holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add NFLOG as a supported mangle action

Browse Source 
- Also document nflog-parameters
- Correct range of nflog groups

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-05-03 11:27:34 -07:00
parent 9dd0346987
commit 590243a787
6 changed files with 119 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -4464,6 +4464,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
},
},
NFLOG => {
defaultchain => 0,
allowedchains => ALLCHAINS,
minparams => 0,
maxparams => 3,
function => sub () {
$target = validate_level( "NFLOG($params)" );
}
},
RESTORE => {
defaultchain => 0,
allowedchains => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,

30
Shorewall/manpages/shorewall-mangle.xml
View File

@ -598,6 +598,36 @@ INLINE eth0 - ; -p tcp -j MARK --set
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
<listitem>
<para>Added in Shorewall 5.0.9. Logs matching packets using
NFLOG. The <replaceable>nflog-parameters</replaceable> are a
comma-separated list of up to 3 numbers:</para>
<itemizedlist>
<listitem>
<para>The first number specifies the netlink group
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
0 is assumed.</para>
</listitem>
<listitem>
<para>The second number specifies the maximum number of
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
</listitem>
<listitem>
<para>The third number specifies the number of log
messages that should be buffered in the kernel before they
are sent to user space. The default is 1.</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>

27
Shorewall/manpages/shorewall-rules.xml
View File

@ -595,9 +595,32 @@
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a
back end logging daemon via a netlink socket then continues to
the next rule. See <ulink
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
</para>
<para>Similar to<emphasis role="bold">
<para>The <replaceable>nflog-parameters</replaceable> are a
comma-separated list of up to 3 numbers:</para>
<itemizedlist>
<listitem>
<para>The first number specifies the netlink group
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
0 is assumed.</para>
</listitem>
<listitem>
<para>The second number specifies the maximum number of
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
</listitem>
<listitem>
<para>The third number specifies the number of log
messages that should be buffered in the kernel before they
are sent to user space. The default is 1.</para>
</listitem>
</itemizedlist>
<para>NFLOG is similar to<emphasis role="bold">
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
except that the log level is not changed when this ACTION is
used in an action or macro body and the invocation of that

30
Shorewall6/manpages/shorewall6-mangle.xml
View File

@ -609,6 +609,36 @@ INLINE eth0 - ; -p tcp -j MARK --set
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
<listitem>
<para>Added in Shorewall 5.0.9. Logs matching packets using
NFLOG. The <replaceable>nflog-parameters</replaceable> are a
comma-separated list of up to 3 numbers:</para>
<itemizedlist>
<listitem>
<para>The first number specifies the netlink group
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
0 is assumed.</para>
</listitem>
<listitem>
<para>The second number specifies the maximum number of
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
</listitem>
<listitem>
<para>The third number specifies the number of log
messages that should be buffered in the kernel before they
are sent to user space. The default is 1. </para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>

24
Shorewall6/manpages/shorewall6-rules.xml
View File

@ -574,7 +574,29 @@
the next rule. See <ulink
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
<para>Similar to<emphasis role="bold">
<para>The <replaceable>nflog-parameters</replaceable> are a
comma-separated list of up to 3 numbers:</para>
<itemizedlist>
<listitem>
<para>The first number specifies the netlink group
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
0 is assumed.</para>
</listitem>
<listitem>
<para>The second number specifies the maximum number of
bytes to copy. If omitted, 0 (no limit) is assumed.</para>
</listitem>
<listitem>
<para>The third number specifies the number of log
messages that should be buffered in the kernel before they
are sent to user space. The default is 1.</para>
</listitem>
</itemizedlist>
<para>NFLOG is similar to<emphasis role="bold">
LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
except that the log level is not changed when this ACTION is
used in an action or macro and the invocation of that action

2
docs/shorewall_logging.xml
View File

@ -293,7 +293,7 @@ gateway:/etc/shorewall# </programl
<itemizedlist>
<listitem>
<para>The first number specifies the netlink group (0-32). If
<para>The first number specifies the netlink group (0-65535). If
omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.</para>
</listitem>