Merge branch '5.1.4'

Shorewall/manpages/shorewall-zones.xml

@@ -55,14 +55,14 @@
             <para>The maximum length of an iptables log prefix is 29 bytes. As
             explained in <ulink
             url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
-            the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
+            the legacy default LOGPREFIX formatting string is
-            where the first %s is replaced by the chain name and the second is
+            “Shorewall:%s:%s:” where the first %s is replaced by the chain
-            replaced by the disposition.</para>
+            name and the second is replaced by the disposition.</para>
 
             <itemizedlist>
               <listitem>
-                <para>The default formatting string has 12 fixed characters
+                <para>The "Shorewall:%s:%s:" formatting string has 12 fixed
-                ("Shorewall" and three colons).</para>
+                characters ("Shorewall" and three colons).</para>
               </listitem>
 
               <listitem>
@@ -90,6 +90,29 @@
                 </simplelist>
               </listitem>
             </itemizedlist>
+
+            <para>In Shorewall 5.1.0, the LOGFORMAT in the default and sample
+            shorewall.conf files was changed to "%s:%s ".</para>
+
+            <itemizedlist>
+              <listitem>
+                <para>That formatting string has 2 fixed characters (":" and a
+                space).</para>
+              </listitem>
+
+              <listitem>
+                <para>So the maximum zone name length M is calculated
+                as:</para>
+
+                <simplelist>
+                  <member>2 + 6 + 2*M + 1 = 29</member>
+
+                  <member>2M = 29 - 2 + 6 + 1 = 20</member>
+
+                  <member>M = 10</member>
+                </simplelist>
+              </listitem>
+            </itemizedlist>
           </blockquote>
 
           <para>The order in which Shorewall matches addresses from packets to

Shorewall/manpages/shorewall.conf.xml

@@ -1443,15 +1443,20 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
             </listitem>
           </itemizedlist>
 
-          <para/>
-
           <blockquote>
             <para>For example, using the default LOGFORMAT, the log prefix for
-            logging from the nat table's PREROUTING chain is:</para>
+            logging from the nat table's PREROUTING chain is as follows in
+            versions prior to 5.1.0:</para>
 
             <programlisting>    Shorewall:nat:PREROUTING
  </programlisting>
 
+            <para>In Shorewall 5.1.0 and later releases, the log prefix
+            is:</para>
+
+            <programlisting>    nat:PREROUTING
+ </programlisting>
+
             <important>
               <para>To help insure that all packets in the NEW state are
               logged, rate limiting (LOGLIMIT) should be disabled when using
@@ -1515,6 +1520,24 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
             url="/manpages/shorewall-zones.html">shorewall-zones</ulink>
             (5).</para>
           </note>
+
+          <caution>
+            <para>Beginning with Shorewall 5.1.0, the default and sample
+            shorewall.conf files set LOGFORMAT="%s %s ". Shorewall log
+            messages that use this LOGFORMAT can be uniquely identified using
+            the following regular expression:</para>
+
+            <simplelist>
+              <member>'IN=.* OUT=.* SRC=.*\..* DST='</member>
+            </simplelist>
+
+            <para>To match all Netfilter log messages (Both IPv4 and IPv6),
+            use:</para>
+
+            <simplelist>
+              <member>'IN=.* OUT=.* SRC=.* DST='</member>
+            </simplelist>
+          </caution>
         </listitem>
       </varlistentry>
 
@@ -1551,8 +1574,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
-          <para>Using the default LOGFORMAT, chain names may not exceed 11
+          <para>Using LOGFORMAT=“Shorewall:%s:%s:”, chain names may not exceed
-          characters or truncation of the log prefix may occur. Longer chain
+          5 characters or truncation of the log prefix may occur. Longer chain
           names may be used with log tags if you set LOGTAGONLY=Yes. With
           LOGTAGONLY=Yes, if a log tag is specified then the tag is included
           in the log prefix in place of the chain name.</para>
@@ -1564,10 +1587,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           separated by a comma. So this rule:</para>
 
           <programlisting>#ACTION                                SOURCE         DEST
-LOG:info:foo,bar                 net                   fw</programlisting>
+LOG:info:foo,bar                       net            fw</programlisting>
 
-          <para>would generate the following log prefix when using the default
+          <para>would generate the following log prefix when using
-          LOGFORMAT setting:</para>
+          LOGFORMAT=“Shorewall:%s:%s:”:</para>
 
