Add nflog group for packet captures

roles/firewall/defaults/main.yaml

@@ -34,6 +34,8 @@ firewall_ulogd_nflog_group: 1
 firewall_ulogd_syslog_facility: LOG_LOCAL0
 firewall_ulogd_syslog_level: LOG_INFO
 
+firewall_iptables_nflog_group: 2
+
 firewall_drop_icmp_flood: true
 firewall_limit_icmp_flood_seconds: 1
 firewall_limit_icmp_flood_hitcount: 6

roles/firewall/templates/ip6tables.j2

@@ -4,6 +4,7 @@
 :OUTPUT {{ firewall_iptables_output_policy_v6 }}
 
 -N LOG_ACCEPT
+-A LOG_ACCEPT -j NFLOG --nflog-group {{ firewall_iptables_nflog_group }}
 {% if firewall_use_ulogd %}
 -A LOG_ACCEPT -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-group {{ firewall_ulogd_nflog_group }} --nflog-prefix "[iptables ACCEPT] "
 {% else %}
@@ -12,6 +13,7 @@
 -A LOG_ACCEPT -j ACCEPT
 
 -N LOG_DROP
+-A LOG_DROP -j NFLOG --nflog-group {{ firewall_iptables_nflog_group }}
 {% if firewall_use_ulogd %}
 -A LOG_DROP -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-group {{ firewall_ulogd_nflog_group }} --nflog-prefix "[iptables DROP] "
 {% else %}

roles/firewall/templates/iptables.j2

@@ -4,6 +4,7 @@
 :OUTPUT {{ firewall_iptables_output_policy }}
 
 -N LOG_ACCEPT
+-A LOG_ACCEPT -j NFLOG --nflog-group {{ firewall_iptables_nflog_group }}
 {% if firewall_use_ulogd %}
 -A LOG_ACCEPT -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-group {{ firewall_ulogd_nflog_group }} --nflog-prefix "[iptables ACCEPT] "
 {% else %}
@@ -12,6 +13,7 @@
 -A LOG_ACCEPT -j ACCEPT
 
 -N LOG_DROP
+-A LOG_DROP -j NFLOG --nflog-group {{ firewall_iptables_nflog_group }}
 {% if firewall_use_ulogd %}
 -A LOG_DROP -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j NFLOG --nflog-group {{ firewall_ulogd_nflog_group }} --nflog-prefix "[iptables DROP] "
 {% else %}