diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 40825191d..5595d24aa 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -2651,6 +2651,7 @@ allow_command() {
if [ -n "$g_blacklistipset" ]; then
if qt $IPSET -D $g_blacklistipset $1; then
allowed=Yes
+ [ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
fi
fi
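Review bot: The new log line sits after `allowed=Yes` here but before it in the second allow_command hunk (the `*)` arm), so the two success paths are written inconsistently, and in this arm the inner `if` body now ends with a `[ -n ... ] && ...` list whose status is non-zero whenever logging is disabled. Moving the line above `allowed=Yes`, as the second hunk already does, keeps the body's final status at 0 and makes both arms read the same. The identical gated call is repeated a third time in blacklist_command; a small helper such as `dbl_log() { [ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1"; return 0; }` invoked as `dbl_log "$1 Allowed"` / `dbl_log "$1 Blacklisted"` would remove the duplication and make the non-logging status explicit. allow_command's body starts before and continues after this hunk.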
@@ -2667,6 +2668,7 @@ allow_command() {
*)
if [ -n "$g_blacklistipset" ]; then
if qt $IPSET -D $g_blacklistipset $1; then
+ [ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
allowed=Yes
fi
fi
@@ -3646,6 +3648,7 @@ blacklist_command() {
local message
progress_message2 "$1 Blacklisted"
+ [ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Blacklisted"
if [ -n "$g_disconnect" ]; then
message="$(conntrack -D -s $1 2>&1)"
@@ -3900,7 +3903,7 @@ setup_dbl() {
case $DYNAMIC_BLACKLIST in
ipset*,src-dst*)
#
- # This utility doesn't need to know about 'src-dst'
+ # Capture 'src-dst'
#
DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
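Review bot: The rewritten comment reads `Capture 'src-dst'`, but the visible code in this arm only strips the token with `sed 's/,src-dst//'` and records nothing, unlike the new `log` arm in the following hunk, which sets `g_dbllog=Yes`; unless a line beyond the shown part of the arm assigns a variable, the old wording was the accurate one. Suggest `# Strip 'src-dst'; this utility has no use for it` (or keeping the original sentence) so the comment matches what the arm does. The arm's closing lines fall outside this hunk.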
@@ -3908,6 +3911,17 @@ setup_dbl() {
;;
esac
+ case $DYNAMIC_BLACKLIST in
+ ipset*,log*)
+ #
+ # Capture 'log'
+ #
+ DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,log//')
+
+ g_dbllog=Yes
+ ;;
+ esac
+
case $DYNAMIC_BLACKLIST in
ipset*,timeout*)
#
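Review bot: The new arm matches with the glob `ipset*,log*` and strips with `sed 's/,log//'`, so any future token whose name begins with `log` would satisfy the glob and lose its first four characters, leaving a mangled value for the `timeout` arm that follows; the adjacent `src-dst` and `timeout` arms share this prefix-style matching, so the remark applies to the inherited style as much as to the new lines. Anchoring the token to a following comma or the end of the value, e.g. `sed -e 's/,log,/,/' -e 's/,log$//'`, makes the strip exact and stays within POSIX sed. Today no collision exists: the Config.pm hunk limits the simple options to `src-dst`, `disconnect` and `log`, with `timeout` handled separately. setup_dbl's body starts before and continues after this hunk.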
@@ -4480,6 +4494,7 @@ shorewall_cli() {
g_havemutex=
g_trace=
g_dbltimeout=
+ g_dbllog=
VERBOSE=
VERBOSITY=1
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 6a577a2e5..b8b064e68 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -6695,7 +6695,7 @@ sub get_configuration( $$$ ) {
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
if ( $val =~ /^ipset/ ) {
- my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
+ my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1, 'log' => 1 );
my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
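Review bot: The added `'log' => 1` entry lets the compiler accept the token, but nothing in the hunk records that setup_dbl() in Shorewall-core/lib.cli independently re-parses DYNAMIC_BLACKLIST and strips the same tokens by name, so the two lists can drift apart silently when the next option is added to only one side. A one-line comment above the hash, `# Keep in sync with the case arms in setup_dbl() in Shorewall-core/lib.cli`, would make that coupling visible to the next maintainer. get_configuration's body starts before and continues after this hunk, so how `$rest` is later validated against `%simple_options` is not visible here.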
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 3b39cfcf7..d2b893003 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -245,8 +245,8 @@
Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
is enabled (see shorewall-accounting(5)).
- If not specified or set to the empty value, ACCOUNTING=Yes is
+ url="shorewall-accounting.html">shorewall-accounting(5)). If
+ not specified or set to the empty value, ACCOUNTING=Yes is
assumed.
@@ -271,8 +271,8 @@
This parameter determines whether Shorewall automatically adds
the external address(es) in shorewall-nat(5), and is
- only available in IPv4 configurations. If the variable is set to
+ url="shorewall-nat.html">shorewall-nat(5), and is only
+ available in IPv4 configurations. If the variable is set to
Yes or yes then Shorewall automatically adds these
aliases. If it is set to No or
@@ -300,8 +300,8 @@
This parameter determines whether Shorewall automatically adds
the SNAT ADDRESS in shorewall-masq(5), and
- is only available in IPv4 configurations. If the variable is set to
+ url="shorewall-masq.html">shorewall-masq(5), and is only
+ available in IPv4 configurations. If the variable is set to
Yes or yes then Shorewall automatically adds these
addresses. If it is set to No or
@@ -445,8 +445,7 @@
Specify the appropriate helper in the HELPER column in
- shorewall-rules
+ shorewall-rules
(5).
@@ -514,8 +513,8 @@
Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
determines whether the provider option (see
shorewall-providers(5))
- is the default. When BALANCE_PROVIDERS=Yes, then the
+ url="shorewall-providers.html">shorewall-providers(5)) is
+ the default. When BALANCE_PROVIDERS=Yes, then the
option is assumed unless the
, ,
or option is
@@ -531,8 +530,8 @@
Added in Shorewall-4.6.0. When set to Yes, causes entries in shorewall-tcfilters(5)
- to generate a basic filter rather than a u32 filter. This setting
+ url="shorewall-tcfilters.html">shorewall-tcfilters(5) to
+ generate a basic filter rather than a u32 filter. This setting
requires the Basic Ematch capability in your
kernel and iptables.
@@ -589,8 +588,7 @@
The BLACKLIST_DISPOSITION setting determines the disposition
of packets sent to the blacklog
- target of shorewall-blrules
+ target of shorewall-blrules
(5), but otherwise does not affect entries in that
file.
@@ -652,8 +650,8 @@
not supply an /etc/shorewall/tcstart file. That way, your traffic
shaping rules can still use the “fwmark” classifier based on packet
marking defined in shorewall-tcrules(5).
- If not specified, CLEAR_TC=Yes is assumed.
+ url="shorewall-tcrules.html">shorewall-tcrules(5). If not
+ specified, CLEAR_TC=Yes is assumed.When you specify TC_ENABLED=shared (see below), then you
@@ -943,6 +941,16 @@
+
+
+ log
+
+
+ Added in Shorewall 5.2.5. When specified, successful
+ 'blacklist' and 'allow' commands will log a message to the
+ system log.
+
+ When ipset-based dynamic blacklisting is enabled, the contents
@@ -1159,12 +1167,11 @@ net all DROP infothen the chain name is 'net-all'
Subzones are defined by following their name with ":" and a
list of parent zones (in shorewall-zones(5)).
- Normally, you want to have a set of special rules for the subzone
- and if a connection doesn't match any of those subzone-specific
- rules then you want the parent zone rules and policies to be
- applied; see shorewall-nesting(5).
+ url="shorewall-zones.html">shorewall-zones(5)). Normally,
+ you want to have a set of special rules for the subzone and if a
+ connection doesn't match any of those subzone-specific rules then
+ you want the parent zone rules and policies to be applied; see
+ shorewall-nesting(5).
With IMPLICIT_CONTINUE=Yes, that happens automatically.If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
@@ -1182,10 +1189,10 @@ net all DROP infothen the chain name is 'net-all'
Added in Shorewall 4.5.13. Shorewall has traditionally passed
INVALID packets through the NEW section of shorewall-rules (5).
- When a packet in INVALID state fails to match any rule in the
- INVALID section, the packet is disposed of based on this setting.
- The default value is CONTINUE for compatibility with earlier
+ url="shorewall-rules.html">shorewall-rules (5). When a
+ packet in INVALID state fails to match any rule in the INVALID
+ section, the packet is disposed of based on this setting. The
+ default value is CONTINUE for compatibility with earlier
versions.
@@ -1197,9 +1204,9 @@ net all DROP infothen the chain name is 'net-all'
Added in Shorewall 4.5.13. Packets in the INVALID state that
do not match any rule in the INVALID section of shorewall-rules (5) are
- logged at this level. The default value is empty which means no
- logging is performed.
+ url="shorewall-rules.html">shorewall-rules (5) are logged at
+ this level. The default value is empty which means no logging is
+ performed.
@@ -1482,8 +1489,8 @@ net all DROP infothen the chain name is 'net-all'
sample configurations use this as the default log level and changing
it will change all packet logging done by the configuration. In any
configuration file (except shorewall-params(5)),
- $LOG_LEVEL will expand to this value.
+ url="shorewall-params.html">shorewall-params(5)), $LOG_LEVEL
+ will expand to this value.
@@ -1635,8 +1642,7 @@ net all DROP infothen the chain name is 'net-all'
The setting of LOGFORMAT has an effect of the permitted
length of zone names. See shorewall-zones
- (5).
+ url="shorewall-zones.html">shorewall-zones (5).
@@ -1793,8 +1799,8 @@ LOG:info:,bar net fw
The performance of configurations with a large numbers of
entries in shorewall-maclist(5)
- can be improved by setting the MACLIST_TTL variable in shorewall-maclist(5) can be
+ improved by setting the MACLIST_TTL variable in shorewall[6].conf(5).If your iptables and kernel support the "Recent Match" (see
@@ -1804,15 +1810,14 @@ LOG:info:,bar net fw
When a new connection arrives from a 'maclist' interface, the
packet passes through then list of entries for that interface in
- shorewall-maclist(5).
- If there is a match then the source IP address is added to the
- 'Recent' set for that interface. Subsequent connection attempts from
- that IP address occurring within $MACLIST_TTL seconds will be
- accepted without having to scan all of the entries. After
- $MACLIST_TTL from the first accepted connection request from an IP
- address, the next connection request from that IP address will be
- checked against the entire list.
+ shorewall-maclist(5). If
+ there is a match then the source IP address is added to the 'Recent'
+ set for that interface. Subsequent connection attempts from that IP
+ address occurring within $MACLIST_TTL seconds will be accepted
+ without having to scan all of the entries. After $MACLIST_TTL from
+ the first accepted connection request from an IP address, the next
+ connection request from that IP address will be checked against the
+ entire list.If MACLIST_TTL is not specified or is specified as empty (e.g,
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
@@ -2386,13 +2391,12 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}
Added in Shorewall 4.4.27. Shorewall has traditionally
ACCEPTed RELATED packets that don't match any rule in the RELATED
- section of shorewall-rules (5).
- Concern about the safety of this practice resulted in the addition
- of this option. When a packet in RELATED state fails to match any
- rule in the RELATED section, the packet is disposed of based on this
- setting. The default value is ACCEPT for compatibility with earlier
- versions.
+ section of shorewall-rules
+ (5). Concern about the safety of this practice resulted in the
+ addition of this option. When a packet in RELATED state fails to
+ match any rule in the RELATED section, the packet is disposed of
+ based on this setting. The default value is ACCEPT for compatibility
+ with earlier versions.
@@ -2403,9 +2407,9 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}
Added in Shorewall 4.4.27. Packets in the related state that
do not match any rule in the RELATED section of shorewall-rules (5) are
- logged at this level. The default value is empty which means no
- logging is performed.
+ url="shorewall-rules.html">shorewall-rules (5) are logged at
+ this level. The default value is empty which means no logging is
+ performed.
@@ -2506,8 +2510,7 @@ INLINE - - - ;; -j REJECT
Added in Shorewall 4.4.10. The default is No. If set to Yes,
at least one optional interface must be up in order for the firewall
to be in the started state. Intended to be used with the Shorewall Init
- Package.
+ url="shorewall-init.html">Shorewall Init Package.
@@ -2593,18 +2596,17 @@ INLINE - - - ;; -j REJECT
During shorewall start, IP
addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
ADD_SNAT_ALIASES=Yes are quietly deleted when shorewall-nat(5) and
- shorewall-masq(5)
- are processed then are re-added later. This is done to help ensure
- that the addresses can be added with the specified labels but can
- have the undesirable side effect of causing routes to be quietly
- deleted. When RETAIN_ALIASES is set to Yes, existing addresses will
- not be deleted. Regardless of the setting of RETAIN_ALIASES,
- addresses added during shorewall
- start are still deleted at a subsequent shorewall [stop, shorewall reload or shorewall restart.
+ url="shorewall-nat.html">shorewall-nat(5) and shorewall-masq(5) are processed
+ then are re-added later. This is done to help ensure that the
+ addresses can be added with the specified labels but can have the
+ undesirable side effect of causing routes to be quietly deleted.
+ When RETAIN_ALIASES is set to Yes, existing addresses will not be
+ deleted. Regardless of the setting of RETAIN_ALIASES, addresses
+ added during shorewall start are
+ still deleted at a subsequent shorewall
+ [stop, shorewall reload
+ or shorewall restart.
@@ -2708,9 +2710,9 @@ INLINE - - - ;; -j REJECT
Added in Shorewall 4.4.20. Determines the disposition of
packets matching the option (see shorewall-interfaces(5))
- and of hairpin packets on interfaces without
- the option.
+ url="shorewall-interfaces.html">shorewall-interfaces(5)) and
+ of hairpin packets on interfaces without the
+ option.Hairpin packets are packets that are routed out of the
same interface that they arrived on.
@@ -2724,9 +2726,9 @@ INLINE - - - ;; -j REJECT
Added on Shorewall 4.4.20. Determines the logging of packets
matching the option (see shorewall-interfaces(5))
- and of hairpin packets on interfaces without
- the option.
+ url="shorewall-interfaces.html">shorewall-interfaces(5)) and
+ of hairpin packets on interfaces without the
+ option.Hairpin packets are packets that are routed out of the
same interface that they arrived on. The default is . If you don't
@@ -2754,9 +2756,9 @@ INLINE - - - ;; -j REJECT
Added in Shorewall 4.4.20. The default setting is DROP which
causes smurf packets (see the nosmurfs option in shorewall-interfaces(5))
- to be dropped. A_DROP causes the packets to be audited prior to
- being dropped and requires AUDIT_TARGET support in the kernel and
+ url="shorewall-interfaces.html">shorewall-interfaces(5)) to
+ be dropped. A_DROP causes the packets to be audited prior to being
+ dropped and requires AUDIT_TARGET support in the kernel and
iptables.
@@ -2768,8 +2770,8 @@ INLINE - - - ;; -j REJECT
Specifies the logging level for smurf packets (see the
nosmurfs option in shorewall-interfaces(5)).
- If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
+ url="shorewall-interfaces.html">shorewall-interfaces(5)). If
+ set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
logged.
@@ -2871,8 +2873,7 @@ INLINE - - - ;; -j REJECT
If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
simple traffic shaping using shorewall-tcinterfaces(5)
- and shorewall-tcpri(5) is
+ and shorewall-tcpri(5) is
enabled.If you set TC_ENABLED=Internal or internal or leave the option
@@ -2936,10 +2937,10 @@ INLINE - - - ;; -j REJECT
Determines the disposition of TCP packets that fail the checks
enabled by the tcpflags interface
option (see shorewall-interfaces(5))
- and must have a value of ACCEPT (accept the packet), REJECT (send an
- RST response) or DROP (ignore the packet). If not set or if set to
- the empty value (e.g., TCP_FLAGS_DISPOSITION="") then
+ url="shorewall-interfaces.html">shorewall-interfaces(5)) and
+ must have a value of ACCEPT (accept the packet), REJECT (send an RST
+ response) or DROP (ignore the packet). If not set or if set to the
+ empty value (e.g., TCP_FLAGS_DISPOSITION="") then
TCP_FLAGS_DISPOSITION=DROP is assumed.A_DROP and A_REJECT are audited versions of DROP and REJECT
@@ -2968,8 +2969,8 @@ INLINE - - - ;; -j REJECT
Added in Shorewall 4.4.3. When set to Yes, causes the
option to be assumed on all providers defined
in shorewall-providers(5).
- May be overridden on an individual provider through use of the
+ url="shorewall-providers.html">shorewall-providers(5). May
+ be overridden on an individual provider through use of the
option. The default value is 'No'.Beginning in Shorewall 4.4.6, setting this option to 'Yes'
@@ -3023,10 +3024,10 @@ INLINE - - - ;; -j REJECT
Added in Shorewall 4.5.13. Shorewall has traditionally passed
UNTRACKED packets through the NEW section of shorewall-rules (5).
- When a packet in UNTRACKED state fails to match any rule in the
- UNTRACKED section, the packet is disposed of based on this setting.
- The default value is CONTINUE for compatibility with earlier
+ url="shorewall-rules.html">shorewall-rules (5). When a
+ packet in UNTRACKED state fails to match any rule in the UNTRACKED
+ section, the packet is disposed of based on this setting. The
+ default value is CONTINUE for compatibility with earlier
versions.
@@ -3038,9 +3039,9 @@ INLINE - - - ;; -j REJECT
Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
do not match any rule in the UNTRACKED section of shorewall-rules (5) are
- logged at this level. The default value is empty which means no
- logging is performed.
+ url="shorewall-rules.html">shorewall-rules (5) are logged at
+ this level. The default value is empty which means no logging is
+ performed.
@@ -3062,8 +3063,8 @@ INLINE - - - ;; -j REJECT
Both the DUPLICATE and the COPY columns in providers(5)
- file must remain empty (or contain "-").
+ url="shorewall-providers.html">providers(5) file must
+ remain empty (or contain "-").
@@ -3083,9 +3084,9 @@ INLINE - - - ;; -j REJECT
Packets are sent through the main routing table by a rule
with priority 999. In shorewall-rtrules(5),
- the range 1-998 may be used for inserting rules that bypass the
- main table.
+ url="shorewall-rtrules.html">shorewall-rtrules(5), the
+ range 1-998 may be used for inserting rules that bypass the main
+ table.