-rw-r--r-- | logc/Makefile | 76 | ||||
-rw-r--r-- | sentinel-fwlogs/Makefile | 67 | ||||
-rw-r--r-- | sentinel-fwlogs/files/defaults.sh | 2 | ||||
-rwxr-xr-x | sentinel-fwlogs/files/init | 25 | ||||
-rwxr-xr-x | sentinel-fwlogs/files/restart-proxy-hook.sh | 5 | ||||
-rwxr-xr-x | sentinel-fwlogs/files/sentinel-firewall.sh | 37 | ||||
-rwxr-xr-x | sentinel-fwlogs/files/uci-defaults | 19 |
7 files changed, 231 insertions, 0 deletions
diff --git a/logc/Makefile b/logc/Makefile
new file mode 100644
index 0000000..d8fffcd
--- /dev/null
+++ b/logc/Makefile
@@ -0,0 +1,76 @@
+#
+## Copyright (C) 2020 CZ.NIC z.s.p.o. (https://www.nic.cz/)
+#
+## This is free software, licensed under the GNU General Public License v3.
+# See /LICENSE for more information.
+# #
+#
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=logc
+PKG_VERSION:=0.0.1
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/base64c.git
+#PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_SOURCE_VERSION:=57c3f8db4d55f579411aa46fbcc73fa9e6e2780f
+
+PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz>
+PKG_LICENSE:=MIT
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_INSTALL:=1
+PKG_FIXUP:=autoreconf
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/autotools.mk
+
+define Package/Common
+ SECTION:=libs
+ CATEGORY:=Libraries
+ URL:=https://gitlab.nic.cz/turris/logc.git
+endef
+
+define Package/logc
+ $(call Package/Common)
+ TITLE:=logc
+endef
+
+define Package/logc-argp
+ $(call Package/Common)
+ TITLE:=logc-argp
+endef
+
+define Package/logc/description
+ Logging library for C (LogC)
+endef
+
+define Package/logc-argp/description
+ Argument parsing library for LogC base on argp.
+endef
+
+CONFIGURE_ARGS += \
+ --disable-tests \
+ --disable-linters
+
+define Build/InstallDev
+ $(INSTALL_DIR) $(1)/usr/include
+ $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+
+ $(INSTALL_DIR) $(1)/usr/lib/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/
+endef
+
+define Package/logc/install
+ $(INSTALL_DIR) $(1)/usr/lib/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/liblogc.so* $(1)/usr/lib/
+endef
+
+define Package/logc-argp/install
+ $(INSTALL_DIR) $(1)/usr/lib/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/liblogc_argp.so* $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,logc))
+$(eval $(call BuildPackage,logc-argp))
diff --git a/sentinel-fwlogs/Makefile b/sentinel-fwlogs/Makefile
new file mode 100644
index 0000000..756772f
--- /dev/null
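Review bot: In logc/Makefile, `PKG_SOURCE_URL` points at `https://gitlab.nic.cz/turris/base64c.git` while `Package/Common` declares `URL:=https://gitlab.nic.cz/turris/logc.git`, so the pinned commit is requested from what looks like a different project's repository. This reads like a copy-paste leftover; the line should presumably be `PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/logc.git`. The source is pinned by full commit id, but there is no `PKG_MIRROR_HASH`, so a tarball obtained from a download mirror is not compared against a known digest; add `PKG_MIRROR_HASH:=<sha256 of the generated tarball>` once the URL is corrected. The same missing hash applies to sentinel-fwlogs/Makefile, and `PKG_LICENSE:=MIT` should be confirmed against the upstream LICENSE file, which is not visible here.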
+++ b/sentinel-fwlogs/Makefile
@@ -0,0 +1,67 @@
+#
+## Copyright (C) 2020 CZ.NIC z.s.p.o. (https://www.nic.cz/)
+#
+## This is free software, licensed under the GNU General Public License v3.
+# See /LICENSE for more information.
+# #
+#
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=sentinel-fwlogs
+PKG_VERSION:=0.0.1
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/sentinel/fwlogs.git
+#PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_SOURCE_VERSION:=d72fde6eb20a12ca9a126911f86d5cdd8cac3d10
+
+PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz>
+PKG_LICENSE:=GPL-3.0-or-later
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_BUILD_DEPENDS:=argp-standalone
+
+PKG_FIXUP:=autoreconf
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/sentinel-fwlogs
+ SECTION:=collect
+ CATEGORY:=Collect
+ SUBMENU:=Sentinel
+ TITLE:=FWLogs
+ URL:=https://gitlab.nic.cz/turris/sentinel/fwlogs
+ DEPENDS:=\
+ +czmq \
+ +msgpack-c \
+ +logc +logc-argp \
+ +libnetfilter-log \
+ +sentinel-firewall \
+ +sentinel-proxy
+ PROVIDES:=sentinel-nikola
+ CONFLICTS:=sentinel-nikola
+endef
+
+define Package/sentinel-fwlogs/description
+ Collector of firewall logs using libnetfilter-log for Turris Sentinel.
+endef
+
+define Package/sentinel-fwlogs/install
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/sentinel-fwlogs $(1)/usr/bin/sentinel-fwlogs
+
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) ./files/init $(1)/etc/init.d/sentinel-fwlogs
+
+ $(INSTALL_DIR) $(1)/etc/uci-defaults
+ $(INSTALL_BIN) ./files/uci-defaults $(1)/etc/uci-defaults/99-sentinel-fwlogs
+
+ $(INSTALL_DIR) $(1)/usr/libexec/sentinel/firewall.d
+ $(INSTALL_BIN) ./files/sentinel-firewall.sh $(1)/usr/libexec/sentinel/firewall.d/60-fwlogs.sh
+
+ $(INSTALL_DIR) $(1)/usr/libexec/sentinel/reload_hooks.d
+ $(INSTALL_BIN) ./files/restart-proxy-hook.sh $(1)/usr/libexec/sentinel/reload_hooks.d/50_nikola.sh
+endef
+
+$(eval $(call BuildPackage,sentinel-fwlogs))
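Review bot: `Package/sentinel-fwlogs/install` never installs `files/defaults.sh`, although both `files/init` and `files/sentinel-firewall.sh` in this commit source `/usr/libexec/sentinel/fwlogs-defaults.sh`. Unless another package ships that path, the firewall hook (which runs under `set -e`) would stop at the failed `.` and the NFLOG rules would not be inserted, leaving the collector with nothing to read. Add `$(INSTALL_DATA) ./files/defaults.sh $(1)/usr/libexec/sentinel/fwlogs-defaults.sh` after the `firewall.d` `$(INSTALL_DIR)` line, which already creates the parent directory. The reload hook is installed as `50_nikola.sh`; if that name is kept on purpose to take over the hook of the conflicting `sentinel-nikola` package, a comment saying so would help.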
diff --git a/sentinel-fwlogs/files/defaults.sh b/sentinel-fwlogs/files/defaults.sh
new file mode 100644
index 0000000..78345b4
--- /dev/null
+++ b/sentinel-fwlogs/files/defaults.sh
@@ -0,0 +1,2 @@
+DEFAULT_NFLOG_GROUP="1914"
+DEFAULT_NFLOG_THRESHOLD="32"
diff --git a/sentinel-fwlogs/files/init b/sentinel-fwlogs/files/init
new file mode 100755
index 0000000..955b333
--- /dev/null
+++ b/sentinel-fwlogs/files/init
@@ -0,0 +1,25 @@
+#!/bin/sh /etc/rc.common
+
+USE_PROCD=1
+START=99
+STOP=10
+
+
+start_service() {
+ source /lib/functions/sentinel.sh
+ source /usr/libexec/sentinel/fwlogs-defaults.sh
+ allowed_to_run "fwlogs" || return 1
+
+ config_load sentinel
+ local nflog_group nflog_threshold
+ config_get nflog_group fwlogs nflog_group "$DEFAULT_NFLOG_GROUP"
+
+ procd_open_instance
+ procd_set_param command /usr/bin/sentinel-fwlogs
+ procd_append_param command --nflog-group="$nflog_group"
+ procd_set_param respawn 3600 5 5
+ procd_set_param stdout 1
+ procd_set_param stderr 1
+ procd_set_param file /etc/config/sentinel
+ procd_close_instance
+}
diff --git a/sentinel-fwlogs/files/restart-proxy-hook.sh b/sentinel-fwlogs/files/restart-proxy-hook.sh
new file mode 100755
index 0000000..938adf4
--- /dev/null
+++ b/sentinel-fwlogs/files/restart-proxy-hook.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+# restart Sentinel:FWLogs service
+/etc/init.d/sentinel-fwlogs restart
+# Apply logging rules
+/etc/init.d/firewall reload
diff --git a/sentinel-fwlogs/files/sentinel-firewall.sh b/sentinel-fwlogs/files/sentinel-firewall.sh
new file mode 100755
index 0000000..e066b16
--- /dev/null
+++ b/sentinel-fwlogs/files/sentinel-firewall.sh
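Review bot: In `start_service` of files/init, `nflog_group` is read from the `sentinel` UCI config and passed to the daemon without any check, and `nflog_threshold` is declared `local` but never read. A guard such as `case "$nflog_group" in ''|*[!0-9]*) return 1;; esac` before `procd_open_instance` would stop a malformed value from starting a service that presumably exits at once and gets respawned. The unused local can be dropped. The two `source` lines would be more consistent written with `.`, the form used in `sentinel-firewall.sh` in this same commit.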
@@ -0,0 +1,37 @@
+#!/bin/sh
+set -e
+. "${0%/*}/common.sh"
+. /lib/functions.sh
+. /lib/functions/sentinel.sh
+. /usr/libexec/sentinel/fwlogs-defaults.sh
+
+allowed_to_run "fwlogs" 2>/dev/null || return 0
+
+
+config_load "sentinel"
+config_get nflog_group fwlogs nflog_group "$DEFAULT_NFLOG_GROUP"
+config_get nflog_threshold fwlogs nflog_threshold "$DEFAULT_NFLOG_THRESHOLD"
+
+
+fwlogs_logging() {
+ local config_section="$1"
+ local zone enabled
+ config_get zone "$config_section" "name"
+ config_get_bool enabled "$config_section" "sentinel_fwlogs" "0"
+ [ "$enabled" = "1" ] || return 0
+
+ report_operation "Logging of zone '$zone'"
+ for fate in DROP REJECT; do
+ local chain="zone_${zone}_src_${fate}"
+ iptables_chain_exists "$chain" || continue
+ report_info "$fate"
+ iptables -I "$chain" 1 \
+ -m comment --comment "!sentinel: fwlogs" \
+ -j NFLOG \
+ --nflog-group "$nflog_group" \
+ --nflog-threshold "$nflog_threshold"
+ done
+}
+
+config_load "firewall"
+config_foreach fwlogs_logging "zone"
diff --git a/sentinel-fwlogs/files/uci-defaults b/sentinel-fwlogs/files/uci-defaults
new file mode 100755
index 0000000..c3c2644
--- /dev/null
+++ b/sentinel-fwlogs/files/uci-defaults
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+. /lib/functions/sentinel-firewall.sh
+
+# fwlogs entry in sentinel config
+if [ "$(uci -q get sentinel.fwlogs)" != "fwlogs" ]; then
+ uci -q batch <<EOT
+ delete sentinel.fwlogs
+ set sentinel.fwlogs='fwlogs'
+ commit sentinel.fwlogs
+EOT
+fi
+
+
+# Enable for default interface
+config_firewall_default_enable "sentinel_fwlogs"
+
+# Always reload firewall to use latest version of sentinel-firewall script
+/etc/init.d/firewall reload |
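Review bot: In files/sentinel-firewall.sh, `nflog_group` and `nflog_threshold` are read from the `sentinel` UCI config and handed straight to `iptables` inside `fwlogs_logging`. Because the script runs under `set -e`, a single non-numeric value makes the first `iptables -I` fail and aborts the hook, which may leave the remaining zones without their logging rule. Check each value once after the two `config_get` calls against the pattern `''|*[!0-9]*` and fall back to the matching `DEFAULT_NFLOG_*` value (or exit with a clear message) before any rule is inserted. The loop variable also leaks into the caller's scope; `local fate chain` at the top of the function would contain it.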
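Review bot: In files/uci-defaults, the final `/etc/init.d/firewall reload` runs under `set -e`, so its exit status becomes the script's. As far as I know OpenWrt removes a uci-defaults script only when it returns 0, so a failing reload would leave `99-sentinel-fwlogs` in place to run again on the next boot. If that retry is intended, a comment saying so would help; otherwise `/etc/init.d/firewall reload || true` keeps the one-shot behaviour. A short comment on why `delete sentinel.fwlogs` precedes the `set` (presumably to drop a section of another type) would also make the batch easier to review.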