......@@ -202,6 +202,22 @@ if not call(
end
local iptables = require('awall.iptables')
if mode == 'fallback' then
for _, sig in ipairs{'HUP', 'INT', 'PIPE'} do
signal(posix['SIG'..sig], 'SIG_IGN')
end
posix.sleep(10)
printmsg('\nTimeout, reverting to the old configuration')
iptables.revert()
os.exit()
end
local input = policyset:load()
if mode == 'dump' then level = 0 + (arg[opind] or 0) end
......@@ -284,9 +300,6 @@ if not call(
local dumpfile = outputdir and outputdir..'/dump' or sysdumpfile
local iptables = require('awall.iptables')
if mode == 'dump' then dump(level)
elseif mode == 'diff' then
......@@ -384,17 +397,6 @@ if not call(
end
elseif mode == 'fallback' then
for i, sig in ipairs({'HUP', 'PIPE'}) do
signal(posix['SIG'..sig], 'SIG_IGN')
end
posix.sleep(10)
printmsg('\nTimeout, reverting to the old configuration')
iptables.revert()
elseif mode == 'flush' then iptables.flush()
else assert(false) end
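Review bot: The relocated fallback branch ends with a bare `os.exit()`, so the process reports success whether or not `iptables.revert()` actually restored the old rules. This path is the lock-out safety net, so I would exit non-zero, or at least print a message, when the revert fails; how `iptables.revert()` signals failure is not visible here and needs checking against that module. A comment above the signal loop, e.g. `-- ignore HUP/INT/PIPE so the revert timer survives a dropped terminal session`, would record why INT was added to the list. SIGTERM is left at its default, and if that is deliberate the comment should say so.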
......
--[[
Dependency order resolver for Alpine Wall
Copyright (C) 2012-2014 Kaarle Ritvanen
Copyright (C) 2012-2018 Kaarle Ritvanen
See LICENSE file for license details
]]--
local util = require('awall.util')
local contains = util.contains
local sortedkeys = util.sortedkeys
return function(items)
local visited = {}
......@@ -17,8 +18,8 @@ return function(items)
visited[key] = true
local after = util.list(items[key].after)
for k, v in pairs(items) do
if contains(v.before, key) then table.insert(after, k) end
for _, k in sortedkeys(items) do
if contains(items[k].before, key) then table.insert(after, k) end
end
for i, k in ipairs(after) do
if items[k] then
......@@ -30,7 +31,7 @@ return function(items)
table.insert(res, key)
end
for i, k in util.sortedkeys(items) do
for _, k in sortedkeys(items) do
local ek = visit(k)
if ek ~= nil then return ek end
end
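Review bot: Inside `visit`, the new `for _, k in sortedkeys(items) do` loop walks every item on each call, and if `sortedkeys` sorts on every invocation (its body is not shown) that is a fresh sort per visited node. Building the ordered key list once in the outer function and reusing it for both loops would keep the deterministic order without the repeated work. A short comment such as `-- sorted so the resolved order is reproducible across runs` would also record why `pairs` was replaced. The body of `visit` starts and ends outside these hunks.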
......
--[[
Host address resolver for Alpine Wall
Copyright (C) 2012-2017 Kaarle Ritvanen
Copyright (C) 2012-2018 Kaarle Ritvanen
See LICENSE file for license details
]]--
......@@ -29,7 +29,7 @@ function M.resolve(host, context)
if not dnscache[host] then
dnscache[host] = {}
for rec in io.popen('dig -t ANY '..host):lines() do
for rec in io.popen('dig '..host..' A '..host..' AAAA'):lines() do
local name, rtype, addr =
rec:match(
'^('..familypatterns.domain..')%s+%d+%s+IN%s+(A+)%s+(.+)'
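Review bot: `host` is concatenated twice into the command string passed to `io.popen`, so the shell parses whatever the policy supplies. The lines before this hunk are not shown; unless they already restrict `host` to `familypatterns.domain`, an anchored check such as `if not host:match('^'..familypatterns.domain..'$') then`, followed by the module's usual error call, should precede the lookup. The handle returned by `io.popen` is also never kept or closed, so a failed or timed-out `dig` looks the same as a name with no records and leaves `dnscache[host]` empty. Holding the handle in a local and calling `close()` after the loop (checking its result where the Lua version reports the exit status) would let resolution failures be reported instead of silently producing rules without the host. `M.resolve` begins and ends outside this hunk.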
......
--[[
Base data model for Alpine Wall
Copyright (C) 2012-2017 Kaarle Ritvanen
Copyright (C) 2012-2018 Kaarle Ritvanen
See LICENSE file for license details
]]--
......@@ -125,7 +125,7 @@ function M.Zone:optfrags(dir)
local aopts = nil
if self.addr then
aopts = {}
for _, addr in resolvelist(self.addr) do
for _, addr in resolvelist(self.addr, self) do
table.insert(
aopts,
{family=addr[1], [aprop]=addr[2], match='-'..aopt..' '..addr[2]}
......
......@@ -54,7 +54,8 @@ function Log:optfrags()
local targets = {}
if mode then
local optmap = {
local optmap = (
{
log={level='level', prefix='prefix'},
nflog={
group='group',
......@@ -69,14 +70,15 @@ function Log:optfrags()
threshold='qthreshold'
}
}
if not optmap[mode] then self:error('Invalid logging mode: '..mode) end
)[mode]
if not optmap then self:error('Invalid logging mode: '..mode) end
local target = mode:upper()
for s, t in pairs(optmap[mode]) do
for _, s in util.sortedkeys(optmap) do
local value = self[s]
if value then
if s == 'prefix' then value = util.quote(value) end
target = target..' --'..mode..'-'..t..' '..value
target = target..' --'..mode..'-'..optmap[s]..' '..value
end
end
......@@ -85,7 +87,7 @@ function Log:optfrags()
)
end
for _, addr in resolvelist(self.mirror) do
for _, addr in resolvelist(self.mirror, self) do
table.insert(targets, {family=addr[1], target='TEE --gateway '..addr[2]})
end
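Review bot: In the option loop only `prefix` goes through `util.quote`; the other values (`level`, `group`, `threshold` and the rest of the map) are appended unchanged in `target = target..' --'..mode..'-'..optmap[s]..' '..value`. If these fields are not type-checked when the policy is loaded (not visible in this hunk), a string value containing spaces would add extra arguments to the generated iptables rule. Validating each value against the form its option expects before concatenation, for instance `tonumber(value)` for the numeric ones, would close that off. `Log:optfrags` starts and ends outside these hunks.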
......
......@@ -84,6 +84,7 @@
{ "proto": "udp", "port": 139 }
],
"ntp": { "proto": "udp", "port": 123 },
"openvpn": { "proto": "udp", "port": 1194 },
"ospf": { "proto": "ospf" },
"pgsql": { "proto": "tcp", "port": 5432 },
"ping": [
......
......@@ -2,12 +2,14 @@
"log": {
"dual": { "mode": "log", "mirror": "fc00::1" },
"mirror": { "mirror": [ "10.0.0.1", "10.0.0.2", "fc00::2" ] },
"nflog": { "mode": "nflog", "group": 1, "range": 128 },
"none": { "mode": "none" },
"ulog": { "mode": "ulog", "limit": { "interval": 5 } }
},
"packet-log": [
{ "out": "_fw" },
{ "out": "_fw", "log": "mirror" },
{ "out": "_fw", "log": "nflog" },
{ "out": "_fw", "log": "ulog" }
],
"filter": [
......
......@@ -8085,6 +8085,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"}
(log)
......@@ -8141,7 +8144,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"}
Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG
......@@ -8251,6 +8259,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"}
(services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"}
(services)
......@@ -10306,6 +10317,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......@@ -13186,6 +13198,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......
......@@ -1950,6 +1950,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......
......@@ -571,6 +571,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......
......@@ -59513,6 +59513,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"}
(log)
......@@ -59569,7 +59572,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"}
Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG
......@@ -59679,6 +59687,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"}
(services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"}
(services)
......@@ -68693,6 +68704,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......@@ -100475,6 +100487,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
......@@ -8909,6 +8909,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......@@ -8882,6 +8882,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
......@@ -433,6 +433,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"}
(log)
......@@ -489,7 +492,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"}
Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG
......@@ -599,6 +607,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"}
(services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"}
(services)
......@@ -804,6 +815,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......@@ -1022,6 +1034,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......
......@@ -100,6 +100,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......
......@@ -73,6 +73,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......
......@@ -429,6 +429,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"}
(log)
......@@ -485,7 +488,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"}
Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG
......@@ -595,6 +603,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"}
(services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"}
(services)
......@@ -796,6 +807,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......@@ -1018,6 +1030,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......
......@@ -96,6 +96,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......
......@@ -63,6 +63,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......
......@@ -363,6 +363,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"}
(log)
......@@ -419,7 +422,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"}
Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG
......@@ -541,6 +549,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"}
(services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"}
(services)
......@@ -736,6 +747,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......@@ -928,6 +940,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......
......@@ -90,6 +90,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......
......@@ -63,6 +63,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......
......@@ -363,6 +363,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"}
(log)
......@@ -419,7 +422,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"}
Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG
......@@ -529,6 +537,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"}
(services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"}
(services)
......@@ -730,6 +741,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......@@ -921,6 +933,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......
......@@ -90,6 +90,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......
......@@ -63,6 +63,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......