From de719d3de4873d91893681da4d12d34da10eb256 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Pialasse
Date: Thu, 18 Apr 2024 12:01:25 -0400
Subject: [PATCH] * Thu Apr 18 2024 Jean-Philippe Pialasse 11.0.0-9.sme - improve ULOG to NFLOG migration [SME: 12557]
---
 .../etc/rc.d/init.d/masq/90adjustDenyLog | 4 +-
 .../e-smith/templates/etc/ulogd.conf/10global | 5 +-
 .../e-smith/templates/etc/ulogd.conf/30stacks | 14 ++--
 .../templates/etc/ulogd.conf/40configs | 69 ++-----------------
 smeserver-packetfilter.spec | 5 +-
 5 files changed, 21 insertions(+), 76 deletions(-)
diff --git a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustDenyLog b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustDenyLog
index 2259fac..4e08422 100644
--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustDenyLog
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustDenyLog
@@ -9,7 +9,7 @@ elsif ($logging eq "all") {
 $OUT .= <<"HERE";
- /sbin/iptables --replace denylog 1 --jump NFLOG --nflog-group 1 --nflog-prefix \"denylog:\"
+ /sbin/iptables --replace denylog 1 --jump NFLOG --nflog-group 0 --nflog-prefix \"denylog:\"
 /sbin/iptables --replace denylog 2 --jump $target
 /sbin/iptables --replace denylog 3 --jump $target
 /sbin/iptables --replace denylog 4 --jump $target
@@ -22,7 +22,7 @@ HERE
 /sbin/iptables --replace denylog 1 -p udp --dport 520 --jump $target
 /sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump $target
 /sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump $target
- /sbin/iptables --replace denylog 4 --jump NFLOG --nflog-group 1 --nflog-prefix \"denylog:\"
+ /sbin/iptables --replace denylog 4 --jump NFLOG --nflog-group 0 --nflog-prefix \"denylog:\"
 /sbin/iptables --replace denylog 5 --jump $target
 HERE
 }
diff --git a/root/etc/e-smith/templates/etc/ulogd.conf/10global b/root/etc/e-smith/templates/etc/ulogd.conf/10global
index 1e380ec..3c17ea6 100644
--- a/root/etc/e-smith/templates/etc/ulogd.conf/10global
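Review bot: Both rewritten NFLOG rules now send the denylog traffic to --nflog-group 0, which the [log1] comment in 40configs describes as the group the kernel itself uses for connection-tracking invalid messages; if that kernel logging is enabled (net.netfilter.nf_conntrack_log_invalid), its records would arrive through the same ulogd stack and be written to the denylog file without the `denylog:` prefix. The move looks intentional, since the group-1 input plugin is removed in the same commit, but the coupling between this template and the ulogd group is not recorded on either side, so a later edit of one can silently stop logging. A comment next to the first heredoc such as `# NFLOG group 0 must match group= of [log1] in /etc/ulogd.conf (40configs)` would document it. The same change appears in the hunk at line 22, and the enclosing elsif branches start outside both hunks.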
+++ b/root/etc/e-smith/templates/etc/ulogd.conf/10global
@@ -1,7 +1,8 @@
 [global]
-# Not necessarily required
-nlgroup=1
+######################################################################
+# GLOBAL OPTIONS
+######################################################################
 logfile=/var/log/ulogd/ulogd.log
 loglevel=1
 rmem=131071
diff --git a/root/etc/e-smith/templates/etc/ulogd.conf/30stacks b/root/etc/e-smith/templates/etc/ulogd.conf/30stacks
index 6e7d952..eedf341 100644
--- a/root/etc/e-smith/templates/etc/ulogd.conf/30stacks
+++ b/root/etc/e-smith/templates/etc/ulogd.conf/30stacks
@@ -1,16 +1,12 @@
-# reetp which one of these do we need?
-# I think log2
-
-# this is a stack for logging packet send by system via LOGEMU
-#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+######################################################################
+# STACKS
+######################################################################
 # this is a stack for packet-based logging via LOGEMU
-stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+# I think log2
 # this is a stack for ULOG packet-based logging via LOGEMU
 # reetp - non functioning
 #stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
-
-# this is a stack for packet-based logging via LOGEMU with filtering on MARK
-#stack=log2:NFLOG,base1:BASE,mark1:MARK,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
diff --git a/root/etc/e-smith/templates/etc/ulogd.conf/40configs b/root/etc/e-smith/templates/etc/ulogd.conf/40configs
index c249155..bb0dfda 100644
--- a/root/etc/e-smith/templates/etc/ulogd.conf/40configs
+++ b/root/etc/e-smith/templates/etc/ulogd.conf/40configs
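Review bot: The added `+# I think log2` line in 30stacks sits directly after a stack that now binds log1, and the [log2] section is deleted from 40configs in the same commit, so the note is stale the moment it lands and invites someone to "fix" the stack back to a plugin that no longer exists. Dropping it, or replacing it with a comment that states the real contract such as `# log1 reads NFLOG group 0, the group targeted by the denylog rules in masq/90adjustDenyLog`, would make the dependency explicit. The surviving `# reetp - non functioning` note on the commented ULOG stack reads the same way; if ULOG is gone for good, that dead stack line could be removed rather than carried along.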
@@ -1,7 +1,11 @@
-# Logging of system packet through NFLOG
+
+######################################################################
+# OPTIONS FOR EACH PLUGINS IN SEPARATE SECTIONS
+######################################################################
+
 [log1]
 # netlink multicast group (the same as the iptables --nflog-group param)
-# Group O is used by the kernel to log connection tracking invalid message
+# Group 0 is used by the kernel to log connection tracking invalid message
 group=0
 #netlink_socket_buffer_size=217088
 #netlink_socket_buffer_maxsize=1085440
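Review bot: After this commit [log1] is the only NFLOG input plugin left, yet its comment still only explains the kernel's own use of group 0 and says nothing about this being the group the denylog chain targets; a reader of 40configs alone cannot tell that changing `group=0` requires a matching change in masq/90adjustDenyLog. Extending the comment, e.g. `# group=0 must match --nflog-group in masq/90adjustDenyLog; the kernel also logs invalid conntrack packets to this group when that is enabled`, would close the gap. The "Group O" to "Group 0" typo fix is correct as written.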
@@ -10,66 +14,7 @@ group=0
 # set the delay before flushing packet in the queue inside kernel (in 10ms)
 #netlink_qtimeout=100
-# packet logging through NFLOG for group 1
-[log2]
-# netlink multicast group (the same as the iptables --nflog-group param)
-group=1 # Group has to be different from the one use in log1
-#netlink_socket_buffer_size=217088
-#netlink_socket_buffer_maxsize=1085440
-# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
-# group 0 is not used by any stack, you need to have at least one NFLOG
-# input plugin with bind set to 1. If you don't do that you may not
-# receive any message from the kernel.
-#bind=1
-
-# packet logging through NFLOG for group 2, numeric_label is
-# set to 1
-[log3]
-# netlink multicast group (the same as the iptables --nflog-group param)
-group=2 # Group has to be different from the one use in log1/log2
-numeric_label=1 # you can label the log info based on the packet verdict
-#netlink_socket_buffer_size=217088
-#netlink_socket_buffer_maxsize=1085440
-#bind=1
-
-[ulog1]
-# netlink multicast group (the same as the iptables --ulog-nlgroup param)
-nlgroup=1
-#numeric_label=0 # optional argument
-
 [emu1]
-file="/var/log/ulogd/syslogemu.log"
+file="/var/log/iptables/denylog.log"
 sync=1
-[json1]
-sync=1
-#file="/var/log/ulogd.json"
-#timestamp=0
-# device name to be used in JSON message
-#device="My awesome Netfilter firewall"
-# If boolean_label is set to 1 then the numeric_label put on packet
-# by the input plugin is coding the action on packet: if 0, then
-# packet has been blocked and if non null it has been accepted.
-#boolean_label=1
-# Uncomment the following line to use JSON v1 event format that
-# can provide better compatility with some JSON file reader.
-#eventv1=1
-# Uncomment the following lines to send the JSON logs to a remote host via UDP
-#mode="udp"
-#host="192.0.2.10"
-#port="10210"
-# Uncomment the following lines to send the JSON logs to a remote host via TCP
-#mode="tcp"
-#host="192.0.2.10"
-#port="10210"
-# Uncomment the following lines to send the JSON logs to a local unix socket
-#mode="unix"
-#file="/var/run/ulogd.socket"
-
-[pcap1]
-#default file is /var/log/ulogd.pcap
-#file="/var/log/ulogd.pcap"
-sync=1
-
-[mark1]
-mark = 1
diff --git a/smeserver-packetfilter.spec b/smeserver-packetfilter.spec
index cf8541e..dfd19f4 100644
--- a/smeserver-packetfilter.spec
+++ b/smeserver-packetfilter.spec
@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - packetfilter add-on
 %define name smeserver-packetfilter
 Name: %{name}
 %define version 11.0.0
-%define release 8
+%define release 9
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -27,6 +27,9 @@ Provides: e-smith-packetfilter
 smeserver server and gateway software - packetfilter add-on
 %changelog
+* Thu Apr 18 2024 Jean-Philippe Pialasse 11.0.0-9.sme
+- improve ULOG to NFLOG migration [SME: 12557]
+
 * Wed Apr 17 2024 Jean-Philippe Pialasse 11.0.0-8.sme
 - move ulogd.service and tmpfile.d to service package [SME: 12538]
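Review bot: The emu1 output now writes to /var/log/iptables/denylog.log, but nothing in this commit creates /var/log/iptables or sets its ownership and mode, whereas the previous path was under /var/log/ulogd next to the daemon's own logfile configured in 10global; if the directory is provisioned elsewhere (the 11.0.0-8 changelog says tmpfiles.d handling moved to the service package), a comment above `file=` pointing at that unit would help, otherwise ulogd would likely fail to open the file at start. It is also worth checking that logrotate and anything that read the old syslogemu.log path are updated, since the rename silently stops writes there. The removed [log2] advice on `bind=1` for pre-2.6.29 kernels is moot now that a group 0 plugin is always in the stack, so dropping it is consistent with the rest of the change.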