
Add new rich rule target nflog, that allows to capture packages with ulogd #587

Closed
frispete opened this issue Mar 12, 2020 · 2 comments · Fixed by #720
Labels
feature New feature or enhancement.

Comments

@frispete

After a brief discussion with Eric Garver on the mailing list, he recommended creating this issue.

In order to be able to examine e.g. discarded packages, we need some way to redirect these packages to another target that allows further processing, e.g. with ulogd.

What's needed is a new target for rich rules that allows using a low-precedence catch-all rich rule, which is executed right before the accept/drop for the zone, e.g.

firewall-cmd --add-rich-rule='rule priority=32767 ... nflog prefix=.. group=..'
erig0 added the feature label Mar 12, 2020
TorontoMedia added a commit to TorontoMedia/firewalld that referenced this issue Nov 25, 2020
Implement nflog target for rich rules. Also add log rule errors and checks
for attributes group, prefix, and queue-size.

Closes: firewalld#259 - ulog is deprecated
Fixes: firewalld#587
TorontoMedia added a commit to TorontoMedia/firewalld that referenced this issue Dec 8, 2020
Implement nflog target for rich rules, checkUINT16 function, and
log attribute errors/checks for group, prefix, and queue-size.

Closes: firewalld#259 - ulog is deprecated
Fixes: firewalld#587
TorontoMedia added a commit to TorontoMedia/firewalld that referenced this issue May 4, 2021
Implement nflog target for rich rules, checkUINT16 function and
log attribute errors/checks for group, prefix, and queue-size.

Closes: firewalld#259 - ulog is deprecated
Fixes: firewalld#587
erig0 pushed a commit to TorontoMedia/firewalld that referenced this issue Dec 8, 2021
Implement nflog target for rich rules, checkUINT16 function and
log attribute errors/checks for group, prefix, and queue-size.

Fixes: firewalld#587
@erig0 erig0 closed this as completed in #720 Dec 8, 2021
erig0 pushed a commit that referenced this issue Dec 8, 2021
Implement nflog target for rich rules, checkUINT16 function and
log attribute errors/checks for group, prefix, and queue-size.

Fixes: #587
@gsgxnet

gsgxnet commented Apr 13, 2022

Great that you implemented this feature. Many thanks.

firewall-cmd --set-log-denied=<scope> with NFLOG as target is what I would like to get going.
As far as I know that would cover all zones. The rich rules available now would have to be defined for every (active) zone one by one, true?

For a zone I got a plain nflog going with:

firewall-cmd --zone=<myzone> --add-rich-rule='rule priority=32767 nflog'
success

Then inspect how this rule is set up in

nft list chain inet firewalld filter_IN_<myzone>_post
table inet firewalld {
        chain filter_IN_<myzone>_post {
                log group 0
        }
}

I had already figured that log group 0 seems to be the same as nflog. In the past I could not figure out how to set up a rich rule with log to a specific group; would that have been possible?

@erig0 (Collaborator)

erig0 commented Apr 14, 2022

@gsgxnet, check the man page firewalld.richlanguage. You can specify the group.

nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"] [limit value="rate/duration"]
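As an added example (not firewalld's own code, and not posted by anyone in this thread): a small Python parser for the nflog rich rule subset quoted in the man page line above, applying the 16-bit range checks for group and queue-size that the linked commits mention, and rendering the nft log statement that gsgxnet's "nft list chain" output shows for the plain rule. Function names are hypothetical; the mapping of queue-size to nft's queue-threshold, the -32768..32767 priority range, and the attribute order in the rendered statement are my assumptions, not something this issue states.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical helper written for this thread; firewalld's own parser differs.
# Handles only: rule priority=N nflog [group=G] [prefix="P"] [queue-size=Q]

UINT16_MAX = 65535          # range used by the "checkUINT16" check in the commits
PRIORITY_MIN, PRIORITY_MAX = -32768, 32767   # assumed rich rule priority range


@dataclass
class NflogRule:
    priority: int
    group: int = 0                # "nflog" alone renders as "log group 0"
    prefix: Optional[str] = None
    queue_size: Optional[int] = None


def check_uint16(name: str, value: str) -> int:
    """Reject group / queue-size values outside 0..65535 (or non-integers)."""
    try:
        n = int(value)
    except ValueError:
        raise ValueError(f"{name}: not an integer: {value!r}")
    if not 0 <= n <= UINT16_MAX:
        raise ValueError(f"{name}: {n} outside 0..{UINT16_MAX}")
    return n


def parse_rich_nflog(rule: str) -> NflogRule:
    """Parse the nflog subset of the rich rule language; anything else raises."""
    tokens = shlex.split(rule)          # shlex keeps prefix="some text" intact
    if not tokens or tokens[0] != "rule":
        raise ValueError("rich rule must start with 'rule'")
    if "nflog" not in tokens:
        raise ValueError("no nflog element in rule")
    idx = tokens.index("nflog")
    opts = {}
    for tok in tokens[1:idx] + tokens[idx + 1:]:
        if "=" not in tok:
            raise ValueError(f"unexpected token {tok!r} (unsupported element)")
        key, val = tok.split("=", 1)
        opts[key] = val
    priority = int(opts.pop("priority", "0"))
    if not PRIORITY_MIN <= priority <= PRIORITY_MAX:
        raise ValueError(f"priority {priority} outside {PRIORITY_MIN}..{PRIORITY_MAX}")
    group = check_uint16("group", opts.pop("group", "0"))
    prefix = opts.pop("prefix", None)
    qs = opts.pop("queue-size", None)
    queue_size = check_uint16("queue-size", qs) if qs is not None else None
    if opts:
        raise ValueError(f"unsupported attributes: {sorted(opts)}")
    return NflogRule(priority, group, prefix, queue_size)


def to_nft_log(rule: NflogRule) -> str:
    """Render the nft 'log' statement as 'nft list chain' would print it
    (attribute order and queue-threshold mapping are assumptions)."""
    parts = ["log"]
    if rule.prefix is not None:
        parts.append(f'prefix "{rule.prefix}"')
    parts.append(f"group {rule.group}")
    if rule.queue_size is not None:
        parts.append(f"queue-threshold {rule.queue_size}")
    return " ".join(parts)


def firewall_cmd_lines(zones: List[str], rule: str) -> List[str]:
    """One --add-rich-rule invocation per zone, since rich rules are per zone."""
    parse_rich_nflog(rule)              # validate before emitting anything
    return [f"firewall-cmd --zone={z} --add-rich-rule={shlex.quote(rule)}"
            for z in zones]


if __name__ == "__main__":
    # Constructed sample rules, not taken from a real host.
    for r in ("rule priority=32767 nflog",
              'rule priority=32767 nflog group=5 prefix="dropped in" queue-size=20'):
        print(r, "->", to_nft_log(parse_rich_nflog(r)))
    for bad in ("rule priority=32767 nflog group=70000",
                "rule priority=40000 nflog"):
        try:
            parse_rich_nflog(bad)
        except ValueError as e:
            print("rejected:", e)
```

The first sample reproduces the "log group 0" line from the chain listing above; the second shows what the explicit group, prefix and queue-size from the man page syntax become.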
