On 12/01/2012 04:53 PM, Mr Dash Four wrote:
>
>>>> 1. I don't seem to be able to invoke action with parameters
>>>> *and* log level specified as action parameter. In other words,
>>>> something like: "circ1(circ2(whatever):debug):info". It would
>>>> be nice to have that ability.
>>
>> The attached patch seems to handle this case correctly.
> Yep, it does the job, though I spotted another issue: when I issue a
> LOG statement (as part of action - inline or otherwise) the generated
> LOG iptables statement does not contain all the "--log-*" options I
> have used in, say, my default policy for example. Is there a way to
> control these options (that will also be needed when you make
> available $tag later on)?

When LOG (NFLOG,ULOG) is used anywhere, the two things that appear in 
the --log-prefix are:

        - The Chain Name
        - The 'disposition' of the rule that generated the message

If LOGTAGONLY=Yes is specified and a tag is supplied along with the log 
level, then the tag replaces the Chain Name. I do that to break out 
several countries for logging within my own net->all default action:

?if $GEOIP_MATCH
DROP:$LOG:China  ^CN
DROP:$LOG:Russia ^RU
DROP:$LOG:USA    ^US
...
?endif

That produces messages such as:

Dec  2 06:39:40 USA DROP IN=eth1 OUT=br0 SRC=76.121.47.47 DST=70.90.191.124 LEN=52 TOS=00 PREC=0x20 TTL=121 ID=28849 DF PROTO=TCP SPT=53499 DPT=37507 SEQ=165394300 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Dec  2 06:39:42 USA DROP IN=eth1 OUT=br0 SRC=76.121.47.47 DST=70.90.191.124 LEN=61 TOS=00 PREC=0x20 TTL=121 ID=28950 PROTO=UDP SPT=10914 DPT=37507 LEN=41 MARK=0
Dec  2 06:44:14 China DROP IN=eth1 OUT=br0 SRC=58.209.94.102 DST=70.90.191.124 LEN=60 TOS=00 PREC=0x20 TTL=47 ID=58478 DF PROTO=TCP SPT=54540 DPT=23 SEQ=4222062522 ACK=0 WINDOW=5440 SYN URGP=0 MARK=0
Dec  2 06:44:15 USA DROP IN=eth1 OUT=br0 SRC=76.121.47.47 DST=70.90.191.124 LEN=52 TOS=00 PREC=0x20 TTL=121 ID=14961 DF PROTO=TCP SPT=54286 DPT=37507 SEQ=408863359 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Dec  2 06:44:15 USA DROP IN=eth1 OUT=br0 SRC=76.121.47.47 DST=70.90.191.124 LEN=61 TOS=00 PREC=0x20 TTL=121 ID=14960 PROTO=UDP SPT=10914 DPT=37507 LEN=41 MARK=0


If LOGTAGONLY=No and a tag is supplied, the tag follows the disposition.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
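
Added example (not part of Tom's message and not Shorewall code): a small Python parser for log lines in the layout shown above, which pulls the tag and disposition out of the prefix and tallies hits per tag, protocol and destination port. It assumes LOGTAGONLY=Yes and the prefix layout visible in the messages above; the sample lines are constructed with documentation addresses, and the names parse and summarize are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the layout shown above (LOGTAGONLY=Yes, so the
# tag stands where the chain name would be). Addresses are documentation ranges.
SAMPLE = """\
Dec  2 06:39:40 USA DROP IN=eth1 OUT=br0 SRC=192.0.2.47 DST=203.0.113.124 LEN=52 TOS=00 PREC=0x20 TTL=121 ID=28849 DF PROTO=TCP SPT=53499 DPT=37507 SEQ=165394300 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0
Dec  2 06:39:42 USA DROP IN=eth1 OUT=br0 SRC=192.0.2.47 DST=203.0.113.124 LEN=61 TOS=00 PREC=0x20 TTL=121 ID=28950 PROTO=UDP SPT=10914 DPT=37507 LEN=41 MARK=0
Dec  2 06:44:14 China DROP IN=eth1 OUT=br0 SRC=198.51.100.102 DST=203.0.113.124 LEN=60 TOS=00 PREC=0x20 TTL=47 ID=58478 DF PROTO=TCP SPT=54540 DPT=23 SEQ=4222062522 ACK=0 WINDOW=5440 SYN URGP=0 MARK=0
Dec  2 06:44:20 sshd[411]: unrelated line that must be skipped
"""

# Assumed layout: timestamp, "<tag> <disposition> ", then the kernel's fields.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (\S+) (IN=.*)$")

def parse(line):
    """Return a dict for one firewall log line, or None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    stamp, tag, disposition, rest = m.groups()
    fields, flags = {}, []
    for tok in rest.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # UDP lines carry LEN twice; keep the first (the IP length).
            fields.setdefault(key, val)
        else:
            flags.append(tok)          # bare tokens such as DF or SYN
    return {"time": stamp, "tag": tag, "disposition": disposition,
            "fields": fields, "flags": flags}

def summarize(text):
    """Count hits per (tag, disposition, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            f = rec["fields"]
            counts[(rec["tag"], rec["disposition"], f.get("PROTO"), f.get("DPT"))] += 1
    return counts

if __name__ == "__main__":
    for (tag, disp, proto, dpt), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {tag:<8} {disp:<6} {proto}/{dpt}")
```

With LOGTAGONLY=No the tag follows the disposition, so the pattern would need an extra field after the disposition.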
