test: ulog

54642b82 · Kaarle Ritvanen · c5056f21 · 54642b82 · 54642b82 · 54642b82
Commit 54642b82 authored Nov 01, 2017 by Kaarle Ritvanen
20 changed files
--- a/test/mandatory/log.json
+++ b/test/mandatory/log.json
 {
-    "log": { "none": { "mode": "none" } },
+    "log": {
+	"none": { "mode": "none" },
+	"ulog": { "mode": "ulog", "limit": { "interval": 5 } }
+    },
    "filter": [
 	{},
 	{ "action": "drop" },
@@ -12,6 +15,11 @@
 	{ "log": true, "action": "pass" },
 	{ "log": "none" },
 	{ "log": "none", "action": "drop" },
-	{ "log": "none", "action": "pass" }
+	{ "log": "none", "action": "pass" },
+
+	{ "log": "ulog" },
+	{ "log": "ulog", "action": "drop" },
+	{ "log": "ulog", "action": "pass" },
+	{ "in": "_fw", "log": "ulog", "action": "pass" }
    ]
 }
--- a/test/optional/address.lua
+++ b/test/optional/address.lua
@@ -21,7 +21,7 @@ for _, izone in ipairs{false, 'A', 'B', {'B', 'C'}} do
 	 for _, dest in ipairs{
 	    false, daddr, {daddr, '172.16.2.0/16'}, {daddr, 'fc00::2'}
 	 } do
-	    for _, log in ipairs{false, true} do
+	    for _, log in ipairs{false, true, 'ulog'} do
 	       for _, action in ipairs{false, 'pass'} do
 		  table.insert(
 		     res,

--- a/test/optional/filter-limit.lua
+++ b/test/optional/filter-limit.lua
@@ -8,6 +8,8 @@ See LICENSE file for license details
 util = require('awall.util')
 json = require('cjson')

+LOGOPTIONS = {false, true, 'none', 'ulog'}
+
 res = {}

 function add(limit_type, filter)
@@ -15,7 +17,7 @@ function add(limit_type, filter)
   for _, high_rate in ipairs{false, true} do

      local function add_limit(limit)
-         for _, log in ipairs{false, true, 'none'} do
+         for _, log in ipairs(LOGOPTIONS) do
            for _, action in ipairs{false, 'pass'} do
               if not (high_rate and log and action) then
 	          table.insert(
@@ -38,7 +40,7 @@ function add(limit_type, filter)
      add_limit(count or 1)

      for _, interval in ipairs{false, 5} do
-         for _, log in ipairs{true, false, 'none'} do
+         for _, log in ipairs(LOGOPTIONS) do
 	    local limit = {count=count, interval=interval or nil}
 	    if log ~= true then limit.log = log end


--- a/test/output/address/dump
+++ b/test/output/address/dump
--- a/test/output/address/rules-save
+++ b/test/output/address/rules-save
--- a/test/output/address/rules6-save
+++ b/test/output/address/rules6-save
--- a/test/output/filter-limit/dump
+++ b/test/output/filter-limit/dump
--- a/test/output/filter-limit/rules-save
+++ b/test/output/filter-limit/rules-save
--- a/test/output/filter-limit/rules6-save
+++ b/test/output/filter-limit/rules6-save
--- a/test/output/filter/dump
+++ b/test/output/filter/dump
@@ -200,7 +200,42 @@ Filter 18                   {"action":"pass","log":"none"}
  inet6/filter/INPUT        
  inet6/filter/OUTPUT       

