From 590243a78722aac1989bb0d111cf8f8c0d8bea35 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 3 May 2016 11:27:34 -0700 Subject: [PATCH] Add NFLOG as a supported mangle action - Also document nflog-parameters - Correct range of nflog groups Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Rules.pm | 10 ++++++++ Shorewall/manpages/shorewall-mangle.xml | 30 +++++++++++++++++++++++ Shorewall/manpages/shorewall-rules.xml | 27 ++++++++++++++++++-- Shorewall6/manpages/shorewall6-mangle.xml | 30 +++++++++++++++++++++++ Shorewall6/manpages/shorewall6-rules.xml | 24 +++++++++++++++++- docs/shorewall_logging.xml | 2 +- 6 files changed, 119 insertions(+), 4 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 5fc20b230..25f862233 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -4464,6 +4464,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 },
 },
+ NFLOG => {
+ defaultchain => 0,
+ allowedchains => ALLCHAINS,
+ minparams => 0,
+ maxparams => 3,
+ function => sub () {
+ $target = validate_level( "NFLOG($params)" );
+ }
+ },
+
 RESTORE => {
 defaultchain => 0,
 allowedchains => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml
index 58f721f77..1d89e7258 100644
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
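Review bot: The new NFLOG entry always interpolates `"NFLOG($params)"`, so with `minparams => 0` a bare `NFLOG` action hands validate_level the string `NFLOG()`; unless validate_level already treats empty parentheses as "no parameters", the zero-parameter case should be handled explicitly, e.g. `$target = validate_level( $params ne '' ? "NFLOG($params)" : 'NFLOG' );`. The manpage hunks in this commit widen the documented group range to 0-65535, but nothing in this hunk checks the group value, so it is worth confirming that validate_level enforces that same bound — the group selects which userspace listener receives the log, and the validator and the documentation should agree. A short comment on the entry, such as `# Parameters (group, copy length, threshold) are validated by validate_level(); see shorewall-mangle(5).`, would tell the next reader where the checks live. The entry is one element of a table inside process_mangle_rule1, whose body begins and ends outside the hunk, and `$target`/`$params` appear to be lexicals closed over from that sub.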
@@ -598,6 +598,36 @@ INLINE eth0 - ; -p tcp -j MARK --set + + NFLOG[(nflog-parameters)] + + + Added in Shorewall 5.0.9. Logs matching packets using + NFLOG. The nflog-parameters are a + comma-separated list of up to 3 numbers: + + + + The first number specifies the netlink group + (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of + 0 is assumed. + + + + The second number specifies the maximum number of + bytes to copy. If omitted, 0 (no limit) is assumed. + + + + The third number specifies the number of log + messages that should be buffered in the kernel before they + are sent to user space. The default is 1. + + + + + RESTORE[(mask)] diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index 538464684..8312cac7c 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml @@ -595,9 +595,32 @@ Added in Shorewall 4.5.9.3. Queues matching packets to a back end logging daemon via a netlink socket then continues to the next rule. See http://www.shorewall.net/shorewall_logging.html. + url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html. + - Similar to + The nflog-parameters are a + comma-separated list of up to 3 numbers: + + + + The first number specifies the netlink group + (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of + 0 is assumed. + + + + The second number specifies the maximum number of + bytes to copy. If omitted, 0 (no limit) is assumed. + + + + The third number specifies the number of log + messages that should be buffered in the kernel before they + are sent to user space. The default is 1. + + + + NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that the log level is not changed when this ACTION is used in an action or macro body and the invocation of that diff --git a/Shorewall6/manpages/shorewall6-mangle.xml b/Shorewall6/manpages/shorewall6-mangle.xml index 1a7483b5d..a43090e74 100644 
--- a/Shorewall6/manpages/shorewall6-mangle.xml +++ b/Shorewall6/manpages/shorewall6-mangle.xml @@ -609,6 +609,36 @@ INLINE eth0 - ; -p tcp -j MARK --set + + NFLOG[(nflog-parameters)] + + + Added in Shorewall 5.0.9. Logs matching packets using + NFLOG. The nflog-parameters are a + comma-separated list of up to 3 numbers: + + + + The first number specifies the netlink group + (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of + 0 is assumed. + + + + The second number specifies the maximum number of + bytes to copy. If omitted, 0 (no limit) is assumed. + + + + The third number specifies the number of log + messages that should be buffered in the kernel before they + are sent to user space. The default is 1. + + + + + RESTORE[(mask)] diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index bf99fd523..dd52ecdb2 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -574,7 +574,29 @@ the next rule. See http://www.shorewall.net/shorewall_logging.html. - Similar to + The nflog-parameters are a + comma-separated list of up to 3 numbers: + + + + The first number specifies the netlink group + (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of + 0 is assumed. + + + + The second number specifies the maximum number of + bytes to copy. If omitted, 0 (no limit) is assumed. + + + + The third number specifies the number of log + messages that should be buffered in the kernel before they + are sent to user space. The default is 1. + + + + NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that the log level is not changed when this ACTION is used in an action or macro and the invocation of that action diff --git a/docs/shorewall_logging.xml b/docs/shorewall_logging.xml index d84fe2139..4940e295e 100644 --- a/docs/shorewall_logging.xml +++ b/docs/shorewall_logging.xml 
@@ -293,7 +293,7 @@ gateway:/etc/shorewall# - The first number specifies the netlink group (0-32). If + The first number specifies the netlink group (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.