ULOG is deprecated and has been removed from recent kernels. Use the
(not so new) NFLOG module instead. It requires ulogd2 so we can do that
only on jessie hosts.
This fixes logging on jessie hosts as ulogd2 doesn't listen for ULOG
logs by default.
This also allows logging IPv6 the same way as IPv4.
@include 'conf.d/';
+<% if @lsbmajdistrelease >= '8' -%>
+domain (ip ip6) {
+ table filter {
+ chain log_and_reject {
+ NFLOG nflog-prefix "REJECT: ";
+ proto tcp REJECT reject-with tcp-reset;
+ REJECT;
+ }
+
+ chain log_or_drop {
+ mod hashlimit hashlimit-name nflogreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
+ mod hashlimit hashlimit-name nfloglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second NFLOG nflog-prefix "DROP: ";
+ DROP;
+ }
+
+ }
+}
+<% else -%>
domain ip {
table filter {
chain log_and_reject {
}
}
}
+<% end -%>
domain (ip ip6) {
table filter {
chain INPUT {