-Filter 19                   {"in":["_fw","A"]}
+Filter 19                   {"log":"ulog"}
+(log)                       
+  inet/filter/FORWARD       -j logaccept-1
+  inet/filter/INPUT         -j logaccept-1
+  inet/filter/OUTPUT        -j logaccept-1
+  inet/filter/logaccept-1   -m limit --limit 12/minute -j ULOG
+  inet/filter/logaccept-1   -j ACCEPT
+  inet6/filter/FORWARD      -j logaccept-1
+  inet6/filter/INPUT        -j logaccept-1
+  inet6/filter/OUTPUT       -j logaccept-1
+  inet6/filter/logaccept-1  -j ACCEPT
+
+Filter 20                   {"action":"drop","log":"ulog"}
+(log)                       
+  inet/filter/FORWARD       -j logdrop-3
+  inet/filter/INPUT         -j logdrop-3
+  inet/filter/OUTPUT        -j logdrop-3
+  inet/filter/logdrop-3     -m limit --limit 12/minute -j ULOG
+  inet/filter/logdrop-3     -j DROP
+  inet6/filter/FORWARD      -j logdrop-3
+  inet6/filter/INPUT        -j logdrop-3
+  inet6/filter/OUTPUT       -j logdrop-3
+  inet6/filter/logdrop-3    -j DROP
+
+Filter 21                   {"action":"pass","log":"ulog"}
+(log)                       
+  inet/filter/FORWARD       -j logpass-1
+  inet/filter/INPUT         -j logpass-1
+  inet/filter/OUTPUT        -j logpass-1
+  inet/filter/logpass-1     -m limit --limit 12/minute -j ULOG
+
+Filter 22                   {"action":"pass","in":"_fw","log":"ulog"}
+(log)                       
+  inet/filter/OUTPUT        -m limit --limit 12/minute -j ULOG
+
+Filter 23                   {"in":["_fw","A"]}
 (zone)                      
  inet/filter/FORWARD       -i eth0 -j ACCEPT
  inet/filter/INPUT         -i eth0 -j ACCEPT
@@ -209,12 +244,12 @@ Filter 19                   {"in":["_fw","A"]}
  inet6/filter/INPUT        -i eth0 -j ACCEPT
  inet6/filter/OUTPUT       -j ACCEPT

-Filter 20                   {"in":"B","out":"C"}
+Filter 24                   {"in":"B","out":"C"}
 (zone)                      
  inet/filter/FORWARD       -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
  inet/filter/FORWARD       -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT

-Filter 21                   {"out":["_fw","B"]}
+Filter 25                   {"out":["_fw","B"]}
 (zone)                      
  inet/filter/FORWARD       -o eth1 -d 10.0.0.0/12 -j ACCEPT
  inet/filter/INPUT         -j ACCEPT
@@ -223,7 +258,7 @@ Filter 21                   {"out":["_fw","B"]}
  inet6/filter/INPUT        -j ACCEPT
  inet6/filter/OUTPUT       -o eth1 -d fc00::/7 -j ACCEPT

-Filter 22                   {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+Filter 26                   {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
 (zone)                      
  inet/filter/FORWARD       -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
  inet/filter/FORWARD       -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
@@ -315,6 +350,9 @@ Log _default  {"limit":1}
 Log none      {"mode":"none"}
 (log)         

