From be2110b47ec63e6f2d08e7e4b6ef57c9e1c3f088 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 14 Dec 2018 08:54:07 -0800
Subject: [PATCH] Revert "Remove ULOG support"

This reverts commit 061ce3d781cc86918b32c3e65421bb9978d4b3fd.
---
 Shorewall/Perl/Shorewall/Chains.pm | 23 ++++++++++++++++------
 Shorewall/Perl/Shorewall/Config.pm | 21 ++++++++++++++++----
 Shorewall/Perl/Shorewall/Raw.pm | 2 +-
 Shorewall/Perl/Shorewall/Rules.pm | 4 ++--
 Shorewall/manpages/shorewall-conntrack.xml | 7 +++----
 Shorewall/manpages/shorewall-logging.xml | 13 ++++++------
 Shorewall/manpages/shorewall-policy.xml | 5 -----
 Shorewall/manpages/shorewall-rules.xml | 7 +++----
 Shorewall/manpages/shorewall-snat.xml | 9 ++++-----
 Shorewall/manpages/shorewall.conf.xml | 8 +-------
 docs/Actions.xml | 3 +--
 docs/shorewall_logging.xml | 19 +++++++++---------
 12 files changed, 64 insertions(+), 57 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 490cbe854..7e7ba8eea 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -450,13 +450,13 @@ use constant { STANDARD => 0x1, #defined by Netfilter
 REDIRECT => 0x20, #'REDIRECT'
 ACTION => 0x40, #An action (may be built-in)
 MACRO => 0x80, #A Macro
- LOGRULE => 0x100, #'LOG','NFLOG'
+ LOGRULE => 0x100, #'LOG','ULOG','NFLOG'
 NFQ => 0x200, #'NFQUEUE'
 CHAIN => 0x400, #Manual Chain
 SET => 0x800, #SET
 AUDIT => 0x1000, #A_ACCEPT, etc
 HELPER => 0x2000, #CT:helper
- NFLOG => 0x4000, #NFLOG
+ NFLOG => 0x4000, #NFLOG or ULOG
 INLINE => 0x8000, #Inline action
 STATEMATCH => 0x10000, #action.Invalid, action.Related, etc.
 USERBUILTIN => 0x20000, #Builtin action from user's actions file.
@@ -656,6 +656,7 @@ our %builtin_target = ( ACCEPT => STANDARD + FILTER_TABLE + NAT_TABLE + MAN
 TPROXY => STANDARD + MANGLE_TABLE,
 TRACE => STANDARD + RAW_TABLE,
 TTL => STANDARD + MANGLE_TABLE,
+ ULOG => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
 );
 
 our %ipset_exists;
@@ -3222,6 +3223,7 @@ sub initialize_chain_table($) {
 'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
 'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
 'TARPIT' => STANDARD + TARPIT + OPTIONS,
+ 'ULOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
 'WHITELIST' => STANDARD,
 );
 
@@ -3279,6 +3281,7 @@ sub initialize_chain_table($) {
 'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
 'NFQUEUE' => STANDARD + NFQ + OPTIONS,
 'NFQUEUE!' => STANDARD + NFQ,
+ 'ULOG' => STANDARD + LOGRULE + NFLOG,
 'ADD' => STANDARD + SET,
 'DEL' => STANDARD + SET,
 'WHITELIST' => STANDARD,
@@ -6753,7 +6756,9 @@ sub log_rule_limit( $$$$$$$$;$ ) {
 }
 
 if ( $config{LOGFORMAT} =~ /^\s*$/ ) {
- if ( $level =~ /^NFLOG/ ) {
+ if ( $level =~ '^ULOG' ) {
+ $prefix = "-j $level ";
+ } elsif ( $level =~ /^NFLOG/ ) {
 $prefix = "-j $level ";
 } else {
 my $flags = $globals{LOGPARMS};
@@ -6798,7 +6803,9 @@ sub log_rule_limit( $$$$$$$$;$ ) {
 warning_message "Log Prefix shortened to \"$prefix\"";
 }
 
- if ( $level =~ /^NFLOG/ ) {
+ if ( $level =~ '^ULOG' ) {
+ $prefix = "-j $level --ulog-prefix \"$prefix\" ";
+ } elsif ( $level =~ /^NFLOG/ ) {
 $prefix = "-j $level --nflog-prefix \"$prefix\" ";
 } elsif ( $level =~ '^LOGMARK' ) {
 $prefix = join( '', substr( $prefix, 0, 12 ) , ':' ) if length $prefix > 13;
@@ -6848,7 +6855,9 @@ sub log_irule_limit( $$$$$$$$@ ) {
 }
 
 if ( $config{LOGFORMAT} =~ /^\s*$/ ) {
- if ( $level =~ /^NFLOG/ ) {
+ if ( $level =~ '^ULOG' ) {
+ $prefix = "$level";
+ } elsif ( $level =~ /^NFLOG/ ) {
 $prefix = "$level";
 } else {
 my $flags = $globals{LOGPARMS};
@@ -6893,7 +6902,9 @@ sub log_irule_limit( $$$$$$$$@ ) {
 warning_message "Log Prefix shortened to \"$prefix\"";
 }
 
- if ( $level =~ /^NFLOG/ ) {
+ if ( $level =~ '^ULOG' ) {
+ $prefix = "$level --ulog-prefix \"$prefix\"";
+ } elsif ( $level =~ /^NFLOG/ ) {
 $prefix = "$level --nflog-prefix \"$prefix\"";
 } elsif ( $level =~ '^LOGMARK' ) {
 $prefix = join( '', substr( $prefix, 0, 12 ) , ':' ) if length $prefix > 13;
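Review bot: In the log_rule_limit hunk at line 6756 the restored ULOG branch assigns exactly what the NFLOG branch beneath it assigns (`$prefix = "-j $level ";`), so the pair can collapse into one test, `if ( $level =~ /^(?:ULOG|NFLOG)/ ) {`; the log_irule_limit hunk at line 6855 duplicates the same way. The new tests are written as string patterns, `$level =~ '^ULOG'`, while the sibling test uses the regex literal `/^NFLOG/`; the pre-existing `'^LOGMARK'` test does the same, but `/^ULOG/` makes the intent visible and is what perlcritic expects. In the two --ulog-prefix branches $prefix is interpolated between literal double quotes with no escaping, exactly as the --nflog-prefix branch already does; where prefix text is restricted before it reaches here is not visible in these hunks, so a comment such as `# $prefix has already been length-checked above; it is not quoted for the shell here` would help the next reader. log_rule_limit and log_irule_limit both begin and end outside these hunks.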
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index a42d6f4f5..3821c1d60 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -456,6 +456,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
 TIME_MATCH => 'Time Match',
 GOTO_TARGET => 'Goto Support',
 LOG_TARGET => 'LOG Target',
+ ULOG_TARGET => 'ULOG Target',
 NFLOG_TARGET => 'NFLOG Target',
 LOGMARK_TARGET => 'LOGMARK Target',
 IPMARK_TARGET => 'IPMARK Target',
@@ -1101,6 +1102,7 @@ sub initialize( $;$$$) {
 TIME_MATCH => undef,
 GOTO_TARGET => undef,
 LOG_TARGET => undef,
+ ULOG_TARGET => undef,
 NFLOG_TARGET => undef,
 LOGMARK_TARGET => undef,
 IPMARK_TARGET => undef,
@@ -1279,6 +1281,7 @@ sub initialize( $;$$$) {
 $globals{PRODUCT} = 'shorewall';
 $config{IPTABLES} = undef;
 $config{ARPTABLES} = undef;
+ $validlevels{ULOG} = 'ULOG';
 } else {
 $globals{SHAREDIR} = "$shorewallrc{SHAREDIR}/shorewall6";
 $globals{PRODUCT} = 'shorewall6';
@@ -4282,23 +4285,25 @@ sub validate_level( $;$ ) {
 require_capability( "${value}_TARGET", "Log level $level", 's' );
 }
 
- if ( $value eq 'NFLOG' ) {
+ if ( $value =~ /^(NFLOG|ULOG)$/ ) {
 my $olevel = $value;
 
 if ( $qualifier =~ /^[(](.*)[)]$/ ) {
 my @options = split /,/, $1;
- my $index = 0;
+ my $prefix = lc $olevel;
+ my $index = $prefix eq 'ulog' ? 3 : 0;
 
 level_error( $rawlevel , $option ) if @options > 3;
 
 for ( @options ) {
 if ( supplied( $_ ) ) {
 level_error( $rawlevel , $option ) unless /^\d+/;
- $olevel .= " --nflog-$suffixes[$index] $_";
+ $olevel .= " --${prefix}-$suffixes[$index] $_";
 }
 
 $index++;
 }
+
 } elsif ( $qualifier =~ /^ --/ ) {
 return $rawlevel;
 } else {
@@ -4949,6 +4954,10 @@ sub Log_Target() {
 qt1( "$iptables $iptablesw -A $sillyname -j LOG" );
 }
 
+sub Ulog_Target() {
+ qt1( "$iptables $iptablesw -A $sillyname -j ULOG" );
+}
+
 sub NFLog_Target() {
 qt1( "$iptables $iptablesw -A $sillyname -j NFLOG" );
 }
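Review bot: In the validate_level hunk at line 4285 the ULOG path starts `$index` at 3 and, with the `@options > 3` guard, walks indices 3 to 5 of @suffixes, which is declared outside this hunk; if that array has fewer than six entries the emitted option becomes `--ulog- N` with at most an uninitialized-value warning, so a comment such as `# @suffixes holds the three NFLOG suffixes followed by the three ULOG ones` next to the ternary would tie the two together. The option check `level_error( $rawlevel , $option ) unless /^\d+/;` is anchored only at the start and so accepts a value like `1x`, which is then rejected by iptables at load time rather than here; `unless /^\d+$/` (or `\A\d+\z`) would report it at validation, and this applies equally to the NFLOG path it was restored alongside. The `Ulog_Target` probe in the hunk at line 4954 follows the `Log_Target` pattern, so on a kernel without the ULOG target the capability is simply reported absent and `require_capability( "${value}_TARGET", ... )` above refuses the log level, which is the right failure mode. validate_level continues beyond the hunk.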
@@ -5134,6 +5143,7 @@ our %detect_capability =
 LENGTH_MATCH => \&Length_Match,
 LOGMARK_TARGET => \&Logmark_Target,
 LOG_TARGET => \&Log_Target,
+ ULOG_TARGET => \&Ulog_Target,
 NFLOG_TARGET => \&NFLog_Target,
 NFLOG_SIZE => \&NFLog_Size,
 MANGLE_ENABLED => \&Mangle_Enabled,
@@ -5298,6 +5308,7 @@ sub determine_capabilities() {
 $capabilities{TIME_MATCH} = detect_capability( 'TIME_MATCH' );
 $capabilities{GOTO_TARGET} = detect_capability( 'GOTO_TARGET' );
 $capabilities{LOG_TARGET} = detect_capability( 'LOG_TARGET' );
+ $capabilities{ULOG_TARGET} = detect_capability( 'ULOG_TARGET' );
 $capabilities{NFLOG_TARGET} = detect_capability( 'NFLOG_TARGET' );
 $capabilities{LOGMARK_TARGET} = detect_capability( 'LOGMARK_TARGET' );
 $capabilities{FLOW_FILTER} = detect_capability( 'FLOW_FILTER' );
@@ -6861,7 +6872,9 @@ sub get_configuration( $$$ ) {
 }
 
 if ( supplied( $val = $config{LOG_BACKEND} ) ) {
- if ( $val eq 'netlink' ) {
+ if ( $family == F_IPV4 && $val eq 'ULOG' ) {
+ $val = 'ipt_ULOG';
+ } elsif ( $val eq 'netlink' ) {
 $val = 'nfnetlink_log';
 } elsif ( $val eq 'LOG' ) {
 $val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_LOG';
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index e9785214c..39aa6dfa1 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -94,7 +94,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
 my $level = '';
 
- if ( $action =~ /^NFLOG/ ) {
+ if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
 $action = join( ":" , 'LOG', $action );
 }
 
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index f9205c1ac..90051a4bd 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
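Review bot: The restored LOG_BACKEND branch in get_configuration at line 6872 maps `ULOG` to `ipt_ULOG` without consulting the ULOG_TARGET capability that the other hunks in this file add, whereas the log-level path in validate_level calls `require_capability( "${value}_TARGET", ... )` before accepting a ULOG level; unless a later check outside the hunk covers LOG_BACKEND, a backend the running kernel cannot provide is only discovered when the module fails to load. Adding `require_capability( 'ULOG_TARGET', 'LOG_BACKEND=ULOG', 's' );` inside that branch keeps the two paths consistent. The test is also guarded by `$family == F_IPV4`, so for IPv6 a LOG_BACKEND of `ULOG` falls through to the rest of the elsif chain, whose tail is not visible here; a one-line comment, `# ULOG is an IPv4-only backend; IPv6 falls through to the checks below`, would record that this is deliberate. get_configuration starts and ends outside the hunk.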
@@ -1580,7 +1580,7 @@ sub merge_levels ($$) {
 my $tag = $supparts[2];
 
 if ( @supparts == 3 ) {
- return "$subordinate:$tag" if $target =~ /^NFLOG\b/;
+ return "$subordinate:$tag" if $target =~ /^(?:NFLOG|ULOG)\b/;
 return "$target:none!:$tag" if $level eq 'none!';
 return "$target:$level:$tag" if $level =~ /!$/;
 return $subordinate if $subparts >= 2;
@@ -1588,7 +1588,7 @@ sub merge_levels ($$) {
 }
 
 if ( @supparts == 2 ) {
- return $subordinate if $target =~ /^NFLOG\b/;
+ return $subordinate if $target =~ /^(?:NFLOG|ULOG)\b/;
 return "$target:none!" if $level eq 'none!';
 return "$target:$level" if ($level =~ /!$/) || ($subparts < 2);
 }
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index ea8ffb403..4580cb59f 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -334,10 +334,9 @@
- IPv4 only. Added in Shoreawll 4.6.0 and removed in
- Shorewall 5.2.2. Queues the packet to a backend logging daemon
- using the ULOG netfilter target with the specified
- ulog-parameters.
+ IPv4 only. Added in Shoreawll 4.6.0. Queues the packet to
+ a backend logging daemon using the ULOG netfilter target with
+ the specified ulog-parameters.
diff --git a/Shorewall/manpages/shorewall-logging.xml b/Shorewall/manpages/shorewall-logging.xml
index 4c7e46661..bbd0e3e23 100644
--- a/Shorewall/manpages/shorewall-logging.xml
+++ b/Shorewall/manpages/shorewall-logging.xml
@@ -326,8 +326,8 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net ULOG (ipt_ULOG)
- ULOG logging as described ablve. Only available for IPv4 and
- removed in Shorewall 5.2.2.
+ ULOG logging as described ablve. Only available for
+ IPv4.
@@ -343,10 +343,10 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net The currently-available and currently-selected IPv4 and IPv6 backends are shown in /proc/sys/net/netfilter/nf_log:
- $ cat /proc/net/netfilter/nf_log
+ cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
- 2 nf_log_ipv4 (nf_log_ipv4,nfnetlink_log)
+ 2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
@@ -354,10 +354,9 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
-10 nf_log_ipv6 (nf_log_ipv6,nfnetlink_log)
+10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
 11 NONE (nfnetlink_log)
-12 NONE (nfnetlink_log)
-$
+12 NONE (nfnetlink_log)
 The magic numbers (0-12) are Linux address family numbers (AF_INET is 2 and AF_INET6 is 10).
diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml
index 12f937b10..cd6eedb77 100644
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -279,11 +279,6 @@ separate log through use of ulogd (http://www.netfilter.org/projects/ulogd/index.html).
-
- Support for ULOG was removed in Shorewall 5.2.2 as Netfilter
- has dropped support for ULOG.
-
-
 For a description of logging, see shorewall-logging(5).
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 49cf3eb97..74f6c6ec2 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -905,10 +905,9 @@ role="bold">ULOG[(ulog-parameters)] - IPv4 only. Added in Shorewall 4.5.10 and removed in - 5.2.2. Queues matching packets to a back end logging daemon - via a netlink socket then continues to the next rule. See - IPv4 only. Added in Shorewall 4.5.10. Queues matching + packets to a back end logging daemon via a netlink socket then + continues to the next rule. See shorewall-logging(5). Similar to
diff --git a/Shorewall/manpages/shorewall-snat.xml b/Shorewall/manpages/shorewall-snat.xml
index 49334a845..9ce9f8113 100644
--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -221,10 +221,9 @@ role="bold">ULOG[(ulog-parameters)] - IPv4 only. Added in Shorewall 5.1.9 and removed in - Shorewall 5.2.2. Queues matching packets to a back end logging - daemon via a netlink socket then continues to the next rule. - See IPv4 only. Added in Shorewall 5.1.9. Queues matching + packets to a back end logging daemon via a netlink socket then + continues to the next rule. See shorewall-logging(5). Similar to
@@ -289,7 +288,7 @@ Beginning with Shorewall 5.1.12, SNAT may be performed in the nat table's INPUT chain by specifying $FW rather than one or more
- interfaces.
+ interfaces. Each interface must match an entry in shorewall-interfaces(5).
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 7584eb6f9..2f2013266 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -91,11 +91,6 @@ LOG_LEVEL="NFLOG(1,0,1)"
-
- Support for ULOG was removed in Shorewall 5.2.2 as Netfilter has
- removed support for ULOG logging.
-
-
 Beginning with Shorewall 5.0.0, the log level may be followed by a colon (":") and a log tag. The log tag normally follows the packet disposition in Shorewall-generated Netfilter log
@@ -1430,8 +1425,7 @@ net all DROP infothen the chain name is 'net-all' IPv4 only.
- Use ULOG logging to ulogd. Support for ULOG was removed
- in Shorewall 5.2.2.
+ Use ULOG logging to ulogd.
diff --git a/docs/Actions.xml b/docs/Actions.xml
index 6342045af..c591be9df 100644
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -749,8 +749,7 @@ bar:debug Either a syslog level or a ULOG or NFLOG target expression (e.g., "NFLOG(1,0,1)"). Specifies how you want the
- logging done. Support for ULOG was removed in Shorewall
- 5.2.2.
+ logging done.
diff --git a/docs/shorewall_logging.xml b/docs/shorewall_logging.xml
index b445d344d..7d51de586 100644
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -277,7 +277,7 @@ shell variable simplifies future changes. Here's what I had at one time:
- gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|LOGFILE'
+ gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|ULOG|LOGFILE'
 params:LOG=NFLOG
 policy:loc $FW REJECT $LOG
 policy:net all DROP $LOG 10/sec:40
@@ -302,8 +302,8 @@ gateway:/etc/shorewall# logwatch and dump commands.
- The NFLOG target is a successor to ULOG. NFLOG may be followed by
- a list of up to three numbers in parentheses.
+ The NFLOG target is a successor to ULOG. Both ULOG and NFLOG may
+ be followed by a list of up to three numbers in parentheses.
@@ -384,8 +384,8 @@ sync=1 ULOG (ipt_ULOG)
- ULOG logging as described ablve. Only available for IPv4 and
- removed in Shorewall 5.2.2.
+ ULOG logging as described ablve. Only available for
+ IPv4.
@@ -401,10 +401,10 @@ sync=1 The currently-available and currently-selected IPv4 and IPv6 backends are shown in /proc/sys/net/netfilter/nf_log:
- $ cat /proc/net/netfilter/nf_log
+ cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
- 2 nf_log_ipv4 (nf_log_ipv4,nfnetlink_log)
+ 2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
@@ -412,10 +412,9 @@ sync=1
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
-10 nf_log_ipv6 (nf_log_ipv6,nfnetlink_log)
+10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
 11 NONE (nfnetlink_log)
-12 NONE (nfnetlink_log)
-$
+12 NONE (nfnetlink_log)
 The magic numbers (0-12) are Linux address family numbers (AF_INET is 2 and AF_INET6 is 10).