Fix [SME: 12257]

2024-04-12 13:50:48 +02:00
parent 65a899e526
commit d24edca890
6 changed files with 98 additions and 16 deletions
--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustDenyLog
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustDenyLog
@@ -9,7 +9,7 @@
    elsif ($logging eq "all")
    {
        $OUT .= <<"HERE";
-    /sbin/iptables --replace denylog 1 --jump ULOG --ulog-nlgroup 1 --ulog-prefix \"denylog:\"
+    /sbin/iptables --replace denylog 1 --jump NFLOG --nflog-group 1 --nflog-prefix \"denylog:\"
    /sbin/iptables --replace denylog 2 --jump $target
    /sbin/iptables --replace denylog 3 --jump $target
    /sbin/iptables --replace denylog 4 --jump $target
@@ -22,7 +22,7 @@ HERE
    /sbin/iptables --replace denylog 1 -p udp --dport 520 --jump $target
    /sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump $target
    /sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump $target
-    /sbin/iptables --replace denylog 4 --jump ULOG --ulog-nlgroup 1 --ulog-prefix \"denylog:\"
+    /sbin/iptables --replace denylog 4 --jump NFLOG --nflog-group 1 --nflog-prefix \"denylog:\"
    /sbin/iptables --replace denylog 5 --jump $target
 HERE
    }
--- a/root/etc/e-smith/templates/etc/ulogd.conf/10global
+++ b/root/etc/e-smith/templates/etc/ulogd.conf/10global
@@ -1,7 +1,9 @@
 [global]
+# Not necessarily required 
 nlgroup=1
+
 logfile=/var/log/ulogd/ulogd.log
-loglevel=5
+loglevel=1
 rmem=131071
 bufsize=150000

--- a/root/etc/e-smith/templates/etc/ulogd.conf/20plugins
+++ b/root/etc/e-smith/templates/etc/ulogd.conf/20plugins
@@ -9,11 +9,11 @@
 # 1. load the plugins _first_ from the global section
 # 2. options for each plugin in seperate section below

-#plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
-plugin="/usr/lib64/ulogd/ulogd_inppkt_ULOG.so"
-#plugin="/usr/lib64/ulogd/ulogd_inppkt_UNIXSOCK.so"
+plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
+#plugin="/usr/lib64/ulogd/ulogd_inppkt_ULOG.so"
+plugin="/usr/lib64/ulogd/ulogd_inppkt_UNIXSOCK.so"
 #plugin="/usr/lib64/ulogd/ulogd_inpflow_NFCT.so"
-#plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
+plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
 plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
 #plugin="/usr/lib64/ulogd/ulogd_filter_IP2BIN.so"
 #plugin="/usr/lib64/ulogd/ulogd_filter_IP2HBIN.so"
--- a/root/etc/e-smith/templates/etc/ulogd.conf/30stacks
+++ b/root/etc/e-smith/templates/etc/ulogd.conf/30stacks
@@ -1,4 +1,16 @@

-#our base stack ULOG to LOGEMU
-stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+# reetp which one of these do we need?
+# I think log2

+# this is a stack for logging packet send by system via LOGEMU
+#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via LOGEMU
+stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for ULOG packet-based logging via LOGEMU
+# reetp - non functioning
+#stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via LOGEMU with filtering on MARK
+#stack=log2:NFLOG,base1:BASE,mark1:MARK,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
--- a/root/etc/e-smith/templates/etc/ulogd.conf/40configs
+++ b/root/etc/e-smith/templates/etc/ulogd.conf/40configs
@@ -1,10 +1,75 @@
+# Logging of system packet through NFLOG
+[log1]
+# netlink multicast group (the same as the iptables --nflog-group param)
+# Group O is used by the kernel to log connection tracking invalid message
+group=0
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# set number of packet to queue inside kernel
+#netlink_qthreshold=1
+# set the delay before flushing packet in the queue inside kernel (in 10ms)
+#netlink_qtimeout=100
+
+# packet logging through NFLOG for group 1
+[log2]
+# netlink multicast group (the same as the iptables --nflog-group param)
+group=1 # Group has to be different from the one use in log1
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
+# group 0 is not used by any stack, you need to have at least one NFLOG
+# input plugin with bind set to 1. If you don't do that you may not
+# receive any message from the kernel.
+#bind=1
+
+# packet logging through NFLOG for group 2, numeric_label is
+# set to 1
+[log3]
+# netlink multicast group (the same as the iptables --nflog-group param)
+group=2 # Group has to be different from the one use in log1/log2
+numeric_label=1 # you can label the log info based on the packet verdict
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+#bind=1
+
 [ulog1]
-# denylog:
 # netlink multicast group (the same as the iptables --ulog-nlgroup param)
 nlgroup=1
-
+#numeric_label=0 # optional argument

 [emu1]
-file="/var/log/iptables/denylog.log"
+file="/var/log/ulogd/syslogemu.log"
 sync=1

+[json1]
+sync=1
+#file="/var/log/ulogd.json"
+#timestamp=0
+# device name to be used in JSON message
+#device="My awesome Netfilter firewall"
+# If boolean_label is set to 1 then the numeric_label put on packet
+# by the input plugin is coding the action on packet: if 0, then
+# packet has been blocked and if non null it has been accepted.
+#boolean_label=1
+# Uncomment the following line to use JSON v1 event format that
+# can provide better compatility with some JSON file reader.
+#eventv1=1
+# Uncomment the following lines to send the JSON logs to a remote host via UDP
+#mode="udp"
+#host="192.0.2.10"
+#port="10210"
+# Uncomment the following lines to send the JSON logs to a remote host via TCP
+#mode="tcp"
+#host="192.0.2.10"
+#port="10210"
+# Uncomment the following lines to send the JSON logs to a local unix socket
+#mode="unix"
+#file="/var/run/ulogd.socket"
+
+[pcap1]
+#default file is /var/log/ulogd.pcap
+#file="/var/log/ulogd.pcap"
+sync=1
+
+[mark1]
+mark = 1