+Log ulog      {"limit":{"interval":5},"mode":"ulog"}
+(log)         
+

 Mark 1                      {"in":["_fw","A"],"mark":1}
 (zone)                      
@@ -569,10 +607,13 @@ hash:net family inet
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
 :logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
 :logdrop-0 - [0:0]
 :logdrop-1 - [0:0]
 :logdrop-2 - [0:0]
+:logdrop-3 - [0:0]
 :logpass-0 - [0:0]
+:logpass-1 - [0:0]
 :logreject-0 - [0:0]
 :logtarpit-0 - [0:0]
 :tarpit - [0:0]
@@ -595,6 +636,9 @@ hash:net family inet
 -A FORWARD -j ACCEPT
 -A FORWARD -j DROP
 -A FORWARD 
+-A FORWARD -j logaccept-1
+-A FORWARD -j logdrop-3
+-A FORWARD -j logpass-1
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -665,6 +709,9 @@ hash:net family inet
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT 
+-A INPUT -j logaccept-1
+-A INPUT -j logdrop-3
+-A INPUT -j logpass-1
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmp -j icmp-routing
@@ -688,6 +735,10 @@ hash:net family inet
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT 
+-A OUTPUT -j logaccept-1
+-A OUTPUT -j logdrop-3
+-A OUTPUT -j logpass-1
+-A OUTPUT -m limit --limit 12/minute -j ULOG
 -A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
 -A OUTPUT -p icmp -j icmp-routing
@@ -696,13 +747,18 @@ hash:net family inet
 -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
 -A logaccept-0 -m limit --limit 1/second -j LOG
 -A logaccept-0 -j ACCEPT
+-A logaccept-1 -m limit --limit 12/minute -j ULOG
+-A logaccept-1 -j ACCEPT
 -A logdrop-0 -m limit --limit 1/second -j LOG
 -A logdrop-0 -j DROP
 -A logdrop-1 -m limit --limit 1/second -j LOG
 -A logdrop-1 -j DROP
 -A logdrop-2 -m limit --limit 1/second -j LOG
 -A logdrop-2 -j DROP
+-A logdrop-3 -m limit --limit 12/minute -j ULOG
+-A logdrop-3 -j DROP
 -A logpass-0 -m limit --limit 1/second -j LOG
+-A logpass-1 -m limit --limit 12/minute -j ULOG
 -A logreject-0 -m limit --limit 1/second -j LOG
 -A logreject-0 -j REJECT
 -A logtarpit-0 -m limit --limit 1/second -j LOG
@@ -755,9 +811,11 @@ COMMIT
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
 :logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
 :logdrop-0 - [0:0]
 :logdrop-1 - [0:0]
 :logdrop-2 - [0:0]
+:logdrop-3 - [0:0]
 :logpass-0 - [0:0]
 :logreject-0 - [0:0]
 :logtarpit-0 - [0:0]
@@ -781,6 +839,8 @@ COMMIT
 -A FORWARD -j ACCEPT
 -A FORWARD -j DROP
 -A FORWARD 
+-A FORWARD -j logaccept-1
+-A FORWARD -j logdrop-3
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -827,6 +887,8 @@ COMMIT
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT 
+-A INPUT -j logaccept-1
+-A INPUT -j logdrop-3
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmpv6 -j ACCEPT
@@ -850,6 +912,8 @@ COMMIT
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT 
+-A OUTPUT -j logaccept-1
+-A OUTPUT -j logdrop-3
 -A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
 -A OUTPUT -p icmpv6 -j ACCEPT
@@ -859,12 +923,14 @@ COMMIT
 -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
 -A logaccept-0 -m limit --limit 1/second -j LOG
 -A logaccept-0 -j ACCEPT
+-A logaccept-1 -j ACCEPT
 -A logdrop-0 -m limit --limit 1/second -j LOG
 -A logdrop-0 -j DROP
 -A logdrop-1 -m limit --limit 1/second -j LOG
 -A logdrop-1 -j DROP
 -A logdrop-2 -m limit --limit 1/second -j LOG
 -A logdrop-2 -j DROP
+-A logdrop-3 -j DROP
 -A logpass-0 -m limit --limit 1/second -j LOG
 -A logreject-0 -m limit --limit 1/second -j LOG
 -A logreject-0 -j REJECT

