Commit 54642b82 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

test: ulog

parent c5056f21
{
"log": { "none": { "mode": "none" } },
"log": {
"none": { "mode": "none" },
"ulog": { "mode": "ulog", "limit": { "interval": 5 } }
},
"filter": [
{},
{ "action": "drop" },
......@@ -12,6 +15,11 @@
{ "log": true, "action": "pass" },
{ "log": "none" },
{ "log": "none", "action": "drop" },
{ "log": "none", "action": "pass" }
{ "log": "none", "action": "pass" },
{ "log": "ulog" },
{ "log": "ulog", "action": "drop" },
{ "log": "ulog", "action": "pass" },
{ "in": "_fw", "log": "ulog", "action": "pass" }
]
}
......@@ -21,7 +21,7 @@ for _, izone in ipairs{false, 'A', 'B', {'B', 'C'}} do
for _, dest in ipairs{
false, daddr, {daddr, '172.16.2.0/16'}, {daddr, 'fc00::2'}
} do
for _, log in ipairs{false, true} do
for _, log in ipairs{false, true, 'ulog'} do
for _, action in ipairs{false, 'pass'} do
table.insert(
res,
......
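Review bot: The log values in `for _, log in ipairs{false, true, 'ulog'} do` are hard-coded here, while the other generator touched by this commit reads them from a shared `LOGOPTIONS` table that also contains `'none'`; the two scripts will drift apart the next time a log mode is added. Consider `for _, log in ipairs(LOGOPTIONS) do` with the table defined once, or, if omitting `'none'` here is deliberate, a one-line comment saying why this generator covers fewer modes than the limit generator. The enclosing loop nest starts and ends outside this hunk.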
......@@ -8,6 +8,8 @@ See LICENSE file for license details
util = require('awall.util')
json = require('cjson')
LOGOPTIONS = {false, true, 'none', 'ulog'}
res = {}
function add(limit_type, filter)
......@@ -15,7 +17,7 @@ function add(limit_type, filter)
for _, high_rate in ipairs{false, true} do
local function add_limit(limit)
for _, log in ipairs{false, true, 'none'} do
for _, log in ipairs(LOGOPTIONS) do
for _, action in ipairs{false, 'pass'} do
if not (high_rate and log and action) then
table.insert(
......@@ -38,7 +40,7 @@ function add(limit_type, filter)
add_limit(count or 1)
for _, interval in ipairs{false, 5} do
for _, log in ipairs{true, false, 'none'} do
for _, log in ipairs(LOGOPTIONS) do
local limit = {count=count, interval=interval or nil}
if log ~= true then limit.log = log end
......
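Review bot: `LOGOPTIONS = {false, true, 'none', 'ulog'}` is introduced without saying what its entries are or where the named ones must come from; since `'none'` and `'ulog'` have to match log definitions in the test config, a comment such as `-- values for the "log" attribute: false/true plus the named log definitions declared in the test config ("none", "ulog")` would save the next maintainer a search. The table is a global like the other assignments in this file; `local LOGOPTIONS = ...` would keep it file-scoped if the file's style allows. Note also that the second loop's order changes from `{true, false, 'none'}` to `{false, true, 'none', 'ulog'}`, which reorders the generated cases — presumably intended, since the expected outputs are updated alongside.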
......@@ -200,7 +200,42 @@ Filter 18 {"action":"pass","log":"none"}
inet6/filter/INPUT
inet6/filter/OUTPUT
Filter 19 {"in":["_fw","A"]}
Filter 19 {"log":"ulog"}
(log)
inet/filter/FORWARD -j logaccept-1
inet/filter/INPUT -j logaccept-1
inet/filter/OUTPUT -j logaccept-1
inet/filter/logaccept-1 -m limit --limit 12/minute -j ULOG
inet/filter/logaccept-1 -j ACCEPT
inet6/filter/FORWARD -j logaccept-1
inet6/filter/INPUT -j logaccept-1
inet6/filter/OUTPUT -j logaccept-1
inet6/filter/logaccept-1 -j ACCEPT
Filter 20 {"action":"drop","log":"ulog"}
(log)
inet/filter/FORWARD -j logdrop-3
inet/filter/INPUT -j logdrop-3
inet/filter/OUTPUT -j logdrop-3
inet/filter/logdrop-3 -m limit --limit 12/minute -j ULOG
inet/filter/logdrop-3 -j DROP
inet6/filter/FORWARD -j logdrop-3
inet6/filter/INPUT -j logdrop-3
inet6/filter/OUTPUT -j logdrop-3
inet6/filter/logdrop-3 -j DROP
Filter 21 {"action":"pass","log":"ulog"}
(log)
inet/filter/FORWARD -j logpass-1
inet/filter/INPUT -j logpass-1
inet/filter/OUTPUT -j logpass-1
inet/filter/logpass-1 -m limit --limit 12/minute -j ULOG
Filter 22 {"action":"pass","in":"_fw","log":"ulog"}
(log)
inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
Filter 23 {"in":["_fw","A"]}
(zone)
inet/filter/FORWARD -i eth0 -j ACCEPT
inet/filter/INPUT -i eth0 -j ACCEPT
......@@ -209,12 +244,12 @@ Filter 19 {"in":["_fw","A"]}
inet6/filter/INPUT -i eth0 -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 20 {"in":"B","out":"C"}
Filter 24 {"in":"B","out":"C"}
(zone)
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
Filter 21 {"out":["_fw","B"]}
Filter 25 {"out":["_fw","B"]}
(zone)
inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
inet/filter/INPUT -j ACCEPT
......@@ -223,7 +258,7 @@ Filter 21 {"out":["_fw","B"]}
inet6/filter/INPUT -j ACCEPT
inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
Filter 22 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
Filter 26 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
(zone)
inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
......@@ -315,6 +350,9 @@ Log _default {"limit":1}
Log none {"mode":"none"}
(log)
Log ulog {"limit":{"interval":5},"mode":"ulog"}
(log)
Mark 1 {"in":["_fw","A"],"mark":1}
(zone)
......@@ -569,10 +607,13 @@ hash:net family inet
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logreject-0 - [0:0]
:logtarpit-0 - [0:0]
:tarpit - [0:0]
......@@ -595,6 +636,9 @@ hash:net family inet
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-3
-A FORWARD -j logpass-1
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
......@@ -665,6 +709,9 @@ hash:net family inet
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-1
-A INPUT -j logdrop-3
-A INPUT -j logpass-1
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
......@@ -688,6 +735,10 @@ hash:net family inet
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-3
-A OUTPUT -j logpass-1
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A OUTPUT -p icmp -j icmp-routing
......@@ -696,13 +747,18 @@ hash:net family inet
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
-A logaccept-0 -m limit --limit 1/second -j LOG
-A logaccept-0 -j ACCEPT
-A logaccept-1 -m limit --limit 12/minute -j ULOG
-A logaccept-1 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -m limit --limit 1/second -j LOG
-A logdrop-2 -j DROP
-A logdrop-3 -m limit --limit 12/minute -j ULOG
-A logdrop-3 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -m limit --limit 12/minute -j ULOG
-A logreject-0 -m limit --limit 1/second -j LOG
-A logreject-0 -j REJECT
-A logtarpit-0 -m limit --limit 1/second -j LOG
......@@ -755,9 +811,11 @@ COMMIT
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logpass-0 - [0:0]
:logreject-0 - [0:0]
:logtarpit-0 - [0:0]
......@@ -781,6 +839,8 @@ COMMIT
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
......@@ -827,6 +887,8 @@ COMMIT
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-1
-A INPUT -j logdrop-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
......@@ -850,6 +912,8 @@ COMMIT
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-3
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
......@@ -859,12 +923,14 @@ COMMIT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
-A logaccept-0 -m limit --limit 1/second -j LOG
-A logaccept-0 -j ACCEPT
-A logaccept-1 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -m limit --limit 1/second -j LOG
-A logdrop-2 -j DROP
-A logdrop-3 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logreject-0 -m limit --limit 1/second -j LOG
-A logreject-0 -j REJECT
......
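Review bot: The new fixture pins a monitoring gap as expected behaviour: for `Filter 20 {"action":"drop","log":"ulog"}` the IPv4 chain gets `-m limit --limit 12/minute -j ULOG` before `-j DROP`, but the IPv6 side is only `inet6/filter/logdrop-3 -j DROP`, and `logpass-1` is absent from the ip6tables table altogether, so traffic matched over IPv6 is dropped or passed with no log record. Presumably this is because ip6tables has no ULOG target — ULOG is IPv4-only and has been deprecated upstream in favour of NFLOG, which covers both families. If the generator cannot emit NFLOG for mode `ulog`, the asymmetry should at least be made explicit rather than silently accepted, for example by documenting that `ulog` logs IPv4 only or by having the generator warn when a `ulog` log is attached to a rule that also produces IPv6 rules. The same pattern recurs in the other expected-output files in this commit.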
......@@ -5,10 +5,13 @@
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logreject-0 - [0:0]
:logtarpit-0 - [0:0]
:tarpit - [0:0]
......@@ -31,6 +34,9 @@
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-3
-A FORWARD -j logpass-1
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
......@@ -101,6 +107,9 @@
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-1
-A INPUT -j logdrop-3
-A INPUT -j logpass-1
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
......@@ -124,6 +133,10 @@
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-3
-A OUTPUT -j logpass-1
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A OUTPUT -p icmp -j icmp-routing
......@@ -132,13 +145,18 @@
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
-A logaccept-0 -m limit --limit 1/second -j LOG
-A logaccept-0 -j ACCEPT
-A logaccept-1 -m limit --limit 12/minute -j ULOG
-A logaccept-1 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -m limit --limit 1/second -j LOG
-A logdrop-2 -j DROP
-A logdrop-3 -m limit --limit 12/minute -j ULOG
-A logdrop-3 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -m limit --limit 12/minute -j ULOG
-A logreject-0 -m limit --limit 1/second -j LOG
-A logreject-0 -j REJECT
-A logtarpit-0 -m limit --limit 1/second -j LOG
......
......@@ -5,9 +5,11 @@
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logpass-0 - [0:0]
:logreject-0 - [0:0]
:logtarpit-0 - [0:0]
......@@ -31,6 +33,8 @@
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
......@@ -77,6 +81,8 @@
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-1
-A INPUT -j logdrop-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
......@@ -100,6 +106,8 @@
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-3
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
......@@ -109,12 +117,14 @@
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
-A logaccept-0 -m limit --limit 1/second -j LOG
-A logaccept-0 -j ACCEPT
-A logaccept-1 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -m limit --limit 1/second -j LOG
-A logdrop-2 -j DROP
-A logdrop-3 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logreject-0 -m limit --limit 1/second -j LOG
-A logreject-0 -j REJECT
......
......@@ -130,7 +130,42 @@ Filter 12 {"action":"pass","log":"none"}
inet6/filter/INPUT
inet6/filter/OUTPUT
Filter 13 {"in":"_fw","no-track":true,"service":"http"}
Filter 13 {"log":"ulog"}
(log)
inet/filter/FORWARD -j logaccept-1
inet/filter/INPUT -j logaccept-1
inet/filter/OUTPUT -j logaccept-1
inet/filter/logaccept-1 -m limit --limit 12/minute -j ULOG
inet/filter/logaccept-1 -j ACCEPT
inet6/filter/FORWARD -j logaccept-1
inet6/filter/INPUT -j logaccept-1
inet6/filter/OUTPUT -j logaccept-1
inet6/filter/logaccept-1 -j ACCEPT
Filter 14 {"action":"drop","log":"ulog"}
(log)
inet/filter/FORWARD -j logdrop-2
inet/filter/INPUT -j logdrop-2
inet/filter/OUTPUT -j logdrop-2
inet/filter/logdrop-2 -m limit --limit 12/minute -j ULOG
inet/filter/logdrop-2 -j DROP
inet6/filter/FORWARD -j logdrop-2
inet6/filter/INPUT -j logdrop-2
inet6/filter/OUTPUT -j logdrop-2
inet6/filter/logdrop-2 -j DROP
Filter 15 {"action":"pass","log":"ulog"}
(log)
inet/filter/FORWARD -j logpass-1
inet/filter/INPUT -j logpass-1
inet/filter/OUTPUT -j logpass-1
inet/filter/logpass-1 -m limit --limit 12/minute -j ULOG
Filter 16 {"action":"pass","in":"_fw","log":"ulog"}
(log)
inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
Filter 17 {"in":"_fw","no-track":true,"service":"http"}
(no-track)
inet/filter/INPUT -p tcp --sport 80 -j ACCEPT
inet/filter/OUTPUT -p tcp --dport 80 -j ACCEPT
......@@ -141,7 +176,7 @@ Filter 13 {"in":"_fw","no-track":true,"service":"http"}
inet6/raw/OUTPUT -p tcp --dport 80 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack
Filter 14 {"dest":"172.17.0.0\/16","no-track":true,"service":"radius","src":"172.16.0.0\/16"}
Filter 18 {"dest":"172.17.0.0\/16","no-track":true,"service":"radius","src":"172.16.0.0\/16"}
(no-track)
inet/filter/FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
inet/filter/FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
......@@ -164,7 +199,7 @@ Filter 14 {"dest":"172.17.0.0\/16","no-track":true,"service":"
inet/raw/PREROUTING -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
inet/raw/PREROUTING -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
Filter 15 {"dest":"172.18.0.0\/16","no-track":true,"service":"ssh"}
Filter 19 {"dest":"172.18.0.0\/16","no-track":true,"service":"ssh"}
(no-track)
inet/filter/FORWARD -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT
inet/filter/FORWARD -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT
......@@ -177,7 +212,7 @@ Filter 15 {"dest":"172.18.0.0\/16","no-track":true,"service":"
inet/raw/PREROUTING -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack
inet/raw/PREROUTING -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack
Filter 16 {"no-track":true,"out":"_fw","service":"ipsec"}
Filter 20 {"no-track":true,"out":"_fw","service":"ipsec"}
(no-track)
inet/filter/INPUT -p esp -j ACCEPT
inet/filter/INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
......@@ -196,7 +231,7 @@ Filter 16 {"no-track":true,"out":"_fw","service":"ipsec"}
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack
Filter 17 {"in":["_fw","A"]}
Filter 21 {"in":["_fw","A"]}
(zone)
inet/filter/FORWARD -i eth0 -j ACCEPT
inet/filter/INPUT -i eth0 -j ACCEPT
......@@ -205,12 +240,12 @@ Filter 17 {"in":["_fw","A"]}
inet6/filter/INPUT -i eth0 -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 18 {"in":"B","out":"C"}
Filter 22 {"in":"B","out":"C"}
(zone)
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
Filter 19 {"out":["_fw","B"]}
Filter 23 {"out":["_fw","B"]}
(zone)
inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
inet/filter/INPUT -j ACCEPT
......@@ -219,7 +254,7 @@ Filter 19 {"out":["_fw","B"]}
inet6/filter/INPUT -j ACCEPT
inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
Filter 20 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
Filter 24 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
(zone)
inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
......@@ -311,6 +346,9 @@ Log _default {"limit":1}
Log none {"mode":"none"}
(log)
Log ulog {"limit":{"interval":5},"mode":"ulog"}
(log)
Mark 1 {"in":["_fw","A"],"mark":1}
(zone)
......@@ -565,9 +603,12 @@ hash:net family inet
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
......@@ -581,6 +622,9 @@ hash:net family inet
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-2
-A FORWARD -j logpass-1
-A FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
......@@ -651,6 +695,9 @@ hash:net family inet
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-1
-A INPUT -j logdrop-2
-A INPUT -j logpass-1
-A INPUT -p tcp --sport 80 -j ACCEPT
-A INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
......@@ -677,6 +724,10 @@ hash:net family inet
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-2
-A OUTPUT -j logpass-1
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
......@@ -694,11 +745,16 @@ hash:net family inet
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
-A logaccept-0 -m limit --limit 1/second -j LOG
-A logaccept-0 -j ACCEPT
-A logaccept-1 -m limit --limit 12/minute -j ULOG
-A logaccept-1 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -m limit --limit 12/minute -j ULOG
-A logdrop-2 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
......@@ -761,8 +817,10 @@ COMMIT
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logpass-0 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT
......@@ -777,6 +835,8 @@ COMMIT
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-2
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
......@@ -817,6 +877,8 @@ COMMIT
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-1
-A INPUT -j logdrop-2
-A INPUT -p tcp --sport 80 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
......@@ -837,6 +899,8 @@ COMMIT
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-2
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
......@@ -849,10 +913,12 @@ COMMIT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
-A logaccept-0 -m limit --limit 1/second -j LOG
-A logaccept-0 -j ACCEPT
-A logaccept-1 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
COMMIT
*mangle
......
......@@ -5,9 +5,12 @@
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
......@@ -21,6 +24,9 @@
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-2
-A FORWARD -j logpass-1
-A FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
......@@ -91,6 +97,9 @@
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-1
-A INPUT -j logdrop-2
-A INPUT -j logpass-1
-A INPUT -p tcp --sport 80 -j ACCEPT
-A INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
......@@ -117,6 +126,10 @@
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-2
-A OUTPUT -j logpass-1
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
......@@ -134,11 +147,16 @@
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
-A logaccept-0 -m limit --limit 1/second -j LOG
-A logaccept-0 -j ACCEPT
-A logaccept-1 -m limit --limit 12/minute -j ULOG
-A logaccept-1 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -m limit --limit 12/minute -j ULOG
-A logdrop-2 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
......
......@@ -5,8 +5,10 @@
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logpass-0 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT
......@@ -21,6 +23,8 @@
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-2
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
......@@ -61,6 +65,8 @@
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-1
-A INPUT -j logdrop-2
-A INPUT -p tcp --sport 80 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
......@@ -81,6 +87,8 @@
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-2
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
......@@ -93,10 +101,12 @@
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
-A logaccept-0 -m limit --limit 1/second -j LOG
-A logaccept-0 -j ACCEPT
-A logaccept-1 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
COMMIT
*mangle
......
......@@ -130,7 +130,42 @@ Filter 12 {"action":"pass","log":"none"}
inet6/filter/INPUT
inet6/filter/OUTPUT
Filter 13 {"in":["_fw","A"]}
Filter 13 {"log":"ulog"}
(log)
inet/filter/FORWARD -j logaccept-1
inet/filter/INPUT -j logaccept-1
inet/filter/OUTPUT -j logaccept-1
inet/filter/logaccept-1 -m limit --limit 12/minute -j ULOG
inet/filter/logaccept-1 -j ACCEPT
inet6/filter/FORWARD -j logaccept-1
inet6/filter/INPUT -j logaccept-1
inet6/filter/OUTPUT -j logaccept-1
inet6/filter/logaccept-1 -j ACCEPT
Filter 14 {"action":"drop","log":"ulog"}
(log)
inet/filter/FORWARD -j logdrop-2
inet/filter/INPUT -j logdrop-2
inet/filter/OUTPUT -j logdrop-2
inet/filter/logdrop-2 -m limit --limit 12/minute -j ULOG
inet/filter/logdrop-2 -j DROP
inet6/filter/FORWARD -j logdrop-2
inet6/filter/INPUT -j logdrop-2
inet6/filter/OUTPUT -j logdrop-2
inet6/filter/logdrop-2 -j DROP
Filter 15 {"action":"pass","log":"ulog"}
(log)
inet/filter/FORWARD -j logpass-1
inet/filter/INPUT -j logpass-1
inet/filter/OUTPUT -j logpass-1
inet/filter/logpass-1 -m limit --limit 12/minute -j ULOG
Filter 16 {"action":"pass","in":"_fw","log":"ulog"}
(log)
inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
Filter 17 {"in":["_fw","A"]}
(zone)
inet/filter/FORWARD -i eth0 -j ACCEPT
inet/filter/INPUT -i eth0 -j ACCEPT
......@@ -139,12 +174,12 @@ Filter 13 {"in":["_fw","A"]}
inet6/filter/INPUT -i eth0 -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 14 {"in":"B","out":"C"}
Filter 18 {"in":"B","out":"C"}
(zone)
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
Filter 15 {"out":["_fw","B"]}
Filter 19 {"out":["_fw","B"]}
(zone)
inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
inet/filter/INPUT -j ACCEPT
......@@ -153,7 +188,7 @@ Filter 15 {"out":["_fw","B"]}
inet6/filter/INPUT -j ACCEPT
inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
Filter 16 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
Filter 20 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
(zone)
inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
......@@ -245,6 +280,9 @@ Log _default {"limit":1}
Log none {"mode":"none"}
(log)
Log ulog {"limit":{"interval":5},"mode":"ulog"}
(log)
Mark 1 {"in":["_fw","A"],"mark":1}
(zone)
......@@ -511,9 +549,12 @@ hash:net family inet
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]