diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 086ce6294..92ddb2f89 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2729,8 +2729,8 @@ sub ensure_manual_chain($) {
sub log_irule_limit( $$$$$$$@ );
-sub ensure_blacklog_chain( $$$$ ) {
- my ( $target, $disposition, $level, $audit ) = @_;
+sub ensure_blacklog_chain( $$$$$ ) {
+ my ( $target, $disposition, $level, $tag, $audit ) = @_;
unless ( $filter_table->{blacklog} ) {
my $logchainref = new_manual_chain 'blacklog';
@@ -2738,7 +2738,7 @@ sub ensure_blacklog_chain( $$$$ ) {
$target =~ s/A_//;
$target = 'reject' if $target eq 'REJECT';
- log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' );
+ log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add' );
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
add_ijump( $logchainref, g => $target );
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index f28ae8c28..5550140cb 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -713,6 +713,14 @@ sub initialize( $;$$) {
KLUDGEFREE => '',
VERSION => "4.5.19-Beta1",
CAPVERSION => 40609 ,
+ BLACKLIST_LOG_TAG => '',
+ RELATED_LOG_TAG => '',
+ MACLIST_LOG_TAG => '',
+ TCP_FLAGS_LOG_TAG => '',
+ SMURF_LOG_TAG => '',
+ RPFILTER_LOG_TAG => '',
+ INVALID_LOG_TAG => '',
+ UNTRACKED_LOG_TAG => '',
);
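Review bot: SFILTER_LOG_TAG is missing from this new defaults list, although the manpage hunks in this commit document SFILTER_LOG_LEVEL=log-level[:log-tag] and default_log_level stores a parsed tag into $globals{<name>_LOG_TAG}. Without a `SFILTER_LOG_TAG => '',` entry the global is undef whenever no tag is configured, unlike the empty string every other tag defaults to, and that undef is what the sfilter code path would hand to log_rule_limit. Add `SFILTER_LOG_TAG => '',` next to the other entries. initialize() starts and ends outside this hunk.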
#
# From shorewall.conf file
@@ -3742,7 +3750,15 @@ sub default_log_level( $$ ) {
unless ( supplied $value ) {
$config{$level} = validate_level $default, $level;
} else {
+ ( $value, my $tag ) = split( ':', $value , 2 );
$config{$level} = validate_level $value, $level;
+ if ( supplied $tag ) {
+ my $tag_name = $level;
+
+ $tag_name =~ s/_LEVEL/_TAG/;
+
+ $globals{$tag_name} = $tag;
+ }
}
}
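Review bot: The tag split off by `( $value, my $tag ) = split( ':', $value , 2 );` is stored into %globals with no validation, while the level part still goes through validate_level. Per the manpage change the tag becomes part of the Netfilter log prefix, so whitespace, quotes or other characters that are unsafe in the generated rules would pass straight through unless log_rule_limit checks them, which is not visible here. Consider rejecting the setting unless `$tag =~ /^[\w.-]+$/`, reporting it the same way validate_level reports a bad level. default_log_level starts outside this hunk.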
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 102ee346d..aa5786950 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -136,10 +136,17 @@ sub setup_ecn()
}
}
-sub add_rule_pair( $$$$ ) {
- my ($chainref , $predicate , $target , $level ) = @_;
+sub add_rule_pair( $$$$$ ) {
+ my ($chainref , $predicate , $target , $level, $tag ) = @_;
- log_rule( $level, $chainref, "\U$target", $predicate ) if supplied $level;
+ log_rule_limit( $level,
+ $chainref,
+ $chainref->{name},
+ "\U$target",
+ $globals{LOGLIMIT},
+ $tag,
+ 'add',
+ $predicate ) if supplied $level;
add_jump( $chainref , $target, 0, $predicate );
}
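Review bot: The postfix `if supplied $level` at the end of the eight-line log_rule_limit call is easy to miss when reading add_rule_pair, since the guard only appears after the argument list. A block form, `if ( supplied $level ) { log_rule_limit( ... ); }`, puts the condition first; the same pattern recurs in the sfilter and rplog hunks of this file. Behaviour is identical either way.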
@@ -195,13 +202,16 @@ sub convert_blacklist() {
my $zones = find_zones_by_option 'blacklist', 'in';
my $zones1 = find_zones_by_option 'blacklist', 'out';
my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' };
+ my $tag = $globals{MACLIST_LOG_TAG};
my $audit = $disposition =~ /^A_/;
my $target = $disposition;
my $orig_target = $target;
my @rules;
if ( @$zones || @$zones1 ) {
- $target = "$target:$level" if supplied $level;
+ if ( supplied $level ) {
+ $target = supplied $tag ? "$target:$level:$tag":"$target:$level";
+ }
my $fn = open_file( 'blacklist' );
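Review bot: `my $tag = $globals{MACLIST_LOG_TAG};` reads the MACLIST tag inside convert_blacklist, which otherwise works from BLACKLIST_LOG_LEVEL and BLACKLIST_DISPOSITION on the line just above it, so the converted rules would carry the MACLIST tag (or none) instead of the tag configured on BLACKLIST_LOG_LEVEL. This looks like a copy-paste slip from setup_mac_lists; it should read `my $tag = $globals{BLACKLIST_LOG_TAG};`, matching add_common_rules and process_rules elsewhere in this commit. convert_blacklist starts and ends outside this hunk.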
@@ -631,11 +641,12 @@ sub add_common_rules ( $ ) {
my @state = state_imatch( $globals{BLACKLIST_STATES} );
my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
my $level = $config{BLACKLIST_LOG_LEVEL};
+ my $tag = $globals{BLACKLIST_LOG_TAG};
my $rejectref = $filter_table->{reject};
if ( $config{DYNAMIC_BLACKLIST} ) {
- add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level );
- add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level );
+ add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag);
+ add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
$dynamicref = set_optflags( new_standard_chain( 'dynamic' ) , DONT_OPTIMIZE );
add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
}
@@ -648,6 +659,7 @@ sub add_common_rules ( $ ) {
my $policy = $config{SFILTER_DISPOSITION};
$level = $config{SFILTER_LOG_LEVEL};
+ $tag = $config{SFILTER_LOG_TAG};
my $audit = $policy =~ s/^A_//;
my @ipsec = have_ipsec ? ( policy => '--pol none --dir in' ) : ();
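Review bot: `$tag = $config{SFILTER_LOG_TAG};` reads from %config, but default_log_level stores the parsed tag with `$globals{$tag_name} = $tag` and every other consumer in this commit reads `$globals{..._LOG_TAG}`; nothing in the diff ever sets SFILTER_LOG_TAG in %config. The value is therefore always undef, a configured SFILTER tag never reaches the log, and an undefined tag is passed to the log_rule_limit call that follows. Change it to `$tag = $globals{SFILTER_LOG_TAG};` and give SFILTER_LOG_TAG an empty-string default in initialize() like the other tags. add_common_rules starts and ends outside this hunk.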
@@ -657,7 +669,14 @@ sub add_common_rules ( $ ) {
#
$chainref = new_standard_chain 'sfilter';
- log_rule $level , $chainref , $policy , '' if $level ne '';
+ log_rule_limit( $level,
+ $chainref,
+ $chainref->{name},
+ $policy,
+ $globals{LOGLIMIT},
+ $tag,
+ 'add',
+ '' ) if $level ne '';
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
@@ -742,6 +761,7 @@ sub add_common_rules ( $ ) {
if ( @$list ) {
$policy = $config{RPFILTER_DISPOSITION};
$level = $config{RPFILTER_LOG_LEVEL};
+ $tag = $globals{RPFILTER_LOG_TAG};
$audit = $policy =~ s/^A_//;
if ( $level || $audit ) {
@@ -750,7 +770,14 @@ sub add_common_rules ( $ ) {
#
$chainref = ensure_mangle_chain 'rplog';
- log_rule $level , $chainref , $policy , '' if $level ne '';
+ log_rule_limit( $level,
+ $chainref,
+ $chainref->{name},
+ $policy,
+ $globals{LOGLIMIT},
+ $tag,
+ 'add',
+ '' ) if $level ne '';
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
@@ -811,7 +838,7 @@ sub add_common_rules ( $ ) {
'smurfs' ,
'DROP',
$globals{LOGILIMIT},
- '',
+ $globals{SMURF_LOG_TAG},
'add' );
add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
add_ijump( $smurfref, j => 'DROP' );
@@ -933,6 +960,7 @@ sub add_common_rules ( $ ) {
if ( @$list ) {
my $level = $config{TCP_FLAGS_LOG_LEVEL};
+ my $tag = $globals{TCP_FLAGS_LOG_TAG};
my $disposition = $config{TCP_FLAGS_DISPOSITION};
my $audit = $disposition =~ /^A_/;
@@ -947,7 +975,15 @@ sub add_common_rules ( $ ) {
$globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";
- log_rule $level , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, '';
+ log_rule_limit( $level,
+ $logflagsref,
+ 'logflags',
+ $disposition,
+ $globals{LOGLIMIT},
+ $tag,
+ 'add',
+ ''
+ );
$globals{LOGPARMS} = $savelogparms;
@@ -1052,6 +1088,7 @@ sub setup_mac_lists( $ ) {
my $target = $globals{MACLIST_TARGET};
my $level = $config{MACLIST_LOG_LEVEL};
+ my $tag = $globals{MACLIST_LOG_TAG};
my $disposition = $config{MACLIST_DISPOSITION};
my $audit = ( $disposition =~ s/^A_// );
my $ttl = $config{MACLIST_TTL};
@@ -1220,7 +1257,7 @@ sub setup_mac_lists( $ ) {
run_user_exit2( 'maclog', $chainref );
- log_irule_limit $level, $chainref , $chain , $disposition, [], '', 'add' if $level ne '';
+ log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add' if $level ne '';
add_ijump $chainref, j => $target;
}
}
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index ea1d8fded..dce4c555a 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1022,7 +1022,7 @@ sub finish_chain_section ($$$) {
for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
if ( $state{$_} ) {
- my ( $char, $level, $target ) = @{$statetable{$_}};
+ my ( $char, $level, $tag, $target ) = @{$statetable{$_}};
my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
if ( $twochains || $level || $target ne 'ACCEPT' ) {
@@ -1035,10 +1035,14 @@ sub finish_chain_section ($$$) {
$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" );
}
- log_rule( $level,
- $chain2ref,
- uc $target,
- '' );
+ log_rule_limit( $level,
+ $chain2ref,
+ $chain2ref->{name},
+ uc $target,
+ $globals{LOGLIMIT},
+ $tag ,
+ 'add' ,
+ '');
$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
@@ -3358,10 +3362,10 @@ sub process_rules() {
#
# Populate the state table
#
- %statetable = ( ESTABLISHED => [ '^', '', 'ACCEPT' ] ,
- RELATED => [ '+', $config{RELATED_LOG_LEVEL}, $globals{RELATED_TARGET} ] ,
- INVALID => [ '_', $config{INVALID_LOG_LEVEL}, $globals{INVALID_TARGET} ] ,
- UNTRACKED => [ '&', $config{UNTRACKED_LOG_LEVEL}, $globals{UNTRACKED_TARGET} ] ,
+ %statetable = ( ESTABLISHED => [ '^', '', '', 'ACCEPT' ] ,
+ RELATED => [ '+', $config{RELATED_LOG_LEVEL}, $globals{RELATED_LOG_TAG}, $globals{RELATED_TARGET} ] ,
+ INVALID => [ '_', $config{INVALID_LOG_LEVEL}, $globals{INVALID_LOG_TAG}, $globals{INVALID_TARGET} ] ,
+ UNTRACKED => [ '&', $config{UNTRACKED_LOG_LEVEL}, $globals{UNTRACKED_LOG_TAG}, $globals{UNTRACKED_TARGET} ] ,
);
%section_states = ( BLACKLIST_SECTION , $globals{BLACKLIST_STATES},
ESTABLISHED_SECTION, 'ESTABLISHED',
@@ -3391,14 +3395,14 @@ sub process_rules() {
if ( $fn ) {
first_entry( sub () {
- my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' };
+ my ( $level, $disposition , $tag ) = ( @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' }, $globals{BLACKLIST_LOG_TAG} ) ;
my $audit = $disposition =~ /^A_/;
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
progress_message2 "$doing $currentfilename...";
if ( supplied $level ) {
- ensure_blacklog_chain( $target, $disposition, $level, $audit );
+ ensure_blacklog_chain( $target, $disposition, $level, $tag, $audit );
ensure_audit_blacklog_chain( $target, $disposition, $level ) if have_capability 'AUDIT_TARGET';
} elsif ( $audit ) {
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
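Review bot: ensure_blacklog_chain now receives $tag, but the sibling call `ensure_audit_blacklog_chain( $target, $disposition, $level )` on the next line is unchanged, so with an A_ BLACKLIST_DISPOSITION and the AUDIT_TARGET capability the audit variant of the blacklog chain presumably still logs with an empty tag (its definition is not in this diff). If that routine builds its log rule the way ensure_blacklog_chain did before this change, it needs the same extra argument: `ensure_audit_blacklog_chain( $target, $disposition, $level, $tag ) if have_capability 'AUDIT_TARGET';`. The combined `( $level, $disposition , $tag ) = ( @config{...}, $globals{...} )` assignment is also harder to read than a separate `my $tag = $globals{BLACKLIST_LOG_TAG};`. process_rules and the first_entry callback extend beyond this hunk.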
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 129eeebf6..b3f8538b1 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -78,18 +78,19 @@
If you want to specify parameters to ULOG or NFLOG (e.g.,
- NFLOG(1,0,1)), then you must either quote the setting or you must escape
- the parentheses.
+ NFLOG(1,0,1)), then you must quote the setting.
- Examples:
+ Example:
MACLIST_LOG_LEVEL="NFLOG(1,0,1)"
-
- or
-
- MACLIST_LOG_LEVEL=NFLOG\(1,0,1\)
+ Beginning with Shorewall 5.0.0, the log level may be followed by a
+ colon (":") and a log tag. The log tag normally
+ follows the packet disposition in Shorewall-generated Netfilter log
+ messages, separated from the disposition by a colon (e.g, "DROP:mytag").
+ See LOGTAGONLY below for additional information.
+
Beginning with Shorewall 4.4.22, LOGMARK is also a valid level which
logs the packet's mark value along with the other usual information. The
syntax is:
@@ -514,7 +515,7 @@
BLACKLIST_LOG_LEVEL=[log-level]
+ role="bold">BLACKLIST_LOG_LEVEL=[log-level[:log-tag]]
Formerly named BLACKLIST_LOGLEVEL. This parameter determines
@@ -1001,7 +1002,7 @@ net all DROP infothen the chain name is 'net-all'
INVALID_LOG_LEVEL=log-level
+ role="bold">INVALID_LOG_LEVEL=log-level[:log-tag]
Added in Shorewall 4.5.13. Packets in the INVALID state that
@@ -1464,7 +1465,7 @@ LOG:info:,bar net fw
MACLIST_LOG_LEVEL=[log-level]
+ role="bold">MACLIST_LOG_LEVEL=[log-level[:log-tag]]
Determines the syslog level for logging connection requests
@@ -2075,7 +2076,7 @@ LOG:info:,bar net fw
RELATED_LOG_LEVEL=log-level
+ role="bold">RELATED_LOG_LEVEL=log-level[:log-tag]
Added in Shorewall 4.4.27. Packets in the related state that
@@ -2292,7 +2293,7 @@ INLINE - - - ; -j REJECT
RPFILTER_LOG_LEVEL=log-level
+ role="bold">RPFILTER_LOG_LEVEL=log-level[:log-tag]
Added in shorewall 4.5.7. Determines the logging of packets
@@ -2353,7 +2354,7 @@ INLINE - - - ; -j REJECT
SFILTER_LOG_LEVEL=log-level
+ role="bold">SFILTER_LOG_LEVEL=log-level[:log-tag]
Added on Shorewall 4.4.20. Determines the logging of packets
@@ -2398,7 +2399,7 @@ INLINE - - - ; -j REJECT
SMURF_LOG_LEVEL=[log-level]
+ role="bold">SMURF_LOG_LEVEL=[log-level[:log-tag]]
Specifies the logging level for smurf packets (see the
@@ -2573,7 +2574,7 @@ INLINE - - - ; -j REJECT
TCP_FLAGS_LOG_LEVEL=[log-level]
+ role="bold">TCP_FLAGS_LOG_LEVEL=[log-level[:log-tag]]
Determines the syslog level for logging packets that fail the
@@ -2649,7 +2650,7 @@ INLINE - - - ; -j REJECT
UNTRACKED_LOG_LEVEL=log-level
+ role="bold">UNTRACKED_LOG_LEVEL=log-level[:log-tag]
Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index cade5b156..67ff6f66a 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -77,18 +77,19 @@
If you want to specify parameters to ULOG or NFLOG (e.g.,
- NFLOG(1,0,1)), then you must either quote the setting or you must escape
- the parentheses.
+ NFLOG(1,0,1)), then you must quote the setting.
- Examples:
+ Example:
MACLIST_LOG_LEVEL="NFLOG(1,0,1)"
-
- or
-
- MACLIST_LOG_LEVEL=NFLOG\(1,0,1\)
+ Beginning with Shorewall 5.0.0, the log level may be followed by a
+ colon (":") and a log tag. The log tag normally
+ follows the packet disposition in Shorewall-generated Netfilter log
+ messages, separated from the disposition by a colon (e.g, "DROP:mytag").
+ See LOGTAGONLY below for additional information.
+
The following options may be set in shorewall6.conf.
@@ -434,7 +435,7 @@
BLACKLIST_LOG_LEVEL=[log-level]
+ role="bold">BLACKLIST_LOG_LEVEL=[log-level[:log-tag]]
Formerly named BLACKLIST_LOGLEVEL. This parameter determines
@@ -866,7 +867,7 @@ net all DROP infothen the chain name is 'net-all'
INVALID_LOG_LEVEL=log-level
+ role="bold">INVALID_LOG_LEVEL=log-level[:log-tag]
Added in Shorewall 4.5.13. Packets in the INVALID state that
@@ -1291,7 +1292,7 @@ LOG:info:,bar net fw
MACLIST_LOG_LEVEL=[log-level]
+ role="bold">MACLIST_LOG_LEVEL=[log-level[:log-tag]]
Determines the syslog level for logging connection requests
@@ -1830,7 +1831,7 @@ LOG:info:,bar net fw
RELATED_LOG_LEVEL=log-level
+ role="bold">RELATED_LOG_LEVEL=log-level[:log-tag]
Added in Shorewall 4.4.27. Packets in the related state that
@@ -1971,7 +1972,7 @@ INLINE - - - ; -j REJECT
RPFILTER_LOG_LEVEL=log-level
+ role="bold">RPFILTER_LOG_LEVEL=log-level[:log-tag]
Added in shorewall 4.5.7. Determines the logging of packets
@@ -2027,7 +2028,7 @@ INLINE - - - ; -j REJECT
SMURF_LOG_LEVEL=[log-level]
+ role="bold">SMURF_LOG_LEVEL=[log-level[:log-tag]]
Specifies the logging level for smurf packets (see the
@@ -2057,7 +2058,7 @@ INLINE - - - ; -j REJECT
SFILTER_LOG_LEVEL=log-level
+ role="bold">SFILTER_LOG_LEVEL=log-level[:log-tag]
Added on Shorewall 4.4.20. Determines the logging of packets
@@ -2235,7 +2236,7 @@ INLINE - - - ; -j REJECT
TCP_FLAGS_LOG_LEVEL=[log-level]
+ role="bold">TCP_FLAGS_LOG_LEVEL=[log-level[:log-tag]]
Determines the syslog level for logging packets that fail the
@@ -2313,7 +2314,7 @@ INLINE - - - ; -j REJECT
UNTRACKED_LOG_LEVEL=log-level
+ role="bold">UNTRACKED_LOG_LEVEL=log-level[:log-tag]
Added in Shorewall 4.5.13. Packets in the UNTRACKED state that