           <simplelist>
             <member>Shorewall:foo:bar:</member>
@@ -2550,7 +2573,7 @@ INLINE          -       -       -       ;; -j REJECT
           the <option>routeback</option> option.<footnote>
               <para>Hairpin packets are packets that are routed out of the
               same interface that they arrived on.</para>
-            </footnote> interfaces without the routeback option.</para>
+            </footnote></para>
         </listitem>
       </varlistentry>
 
@@ -2566,9 +2589,9 @@ INLINE          -       -       -       ;; -j REJECT
           the <option>routeback</option> option.<footnote>
               <para>Hairpin packets are packets that are routed out of the
               same interface that they arrived on.</para>
-            </footnote> interfaces without the routeback option. The default
+            </footnote> The default is <option>info</option>. If you don't
-          is <option>info</option>. If you don't wish for these packets to be
+          wish for these packets to be logged, use
-          logged, use SFILTER_LOG_LEVEL=none.</para>
+          SFILTER_LOG_LEVEL=none.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/actions.std

@@ -17,6 +17,7 @@ allowInvalid inline		# Accepts packets in the INVALID conntrack state
 allowMcast   inline		# Silently Allow Multicast
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
+BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
 Broadcast    noinline      	# Handles Broadcast/Anycast
 Drop		        	# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast

Shorewall6/manpages/shorewall6-zones.xml

@@ -42,26 +42,27 @@
         role="bold">,</emphasis><emphasis>parent-zone</emphasis>]...]</term>
 
         <listitem>
-          <para>Name of the <emphasis>zone</emphasis>. The names "all",
+          <para>Name of the <emphasis>zone</emphasis>. Must start with a
-          "none", "SOURCE" and "DEST" are reserved and may not be used as zone
+          letter and consist of letters, digits or '_'. The names "all",
-          names. The maximum length of a zone name is determined by the
+          "none", "any", "SOURCE" and "DEST" are reserved and may not be used
-          setting of the LOGFORMAT option in <ulink
+          as zone names. The maximum length of a zone name is determined by
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
+          the setting of the LOGFORMAT option in <ulink
-          With the default LOGFORMAT, zone names can be at most 5 characters
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5). With
+          the default LOGFORMAT, zone names can be at most 5 characters
           long.</para>
 
           <blockquote>
             <para>The maximum length of an iptables log prefix is 29 bytes. As
             explained in <ulink
-            url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5),
+            url="shorewall6.conf.html">shorewall6.conf</ulink> (5), the legacy
-            the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
+            default LOGPREFIX formatting string is “Shorewall:%s:%s:” where
-            where the first %s is replaced by the chain name and the second is
+            the first %s is replaced by the chain name and the second is
             replaced by the disposition.</para>
 
             <itemizedlist>
               <listitem>
-                <para>The default formatting string has 12 fixed characters
+                <para>The "Shorewall:%s:%s:" formatting string has 12 fixed
-                ("Shorewall" and three colons).</para>
+                characters ("Shorewall" and three colons).</para>
               </listitem>
 
               <listitem>
@@ -72,7 +73,8 @@
               <listitem>
                 <para>The canonical name for the chain containing the rules
                 for traffic going from zone 1 to zone 2 is "&lt;zone
-                1&gt;2&lt;zone 2&gt;".</para>
+                1&gt;2&lt;zone 2&gt;" or "&lt;zone 1&gt;-&lt;zone
+                2&gt;".</para>
               </listitem>
 
               <listitem>
@@ -88,6 +90,29 @@
                 </simplelist>
               </listitem>
             </itemizedlist>
+
+            <para>In Shorewall 5.1.0, the LOGFORMAT in the default and sample
+            shorewall.conf files was changed to "%s:%s ".</para>
+
+            <itemizedlist>
+              <listitem>
+                <para>That formatting string has 2 fixed characters (":" and a
+                space).</para>
+              </listitem>
+
+              <listitem>
+                <para>So the maximum zone name length M is calculated
+                as:</para>
+
+                <simplelist>
+                  <member>2 + 6 + 2*M + 1 = 29</member>
+
+                  <member>2M = 29 - 2 + 6 + 1 = 20</member>
+
+                  <member>M = 10</member>
+                </simplelist>
+              </listitem>
+            </itemizedlist>
           </blockquote>
 
           <para>The order in which Shorewall6 matches addresses from packets

Shorewall6/manpages/shorewall6.conf.xml

@@ -1229,7 +1229,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
         <listitem>
           <para>This option is intended for use as a debugging aid. When set
-          to a log level, this option causes Shorewall6 to generate a logging
+          to a log level, this option causes Shorewall to generate a logging
           rule as the first rule in each builtin chain.</para>
 
           <itemizedlist>
@@ -1244,14 +1244,19 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
             </listitem>
           </itemizedlist>
 
