#!/bin/bash
# $Header:$
# IFACE = Logical interface name
# MODE = start | stop
# IF_METHOD = manual, otherwise exit!
# IF_DEVICE = device name
# IF_IP_ACCOUNTING = "output-packets"
#
# This script is an example of the incredible flexibility this interface
# initialization scheme gives you.
#
# At the site where this was developed, Linux is in use in IP routers. To
# retrieve accounting data that is compatible with cisco's "ip accounting
# output-packets", which might be retrieved in other parts of the network,
# ulog-acctd (also available as a Debian package) is used. Packets that
# should go into ip accounting need to be sent to the ULOG target with
# appropriate parameters. This script sets this up. Parts of the packet
# filtering mechanism may retrieve data from the state file to do their
# part in setting up the packet filtering and accounting apparatus.

. /etc/network/ifupdown-scripts-zg2.d/common-functions

# only do something if method manual
[ "$IF_METHOD" == "manual" ] || exit 0

# exit if no ip-accounting statement is present
[ -z "$IF_IP_ACCOUNTING" ] && exit 0

iptables_accounting_rule()
{
    local ITF
    local MODE
    ITF="$1"
    MODE="$2"

    # these are the parameters for proper accounting of IPv4 packets
    # with a prefix of "a"
    ULOG_PARM="--jump ULOG --ulog-qthreshold 40 --ulog-cprange 44 --ulog-prefix a"

    # create new chain ulog, don't barf if it already exists
    cmd --no-errors "iptables --new-chain ulog 2>/dev/null"
    if [ $? -eq 3 ]; then
        echo >&2 "ERR: no iptables support in kernel. ip accounting will not work."
        return 3
    fi

    # remove all rules in the ulog chain that reference "our" interface
    # as outgoing interface (loop until iptables reports no matching rule,
    # so repeated runs never leave duplicate rules behind)
    while cmd --no-errors "iptables --delete ulog --out-int $ITF $ULOG_PARM 2>/dev/null"; do true; done
    while cmd --no-errors "iptables --delete ulog --out-int $ITF --jump RETURN 2>/dev/null"; do true; done

    if [ "$MODE" == "add" ]; then
        # if we need to add accounting rules, insert them at the top of the
        # ulog chain. Sending the packet to the ULOG target does not stop its
        # processing, so we explicitly RETURN to avoid processing other rules.
        cmd "iptables --insert ulog 1 --out-int $ITF $ULOG_PARM"
        cmd "iptables --insert ulog 2 --out-int $ITF --jump RETURN"
    elif [ "$MODE" == "del" ]; then
        # we have already deleted the rules
        true
    else
        echo >&2 "ERR: wrong parameter $MODE given to iptables_accounting_rule"
        exit 1
    fi
}

case "$MODE" in
    start)
        add_down "ip-accounting" "$IF_IP_ACCOUNTING"
        if [ "$IF_IP_ACCOUNTING" == "output-packets" ]; then
            iptables_accounting_rule $IF_DEVICE add
            if [ $? -eq 3 ]; then
                exit 3
            fi
            add_down "ip-accounting-rule-itf" "$IF_DEVICE"
        fi
        ;;
    stop)
        ITF=$(get_down "ip-accounting-rule-itf")
        cmd "iptables_accounting_rule $ITF del"
        exec_down "ip-accounting" ""
        exec_down "ip-accounting-rule-itf" ""
        ;;
    *)
        ;;
esac
# end of file
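The script above relies on two invariants in the `ulog` chain: every ULOG rule for an interface is immediately followed by a RETURN rule for the same interface (ULOG does not terminate rule processing), and the delete-until-gone loops keep the chain free of duplicate rules when the interface is brought up repeatedly. The following audit script is an added example, not part of ifupdown-scripts-zg2 or ulog-acctd; it reads a chain dump in `iptables -S ulog` format from stdin and reports any rule that breaks either invariant. The function name `audit_ulog_chain` and the sample dumps `GOOD_CHAIN` and `BAD_CHAIN` are constructed for this example (the option order in the sample lines is an assumption, so the parser only looks for `-o` and `-j`, not for a fixed column layout).

```shell
#!/bin/sh
# Added example (not from ifupdown-scripts-zg2): audit a dumped "ulog" chain.
# Input on stdin: lines as printed by "iptables -S ulog".
# Exit status 0 if the chain is consistent, 1 if any problem was reported.
audit_ulog_chain() {
    awk '
        $1 != "-A" { next }          # ignore -N/-P lines, keep only rules
        {
            itf = ""; target = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "-o") itf = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # a ULOG rule seen on the previous line must be closed by RETURN now
            if (pending != "") {
                if (target == "RETURN" && itf == pending) { pending = ""; next }
                print "ULOG rule for " pending " not immediately followed by RETURN"
                bad++; pending = ""
            }
            if (target == "ULOG") {
                if (itf == "") { print "ULOG rule without --out-int: " $0; bad++ }
                else if (seen[itf]++) { print "duplicate ULOG rule for " itf; bad++ }
                pending = itf
            }
        }
        END {
            if (pending != "") { print "ULOG rule for " pending " at end of chain without RETURN"; bad++ }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample dump: what the script leaves behind for eth0 and eth1.
GOOD_CHAIN='-N ulog
-A ulog -o eth0 -j ULOG --ulog-prefix "a" --ulog-cprange 44 --ulog-qthreshold 40
-A ulog -o eth0 -j RETURN
-A ulog -o eth1 -j ULOG --ulog-prefix "a" --ulog-cprange 44 --ulog-qthreshold 40
-A ulog -o eth1 -j RETURN'

# Constructed sample dump with two defects: eth0 lacks its RETURN (packets
# would fall through to later rules) and eth1 was accounted twice.
BAD_CHAIN='-N ulog
-A ulog -o eth0 -j ULOG --ulog-prefix "a" --ulog-cprange 44 --ulog-qthreshold 40
-A ulog -o eth1 -j ULOG --ulog-prefix "a" --ulog-cprange 44 --ulog-qthreshold 40
-A ulog -o eth1 -j RETURN
-A ulog -o eth1 -j ULOG --ulog-prefix "a" --ulog-cprange 44 --ulog-qthreshold 40
-A ulog -o eth1 -j RETURN'

# Demo on the constructed samples; on a router the live check would be:
#   iptables -S ulog | audit_ulog_chain
printf '%s\n' "$GOOD_CHAIN" | audit_ulog_chain && echo "good chain: OK"
printf '%s\n' "$BAD_CHAIN"  | audit_ulog_chain || echo "bad chain: problems found"
```

Running the audit from a monitoring job (or right after `ifup`) catches the case the script itself cannot see: a later rule change by another tool that removed a RETURN line, which would make accounted packets continue down the chain.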