"Fossies" - the Fresh Open Source Software Archive

Member "aif-2.1.1/share/arno-iptables-firewall/plugins/traffic-accounting-helper" (16 Sep 2020, 8194 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "traffic-accounting-helper": 2.1.0_vs_2.1.1.

    1 # The plugin configuration file
    2 ###############################
    3 PLUGIN_CONF_FILE="traffic-accounting.conf"
    4 
    5 # Preinit return value for success
    6 PLUGIN_RET_VAL=0
    7 
    8 # Define some global variables
    9 VERBOSE=0
   10 
#######################################
# Verify that the environment this plugin needs is in place: both
# accounting chains must already exist in the IPv4 firewall.
# Globals:   none (uses the ip4tables wrapper from the calling environment)
# Arguments: none
# Outputs:   an error line on stderr for the first missing chain
# Returns:   0 when both chains exist, 1 otherwise
#######################################
traffic_accounting_helper_sanity_check()
{
  local chain

  for chain in ACCOUNTING_INPUT_CHAIN ACCOUNTING_OUTPUT_CHAIN; do
    # Listing a chain that does not exist fails; that is the whole test
    if ! ip4tables -nL "$chain" >/dev/null 2>&1; then
      echo "** ERROR: $chain does not exist! **" >&2
      return 1
    fi
  done

  # NOTE: whether the accounting chains are actually hooked into the main
  # INPUT/OUTPUT chains is deliberately not verified here
  return 0
}
   38 
   39 
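#######################################
# Locate the accounting rule in a chain that still matches the address a
# host had last time, swap in the address it has now, and remember the byte
# counter the old rule had collected (read from the listing before the rule
# is replaced).
# Arguments:
#   $1 - listing/replace command: ip4tables or ip6tables
#   $2 - chain to search (ACCOUNTING_INPUT_CHAIN / ACCOUNTING_OUTPUT_CHAIN)
#   $3 - awk field holding the address in "-xnvL" output; the column differs
#        between the source and destination side and between ip4tables and
#        ip6tables (ip6tables -v output has no "opt" column)
#   $4 - match flag for the replacement rule: -s or -d
#   $5 - address the rule currently matches (taken from the accounting log)
#   $6 - address the rule must match from now on
# Globals:
#   EOL (read: line separator supplied by the calling environment)
#   IFS (set to $EOL for the line loop and not restored)
#   ACCT_RULE_BYTES (written: byte counter of the replaced rule, else empty)
# Returns:   0 when a matching rule was found and replaced, 1 otherwise
#######################################
traffic_accounting_helper_replace_rule()
{
  local ipt_cmd="$1" chain="$2" field="$3" match_flag="$4" old_ip="$5" new_ip="$6"
  local rule_no=0 line rule_ip

  ACCT_RULE_BYTES=""

  # The first two lines of the listing are headers; every line after that is
  # one rule, and its position in the listing is the rule number -R expects
  IFS=$EOL
  for line in $("$ipt_cmd" -xnvL "$chain" |sed -e "1,2d"); do
    rule_no=$((rule_no + 1))
    rule_ip="$(printf '%s\n' "$line" |awk -v f="$field" '{ print $f }')"
    if [ "$rule_ip" = "$old_ip" ]; then
      "$ipt_cmd" -R "$chain" "$rule_no" "$match_flag" "$new_ip" -j RETURN
      ACCT_RULE_BYTES="$(printf '%s\n' "$line" |awk '{ print $2 }')"
      return 0
    fi
  done

  return 1
}


#######################################
# Rebuild the accounting rules for every configured host and roll the byte
# counters forward into the accounting log.
# For each host (plus the default routes 0.0.0.0/0 and, with IPv6, ::/0) the
# previous totals are read from the log, the host is resolved, its RETURN
# rules in ACCOUNTING_INPUT_CHAIN/ACCOUNTING_OUTPUT_CHAIN are updated (or
# added when none exist yet) and a fresh "host ip in out" line is written.
# The new log is assembled in a mktemp-created file in the log directory and
# moved into place at the end; the previous log is kept as .old.
# Globals:
#   TRAFFIC_ACCOUNTING_HOSTS, IPV6_SUPPORT, VERBOSE, INDENT, EOL (read)
#   host_ip (written by get_dynamic_host_cached, read here)
#   IFS (modified and not restored)
#   ACCT_RULE_BYTES (written by traffic_accounting_helper_replace_rule)
# Arguments: none
# Outputs:   progress on stdout, warnings/errors on stderr
# Returns:   0 when every host was processed; 1 when the temporary file could
#            not be created or at least one host had to be skipped
#######################################
traffic_accounting_helper_do_work()
{
  local RETVAL=0
  local log_dir="/var/log"
  local log_file="$log_dir/traffic-accounting.log"
  local new_file default_addr ipt_cmd in_field="" out_field=""
  local host old_entry old_ip old_in_value old_out_value
  local mon_host_ip ipt_in_value ipt_out_value new_in_value new_out_value

  # Make sure there is a log to read previous totals from
  touch "$log_file"

  # Assemble the new log under an unpredictable, freshly created name in the
  # log directory itself: a fixed path in /tmp could be pre-created (or
  # symlinked) by any local user before this root-run code writes to it, and
  # staying on the same filesystem keeps the final mv atomic.
  # NOTE: mktemp creates the file mode 0600; add a chmod here if something
  # other than root has to read the rotated log.
  new_file="$(mktemp "$log_dir/traffic-accounting.new.XXXXXX")" || new_file=""
  if [ -z "$new_file" ]; then
    echo "** ERROR: Unable to create temporary accounting file in $log_dir! **" >&2
    return 1
  fi

  if [ "$VERBOSE" = "1" ]; then
    echo "${INDENT}Traffic Accounting Hosts:"
    echo "${INDENT}-------------------------"
  fi

  # The default unicast routes are always accounted as well
  default_addr="0.0.0.0/0"
  if [ "$IPV6_SUPPORT" = "1" ]; then
    default_addr="$default_addr ::/0"
  fi

  IFS=' ,'
  for host in $TRAFFIC_ACCOUNTING_HOSTS $default_addr; do
    # Previous totals: exact match on the first (host) field, so that dots
    # and other regex characters in names or addresses are taken literally
    old_entry="$(awk -v h="$host" '$1 == h' "$log_file")"
    old_ip="$(printf '%s\n' "$old_entry" |cut -s -d' ' -f2)"
    old_in_value="$(printf '%s\n' "$old_entry" |cut -s -d' ' -f3)"
    old_out_value="$(printf '%s\n' "$old_entry" |cut -s -d' ' -f4)"

    # Missing counters start at zero. A counter that is not a plain number
    # (corrupt line, or several log lines for one host because it resolved
    # to several addresses) is reported and reset as well, instead of
    # aborting the arithmetic further down.
    # TODO(review): confirm multi-address hosts are meant to restart at zero
    case "$old_in_value" in
    '') old_in_value=0 ;;
    *[!0-9]*)
      echo "** WARNING: Ignoring unusable input counter for \"$host\" **" >&2
      old_in_value=0
      ;;
    esac
    case "$old_out_value" in
    '') old_out_value=0 ;;
    *[!0-9]*)
      echo "** WARNING: Ignoring unusable output counter for \"$host\" **" >&2
      old_out_value=0
      ;;
    esac

    # Resolve the host (cached when possible); the result lands in $host_ip
    if ! get_dynamic_host_cached "$host" || [ -z "$host_ip" ]; then
      echo "** WARNING: Skipping rule for \"$host\"! **" >&2
      RETVAL=1
      continue
    fi

    IFS=' ,'
    for mon_host_ip in $host_ip; do
      printf '%sMonitoring host "%s" with IP: %s\n' "$INDENT" "$host" "$mon_host_ip"
      if [ "$VERBOSE" = "1" ]; then
        printf '%sold_ip=%s host_ip=%s ' "$INDENT" "$old_ip" "$mon_host_ip"
      fi

      # Only when the log knows a previous address is there a rule to update;
      # the address family then decides which tool lists the chain and in
      # which column of its output the address appears
      ipt_cmd=""
      if [ -n "$old_ip" ]; then
        get_numeric_ip_version "$mon_host_ip"
        case $? in
        4)
          ipt_cmd="ip4tables"
          in_field=8
          out_field=9
          ;;
        6)
          if [ "$IPV6_SUPPORT" = "1" ]; then
            ipt_cmd="ip6tables"
            in_field=7
            out_field=8
          fi
          ;;
        esac
      fi

      # Input chain (traffic from the host): update the existing rule when
      # one is found, otherwise add one. Default routes are appended while
      # specific hosts go to the top, as a catch-all RETURN at position 1
      # would swallow every packet's bytes. The add uses "iptables" as the
      # framework provides it — presumably its family-independent wrapper.
      if [ -n "$ipt_cmd" ] && traffic_accounting_helper_replace_rule "$ipt_cmd" ACCOUNTING_INPUT_CHAIN "$in_field" -s "$old_ip" "$mon_host_ip"; then
        ipt_in_value="$ACCT_RULE_BYTES"
        if [ "$VERBOSE" = "1" ]; then
          printf "in_action=update "
        fi
      else
        if [ "$VERBOSE" = "1" ]; then
          printf "in_action=add "
        fi
        if [ "$mon_host_ip" = "0.0.0.0/0" ] || [ "$mon_host_ip" = "::/0" ]; then
          iptables -A ACCOUNTING_INPUT_CHAIN -s "$mon_host_ip" -j RETURN
        else
          iptables -I ACCOUNTING_INPUT_CHAIN 1 -s "$mon_host_ip" -j RETURN
        fi
        # A brand-new rule has counted nothing yet
        ipt_in_value=0
      fi

      # Output chain (traffic to the host): same procedure with -d
      if [ -n "$ipt_cmd" ] && traffic_accounting_helper_replace_rule "$ipt_cmd" ACCOUNTING_OUTPUT_CHAIN "$out_field" -d "$old_ip" "$mon_host_ip"; then
        ipt_out_value="$ACCT_RULE_BYTES"
        if [ "$VERBOSE" = "1" ]; then
          printf "out_action=update "
        fi
      else
        if [ "$VERBOSE" = "1" ]; then
          printf "out_action=add "
        fi
        if [ "$mon_host_ip" = "0.0.0.0/0" ] || [ "$mon_host_ip" = "::/0" ]; then
          iptables -A ACCOUNTING_OUTPUT_CHAIN -d "$mon_host_ip" -j RETURN
        else
          iptables -I ACCOUNTING_OUTPUT_CHAIN 1 -d "$mon_host_ip" -j RETURN
        fi
        # A brand-new rule has counted nothing yet
        ipt_out_value=0
      fi

      # Roll the counters read from the (now replaced) rules into the totals
      new_in_value=$((old_in_value + ipt_in_value))
      new_out_value=$((old_out_value + ipt_out_value))
      if [ "$VERBOSE" = "1" ]; then
        printf 'old_in_val=%s ipt_in_val=%s new_in_val=%s old_out_val=%s ipt_out_val=%s new_out_val=%s' \
          "$old_in_value" "$ipt_in_value" "$new_in_value" \
          "$old_out_value" "$ipt_out_value" "$new_out_value"
      fi

      # One "host ip in out" line per monitored address
      printf '%s %s %s %s\n' "$host" "$mon_host_ip" "$new_in_value" "$new_out_value" >>"$new_file"

      if [ "$VERBOSE" = "1" ]; then
        printf "\n\n"
      fi
    done
  done

  # Rotate: the previous log survives one round as .old
  # FIXME: Don't use old-file
  if [ -f "$log_file" ]; then
    rm -f "$log_file.old"
    mv "$log_file" "$log_file.old"
  fi
  mv "$new_file" "$log_file"

  return $RETVAL
}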
  252 
  253 
############
# Mainline #
############

# "-v" or "--verbose" as the first argument turns on progress output
case "$1" in
  -v|--verbose) VERBOSE=1 ;;
esac

# The config file lives under the path the framework hands us; without
# that path there is nothing to load
CONF_FILE=""
[ -z "$PLUGIN_CONF_PATH" ] || CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"

if [ ! -f "$CONF_FILE" ]; then
  echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2
  PLUGIN_RET_VAL=1
else
  # The config is sourced, i.e. executed as shell code with this script's
  # privileges, so its ownership and permissions matter as much as this
  # script's own
  . "$CONF_FILE"

  # Rules are only created once the environment checks out
  if ! traffic_accounting_helper_sanity_check; then
    PLUGIN_RET_VAL=1
  elif ! traffic_accounting_helper_do_work; then
    PLUGIN_RET_VAL=1
  fi
fi