Just wanted to report a bug in Shorewall. I've looked for a Shorewall
bugzilla but couldn't find one.

I just discovered that using an ADD rule with logging, Shorewall uses a
'-g' instead of a '-j' for the target in iptables. This makes a new
connection hit my 'all all REJECT notice' instead of my 'inet all DROP
info'. Also, no other rule following the ADD with logging will be used.

[0:root@apinetstore shorewall]$ rpm -qa | grep -i shorewall
shorewall-core-4.5.15-1.fc19.noarch
shorewall-4.5.15-1.fc19.noarch

/etc/shorewall/rules:
?COMMENT timeout port scanners
ADD(+IpOneDay:src) inet fw tcp 22 # uses -j
ADD(+IpOneDay:src):notice inet fw udp 80,443 # no such udp service: uses -g
ADD(+IpOneDay:src):notice inet fw tcp 8443

/etc/shorewall/policy:
#-------------------------------------------------------------------------------
#inet all REJECT info
inet all DROP info
#-------------------------------------------------------------------------------
#
# THE FOLLOWING POLICY MUST BE LAST
#
#-------------------------------------------------------------------------------
all all REJECT notice
#all all DROP notice

/var/lib/shorewall/.restart:
-A inet-fw -p 6 --dport 22 -j SET --add-set IpOneDay src -m comment --comment "timeout port scanners"
-A inet-fw -p 17 -m multiport --dports 80,443 -g ~log4 -m comment --comment "timeout port scanners"
-A inet-fw -p 6 --dport 8443 -g ~log4 -m comment --comment "timeout port scanners"
-A inet-fw -p 17 --dport 1063:1067 -g ~log3 -m comment --comment "timeout port scanners"
-A inet-fw -j Drop

iptables -nvL:
Chain ~log4 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 3/min burst 2 mode srcip /* timeout port scanners */ LOG flags 0 level 5 prefix "Shorewall:inet-fw:ADD(+IpOne "
    0     0 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* timeout port scanners */ add-set IpOneDay src

Thanks,
Bill
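
The skipped-rule symptom in the report follows directly from iptables semantics: a chain entered with -j returns to the next rule of its caller when it runs off its end, whereas a chain entered with -g returns to the chain that called the *calling* chain, so everything after the -g rule in inet-fw (including the final -j Drop) is bypassed and the packet falls through to the next policy. The following is an added example, not code from this post or from Shorewall, that audits an iptables-save style ruleset for -g rules whose target chain can finish without a verdict and lists the calling-chain rules such packets bypass. The sample ruleset is constructed after the .restart excerpt above (the chain names inet-fw, ~log4 and Drop and the IpOneDay set come from the post; the limit match and the shortened log prefix are simplifications); audit_goto, always_decides and with_jump_instead are names chosen here.

```python
"""Audit an iptables ruleset (iptables-save format) for '-g' (goto) rules
whose target chain can finish without a terminating verdict.

iptables semantics: with '-j', a chain that runs off its end returns to the
next rule of the calling chain. With '-g', the calling chain is left for
good: when the target chain finishes, control returns to the chain that
called the calling chain, so every rule after the '-g' rule is bypassed.
A logging chain that only does LOG + SET therefore drops the packet out of
the calling chain entirely.
"""
import shlex
from collections import defaultdict

# Targets that decide the packet's fate. RETURN is deliberately excluded:
# in a goto'd chain it also returns past the calling chain.
VERDICTS = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample, modelled on the .restart output in the report (not the
# actual generated file; chains trimmed to what matters here).
SAMPLE_RULESET = """\
*filter
:inet-fw - [0:0]
:~log4 - [0:0]
:Drop - [0:0]
-A inet-fw -p 6 --dport 22 -j SET --add-set IpOneDay src
-A inet-fw -p 17 -m multiport --dports 80,443 -g ~log4
-A inet-fw -p 6 --dport 8443 -g ~log4
-A inet-fw -j Drop
-A ~log4 -m limit --limit 3/min --limit-burst 2 -j LOG --log-level 5 --log-prefix "Shorewall:inet-fw:ADD "
-A ~log4 -j SET --add-set IpOneDay src
-A Drop -j DROP
COMMIT
"""


def parse_rules(text):
    """Return {chain: [token list per '-A' rule, in file order]}."""
    chains = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-A "):
            tokens = shlex.split(line)  # keeps quoted --log-prefix/--comment intact
            chains[tokens[1]].append(tokens)
    return chains


def jump_of(tokens):
    """Return (flag, target) for the rule's -j/-g, or (None, None)."""
    for flag in ("-j", "-g"):
        if flag in tokens:
            return flag, tokens[tokens.index(flag) + 1]
    return None, None


def is_unconditional(tokens):
    """True when the rule has no match options: '-A CHAIN -j/-g TARGET ...'."""
    flag, _ = jump_of(tokens)
    return flag is not None and tokens.index(flag) == 2


def always_decides(chain, chains, path=()):
    """True if every packet entering `chain` is guaranteed a verdict."""
    if chain in path:            # loop guard; iptables rejects loops anyway
        return False
    for tokens in chains.get(chain, []):
        if not is_unconditional(tokens):
            continue             # a conditional rule may not match
        flag, target = jump_of(tokens)
        if target in VERDICTS:
            return True
        if target in chains:
            decides = always_decides(target, chains, path + (chain,))
            if decides or flag == "-g":
                return decides   # '-g' never comes back to this chain
    return False


def audit_goto(text):
    """List every '-g' rule whose target may fall through, together with the
    rules of the calling chain that such a packet would bypass."""
    chains = parse_rules(text)
    findings = []
    for chain, rules in chains.items():
        for idx, tokens in enumerate(rules):
            flag, target = jump_of(tokens)
            if flag == "-g" and not always_decides(target, chains):
                findings.append({
                    "chain": chain,
                    "rule": idx + 1,             # 1-based position in the chain
                    "target": target,
                    "bypassed": [" ".join(r) for r in rules[idx + 1:]],
                })
    return findings


def with_jump_instead(text):
    """The generator fix the report implies: enter the log chain with -j so
    control returns to inet-fw and the remaining rules still apply."""
    return text.replace(" -g ~log4", " -j ~log4")


if __name__ == "__main__":
    for f in audit_goto(SAMPLE_RULESET):
        print(f"{f['chain']} rule {f['rule']}: -g {f['target']} may fall through; bypasses:")
        for r in f["bypassed"]:
            print("    " + r)
    print("after -g -> -j:", audit_goto(with_jump_instead(SAMPLE_RULESET)))
```

On the sample this reports inet-fw rules 2 and 3 (both -g ~log4), each with the rules after it in inet-fw that a matching packet never reaches, and reports nothing once the two -g rules are rewritten to -j, which is the behaviour the rules file expected. Running it over a real /var/lib/shorewall/.restart or iptables-save dump is the same call with the file contents passed to audit_goto.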