--- a/test/output/filter/rules-save
+++ b/test/output/filter/rules-save
@@ -5,10 +5,13 @@
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
 :logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
 :logdrop-0 - [0:0]
 :logdrop-1 - [0:0]
 :logdrop-2 - [0:0]
+:logdrop-3 - [0:0]
 :logpass-0 - [0:0]
+:logpass-1 - [0:0]
 :logreject-0 - [0:0]
 :logtarpit-0 - [0:0]
 :tarpit - [0:0]
@@ -31,6 +34,9 @@
 -A FORWARD -j ACCEPT
 -A FORWARD -j DROP
 -A FORWARD 
+-A FORWARD -j logaccept-1
+-A FORWARD -j logdrop-3
+-A FORWARD -j logpass-1
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -101,6 +107,9 @@
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT 
+-A INPUT -j logaccept-1
+-A INPUT -j logdrop-3
+-A INPUT -j logpass-1
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmp -j icmp-routing
@@ -124,6 +133,10 @@
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT 
+-A OUTPUT -j logaccept-1
+-A OUTPUT -j logdrop-3
+-A OUTPUT -j logpass-1
+-A OUTPUT -m limit --limit 12/minute -j ULOG
 -A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
 -A OUTPUT -p icmp -j icmp-routing
@@ -132,13 +145,18 @@
 -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
 -A logaccept-0 -m limit --limit 1/second -j LOG
 -A logaccept-0 -j ACCEPT
+-A logaccept-1 -m limit --limit 12/minute -j ULOG
+-A logaccept-1 -j ACCEPT
 -A logdrop-0 -m limit --limit 1/second -j LOG
 -A logdrop-0 -j DROP
 -A logdrop-1 -m limit --limit 1/second -j LOG
 -A logdrop-1 -j DROP
 -A logdrop-2 -m limit --limit 1/second -j LOG
 -A logdrop-2 -j DROP
+-A logdrop-3 -m limit --limit 12/minute -j ULOG
+-A logdrop-3 -j DROP
 -A logpass-0 -m limit --limit 1/second -j LOG
+-A logpass-1 -m limit --limit 12/minute -j ULOG
 -A logreject-0 -m limit --limit 1/second -j LOG
 -A logreject-0 -j REJECT
 -A logtarpit-0 -m limit --limit 1/second -j LOG

--- a/test/output/filter/rules6-save
+++ b/test/output/filter/rules6-save
@@ -5,9 +5,11 @@
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
 :logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
 :logdrop-0 - [0:0]
 :logdrop-1 - [0:0]
 :logdrop-2 - [0:0]
+:logdrop-3 - [0:0]
 :logpass-0 - [0:0]
 :logreject-0 - [0:0]
 :logtarpit-0 - [0:0]
@@ -31,6 +33,8 @@
 -A FORWARD -j ACCEPT
 -A FORWARD -j DROP
 -A FORWARD 
+-A FORWARD -j logaccept-1
+-A FORWARD -j logdrop-3
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -77,6 +81,8 @@
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT 
+-A INPUT -j logaccept-1
+-A INPUT -j logdrop-3
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmpv6 -j ACCEPT
@@ -100,6 +106,8 @@
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT 
+-A OUTPUT -j logaccept-1
+-A OUTPUT -j logdrop-3
 -A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
 -A OUTPUT -p icmpv6 -j ACCEPT
@@ -109,12 +117,14 @@
 -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
 -A logaccept-0 -m limit --limit 1/second -j LOG
 -A logaccept-0 -j ACCEPT
+-A logaccept-1 -j ACCEPT
 -A logdrop-0 -m limit --limit 1/second -j LOG
 -A logdrop-0 -j DROP
 -A logdrop-1 -m limit --limit 1/second -j LOG
 -A logdrop-1 -j DROP
 -A logdrop-2 -m limit --limit 1/second -j LOG
 -A logdrop-2 -j DROP
+-A logdrop-3 -j DROP
 -A logpass-0 -m limit --limit 1/second -j LOG
 -A logreject-0 -m limit --limit 1/second -j LOG
 -A logreject-0 -j REJECT

--- a/test/output/no-track/dump
+++ b/test/output/no-track/dump
@@ -130,7 +130,42 @@ Filter 12                   {"action":"pass","log":"none"}
  inet6/filter/INPUT        
  inet6/filter/OUTPUT       

