Add the USE_NFLOG_SIZE option

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Config.pm

@@ -911,6 +911,7 @@ sub initialize( $;$$) {
 	  FIREWALL => undef ,
 	  BALANCE_PROVIDERS => undef ,
 	  PERL_HASH_SEED => undef ,
+	  USE_NFLOG_SIZE => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -4048,7 +4049,7 @@ sub make_mask( $ ) {
     0xffffffff >> ( 32 - $_[0] );
 }
 
-my @suffixes = qw(group size threshold nlgroup cprange qthreshold);
+my @suffixes;
 
 #
 # Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate"
@@ -5376,6 +5377,7 @@ sub update_config_file( $ ) {
     update_default( 'PAGER',             $shorewallrc1{DEFAULT_PAGER} );
     update_default( 'LOGFORMAT',         'Shorewall:%s:%s:' );
     update_default( 'LOGLIMIT',          '' );
+    update_default( 'USE_NFLOG_SIZE',    '' );
 
     if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
@@ -6047,12 +6049,6 @@ sub get_configuration( $$$$ ) {
 	$have_capabilities = 1;
     }
 
-    if ( have_capability( 'NFLOG_SIZE' ) ) {
-	@suffixes = qw(group size threshold nlgroup cprange qthreshold);
-    } else {
-	@suffixes = qw(group range threshold nlgroup cprange qthreshold);
-    }
-
     get_params( $export );
 
     process_shorewall_conf( $update, $annotate );
@@ -6407,6 +6403,17 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'TRACK_PROVIDERS'            , '';
     default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
+    default_yes_no 'USE_NFLOG_SIZE'             , '';
+
+    if ( $config{USE_NFLOG_SIZE} ) {
+	if ( have_capability( 'NFLOG_SIZE' ) ) {
+	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
+	} else {
+	    fatal_error "USE_NFLOG_SIZE=Yes, but the --nflog-size capabiity is not present";
+	}
+    } else {
+	@suffixes = qw(group range threshold nlgroup cprange qthreshold);
+    }
 
     unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );

Shorewall/Samples/Universal/shorewall.conf

@@ -249,6 +249,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=Yes
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/one-interface/shorewall.conf

@@ -260,6 +260,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=Yes
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -257,6 +257,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=Yes
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -260,6 +260,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=Yes
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/configfiles/shorewall.conf

@@ -249,6 +249,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=Yes
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall/manpages/shorewall.conf.xml

@@ -3083,6 +3083,40 @@ INLINE          -       -       -       ;; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">USE_NFLOG_SIZE=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.5. The second parameter to the NFLOG
+          target specifies how many bytes of the packet to copy to the log; if
+          omitted or if supplied as zero, the entire packet is copied. This
+          feature has traditionally been implemented using the --nflog-range
+          option to the NFLOG iptables target. Unfortuntely, the --nflog-range
+          option never worked (the entire packet was always copied). To deal
+          with this issue, the Netfilter team:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>Added a warning message when --nflog-range is used</para>
+            </listitem>
+
+            <listitem>
+              <para>Added --nflog-size which works like --nflog-range was
+              intended to work.</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>When USE_NFLOG_SIZE=Yes, Shorewall will attempt to use the new
+          --nflog-size feature. If that feature is not available in the
+          running kernel and ip[6]tables, an error is raised.</para>
+
+          <para>When USE_NFLOG_SIZE is not supplied, USE_NFLOG_SIZE=No is
+          assumed. When USE_NFLOG_SIZE is added by shorewall update, it is
+          added with setting No.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">USE_PHYSICAL_NAMES=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -222,6 +222,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=Yes
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -223,6 +223,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=Yes
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -222,6 +222,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=Yes
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -222,6 +222,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=Yes
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No

Shorewall6/configfiles/shorewall6.conf

@@ -222,6 +222,8 @@ TRACK_RULES=No
 
 USE_DEFAULT_RT=Yes
 
+USE_NFLOG_SIZE=Yes
+
 USE_PHYSICAL_NAMES=No
 
 USE_RT_NAMES=No