diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 5fc20b230..25f862233 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -4464,6 +4464,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
},
},
+ NFLOG => {
+ defaultchain => 0,
+ allowedchains => ALLCHAINS,
+ minparams => 0,
+ maxparams => 3,
+ function => sub () {
+ $target = validate_level( "NFLOG($params)" );
+ }
+ },
+
RESTORE => {
defaultchain => 0,
allowedchains => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
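Review bot: The new NFLOG entry's `function` closure always builds `"NFLOG($params)"`, yet `minparams => 0` permits a bare `NFLOG` with no parameter list, so validate_level() may be handed `NFLOG()` (or an undefined `$params` interpolated under warnings). Whether validate_level() accepts empty parentheses is not visible in this hunk; if it does not, a guard such as `$target = validate_level( defined $params && $params ne '' ? "NFLOG($params)" : 'NFLOG' );` keeps the no-argument form working. The numeric and range checks on the three values (the man pages in this commit give 0-65535 for the group) also appear to rest entirely on validate_level(), so a short comment like `# validate_level() rejects non-numeric or out-of-range group/size/threshold values` would tell the next reader where malformed rule input is stopped before it reaches the generated ruleset. The dispatch table and process_mangle_rule1 both start and end outside the hunk.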
diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml
index 58f721f77..1d89e7258 100644
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -598,6 +598,36 @@ INLINE eth0 - ; -p tcp -j MARK --set
+
+ NFLOG[(nflog-parameters)]
+
+
+ Added in Shorewall 5.0.9. Logs matching packets using
+ NFLOG. The nflog-parameters are a
+ comma-separated list of up to 3 numbers:
+
+
+
+ The first number specifies the netlink group
+ (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
+ 0 is assumed.
+
+
+
+ The second number specifies the maximum number of
+ bytes to copy. If omitted, 0 (no limit) is assumed.
+
+
+
+ The third number specifies the number of log
+ messages that should be buffered in the kernel before they
+ are sent to user space. The default is 1.
+
+
+
+
+
RESTORE[(mask)]
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 538464684..8312cac7c 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -595,9 +595,32 @@
Added in Shorewall 4.5.9.3. Queues matching packets to a
back end logging daemon via a netlink socket then continues to
the next rule. See http://www.shorewall.net/shorewall_logging.html.
+ url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html.
+
- Similar to
+ The nflog-parameters are a
+ comma-separated list of up to 3 numbers:
+
+
+
+ The first number specifies the netlink group
+ (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
+ 0 is assumed.
+
+
+
+ The second number specifies the maximum number of
+ bytes to copy. If omitted, 0 (no limit) is assumed.
+
+
+
+ The third number specifies the number of log
+ messages that should be buffered in the kernel before they
+ are sent to user space. The default is 1.
+
+
+
+ NFLOG is similar to
LOG:NFLOG[(nflog-parameters)],
except that the log level is not changed when this ACTION is
used in an action or macro body and the invocation of that
diff --git a/Shorewall6/manpages/shorewall6-mangle.xml b/Shorewall6/manpages/shorewall6-mangle.xml
index 1a7483b5d..a43090e74 100644
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -609,6 +609,36 @@ INLINE eth0 - ; -p tcp -j MARK --set
+
+ NFLOG[(nflog-parameters)]
+
+
+ Added in Shorewall 5.0.9. Logs matching packets using
+ NFLOG. The nflog-parameters are a
+ comma-separated list of up to 3 numbers:
+
+
+
+ The first number specifies the netlink group
+ (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
+ 0 is assumed.
+
+
+
+ The second number specifies the maximum number of
+ bytes to copy. If omitted, 0 (no limit) is assumed.
+
+
+
+ The third number specifies the number of log
+ messages that should be buffered in the kernel before they
+ are sent to user space. The default is 1.
+
+
+
+
+
RESTORE[(mask)]
diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml
index bf99fd523..dd52ecdb2 100644
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -574,7 +574,29 @@
the next rule. See http://www.shorewall.net/shorewall_logging.html.
- Similar to
+ The nflog-parameters are a
+ comma-separated list of up to 3 numbers:
+
+
+
+ The first number specifies the netlink group
+ (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
+ 0 is assumed.
+
+
+
+ The second number specifies the maximum number of
+ bytes to copy. If omitted, 0 (no limit) is assumed.
+
+
+
+ The third number specifies the number of log
+ messages that should be buffered in the kernel before they
+ are sent to user space. The default is 1.
+
+
+
+ NFLOG is similar to
LOG:NFLOG[(nflog-parameters)],
except that the log level is not changed when this ACTION is
used in an action or macro and the invocation of that action
diff --git a/docs/shorewall_logging.xml b/docs/shorewall_logging.xml
index d84fe2139..4940e295e 100644
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -293,7 +293,7 @@ gateway:/etc/shorewall#
- The first number specifies the netlink group (0-32). If
+ The first number specifies the netlink group (0-65535). If
omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.