diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 7fc863e5c..69f8bc2d7 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -5,3 +5,7 @@ Changes since 1.4.3a
 2. Change LOGMARKER to a printf mask and allow embedded spaces. Renamed it LOGFORMAT to avoid confusion.
+3. DNAT and REDIRECT logging is moved from the filter table to the nat
+   table.
+
+
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 96dc32d09..30c978456 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1855,6 +1855,13 @@ add_nat_rule() {
     fi
 
     for adr in $addr; do
+        if [ -n "$loglevel" ]; then
+            ensurenatchain $chain
+            log_rule $loglevel $chain $logtarget -t nat \
+                `fix_bang $proto $cli $sports -d $adr $multiport $dports`
+            loglevel=
+        fi
+
         addnatrule $chain $proto $cli $sports \
             -d $adr $multiport $dports -j $target1
     done
@@ -3299,7 +3306,7 @@ build_common_chain() {
 # Construct zone-independent rules
 #
 add_common_rules() {
-    local savelogparms=
+    local savelogparms="$LOGPARMS"
     #
     # Reject Rules
     #
@@ -3324,8 +3331,7 @@ add_common_rules() {
     createchain badpkt no
     if [ -n "$LOGUNCLEAN" ]; then
-        savelogparms="$LOGPARMS"
-
+        LOGPARMS="$LOGPARMS --log-ip-options"
         log_rule $LOGUNCLEAN badpkt DROP -p ! tcp
@@ -3357,8 +3363,6 @@ add_common_rules() {
         [ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
-        savelogparms="$LOGPARMS"
-
         LOGPARMS="$LOGPARMS --log-ip-options"
         log_rule $LOGUNCLEAN logpkt DROP -p ! tcp
@@ -4461,8 +4465,13 @@ do_initialize() {
         CLEAR_TC=
     fi
-    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%d:%s:"
-
+    if [ -n "$LOGFORMAT" ]; then
+        if ! qt printf "$LOGFORMAT" foo 1 bar ; then
+            startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
+        fi
+    else
+        LOGFORMAT="Shorewall:%s:%d:%s:"
+    fi
     #
     # Strip the files that we use often
     #
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 178d3406d..22fd3049b 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
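Review bot: In the add_nat_rule hunk (@@ -1855) `loglevel=` is cleared inside the `for adr in $addr` loop, so when $addr expands to several addresses only the first one gets a nat-table LOG rule; if the reset is there to suppress the old filter-table logging further down in add_nat_rule (the function continues outside this hunk), it should follow `done` instead so every address is logged. `ensurenatchain $chain` is likewise repeated on every iteration and could be hoisted in front of the loop. The LOG rule is assembled from an unquoted backtick expansion of fix_bang, which matches the rest of the file but means any argument containing whitespace is re-split; a one-line comment such as `# fix_bang output is intentionally word-split into separate iptables arguments` would make that explicit.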
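Review bot: With `savelogparms` now captured once at the top of add_common_rules (@@ -3299) and `--log-ip-options` appended to LOGPARMS in both the badpkt branch (@@ -3331) and the logpkt section (@@ -3363), LOGPARMS carries the option twice by the time the logpkt rules are built unless it is restored between the two; whether a `LOGPARMS="$savelogparms"` restore exists after the badpkt rules is outside these hunks, and as far as I recall iptables' LOG target refuses `--log-ip-options` given twice, so please confirm the restore is there. The context line `[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info` is missing the space after `-z`, so the test is always true and LOGUNCLEAN is unconditionally overwritten with info; it should read `[ -z "$LOGUNCLEAN" ] && LOGUNCLEAN=info`.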
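Review bot: In the do_initialize hunk (@@ -4465) `qt printf "$LOGFORMAT" foo 1 bar` only proves the string is acceptable to the shell's printf; it does not enforce the constraint the release notes in this same commit state, that LOGFORMAT must start with a literal, non-`%` prefix because /sbin/shorewall searches for the text up to the first `%`. A cheap companion check next to the existing one would be `case "$LOGFORMAT" in %*|*'%'*'%'*'%'*'%'*) startup_error "LOGFORMAT must begin with a literal prefix and use at most three conversions";; esac`, or at minimum the `%*)` arm. Because the format is handed to printf verbatim, backslash escapes such as `\n` in the configured value are expanded, and the length of the resulting log prefix is not checked either (the iptables LOG target limits `--log-prefix` to 29 characters, so a long prefix will fail later at rule-load time rather than here); both are worth a comment above the test. do_initialize continues outside this hunk.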
@@ -12,7 +12,19 @@ New Features:
 2) The LOGMARKER variable has been renamed LOGFORMAT and has been changed to a 'printf' formatting template which accepts three arguments (the chain name, logging rule number and the disposition).
-   To use LOGFORMAT with ULOG, set it as:
+   To use LOGFORMAT with fireparse, set it as:
-       LOGFORMAT="fp=%s:%d a=%s"
+       LOGFORMAT="fp=%s:%d a=%s "
+
+   CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT
+   string (up to but not including the first '%') to find log messages
+   in the 'show log', 'status' and 'hits' commands. This part should
+   not be omitted (the LOGFORMAT should not begin with "%") and the
+   leading part should be sufficiently unique for /sbin/shorewall to
+   identify Shorewall messages.
+
+3) When logging is specified on a DNAT[-] or REDIRECT[-] rule, the
+   logging now takes place in the nat table rather than in the filter
+   table. This way, only those connections that actually undergo DNAT
+   or redirection will be logged.
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index 27db2289a..16d3b1251 100755
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -65,7 +65,7 @@ LOGFILE=/var/log/messages
 #
 # If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
 #
-# LOGFORMAT="fp=%s:%d a=%s"
+# LOGFORMAT="fp=%s:%d a=%s "
 #
 # If not specified or specified as empty (LOGFORMAT="") then the value
 # "Shorewall:%s:%d:%s:" is assumed.