-Filter 13                   {"in":"_fw","no-track":true,"service":"http"}
+Filter 13                   {"log":"ulog"}
+(log)                       
+  inet/filter/FORWARD       -j logaccept-1
+  inet/filter/INPUT         -j logaccept-1
+  inet/filter/OUTPUT        -j logaccept-1
+  inet/filter/logaccept-1   -m limit --limit 12/minute -j ULOG
+  inet/filter/logaccept-1   -j ACCEPT
+  inet6/filter/FORWARD      -j logaccept-1
+  inet6/filter/INPUT        -j logaccept-1
+  inet6/filter/OUTPUT       -j logaccept-1
+  inet6/filter/logaccept-1  -j ACCEPT
+
+Filter 14                   {"action":"drop","log":"ulog"}
+(log)                       
+  inet/filter/FORWARD       -j logdrop-2
+  inet/filter/INPUT         -j logdrop-2
+  inet/filter/OUTPUT        -j logdrop-2
+  inet/filter/logdrop-2     -m limit --limit 12/minute -j ULOG
+  inet/filter/logdrop-2     -j DROP
+  inet6/filter/FORWARD      -j logdrop-2
+  inet6/filter/INPUT        -j logdrop-2
+  inet6/filter/OUTPUT       -j logdrop-2
+  inet6/filter/logdrop-2    -j DROP
+
+Filter 15                   {"action":"pass","log":"ulog"}
+(log)                       
+  inet/filter/FORWARD       -j logpass-1
+  inet/filter/INPUT         -j logpass-1
+  inet/filter/OUTPUT        -j logpass-1
+  inet/filter/logpass-1     -m limit --limit 12/minute -j ULOG
+
+Filter 16                   {"action":"pass","in":"_fw","log":"ulog"}
+(log)                       
+  inet/filter/OUTPUT        -m limit --limit 12/minute -j ULOG
+
+Filter 17                   {"in":"_fw","no-track":true,"service":"http"}
 (no-track)                  
  inet/filter/INPUT         -p tcp --sport 80 -j ACCEPT
  inet/filter/OUTPUT        -p tcp --dport 80 -j ACCEPT
@@ -141,7 +176,7 @@ Filter 13                   {"in":"_fw","no-track":true,"service":"http"}
  inet6/raw/OUTPUT          -p tcp --dport 80 -j CT --notrack
  inet6/raw/PREROUTING      -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack

-Filter 14                   {"dest":"172.17.0.0\/16","no-track":true,"service":"radius","src":"172.16.0.0\/16"}
+Filter 18                   {"dest":"172.17.0.0\/16","no-track":true,"service":"radius","src":"172.16.0.0\/16"}
 (no-track)                  
  inet/filter/FORWARD       -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
  inet/filter/FORWARD       -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
@@ -164,7 +199,7 @@ Filter 14                   {"dest":"172.17.0.0\/16","no-track":true,"service":"
  inet/raw/PREROUTING       -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
  inet/raw/PREROUTING       -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack

-Filter 15                   {"dest":"172.18.0.0\/16","no-track":true,"service":"ssh"}
+Filter 19                   {"dest":"172.18.0.0\/16","no-track":true,"service":"ssh"}
 (no-track)                  
  inet/filter/FORWARD       -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT
  inet/filter/FORWARD       -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT
@@ -177,7 +212,7 @@ Filter 15                   {"dest":"172.18.0.0\/16","no-track":true,"service":"
  inet/raw/PREROUTING       -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack
  inet/raw/PREROUTING       -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack

-Filter 16                   {"no-track":true,"out":"_fw","service":"ipsec"}
+Filter 20                   {"no-track":true,"out":"_fw","service":"ipsec"}
 (no-track)                  
  inet/filter/INPUT         -p esp -j ACCEPT
  inet/filter/INPUT         -p udp -m multiport --dports 500,4500 -j ACCEPT
@@ -196,7 +231,7 @@ Filter 16                   {"no-track":true,"out":"_fw","service":"ipsec"}
  inet6/raw/PREROUTING      -m addrtype --dst-type LOCAL -p esp -j CT --notrack
  inet6/raw/PREROUTING      -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack

