diff --git a/Shorewall/manpages/shorewall-zones.xml b/Shorewall/manpages/shorewall-zones.xml
index 7ed4dda70..23bef021d 100644
--- a/Shorewall/manpages/shorewall-zones.xml
+++ b/Shorewall/manpages/shorewall-zones.xml
@@ -55,14 +55,14 @@
The maximum length of an iptables log prefix is 29 bytes. As
explained in shorewall.conf (5),
- the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
- where the first %s is replaced by the chain name and the second is
- replaced by the disposition.
+ the legacy default LOGPREFIX formatting string is
+ “Shorewall:%s:%s:” where the first %s is replaced by the chain
+ name and the second is replaced by the disposition.
- The default formatting string has 12 fixed characters
- ("Shorewall" and three colons).
+ The "Shorewall:%s:%s:" formatting string has 12 fixed
+ characters ("Shorewall" and three colons).
@@ -90,6 +90,29 @@
+
+ In Shorewall 5.1.0, the LOGFORMAT in the default and sample
+ shorewall.conf files was changed to "%s:%s ".
+
+
+
+ That formatting string has 2 fixed characters (":" and a
+ space).
+
+
+
+ So the maximum zone name length M is calculated
+ as:
+
+
+ 2 + 6 + 2*M + 1 = 29
+
+ 2M = 29 - 2 + 6 + 1 = 20
+
+ M = 10
+
+
+ The order in which Shorewall matches addresses from packets to
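Review bot: The intermediate step `2M = 29 - 2 + 6 + 1 = 20` does not evaluate to 20 (29 - 2 + 6 + 1 is 34); all three fixed terms from the line above must be subtracted, `2M = 29 - 2 - 6 - 1 = 20`, for the result M = 10 to follow. The same paragraph is added in the shorewall6-zones.xml hunk and needs the same correction. It would also help the reader to name the 6 and the 1 in the first equation — presumably the longest disposition and the separator between the two zone names in the chain name — since only the 2 fixed characters of the formatting string are explained above.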
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 4ed13d472..67ce8f596 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -1443,15 +1443,20 @@ net all DROP infothen the chain name is 'net-all'
-
-
For example, using the default LOGFORMAT, the log prefix for
- logging from the nat table's PREROUTING chain is:
+ logging from the nat table's PREROUTING chain is as follows in
+ versions prior to 5.1.0:
Shorewall:nat:PREROUTING
+ In Shorewall 5.1.0 and later releases, the log prefix
+ is:
+
+ nat:PREROUTING
+
+
To help insure that all packets in the NEW state are
logged, rate limiting (LOGLIMIT) should be disabled when using
@@ -1515,6 +1520,24 @@ net all DROP infothen the chain name is 'net-all'
url="/manpages/shorewall-zones.html">shorewall-zones
(5).
+
+
+ Beginning with Shorewall 5.1.0, the default and sample
+ shorewall.conf files set LOGFORMAT="%s %s ". Shorewall log
+ messages that use this LOGFORMAT can be uniquely identified using
+ the following regular expression:
+
+
+ 'IN=.* OUT=.* SRC=.*\..* DST='
+
+
+ To match all Netfilter log messages (Both IPv4 and IPv6),
+ use:
+
+
+ 'IN=.* OUT=.* SRC=.* DST='
+
+
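Review bot: The string given here, `LOGFORMAT="%s %s "`, disagrees with the other text this commit adds, which says the 5.1.0 default became `"%s:%s "` (shorewall-zones.xml) and shows the resulting prefix as `nat:PREROUTING` earlier in this file; the example supports the colon form, so one of the two spellings is a typo. The shorewall6.conf.xml hunk that adds the same paragraph has the same discrepancy. The claim that Shorewall messages "can be uniquely identified" by `'IN=.* OUT=.* SRC=.*\..* DST='` also overstates what the pattern does: nothing in it refers to the log prefix, so it matches any netfilter LOG output on the host, the only thing it distinguishes from the second pattern being IPv4 versus IPv6 addresses. Since the new default drops the literal `Shorewall:` token that the earlier prefix carried, a sentence noting that log filters and parsers keyed on that token need updating when the new default is adopted would be useful here.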
@@ -1551,8 +1574,8 @@ net all DROP infothen the chain name is 'net-all'
role="bold">Yes|No]
- Using the default LOGFORMAT, chain names may not exceed 11
- characters or truncation of the log prefix may occur. Longer chain
+ Using LOGFORMAT=“Shorewall:%s:%s:”, chain names may not exceed
+ 5 characters or truncation of the log prefix may occur. Longer chain
names may be used with log tags if you set LOGTAGONLY=Yes. With
LOGTAGONLY=Yes, if a log tag is specified then the tag is included
in the log prefix in place of the chain name.
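Review bot: The new limit `chain names may not exceed 5 characters` does not follow from the figures this manpage gives for `Shorewall:%s:%s:`: 29 bytes minus 12 fixed characters and a 6-character disposition leaves 11, which is what the removed line said and is also the length of a `<zone 1>2<zone 2>` chain built from two 5-character zone names. It looks as if the 5-character zone-name limit was carried over in place of the chain-name limit; if 5 is intended, the text should say what else consumes the remaining bytes. The shorewall6.conf.xml hunk makes the same 11 to 5 change.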
@@ -1564,10 +1587,10 @@ net all DROP infothen the chain name is 'net-all'
separated by a comma. So this rule:#ACTION SOURCE DEST
-LOG:info:foo,bar net fw
+LOG:info:foo,bar net fw
- would generate the following log prefix when using the default
- LOGFORMAT setting:
+ would generate the following log prefix when using
+ LOGFORMAT=“Shorewall:%s:%s:”:Shorewall:foo:bar:
@@ -2550,7 +2573,7 @@ INLINE - - - ;; -j REJECT
the option.Hairpin packets are packets that are routed out of the
same interface that they arrived on.
- interfaces without the routeback option.
+
@@ -2566,9 +2589,9 @@ INLINE - - - ;; -j REJECT
the option.Hairpin packets are packets that are routed out of the
same interface that they arrived on.
- interfaces without the routeback option. The default
- is . If you don't wish for these packets to be
- logged, use SFILTER_LOG_LEVEL=none.
+ The default is . If you don't
+ wish for these packets to be logged, use
+ SFILTER_LOG_LEVEL=none.
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index 69ea468da..5fd11c6dc 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -17,6 +17,7 @@ allowInvalid inline # Accepts packets in the INVALID conntrack state
allowMcast inline # Silently Allow Multicast
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL
+BLACKLIST logjump,section # Add sender to the dynamic blacklist
Broadcast noinline # Handles Broadcast/Anycast
Drop # Default Action for DROP policy (deprecated)
dropBcast inline # Silently Drop Broadcast
diff --git a/Shorewall6/manpages/shorewall6-zones.xml b/Shorewall6/manpages/shorewall6-zones.xml
index d65e416b9..2f7afaeff 100644
--- a/Shorewall6/manpages/shorewall6-zones.xml
+++ b/Shorewall6/manpages/shorewall6-zones.xml
@@ -42,26 +42,27 @@
role="bold">,parent-zone]...]
- Name of the zone. The names "all",
- "none", "SOURCE" and "DEST" are reserved and may not be used as zone
- names. The maximum length of a zone name is determined by the
- setting of the LOGFORMAT option in shorewall6.conf(5).
- With the default LOGFORMAT, zone names can be at most 5 characters
+ Name of the zone. Must start with a
+ letter and consist of letters, digits or '_'. The names "all",
+ "none", "any", "SOURCE" and "DEST" are reserved and may not be used
+ as zone names. The maximum length of a zone name is determined by
+ the setting of the LOGFORMAT option in shorewall6.conf(5). With
+ the default LOGFORMAT, zone names can be at most 5 characters
long.
The maximum length of an iptables log prefix is 29 bytes. As
explained in shorewall6.conf (5),
- the default LOGPREFIX formatting string is “Shorewall:%s:%s:”
- where the first %s is replaced by the chain name and the second is
+ url="shorewall6.conf.html">shorewall6.conf (5), the legacy
+ default LOGPREFIX formatting string is “Shorewall:%s:%s:” where
+ the first %s is replaced by the chain name and the second is
replaced by the disposition.
- The default formatting string has 12 fixed characters
- ("Shorewall" and three colons).
+ The "Shorewall:%s:%s:" formatting string has 12 fixed
+ characters ("Shorewall" and three colons).
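Review bot: The retained sentence `With the default LOGFORMAT, zone names can be at most 5 characters long` now contradicts the paragraph this commit adds further down in the same file, which derives M = 10 for the 5.1.0 default `"%s:%s "`. Since the surrounding sentences are rewritten to say `legacy default`, this one should state which LOGFORMAT the figure applies to, e.g. `With the legacy LOGFORMAT “Shorewall:%s:%s:”, zone names can be at most 5 characters long; with the 5.1.0 default, at most 10.`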
@@ -72,7 +73,8 @@
The canonical name for the chain containing the rules
for traffic going from zone 1 to zone 2 is "<zone
- 1>2<zone 2>".
+ 1>2<zone 2>" or "<zone 1>-<zone
+ 2>".
@@ -88,6 +90,29 @@
+
+ In Shorewall 5.1.0, the LOGFORMAT in the default and sample
+ shorewall.conf files was changed to "%s:%s ".
+
+
+
+ That formatting string has 2 fixed characters (":" and a
+ space).
+
+
+
+ So the maximum zone name length M is calculated
+ as:
+
+
+ 2 + 6 + 2*M + 1 = 29
+
+ 2M = 29 - 2 + 6 + 1 = 20
+
+ M = 10
+
+
+ The order in which Shorewall6 matches addresses from packets
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 9f67921c0..aa9bdc6f9 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -1229,7 +1229,7 @@ net all DROP infothen the chain name is 'net-all'
This option is intended for use as a debugging aid. When set
- to a log level, this option causes Shorewall6 to generate a logging
+ to a log level, this option causes Shorewall to generate a logging
rule as the first rule in each builtin chain.
@@ -1244,14 +1244,19 @@ net all DROP infothen the chain name is 'net-all'
-
-
For example, using the default LOGFORMAT, the log prefix for
- logging from the nat table's PREROUTING chain is:
+ logging from the nat table's PREROUTING chain is as follows in
+ versions prior to 5.1.0:
Shorewall:nat:PREROUTING
-
+
+
+ In Shorewall 5.1.0 and later releases, the log prefix
+ is:
+
+ nat:PREROUTING
+ To help insure that all packets in the NEW state are
@@ -1295,7 +1300,7 @@ net all DROP infothen the chain name is 'net-all'
The value of this variable generate the --log-prefix setting
- for Shorewall6 logging rules. It contains a “printf” formatting
+ for Shorewall logging rules. It contains a “printf” formatting
template which accepts three arguments (the chain name, logging rule
number (optional) and the disposition). To use LOGFORMAT with
fireparse, set it as:
@@ -1306,14 +1311,31 @@ net all DROP infothen the chain name is 'net-all'
logging rule number is calculated and formatted in that position; if
that substring is not included then the rule number is not included.
If not supplied or supplied as empty (LOGFORMAT="") then
- “Shorewall6:%s:%s:” is assumed.
+ “Shorewall:%s:%s:” is assumed.
The setting of LOGFORMAT has an effect of the permitted
length of zone names. See shorewall6-zones
+ url="/manpages/shorewall-zones.html">shorewall6-zones
(5).
+
+
+ Beginning with Shorewall 5.1.0, the default and sample
+ shorewall.conf files set LOGFORMAT="%s %s ". Shorewall6 log
+ messages that use this LOGFORMAT can be uniquely identified using
+ the following regular expression:
+
+
+ 'IN=.* OUT=.* SRC=.*:.* DST='
+
+
+ To match all Netfilter log messages, use:
+
+
+ 'IN=.* OUT=.* SRC=.* DST='
+
+
@@ -1350,8 +1372,8 @@ net all DROP infothen the chain name is 'net-all'
role="bold">Yes|No]
- Using the default LOGFORMAT, chain names may not exceed 11
- characters or truncation of the log prefix may occur. Longer chain
+ Using LOGFORMAT=“Shorewall:%s:%s:”, chain names may not exceed
+ 5 characters or truncation of the log prefix may occur. Longer chain
names may be used with log tags if you set LOGTAGONLY=Yes. With
LOGTAGONLY=Yes, if a log tag is specified then the tag is included
in the log prefix in place of the chain name.
@@ -1363,10 +1385,10 @@ net all DROP infothen the chain name is 'net-all'
separated by a comma. So this rule:#ACTION SOURCE DEST
-LOG:info:foo,bar net fw
+LOG:info:foo,bar net fw
- would generate the following log prefix when using the default
- LOGFORMAT setting:
+ would generate the following log prefix when using
+ LOGFORMAT=“Shorewall:%s:%s:”:Shorewall:foo:bar:
@@ -1375,7 +1397,7 @@ LOG:info:foo,bar net fw
Similarly,#ACTION SOURCE DEST
-LOG:info:,bar net fw
+LOG:info:,bar net fw
would generate
@@ -2236,7 +2258,7 @@ INLINE - - - ;; -j REJECT
the option.Hairpin packets are packets that are routed out of the
same interface that they arrived on.
- interfaces without the routeback option.
+
@@ -2252,9 +2274,8 @@ INLINE - - - ;; -j REJECT
the option.Hairpin packets are packets that are routed out of the
same interface that they arrived on.
- interfaces without the routeback option. The default
- is . If you don't wish for these packets to be
- logged, use SFILTER_LOG_LEVEL=none.
+ The default is . If you don't wish
+ for these packets to be logged, use SFILTER_LOG_LEVEL=none.