-          <para/>
-
           <blockquote>
             <para>For example, using the default LOGFORMAT, the log prefix for
-            logging from the nat table's PREROUTING chain is:</para>
+            logging from the nat table's PREROUTING chain is as follows in
+            versions prior to 5.1.0:</para>
 
             <programlisting>    Shorewall:nat:PREROUTING
-</programlisting>
+ </programlisting>
+
+            <para>In Shorewall 5.1.0 and later releases, the log prefix
+            is:</para>
+
+            <programlisting>    nat:PREROUTING
+ </programlisting>
 
             <important>
               <para>To help insure that all packets in the NEW state are
@@ -1295,7 +1300,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
         <listitem>
           <para>The value of this variable generate the --log-prefix setting
-          for Shorewall6 logging rules. It contains a “printf” formatting
+          for Shorewall logging rules. It contains a “printf” formatting
           template which accepts three arguments (the chain name, logging rule
           number (optional) and the disposition). To use LOGFORMAT with
           fireparse, set it as:</para>
@@ -1306,14 +1311,31 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           logging rule number is calculated and formatted in that position; if
           that substring is not included then the rule number is not included.
           If not supplied or supplied as empty (LOGFORMAT="") then
-          “Shorewall6:%s:%s:” is assumed.</para>
+          “Shorewall:%s:%s:” is assumed.</para>
 
           <note>
             <para>The setting of LOGFORMAT has an effect of the permitted
             length of zone names. See <ulink
-            url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>
+            url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>
             (5).</para>
           </note>
+
+          <caution>
+            <para>Beginning with Shorewall 5.1.0, the default and sample
+            shorewall.conf files set LOGFORMAT="%s %s ". Shorewall6 log
+            messages that use this LOGFORMAT can be uniquely identified using
+            the following regular expression:</para>
+
+            <simplelist>
+              <member>'IN=.* OUT=.* SRC=.*:.* DST='</member>
+            </simplelist>
+
+            <para>To match all Netfilter log messages, use:</para>
+
+            <simplelist>
+              <member>'IN=.* OUT=.* SRC=.* DST='</member>
+            </simplelist>
+          </caution>
         </listitem>
       </varlistentry>
 
@@ -1350,8 +1372,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
-          <para>Using the default LOGFORMAT, chain names may not exceed 11
+          <para>Using LOGFORMAT=“Shorewall:%s:%s:”, chain names may not exceed
-          characters or truncation of the log prefix may occur. Longer chain
+          5 characters or truncation of the log prefix may occur. Longer chain
           names may be used with log tags if you set LOGTAGONLY=Yes. With
           LOGTAGONLY=Yes, if a log tag is specified then the tag is included
           in the log prefix in place of the chain name.</para>
@@ -1363,10 +1385,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           separated by a comma. So this rule:</para>
 
           <programlisting>#ACTION                                SOURCE         DEST
-LOG:info:foo,bar                 net                   fw</programlisting>
+LOG:info:foo,bar                       net            fw</programlisting>
 
-          <para>would generate the following log prefix when using the default
+          <para>would generate the following log prefix when using
-          LOGFORMAT setting:</para>
+          LOGFORMAT=“Shorewall:%s:%s:”:</para>
 
           <simplelist>
             <member>Shorewall:foo:bar:</member>
@@ -1375,7 +1397,7 @@ LOG:info:foo,bar                 net                   fw</programlisting>
           <para>Similarly,</para>
 
           <programlisting>#ACTION                               SOURCE            DEST
-LOG:info:,bar                        net                    fw</programlisting>
+LOG:info:,bar                         net               fw</programlisting>
 
           <para>would generate</para>
 
@@ -2236,7 +2258,7 @@ INLINE          -       -       -       ;; -j REJECT
           the <option>routeback</option> option.<footnote>
               <para>Hairpin packets are packets that are routed out of the
               same interface that they arrived on.</para>
-            </footnote> interfaces without the routeback option.</para>
+            </footnote></para>
         </listitem>
       </varlistentry>
 
@@ -2252,9 +2274,8 @@ INLINE          -       -       -       ;; -j REJECT
           the <option>routeback</option> option.<footnote>
               <para>Hairpin packets are packets that are routed out of the
               same interface that they arrived on.</para>
-            </footnote> interfaces without the routeback option. The default
+            </footnote>The default is <option>info</option>. If you don't wish
-          is <option>info</option>. If you don't wish for these packets to be
+          for these packets to be logged, use SFILTER_LOG_LEVEL=none.</para>
-          logged, use SFILTER_LOG_LEVEL=none.</para>
         </listitem>
       </varlistentry>