Move DNAT and REDIRECT logging to the nat table

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@567 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -5,3 +5,7 @@ Changes since 1.4.3a
 2. Change LOGMARKER to a printf mask and allow embedded spaces. Renamed
    it LOGFORMAT to avoid confusion.
 
+3. DNAT and REDIRECT logging is moved from the filter table to the nat
+   table.
+
+

Shorewall/firewall

@@ -1855,6 +1855,13 @@ add_nat_rule() {
 	    fi
 
 	    for adr in $addr; do
+		if [ -n "$loglevel" ]; then
+		    ensurenatchain $chain
+		    log_rule $loglevel $chain $logtarget -t nat \
+			`fix_bang $proto $cli $sports -d $adr $multiport $dports`
+		    loglevel=
+		fi
+
 		addnatrule $chain $proto $cli $sports \
 		    -d $adr $multiport $dports -j $target1
 	    done
@@ -3299,7 +3306,7 @@ build_common_chain() {
 # Construct zone-independent rules
 #
 add_common_rules() {
-    local savelogparms=
+    local savelogparms="$LOGPARMS"
     #
     # Reject Rules
     #
@@ -3324,8 +3331,7 @@ add_common_rules() {
 	createchain badpkt no
 
 	if [ -n "$LOGUNCLEAN" ]; then
-	    savelogparms="$LOGPARMS"
+	    
-
 	    LOGPARMS="$LOGPARMS --log-ip-options"
 
 	    log_rule $LOGUNCLEAN badpkt DROP -p ! tcp 
@@ -3357,8 +3363,6 @@ add_common_rules() {
 
 	[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
 
-	savelogparms="$LOGPARMS"
-	    
 	LOGPARMS="$LOGPARMS --log-ip-options"
 
 	log_rule $LOGUNCLEAN logpkt DROP -p ! tcp 
@@ -4461,8 +4465,13 @@ do_initialize() {
 	CLEAR_TC=
     fi
 
-    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%d:%s:"
+    if [ -n "$LOGFORMAT" ]; then
-
+	if ! qt printf "$LOGFORMAT" foo 1 bar ; then
+	    startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
+	fi
+    else
+	LOGFORMAT="Shorewall:%s:%d:%s:"
+    fi
     #
     # Strip the files that we use often
     #

Shorewall/releasenotes.txt

@@ -12,7 +12,19 @@ New Features:
 2) The LOGMARKER variable has been renamed LOGFORMAT and has been
    changed to a 'printf' formatting template which accepts three
    arguments (the chain name, logging rule number and the disposition).
-   To use LOGFORMAT with ULOG, set it as:
+   To use LOGFORMAT with fireparse, set it as:
 
-       LOGFORMAT="fp=%s:%d a=%s"
+       LOGFORMAT="fp=%s:%d a=%s "
 
+
+   CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT
+   string (up to but not including the first '%') to find log messages
+   in the 'show log', 'status' and 'hits' commands. This part should
+   not be omitted (the LOGFORMAT should not begin with "%") and the
+   leading part should be sufficiently unique for /sbin/shorewall to
+   identify Shorewall messages.
+
+3) When logging is specified on a DNAT[-] or REDIRECT[-] rule, the
+   logging now takes place in the nat table rather than in the filter
+   table. This way, only those connections that actually undergo DNAT
+   or redirection will be logged.

Shorewall/shorewall.conf

@@ -65,7 +65,7 @@ LOGFILE=/var/log/messages
 #
 # If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
 #
-#	LOGFORMAT="fp=%s:%d a=%s"
+#	LOGFORMAT="fp=%s:%d a=%s "
 #
 # If not specified or specified as empty (LOGFORMAT="") then the value
 # "Shorewall:%s:%d:%s:" is assumed.