author: Pablo Neira Ayuso <pablo@netfilter.org> 2014-04-27 15:04:07 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2014-05-02 18:31:13 +0200
commit: c179ee88d91a84fc75dc4602cca500e8fa72ed66 (patch)
tree: b6b149622e02c81265a673145d6b9a260776f799 /include/logging.h
initial commit
This patch bootstraps the new nft-sync software. Basically, this software aims to support two different setups:

1) Rule-set repository server. The software serves the nft rule-set to clients that request the ruleset. Basically from the system that acts as repository, you have to run:

 # nft-sync -c ../contrib/nft-sync.conf.server

Then, from the client:

 # nft-sync -c ../contrib/nft-sync.conf.client --fetch

Which displays the nft rule-set in the standard output, so you can inspect the nft rule-set. Alternatively, the client can also retrieve and apply the nft rule-set using the pull command instead:

 # nft-sync -c ../contrib/nft-sync.conf.client --pull

[ Note that this command above does not work in this bootstrap yet ]

2) Rule-set synchronization: In case of primary-backup and multiprimary firewall configurations, the software makes sure that the firewall cluster is deploying the same filtering policy. In this case, you have to launch the process:

 # nft-sync -c ../contrib/nft-sync.conf --sync

[ Note that this command above does not work in this bootstrap yet ]

This bootstrap provides the basic infrastructure as a proof-of-concept. Many of the necessary features are still lacking:

* Implement --sync and --pull commands.
* Interaction with nft through libnftnl, which allows the software to retrieve the local nft rule-set, as well as to parse it and apply it.
* SSL support, specifically the repository mode needs it to make sure nobody can steal your filtering policy from the network.
* IPv6 support.
* Allow to serve different rule-sets in the repository mode.

And many others that will be added progressively.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/logging.h')
-rw-r--r-- include/logging.h 30
1 files changed, 30 insertions, 0 deletions
diff --git a/include/logging.h b/include/logging.h
new file mode 100644
index 0000000..e15170c
--- /dev/null
+++ b/include/logging.h
@@ -0,0 +1,30 @@
+#ifndef _NFT_SYNC_LOGGING_H_
+#define _NFT_SYNC_LOGGING_H_
+
+enum nft_sync_logging_type {
+ NFTS_LOG_T_FILE = 0,
+ NFTS_LOG_T_SYSLOG,
+};
+
+enum nft_sync_logging_prio {
+ NFTS_LOG_DEBUG = 0,
+ NFTS_LOG_INFO,
+ NFTS_LOG_NOTICE,
+ NFTS_LOG_ERROR,
+ NFTS_LOG_FATAL,
+ NFTS_LOG_MAX
+};
+
+struct nft_sync_inst;
+
+int nft_sync_log_init(struct nft_sync_inst *inst);
+void nft_sync_log(struct nft_sync_inst *inst, int priority,
+ const char *format, ...);
+void nft_sync_log_fini(struct nft_sync_inst *inst);
+
+#include "config.h"
+
+#define nfts_log(prio, fmt, args...) \
+ nft_sync_log(&nfts_inst, prio, fmt, ##args)
+
+#endif
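Review bot: the nft_sync_log() prototype takes a printf-style `const char *format, ...` but carries no format attribute, so the compiler cannot check format strings against their arguments at any nfts_log() call site, and a call that passes non-literal data as the format would go unflagged. Since the header already relies on GNU extensions (`args...` with `##args`), adding `__attribute__((format(printf, 3, 4)))` to the declaration costs nothing in portability. Two smaller points: the `priority` parameter is a plain int although enum nft_sync_logging_prio is defined just above it, and the nfts_log macro expands to `&nfts_inst`, which this header never declares, so it only compiles through whatever the trailing `#include "config.h"` provides; a comment stating that dependency, or moving the include to the top of the file, would make it explicit.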