Diffstat (limited to 'sentinel-fwlogs')
-rw-r--r--sentinel-fwlogs/Makefile67
-rw-r--r--sentinel-fwlogs/files/defaults.sh2
-rwxr-xr-xsentinel-fwlogs/files/init25
-rwxr-xr-xsentinel-fwlogs/files/restart-proxy-hook.sh5
-rwxr-xr-xsentinel-fwlogs/files/sentinel-firewall.sh37
-rwxr-xr-xsentinel-fwlogs/files/uci-defaults19
6 files changed, 155 insertions, 0 deletions
diff --git a/sentinel-fwlogs/Makefile b/sentinel-fwlogs/Makefile
new file mode 100644
index 0000000..756772f
--- /dev/null
+++ b/sentinel-fwlogs/Makefile
@@ -0,0 +1,67 @@
+#
+## Copyright (C) 2020 CZ.NIC z.s.p.o. (https://www.nic.cz/)
+#
+## This is free software, licensed under the GNU General Public License v3.
+# See /LICENSE for more information.
+# #
+#
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=sentinel-fwlogs
+PKG_VERSION:=0.0.1
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/sentinel/fwlogs.git
+#PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_SOURCE_VERSION:=d72fde6eb20a12ca9a126911f86d5cdd8cac3d10
+
+PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz>
+PKG_LICENSE:=GPL-3.0-or-later
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_BUILD_DEPENDS:=argp-standalone
+
+PKG_FIXUP:=autoreconf
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/sentinel-fwlogs
+ SECTION:=collect
+ CATEGORY:=Collect
+ SUBMENU:=Sentinel
+ TITLE:=FWLogs
+ URL:=https://gitlab.nic.cz/turris/sentinel/fwlogs
+ DEPENDS:=\
+ +czmq \
+ +msgpack-c \
+ +logc +logc-argp \
+ +libnetfilter-log \
+ +sentinel-firewall \
+ +sentinel-proxy
+ PROVIDES:=sentinel-nikola
+ CONFLICTS:=sentinel-nikola
+endef
+
+define Package/sentinel-fwlogs/description
+ Collector of firewall logs using libnetfilter-log for Turris Sentinel.
+endef
+
+define Package/sentinel-fwlogs/install
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/sentinel-fwlogs $(1)/usr/bin/sentinel-fwlogs
+
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) ./files/init $(1)/etc/init.d/sentinel-fwlogs
+
+ $(INSTALL_DIR) $(1)/etc/uci-defaults
+ $(INSTALL_BIN) ./files/uci-defaults $(1)/etc/uci-defaults/99-sentinel-fwlogs
+
+ $(INSTALL_DIR) $(1)/usr/libexec/sentinel/firewall.d
+ $(INSTALL_BIN) ./files/sentinel-firewall.sh $(1)/usr/libexec/sentinel/firewall.d/60-fwlogs.sh
+
+ $(INSTALL_DIR) $(1)/usr/libexec/sentinel/reload_hooks.d
+ $(INSTALL_BIN) ./files/restart-proxy-hook.sh $(1)/usr/libexec/sentinel/reload_hooks.d/50_nikola.sh
+endef
+
+$(eval $(call BuildPackage,sentinel-fwlogs))
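Review bot: `files/defaults.sh` is added by this commit, but `Package/sentinel-fwlogs/install` never installs it, while both `files/init` and `files/sentinel-firewall.sh` source `/usr/libexec/sentinel/fwlogs-defaults.sh`. Unless another package ships that path, the firewall script (which runs under `set -e`) would likely stop at the missing include before inserting any NFLOG rule. The init script would then build the daemon command line with an empty `--nflog-group`. Add `$(INSTALL_DIR) $(1)/usr/libexec/sentinel` and `$(INSTALL_DATA) ./files/defaults.sh $(1)/usr/libexec/sentinel/fwlogs-defaults.sh` to the install block.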
diff --git a/sentinel-fwlogs/files/defaults.sh b/sentinel-fwlogs/files/defaults.sh
new file mode 100644
index 0000000..78345b4
--- /dev/null
+++ b/sentinel-fwlogs/files/defaults.sh
@@ -0,0 +1,2 @@
+DEFAULT_NFLOG_GROUP="1914"
+DEFAULT_NFLOG_THRESHOLD="32"
diff --git a/sentinel-fwlogs/files/init b/sentinel-fwlogs/files/init
new file mode 100755
index 0000000..955b333
--- /dev/null
+++ b/sentinel-fwlogs/files/init
@@ -0,0 +1,25 @@
+#!/bin/sh /etc/rc.common
+
+USE_PROCD=1
+START=99
+STOP=10
+
+
+start_service() {
+ source /lib/functions/sentinel.sh
+ source /usr/libexec/sentinel/fwlogs-defaults.sh
+ allowed_to_run "fwlogs" || return 1
+
+ config_load sentinel
+ local nflog_group nflog_threshold
+ config_get nflog_group fwlogs nflog_group "$DEFAULT_NFLOG_GROUP"
+
+ procd_open_instance
+ procd_set_param command /usr/bin/sentinel-fwlogs
+ procd_append_param command --nflog-group="$nflog_group"
+ procd_set_param respawn 3600 5 5
+ procd_set_param stdout 1
+ procd_set_param stderr 1
+ procd_set_param file /etc/config/sentinel
+ procd_close_instance
+}
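Review bot: `nflog_group` is read from UCI in `start_service` and passed to the daemon unchecked, so an empty or non-numeric value only surfaces once `sentinel-fwlogs` is already running under procd respawn. A guard before `procd_open_instance`, such as `case "$nflog_group" in ''|*[!0-9]*) return 1 ;; esac`, would fail early and visibly. `nflog_threshold` is declared `local` but never read in this file and can be dropped from that line.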
diff --git a/sentinel-fwlogs/files/restart-proxy-hook.sh b/sentinel-fwlogs/files/restart-proxy-hook.sh
new file mode 100755
index 0000000..938adf4
--- /dev/null
+++ b/sentinel-fwlogs/files/restart-proxy-hook.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+# restart Sentinel:FWLogs service
+/etc/init.d/sentinel-fwlogs restart
+# Apply logging rules
+/etc/init.d/firewall reload
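Review bot: The names do not match what this hook does: the file is `restart-proxy-hook.sh` and the Makefile installs it as `reload_hooks.d/50_nikola.sh`, yet it restarts `sentinel-fwlogs` and reloads the firewall. Either install it under a matching name (for example `50_fwlogs.sh`) or add a comment saying why the nikola name is kept, for instance if it is meant to take the place of the hook from the conflicting `sentinel-nikola` package. There is also no `set -e`, so the exit status is that of the firewall reload alone and a failed service restart goes unnoticed.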
diff --git a/sentinel-fwlogs/files/sentinel-firewall.sh b/sentinel-fwlogs/files/sentinel-firewall.sh
new file mode 100755
index 0000000..e066b16
--- /dev/null
+++ b/sentinel-fwlogs/files/sentinel-firewall.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+set -e
+. "${0%/*}/common.sh"
+. /lib/functions.sh
+. /lib/functions/sentinel.sh
+. /usr/libexec/sentinel/fwlogs-defaults.sh
+
+allowed_to_run "fwlogs" 2>/dev/null || return 0
+
+
+config_load "sentinel"
+config_get nflog_group fwlogs nflog_group "$DEFAULT_NFLOG_GROUP"
+config_get nflog_threshold fwlogs nflog_threshold "$DEFAULT_NFLOG_THRESHOLD"
+
+
+fwlogs_logging() {
+ local config_section="$1"
+ local zone enabled
+ config_get zone "$config_section" "name"
+ config_get_bool enabled "$config_section" "sentinel_fwlogs" "0"
+ [ "$enabled" = "1" ] || return 0
+
+ report_operation "Logging of zone '$zone'"
+ for fate in DROP REJECT; do
+ local chain="zone_${zone}_src_${fate}"
+ iptables_chain_exists "$chain" || continue
+ report_info "$fate"
+ iptables -I "$chain" 1 \
+ -m comment --comment "!sentinel: fwlogs" \
+ -j NFLOG \
+ --nflog-group "$nflog_group" \
+ --nflog-threshold "$nflog_threshold"
+ done
+}
+
+config_load "firewall"
+config_foreach fwlogs_logging "zone"
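Review bot: The NFLOG rule in `fwlogs_logging` is inserted with `iptables` only, so as written dropped or rejected IPv6 traffic in an enabled zone never reaches the collector (unless `common.sh`, which is outside this diff, wraps `iptables` for both address families). If IPv4-only collection is intended, state it above the loop with a comment such as `# IPv4 only; IPv6 DROP/REJECT is not logged`. Otherwise repeat the insert with `ip6tables`. The values of `nflog_group` and `nflog_threshold` also come from UCI without a numeric check, and under `set -e` a rejected value would abort the script at the first failing `iptables` call.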
diff --git a/sentinel-fwlogs/files/uci-defaults b/sentinel-fwlogs/files/uci-defaults
new file mode 100755
index 0000000..c3c2644
--- /dev/null
+++ b/sentinel-fwlogs/files/uci-defaults
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+. /lib/functions/sentinel-firewall.sh
+
+# fwlogs entry in sentinel config
+if [ "$(uci -q get sentinel.fwlogs)" != "fwlogs" ]; then
+ uci -q batch <<EOT
+ delete sentinel.fwlogs
+ set sentinel.fwlogs='fwlogs'
+ commit sentinel.fwlogs
+EOT
+fi
+
+
+# Enable for default interface
+config_firewall_default_enable "sentinel_fwlogs"
+
+# Always reload firewall to use latest version of sentinel-firewall script
+/etc/init.d/firewall reload