From 061ce3d781cc86918b32c3e65421bb9978d4b3fd Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 15 Nov 2018 14:59:29 -0800 Subject: [PATCH] Remove ULOG support Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 23 ++++++---------------- Shorewall/Perl/Shorewall/Config.pm | 21 ++++---------------- Shorewall/Perl/Shorewall/Raw.pm | 2 +- Shorewall/Perl/Shorewall/Rules.pm | 4 ++-- Shorewall/manpages/shorewall-conntrack.xml | 7 ++++--- Shorewall/manpages/shorewall-logging.xml | 13 ++++++------ Shorewall/manpages/shorewall-policy.xml | 5 +++++ Shorewall/manpages/shorewall-rules.xml | 7 ++++--- Shorewall/manpages/shorewall-snat.xml | 9 +++++---- Shorewall/manpages/shorewall.conf.xml | 8 +++++++- docs/Actions.xml | 3 ++- docs/shorewall_logging.xml | 19 +++++++++--------- 12 files changed, 57 insertions(+), 64 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 7e7ba8eea..490cbe854 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -450,13 +450,13 @@ use constant { STANDARD => 0x1, #defined by Netfilter REDIRECT => 0x20, #'REDIRECT' ACTION => 0x40, #An action (may be built-in) MACRO => 0x80, #A Macro - LOGRULE => 0x100, #'LOG','ULOG','NFLOG' + LOGRULE => 0x100, #'LOG','NFLOG' NFQ => 0x200, #'NFQUEUE' CHAIN => 0x400, #Manual Chain SET => 0x800, #SET AUDIT => 0x1000, #A_ACCEPT, etc HELPER => 0x2000, #CT:helper - NFLOG => 0x4000, #NFLOG or ULOG + NFLOG => 0x4000, #NFLOG INLINE => 0x8000, #Inline action STATEMATCH => 0x10000, #action.Invalid, action.Related, etc. USERBUILTIN => 0x20000, #Builtin action from user's actions file. @@ -656,7 +656,6 @@ our %builtin_target = ( ACCEPT => STANDARD + FILTER_TABLE + NAT_TABLE + MAN TPROXY => STANDARD + MANGLE_TABLE, TRACE => STANDARD + RAW_TABLE, TTL => STANDARD + MANGLE_TABLE, - ULOG => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE, ); our %ipset_exists; 
@@ -3223,7 +3222,6 @@ sub initialize_chain_table($) { 'REDIRECT' => NATRULE + REDIRECT + OPTIONS, 'REDIRECT-' => NATRULE + REDIRECT + NATONLY, 'TARPIT' => STANDARD + TARPIT + OPTIONS, - 'ULOG' => STANDARD + LOGRULE + NFLOG + OPTIONS, 'WHITELIST' => STANDARD, ); @@ -3281,7 +3279,6 @@ sub initialize_chain_table($) { 'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS, 'NFQUEUE' => STANDARD + NFQ + OPTIONS, 'NFQUEUE!' => STANDARD + NFQ, - 'ULOG' => STANDARD + LOGRULE + NFLOG, 'ADD' => STANDARD + SET, 'DEL' => STANDARD + SET, 'WHITELIST' => STANDARD, @@ -6756,9 +6753,7 @@ sub log_rule_limit( $$$$$$$$;$ ) { } if ( $config{LOGFORMAT} =~ /^\s*$/ ) { - if ( $level =~ '^ULOG' ) { - $prefix = "-j $level "; - } elsif ( $level =~ /^NFLOG/ ) { + if ( $level =~ /^NFLOG/ ) { $prefix = "-j $level "; } else { my $flags = $globals{LOGPARMS}; @@ -6803,9 +6798,7 @@ sub log_rule_limit( $$$$$$$$;$ ) { warning_message "Log Prefix shortened to \"$prefix\""; } - if ( $level =~ '^ULOG' ) { - $prefix = "-j $level --ulog-prefix \"$prefix\" "; - } elsif ( $level =~ /^NFLOG/ ) { + if ( $level =~ /^NFLOG/ ) { $prefix = "-j $level --nflog-prefix \"$prefix\" "; } elsif ( $level =~ '^LOGMARK' ) { $prefix = join( '', substr( $prefix, 0, 12 ) , ':' ) if length $prefix > 13; @@ -6855,9 +6848,7 @@ sub log_irule_limit( $$$$$$$$@ ) { } if ( $config{LOGFORMAT} =~ /^\s*$/ ) { - if ( $level =~ '^ULOG' ) { - $prefix = "$level"; - } elsif ( $level =~ /^NFLOG/ ) { + if ( $level =~ /^NFLOG/ ) { $prefix = "$level"; } else { my $flags = $globals{LOGPARMS}; @@ -6902,9 +6893,7 @@ sub log_irule_limit( $$$$$$$$@ ) { warning_message "Log Prefix shortened to \"$prefix\""; } - if ( $level =~ '^ULOG' ) { - $prefix = "$level --ulog-prefix \"$prefix\""; - } elsif ( $level =~ /^NFLOG/ ) { + if ( $level =~ /^NFLOG/ ) { $prefix = "$level --nflog-prefix \"$prefix\""; } elsif ( $level =~ '^LOGMARK' ) { $prefix = join( '', substr( $prefix, 0, 12 ) , ':' ) if length $prefix > 13; 
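Review bot: The NFLOG branch that replaces the ULOG test in log_rule_limit is now a real pattern, `if ( $level =~ /^NFLOG/ ) {`, but the sibling branch two lines below it is still written with a bare string, `elsif ( $level =~ '^LOGMARK' )`, which Perl only treats as a regex because it sits on the right of `=~`; the same mismatch is left in place in the second log_irule_limit hunk. Since these lines are being edited anyway, make them `} elsif ( $level =~ /^LOGMARK/ ) {` so every branch in the chain reads the same way. The four hunks also show that log_rule_limit and log_irule_limit build the prefix with near-identical code differing only in the `-j ` and trailing space, so a shared helper would remove the duplication this commit had to edit twice. Both subs start before and continue after their hunks.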
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 39dcf0733..56a0d4e8d 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -456,7 +456,6 @@ our %capdesc = ( NAT_ENABLED => 'NAT', TIME_MATCH => 'Time Match', GOTO_TARGET => 'Goto Support', LOG_TARGET => 'LOG Target', - ULOG_TARGET => 'ULOG Target', NFLOG_TARGET => 'NFLOG Target', LOGMARK_TARGET => 'LOGMARK Target', IPMARK_TARGET => 'IPMARK Target', @@ -1093,7 +1092,6 @@ sub initialize( $;$$$) { TIME_MATCH => undef, GOTO_TARGET => undef, LOG_TARGET => undef, - ULOG_TARGET => undef, NFLOG_TARGET => undef, LOGMARK_TARGET => undef, IPMARK_TARGET => undef, @@ -1272,7 +1270,6 @@ sub initialize( $;$$$) { $globals{PRODUCT} = 'shorewall'; $config{IPTABLES} = undef; $config{ARPTABLES} = undef; - $validlevels{ULOG} = 'ULOG'; } else { $globals{SHAREDIR} = "$shorewallrc{SHAREDIR}/shorewall6"; $globals{PRODUCT} = 'shorewall6'; @@ -4211,25 +4208,23 @@ sub validate_level( $;$ ) { require_capability( "${value}_TARGET", "Log level $level", 's' ); } - if ( $value =~ /^(NFLOG|ULOG)$/ ) { + if ( $value eq 'NFLOG' ) { my $olevel = $value; if ( $qualifier =~ /^[(](.*)[)]$/ ) { my @options = split /,/, $1; - my $prefix = lc $olevel; - my $index = $prefix eq 'ulog' ? 3 : 0; + my $index = 0; level_error( $rawlevel , $option ) if @options > 3; for ( @options ) { if ( supplied( $_ ) ) { level_error( $rawlevel , $option ) unless /^\d+/; - $olevel .= " --${prefix}-$suffixes[$index] $_"; + $olevel .= " --nflog-$suffixes[$index] $_"; } $index++; } - } elsif ( $qualifier =~ /^ --/ ) { return $rawlevel; } else { @@ -4879,10 +4874,6 @@ sub Log_Target() { qt1( "$iptables $iptablesw -A $sillyname -j LOG" ); } -sub Ulog_Target() { - qt1( "$iptables $iptablesw -A $sillyname -j ULOG" ); -} - sub NFLog_Target() { qt1( "$iptables $iptablesw -A $sillyname -j NFLOG" ); } 
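Review bot: The new line in validate_level, `$olevel .= " --nflog-$suffixes[$index] $_";`, interpolates each option verbatim into the generated NFLOG target, while the check on the line before it, `level_error( $rawlevel , $option ) unless /^\d+/;`, only anchors the start of the value, so something like `1x` passes the check and reaches the rule text unchanged. Since this branch is being rewritten, anchor the check as `level_error( $rawlevel , $option ) unless /^\d+\z/;` so only the digit strings the code already expects get through. The `$suffixes[$index]` lookup is bounded by the `@options > 3` rejection above it, which is fine; validate_level itself continues outside the hunk, as does the declaration of `@suffixes`.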
@@ -5068,7 +5059,6 @@ our %detect_capability = LENGTH_MATCH => \&Length_Match, LOGMARK_TARGET => \&Logmark_Target, LOG_TARGET => \&Log_Target, - ULOG_TARGET => \&Ulog_Target, NFLOG_TARGET => \&NFLog_Target, NFLOG_SIZE => \&NFLog_Size, MANGLE_ENABLED => \&Mangle_Enabled, @@ -5233,7 +5223,6 @@ sub determine_capabilities() { $capabilities{TIME_MATCH} = detect_capability( 'TIME_MATCH' ); $capabilities{GOTO_TARGET} = detect_capability( 'GOTO_TARGET' ); $capabilities{LOG_TARGET} = detect_capability( 'LOG_TARGET' ); - $capabilities{ULOG_TARGET} = detect_capability( 'ULOG_TARGET' ); $capabilities{NFLOG_TARGET} = detect_capability( 'NFLOG_TARGET' ); $capabilities{LOGMARK_TARGET} = detect_capability( 'LOGMARK_TARGET' ); $capabilities{FLOW_FILTER} = detect_capability( 'FLOW_FILTER' ); @@ -6790,9 +6779,7 @@ sub get_configuration( $$$ ) { } if ( supplied( $val = $config{LOG_BACKEND} ) ) { - if ( $family == F_IPV4 && $val eq 'ULOG' ) { - $val = 'ipt_ULOG'; - } elsif ( $val eq 'netlink' ) { + if ( $val eq 'netlink' ) { $val = 'nfnetlink_log'; } elsif ( $val eq 'LOG' ) { $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_LOG'; diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm index 39aa6dfa1..e9785214c 100644 --- a/Shorewall/Perl/Shorewall/Raw.pm +++ b/Shorewall/Perl/Shorewall/Raw.pm @@ -94,7 +94,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) { my $level = ''; - if ( $action =~ /^(?:NFLOG|ULOG)/ ) { + if ( $action =~ /^NFLOG/ ) { $action = join( ":" , 'LOG', $action ); } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index f22d78cdc..97098f327 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
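Review bot: In get_configuration, a shorewall.conf that still says `LOG_BACKEND=ULOG` no longer matches any arm once the `$family == F_IPV4 && $val eq 'ULOG'` branch is dropped, so it falls into whatever the trailing branch below the hunk does; if that branch passes `$val` through untranslated, the setting silently names a backend module this commit's manpage changes describe as removed. An explicit rejection at the head of the chain would make the upgrade failure obvious, e.g. `fatal_error "LOG_BACKEND=ULOG is no longer supported" if $val eq 'ULOG';`, unless the hidden else branch already reports unknown values. The same question applies to a capabilities file saved by an older release that still carries `ULOG_TARGET`, which the %capdesc and determine_capabilities hunks no longer declare; how unknown keys are treated is outside this diff.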
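Review bot: The rewritten test in process_conntrack_rule, `if ( $action =~ /^NFLOG/ ) {`, accepts any action that merely begins with NFLOG, whereas the parallel rewrite in Rules.pm's merge_levels anchors with `/^NFLOG\b/`; the two should agree, and the `\b` form is the tighter one (the original `(?:NFLOG|ULOG)` alternation was just as loose, so this is a chance to fix it rather than a regression). Change it to `if ( $action =~ /^NFLOG\b/ ) {`. The unanchored form is also what the Chains.pm log_rule_limit and log_irule_limit hunks use.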
@@ -1580,7 +1580,7 @@ sub merge_levels ($$) { my $tag = $supparts[2]; if ( @supparts == 3 ) { - return "$subordinate:$tag" if $target =~ /^(?:NFLOG|ULOG)\b/; + return "$subordinate:$tag" if $target =~ /^NFLOG\b/; return "$target:none!:$tag" if $level eq 'none!'; return "$target:$level:$tag" if $level =~ /!$/; return $subordinate if $subparts >= 2; @@ -1588,7 +1588,7 @@ sub merge_levels ($$) { } if ( @supparts == 2 ) { - return $subordinate if $target =~ /^(?:NFLOG|ULOG)\b/; + return $subordinate if $target =~ /^NFLOG\b/; return "$target:none!" if $level eq 'none!'; return "$target:$level" if ($level =~ /!$/) || ($subparts < 2); } diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml index 4580cb59f..ea8ffb403 100644 --- a/Shorewall/manpages/shorewall-conntrack.xml +++ b/Shorewall/manpages/shorewall-conntrack.xml @@ -334,9 +334,10 @@ - IPv4 only. Added in Shoreawll 4.6.0. Queues the packet to - a backend logging daemon using the ULOG netfilter target with - the specified ulog-parameters. + IPv4 only. Added in Shoreawll 4.6.0 and removed in + Shorewall 5.2.2. Queues the packet to a backend logging daemon + using the ULOG netfilter target with the specified + ulog-parameters. diff --git a/Shorewall/manpages/shorewall-logging.xml b/Shorewall/manpages/shorewall-logging.xml index bbd0e3e23..4c7e46661 100644 --- a/Shorewall/manpages/shorewall-logging.xml +++ b/Shorewall/manpages/shorewall-logging.xml @@ -326,8 +326,8 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net ULOG (ipt_ULOG) - ULOG logging as described ablve. Only available for - IPv4. + ULOG logging as described ablve. Only available for IPv4 and + removed in Shorewall 5.2.2. 
@@ -343,10 +343,10 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net The currently-available and currently-selected IPv4 and IPv6 backends are shown in /proc/sys/net/netfilter/nf_log: - cat /proc/net/netfilter/nf_log + $ cat /proc/net/netfilter/nf_log 0 NONE (nfnetlink_log) 1 NONE (nfnetlink_log) - 2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log) + 2 nf_log_ipv4 (nf_log_ipv4,nfnetlink_log) 3 NONE (nfnetlink_log) 4 NONE (nfnetlink_log) 5 NONE (nfnetlink_log) @@ -354,9 +354,10 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net 7 NONE (nfnetlink_log) 8 NONE (nfnetlink_log) 9 NONE (nfnetlink_log) -10 ip6t_LOG (ip6t_LOG,nfnetlink_log) +10 nf_log_ipv6 (nf_log_ipv6,nfnetlink_log) 11 NONE (nfnetlink_log) -12 NONE (nfnetlink_log) +12 NONE (nfnetlink_log) +$ The magic numbers (0-12) are Linux address family numbers (AF_INET is 2 and AF_INET6 is 10). diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml index cd6eedb77..12f937b10 100644 --- a/Shorewall/manpages/shorewall-policy.xml +++ b/Shorewall/manpages/shorewall-policy.xml @@ -279,6 +279,11 @@ separate log through use of ulogd (http://www.netfilter.org/projects/ulogd/index.html). + + Support for ULOG was removed in Shorewall 5.2.2 as Netfilter + has dropped support for ULOG. + + For a description of logging, see shorewall-logging(5). diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index 74f6c6ec2..49cf3eb97 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml @@ -905,9 +905,10 @@ role="bold">ULOG[(ulog-parameters)] - IPv4 only. Added in Shorewall 4.5.10. Queues matching - packets to a back end logging daemon via a netlink socket then - continues to the next rule. See IPv4 only. Added in Shorewall 4.5.10 and removed in + 5.2.2. Queues matching packets to a back end logging daemon + via a netlink socket then continues to the next rule. See + shorewall-logging(5). Similar to 
diff --git a/Shorewall/manpages/shorewall-snat.xml b/Shorewall/manpages/shorewall-snat.xml index 9ce9f8113..49334a845 100644 --- a/Shorewall/manpages/shorewall-snat.xml +++ b/Shorewall/manpages/shorewall-snat.xml @@ -221,9 +221,10 @@ role="bold">ULOG[(ulog-parameters)] - IPv4 only. Added in Shorewall 5.1.9. Queues matching - packets to a back end logging daemon via a netlink socket then - continues to the next rule. See IPv4 only. Added in Shorewall 5.1.9 and removed in + Shorewall 5.2.2. Queues matching packets to a back end logging + daemon via a netlink socket then continues to the next rule. + See shorewall-logging(5). Similar to @@ -288,7 +289,7 @@ Beginning with Shorewall 5.1.12, SNAT may be performed in the nat table's INPUT chain by specifying $FW rather than one or more - interfaces. + interfaces. Each interface must match an entry in shorewall-interfaces(5). diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 2f2013266..7584eb6f9 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -91,6 +91,11 @@ LOG_LEVEL="NFLOG(1,0,1)" + + Support for ULOG was removed in Shorewall 5.2.2 as Netfilter has + removed support for ULOG logging. + + Beginning with Shorewall 5.0.0, the log level may be followed by a colon (":") and a log tag. The log tag normally follows the packet disposition in Shorewall-generated Netfilter log @@ -1425,7 +1430,8 @@ net all DROP infothen the chain name is 'net-all' IPv4 only. - Use ULOG logging to ulogd. + Use ULOG logging to ulogd. Support for ULOG was removed + in Shorewall 5.2.2. diff --git a/docs/Actions.xml b/docs/Actions.xml index c591be9df..6342045af 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -749,7 +749,8 @@ bar:debug Either a syslog level or a ULOG or NFLOG target expression (e.g., "NFLOG(1,0,1)"). Specifies how you want the - logging done. + logging done. Support for ULOG was removed in Shorewall + 5.2.2. 
diff --git a/docs/shorewall_logging.xml b/docs/shorewall_logging.xml index 7d51de586..b445d344d 100644 --- a/docs/shorewall_logging.xml +++ b/docs/shorewall_logging.xml @@ -277,7 +277,7 @@ shell variable simplifies future changes. Here's what I had at one time: - gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|ULOG|LOGFILE' + gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|LOGFILE' params:LOG=NFLOG policy:loc $FW REJECT $LOG policy:net all DROP $LOG 10/sec:40 @@ -302,8 +302,8 @@ gateway:/etc/shorewall# logwatch and dump commands. - The NFLOG target is a successor to ULOG. Both ULOG and NFLOG may - be followed by a list of up to three numbers in parentheses. + The NFLOG target is a successor to ULOG. NFLOG may be followed by + a list of up to three numbers in parentheses. @@ -384,8 +384,8 @@ sync=1 ULOG (ipt_ULOG) - ULOG logging as described ablve. Only available for - IPv4. + ULOG logging as described ablve. Only available for IPv4 and + removed in Shorewall 5.2.2. @@ -401,10 +401,10 @@ sync=1 The currently-available and currently-selected IPv4 and IPv6 backends are shown in /proc/sys/net/netfilter/nf_log: - cat /proc/net/netfilter/nf_log + $ cat /proc/net/netfilter/nf_log 0 NONE (nfnetlink_log) 1 NONE (nfnetlink_log) - 2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log) + 2 nf_log_ipv4 (nf_log_ipv4,nfnetlink_log) 3 NONE (nfnetlink_log) 4 NONE (nfnetlink_log) 5 NONE (nfnetlink_log) @@ -412,9 +412,10 @@ sync=1 7 NONE (nfnetlink_log) 8 NONE (nfnetlink_log) 9 NONE (nfnetlink_log) -10 ip6t_LOG (ip6t_LOG,nfnetlink_log) +10 nf_log_ipv6 (nf_log_ipv6,nfnetlink_log) 11 NONE (nfnetlink_log) -12 NONE (nfnetlink_log) +12 NONE (nfnetlink_log) +$ The magic numbers (0-12) are Linux address family numbers (AF_INET is 2 and AF_INET6 is 10).