forked from extern/shorewall_code
parent
ad6401da8c
commit
be2110b47e
@ -450,13 +450,13 @@ use constant { STANDARD => 0x1, #defined by Netfilter
|
|||||||
REDIRECT => 0x20, #'REDIRECT'
|
REDIRECT => 0x20, #'REDIRECT'
|
||||||
ACTION => 0x40, #An action (may be built-in)
|
ACTION => 0x40, #An action (may be built-in)
|
||||||
MACRO => 0x80, #A Macro
|
MACRO => 0x80, #A Macro
|
||||||
LOGRULE => 0x100, #'LOG','NFLOG'
|
LOGRULE => 0x100, #'LOG','ULOG','NFLOG'
|
||||||
NFQ => 0x200, #'NFQUEUE'
|
NFQ => 0x200, #'NFQUEUE'
|
||||||
CHAIN => 0x400, #Manual Chain
|
CHAIN => 0x400, #Manual Chain
|
||||||
SET => 0x800, #SET
|
SET => 0x800, #SET
|
||||||
AUDIT => 0x1000, #A_ACCEPT, etc
|
AUDIT => 0x1000, #A_ACCEPT, etc
|
||||||
HELPER => 0x2000, #CT:helper
|
HELPER => 0x2000, #CT:helper
|
||||||
NFLOG => 0x4000, #NFLOG
|
NFLOG => 0x4000, #NFLOG or ULOG
|
||||||
INLINE => 0x8000, #Inline action
|
INLINE => 0x8000, #Inline action
|
||||||
STATEMATCH => 0x10000, #action.Invalid, action.Related, etc.
|
STATEMATCH => 0x10000, #action.Invalid, action.Related, etc.
|
||||||
USERBUILTIN => 0x20000, #Builtin action from user's actions file.
|
USERBUILTIN => 0x20000, #Builtin action from user's actions file.
|
||||||
@ -656,6 +656,7 @@ our %builtin_target = ( ACCEPT => STANDARD + FILTER_TABLE + NAT_TABLE + MAN
|
|||||||
TPROXY => STANDARD + MANGLE_TABLE,
|
TPROXY => STANDARD + MANGLE_TABLE,
|
||||||
TRACE => STANDARD + RAW_TABLE,
|
TRACE => STANDARD + RAW_TABLE,
|
||||||
TTL => STANDARD + MANGLE_TABLE,
|
TTL => STANDARD + MANGLE_TABLE,
|
||||||
|
ULOG => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||||
);
|
);
|
||||||
|
|
||||||
our %ipset_exists;
|
our %ipset_exists;
|
||||||
@ -3222,6 +3223,7 @@ sub initialize_chain_table($) {
|
|||||||
'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
|
'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
|
||||||
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
|
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
|
||||||
'TARPIT' => STANDARD + TARPIT + OPTIONS,
|
'TARPIT' => STANDARD + TARPIT + OPTIONS,
|
||||||
|
'ULOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
|
||||||
'WHITELIST' => STANDARD,
|
'WHITELIST' => STANDARD,
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -3279,6 +3281,7 @@ sub initialize_chain_table($) {
|
|||||||
'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
|
'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
|
||||||
'NFQUEUE' => STANDARD + NFQ + OPTIONS,
|
'NFQUEUE' => STANDARD + NFQ + OPTIONS,
|
||||||
'NFQUEUE!' => STANDARD + NFQ,
|
'NFQUEUE!' => STANDARD + NFQ,
|
||||||
|
'ULOG' => STANDARD + LOGRULE + NFLOG,
|
||||||
'ADD' => STANDARD + SET,
|
'ADD' => STANDARD + SET,
|
||||||
'DEL' => STANDARD + SET,
|
'DEL' => STANDARD + SET,
|
||||||
'WHITELIST' => STANDARD,
|
'WHITELIST' => STANDARD,
|
||||||
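Review bot: The new `'ULOG' => STANDARD + LOGRULE + NFLOG,` entry in this second table omits `+ OPTIONS`, while the adjacent `'NFLOG'` entry carries it and the ULOG entry added to the first initialize_chain_table table in the previous hunk reads `STANDARD + LOGRULE + NFLOG + OPTIONS`. If the omission is deliberate, a short trailing comment would stop it reading as a copy error; otherwise it should be `'ULOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,` to match NFLOG. Both tables sit inside initialize_chain_table, whose body starts and ends outside these hunks.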
@ -6753,7 +6756,9 @@ sub log_rule_limit( $$$$$$$$;$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( $config{LOGFORMAT} =~ /^\s*$/ ) {
|
if ( $config{LOGFORMAT} =~ /^\s*$/ ) {
|
||||||
if ( $level =~ /^NFLOG/ ) {
|
if ( $level =~ '^ULOG' ) {
|
||||||
|
$prefix = "-j $level ";
|
||||||
|
} elsif ( $level =~ /^NFLOG/ ) {
|
||||||
$prefix = "-j $level ";
|
$prefix = "-j $level ";
|
||||||
} else {
|
} else {
|
||||||
my $flags = $globals{LOGPARMS};
|
my $flags = $globals{LOGPARMS};
|
||||||
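Review bot: The added branch tests the level with a string pattern, `if ( $level =~ '^ULOG' ) {`, while the `elsif` right below it uses a regex literal, `/^NFLOG/`; the same mix appears in the next log_rule_limit hunk and in both log_irule_limit hunks. A string on the right of `=~` is interpolated and compiled as a pattern, so it works, but it is easy to misread as an `eq` comparison and does not get the compile-time pattern check a literal gets. Suggest `if ( $level =~ /^ULOG/ ) {` in all four places; the existing `'^LOGMARK'` tests could be converted in the same pass. log_rule_limit's body continues outside the hunk.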
@ -6798,7 +6803,9 @@ sub log_rule_limit( $$$$$$$$;$ ) {
|
|||||||
warning_message "Log Prefix shortened to \"$prefix\"";
|
warning_message "Log Prefix shortened to \"$prefix\"";
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $level =~ /^NFLOG/ ) {
|
if ( $level =~ '^ULOG' ) {
|
||||||
|
$prefix = "-j $level --ulog-prefix \"$prefix\" ";
|
||||||
|
} elsif ( $level =~ /^NFLOG/ ) {
|
||||||
$prefix = "-j $level --nflog-prefix \"$prefix\" ";
|
$prefix = "-j $level --nflog-prefix \"$prefix\" ";
|
||||||
} elsif ( $level =~ '^LOGMARK' ) {
|
} elsif ( $level =~ '^LOGMARK' ) {
|
||||||
$prefix = join( '', substr( $prefix, 0, 12 ) , ':' ) if length $prefix > 13;
|
$prefix = join( '', substr( $prefix, 0, 12 ) , ':' ) if length $prefix > 13;
|
||||||
@ -6848,7 +6855,9 @@ sub log_irule_limit( $$$$$$$$@ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( $config{LOGFORMAT} =~ /^\s*$/ ) {
|
if ( $config{LOGFORMAT} =~ /^\s*$/ ) {
|
||||||
if ( $level =~ /^NFLOG/ ) {
|
if ( $level =~ '^ULOG' ) {
|
||||||
|
$prefix = "$level";
|
||||||
|
} elsif ( $level =~ /^NFLOG/ ) {
|
||||||
$prefix = "$level";
|
$prefix = "$level";
|
||||||
} else {
|
} else {
|
||||||
my $flags = $globals{LOGPARMS};
|
my $flags = $globals{LOGPARMS};
|
||||||
@ -6893,7 +6902,9 @@ sub log_irule_limit( $$$$$$$$@ ) {
|
|||||||
warning_message "Log Prefix shortened to \"$prefix\"";
|
warning_message "Log Prefix shortened to \"$prefix\"";
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $level =~ /^NFLOG/ ) {
|
if ( $level =~ '^ULOG' ) {
|
||||||
|
$prefix = "$level --ulog-prefix \"$prefix\"";
|
||||||
|
} elsif ( $level =~ /^NFLOG/ ) {
|
||||||
$prefix = "$level --nflog-prefix \"$prefix\"";
|
$prefix = "$level --nflog-prefix \"$prefix\"";
|
||||||
} elsif ( $level =~ '^LOGMARK' ) {
|
} elsif ( $level =~ '^LOGMARK' ) {
|
||||||
$prefix = join( '', substr( $prefix, 0, 12 ) , ':' ) if length $prefix > 13;
|
$prefix = join( '', substr( $prefix, 0, 12 ) , ':' ) if length $prefix > 13;
|
||||||
|
@ -456,6 +456,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
TIME_MATCH => 'Time Match',
|
TIME_MATCH => 'Time Match',
|
||||||
GOTO_TARGET => 'Goto Support',
|
GOTO_TARGET => 'Goto Support',
|
||||||
LOG_TARGET => 'LOG Target',
|
LOG_TARGET => 'LOG Target',
|
||||||
|
ULOG_TARGET => 'ULOG Target',
|
||||||
NFLOG_TARGET => 'NFLOG Target',
|
NFLOG_TARGET => 'NFLOG Target',
|
||||||
LOGMARK_TARGET => 'LOGMARK Target',
|
LOGMARK_TARGET => 'LOGMARK Target',
|
||||||
IPMARK_TARGET => 'IPMARK Target',
|
IPMARK_TARGET => 'IPMARK Target',
|
||||||
@ -1101,6 +1102,7 @@ sub initialize( $;$$$) {
|
|||||||
TIME_MATCH => undef,
|
TIME_MATCH => undef,
|
||||||
GOTO_TARGET => undef,
|
GOTO_TARGET => undef,
|
||||||
LOG_TARGET => undef,
|
LOG_TARGET => undef,
|
||||||
|
ULOG_TARGET => undef,
|
||||||
NFLOG_TARGET => undef,
|
NFLOG_TARGET => undef,
|
||||||
LOGMARK_TARGET => undef,
|
LOGMARK_TARGET => undef,
|
||||||
IPMARK_TARGET => undef,
|
IPMARK_TARGET => undef,
|
||||||
@ -1279,6 +1281,7 @@ sub initialize( $;$$$) {
|
|||||||
$globals{PRODUCT} = 'shorewall';
|
$globals{PRODUCT} = 'shorewall';
|
||||||
$config{IPTABLES} = undef;
|
$config{IPTABLES} = undef;
|
||||||
$config{ARPTABLES} = undef;
|
$config{ARPTABLES} = undef;
|
||||||
|
$validlevels{ULOG} = 'ULOG';
|
||||||
} else {
|
} else {
|
||||||
$globals{SHAREDIR} = "$shorewallrc{SHAREDIR}/shorewall6";
|
$globals{SHAREDIR} = "$shorewallrc{SHAREDIR}/shorewall6";
|
||||||
$globals{PRODUCT} = 'shorewall6';
|
$globals{PRODUCT} = 'shorewall6';
|
||||||
@ -4282,23 +4285,25 @@ sub validate_level( $;$ ) {
|
|||||||
require_capability( "${value}_TARGET", "Log level $level", 's' );
|
require_capability( "${value}_TARGET", "Log level $level", 's' );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $value eq 'NFLOG' ) {
|
if ( $value =~ /^(NFLOG|ULOG)$/ ) {
|
||||||
my $olevel = $value;
|
my $olevel = $value;
|
||||||
|
|
||||||
if ( $qualifier =~ /^[(](.*)[)]$/ ) {
|
if ( $qualifier =~ /^[(](.*)[)]$/ ) {
|
||||||
my @options = split /,/, $1;
|
my @options = split /,/, $1;
|
||||||
my $index = 0;
|
my $prefix = lc $olevel;
|
||||||
|
my $index = $prefix eq 'ulog' ? 3 : 0;
|
||||||
|
|
||||||
level_error( $rawlevel , $option ) if @options > 3;
|
level_error( $rawlevel , $option ) if @options > 3;
|
||||||
|
|
||||||
for ( @options ) {
|
for ( @options ) {
|
||||||
if ( supplied( $_ ) ) {
|
if ( supplied( $_ ) ) {
|
||||||
level_error( $rawlevel , $option ) unless /^\d+/;
|
level_error( $rawlevel , $option ) unless /^\d+/;
|
||||||
$olevel .= " --nflog-$suffixes[$index] $_";
|
$olevel .= " --${prefix}-$suffixes[$index] $_";
|
||||||
}
|
}
|
||||||
|
|
||||||
$index++;
|
$index++;
|
||||||
}
|
}
|
||||||
|
|
||||||
} elsif ( $qualifier =~ /^ --/ ) {
|
} elsif ( $qualifier =~ /^ --/ ) {
|
||||||
return $rawlevel;
|
return $rawlevel;
|
||||||
} else {
|
} else {
|
||||||
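Review bot: `my $index = $prefix eq 'ulog' ? 3 : 0;` encodes an assumption about the layout of `@suffixes`, which is declared outside this hunk: the ULOG option names must occupy positions 3–5 in the same order as the NFLOG names at 0–2, and the unchanged `level_error( $rawlevel , $option ) if @options > 3;` is what keeps the index from running past that range. That coupling is invisible at this line; a comment such as `# @suffixes holds the NFLOG suffixes at 0..2 and the ULOG suffixes at 3..5` next to the assignment would make it explicit. Separately, `if ( $value =~ /^(NFLOG|ULOG)$/ )` captures a group nothing reads; `/^(?:NFLOG|ULOG)$/` would match the non-capturing form this commit uses in process_conntrack_rule and merge_levels. validate_level starts and ends outside the hunk.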
@ -4949,6 +4954,10 @@ sub Log_Target() {
|
|||||||
qt1( "$iptables $iptablesw -A $sillyname -j LOG" );
|
qt1( "$iptables $iptablesw -A $sillyname -j LOG" );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub Ulog_Target() {
|
||||||
|
qt1( "$iptables $iptablesw -A $sillyname -j ULOG" );
|
||||||
|
}
|
||||||
|
|
||||||
sub NFLog_Target() {
|
sub NFLog_Target() {
|
||||||
qt1( "$iptables $iptablesw -A $sillyname -j NFLOG" );
|
qt1( "$iptables $iptablesw -A $sillyname -j NFLOG" );
|
||||||
}
|
}
|
||||||
@ -5134,6 +5143,7 @@ our %detect_capability =
|
|||||||
LENGTH_MATCH => \&Length_Match,
|
LENGTH_MATCH => \&Length_Match,
|
||||||
LOGMARK_TARGET => \&Logmark_Target,
|
LOGMARK_TARGET => \&Logmark_Target,
|
||||||
LOG_TARGET => \&Log_Target,
|
LOG_TARGET => \&Log_Target,
|
||||||
|
ULOG_TARGET => \&Ulog_Target,
|
||||||
NFLOG_TARGET => \&NFLog_Target,
|
NFLOG_TARGET => \&NFLog_Target,
|
||||||
NFLOG_SIZE => \&NFLog_Size,
|
NFLOG_SIZE => \&NFLog_Size,
|
||||||
MANGLE_ENABLED => \&Mangle_Enabled,
|
MANGLE_ENABLED => \&Mangle_Enabled,
|
||||||
@ -5298,6 +5308,7 @@ sub determine_capabilities() {
|
|||||||
$capabilities{TIME_MATCH} = detect_capability( 'TIME_MATCH' );
|
$capabilities{TIME_MATCH} = detect_capability( 'TIME_MATCH' );
|
||||||
$capabilities{GOTO_TARGET} = detect_capability( 'GOTO_TARGET' );
|
$capabilities{GOTO_TARGET} = detect_capability( 'GOTO_TARGET' );
|
||||||
$capabilities{LOG_TARGET} = detect_capability( 'LOG_TARGET' );
|
$capabilities{LOG_TARGET} = detect_capability( 'LOG_TARGET' );
|
||||||
|
$capabilities{ULOG_TARGET} = detect_capability( 'ULOG_TARGET' );
|
||||||
$capabilities{NFLOG_TARGET} = detect_capability( 'NFLOG_TARGET' );
|
$capabilities{NFLOG_TARGET} = detect_capability( 'NFLOG_TARGET' );
|
||||||
$capabilities{LOGMARK_TARGET} = detect_capability( 'LOGMARK_TARGET' );
|
$capabilities{LOGMARK_TARGET} = detect_capability( 'LOGMARK_TARGET' );
|
||||||
$capabilities{FLOW_FILTER} = detect_capability( 'FLOW_FILTER' );
|
$capabilities{FLOW_FILTER} = detect_capability( 'FLOW_FILTER' );
|
||||||
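Review bot: `$capabilities{ULOG_TARGET} = detect_capability( 'ULOG_TARGET' );` runs the ULOG probe for both address families, although the rest of the commit treats ULOG as IPv4-only (`$validlevels{ULOG}` is set only in the IPv4 branch of initialize, and get_configuration maps `ULOG` to `ipt_ULOG` only when `$family == F_IPV4`). The probe added in Ulog_Target, `qt1( "$iptables $iptablesw -A $sillyname -j ULOG" )`, can presumably only fail under ip6tables, so the outcome is harmless but the invocation is wasted. If `$family` is in scope here as it is in get_configuration, `$capabilities{ULOG_TARGET} = $family == F_IPV4 ? detect_capability( 'ULOG_TARGET' ) : undef;` would keep detection consistent with the rest of the change. determine_capabilities continues outside the hunk.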
@ -6861,7 +6872,9 @@ sub get_configuration( $$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( supplied( $val = $config{LOG_BACKEND} ) ) {
|
if ( supplied( $val = $config{LOG_BACKEND} ) ) {
|
||||||
if ( $val eq 'netlink' ) {
|
if ( $family == F_IPV4 && $val eq 'ULOG' ) {
|
||||||
|
$val = 'ipt_ULOG';
|
||||||
|
} elsif ( $val eq 'netlink' ) {
|
||||||
$val = 'nfnetlink_log';
|
$val = 'nfnetlink_log';
|
||||||
} elsif ( $val eq 'LOG' ) {
|
} elsif ( $val eq 'LOG' ) {
|
||||||
$val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_LOG';
|
$val = $family == F_IPV4 ? 'ipt_LOG' : 'ip6t_LOG';
|
||||||
|
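Review bot: With `$family == F_IPV4 &&` in the new first test, an IPv6 configuration that sets `LOG_BACKEND=ULOG` falls through to the remaining `elsif` branches, and what becomes of it depends on the tail of the chain, which lies outside this hunk. If that tail rejects unknown values the behaviour is right but deserves a one-line comment on the new test, e.g. `# ULOG is IPv4-only; for IPv6 the value falls through to the validation below`; if it passes `$val` through unchanged, the bare string `ULOG` would reach whatever consumes `$val` next. get_configuration's body continues outside the hunk.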
@ -94,7 +94,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
|
|||||||
|
|
||||||
my $level = '';
|
my $level = '';
|
||||||
|
|
||||||
if ( $action =~ /^NFLOG/ ) {
|
if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
|
||||||
$action = join( ":" , 'LOG', $action );
|
$action = join( ":" , 'LOG', $action );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
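Review bot: `if ( $action =~ /^(?:NFLOG|ULOG)/ ) {` anchors only the start of the string, so any action beginning with those letters is rewritten to `LOG:...`, whereas the two merge_levels hunks in this same commit use `/^(?:NFLOG|ULOG)\b/`. The open end is pre-existing for NFLOG, but since the alternation is being touched anyway, `if ( $action =~ /^(?:NFLOG|ULOG)\b/ ) {` would make the three tests agree and still accept the `NFLOG(1,0,1)` form. process_conntrack_rule's body continues outside the hunk.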
@ -1580,7 +1580,7 @@ sub merge_levels ($$) {
|
|||||||
my $tag = $supparts[2];
|
my $tag = $supparts[2];
|
||||||
|
|
||||||
if ( @supparts == 3 ) {
|
if ( @supparts == 3 ) {
|
||||||
return "$subordinate:$tag" if $target =~ /^NFLOG\b/;
|
return "$subordinate:$tag" if $target =~ /^(?:NFLOG|ULOG)\b/;
|
||||||
return "$target:none!:$tag" if $level eq 'none!';
|
return "$target:none!:$tag" if $level eq 'none!';
|
||||||
return "$target:$level:$tag" if $level =~ /!$/;
|
return "$target:$level:$tag" if $level =~ /!$/;
|
||||||
return $subordinate if $subparts >= 2;
|
return $subordinate if $subparts >= 2;
|
||||||
@ -1588,7 +1588,7 @@ sub merge_levels ($$) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( @supparts == 2 ) {
|
if ( @supparts == 2 ) {
|
||||||
return $subordinate if $target =~ /^NFLOG\b/;
|
return $subordinate if $target =~ /^(?:NFLOG|ULOG)\b/;
|
||||||
return "$target:none!" if $level eq 'none!';
|
return "$target:none!" if $level eq 'none!';
|
||||||
return "$target:$level" if ($level =~ /!$/) || ($subparts < 2);
|
return "$target:$level" if ($level =~ /!$/) || ($subparts < 2);
|
||||||
}
|
}
|
||||||
|
@ -334,10 +334,9 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para><option>ULOG</option></para>
|
<para><option>ULOG</option></para>
|
||||||
|
|
||||||
<para>IPv4 only. Added in Shoreawll 4.6.0 and removed in
|
<para>IPv4 only. Added in Shoreawll 4.6.0. Queues the packet to
|
||||||
Shorewall 5.2.2. Queues the packet to a backend logging daemon
|
a backend logging daemon using the ULOG netfilter target with
|
||||||
using the ULOG netfilter target with the specified
|
the specified <replaceable>ulog-parameters</replaceable>.</para>
|
||||||
<replaceable>ulog-parameters</replaceable>.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
|
@ -326,8 +326,8 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net
|
|||||||
<term>ULOG (ipt_ULOG)</term>
|
<term>ULOG (ipt_ULOG)</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>ULOG logging as described ablve. Only available for IPv4 and
|
<para>ULOG logging as described ablve. Only available for
|
||||||
removed in Shorewall 5.2.2.</para>
|
IPv4.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -343,10 +343,10 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net
|
|||||||
<para>The currently-available and currently-selected IPv4 and IPv6
|
<para>The currently-available and currently-selected IPv4 and IPv6
|
||||||
backends are shown in /proc/sys/net/netfilter/nf_log:</para>
|
backends are shown in /proc/sys/net/netfilter/nf_log:</para>
|
||||||
|
|
||||||
<programlisting>$ cat /proc/net/netfilter/nf_log
|
<programlisting>cat /proc/net/netfilter/nf_log
|
||||||
0 NONE (nfnetlink_log)
|
0 NONE (nfnetlink_log)
|
||||||
1 NONE (nfnetlink_log)
|
1 NONE (nfnetlink_log)
|
||||||
2 nf_log_ipv4 (nf_log_ipv4,nfnetlink_log)
|
2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
|
||||||
3 NONE (nfnetlink_log)
|
3 NONE (nfnetlink_log)
|
||||||
4 NONE (nfnetlink_log)
|
4 NONE (nfnetlink_log)
|
||||||
5 NONE (nfnetlink_log)
|
5 NONE (nfnetlink_log)
|
||||||
@ -354,10 +354,9 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net
|
|||||||
7 NONE (nfnetlink_log)
|
7 NONE (nfnetlink_log)
|
||||||
8 NONE (nfnetlink_log)
|
8 NONE (nfnetlink_log)
|
||||||
9 NONE (nfnetlink_log)
|
9 NONE (nfnetlink_log)
|
||||||
10 nf_log_ipv6 (nf_log_ipv6,nfnetlink_log)
|
10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
|
||||||
11 NONE (nfnetlink_log)
|
11 NONE (nfnetlink_log)
|
||||||
12 NONE (nfnetlink_log)
|
12 NONE (nfnetlink_log)</programlisting>
|
||||||
$</programlisting>
|
|
||||||
|
|
||||||
<para>The magic numbers (0-12) are Linux address family numbers (AF_INET
|
<para>The magic numbers (0-12) are Linux address family numbers (AF_INET
|
||||||
is 2 and AF_INET6 is 10).</para>
|
is 2 and AF_INET6 is 10).</para>
|
||||||
|
@ -279,11 +279,6 @@
|
|||||||
separate log through use of ulogd (<ulink
|
separate log through use of ulogd (<ulink
|
||||||
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
||||||
|
|
||||||
<note>
|
|
||||||
<para>Support for ULOG was removed in Shorewall 5.2.2 as Netfilter
|
|
||||||
has dropped support for ULOG.</para>
|
|
||||||
</note>
|
|
||||||
|
|
||||||
<para>For a description of logging, see <ulink
|
<para>For a description of logging, see <ulink
|
||||||
url="/shorewall_logging.html">shorewall-logging(5)</ulink>.</para>
|
url="/shorewall_logging.html">shorewall-logging(5)</ulink>.</para>
|
||||||
|
|
||||||
|
@ -905,10 +905,9 @@
|
|||||||
role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
|
role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>IPv4 only. Added in Shorewall 4.5.10 and removed in
|
<para>IPv4 only. Added in Shorewall 4.5.10. Queues matching
|
||||||
5.2.2. Queues matching packets to a back end logging daemon
|
packets to a back end logging daemon via a netlink socket then
|
||||||
via a netlink socket then continues to the next rule. See
|
continues to the next rule. See <ulink
|
||||||
<ulink
|
|
||||||
url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>
|
url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>
|
||||||
|
|
||||||
<para>Similar to<emphasis role="bold">
|
<para>Similar to<emphasis role="bold">
|
||||||
|
@ -221,10 +221,9 @@
|
|||||||
role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
|
role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>IPv4 only. Added in Shorewall 5.1.9 and removed in
|
<para>IPv4 only. Added in Shorewall 5.1.9. Queues matching
|
||||||
Shorewall 5.2.2. Queues matching packets to a back end logging
|
packets to a back end logging daemon via a netlink socket then
|
||||||
daemon via a netlink socket then continues to the next rule.
|
continues to the next rule. See <ulink
|
||||||
See <ulink
|
|
||||||
url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>
|
url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>
|
||||||
|
|
||||||
<para>Similar to<emphasis role="bold">
|
<para>Similar to<emphasis role="bold">
|
||||||
@ -289,7 +288,7 @@
|
|||||||
|
|
||||||
<para>Beginning with Shorewall 5.1.12, SNAT may be performed in the
|
<para>Beginning with Shorewall 5.1.12, SNAT may be performed in the
|
||||||
nat table's INPUT chain by specifying $FW rather than one or more
|
nat table's INPUT chain by specifying $FW rather than one or more
|
||||||
interfaces.</para>
|
interfaces. </para>
|
||||||
|
|
||||||
<para>Each interface must match an entry in <ulink
|
<para>Each interface must match an entry in <ulink
|
||||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||||
|
@ -91,11 +91,6 @@
|
|||||||
<programlisting>LOG_LEVEL="NFLOG(1,0,1)"</programlisting>
|
<programlisting>LOG_LEVEL="NFLOG(1,0,1)"</programlisting>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
<note>
|
|
||||||
<para>Support for ULOG was removed in Shorewall 5.2.2 as Netfilter has
|
|
||||||
removed support for ULOG logging.</para>
|
|
||||||
</note>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 5.0.0, the log level may be followed by a
|
<para>Beginning with Shorewall 5.0.0, the log level may be followed by a
|
||||||
colon (":") and a <firstterm>log tag</firstterm>. The log tag normally
|
colon (":") and a <firstterm>log tag</firstterm>. The log tag normally
|
||||||
follows the packet disposition in Shorewall-generated Netfilter log
|
follows the packet disposition in Shorewall-generated Netfilter log
|
||||||
@ -1430,8 +1425,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>IPv4 only.</para>
|
<para>IPv4 only.</para>
|
||||||
|
|
||||||
<para>Use ULOG logging to ulogd. Support for ULOG was removed
|
<para>Use ULOG logging to ulogd.</para>
|
||||||
in Shorewall 5.2.2.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -749,8 +749,7 @@ bar:debug</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Either a syslog level or a ULOG or NFLOG target
|
<para>Either a syslog level or a ULOG or NFLOG target
|
||||||
expression (e.g., "NFLOG(1,0,1)"). Specifies how you want the
|
expression (e.g., "NFLOG(1,0,1)"). Specifies how you want the
|
||||||
logging done. Support for ULOG was removed in Shorewall
|
logging done.</para>
|
||||||
5.2.2.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -277,7 +277,7 @@
|
|||||||
shell variable simplifies future changes. Here's what I had at one
|
shell variable simplifies future changes. Here's what I had at one
|
||||||
time:</para>
|
time:</para>
|
||||||
|
|
||||||
<programlisting>gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|LOGFILE'
|
<programlisting>gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|ULOG|LOGFILE'
|
||||||
params:LOG=NFLOG
|
params:LOG=NFLOG
|
||||||
policy:loc $FW REJECT $LOG
|
policy:loc $FW REJECT $LOG
|
||||||
policy:net all DROP $LOG 10/sec:40
|
policy:net all DROP $LOG 10/sec:40
|
||||||
@ -302,8 +302,8 @@ gateway:/etc/shorewall# </programl
|
|||||||
<quote><command>logwatch</command></quote> and
|
<quote><command>logwatch</command></quote> and
|
||||||
<quote><command>dump</command></quote> commands.</para>
|
<quote><command>dump</command></quote> commands.</para>
|
||||||
|
|
||||||
<para>The NFLOG target is a successor to ULOG. NFLOG may be followed by
|
<para>The NFLOG target is a successor to ULOG. Both ULOG and NFLOG may
|
||||||
a list of up to three numbers in parentheses.</para>
|
be followed by a list of up to three numbers in parentheses.</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -384,8 +384,8 @@ sync=1</programlisting>
|
|||||||
<term>ULOG (ipt_ULOG)</term>
|
<term>ULOG (ipt_ULOG)</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>ULOG logging as described ablve. Only available for IPv4 and
|
<para>ULOG logging as described ablve. Only available for
|
||||||
removed in Shorewall 5.2.2.</para>
|
IPv4.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -401,10 +401,10 @@ sync=1</programlisting>
|
|||||||
<para>The currently-available and currently-selected IPv4 and IPv6
|
<para>The currently-available and currently-selected IPv4 and IPv6
|
||||||
backends are shown in /proc/sys/net/netfilter/nf_log:</para>
|
backends are shown in /proc/sys/net/netfilter/nf_log:</para>
|
||||||
|
|
||||||
<programlisting>$ cat /proc/net/netfilter/nf_log
|
<programlisting>cat /proc/net/netfilter/nf_log
|
||||||
0 NONE (nfnetlink_log)
|
0 NONE (nfnetlink_log)
|
||||||
1 NONE (nfnetlink_log)
|
1 NONE (nfnetlink_log)
|
||||||
2 nf_log_ipv4 (nf_log_ipv4,nfnetlink_log)
|
2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
|
||||||
3 NONE (nfnetlink_log)
|
3 NONE (nfnetlink_log)
|
||||||
4 NONE (nfnetlink_log)
|
4 NONE (nfnetlink_log)
|
||||||
5 NONE (nfnetlink_log)
|
5 NONE (nfnetlink_log)
|
||||||
@ -412,10 +412,9 @@ sync=1</programlisting>
|
|||||||
7 NONE (nfnetlink_log)
|
7 NONE (nfnetlink_log)
|
||||||
8 NONE (nfnetlink_log)
|
8 NONE (nfnetlink_log)
|
||||||
9 NONE (nfnetlink_log)
|
9 NONE (nfnetlink_log)
|
||||||
10 nf_log_ipv6 (nf_log_ipv6,nfnetlink_log)
|
10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
|
||||||
11 NONE (nfnetlink_log)
|
11 NONE (nfnetlink_log)
|
||||||
12 NONE (nfnetlink_log)
|
12 NONE (nfnetlink_log)</programlisting>
|
||||||
$</programlisting>
|
|
||||||
|
|
||||||
<para>The magic numbers (0-12) are Linux address family numbers (AF_INET
|
<para>The magic numbers (0-12) are Linux address family numbers (AF_INET
|
||||||
is 2 and AF_INET6 is 10).</para>
|
is 2 and AF_INET6 is 10).</para>
|
||||||
|