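package HotSaNICmod::OSdep;

# Per-host traffic accounting for a HotSaNIC module, built on two
# packet-filter chains named acct_int and acct_ext.
#
#   init()     creates the chains, adds one counting rule per host and
#              protocol, and hooks the chains into the built-in chains.
#   sample()   lists both chains, diffs the byte counters against the
#              previous listing and passes the deltas to HotSaNICmod::do_rrd.
#   readfile() parses one saved chain listing.
#
# Security notes for maintainers:
#   * Every external command is started from an argument vector, never
#     through a shell, so interface names, host addresses and the
#     IPTABLES setting cannot introduce shell syntax.  They are still
#     passed to the packet-filter tool verbatim, so the module settings
#     must only be writable by the administrator.
#   * The commands change packet-filter state, so this code presumably
#     runs with root privileges -- TODO confirm against the daemon setup.
#   * sample() writes acct_int.dat / acct_ext.dat into VARDIR under fixed
#     names.  VARDIR must not be writable by other local users, otherwise
#     a planted symlink would be followed on write.

use strict;
use warnings;

use lib "../../lib";

# $VERSION is filled in by version().  $IPTABLES is assigned by init(); it
# stays a package variable because the original assigned it globally and
# code outside this file may read it (not visible from here).
our ($VERSION, $IPTABLES);

# Return "<osname>.pm <revision>", the revision being taken from the
# revision-control keyword below.
sub version {
    # Non-greedy extraction: a leading greedy ".*" would swallow the first
    # digits of a multi-digit major revision.
    ($VERSION) = '$Revision: 1.8 $' =~ /(\d+\.\d+)/;
    return "$^O.pm $VERSION";
}

# Split the configured command into words, so a setting that carries a
# wrapper or extra options keeps working the way it did when the string
# was handed to a shell.
sub _command_words {
    my ($command) = @_;
    return () unless defined $command;
    return split(' ', $command);
}

# True when the configured tool is ipchains rather than iptables.
sub _is_ipchains {
    my ($command) = @_;
    return (defined($command) && index($command, 'ipchains') >= 0) ? 1 : 0;
}

# Split a comma-separated setting into its non-empty items.
sub _list_items {
    my ($csv) = @_;
    return () unless defined $csv;
    return grep { $_ ne '' } split(/,/, $csv);
}

# Run the packet-filter tool with @args, output left untouched.  The exit
# status is ignored, as it always was.
sub _run {
    my ($iptables, @args) = @_;
    my @words = _command_words($iptables);
    return unless @words;
    my @cmd = (@words, @args);
    system { $cmd[0] } @cmd;    # block form: never goes through a shell
    return;
}

# Run the packet-filter tool with @args and discard its standard output
# (standard error is left alone).  Failures are ignored on purpose:
# deleting a rule that does not exist is expected to fail.
sub _run_quiet {
    my ($iptables, @args) = @_;
    my @words = _command_words($iptables);
    return unless @words;       # a bare '-|' open would fork; never do that
    if (open(my $pipe, '-|', @words, @args)) {
        while (defined(my $discarded = <$pipe>)) { }
        close($pipe);
    }
    return;
}

# Save the listing of $chain ("-L <chain> -xvn") to $file.  The file is
# rewritten even when the listing could not be produced, which leaves it
# empty.
sub _snapshot {
    my ($iptables, $chain, $file) = @_;
    my @words = _command_words($iptables);
    my @listing;
    if (@words) {
        if (open(my $pipe, '-|', @words, '-L', $chain, '-xvn')) {
            @listing = <$pipe>;
            close($pipe);
        }
        else {
            warn "cannot run $words[0]: $!\n";
        }
    }
    my $out;
    if (!open($out, '>', $file)) {
        warn "cannot write $file: $!\n";
        return;
    }
    print {$out} @listing;
    close($out) or warn "cannot close $file: $!\n";
    return;
}

# Counter difference for one slot; a missing counter counts as 0.
sub _delta {
    my ($now, $before, $slot) = @_;
    my $new = (defined($now)    && defined($now->[$slot]))    ? $now->[$slot]    : 0;
    my $old = (defined($before) && defined($before->[$slot])) ? $before->[$slot] : 0;
    return $new - $old;
}

# Take one sample.
#
# Named arguments: IPTABLES (command to run), VARDIR (directory holding
# the saved listings).
#
# For every host found in the fresh listing of acct_int and acct_ext this
# calls HotSaNICmod::do_rrd("int<host>" or "ext<host>", "U", <time>,
# tcp-in, udp-in, icmp-in, tcp-out, udp-out, icmp-out), the six values
# being byte-counter differences against the previous listing.  "/" in the
# name is replaced by "_".
sub sample {
    my %args     = @_;
    my $iptables = $args{IPTABLES};
    my $vardir   = defined($args{VARDIR}) ? $args{VARDIR} : '';

    my @sides   = ('int', 'ext');
    my %file_of = map { ($_, "$vardir/acct_$_.dat") } @sides;

    # First run: no previous listing yet, so create one to diff against.
    if (grep { !-e $file_of{$_} } @sides) {
        for my $side (@sides) {
            _snapshot($iptables, "acct_$side", $file_of{$side});
        }
    }

    my (%old, %new);
    for my $side (@sides) {
        $old{$side} = { readfile($file_of{$side}, $iptables) };
    }
    for my $side (@sides) {
        _snapshot($iptables, "acct_$side", $file_of{$side});
    }
    for my $side (@sides) {
        $new{$side} = { readfile($file_of{$side}, $iptables) };
    }

    my $time = time;
    for my $side (@sides) {
        my ($now, $before) = ($new{$side}, $old{$side});
        for my $addr (sort keys %{$now}) {
            # Odd slots are reported as "in", even slots as "out".
            # NOTE(review): a delta is negative when the counters were
            # reset since the last listing; it is passed on unchanged.
            my @delta = map { _delta($now->{$addr}, $before->{$addr}, $_) }
                (3, 5, 7, 4, 6, 8);
            my $name = "$side$addr";
            $name =~ s{/}{_}g;
            HotSaNICmod::do_rrd($name, "U", $time, @delta);
        }
    }
    return;
}

# Add ($action '-I') or remove ($action '-D') the jump to $chain for one
# interface in every built-in chain this module hooks into.
sub _hook_chain {
    my ($iptables, $legacy, $action, $chain, $dev) = @_;
    my @hooks = $legacy
        ? (['input', '-i'], ['output', '-i'])
        : (['INPUT', '-i'], ['OUTPUT', '-o'], ['FORWARD', '-i'], ['FORWARD', '-o']);
    for my $hook (@hooks) {
        my ($builtin, $flag) = @{$hook};
        _run_quiet($iptables, $action, $builtin, $flag, $dev, '-j', $chain);
    }
    return;
}

# Append the counting rules for every host in $items to $chain: one rule
# with the host as source and one with it as destination, for each of
# tcp, udp, icmp and all.  Each item is "host,maxin,maxout,descr"; only
# the host is used here.  The host is passed as ONE argument.
sub _add_targets {
    my ($iptables, $chain, $items) = @_;
    return unless ref($items) eq 'ARRAY';
    for my $item (@{$items}) {
        next unless defined $item;
        my ($host) = split(/,/, $item);
        next unless defined($host) && $host ne '';
        HotSaNIClog::info(" $host");
        for my $proto ('tcp', 'udp', 'icmp', 'all') {
            _run($iptables, '-A', $chain, '-s', $host, '-p', $proto);
            _run($iptables, '-A', $chain, '-d', $host, '-p', $proto);
        }
    }
    return;
}

# (Re)build the accounting chains.
#
# Named arguments: IPTABLES (command; its absence is reported through
# HotSaNICmod::dupe_control), MODNAME, EXTIF and INTIF (comma-separated
# interface names), DEVEXT and DEVINT (array refs of
# "host,maxin,maxout,descr" strings).
#
# Existing hooks and chains are removed first, so the byte counters start
# again from zero.
sub init {
    my %args = @_;
    if (!defined $args{IPTABLES}) {
        HotSaNICmod::dupe_control("die", $args{MODNAME}, "IPTABLES missing in module settings...");
    }
    $IPTABLES = $args{IPTABLES};
    my $legacy = _is_ipchains($IPTABLES);

    my %devices_of = (
        acct_ext => [ _list_items($args{EXTIF}) ],
        acct_int => [ _list_items($args{INTIF}) ],
    );

    HotSaNIClog::info("clearing old accounting chains");
    for my $chain ('acct_ext', 'acct_int') {
        for my $dev (@{ $devices_of{$chain} }) {
            _hook_chain($IPTABLES, $legacy, '-D', $chain, $dev);
        }
        _run_quiet($IPTABLES, '-F', $chain);
        _run_quiet($IPTABLES, '-X', $chain);
    }

    HotSaNIClog::info("setting up accounting chains");
    _run_quiet($IPTABLES, '-N', 'acct_ext');
    _run_quiet($IPTABLES, '-N', 'acct_int');

    # Accounting for the hosts of the local subnet.
    HotSaNIClog::info("accounting for local targets");
    _add_targets($IPTABLES, 'acct_int', $args{DEVINT});

    # Accounting for the external hosts and networks.
    HotSaNIClog::info("accounting for externel targets");
    _add_targets($IPTABLES, 'acct_ext', $args{DEVEXT});

    HotSaNIClog::info("linking accounting chains to INPUT/OUTPUT chain");
    for my $chain ('acct_ext', 'acct_int') {
        for my $dev (@{ $devices_of{$chain} }) {
            _hook_chain($IPTABLES, $legacy, '-I', $chain, $dev);
        }
    }

    # The original ended on this call, so its value is still what init
    # returns.
    return HotSaNIClog::info("All done! - accounting should be running now!");
}

# Parse one saved chain listing.
#
# Arguments: the file name and the configured command (used only to tell
# ipchains from iptables).
#
# Returns a hash: host address => array of byte counters.  The slot is
# 1 (all), 3 (tcp), 5 (udp) or 7 (icmp), plus 1 when the host is the
# destination of the rule.  A rule is attributed to a host when its other
# side is "0.0.0.0/0".  An unreadable file yields an empty hash.
#
# Rows are self-contained: a blank line, an unknown protocol or a rule
# with two specific addresses is skipped instead of being written into
# the slot of the row before it.
sub readfile {
    my ($file, $IPTABLES) = @_;
    my %hash;
    my %slot_of = (all => 1, tcp => 3, udp => 5, icmp => 7);

    # Column count of a row that has a target.  iptables: pkts bytes
    # target prot opt in out source destination.  The ipchains count is
    # taken from the original's field list -- NOTE(review): not checked
    # against real ipchains output.
    my $columns = _is_ipchains($IPTABLES) ? 10 : 9;

    # Three-argument open: the file name can never be read as a mode or
    # a command.
    my $listing;
    if (!open($listing, '<', $file)) {
        warn "readfile: cannot open $file: $!\n";
        return %hash;
    }
    while (my $line = <$listing>) {
        chomp $line;
        my @field = split(' ', $line);
        next if @field < 2;
        my ($pkt, $bytes) = @field[0, 1];
        next unless $pkt =~ /\A[0-9]+\z/ && $bytes =~ /\A[0-9]+\z/;

        # Counting rules have no target, which leaves that column out of
        # the row; put it back so the other columns line up.
        splice(@field, 2, 0, '') if @field < $columns;

        my ($proto, $src, $dst) = @field[3, $columns - 2, $columns - 1];
        next unless defined($proto) && defined($src) && defined($dst);

        my ($ip, $dir);
        if    ($src eq '0.0.0.0/0') { ($ip, $dir) = ($dst, 1); }
        elsif ($dst eq '0.0.0.0/0') { ($ip, $dir) = ($src, 0); }
        next unless defined($ip) && $ip ne '';

        my $slot = $slot_of{$proto};
        next unless defined $slot;

        $hash{$ip}[$slot + $dir] = $bytes;
    }
    close($listing);
    return %hash;
}

1;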