summaryrefslogtreecommitdiff
path: root/sentinel-fwlogs/files/sentinel-firewall.sh
diff options
context:
space:
mode:
Diffstat (limited to 'sentinel-fwlogs/files/sentinel-firewall.sh')
-rwxr-xr-xsentinel-fwlogs/files/sentinel-firewall.sh37
1 files changed, 37 insertions, 0 deletions
diff --git a/sentinel-fwlogs/files/sentinel-firewall.sh b/sentinel-fwlogs/files/sentinel-firewall.sh
new file mode 100755
index 0000000..e066b16
--- /dev/null
+++ b/sentinel-fwlogs/files/sentinel-firewall.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+set -e
+. "${0%/*}/common.sh"
+. /lib/functions.sh
+. /lib/functions/sentinel.sh
+. /usr/libexec/sentinel/fwlogs-defaults.sh
+
+allowed_to_run "fwlogs" 2>/dev/null || return 0
+
+
+config_load "sentinel"
+config_get nflog_group fwlogs nflog_group "$DEFAULT_NFLOG_GROUP"
+config_get nflog_threshold fwlogs nflog_threshold "$DEFAULT_NFLOG_THRESHOLD"
+
+
+fwlogs_logging() {
+ local config_section="$1"
+ local zone enabled
+ config_get zone "$config_section" "name"
+ config_get_bool enabled "$config_section" "sentinel_fwlogs" "0"
+ [ "$enabled" = "1" ] || return 0
+
+ report_operation "Logging of zone '$zone'"
+ for fate in DROP REJECT; do
+ local chain="zone_${zone}_src_${fate}"
+ iptables_chain_exists "$chain" || continue
+ report_info "$fate"
+ iptables -I "$chain" 1 \
+ -m comment --comment "!sentinel: fwlogs" \
+ -j NFLOG \
+ --nflog-group "$nflog_group" \
+ --nflog-threshold "$nflog_threshold"
+ done
+}
+
+config_load "firewall"
+config_foreach fwlogs_logging "zone"