ufw

please add NFLOG support

Bug #1475676 reported by Jamie Strandboge
This bug affects 11 people
Affects: ufw | Status: Fix Committed | Importance: Wishlist | Assigned to: Unassigned | Milestone: (none)

Bug Description

From https://bugs.launchpad.net/ufw/+bug/1294544/comments/19:
"I have the very same issue on a Banana Pi with kernel 3.19; the reason is that the kernel has no support for LOG but only for NFLOG. To work around this use 'ufw logging off && ufw enable'.
It would be great to get NFLOG support. Changing LOG to NFLOG and --log-prefix to --nflog-prefix should suffice. Adding runtime detection would be great! ;-)"

Christian Kujau (christiank) wrote :

With bug #728128 being fixed (in ufw 0.35), this can be worked around as follows, for simple setups at least:

 $ cd /etc/ufw
 $ sudo sed 's/-j LOG --log-prefix/-j NFLOG --nflog-prefix/' -i.bak user.rules
 $ sudo sed 's/-j LOG --log-prefix/-j NFLOG --nflog-prefix/' -i.bak user6.rules

PabloAB (pabloab777) wrote :

Shuhao (shuhao) wrote :

Workaround in #1 doesn't work. UFW seems to just override the changes when it's enabled/disabled.

TomvB (tomvb) wrote :

With LXD it is important to fix:

 $ cd /etc/ufw
 $ sudo sed 's/-j LOG --log-prefix/-j NFLOG --nflog-prefix/' -i.bak user.rules
 $ sudo sed 's/-j LOG --log-prefix/-j NFLOG --nflog-prefix/' -i.bak user6.rules

Please add NFLOG support.
Unprivileged containers don't have a /dev/kmsg device and access to /proc/kmsg is blocked by the kernel.

### LOGGING ###
-A ufw-after-logging-input -j NFLOG --nflog-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j NFLOG --nflog-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j NFLOG --nflog-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j NFLOG --nflog-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###

### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j NFLOG --nflog-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###

How can I replace the rules in after.rules?
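
The same sed applies to after.rules, since ufw only regenerates user.rules and user6.rules. Below is an added example (not ufw's own code or anything the reporters posted) that wraps the rewrite from the comments above in a reusable function, also drops a --log-level option if one is present (NFLOG has no equivalent; the rules quoted on this page do not use it), and counts the remaining LOG rules so the result can be checked; the demo runs on a constructed temporary copy of the logging block rather than on the real /etc/ufw files.

```shell
#!/bin/sh
# Added example (not ufw's code): rewrite iptables LOG rules to NFLOG in a
# ufw rules file. NFLOG is delivered over netlink to a userspace reader such
# as ulogd, so it works where /dev/kmsg is unavailable (e.g. unprivileged
# containers); the kernel still needs CONFIG_NETFILTER_XT_TARGET_NFLOG.

# log_to_nflog FILE: in-place rewrite, keeping a .bak copy like the sed above.
#   "-j LOG --log-prefix X"  becomes  "-j NFLOG --nflog-prefix X"
#   " --log-level N" is removed: NFLOG has no log level (its options are
#   --nflog-group, --nflog-prefix, --nflog-size and --nflog-threshold).
# Running it twice is harmless: converted lines no longer match.
log_to_nflog() {
    sed -i.bak \
        -e 's/-j LOG --log-prefix/-j NFLOG --nflog-prefix/' \
        -e 's/ --log-level [a-z0-9]*//' \
        "$1"
}

# count_log_rules FILE: how many rules still use the LOG target (0 when done).
count_log_rules() {
    grep -c -- '-j LOG ' "$1" || true
}

# count_nflog_rules FILE: how many rules now use the NFLOG target.
count_nflog_rules() {
    grep -c -- '-j NFLOG ' "$1" || true
}

# Demo on a constructed copy of the logging block from after.rules, so the
# real /etc/ufw files are untouched. On a host you would run it on
# /etc/ufw/after.rules and after6.rules (ufw does not regenerate those),
# and again on user.rules/user6.rules after each ufw enable/disable.
demo_file() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " --log-level 4 -m limit --limit 3/min --limit-burst 10
### END LOGGING ###
EOF
    echo "$f"
}
```

After converting, reload with 'ufw reload' and confirm with 'iptables -S ufw-logging-allow' that the chain shows NFLOG rather than LOG.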

Changed in ufw:
importance: Wishlist → Medium
TomvB (tomvb) wrote :

There is no workaround? Any time indication for the wishlist?

Jamie Strandboge (jdstrand) wrote :

In terms of workarounds, you could monkey patch the source for this in the container, or do the sed whenever ufw overwrites the changes.

Obviously both are unsatisfactory, but I bumped the priority to medium. The time frame won't be immediate, but I'm going to try to fold this in with other work that is pending for this development cycle.

TomvB (tomvb) wrote :

Thank you Jamie! I will keep an eye on it.

TomvB (tomvb) wrote :

Hi Jamie,

Any updates about this feature to allow NFLOG? Would be awesome in combination with CSF or Fail2ban.

Jamie Strandboge (jdstrand) wrote :

As this is a feature request, it is better listed as Wishlist. At this point NFLOG support would be nice, but there has been no progress.

TomvB, I can say since you mentioned fail2ban, you might be interested in the 'ufw prepend' command in ufw 0.36 which is much friendlier with fail2ban than insert.

Changed in ufw:
importance: Medium → Wishlist
Jamie Strandboge (jdstrand) wrote :
Changed in ufw:
status: Triaged → In Progress
status: In Progress → Fix Committed