diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 6a6e66e88..b3c9797c7 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -3934,7 +3934,7 @@ sub log_rule_limit( $$$$$$$$ ) { $prefix = "-j $level --nflog-prefix \"$prefix\" "; } elsif ( $level =~ '^LOGMARK' ) { $prefix = join( '', substr( $prefix, 0, 12 ) , ':' ) if length $prefix > 13; - $prefix = "-j LOGMARK --log-level $level --log-prefix \"$prefix\" "; + $prefix = "-j $level --log-prefix \"$prefix\" "; } else { $prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" "; } diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 1b235e381..2eb91587f 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -2132,10 +2132,21 @@ sub validate_level( $ ) { return $rawlevel; } - if ( $level eq 'LOGMARK' ) { + if ( $level =~ /^LOGMARK --/ ) { + require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ); + return $rawlevel; + } + + if ( $level =~ /LOGMARK[(](.*)[)]$/ ) { + my $sublevel = $1; + + $sublevel = $validlevels{$sublevel} unless $sublevel =~ /^[0-7]$/; + + level_error( $level ) unless defined $sublevel =~ /^[0-7]$/; + require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ); require_capability( 'LOGMARK_TARGET' , 'LOGMARK', 's' ); - return 'LOGMARK'; + return "LOGMARK --log-level $sublevel"; } level_error( $rawlevel ); diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index e060156ef..44858c9ea 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml 
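Review bot: The LOGMARK branch of log_rule_limit now interpolates `$level` directly into the rule as `-j $level --log-prefix ...`, so it depends on the caller passing the string validate_level returns (`LOGMARK --log-level N`) rather than the user-written `LOGMARK(priority)` form; both match the `'^LOGMARK'` test. A comment on the new line would record that contract, for example `# $level is the validated form "LOGMARK --log-level <0-7>" returned by validate_level()`. Whether every caller passes a validated level cannot be seen from this hunk, and the function body continues outside it.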
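Review bot: The new sublevel check in validate_level, `level_error( $level ) unless defined $sublevel =~ /^[0-7]$/;`, can never fire: `=~` binds tighter than the named unary `defined`, so it evaluates `defined( $sublevel =~ /.../ )`, and a match in scalar context returns a defined value whether or not it succeeds. An unknown priority such as `LOGMARK(bogus)` therefore appears to leave `$sublevel` undefined (assuming `%validlevels` has no such key) and returns `LOGMARK --log-level ` with nothing after it, which the Chains.pm hunk then places in the rule text. Test the value explicitly with `level_error( $level ) unless defined $sublevel && $sublevel =~ /^[0-7]$/;`, and anchor the pattern as `/^LOGMARK[(](.*)[)]$/` so that text before `LOGMARK` is rejected. The `/^LOGMARK --/` branch returns `$rawlevel` without checking what follows or requiring LOGMARK_TARGET; if it exists only to re-validate an already converted level, a comment saying so would help. validate_level begins outside the hunk.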
@@ -72,7 +72,19 @@ from http://www.netfilter.org/projects/ulogd/index.html and can be configured to log all Shorewall messages to their own log - file + file. + + Beginning with Shorewall 4.4.22, LOGMARK is also a valid level which + logs the packet's mark value along with the other usual information. The + syntax is: + + + LOGMARK(priority) + + + where priority is one of the levels + listed in the list above. The following options may be set in shorewall.conf.