diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index e867d10ef..ee7392c80 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -81,32 +81,51 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
}
- my $target = $action;
+ my $disposition = $action;
my $exception_rule = '';
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
+ my $level = '';
+
+ if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
+ $action = join( ":" , 'LOG', $action );
+ }
if ( $action eq 'NOTRACK' ) {
#
# A patch that deimplements the NOTRACK target has been posted on the
# Netfilter development list
#
- $action = 'CT --notrack' if have_capability 'CT_TARGET';
- } elsif ( $action ne 'DROP' ) {
- ( $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;
+ if ( have_capability 'CT_TARGET' ) {
+ $action = 'CT --notrack';
+ $disposition = 'notrack';
+ }
+ } elsif ( $action =~ /^(DROP|LOG)(:(.+))?$/ ) {
+ if ( $2 ) {
+ validate_level( $level = $3 );
+ $action = $1;
+ $disposition = $1;
+ }
+ } else {
+ ( $disposition, my ( $option, $args ), $level ) = split ':', $action, 4;
- fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
+ fatal_error "Invalid notrack ACTION ( $action )" if $disposition ne 'CT';
+
+ validate_level( $level ) if supplied $level;
require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
if ( $option eq 'notrack' ) {
fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
$action = 'CT --notrack';
+ $disposition = 'notrack';
} else {
fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
if ( $option eq 'helper' ) {
my $modifiers = '';
+ $disposition = "helper";
+
if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
$args = $1;
$modifiers = $2;
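Review bot: The notrack branch (`if ( $option eq 'notrack' )`) still dies on any supplied third field, so the log level that the accompanying manpage promises for CT:notrack can only be written as `CT:notrack::info` — `CT:notrack:info` lands in `$args` and trips the "Invalid conntrack ACTION" fatal_error, and a bare `NOTRACK:info` misses the exact `$action eq 'NOTRACK'` test at the top and falls into the CT branch, dying with the misleading "Invalid notrack ACTION". A lone third field after `notrack` should be taken as the level instead: `( $level, $args ) = ( $args, undef ) if $option eq 'notrack' && supplied $args && ! supplied $level;` placed just before the `validate_level( $level ) if supplied $level;` line. If the empty-field form is intended, the manpage entry for CT:notrack should say so explicitly. process_conntrack_rule continues past the end of this hunk.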
@@ -149,8 +168,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
$dest ,
'' ,
$action ,
- '' ,
- $target ,
+ $level || '' ,
+ $disposition ,
$exception_rule );
progress_message " Conntrack rule \"$currentline\" $done";
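Review bot: `$level || ''` collapses any false-but-defined value, so if validate_level accepts the numeric syslog level 0 (emerg) that level would be silently dropped before reaching the rule expansion; I cannot confirm from here whether numeric levels are accepted. `$level // ''` expresses the intended undef-to-empty default without that hazard and mirrors the `supplied $level` test used in the parsing hunk above, assuming the module's minimum Perl allows the defined-or operator. The enclosing call starts before this hunk.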
@@ -224,6 +243,8 @@ sub process_format( $ ) {
sub setup_conntrack() {
+ $format = 1;
+
for my $name ( qw/notrack conntrack/ ) {
my $fn = open_file( $name, 3 , 1 );
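Review bot: The `$format = 1;` reset is placed before the `for my $name ( qw/notrack conntrack/ )` loop rather than inside it, so if the notrack file switches to FORMAT 2 via process_format, the conntrack file opened on the next iteration starts in that format unless something in open_file resets it, which is not visible here. Making it the first statement of the loop body (`for my $name ( qw/notrack conntrack/ ) { $format = 1;`) gives each file the documented default independently. setup_conntrack continues past the end of this hunk.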
@@ -271,11 +292,11 @@ sub setup_conntrack() {
}
} elsif ( $action =~ s/:O$// ) {
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
- } elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
+ } elsif ( $action =~ s/:OP$// || $action =~ s/:PO// ) {
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} else {
- $action =~ s/:P//;
+ $action =~ s/:P$//;
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
}
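Review bot: `s/:PO//` is left unanchored while its twin `s/:OP$//` and the final `s/:P$//` were anchored in this same hunk, so a `:PO` sequence anywhere in the action is still stripped, and with the new `LOG:level:tag` and `NFLOG(...)` parameter syntax a tag or parameter containing `:PO` would be mangled rather than rejected. The line should read `} elsif ( $action =~ s/:OP$// || $action =~ s/:PO$// ) {`. The surrounding loop in setup_conntrack starts before this hunk.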
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index d4569973a..c8e3c6c09 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -88,7 +88,7 @@
role="bold">NOTRACK|CT:helper:name[(arg=val[,...])|CT:notrack|DROP}[:chain-designator]
+ role="bold">CT:notrack|DROP|LOG|ULOG(ulog-parameters):NFLOG(nflog-parameters)}[log-level[:log-tag]][:chain-designator]
This column is only present when FORMAT >= 2. Values other
@@ -100,23 +100,19 @@
or
- Disables connection tracking for this packet.
+ Disables connection tracking for this packet. If a
+ log-level is specified, the packet
+ will also be logged at that level.
-
-
- Added in Shorewall 4.5.10. Silently discard the
- packet.
-
-
-
- :name
+ :nameAttach the helper identified by the
name to this connection. This is more
- flexible than loading the conntrack helper with preset
- ports.
+ flexible than loading the conntrack helper with preset ports. If
+ a log-level is specified, the packet
+ will also be logged at that level.
At this writing, the available helpers are:
@@ -175,14 +171,6 @@
-
-
-
-
-
-
-
-
sane
@@ -253,6 +241,39 @@
+
+
+
+
+ Added in Shorewall 4.5.10. Silently discard the packet. If
+ a log-level is specified, the packet
+ will also be logged at that level.
+
+
+
+
+
+ Added in Shoreawll 4.6.0. Logs the packet using the
+ specified log-level and
+ log-tag (if any). If no log-level is specified,
+ then 'info' is assumed.
+
+
+
+
+
+ Added in Shoreawll 4.6.0. Queues the packet to a backend
+ logging daemon using the NFLOG netfilter target with the
+ specified nflog-parameters.
+
+
+
+
+
+ Added in Shoreawll 4.6.0. Queues the packet to a backend
+ logging daemon using the ULOG netfilter target with the
+ specified ulog-parameters.
+ When FORMAT = 1, this column is not present and the rule is
diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml
index e50b7d5a3..a2b71296c 100644
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -88,7 +88,7 @@
role="bold">NOTRACK|CT:helper:name[(arg=val[,...])|CT:notrack|drop}[:chain-designator]
+ role="bold">CT:notrack|DROP|LOG|NFLOG(nflog-parameters)}[:log-level[:log-tag]][:chain-designator]
This column is only present when FORMAT >= 2. Values other
@@ -100,14 +100,9 @@
or
- Disables connection tracking for this packet.
-
-
-
-
-
- Added in Shorewall 4.5.10. Silently discard the
- packet.
+ Disables connection tracking for this packet. If a
+ log-level is specified, the packet
+ will also be logged at that level.
@@ -115,8 +110,105 @@
Attach the helper identified by the
name to this connection. This is more
- flexible than loading the conntrack helper with preset ports.
- May be followed by an option list of
+ flexible than loading the conntrack helper with preset ports. If
+ a log-level is specified, the packet
+ will also be logged at that level.
+
+ At this writing, the available helpers are:
+
+
+
+ amanda
+
+
+ Requires that the amanda netfilter helper is
+ present.
+
+
+
+
+ ftp
+
+
+ Requires that the FTP netfilter helper is
+ present.
+
+
+
+
+ irc
+
+
+ Requires that the IRC netfilter helper is
+ present.
+
+
+
+
+ netbios-ns
+
+
+ Requires that the netbios_ns (sic) helper is
+ present.
+
+
+
+
+ RAS and Q.931
+
+
+ These require that the H323 netfilter helper is
+ present.
+
+
+
+
+ pptp
+
+
+ Requires that the pptp netfilter helper is
+ present.
+
+
+
+
+ sane
+
+
+ Requires that the SANE netfilter helper is
+ present.
+
+
+
+
+ sip
+
+
+ Requires that the SIP netfilter helper is
+ present.
+
+
+
+
+ snmp
+
+
+ Requires that the SNMP netfilter helper is
+ present.
+
+
+
+
+ tftp
+
+
+ Requires that the TFTP netfilter helper is
+ present.
+
+
+
+
+ May be followed by an option list of
arg=val
pairs in parentheses:
@@ -149,6 +241,31 @@
+
+
+
+
+ Added in Shorewall 4.5.10. Silently discard the packet. If
+ a log-level is specified, the packet
+ will also be logged at that level.
+
+
+
+
+
+ Added in Shoreawll 4.6.0. Logs the packet using the
+ specified log-level and
+ log-tag (if any). If no log-level is specified,
+ then 'info' is assumed.
+
+
+
+
+
+ Added in Shoreawll 4.6.0. Queues the packet to a backend
+ logging daemon using the NFLOG netfilter target with the
+ specified nflog-parameters.
+ When FORMAT = 1, this column is not present and the rule is