-Filter 17                   {"in":["_fw","A"]}
+Filter 21                   {"in":["_fw","A"]}
 (zone)                      
  inet/filter/FORWARD       -i eth0 -j ACCEPT
  inet/filter/INPUT         -i eth0 -j ACCEPT
@@ -205,12 +240,12 @@ Filter 17                   {"in":["_fw","A"]}
  inet6/filter/INPUT        -i eth0 -j ACCEPT
  inet6/filter/OUTPUT       -j ACCEPT

-Filter 18                   {"in":"B","out":"C"}
+Filter 22                   {"in":"B","out":"C"}
 (zone)                      
  inet/filter/FORWARD       -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
  inet/filter/FORWARD       -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT

-Filter 19                   {"out":["_fw","B"]}
+Filter 23                   {"out":["_fw","B"]}
 (zone)                      
  inet/filter/FORWARD       -o eth1 -d 10.0.0.0/12 -j ACCEPT
  inet/filter/INPUT         -j ACCEPT
@@ -219,7 +254,7 @@ Filter 19                   {"out":["_fw","B"]}
  inet6/filter/INPUT        -j ACCEPT
  inet6/filter/OUTPUT       -o eth1 -d fc00::/7 -j ACCEPT

-Filter 20                   {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+Filter 24                   {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
 (zone)                      
  inet/filter/FORWARD       -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
  inet/filter/FORWARD       -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
@@ -311,6 +346,9 @@ Log _default  {"limit":1}
 Log none      {"mode":"none"}
 (log)         

+Log ulog      {"limit":{"interval":5},"mode":"ulog"}
+(log)         
+

 Mark 1                      {"in":["_fw","A"],"mark":1}
 (zone)                      
@@ -565,9 +603,12 @@ hash:net family inet
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
 :logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
 :logdrop-0 - [0:0]
 :logdrop-1 - [0:0]
+:logdrop-2 - [0:0]
 :logpass-0 - [0:0]
+:logpass-1 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A FORWARD -j ACCEPT
 -A FORWARD -j logdrop-0
@@ -581,6 +622,9 @@ hash:net family inet
 -A FORWARD -j ACCEPT
 -A FORWARD -j DROP
 -A FORWARD 
+-A FORWARD -j logaccept-1
+-A FORWARD -j logdrop-2
+-A FORWARD -j logpass-1
 -A FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
 -A FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
 -A FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
@@ -651,6 +695,9 @@ hash:net family inet
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT 
+-A INPUT -j logaccept-1
+-A INPUT -j logdrop-2
+-A INPUT -j logpass-1
 -A INPUT -p tcp --sport 80 -j ACCEPT
 -A INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
 -A INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
@@ -677,6 +724,10 @@ hash:net family inet
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT 
+-A OUTPUT -j logaccept-1
+-A OUTPUT -j logdrop-2
+-A OUTPUT -j logpass-1
+-A OUTPUT -m limit --limit 12/minute -j ULOG
 -A OUTPUT -p tcp --dport 80 -j ACCEPT
 -A OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
 -A OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
@@ -694,11 +745,16 @@ hash:net family inet
 -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
 -A logaccept-0 -m limit --limit 1/second -j LOG
 -A logaccept-0 -j ACCEPT
+-A logaccept-1 -m limit --limit 12/minute -j ULOG
+-A logaccept-1 -j ACCEPT
 -A logdrop-0 -m limit --limit 1/second -j LOG
 -A logdrop-0 -j DROP
 -A logdrop-1 -m limit --limit 1/second -j LOG
 -A logdrop-1 -j DROP
+-A logdrop-2 -m limit --limit 12/minute -j ULOG
+-A logdrop-2 -j DROP
 -A logpass-0 -m limit --limit 1/second -j LOG
+-A logpass-1 -m limit --limit 12/minute -j ULOG
 COMMIT
 *mangle
 :FORWARD ACCEPT [0:0]
@@ -761,8 +817,10 @@ COMMIT
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
 :logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
 :logdrop-0 - [0:0]
 :logdrop-1 - [0:0]
+:logdrop-2 - [0:0]
 :logpass-0 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A FORWARD -j ACCEPT
@@ -777,6 +835,8 @@ COMMIT
 -A FORWARD -j ACCEPT
 -A FORWARD -j DROP
 -A FORWARD 
+-A FORWARD -j logaccept-1
+-A FORWARD -j logdrop-2
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -817,6 +877,8 @@ COMMIT
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT 
+-A INPUT -j logaccept-1
+-A INPUT -j logdrop-2
 -A INPUT -p tcp --sport 80 -j ACCEPT
 -A INPUT -p esp -j ACCEPT
 -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
@@ -837,6 +899,8 @@ COMMIT
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT 
+-A OUTPUT -j logaccept-1
+-A OUTPUT -j logdrop-2
 -A OUTPUT -p tcp --dport 80 -j ACCEPT
 -A OUTPUT -p esp -j ACCEPT
 -A OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
@@ -849,10 +913,12 @@ COMMIT
 -A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
 -A logaccept-0 -m limit --limit 1/second -j LOG
 -A logaccept-0 -j ACCEPT
+-A logaccept-1 -j ACCEPT
 -A logdrop-0 -m limit --limit 1/second -j LOG
 -A logdrop-0 -j DROP
 -A logdrop-1 -m limit --limit 1/second -j LOG
 -A logdrop-1 -j DROP
+-A logdrop-2 -j DROP
 -A logpass-0 -m limit --limit 1/second -j LOG
 COMMIT
 *mangle

