From ea40bd344ef38e1b4263a09143d7b68a8883ee98 Mon Sep 17 00:00:00 2001
From: Aurelien Jarno
Date: Mon, 24 Aug 2015 12:08:09 +0200
Subject: [PATCH] ferm: use NFLOG instead of LOG/ULOG on jessie
ULOG is deprecated and has been removed from recent kernels. Use the (not so new) NFLOG module instead. It requires ulogd2 so we can do that only on jessie hosts. This fixes logging on jessie hosts as ulogd2 doesn't listen for ULOG logs by default. This also allows logging IPv6 the same way than IPv4.
---
modules/ferm/templates/ferm.conf.erb | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/modules/ferm/templates/ferm.conf.erb b/modules/ferm/templates/ferm.conf.erb
index 5f77ce485..da573e56a 100644
--- a/modules/ferm/templates/ferm.conf.erb
+++ b/modules/ferm/templates/ferm.conf.erb
@@ -7,6 +7,24 @@
 @include 'conf.d/';
+<% if @lsbmajdistrelease >= '8' -%>
+domain (ip ip6) {
+ table filter {
+ chain log_and_reject {
+ NFLOG nflog-prefix "REJECT: ";
+ proto tcp REJECT reject-with tcp-reset;
+ REJECT;
+ }
+
+ chain log_or_drop {
+ mod hashlimit hashlimit-name nflogreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
+ mod hashlimit hashlimit-name nfloglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second NFLOG nflog-prefix "DROP: ";
+ DROP;
+ }
+
+ }
+}
+<% else -%>
 domain ip {
 table filter {
 chain log_and_reject {
@@ -38,6 +56,7 @@ domain ip6 {
 }
 }
 }
+<% end -%>
 domain (ip ip6) {
 table filter {
 chain INPUT {
-- 
2.20.1
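Review bot: The release gate `<% if @lsbmajdistrelease >= '8' -%>` at the top of the first hunk compares strings, so a two-digit release such as "10" sorts below "8" and would silently select the legacy ULOG branch on hosts whose kernels no longer have it, which is exactly the logging failure this commit sets out to fix; compare numerically instead, `<% if @lsbmajdistrelease.to_i >= 8 -%>`. The matching `<% end -%>` sits in the second hunk, so the else branch covers the whole pre-existing ip and ip6 block. The NFLOG rules also rely on the module's default nflog-group; if ulogd2 on these hosts is configured for a specific group, pinning it in the rule, e.g. `NFLOG nflog-group 0 nflog-prefix "REJECT: ";`, makes the dependency explicit rather than implicit. Both domain blocks touched here begin inside the hunks but the surrounding template continues outside them.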