-rw-r--r-- | Makefile | 10 | ||||
-rw-r--r-- | debian/changelog | 6 | ||||
-rw-r--r-- | debian/compat | 1 | ||||
-rw-r--r-- | debian/control | 15 | ||||
-rw-r--r-- | debian/copyright | 2 | ||||
-rw-r--r-- | debian/fswarn.postinst | 18 | ||||
-rw-r--r-- | debian/fswarn.postrm | 15 | ||||
-rwxr-xr-x | debian/rules | 4 | ||||
-rw-r--r-- | debian/source/format | 1 | ||||
-rw-r--r-- | etc/cron.d/iptables-rrdtool | 2 | ||||
-rw-r--r-- | etc/default/iptables-rrdtool | 11 | ||||
-rw-r--r-- | sbin/iptables-rrdtool | 51 |
12 files changed, 136 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..d8779b4
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,10 @@
+build:
+
+install:
+ install -o root -g root -m 755 -d $(DESTDIR)/etc/cron.d
+ install -o root -g root -m 755 -d $(DESTDIR)/etc/default
+ install -o root -g root -m 755 -d $(DESTDIR)/usr/sbin
+ install -o root -g root -m 644 etc/cron.d/iptables-rrdtool $(DESTDIR)/etc/cron.d/
+ install -o root -g root -m 644 etc/default/iptables-rrdtool $(DESTDIR)/etc/default/
+ install -o root -g root -m 644 sbin/iptables-rrdtool $(DESTDIR)/usr/sbin/
+clean:
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..a8bf33b
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,6 @@
+iptables-rrdtool (0.1) unstable; urgency=low
+
+ * Initial release.
+
+ -- Joe Rayhawk <jrayhawk@omgwallhack.org> Sat, 08 Sep 2012 11:01:59 -0700
+
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..7f8f011
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+7
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..c1ba8fa
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,15 @@
+Source: iptables-rrdtool
+Maintainer: Joe Rayhawk <jrayhawk@omgwallhack.org>
+Section: admin
+Build-depends: debhelper (>= 7)
+Priority: extra
+Homepage: http://piny.be/iptables-rrdtool/
+Standards-version: 3.9.1
+
+Package: iptables-rrdtool
+Architecture: all
+Depends: ${misc:Depends}, bash (>= 4.0), rrdtool, moreutils, base-files (>= 6.2) | initscripts (>= 2.88dsf-13.3)
+Recommends: cron
+Description: Cronjob to generate RRD files from all iptables rule counters
+ Creates RRDs for every iptables rule every five munytes and optionally graphs
+ them.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..f626d21
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,2 @@
+Copyright © 2010 Joe Rayhawk <jrayhawk@omgwallhack.org>
+Licensed under the BSD 3-clause license. 
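Review bot: The last install rule copies sbin/iptables-rrdtool into $(DESTDIR)/usr/sbin/ with mode 644, but etc/cron.d/iptables-rrdtool in this same commit executes it directly as /usr/sbin/iptables-rrdtool, so cron will fail with permission denied every five minutes; the diffstat also shows the source file itself as -rw-r--r--, so nothing in the build chain makes it executable. Change the rule to `install -o root -g root -m 755 sbin/iptables-rrdtool $(DESTDIR)/usr/sbin/` and mark the file executable in the repository. The two configuration files under etc/ are correctly left at 644.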
diff --git a/debian/fswarn.postinst b/debian/fswarn.postinst
new file mode 100644
index 0000000..a22b368
--- /dev/null
+++ b/debian/fswarn.postinst
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+
+ configure)
+
+ if [ "$2" = "" ]; then
+ mkdir /var/lib/iptables-rrdtool || true
+ fi
+
+ ;;
+
+ *)
+ ;;
+
+esac
diff --git a/debian/fswarn.postrm b/debian/fswarn.postrm
new file mode 100644
index 0000000..f7b1a11
--- /dev/null
+++ b/debian/fswarn.postrm
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+
+ purge)
+ rm -r /var/lib/iptables-rrdtool || true
+ ;;
+
+ *)
+ ;;
+
+esac
+
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..2d33f6a
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,4 @@
+#!/usr/bin/make -f
+
+%:
+ dh $@
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/etc/cron.d/iptables-rrdtool b/etc/cron.d/iptables-rrdtool
new file mode 100644
index 0000000..71a9877
--- /dev/null
+++ b/etc/cron.d/iptables-rrdtool
@@ -0,0 +1,2 @@
+# generate and update RRDs from iptables rule counters every five minutes
+*/5 * * * * root /usr/sbin/iptables-rrdtool
diff --git a/etc/default/iptables-rrdtool b/etc/default/iptables-rrdtool
new file mode 100644
index 0000000..69a2494
--- /dev/null
+++ b/etc/default/iptables-rrdtool
@@ -0,0 +1,11 @@
+## Defaults sourced by iptables-rrdtool script on Debian systems.
+## Uncomment (remove the leading '#') and change values as needed.
+
+## Directory rrd files are stored
+# RRDDIR=/var/lib/iptables-rrdtool
+
+## Generate PNGs?
+# GENPNG=1
+
+## Directory png files are stored. If not defined, will default to ${RRDDIR}
+# PNGDIR=
diff --git a/sbin/iptables-rrdtool b/sbin/iptables-rrdtool
new file mode 100644
index 0000000..b45fe59
--- /dev/null
+++ b/sbin/iptables-rrdtool
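Review bot: debian/fswarn.postinst and debian/fswarn.postrm are named for a package called fswarn, but debian/control in this commit builds only iptables-rrdtool; as far as I can tell dh_installdeb only picks up debian/<package>.postinst or a bare debian/postinst, so both maintainer scripts would be silently left out of the .deb and /var/lib/iptables-rrdtool would never be created on install nor removed on purge. Rename them to debian/iptables-rrdtool.postinst and debian/iptables-rrdtool.postrm. Inside postinst, `mkdir /var/lib/iptables-rrdtool || true` also hides genuine failures such as a read-only or full filesystem; `mkdir -p /var/lib/iptables-rrdtool` is idempotent, so the `|| true` and the `[ "$2" = "" ]` first-install guard can both be dropped and the script still fails loudly under set -e when the directory really cannot be made.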
@@ -0,0 +1,51 @@
+#!/bin/bash
+# requires bash 4.0+ regexes, substring manipulation
+
+# make sure we're running flocked against the PID file
+if ! grep -q /usr/bin/lckdo /proc/$PPID/cmdline; then
+ exec /usr/bin/lckdo /run/iptables-rrdtool.pid "$0" "$@";
+fi
+
+[ -s /etc/default/iptables-rrdtool ] && . /etc/default/iptables-rrdtool
+RRDDIR="${RRDDIR:-/var/lib/iptables-rrdtools}"
+PNGDIR="${PNGDIR:-$RRDDIR}"
+
+set -e
+#set -x
+
+# "Internal Field Separator" for composing arguments from command substitution, among other things
+IFS=$'\n'
+
+for table in $(cat /proc/net/ip_tables_names); do
+ for rule in $(/sbin/iptables-save -c -t ${table}); do
+# iptables-save has inconsistent output for no sane reason; we grab rematch
+# strings both before and after the counters, then hamfistedly combine them
+# under the generally safe assumption that one is blank
+ if [[ "${rule}" =~ ^(.*)\[[0-9]+:([0-9]+)\](.*)$ ]]; then
+ name="${BASH_REMATCH[1]}${BASH_REMATCH[3]}"
+ name="${name//\/32/}" # remove extraneous POSIX-unsafe '/32' string
+ name="${name//\//slash}" # replace all other instances of POSIX-unsafe '/'
+ name="${name/#:/ -P }" # normalize iptables-save's dumb policy rule output
+ name="${name//:/colon}" # remove colon because rrdtool can't deal with POSIX filenames
+ name="${name% }" # remove trailing whitespace
+ name="iptables -t ${table}${name}"
+ counter="${BASH_REMATCH[2]}"
+
+ if ! [ -s "${RRDDIR}/${name}.rrd" ]; then
+ rrdtool create "${RRDDIR}/${name}.rrd" \
+ DS:rule:DERIVE:600:0:U \
+ RRA:AVERAGE:0.5:1:576 \
+ RRA:AVERAGE:0.5:6:720 \
+ RRA:AVERAGE:0.5:24:720 \
+ RRA:AVERAGE:0.5:288:730
+ fi
+
+ rrdtool update "${RRDDIR}/${name}.rrd" "N:${counter}"
+
+ if [ "${GENPNG}" = "1" ]; then
+ rrdtool graph "${PNGDIR}/${name}.png" --start -2d DEF:rule="${RRDDIR}/${name}.rrd":rule:AVERAGE LINE1:rule#0080ff:rule
+ fi
+ fi
+ done
+done
+
|
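Review bot: The fallback `RRDDIR="${RRDDIR:-/var/lib/iptables-rrdtools}"` carries a trailing "s" that matches neither the directory the postinst creates nor the path documented in etc/default/iptables-rrdtool (both /var/lib/iptables-rrdtool); because RRDDIR is commented out in the shipped defaults file, every cron run will attempt `rrdtool create` inside a directory that does not exist and abort under set -e before writing anything. Change it to `RRDDIR="${RRDDIR:-/var/lib/iptables-rrdtool}"`. Two smaller points: a failure of `/sbin/iptables-save -c -t ${table}` inside the for list is not seen by set -e, so a broken or missing iptables-save makes the job silently record nothing rather than reporting an error, and the re-exec guard only checks that the parent's cmdline contains the string /usr/bin/lckdo, which is a heuristic for "we hold /run/iptables-rrdtool.pid" rather than proof of it. It would be worth a comment on the guard saying that this is the assumption being made, so the next maintainer does not read it as a real lock check.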