# Plugin configuration file name; it is looked up below PLUGIN_CONF_PATH
# by the mainline at the bottom of this file
###############################
PLUGIN_CONF_FILE="traffic-accounting.conf"

# Preinit return value: 0 means success, the mainline sets it to 1 on any failure
PLUGIN_RET_VAL=0

# Global defaults: verbose per-host diagnostics are off unless -v/--verbose is given
VERBOSE=0
10
# Check sanity of eg. environment
#######################################
# Verify that the two accounting chains this plugin fills exist.
# Only the IPv4 tables are consulted (via ip4tables); the IPv6 chains are
# not checked here.
# Globals:   none written
# Outputs:   one error line on stderr for the first missing chain
# Returns:   0 if ACCOUNTING_INPUT_CHAIN and ACCOUNTING_OUTPUT_CHAIN exist,
#            1 otherwise
#######################################
traffic_accounting_helper_sanity_check()
{
  local chain

  # ip4tables -nL fails on an unknown chain, which is all we need to know
  for chain in ACCOUNTING_INPUT_CHAIN ACCOUNTING_OUTPUT_CHAIN; do
    if ! ip4tables -nL "$chain" >/dev/null 2>&1; then
      echo "** ERROR: $chain does not exist! **" >&2
      return 1
    fi
  done

  # Check if chains inserted in the main chains (left disabled by the author)
  # if ! ip4tables -nL INPUT |grep -q '^ACCOUNTING_INPUT_CHAIN '; then
  #   echo "** ERROR: ACCOUNTING_INPUT_CHAIN is not inserted in the INPUT chain! **" >&2
  #   return 1
  # fi

  # if ! ip4tables -nL OUTPUT |grep -q '^ACCOUNTING_OUTPUT_CHAIN '; then
  #   echo "** ERROR: ACCOUNTING_OUTPUT_CHAIN is not inserted in the OUTPUT chain! **" >&2
  #   return 1
  # fi

  return 0
}
38
39
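#######################################
# Find the accounting rule for old_ip in a chain and replace it in place
# with a rule for new_ip, so the rule keeps its position.
# Arguments: $1 - IP recorded for the host in the accounting log
#            $2 - IP the host resolves to now
#            $3 - chain name (ACCOUNTING_INPUT_CHAIN / ACCOUNTING_OUTPUT_CHAIN)
#            $4 - address flag, -s (input chain) or -d (output chain)
# Globals:   IPV6_SUPPORT, EOL (read); ipt_rule_value (written: byte counter
#            of the replaced rule); IFS is set to $EOL, the caller restores it
# Returns:   0 if a rule was found and replaced, 1 otherwise (unknown IP
#            version, IPv6 without IPV6_SUPPORT, or no rule for old_ip)
#######################################
traffic_accounting_helper_update_rule()
{
  local old_ip="$1" new_ip="$2" chain="$3" flag="$4"
  local ipt_cmd addr_col LINE ipt_ip
  local LCOUNT=0

  # Pick the table and the column holding the rule's address: in the -xnvL
  # listing the IPv4 source is column 8 and the IPv6 source column 7
  # (ip6tables prints one column fewer); the destination is one column further
  get_numeric_ip_version "$new_ip"
  case $? in
    4)
      ipt_cmd=ip4tables
      addr_col=8
      ;;
    6)
      if [ "$IPV6_SUPPORT" != "1" ]; then
        return 1
      fi
      ipt_cmd=ip6tables
      addr_col=7
      ;;
    *)
      return 1
      ;;
  esac
  if [ "$flag" = "-d" ]; then
    addr_col=$((addr_col + 1))
  fi

  # Walk the chain (the first two lines of the listing are headers);
  # LCOUNT is the 1-based rule number that -R expects
  IFS=$EOL
  for LINE in $("$ipt_cmd" -xnvL "$chain" |sed -e "1,2d"); do
    LCOUNT=$((LCOUNT + 1))
    ipt_ip="$(echo "$LINE" |awk -v c="$addr_col" '{ print $c }')"
    if [ "$ipt_ip" = "$old_ip" ]; then
      "$ipt_cmd" -R "$chain" "$LCOUNT" "$flag" "$new_ip" -j RETURN
      # Column 2 of -xnvL is the exact byte counter of the rule we replaced
      ipt_rule_value="$(echo "$LINE" |awk '{ print $2 }')"
      return 0
    fi
  done

  return 1
}

#######################################
# Make sure a chain has a RETURN rule for new_ip and fetch the byte counter
# to add to the host's total: an existing rule for old_ip is replaced in
# place, otherwise a fresh rule is added and the counter is 0.
# Arguments: $1 - IP recorded for the host in the accounting log (may be empty)
#            $2 - IP the host resolves to now
#            $3 - chain name
#            $4 - address flag, -s or -d
#            $5 - label for verbose output ("in" or "out")
# Globals:   VERBOSE (read); ipt_rule_value (written)
# Outputs:   "<label>_action=update " or "<label>_action=add " on stdout
#            when VERBOSE=1
# Returns:   0
#######################################
traffic_accounting_helper_account_chain()
{
  local old_ip="$1" new_ip="$2" chain="$3" flag="$4" label="$5"

  if [ -n "$old_ip" ] && traffic_accounting_helper_update_rule "$old_ip" "$new_ip" "$chain" "$flag"; then
    if [ "$VERBOSE" = "1" ]; then
      printf '%s_action=update ' "$label"
    fi
    return 0
  fi

  if [ "$VERBOSE" = "1" ]; then
    printf '%s_action=add ' "$label"
  fi

  # The catch-all default routes stay last in the chain; a specific host
  # goes in front of them
  if [ "$new_ip" = "0.0.0.0/0" ] || [ "$new_ip" = "::/0" ]; then
    iptables -A "$chain" "$flag" "$new_ip" -j RETURN
  else
    iptables -I "$chain" 1 "$flag" "$new_ip" -j RETURN
  fi

  # Preset value to zero as none exist yet
  ipt_rule_value=0
  return 0
}

#######################################
# Refresh the accounting rules and roll the accounting log.
# For every host in TRAFFIC_ACCOUNTING_HOSTS plus the default routes
# (0.0.0.0/0 and, with IPV6_SUPPORT=1, ::/0) the byte counters of its RETURN
# rules in ACCOUNTING_INPUT_CHAIN / ACCOUNTING_OUTPUT_CHAIN are added to the
# totals stored in /var/log/traffic-accounting.log, the rules are refreshed
# for the host's current IP(s) and a new log line
# "<host> <ip> <in_total> <out_total>" is written.
# Globals:   VERBOSE, INDENT, IPV6_SUPPORT, TRAFFIC_ACCOUNTING_HOSTS (read);
#            host_ip (written by get_dynamic_host_cached); IFS is saved on
#            entry and restored before returning
# Outputs:   progress on stdout, warnings and errors on stderr
# Returns:   0 on success, 1 if the new log file could not be created or
#            any host was skipped because it did not resolve
#######################################
traffic_accounting_helper_do_work()
{
  local RETVAL=0
  local saved_ifs="$IFS"
  local log_file="/var/log/traffic-accounting.log"
  local new_file host mon_host_ip old_entry old_ip old_in_value old_out_value
  local ipt_in_value ipt_out_value new_in_value new_out_value DEFAULT_ADDR

  # Touch the log file (just in case it doesn't exist yet):
  touch "$log_file"

  # Build the new log under an unpredictable name next to the final file:
  # this runs as root, and the previous fixed /tmp/traffic-accounting.new
  # path could be pre-created or symlinked by any local user before it was
  # truncated here. Same directory also makes the final mv an atomic rename.
  # NOTE(review): mktemp creates the file mode 0600 where the old code used
  # the umask; confirm that no non-root reader of the log depends on that.
  if ! new_file="$(mktemp "$log_file.XXXXXX")" || [ -z "$new_file" ]; then
    echo "** ERROR: Unable to create temporary accounting file! **" >&2
    IFS="$saved_ifs"
    return 1
  fi

  if [ "$VERBOSE" = "1" ]; then
    echo "${INDENT}Traffic Accounting Hosts:"
    echo "${INDENT}-------------------------"
  fi

  # Also include default unicast route addresses, (0.0.0.0/0 and ::/0)
  DEFAULT_ADDR="0.0.0.0/0"
  if [ "$IPV6_SUPPORT" = "1" ]; then
    DEFAULT_ADDR="$DEFAULT_ADDR ::/0"
  fi

  IFS=' ,'
  for host in $TRAFFIC_ACCOUNTING_HOSTS $DEFAULT_ADDR; do
    # Previous log line for this host: an exact match on the first field, so
    # the dots in names and addresses are not regex wildcards (the earlier
    # grep "^$host " used the host as a pattern)
    # NOTE(review): a host that resolved to several IPs last run has several
    # lines here and the cut below then yields multi-line values, exactly as
    # with grep before — confirm whether multi-IP hosts are expected here
    old_entry="$(awk -v h="$host" '$1 == h' "$log_file")"
    old_ip="$(echo "$old_entry" |cut -s -d' ' -f2)"
    old_in_value="$(echo "$old_entry" |cut -s -d' ' -f3)"
    old_out_value="$(echo "$old_entry" |cut -s -d' ' -f4)"

    # If value is non-existant make it zero
    if [ -z "$old_in_value" ]; then
      old_in_value=0
    fi
    if [ -z "$old_out_value" ]; then
      old_out_value=0
    fi

    # Get host_ip, if it fails, skip rule
    # Parse/get hostname. Try to use host cache if applicable
    # NOTE: get_dynamic_host_cached returns hostname in $host_ip
    if ! get_dynamic_host_cached "$host" || [ -z "$host_ip" ]; then
      echo "** WARNING: Skipping rule for \"$host\"! **" >&2
      RETVAL=1
      continue
    fi

    IFS=' ,'
    for mon_host_ip in $host_ip; do
      echo "${INDENT}Monitoring host \"$host\" with IP: $mon_host_ip"

      if [ "$VERBOSE" = "1" ]; then
        # Data goes through %s, never into the printf format string
        printf '%sold_ip=%s host_ip=%s ' "$INDENT" "$old_ip" "$mon_host_ip"
      fi

      # Input chain matches the source address, output chain the destination
      traffic_accounting_helper_account_chain "$old_ip" "$mon_host_ip" ACCOUNTING_INPUT_CHAIN -s in
      ipt_in_value="$ipt_rule_value"
      traffic_accounting_helper_account_chain "$old_ip" "$mon_host_ip" ACCOUNTING_OUTPUT_CHAIN -d out
      ipt_out_value="$ipt_rule_value"

      # Add what the rules counted since the last run to the stored totals
      new_in_value=$((old_in_value + ipt_in_value))
      new_out_value=$((old_out_value + ipt_out_value))
      if [ "$VERBOSE" = "1" ]; then
        # Values come from the log and from iptables output: keep them out
        # of the format string
        printf 'old_in_val=%s ipt_in_val=%s new_in_val=%s old_out_val=%s ipt_out_val=%s new_out_val=%s' \
          "$old_in_value" "$ipt_in_value" "$new_in_value" "$old_out_value" "$ipt_out_value" "$new_out_value"
      fi

      # Create entry in accounting file
      echo "$host $mon_host_ip $new_in_value $new_out_value" >>"$new_file"

      if [ "$VERBOSE" = "1" ]; then
        printf "\n\n"
      fi
    done
  done

  # FIXME: Don't use old-file
  if [ -f "$log_file" ]; then
    if [ -f "$log_file.old" ]; then
      rm -f "$log_file.old"
    fi

    mv "$log_file" "$log_file.old"
  fi
  mv "$new_file" "$log_file"

  # Do not leak the IFS changes made above into the caller
  IFS="$saved_ifs"
  return $RETVAL
}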
252
253
############
# Mainline #
############

# -v/--verbose switches on the per-host diagnostics in do_work
if [ "$1" = "-v" ] || [ "$1" = "--verbose" ]; then
  VERBOSE=1
fi

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2
  PLUGIN_RET_VAL=1
else
  # Source the plugin config file. It is executed as shell code, so it must
  # only be writable by root.
  # NOTE(review): presumably the framework that sets PLUGIN_CONF_PATH checks
  # ownership/permissions of the plugin configs — confirm
  . "$CONF_FILE"

  # Only proceed if environment ok, then create the actual rules
  if ! traffic_accounting_helper_sanity_check; then
    PLUGIN_RET_VAL=1
  elif ! traffic_accounting_helper_do_work; then
    PLUGIN_RET_VAL=1
  fi
fi
276 # Only proceed if environment ok
277 if ! traffic_accounting_helper_sanity_check; then
278 PLUGIN_RET_VAL=1
279 else
280 # Create actual rules
281 if ! traffic_accounting_helper_do_work; then
282 PLUGIN_RET_VAL=1
283 fi
284 fi
285 fi