Log 'norfc1918'

packets out of 'rfc1918' chains git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@792 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-03-05 10:02:19 +01:00 · 2003-11-27 18:39:11 +00:00 · 2003-11-27 18:39:11 +00:00 · 9fde389c31
commit 9fde389c31
parent a3eaa7f9af
3 changed files with 21 additions and 11 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -7,3 +7,5 @@ Changes since 1.4.8
 3) Change wording in release notes.

 4) Move ip_forward handling to a function.
+
+5) Change 'norfc1918' logging to log out of chains named 'rfc1918'.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -4088,13 +4088,13 @@ add_common_rules() {

 	strip_file rfc1918

-	createchain rfc1918 no
+	createchain norfc1918 no

-	createchain logdrop no
+	createchain rfc1918 no
 	
-	log_rule $RFC1918_LOG_LEVEL logdrop DROP
+	log_rule $RFC1918_LOG_LEVEL rfc1918 DROP
 	
-	run_iptables -A logdrop -j DROP
+	run_iptables -A rfc1918 -j DROP

 	if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
 	    #
@ -4106,27 +4106,30 @@ add_common_rules() {
 	    # Also add a chain to log and drop any RFC1918 packets that we find
 	    #
 	    run_iptables -t mangle -N man1918
-	    run_iptables -t mangle -N logdrop
-	    log_rule $RFC1918_LOG_LEVEL logdrop DROP -t mangle
-	    run_iptables -t mangle -A logdrop -j DROP
+	    run_iptables -t mangle -N rfc1918
+	    log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle
+	    run_iptables -t mangle -A rfc1918 -j DROP
 	fi

 	while read subnet target; do
 	    case $target in
-		logdrop|DROP|RETURN)
+		logdrop)
+		    target=rfc1918
+		    ;;
+		DROP|RETURN)
 		    ;;
 		*)
 		    fatal_error "Invalid target ($target) for $subnet"
 		    ;;
 	    esac

-	    run_iptables2 -A rfc1918 -s $subnet -j $target
+	    run_iptables2 -A norfc1918 -s $subnet -j $target

 	    if [ -n "$CONNTRACK_MATCH" ]; then
 		#
 		# We have connection tracking match -- match on the original destination
 		#
-		run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target
+		run_iptables2 -A norfc1918 -m conntrack --ctorigdst $subnet -j $target
 	    elif [ -n "$MANGLE_ENABLED" ]; then
 		#
 		# No connection tracking match but we have mangling -- add a rule to
@ -4138,7 +4141,7 @@ add_common_rules() {

 	for interface in $norfc1918_interfaces; do
 	    for chain in `first_chains $interface`; do
-		run_iptables -A $chain -m state --state NEW -j rfc1918
+		run_iptables -A $chain -m state --state NEW -j norfc1918
 	    done

 	    [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -17,6 +17,11 @@ New Features:
   stealthed?" questions, the SMB-related rules in
   /etc/shorewall/common.def have been changed from 'reject' to 'DROP'.

+2) For easier identification, packets logged under the 'norfc1918'
+   interface option are now logged out of chains named
+   'rfc1918'. Previously, such packets were logged under chains named
+   'logdrop'.
+