-rw-r--r--Makefile10
-rw-r--r--debian/changelog6
-rw-r--r--debian/compat1
-rw-r--r--debian/control15
-rw-r--r--debian/copyright2
-rw-r--r--debian/fswarn.postinst18
-rw-r--r--debian/fswarn.postrm15
-rwxr-xr-xdebian/rules4
-rw-r--r--debian/source/format1
-rw-r--r--etc/cron.d/iptables-rrdtool2
-rw-r--r--etc/default/iptables-rrdtool11
-rw-r--r--sbin/iptables-rrdtool51
12 files changed, 136 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..d8779b4
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,10 @@
+build:
+
+install:
+ install -o root -g root -m 755 -d $(DESTDIR)/etc/cron.d
+ install -o root -g root -m 755 -d $(DESTDIR)/etc/default
+ install -o root -g root -m 755 -d $(DESTDIR)/usr/sbin
+ install -o root -g root -m 644 etc/cron.d/iptables-rrdtool $(DESTDIR)/etc/cron.d/
+ install -o root -g root -m 644 etc/default/iptables-rrdtool $(DESTDIR)/etc/default/
+ install -o root -g root -m 644 sbin/iptables-rrdtool $(DESTDIR)/usr/sbin/
+clean:
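Review bot: The last `install` line copies `sbin/iptables-rrdtool` into `/usr/sbin` with mode 644, so the file that the cron entry in `etc/cron.d/iptables-rrdtool` (later in this commit) executes directly is not executable; it should be `install -o root -g root -m 755 sbin/iptables-rrdtool $(DESTDIR)/usr/sbin/`. `build`, `install` and `clean` are not file targets and should be declared `.PHONY: build install clean` so a stray file with one of those names cannot silence the rule. The rendering shows a single space before each recipe line; if that is what the file contains rather than a tab, make will stop with "missing separator", so this is worth confirming in the raw file.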
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..a8bf33b
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,6 @@
+iptables-rrdtool (0.1) unstable; urgency=low
+
+ * Initial release.
+
+ -- Joe Rayhawk <jrayhawk@omgwallhack.org> Sat, 08 Sep 2012 11:01:59 -0700
+
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..7f8f011
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+7
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..c1ba8fa
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,15 @@
+Source: iptables-rrdtool
+Maintainer: Joe Rayhawk <jrayhawk@omgwallhack.org>
+Section: admin
+Build-depends: debhelper (>= 7)
+Priority: extra
+Homepage: http://piny.be/iptables-rrdtool/
+Standards-version: 3.9.1
+
+Package: iptables-rrdtool
+Architecture: all
+Depends: ${misc:Depends}, bash (>= 4.0), rrdtool, moreutils, base-files (>= 6.2) | initscripts (>= 2.88dsf-13.3)
+Recommends: cron
+Description: Cronjob to generate RRD files from all iptables rule counters
+ Creates RRDs for every iptables rule every five munutes and optionally graphs
+ them.
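Review bot: `Depends` omits `iptables` even though the shipped script runs `/sbin/iptables-save` on every invocation, so the package can install on a host where the cron job then fails every five minutes; add it, e.g. `Depends: ${misc:Depends}, bash (>= 4.0), iptables, rrdtool, moreutils, base-files (>= 6.2) | initscripts (>= 2.88dsf-13.3)`. The long description also has a typo, `munutes` for `minutes`. Since the package installs a file under `/etc/cron.d`, it is probably worth stating in the description that the job runs as root, so an administrator reviewing the package knows what it does before installing it.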
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..f626d21
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,2 @@
+Copyright © 2010 Joe Rayhawk <jrayhawk@omgwallhack.org>
+Licensed under the BSD 3-clause license.
diff --git a/debian/fswarn.postinst b/debian/fswarn.postinst
new file mode 100644
index 0000000..a22b368
--- /dev/null
+++ b/debian/fswarn.postinst
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+
+ configure)
+
+ if [ "$2" = "" ]; then
+ mkdir /var/lib/iptables-rrdtool || true
+ fi
+
+ ;;
+
+ *)
+ ;;
+
+esac
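Review bot: The file is named `debian/fswarn.postinst` (and `debian/fswarn.postrm` in the next hunk) while the binary package built by `debian/control` is `iptables-rrdtool`, so debhelper will not associate these maintainer scripts with the package and neither will be installed; they should be `debian/iptables-rrdtool.postinst` and `debian/iptables-rrdtool.postrm`. Both scripts also lack the `#DEBHELPER#` token that `dh_installdeb` uses to splice in its generated snippets. `mkdir /var/lib/iptables-rrdtool || true` masks every failure, including a permission or read-only filesystem error; `mkdir -p /var/lib/iptables-rrdtool` keeps the idempotence without hiding real errors under `set -e`. The script creates the directory with whatever the process umask yields; if the RRD data is not meant to be world-readable, an explicit mode on the `mkdir` would make that intent visible.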
diff --git a/debian/fswarn.postrm b/debian/fswarn.postrm
new file mode 100644
index 0000000..f7b1a11
--- /dev/null
+++ b/debian/fswarn.postrm
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+
+ purge)
+ rm -r /var/lib/iptables-rrdtool || true
+ ;;
+
+ *)
+ ;;
+
+esac
+
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..2d33f6a
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,4 @@
+#!/usr/bin/make -f
+
+%:
+ dh $@
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/etc/cron.d/iptables-rrdtool b/etc/cron.d/iptables-rrdtool
new file mode 100644
index 0000000..71a9877
--- /dev/null
+++ b/etc/cron.d/iptables-rrdtool
@@ -0,0 +1,2 @@
+# generate and update RRDs from iptables rule counters every five minutes
+*/5 * * * * root /usr/sbin/iptables-rrdtool
diff --git a/etc/default/iptables-rrdtool b/etc/default/iptables-rrdtool
new file mode 100644
index 0000000..69a2494
--- /dev/null
+++ b/etc/default/iptables-rrdtool
@@ -0,0 +1,11 @@
+## Defaults sourced by iptables-rrdtool script on Debian systems.
+## Uncomment (remove the leading '#') and change values as needed.
+
+## Directory rrd files are stored
+# RRDDIR=/var/lib/iptables-rrdtool
+
+## Generate PNGs?
+# GENPNG=1
+
+## Directory png files are stored. If not defined, will default to ${RRDDIR}
+# PNGDIR=
diff --git a/sbin/iptables-rrdtool b/sbin/iptables-rrdtool
new file mode 100644
index 0000000..b45fe59
--- /dev/null
+++ b/sbin/iptables-rrdtool
@@ -0,0 +1,51 @@
+#!/bin/bash
+# requires bash 4.0+ regexes, substring manipulation
+
+# make sure we're running flocked against the PID file
+if ! grep -q /usr/bin/lckdo /proc/$PPID/cmdline; then
+ exec /usr/bin/lckdo /run/iptables-rrdtool.pid "$0" "$@";
+fi
+
+[ -s /etc/default/iptables-rrdtool ] && . /etc/default/iptables-rrdtool
+RRDDIR="${RRDDIR:-/var/lib/iptables-rrdtools}"
+PNGDIR="${PNGDIR:-$RRDDIR}"
+
+set -e
+#set -x
+
+# "Internal Field Separator" for composing arguments from command substitution, among other things
+IFS=$'\n'
+
+for table in $(cat /proc/net/ip_tables_names); do
+ for rule in $(/sbin/iptables-save -c -t ${table}); do
+# iptables-save has inconsistent output for no sane reason; we grab rematch
+# strings both before and after the counters, then hamfistedly combine them
+# under the generally safe assumption that one is blank
+ if [[ "${rule}" =~ ^(.*)\[[0-9]+:([0-9]+)\](.*)$ ]]; then
+ name="${BASH_REMATCH[1]}${BASH_REMATCH[3]}"
+ name="${name//\/32/}" # remove extraneous POSIX-unsafe '/32' string
+ name="${name//\//slash}" # replace all other instances of POSIX-unsafe '/'
+ name="${name/#:/ -P }" # normalize iptables-save's dumb policy rule output
+ name="${name//:/colon}" # remove colon because rrdtool can't deal with POSIX filenames
+ name="${name% }" # remove trailing whitespace
+ name="iptables -t ${table}${name}"
+ counter="${BASH_REMATCH[2]}"
+
+ if ! [ -s "${RRDDIR}/${name}.rrd" ]; then
+ rrdtool create "${RRDDIR}/${name}.rrd" \
+ DS:rule:DERIVE:600:0:U \
+ RRA:AVERAGE:0.5:1:576 \
+ RRA:AVERAGE:0.5:6:720 \
+ RRA:AVERAGE:0.5:24:720 \
+ RRA:AVERAGE:0.5:288:730
+ fi
+
+ rrdtool update "${RRDDIR}/${name}.rrd" "N:${counter}"
+
+ if [ "${GENPNG}" = "1" ]; then
+ rrdtool graph "${PNGDIR}/${name}.png" --start -2d DEF:rule="${RRDDIR}/${name}.rrd":rule:AVERAGE LINE1:rule#0080ff:rule
+ fi
+ fi
+ done
+done
+
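Review bot: The fallback `RRDDIR="${RRDDIR:-/var/lib/iptables-rrdtools}"` has a trailing `s` that does not match the directory created by the postinst, removed by the postrm, or shown in `etc/default/iptables-rrdtool` (`/var/lib/iptables-rrdtool`), so with the defaults file left commented out the first `rrdtool create` fails under `set -e` and nothing is ever recorded; it should read `RRDDIR="${RRDDIR:-/var/lib/iptables-rrdtool}"`. The regex `^(.*)\[[0-9]+:([0-9]+)\](.*)$` uses a greedy first group, so a rule whose text (for example a `--comment` string) itself contains a `[n:m]` sequence would, I believe, be split at the wrong place and the counter taken from the comment rather than from iptables-save; anchoring the counter at the start of the line, where `iptables-save -c` emits it, would remove that ambiguity. Note for readers that rule text flows into the RRD and PNG filenames: `/` and `:` are rewritten and the name is prefixed with `iptables -t ${table}`, so each name is confined to a single path component inside `RRDDIR`, which is worth stating in a comment near the `name=` lines since that property is what keeps the derived path safe.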