Hello,
after solving my "dropped icmpv6" issues there still is the issue of the
missing log entries.
I was lucky that the proxmox logging daemon caught these and I found at
least a hint what might be wrong.
The pvefw-logger (proxmox) is logging netfilter-group 0 and thus
blocking any other logging attempts of that group (solution: disable the
daemon).
I have configured Shorewall logging so that IPv4 is logged in group 4
and IPv6 is logged in group 6:
Shorewall:
LOG="NFLOG(4)"
LOG="NFLOG(6,0,1)"
ulogd:
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu4:LOGEMU
stack=log6:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu6:LOGEMU
...
# Using log4 for IPv4
[log4]
group=4
numeric_label=4
# Using log6 for IPv6
[log6]
group=6
numeric_label=6
attach_conntrack=1
bind=1
...
[emu4]
file="/var/log/shorewall.log"
sync=1
[emu6]
file="/var/log/shorewall6.log"
sync=1
...
I could also log group 0 into a separate log, but the better way would
be to use the appropriate logs that exist already (emu4, emu6).
When analyzing the shorewall6 dump file I noticed that not all NFLOG
targets have an associated nflog-group.
The ones without a group then get logged to group 0.
This is true for IPv4 and IPv6, so they get mixed up in group 0:
grep nflog-prefix /tmp/sh6.dump
0 0 NFLOG 0 -- * * ::/0
::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix
"Sh6:INPUT:DROP:" nflog-group 6 nflog-threshold 1
0 0 NFLOG 0 -- * * ::/0
::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix
"Sh6:FORWARD:DROP:" nflog-group 6 nflog-threshold 1
0 0 NFLOG 0 -- * * ::/0
::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix
"Sh6:logflags:DROP:"
0 0 NFLOG 0 -- * * ::/0
::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix
"Sh6:sfilter:DROP:"
0 0 NFLOG 0 -- * * ::/0
::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix
"Sh6:smurfs:DROP:"
0 0 NFLOG 0 -- * * ::/0
::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix
"Sh6:dmz-net:ACCEPT:" nflog-group 6 nflog-threshold 1
0 0 NFLOG 0 -- * * ::/0
::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix
"Sh6:rplog:DROP:"
...
grep nflog-prefix /tmp/sh4.dump
1 60 NFLOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 nflog-prefix "ShW:INPUT:REJECT:" nflog-group 4
2 120 NFLOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 nflog-prefix "ShW:FORWARD:REJECT:" nflog-group 4
0 0 NFLOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 nflog-prefix "ShW:sfilter:DROP:"
...
Is there a way to specify an nflog-group somewhere in the Shorewall
configuration so that *all* logs are sent there?
Or is there another solution for this?
Kind regards,
Uwe
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
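One way to check which NFLOG rules will silently land in group 0, as an added example that is not from the post above nor from Shorewall or ulogd: it re-joins dump lines that were wrapped by the mail client, reads each rule's nflog-prefix and nflog-group, and treats a missing group as 0 (the kernel default). The sample dump and the group-to-logfile mapping are constructed from the post's own output and ulogd stacks.

```python
import re

# Constructed sample in the line-wrapped form the post shows (not the real dump files).
SAMPLE_DUMP = """\
0 0 NFLOG 0 -- * * ::/0
::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix
"Sh6:INPUT:DROP:" nflog-group 6 nflog-threshold 1
0 0 NFLOG 0 -- * * ::/0
::/0 limit: up to 1/sec burst 10 mode srcip nflog-prefix
"Sh6:logflags:DROP:"
1 60 NFLOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 nflog-prefix "ShW:INPUT:REJECT:" nflog-group 4
0 0 NFLOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 nflog-prefix "ShW:sfilter:DROP:"
"""

# A rule line in the counter listing starts with "<pkts> <bytes> NFLOG".
RULE_START = re.compile(r"^\s*\d+\s+\d+\s+NFLOG\b")
PREFIX_RE = re.compile(r'nflog-prefix\s+"([^"]*)"')
GROUP_RE = re.compile(r"nflog-group\s+(\d+)")

# Groups the ulogd stacks in the post listen on (assumed from its [log4]/[log6] sections).
ULOGD_GROUPS = {4: "/var/log/shorewall.log", 6: "/var/log/shorewall6.log"}


def join_wrapped_rules(dump_text):
    """Re-join NFLOG rules that a mail client or terminal wrapped over several lines."""
    rules = []
    for line in dump_text.splitlines():
        if RULE_START.match(line):
            rules.append(line.strip())
        elif rules:
            rules[-1] += " " + line.strip()
    return rules


def nflog_destinations(dump_text):
    """List (prefix, group) per NFLOG rule; a rule without nflog-group uses group 0."""
    result = []
    for rule in join_wrapped_rules(dump_text):
        prefix = PREFIX_RE.search(rule)
        group = GROUP_RE.search(rule)
        result.append((prefix.group(1) if prefix else "<no prefix>",
                       int(group.group(1)) if group else 0))
    return result


def unlogged_prefixes(dump_text):
    """Prefixes whose packets go to a group that no configured ulogd stack reads."""
    return sorted({p for p, g in nflog_destinations(dump_text) if g not in ULOGD_GROUPS})


if __name__ == "__main__":
    for prefix, group in nflog_destinations(SAMPLE_DUMP):
        dest = ULOGD_GROUPS.get(group, "group %d: not read by any ulogd stack" % group)
        print("%-22s -> %s" % (prefix, dest))
```

Run it against the real output of `ip6tables -L -v -n` / `iptables -L -v -n` instead of the sample to see which prefixes never reach shorewall.log or shorewall6.log.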