ferm: use NFLOG instead of LOG/ULOG on jessie

ULOG is deprecated and has been removed from recent kernels. Use the
(not so new) NFLOG module instead. It requires ulogd2 so we can do that
only on jessie hosts.

This fixes logging on jessie hosts as ulogd2 doesn't listen for ULOG
logs by default.

This also allows logging IPv6 the same way than IPv4.

diff --git a/modules/ferm/templates/ferm.conf.erb b/modules/ferm/templates/ferm.conf.erb
index 5f77ce48530fb0a42ce3e63f195229299b8764f1..da573e56a14dad20ae9a4cd2fcfcccd6d2537593 100644 (file)
--- a/modules/ferm/templates/ferm.conf.erb
+++ b/modules/ferm/templates/ferm.conf.erb
@@ -7,6 +7,24 @@
 
 @include 'conf.d/';
 
+<% if @lsbmajdistrelease >= '8' -%>
+domain (ip ip6) {
+        table filter {
+              chain log_and_reject {
+                      NFLOG nflog-prefix "REJECT: ";
+                      proto tcp REJECT reject-with tcp-reset;
+                      REJECT;
+              }
+
+              chain log_or_drop {
+                      mod hashlimit hashlimit-name nflogreject  hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
+                      mod hashlimit hashlimit-name nfloglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second NFLOG nflog-prefix "DROP: ";
+                      DROP;
+              }
+
+        }
+}
+<% else -%>
 domain ip {
         table filter {
               chain log_and_reject {
@@ -38,6 +56,7 @@ domain ip6 {
               }
         }
 }
+<% end -%>
 domain (ip ip6) {
         table filter {
               chain INPUT {