--- a/test/output/no-track/rules-save
+++ b/test/output/no-track/rules-save
@@ -5,9 +5,12 @@
 :OUTPUT DROP [0:0]
 :icmp-routing - [0:0]
 :logaccept-0 - [0:0]
+:logaccept-1 - [0:0]
 :logdrop-0 - [0:0]
 :logdrop-1 - [0:0]
+:logdrop-2 - [0:0]
 :logpass-0 - [0:0]
+:logpass-1 - [0:0]
 -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A FORWARD -j ACCEPT
 -A FORWARD -j logdrop-0
@@ -21,6 +24,9 @@
 -A FORWARD -j ACCEPT
 -A FORWARD -j DROP
 -A FORWARD 
+-A FORWARD -j logaccept-1
+-A FORWARD -j logdrop-2
+-A FORWARD -j logpass-1
 -A FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
 -A FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
 -A FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
@@ -91,6 +97,9 @@
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT 
+-A INPUT -j logaccept-1
+-A INPUT -j logdrop-2
+-A INPUT -j logpass-1
 -A INPUT -p tcp --sport 80 -j ACCEPT
 -A INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
 -A INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
@@ -117,6 +126,10 @@
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT 
+-A OUTPUT -j logaccept-1
+-A OUTPUT -j logdrop-2
+-A OUTPUT -j logpass-1
+-A OUTPUT -m limit --limit 12/minute -j ULOG
 -A OUTPUT -p tcp --dport 80 -j ACCEPT
 -A OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
 -A OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
@@ -134,11 +147,16 @@
 -A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
 -A logaccept-0 -m limit --limit 1/second -j LOG
 -A logaccept-0 -j ACCEPT
+-A logaccept-1 -m limit --limit 12/minute -j ULOG
+-A logaccept-1 -j ACCEPT
 -A logdrop-0 -m limit --limit 1/second -j LOG
 -A logdrop-0 -j DROP
 -A logdrop-1 -m limit --limit 1/second -j LOG
 -A logdrop-1 -j DROP
+-A logdrop-2 -m limit --limit 12/minute -j ULOG