mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-22 23:53:30 +01:00
Merge branch '5.1.4'
This commit is contained in:
commit
29ffb7eb4b
@ -55,14 +55,14 @@
<para>The maximum length of an iptables log prefix is 29 bytes. As
explained in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
where the first %s is replaced by the chain name and the second is
replaced by the disposition.</para>
the legacy default LOGPREFIX formatting string is
“Shorewall:%s:%s:” where the first %s is replaced by the chain
name and the second is replaced by the disposition.</para>

<itemizedlist>
<listitem>
<para>The default formatting string has 12 fixed characters
("Shorewall" and three colons).</para>
<para>The "Shorewall:%s:%s:" formatting string has 12 fixed
characters ("Shorewall" and three colons).</para>
</listitem>

<listitem>
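Review bot: "the legacy default LOGPREFIX formatting string" still names the option LOGPREFIX, while the option these pages document and reference is LOGFORMAT (the following hunk says "the LOGFORMAT in the default and sample shorewall.conf files was changed"); suggest "the legacy default LOGFORMAT string is “Shorewall:%s:%s:”" so that readers look for the right setting in shorewall.conf.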
@ -90,6 +90,29 @@
</simplelist>
</listitem>
</itemizedlist>

<para>In Shorewall 5.1.0, the LOGFORMAT in the default and sample
shorewall.conf files was changed to "%s:%s ".</para>

<itemizedlist>
<listitem>
<para>That formatting string has 2 fixed characters (":" and a
space).</para>
</listitem>

<listitem>
<para>So the maximum zone name length M is calculated
as:</para>

<simplelist>
<member>2 + 6 + 2*M + 1 = 29</member>

<member>2M = 29 - 2 + 6 + 1 = 20</member>

<member>M = 10</member>
</simplelist>
</listitem>
</itemizedlist>
</blockquote>

<para>The order in which Shorewall matches addresses from packets to
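Review bot: the middle line of the derivation, "2M = 29 - 2 + 6 + 1 = 20", evaluates to 34 as written; it should read "2M = 29 - (2 + 6 + 1) = 20" so that it agrees with the first and last lines. It would also help to say what the 6 and the 1 stand for (presumably the disposition and the one-character separator in the chain name), since administrators use this bound to choose zone names that will not be truncated out of the log prefix.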
@ -1443,15 +1443,20 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem>
</itemizedlist>

<para/>

<blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for
logging from the nat table's PREROUTING chain is:</para>
logging from the nat table's PREROUTING chain is as follows in
versions prior to 5.1.0:</para>

<programlisting> Shorewall:nat:PREROUTING
</programlisting>

<para>In Shorewall 5.1.0 and later releases, the log prefix
is:</para>

<programlisting> nat:PREROUTING
</programlisting>

<important>
<para>To help insure that all packets in the NEW state are
logged, rate limiting (LOGLIMIT) should be disabled when using
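Review bot: the 5.1.0 example prefix "nat:PREROUTING" implies LOGFORMAT="%s:%s " (which is what the preceding hunk states), but the caution added further down in this same file says the 5.1.0 default is LOGFORMAT="%s %s "; both cannot be right, and the difference decides whether "nat:PREROUTING " or "nat PREROUTING " appears in syslog, so please align the two. Both formats also end in a space, so it is worth saying that the trailing space is part of the prefix.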
@ -1515,6 +1520,24 @@ net all DROP info</programlisting>then the chain name is 'net-all'
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>
(5).</para>
</note>

<caution>
<para>Beginning with Shorewall 5.1.0, the default and sample
shorewall.conf files set LOGFORMAT="%s %s ". Shorewall log
messages that use this LOGFORMAT can be uniquely identified using
the following regular expression:</para>

<simplelist>
<member>'IN=.* OUT=.* SRC=.*\..* DST='</member>
</simplelist>

<para>To match all Netfilter log messages (Both IPv4 and IPv6),
use:</para>

<simplelist>
<member>'IN=.* OUT=.* SRC=.* DST='</member>
</simplelist>
</caution>
</listitem>
</varlistentry>

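Review bot: "can be uniquely identified using" overstates what the pattern does: 'IN=.* OUT=.* SRC=.*\..* DST=' matches any Netfilter log line whose SRC address contains a dot (IPv4), including entries from rules Shorewall did not generate, so it separates IPv4 from IPv6 log lines rather than Shorewall messages from other kernel log messages. Suggest "can be matched using", and add a sentence that, because "%s %s " contains no literal "Shorewall" marker, log monitoring that keyed on the "Shorewall:" prefix must be updated when upgrading to 5.1.0.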
@ -1551,8 +1574,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

<listitem>
<para>Using the default LOGFORMAT, chain names may not exceed 11
characters or truncation of the log prefix may occur. Longer chain
<para>Using LOGFORMAT=“Shorewall:%s:%s:”, chain names may not exceed
5 characters or truncation of the log prefix may occur. Longer chain
names may be used with log tags if you set LOGTAGONLY=Yes. With
LOGTAGONLY=Yes, if a log tag is specified then the tag is included
in the log prefix in place of the chain name.</para>
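Review bot: the change from 11 to 5 characters looks wrong for chain names: with "Shorewall:%s:%s:" the prefix has 12 fixed characters and the derivation earlier in this file reserves 6 for the disposition, so 29 - 12 - 6 leaves 11 characters for the chain name, which is what the old text said; 5 is the zone-name bound (2*5 + 1 = 11) stated in the shorewall6-zones hunk of this commit. Unless the chain-name limit really changed, keep 11 here; an administrator who trusts 5 will rename chains needlessly, while 11 is the figure that actually avoids truncation.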
@ -1564,10 +1587,10 @@ net all DROP info</programlisting>then the chain name is 'net-all'
separated by a comma. So this rule:</para>

<programlisting>#ACTION SOURCE DEST
LOG:info:foo,bar net fw</programlisting>
LOG:info:foo,bar net fw</programlisting>

<para>would generate the following log prefix when using the default
LOGFORMAT setting:</para>
<para>would generate the following log prefix when using
LOGFORMAT=“Shorewall:%s:%s:”:</para>

<simplelist>
<member>Shorewall:foo:bar:</member>
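Review bot: now that this sentence pins the example to LOGFORMAT=“Shorewall:%s:%s:”, a reader on a 5.1.0 install with the new default has no example of what the same rule produces; adding a second simplelist member with the 5.1.0 output for the foo,bar tag would make the LOGTAGONLY behaviour concrete for both formats.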
@ -2550,7 +2573,7 @@ INLINE - - - ;; -j REJECT
the <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para>
</footnote> interfaces without the routeback option.</para>
</footnote></para>
</listitem>
</varlistentry>

@ -2566,9 +2589,9 @@ INLINE - - - ;; -j REJECT
the <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para>
</footnote> interfaces without the routeback option. The default
is <option>info</option>. If you don't wish for these packets to be
logged, use SFILTER_LOG_LEVEL=none.</para>
</footnote> The default is <option>info</option>. If you don't
wish for these packets to be logged, use
SFILTER_LOG_LEVEL=none.</para>
</listitem>
</varlistentry>

@ -17,6 +17,7 @@ allowInvalid inline # Accepts packets in the INVALID conntrack state
allowMcast inline # Silently Allow Multicast
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL
BLACKLIST logjump,section # Add sender to the dynamic blacklist
Broadcast noinline # Handles Broadcast/Anycast
Drop # Default Action for DROP policy (deprecated)
dropBcast inline # Silently Drop Broadcast

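Review bot: drive-by in the AutoBL context line: "thesholds" should be "thresholds". For the new AutoBLL entry, if it exists only to be invoked by AutoBL, the comment should say that it is not meant to be used directly in the rules file, so administrators do not reference it themselves.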
@ -42,26 +42,27 @@
role="bold">,</emphasis><emphasis>parent-zone</emphasis>]...]</term>

<listitem>
<para>Name of the <emphasis>zone</emphasis>. The names "all",
"none", "SOURCE" and "DEST" are reserved and may not be used as zone
names. The maximum length of a zone name is determined by the
setting of the LOGFORMAT option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
With the default LOGFORMAT, zone names can be at most 5 characters
<para>Name of the <emphasis>zone</emphasis>. Must start with a
letter and consist of letters, digits or '_'. The names "all",
"none", "any", "SOURCE" and "DEST" are reserved and may not be used
as zone names. The maximum length of a zone name is determined by
the setting of the LOGFORMAT option in <ulink
url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5). With
the default LOGFORMAT, zone names can be at most 5 characters
long.</para>

<blockquote>
<para>The maximum length of an iptables log prefix is 29 bytes. As
explained in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5),
the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
where the first %s is replaced by the chain name and the second is
url="shorewall6.conf.html">shorewall6.conf</ulink> (5), the legacy
default LOGPREFIX formatting string is “Shorewall:%s:%s:” where
the first %s is replaced by the chain name and the second is
replaced by the disposition.</para>

<itemizedlist>
<listitem>
<para>The default formatting string has 12 fixed characters
("Shorewall" and three colons).</para>
<para>The "Shorewall:%s:%s:" formatting string has 12 fixed
characters ("Shorewall" and three colons).</para>
</listitem>

<listitem>
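Review bot: the first ulink now points at url="/manpages/shorewall.conf.html" while its text still reads shorewall6.conf, so either the URL or the link text is wrong, and the blockquote in the same hunk switches to a relative url="shorewall6.conf.html" without the /manpages6/ path, so the two references are also inconsistent with each other. Separately, "With the default LOGFORMAT, zone names can be at most 5 characters long" is kept unchanged although the derivation added below in this file gives M = 10 for the 5.1.0 default; say which LOGFORMAT the 5-character bound applies to (“Shorewall:%s:%s:”).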
@ -72,7 +73,8 @@
<listitem>
<para>The canonical name for the chain containing the rules
for traffic going from zone 1 to zone 2 is "<zone
1>2<zone 2>".</para>
1>2<zone 2>" or "<zone 1>-<zone
2>".</para>
</listitem>

<listitem>
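Review bot: two canonical chain-name forms are now listed ("<zone 1>2<zone 2>" and "<zone 1>-<zone 2>") without saying which one the compiler generates or when; the hunk context elsewhere in this commit shows "then the chain name is 'net-all'", so stating that the "-" form is what current releases produce would help anyone writing log-matching patterns. Both forms are 2*M + 1 characters long, so the zone-name derivation that follows is unaffected.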
@ -88,6 +90,29 @@
</simplelist>
</listitem>
</itemizedlist>

<para>In Shorewall 5.1.0, the LOGFORMAT in the default and sample
shorewall.conf files was changed to "%s:%s ".</para>

<itemizedlist>
<listitem>
<para>That formatting string has 2 fixed characters (":" and a
space).</para>
</listitem>

<listitem>
<para>So the maximum zone name length M is calculated
as:</para>

<simplelist>
<member>2 + 6 + 2*M + 1 = 29</member>

<member>2M = 29 - 2 + 6 + 1 = 20</member>

<member>M = 10</member>
</simplelist>
</listitem>
</itemizedlist>
</blockquote>

<para>The order in which Shorewall6 matches addresses from packets
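Review bot: this is the shorewall6-zones page, yet the new paragraph says the LOGFORMAT "in the default and sample shorewall.conf files was changed"; the link a few lines above sends IPv6 users to shorewall6.conf, so either name both files or say shorewall6.conf here. The middle line of the derivation should also read "2M = 29 - (2 + 6 + 1) = 20"; as written it evaluates to 34.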
@ -1229,7 +1229,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'

<listitem>
<para>This option is intended for use as a debugging aid. When set
to a log level, this option causes Shorewall6 to generate a logging
to a log level, this option causes Shorewall to generate a logging
rule as the first rule in each builtin chain.</para>

<itemizedlist>
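Review bot: "Shorewall6" becomes "Shorewall" here, but the caution added further down in this same file still says "Shorewall6 log messages" and the unchanged text says "The order in which Shorewall6 matches addresses"; if the intent is to describe the unified compiler, apply one name consistently within the shorewall6.conf page.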
@ -1244,14 +1244,19 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem>
</itemizedlist>

<para/>

<blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for
logging from the nat table's PREROUTING chain is:</para>
logging from the nat table's PREROUTING chain is as follows in
versions prior to 5.1.0:</para>

<programlisting> Shorewall:nat:PREROUTING
</programlisting>
</programlisting>

<para>In Shorewall 5.1.0 and later releases, the log prefix
is:</para>

<programlisting> nat:PREROUTING
</programlisting>

<important>
<para>To help insure that all packets in the NEW state are
@ -1295,7 +1300,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'

<listitem>
<para>The value of this variable generate the --log-prefix setting
for Shorewall6 logging rules. It contains a “printf” formatting
for Shorewall logging rules. It contains a “printf” formatting
template which accepts three arguments (the chain name, logging rule
number (optional) and the disposition). To use LOGFORMAT with
fireparse, set it as:</para>
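Review bot: drive-by in the context line being touched: "The value of this variable generate the --log-prefix setting" should read "generates".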
@ -1306,14 +1311,31 @@ net all DROP info</programlisting>then the chain name is 'net-all'
logging rule number is calculated and formatted in that position; if
that substring is not included then the rule number is not included.
If not supplied or supplied as empty (LOGFORMAT="") then
“Shorewall6:%s:%s:” is assumed.</para>
“Shorewall:%s:%s:” is assumed.</para>

<note>
<para>The setting of LOGFORMAT has an effect of the permitted
length of zone names. See <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>
url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>
(5).</para>
</note>

<caution>
<para>Beginning with Shorewall 5.1.0, the default and sample
shorewall.conf files set LOGFORMAT="%s %s ". Shorewall6 log
messages that use this LOGFORMAT can be uniquely identified using
the following regular expression:</para>

<simplelist>
<member>'IN=.* OUT=.* SRC=.*:.* DST='</member>
</simplelist>

<para>To match all Netfilter log messages, use:</para>

<simplelist>
<member>'IN=.* OUT=.* SRC=.* DST='</member>
</simplelist>
</caution>
</listitem>
</varlistentry>

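Review bot: the fallback for an empty LOGFORMAT changes in the text from “Shorewall6:%s:%s:” to “Shorewall:%s:%s:”; that is a statement about compiler behaviour, so please confirm it against what the IPv6 compiler actually emits, because log parsers key on this literal prefix. In the same hunk, the ulink url becomes /manpages/shorewall-zones.html while its text still says shorewall6-zones, the caution refers to "shorewall.conf files" on the shorewall6.conf page, and "can be uniquely identified" overstates 'IN=.* OUT=.* SRC=.*:.* DST=', which matches any IPv6 Netfilter log line rather than only those produced by Shorewall6 rules.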
@ -1350,8 +1372,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

<listitem>
<para>Using the default LOGFORMAT, chain names may not exceed 11
characters or truncation of the log prefix may occur. Longer chain
<para>Using LOGFORMAT=“Shorewall:%s:%s:”, chain names may not exceed
5 characters or truncation of the log prefix may occur. Longer chain
names may be used with log tags if you set LOGTAGONLY=Yes. With
LOGTAGONLY=Yes, if a log tag is specified then the tag is included
in the log prefix in place of the chain name.</para>
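Review bot: same concern as the shorewall.conf copy of this paragraph: 29 bytes minus the 12 fixed characters of "Shorewall:%s:%s:" minus the 6 reserved for the disposition leaves 11 characters for the chain name, which the old text stated; 5 is the zone-name bound (2*5 + 1 = 11), so the 11 → 5 change appears to confuse the two limits.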
@ -1363,10 +1385,10 @@ net all DROP info</programlisting>then the chain name is 'net-all'
separated by a comma. So this rule:</para>

<programlisting>#ACTION SOURCE DEST
LOG:info:foo,bar net fw</programlisting>
LOG:info:foo,bar net fw</programlisting>

<para>would generate the following log prefix when using the default
LOGFORMAT setting:</para>
<para>would generate the following log prefix when using
LOGFORMAT=“Shorewall:%s:%s:”:</para>

<simplelist>
<member>Shorewall:foo:bar:</member>
@ -1375,7 +1397,7 @@ LOG:info:foo,bar net fw</programlisting>
<para>Similarly,</para>

<programlisting>#ACTION SOURCE DEST
LOG:info:,bar net fw</programlisting>
LOG:info:,bar net fw</programlisting>

<para>would generate</para>

@ -2236,7 +2258,7 @@ INLINE - - - ;; -j REJECT
the <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para>
</footnote> interfaces without the routeback option.</para>
</footnote></para>
</listitem>
</varlistentry>

@ -2252,9 +2274,8 @@ INLINE - - - ;; -j REJECT
the <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para>
</footnote> interfaces without the routeback option. The default
is <option>info</option>. If you don't wish for these packets to be
logged, use SFILTER_LOG_LEVEL=none.</para>
</footnote>The default is <option>info</option>. If you don't wish
for these packets to be logged, use SFILTER_LOG_LEVEL=none.</para>
</listitem>
</varlistentry>

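Review bot: "</footnote>The default is" lacks the space that the corresponding shorewall.conf hunk keeps ("</footnote> The default is"); without it the rendered sentence runs the footnote marker straight into "The".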