Hello,

After solving my "dropped icmpv6" issues, there is still the issue of the missing log entries. I was lucky that the Proxmox logging daemon caught these, and I found at least a hint as to what might be wrong. The pvefw-logger (Proxmox) is logging netfilter group 0 and thus blocking any other logging attempts of that group (solution: disable the daemon). I have configured Shorewall logging so that IPv4 is logged in group 4 and IPv6 is logged in group 6:
Shorewall:
LOG="NFLOG(4)"
LOG="NFLOG(6,0,1)"

ulogd:

stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu4:LOGEMU
stack=log6:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu6:LOGEMU
...
# Using log4 for IPv4
[log4]
group=4
numeric_label=4

# Using log6 for IPv6
[log6]
group=6
numeric_label=6
attach_conntrack=1
bind=1
...
[emu4]
file="/var/log/shorewall.log"
sync=1

[emu6]
file="/var/log/shorewall6.log"
sync=1
...
I could also log group 0 into a separate log, but the better way would be to use the appropriate logs that exist already (emu4, emu6)

When analyzing the shorewall6 dump file I noticed that not all NFLOG targets have an associated nflog-group.
The ones without a group then get logged to group 0.
This is true for IPv4 and IPv6, so they get mixed up in group 0:
grep nflog-prefix /tmp/sh6.dump
0 0 NFLOG 0 -- * * ::/0 ::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix "Sh6:INPUT:DROP:" nflog-group 6 nflog-threshold 1
0 0 NFLOG 0 -- * * ::/0 ::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix "Sh6:FORWARD:DROP:" nflog-group 6 nflog-threshold 1
0 0 NFLOG 0 -- * * ::/0 ::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix "Sh6:logflags:DROP:"
0 0 NFLOG 0 -- * * ::/0 ::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix "Sh6:sfilter:DROP:"
0 0 NFLOG 0 -- * * ::/0 ::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix "Sh6:smurfs:DROP:"
0 0 NFLOG 0 -- * * ::/0 ::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix "Sh6:dmz-net:ACCEPT:" nflog-group 6 nflog-threshold 1
0 0 NFLOG 0 -- * * ::/0 ::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix "Sh6:rplog:DROP:"
...
grep nflog-prefix /tmp/sh4.dump
1 60 NFLOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 nflog-prefix "ShW:INPUT:REJECT:" nflog-group 4
2 120 NFLOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 nflog-prefix "ShW:FORWARD:REJECT:" nflog-group 4
0 0 NFLOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 nflog-prefix "ShW:sfilter:DROP:"
...

Is there a way to specify an nflog-group somewhere in the Shorewall configuration so that *all* logs are sent there?
Or is there another solution for this?

Kind regards,

Uwe



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
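
Added example (not part of the original message and not Shorewall's own code): a shell check that reads a rule dump like the ones grepped above and lists every NFLOG rule whose effective group differs from the expected one, treating a rule with no nflog-group token as group 0, the NFLOG target's default. The function names are hypothetical, the embedded sample is four rule lines copied from the message, and log prefixes are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: audit NFLOG rules in a Shorewall dump for their effective group.
# Real use (path taken from the message): nflog_mismatched 6 < /tmp/sh6.dump

# Constructed sample: four rule lines copied from the shorewall6 dump quoted above.
sample_dump() {
    cat <<'EOF'
0 0 NFLOG 0 -- * * ::/0 ::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix "Sh6:INPUT:DROP:" nflog-group 6 nflog-threshold 1
0 0 NFLOG 0 -- * * ::/0 ::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix "Sh6:logflags:DROP:"
0 0 NFLOG 0 -- * * ::/0 ::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix "Sh6:sfilter:DROP:"
0 0 NFLOG 0 -- * * ::/0 ::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix "Sh6:dmz-net:ACCEPT:" nflog-group 6 nflog-threshold 1
EOF
}

# Read rule lines on stdin and print "<group> <prefix>" for each NFLOG rule.
# Column 3 is the target in "pkts bytes target ..." listings.
# A rule without an "nflog-group N" token is reported as group 0.
nflog_groups() {
    awk '
    $3 == "NFLOG" {
        group = 0; prefix = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "nflog-group")  group  = $(i + 1)
            if ($i == "nflog-prefix") prefix = $(i + 1)
        }
        gsub(/"/, "", prefix)      # strip the quotes around the prefix
        print group, prefix
    }'
}

# Print every rule whose effective group is not the expected one ($1).
# For the IPv6 ruleset call it with 6, for the IPv4 ruleset with 4.
nflog_mismatched() {
    nflog_groups | awk -v want="$1" '$1 != want { print $2 " (group " $1 ")" }'
}

# Demo on the constructed sample: lists the rules that end up in group 0.
sample_dump | nflog_mismatched 6
```

Any prefix this prints for the IPv6 dump is delivered to a group that the [log6] stack above does not listen on; the same check with 4 applies to the IPv4 dump and [log4].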
