diff options
author | Kyle Bowman <kbowman@cloudflare.com> | 2021-10-01 18:41:36 +0100 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2022-01-18 13:22:54 +0100 |
commit | db99f6019eab5f108fe1050349b3e793ea21353d (patch) | |
tree | 869eeac568efd27d8a8964ef93e4f648872f2166 /iptables | |
parent | 30b178b9bf11e75cd5ff7310ce0f5d9c9ace3b7a (diff) |
extensions: libxt_NFLOG: use nft built-in logging instead of xt_NFLOG
Replaces the use of xt_NFLOG with the nft built-in log statement.
This additionally adds support for using longer log prefixes of 128
characters in size. Until now NFLOG has truncated the log-prefix to the
64-character limit supported by iptables-legacy. We now use the struct
xtables_target's udata member to store the longer 128-character prefix
supported by iptables-nft.
Signed-off-by: Kyle Bowman <kbowman@cloudflare.com>
Signed-off-by: Alex Forster <aforster@cloudflare.com>
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables')
-rw-r--r-- | iptables/nft.c | 28 | ||||
-rw-r--r-- | iptables/nft.h | 1 |
2 files changed, 29 insertions, 0 deletions
diff --git a/iptables/nft.c b/iptables/nft.c index daab1b4a..e4932a7a 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -39,6 +39,7 @@ #include <linux/netfilter/nf_tables_compat.h> #include <linux/netfilter/xt_limit.h> +#include <linux/netfilter/xt_NFLOG.h> #include <libmnl/libmnl.h> #include <libnftnl/gen.h> @@ -1346,6 +1347,8 @@ int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, ret = add_verdict(r, NF_DROP); else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0) ret = add_verdict(r, NFT_RETURN); + else if (strcmp(cs->jumpto, "NFLOG") == 0) + ret = add_log(r, cs); else ret = add_target(r, cs->target->t); } else if (strlen(cs->jumpto) > 0) { @@ -1358,6 +1361,31 @@ int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, return ret; } +int add_log(struct nftnl_rule *r, struct iptables_command_state *cs) +{ + struct nftnl_expr *expr; + struct xt_nflog_info *info = (struct xt_nflog_info *)cs->target->t->data; + + expr = nftnl_expr_alloc("log"); + if (!expr) + return -ENOMEM; + + if (info->prefix[0] != '\0') + nftnl_expr_set_str(expr, NFTNL_EXPR_LOG_PREFIX, + cs->target->udata); + + nftnl_expr_set_u16(expr, NFTNL_EXPR_LOG_GROUP, info->group); + if (info->flags & XT_NFLOG_F_COPY_LEN) + nftnl_expr_set_u32(expr, NFTNL_EXPR_LOG_SNAPLEN, + info->len); + if (info->threshold) + nftnl_expr_set_u16(expr, NFTNL_EXPR_LOG_QTHRESHOLD, + info->threshold); + + nftnl_rule_add_expr(r, expr); + return 0; +} + static void nft_rule_print_debug(struct nftnl_rule *r, struct nlmsghdr *nlh) { #ifdef NLDEBUG diff --git a/iptables/nft.h b/iptables/nft.h index f189b03f..4c78f761 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -194,6 +194,7 @@ int add_match(struct nft_handle *h, struct nftnl_rule *r, struct xt_entry_match int add_target(struct nftnl_rule *r, struct xt_entry_target *t); int add_jumpto(struct nftnl_rule *r, const char *name, int verdict); int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set); +int add_log(struct nftnl_rule *r, struct iptables_command_state *cs); char *get_comment(const void *data, uint32_t data_len); enum nft_rule_print { |