ -84,6 +96,8 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
......@@ -96,12 +110,18 @@
-A INPUT -j logaccept-0
-A INPUT -j logdrop-1
-A INPUT -j logpass-0
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-1
-A INPUT -j logdrop-2
-A INPUT -j logpass-1
-A INPUT -j logaccept-2
-A INPUT -j logdrop-3
-A INPUT -j logpass-2
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-3
-A INPUT -j logdrop-4
-A INPUT -j logpass-3
-A INPUT -p tcp --sport 80 -j ACCEPT
-A INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
......@@ -125,12 +145,18 @@
-A OUTPUT -j logaccept-0
-A OUTPUT -j logdrop-1
-A OUTPUT -j logpass-0
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-2
-A OUTPUT -j logpass-1
-A OUTPUT -j logaccept-2
-A OUTPUT -j logdrop-3
-A OUTPUT -j logpass-2
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-3
-A OUTPUT -j logdrop-4
-A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
......