From e711ee3a220a3cfc2ed3189c55c9cbf88e6b372c Mon Sep 17 00:00:00 2001
From: Ryan Cavicchioni
Date: Mon, 2 Sep 2019 17:51:48 +0000
Subject: [PATCH] Add nflog group for packet captures

---
 roles/firewall/defaults/main.yaml | 2 ++
 roles/firewall/templates/ip6tables.j2 | 2 ++
 roles/firewall/templates/iptables.j2 | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/roles/firewall/defaults/main.yaml b/roles/firewall/defaults/main.yaml
index 00da283..af608db 100644
--- a/roles/firewall/defaults/main.yaml
+++ b/roles/firewall/defaults/main.yaml
@@ -34,6 +34,8 @@ firewall_ulogd_nflog_group: 1
 firewall_ulogd_syslog_facility: LOG_LOCAL0
 firewall_ulogd_syslog_level: LOG_INFO
+firewall_iptables_nflog_group: 2
+
 firewall_drop_icmp_flood: true
 firewall_limit_icmp_flood_seconds: 1
 firewall_limit_icmp_flood_hitcount: 6
diff --git a/roles/firewall/templates/ip6tables.j2 b/roles/firewall/templates/ip6tables.j2
index 9f1554e..9b6221a 100644
--- a/roles/firewall/templates/ip6tables.j2
+++ b/roles/firewall/templates/ip6tables.j2
@@ -4,6 +4,7 @@
 :OUTPUT {{ firewall_iptables_output_policy_v6 }}
 -N LOG_ACCEPT
+-A LOG_ACCEPT -j NFLOG --nflog-group {{ firewall_iptables_nflog_group }}
 {% if firewall_use_ulogd %}
 -A LOG_ACCEPT -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-group {{ firewall_ulogd_nflog_group }} --nflog-prefix "[iptables ACCEPT] "
 {% else %}
@@ -12,6 +13,7 @@
 -A LOG_ACCEPT -j ACCEPT
 -N LOG_DROP
+-A LOG_DROP -j NFLOG --nflog-group {{ firewall_iptables_nflog_group }}
 {% if firewall_use_ulogd %}
 -A LOG_DROP -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-group {{ firewall_ulogd_nflog_group }} --nflog-prefix "[iptables DROP] "
 {% else %}
diff --git a/roles/firewall/templates/iptables.j2 b/roles/firewall/templates/iptables.j2
index 7b2bd89..0535f1c 100644
--- a/roles/firewall/templates/iptables.j2
+++ b/roles/firewall/templates/iptables.j2
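Review bot: The new default `firewall_iptables_nflog_group: 2` carries no comment saying what the group is for or why it must be a different number from `firewall_ulogd_nflog_group: 1` in the same file. Both values select a group on the same nfnetlink_log instance, so an override that sets them equal would, as far as I can tell, deliver the unprefixed capture copies added in the template hunks to the ulogd socket as well. Suggest `# NFLOG group reserved for ad-hoc packet captures; keep distinct from firewall_ulogd_nflog_group` above the new key, and, if the role already has an assert task, a check that the two values differ.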
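Review bot: The added `-A LOG_ACCEPT -j NFLOG --nflog-group {{ firewall_iptables_nflog_group }}` copies every packet that enters LOG_ACCEPT to the capture group with neither the `-m limit` the ulogd rule right below it uses nor a payload cap; the LOG_DROP hunk in this file and both hunks in iptables.j2 do the same. Unlimited packet counts are presumably what a capture group is for, but a flood that ends in LOG_DROP now also costs a netlink copy per packet on top of the drop, so if full payloads are not needed the bytes copied could be bounded with `--nflog-range`/`--nflog-size`. The rule also sits outside the `{% if firewall_use_ulogd %}` block and is therefore always emitted; a template comment such as `# unconditional copy to the capture group (firewall_iptables_nflog_group), independent of firewall_use_ulogd` would make that intent explicit. The LOG_ACCEPT chain definition continues outside the hunk.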
@@ -4,6 +4,7 @@
 :OUTPUT {{ firewall_iptables_output_policy }}
 -N LOG_ACCEPT
+-A LOG_ACCEPT -j NFLOG --nflog-group {{ firewall_iptables_nflog_group }}
 {% if firewall_use_ulogd %}
 -A LOG_ACCEPT -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-group {{ firewall_ulogd_nflog_group }} --nflog-prefix "[iptables ACCEPT] "
 {% else %}
@@ -12,6 +13,7 @@
 -A LOG_ACCEPT -j ACCEPT
 -N LOG_DROP
+-A LOG_DROP -j NFLOG --nflog-group {{ firewall_iptables_nflog_group }}
 {% if firewall_use_ulogd %}
 -A LOG_DROP -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-group {{ firewall_ulogd_nflog_group }} --nflog-prefix "[iptables DROP] "
 {% else %}