Add the USE_NFLOG_SIZE option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
b4a06e9656
commit
ff2323b249
@ -911,6 +911,7 @@ sub initialize( $;$$) {
|
||||
FIREWALL => undef ,
|
||||
BALANCE_PROVIDERS => undef ,
|
||||
PERL_HASH_SEED => undef ,
|
||||
USE_NFLOG_SIZE => undef ,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@ -4048,7 +4049,7 @@ sub make_mask( $ ) {
|
||||
0xffffffff >> ( 32 - $_[0] );
|
||||
}
|
||||
|
||||
my @suffixes = qw(group size threshold nlgroup cprange qthreshold);
|
||||
my @suffixes;
|
||||
|
||||
#
|
||||
# Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate"
|
||||
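Review bot: `my @suffixes;` now leaves the list empty at file scope until get_configuration() fills it, and nothing at the declaration says so, so a reader of the log-level validation introduced by the comment below cannot tell where the values come from. Add a comment on the declaration, `# Filled in by get_configuration(): 'size' when USE_NFLOG_SIZE=Yes and the NFLOG_SIZE capability is present, 'range' otherwise`. Any code path that ran before get_configuration() previously saw the `size` set and now sees an empty list; worth confirming none does.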
@ -5376,6 +5377,7 @@ sub update_config_file( $ ) {
|
||||
update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} );
|
||||
update_default( 'LOGFORMAT', 'Shorewall:%s:%s:' );
|
||||
update_default( 'LOGLIMIT', '' );
|
||||
update_default( 'USE_NFLOG_SIZE', '' );
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
|
||||
@ -6047,12 +6049,6 @@ sub get_configuration( $$$$ ) {
|
||||
$have_capabilities = 1;
|
||||
}
|
||||
|
||||
if ( have_capability( 'NFLOG_SIZE' ) ) {
|
||||
@suffixes = qw(group size threshold nlgroup cprange qthreshold);
|
||||
} else {
|
||||
@suffixes = qw(group range threshold nlgroup cprange qthreshold);
|
||||
}
|
||||
|
||||
get_params( $export );
|
||||
|
||||
process_shorewall_conf( $update, $annotate );
|
||||
@ -6407,6 +6403,17 @@ sub get_configuration( $$$$ ) {
|
||||
default_yes_no 'AUTOMAKE' , '';
|
||||
default_yes_no 'TRACK_PROVIDERS' , '';
|
||||
default_yes_no 'BALANCE_PROVIDERS' , $config{USE_DEFAULT_RT} ? 'Yes' : '';
|
||||
default_yes_no 'USE_NFLOG_SIZE' , '';
|
||||
|
||||
if ( $config{USE_NFLOG_SIZE} ) {
|
||||
if ( have_capability( 'NFLOG_SIZE' ) ) {
|
||||
@suffixes = qw(group size threshold nlgroup cprange qthreshold);
|
||||
} else {
|
||||
fatal_error "USE_NFLOG_SIZE=Yes, but the --nflog-size capabiity is not present";
|
||||
}
|
||||
} else {
|
||||
@suffixes = qw(group range threshold nlgroup cprange qthreshold);
|
||||
}
|
||||
|
||||
unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
|
||||
default_yes_no( 'NULL_ROUTE_RFC1918', '' );
|
||||
|
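Review bot: The fatal_error message in the inner `else` branch misspells the capability name (`capabiity`); since this is the user-facing text that explains the compile failure, it should read `fatal_error "USE_NFLOG_SIZE=Yes, but the --nflog-size capability is not present";`. The outer `else` silently selects `range`, which the manpage text in this same commit says never limited the copied length, so with the default of No the full packet reaches the log regardless of the length given in the rule; a one-line comment there, `# --nflog-range does not actually limit the copied length; kept for compatibility with older kernels`, would save the next reader a trip to the docs. get_configuration() starts and ends outside this hunk.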
@ -249,6 +249,8 @@ TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
|
||||
USE_NFLOG_SIZE=Yes
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
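Review bot: The sample configurations now ship with `USE_NFLOG_SIZE=Yes`, while get_configuration() in this same commit raises fatal_error when the NFLOG_SIZE capability is absent and the documented default for new and updated installations is No; a user who starts from a sample on a kernel or ip[6]tables without --nflog-size fails at compile time instead of falling back to --nflog-range. If that is intended (samples target current kernels), a comment next to the setting would make the requirement visible: `# Requires --nflog-size support in the kernel and ip[6]tables; set to No on older systems`. The same applies to the other nine sample hunks below that add the same line.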
@ -260,6 +260,8 @@ TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
|
||||
USE_NFLOG_SIZE=Yes
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
@ -257,6 +257,8 @@ TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
|
||||
USE_NFLOG_SIZE=Yes
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
@ -260,6 +260,8 @@ TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
|
||||
USE_NFLOG_SIZE=Yes
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
@ -249,6 +249,8 @@ TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
|
||||
USE_NFLOG_SIZE=Yes
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
@ -3083,6 +3083,40 @@ INLINE - - - ;; -j REJECT
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USE_NFLOG_SIZE=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.1.5. The second parameter to the NFLOG
|
||||
target specifies how many bytes of the packet to copy to the log; if
|
||||
omitted or if supplied as zero, the entire packet is copied. This
|
||||
feature has traditionally been implemented using the --nflog-range
|
||||
option to the NFLOG iptables target. Unfortuntely, the --nflog-range
|
||||
option never worked (the entire packet was always copied). To deal
|
||||
with this issue, the Netfilter team:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Added a warning message when --nflog-range is used</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Added --nflog-size which works like --nflog-range was
|
||||
intended to work.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>When USE_NFLOG_SIZE=Yes, Shorewall will attempt to use the new
|
||||
--nflog-size feature. If that feature is not available in the
|
||||
running kernel and ip[6]tables, an error is raised.</para>
|
||||
|
||||
<para>When USE_NFLOG_SIZE is not supplied, USE_NFLOG_SIZE=No is
|
||||
assumed. When USE_NFLOG_SIZE is added by shorewall update, it is
|
||||
added with setting No.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USE_PHYSICAL_NAMES=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
@ -222,6 +222,8 @@ TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
|
||||
USE_NFLOG_SIZE=Yes
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
@ -223,6 +223,8 @@ TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
|
||||
USE_NFLOG_SIZE=Yes
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
@ -222,6 +222,8 @@ TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
|
||||
USE_NFLOG_SIZE=Yes
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
@ -222,6 +222,8 @@ TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
|
||||
USE_NFLOG_SIZE=Yes
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|
@ -222,6 +222,8 @@ TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
|
||||
USE_NFLOG_SIZE=Yes
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
USE_RT_NAMES=No
|
||||
|